HackMyVM-VivifyTech

---

目录

信息收集

arp

nmap

nikto

whatweb

WEB

web信息收集

wpscan

feroxbuster

hydra

提权

系统信息收集

横向渗透

git提权

get root

---

信息收集

arp

┌──(root㉿0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.9.190   08:00:27:b8:65:fa       PCS Systemtechnik GmbH6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.997 seconds (128.19 hosts/sec). 6 responded

---

nmap

端口信息收集┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.190 --min-rate 10000 -oA ports    
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-08 09:00 CST
Nmap scan report for 192.168.9.190
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
33060/tcp open  mysqlx
MAC Address: 08:00:27:B8:65:FA (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 32.31 seconds

版本服务信息收集┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -p 22,80,3306,33060 192.168.9.190 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-08 09:02 CST
Nmap scan report for 192.168.9.190
Host is up (0.00060s latency).PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94%I=7%D=5/8%Time=663ACF1A%P=x86_64-pc-linux-gnu%r(NU
SF:LL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOpt
SF:ions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersi
SF:onBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fIn
SF:valid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
SF:05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\x
SF:08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x20mes
SF:sage\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LAND
SF:esk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0
SF:\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC
SF:,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0
SF:fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,32,"\
SF:x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Invalid\
SF:x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\
SF:x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 08:00:27:B8:65:FA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.28 seconds

---

nikto

┌──(root㉿0x00)-[~/HackMyVM]
└─# nikto -h 192.168.9.190       
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.190
+ Target Hostname:    192.168.9.190
+ Target Port:        80
+ Start Time:         2024-05-08 09:00:54 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.57 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 60bc4bc0ba5e6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ /wordpress/wp-admin/: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ /wordpress/: Drupal Link header found with value: <http://192.168.9.190/wordpress/index.php/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /wordpress/: A Wordpress installation was found.
+ /wordpress/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ /wordpress/wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2024-05-08 09:01:17 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

探测到了wordpress！

---

whatweb

┌──(root㉿0x00)-[~/HackMyVM]
└─# whatweb -v 192.168.9.190          
WhatWeb report for http://192.168.9.190
Status    : 200 OK
Title     : Apache2 Debian Default Page: It works
IP        : 192.168.9.190
Country   : RESERVED, ZZSummary   : Apache[2.4.57], HTTPServer[Debian Linux][Apache/2.4.57 (Debian)]Detected Plugins:
[ Apache ]The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Version      : 2.4.57 (from HTTP Server Header)Google Dorks: (3)Website     : http://httpd.apache.org/[ HTTPServer ]HTTP server header string. This plugin also attempts to identify the operating system from the server header. OS           : Debian LinuxString       : Apache/2.4.57 (Debian) (from server string)HTTP Headers:HTTP/1.1 200 OKDate: Wed, 08 May 2024 01:01:03 GMTServer: Apache/2.4.57 (Debian)Last-Modified: Tue, 05 Dec 2023 15:17:36 GMTETag: "29cd-60bc4bc0ba5e6-gzip"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 3041Connection: closeContent-Type: text/html

---

WEB

web信息收集

因为先前使用nikto探测到了wordpress！我们查看！

---

wpscan

我们使用wpscan枚举用户！

枚举到用户 ： sancelisso既然如此，我们尝试爆破密码！

---

爆破了很久，没有出来!我们目录扫描一下！

---

feroxbuster

可以扫描出一大堆目录！我们只查看关键的！

应该是一个字典文件！我们使用这个字典文件爆破一下密码！下载到本地！

---

不是密码？？那就换成ssh爆破！

还是失败！！思路到这，我已经大概知道了，因为登录不进wordpress，所以他的各种主题插件漏洞就不可以利用！
那么只能爆破密码！我们知道了密码字典，但是还是爆破不出来！那就很有可能这个不是用来爆破wordpress用户密码的，可能这个字典是用来爆破ssh服务的，
因为wordpress用户爆破ssh失败，所以我们需要重新收集用户名称，我们需要其他用户的名称进行ssh爆破！

---

hydra

通过读取两篇文章，我们可以获取以下名称：Sarah
Mark
Emily
Jake

成功！sarah：bohicon

---

提权

系统信息收集

sarah@VivifyTech:~$ ls
user.txt
sarah@VivifyTech:~$ cat user.txt 
HMV{Y0u_G07_Th15_0ne_6543}
sarah@VivifyTech:~$ 

sarah@VivifyTech:~$ cat /etc/passwd | grep "home" | grep -v "nologin"
user:x:1000:1000:user,,,:/home/user:/bin/bash
sarah:x:1001:1001:Sarah,,,:/home/sarah:/bin/bash
gbodja:x:1002:1002:gbodja,,,:/home/gbodja:/bin/bash
emily:x:1003:1003:Emily,,,:/home/emily:/bin/bash

sarah@VivifyTech:~$ sudo -l
[sudo] password for sarah: 
Sorry, user sarah may not run sudo on VivifyTech.

sarah@VivifyTech:~/.private$ ls -al
total 12
drwxr-xr-x 2 sarah sarah 4096 Dec  5 16:19 .
drwx------ 4 sarah sarah 4096 Dec  5 17:53 ..
-rw-r--r-- 1 sarah sarah  274 Dec  5 16:19 Tasks.txt
sarah@VivifyTech:~/.private$ cat Tasks.txt 
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

得到了gbodja用户的密码！

---

横向渗透

sarah@VivifyTech:~/.private$ su gbodja
Password: 
gbodja@VivifyTech:/home/sarah/.private$ id
uid=1002(gbodja) gid=1002(gbodja) groups=1002(gbodja),100(users)

gbodja@VivifyTech:/home$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_ptyUser gbodja may run the following commands on VivifyTech:(ALL) NOPASSWD: /usr/bin/git

---

git提权

---

get root

# pwd
/root
# ls 
root.txt
# cat root.txt
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}
#