【season-5】GreenHorn box writeup


User

Nmap

└─$ sudo nmap -sS 10.129.118.118 -p22,80,3000 -sV  --min-rate=3000 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-21 02:48 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 02:48 (0:00:05 remaining)
Nmap scan report for 10.129.118.118 (10.129.118.118)
Host is up (0.43s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
3000/tcp open ppp?

80

On first visit the URL is http://greenhorn.htb/?file=welcome-to-greenhorn

Directory brute-forcing turned up:

GET 41l 266w 1811c http://greenhorn.htb/docs/README

That file shows the site is running Pluck CMS:

pluck cms readme
==================

Introduction
---------------
Pluck is your small and simple content management system, written in PHP. With pluck, you can easily manage your own website without knowledge of programming languages.

Pluck focuses on ease of use and enables everyone to manage his own website. This makes pluck an excellent choice for every small website. Licensed under the GPL, pluck is completely open source.

Requirements
---------------
- Apache webserver, running on Linux or Windows
- PHP 5.2.0 or newer (PHP 4 is not supported anymore)
- PHP safe-mode OFF
- register_globals in php.ini should be off, for safety reasons. You can contact your webhost if you are unsure.
- The PHP-module php-gd
- The PHP-module php-zlib
- The PHP-module curl
- The ability to change permissions for files and directories (on Linux)
- No database is needed

Installation
---------------
Please read https://github.com/pluck-cms/pluck/wiki/Installation-guide for more information on installing pluck.

How can I edit my site?
-------------------------
At the bottom of your website is a link (with the text "admin"). This link points to login.php. You can log in to pluck there.
Don't forget to log out after you've finished editing your website.

Need help?
---------------
Browse to http://www.phphelp.com/forum/pluck-cms/ and open a topic on the forums!

License
----------
Pluck is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See COPYING for the complete license.

Stay up-to-date
----------
Want to stay up-to-date? Subscribe to our mailinglist at http://www.pluck-cms.org/cgi-bin/dada/mail.cgi/list/announce

The relevant part: "At the bottom of your website is a link (with the text "admin"). This link points to login.php. You can log in to pluck there."

So the admin panel is login.php.

Because the ?file= parameter looks like a file read, I tried

http://greenhorn.htb/?file=../../../../../../../../../etc/passwd

The response was "A hacking attempt has been detected. For security reasons, we're blocking any code execution." So path traversal is blocked there.
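For comparison, this is how a page-loading parameter like ?file= should be constrained so that a traversal value never reaches the filesystem: validate against an allowlist of page names and confirm the resolved path stays under the page directory. This is an added illustration written for this writeup, not Pluck's code (Pluck's own filter is not shown on this page; its message above only tells us the request was blocked), and the directory /var/www/pages is an assumed path.

```python
import re
from pathlib import Path
from typing import Optional

# Allowlist for a page name such as "welcome-to-greenhorn": lowercase letters,
# digits and hyphens only, so "/", ".", "\0" and "%" can never reach the filesystem.
PAGE_NAME = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")


def resolve_page(base_dir: str, name: str) -> Optional[str]:
    """Map a ?file= value to a path under base_dir, or None if it is not allowed.

    base_dir is an assumed location for this illustration, not Pluck's layout.
    """
    if not PAGE_NAME.fullmatch(name):
        return None
    base = Path(base_dir).resolve()
    target = (base / f"{name}.php").resolve()
    # Defence in depth: even a name that passed the allowlist must still
    # resolve inside base_dir (guards against a future loosening of the regex).
    if base not in target.parents:
        return None
    return str(target)


# The two requests from the page: the legitimate page and the traversal attempt.
if __name__ == "__main__":
    for value in ("welcome-to-greenhorn",
                  "../../../../../../../../../etc/passwd",
                  "welcome-to-greenhorn.php"):
        print(repr(value), "->", resolve_page("/var/www/pages", value))
```

An allowlist rejects by construction, so there is no pattern list to bypass with encoding tricks; the second check is only there in case the allowlist is ever widened.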

On to the admin panel.


The version shown is 4.7.18, so look for exploits for it and, while at it, search for default passwords.

Unfortunately nothing on GitHub gives pre-authentication RCE for 4.7.18, and the few passwords I tried did not work either.

Moving on to port 3000 (nmap could not fingerprint it, hence "ppp?").

3000

It is a Gitea instance. It gives us a username, GreenAdmin,

and a project, GreenHorn.

In the project's commit history a user named junior made one commit; worth noting.

The main thing is to understand how the login works, i.e. what the login logic is.

That is in /main/login.php,

where I found this:

// $pass is the hash of the submitted password, $ww the stored hash from data/settings/pass.php
if (($pass == $ww) && (!isset($login_error))) {
    $_SESSION[$token] = 'pluck_loggedin';

    //Delete loginattempt file, if it exists.
    if (file_exists(LOGIN_ATTEMPT_FILE))
        unlink(LOGIN_ATTEMPT_FILE);

    //Display success message.
    show_error($lang['login']['correct'], 3);
    if (isset($_SESSION['pluck_before']))
        redirect($_SESSION['pluck_before'], 1);
    else
        redirect('admin.php?action=start', 1);
    include_once 'data/inc/footer.php';
    exit;
}

Clearly all that is needed is $pass == $ww. $ww is a variable pulled in from somewhere else, so I checked the requires above it:

require_once 'data/settings/pass.php';

//Check if we're already logged in. First, get the token.
require_once 'data/settings/token.php';

In pass.php I found $ww:

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

The format looks odd at first, but further up in login.php it is explained: the value is an unsalted SHA-512 of the password:

if (isset($_POST['submit']) && empty($_POST['bogus'])) {
    // $cont1 holds the submitted password (assigned earlier in login.php); one plain SHA-512, no salt
    $pass = hash('sha512', $cont1);

So just try to crack it (the --show run below prints the cracked pair from the potfile once the attack has finished):

└─$ hashcat 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163' -m 1700 /usr/share/wordlists/rockyou.txt --show
d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163:iloveyou1

and it came straight out.
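Why this was cheap: the stored value is a single unsalted SHA-512, so an attacker who reads pass.php only needs one hash per wordlist entry, which is exactly what hashcat -m 1700 does. The following is an added example written for this writeup (not Pluck's code and not the author's tooling) that mirrors the login check from login.php and runs the same offline attack against the hash from pass.php; the wordlist is a constructed stand-in of a few entries, not rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional

# $ww as copied from data/settings/pass.php on the page (unsalted SHA-512, hex).
PLUCK_WW = (
    "d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d7704"
    "86743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163"
)


def pluck_hash(password: str) -> str:
    """Mirror of login.php: $pass = hash('sha512', $cont1). No salt, no work factor."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def pluck_login_check(candidate: str, stored: str = PLUCK_WW) -> bool:
    """Mirror of the page's check: ($pass == $ww)."""
    return pluck_hash(candidate) == stored.lower()


def crack_sha512(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack, the same work hashcat -m 1700 performs.

    One SHA-512 per candidate; because nothing is salted, the same pass over
    the wordlist would crack every Pluck install that shares a password.
    """
    stored = stored.lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        if pluck_hash(word) == stored:
            return word
    return None


# Constructed stand-in for rockyou.txt (a handful of common entries only).
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "princess", "iloveyou1", "rockyou"]

if __name__ == "__main__":
    print(crack_sha512(PLUCK_WW, SAMPLE_WORDLIST))
```

The fix on the application side is a salted, slow password hash (in PHP, password_hash()/password_verify()) and a constant-time comparison instead of ==; with that, reading pass.php no longer hands an attacker a wordlist-speed attack.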

Login on port 80 as admin

Once logged in we can use the authenticated backend exploit:

https://packetstormsecurity.com/files/173640/Pluck-4.7.18-Remote-Shell-Upload.html

Follow the video linked there: https://www.nu11secur1ty.com/2023/07/pluck-4718-fi-rce.html


Write a PHP one-liner webshell, zip it, and upload it as a module; once it is loaded the site redirects automatically.

I uploaded a webshell this way.


Reverse shell.

I had a look around inside and found nothing.

Then I remembered that earlier, logging in over SSH as junior from outside had failed.

Inside the box, su to junior with the password cracked earlier worked and switched me to that user.

ROOT

In junior's home directory there is an OpenVAS PDF.

It contains a password and says an OpenVAS instance is available, but I found no OpenVAS on the box, and the password in the PDF is pixelated.

Try 1

My first idea: in pspy I saw the git user running

UID=114   PID=1014   | /usr/local/bin/gitea web --config /etc/gitea/app.ini

and /etc/gitea/app.ini is readable only by the git user,

so I considered getting a shell as git and then checking that config for sensitive data, or trying to obtain the Gitea GreenAdmin user's password, which I guessed might also be root's.

junior has full permissions on /usr/local/bin/gitea, so I wanted to write a reverse shell into it, but an echo redirect into the file failed with an error that the file is currently in use, so that route was closed.
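Why the redirect failed even with write permission, as an added demonstration (my code, not from the page): Linux refuses to open a file for writing while it is being executed and reports ETXTBSY ("Text file busy"), independent of file permissions. A copy of /bin/sleep stands in for the running gitea binary here; that the author's "in use" error was this errno is my assumption from the description.

```python
import errno
import os
import shutil
import subprocess
import tempfile
from typing import Optional


def write_to_running_binary(src: str = "/bin/sleep") -> Optional[str]:
    """Copy an executable, start it, then try to open the copy for writing.

    Returns the errno name the kernel raised (expected: 'ETXTBSY'),
    or None if the write was allowed. The copy is owned and writable by us,
    so permissions are not what blocks the write.
    """
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "busy-binary")
    shutil.copy(src, target)        # copies the content (follows symlinks, busybox is fine)
    os.chmod(target, 0o755)
    # Popen only returns once exec() has succeeded, so the file is mapped as
    # a running program from here on.
    proc = subprocess.Popen([target, "30"])
    try:
        try:
            with open(target, "wb") as fh:   # same as: echo 1 > ./busy-binary
                fh.write(b"1")
            return None
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(write_to_running_binary())
```

The check is tied to the file being executed, so the write bit on the binary alone does not let you change the running program in place; it is the reason the writeup's "full permissions" on the file did not translate into code execution as git.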

Try 2

With the first route closed I went back to the PDF; after all, a PDF is not handed out for no reason. The pixelated password reminded me of a misc challenge I had done before, but this is a box... I did not expect a box to be built around that.

Only after the first route failed did I come back and run Depix on it again. Normally it recovers the password; here I first did some simple sharpening via Adobe DC -> Photoshop and re-exported. Depix is finicky: feeding it the whole large image, or a pixelation that is too blurred, makes recognition difficult, so preprocess the image as much as possible.

First run:

python3 tool_show_boxes.py -p aa.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o testa.jpg

Check the detection result and pick an image with a high proportion of detected boxes to run the recovery on.


Finally, the recovered password image (Depix output, screenshot omitted) reads:

I tried "side from side the other side side from side the other side" and could not switch.

With the spaces removed, su to root worked:

root:$y$j9T$NSPhYbBCBMhifcNXubO4U0$KgghRp5OmEotPgUh6e0/Qcyl4dKNs7Q/Xo7bmXFe6//:19885:0:99999:7:::