民工心事 posted on 2023-8-28 10:01:59

[HackTheBox Machine] Brainfuck notes

https://img2023.cnblogs.com/blog/3174408/202308/3174408-20230814120042696-1123982758.png
Information gathering

nmap

┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ cat nmap.txt
# Nmap 7.93 scan initiated Sun Aug 13 23:13:58 2023 as: nmap -n -v -sC -sV --min-rate=1500 -p- -oN nmap.txt 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.42s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
|   256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) PIPELINING UIDL USER TOP RESP-CODES AUTH-RESP-CODE CAPA
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: ID capabilities more AUTH=PLAINA0001 have IDLE listed LOGIN-REFERRALS IMAP4rev1 post-login Pre-login OK ENABLE LITERAL+ SASL-IR
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| tls-alpn:
|_http/1.1
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_Supported Methods: GET HEAD POST
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg:
|_http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after:  2027-04-11T11:19:29
| MD5:   cbf1689996aaf7a005650fc094917f20
|_SHA-1: f448e798a8175580879c8fb8ef0e2d3dc656cb66
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 13 23:16:35 2023 -- 1 IP address (1 host up) scanned in 156.94 seconds

The TLS certificate on port 443 names several hosts: the CN brainfuck.htb plus the SANs www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb. Browsing by IP only returns the default "Welcome to nginx!" page (see http-title above), so the real sites are served as name-based virtual hosts. Bind the certificate names to the IP in /etc/hosts and visit each one: this gives two sites, one of them a WordPress blog, from which we also pick up an email address.
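As an added example (not part of the original post), a small Python parser that pulls the hostnames out of nmap's ssl-cert script output and builds the matching /etc/hosts line. The sample text is the ssl-cert excerpt copied from the scan above; the wildcard handling goes slightly beyond this box (a `*.` prefix is stripped so a wildcard certificate still yields the apex name), and only `DNS:` SAN entries are taken, since `IP:`, `email:` and `URI:` entries are not hostnames.

```python
import re
from typing import List

# Constructed sample: the ssl-cert lines copied from the nmap -oN output above.
NMAP_SSL_CERT_EXCERPT = """\
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
"""

# Subject CN only (the Issuer line also carries a commonName, so anchor on "ssl-cert: Subject:").
CN_RE = re.compile(r"ssl-cert: Subject: .*?commonName=([^/\s]+)")
SAN_RE = re.compile(r"Subject Alternative Name: (.+)")
# Only DNS: entries are hostnames; IP:, email: and URI: SAN types are ignored.
DNS_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")


def _normalise(host: str) -> str:
    """Lower-case and strip a wildcard prefix: '*.example.com' -> 'example.com'."""
    host = host.lower()
    return host[2:] if host.startswith("*.") else host


def cert_hostnames(nmap_text: str) -> List[str]:
    """Unique hostnames named by the certificate, CN first, then SANs in certificate order."""
    names: List[str] = []
    m = CN_RE.search(nmap_text)
    if m:
        names.append(_normalise(m.group(1)))
    for san_line in SAN_RE.findall(nmap_text):
        for host in DNS_RE.findall(san_line):
            host = _normalise(host)
            if host not in names:
                names.append(host)
    return names


def hosts_line(ip: str, nmap_text: str) -> str:
    """Single /etc/hosts line mapping every certificate name to the target IP."""
    names = cert_hostnames(nmap_text)
    if not names:
        raise ValueError("no hostnames found in ssl-cert output")
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    # Append the result to /etc/hosts (as root) before browsing to the vhosts.
    print(hosts_line("10.10.10.17", NMAP_SSL_CERT_EXCERPT))
```

In practice you would run this over the saved `nmap.txt` rather than the inline excerpt; the parser only depends on the `ssl-cert` script's line format.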
https://img2023.cnblogs.com/blog/3174408/202308/3174408-20230814123045547-1386100511.png
The other site (the sup3rs3cr3t vhost) is a Super Secret Forum, and two usernames are visible on it.
https://img2023.cnblogs.com/blog/3174408/202308/3174408-20230814123445310-78117140.png
Vulnerability scanning

WPScan

Scan the first site with WPScan, enumerating vulnerable plugins and users (-e vp,u). Vulnerability data comes from the WPScan API, so register a free API token on the WPScan site; the free plan allows 25 API requests per day (the "Requests Remaining" counter at the end of the scan shows what is left). The certificate is self-signed (its Issuer equals its Subject in the nmap output), hence --disable-tls-checks. The token has been redacted below.
┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ WPScan --url https://brainfuck.htb/ --disable-tls-checks --api-token FD4Mg8hQgD3ufcCLEQPSghvDCFscCOTpEPJWb6V5lVA -e vp,u -o wpscan.txt[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 – Authenticated SQL Injection
|   Fixed in: 8.0.0
|   References:
|      - https://wpscan.com/vulnerability/f267d78f-f1e1-4210-92e4-39cce2872757
|      - https://www.exploit-db.com/exploits/40939/
|      - https://lenonleite.com.br/en/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
|      - https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)
|   Fixed in: 8.0.8
|   References:
|      - https://wpscan.com/vulnerability/1527b75a-362d-47eb-85f5-47763c75b0d1
|      - https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection
|   Fixed in: 9.0.3
|   References:
|      - https://wpscan.com/vulnerability/cbbdb469-7321-44e4-a83b-cac82b116f20
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000131
|      - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
|      - https://plugins.trac.wordpress.org/changeset/1814103/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System < 9.1.2 - Stored XSS
|   Fixed in: 9.1.2
|   References:
|      - https://wpscan.com/vulnerability/e406c3e8-1fab-41fd-845a-104467b0ded4
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7299
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15331
|      - https://cert.kalasag.com.ph/news/research/cve-2019-7299-stored-xss-in-wp-support-plus-responsive-ticket-system/
|      - https://plugins.trac.wordpress.org/changeset/2024484/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation
|   Fixed in: 8.0.0
|   References:
|      - https://wpscan.com/vulnerability/b1808005-0809-4ac7-92c7-1f65e410ac4f
|      - https://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
|      - https://packetstormsecurity.com/files/140413/
|
| [!] Title: WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
|   Fixed in: 8.0.8
|   References:
|      - https://wpscan.com/vulnerability/85d3126a-34a3-4799-a94b-76d7b835db5f
|      - https://plugins.trac.wordpress.org/changeset/1763596
|
| Version: 7.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt


User(s) Identified:

[+] admin
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
|  Rss Generator (Passive Detection)
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)

[+] administrator
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 22

Full WPScan output

┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ cat wpscan.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/
[+] Started: Mon Aug 14 00:43:37 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://brainfuck.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
|  - https://brainfuck.htb/?feed=rss2, https://wordpress.org/?v=4.7.3
|  - https://brainfuck.htb/?feed=comments-rss2, https://wordpress.org/?v=4.7.3
|
| [!] 79 vulnerabilities identified:
|
| [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
|   References:
|      - https://wpscan.com/vulnerability/b3f2f3db-75e4-4d48-ae5e-d4ff172bc093
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
|      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
|      - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
|      - https://core.trac.wordpress.org/ticket/25239
|
| [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/e9e59e08-0586-4332-a394-efb648c7cd84
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
|      - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|
| [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/973c55ed-e120-46a1-8dbb-538b54d03892
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|      - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
|
| [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/a5a4f4ca-19e5-4665-b501-5c75e0f56001
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|      - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
|
| [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/efe46d58-45e4-4cd6-94b3-1a639865ba5b
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|      - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
|      - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
|
| [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/78ae4791-2703-4fdd-89b2-76c674994acf
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|      - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
|      - https://hackerone.com/reports/203515
|
| [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/e9535a5c-c6dc-4742-be40-1b94a718d3f3
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
|      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|      - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
|
| [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/9b3414c0-b33b-4c55-adff-718ff4c3195d
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
|      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
|
| [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
|   Fixed in: 4.7.5
|   References:
|      - https://wpscan.com/vulnerability/95e87ae5-eb01-4e27-96d3-b1f013deff1c
|      - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
|      - https://wpvulndb.com/vulnerabilities/8905
|
| [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/571beae9-d92d-4f9b-aa9f-7c94e33683a1
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/changeset/41398
|
| [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/d74ee25a-d845-46b5-afa6-b0a917b7737a
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/changeset/41457
|      - https://hackerone.com/reports/205481
|
| [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/6ef4eb23-d5a9-44b3-8402-f4b7b1a91522
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/changeset/41397
|
| [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/d1bb1404-ebdc-4bfd-9cae-d728e53c66e2
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/changeset/41448
|
| [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
|   Fixed in: 4.7.6
|   References:
|      - https://wpscan.com/vulnerability/e525b3ed-866e-4c48-8715-19fc8be14939
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
|      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/changeset/41395
|      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
|
| [!] Title: WordPress prepare() Weakness
|   Fixed in: 4.7.7
|   References:
|      - https://wpscan.com/vulnerability/c161f0f0-6527-4ba4-a43d-36c644e250fc
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
|      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
|      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
|      - https://twitter.com/ircmaxell/status/923662170092638208
|      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
|
| [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
|   Fixed in: 4.7.8
|   References:
|      - https://wpscan.com/vulnerability/0d2323bd-aecd-4d58-ba4b-597a43034f57
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
|      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
|
| [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
|   Fixed in: 4.7.8
|   References:
|      - https://wpscan.com/vulnerability/1f71a775-e87e-47e9-9642-bf4bce99c332
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
|      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
|
| [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
|   Fixed in: 4.7.8
|   References:
|      - https://wpscan.com/vulnerability/a6281b30-c272-4d44-9420-2ebd3c8ff7da
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
|      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
|
| [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
|   Fixed in: 4.7.8
|   References:
|      - https://wpscan.com/vulnerability/809f68d5-97aa-44e5-b181-cc7bdf5685c5
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
|      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
|      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
|
| [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
|   Fixed in: 4.7.9
|   References:
|      - https://wpscan.com/vulnerability/6ac45244-9f09-4e9c-92f3-f339d450fe72
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
|      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
|      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
|      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
|      - https://core.trac.wordpress.org/ticket/42720
|
| [!] Title: WordPress
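As an added example (not the author's or WPScan's code), a Python check that reproduces what WPScan's "Readme - Stable Tag" detection does for the plugin finding above: read `Stable tag:` from the plugin's readme.txt and compare that version against the "Fixed in" value of each advisory. The readme text is constructed (only the version matches the scan), the advisory list is transcribed from the WPScan output above, and `fetch_readme` is a hypothetical helper that mirrors `--disable-tls-checks` by skipping certificate verification. The caveat behind WPScan's "80% confidence": the Stable tag is whatever the developer typed into readme.txt and can lag or lead the code actually deployed, so treat a match as a lead to confirm, not as proof; a tag such as `trunk` gives no version at all, and the code refuses to guess in that case.

```python
import re
import ssl
import urllib.request
from typing import List, Optional, Tuple

# Constructed readme.txt header in the format WordPress.org plugin readmes use.
# Only the Stable tag mirrors the scan above; the other fields are made up.
SAMPLE_README = """\
=== WP Support Plus Responsive Ticket System ===
Contributors: example-author
Tags: support, ticket
Requires at least: 3.0
Tested up to: 4.7
Stable tag: 7.1.3
"""

# (title, fixed-in version) transcribed from the WPScan plugin finding above.
ADVISORIES = [
    ("WP Support Plus Responsive Ticket System < 8.0.0 - Authenticated SQL Injection", "8.0.0"),
    ("WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)", "8.0.8"),
    ("WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection", "9.0.3"),
    ("WP Support Plus Responsive Ticket System < 9.1.2 - Stored XSS", "9.1.2"),
    ("WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation", "8.0.0"),
    ("WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution", "8.0.8"),
]

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)\s*$", re.MULTILINE)


def stable_tag(readme: str) -> Optional[str]:
    """Return the raw 'Stable tag' value, or None when the header is missing."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'8.0.8' -> (8, 0, 8). Non-numeric tags such as 'trunk' return None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Dotted-version compare with zero padding, so (8, 0) equals (8, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def applicable_advisories(readme: str, advisories) -> List[str]:
    """Titles of advisories whose 'Fixed in' version is newer than the readme's Stable tag."""
    tag = stable_tag(readme)
    installed = parse_version(tag) if tag else None
    if installed is None:
        # 'trunk' or a missing header: the readme gives no usable version, so do not guess.
        raise ValueError(f"cannot determine version from Stable tag {tag!r}; confirm by other means")
    return [title for title, fixed in advisories if version_lt(installed, parse_version(fixed))]


def fetch_readme(url: str, timeout: float = 10.0) -> str:
    """Hypothetical helper: download readme.txt without TLS verification, like --disable-tls-checks.
    Only appropriate against a lab target with a self-signed certificate, as here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline run on the constructed sample. Against the box you would instead call
    # fetch_readme("https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt").
    print("Stable tag:", stable_tag(SAMPLE_README))
    for title in applicable_advisories(SAMPLE_README, ADVISORIES):
        print("  [!]", title)
```

With the 7.1.3 tag every one of the six plugin advisories applies, which is exactly what the WPScan excerpt reports; bump the tag to 9.0.3 and only the Stored XSS entry (fixed in 9.1.2) remains.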