[HackTheBox Machine] Brainfuck Notes




Information Gathering

nmap
[code]
┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ cat nmap.txt
# Nmap 7.93 scan initiated Sun Aug 13 23:13:58 2023 as: nmap -n -v -sC -sV --min-rate=1500 -p- -oN nmap.txt 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.42s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
|   256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_  256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) PIPELINING UIDL USER TOP RESP-CODES AUTH-RESP-CODE CAPA
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: ID capabilities more AUTH=PLAINA0001 have IDLE listed LOGIN-REFERRALS IMAP4rev1 post-login Pre-login OK ENABLE LITERAL+ SASL-IR
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg:
|_  http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after:  2027-04-11T11:19:29
| MD5:   cbf1689996aaf7a005650fc094917f20
|_SHA-1: f448e798a8175580879c8fb8ef0e2d3dc656cb66
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 13 23:16:35 2023 -- 1 IP address (1 host up) scanned in 156.94 seconds
[/code]
The TLS certificate on port 443 carries several hostnames: the Subject CN brainfuck.htb and the Subject Alternative Names www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb. Bind each of them to 10.10.10.17 in /etc/hosts and browse to them. This turns up two sites, one of which is a WordPress blog, and also yields an email address. Two other things in the scan are worth noting for later: Postfix advertises VRFY (which lets a client confirm whether a mailbox exists), and Dovecot accepts PLAIN authentication on both POP3 and IMAP.
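As an added example (mine, not code from the original post), a small Python helper that pulls the hostnames out of the ssl-cert lines nmap printed above and builds the /etc/hosts entry. It drops wildcard SANs (which /etc/hosts cannot express) and the Issuer CN (which names the signer, not the host), and replaces any stale line for the same names when re-run. The sample input is the ssl-cert block copied from the scan; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the ssl-cert lines exactly as nmap printed them for
# this box (copied from the scan above), so the script runs without the network.
NMAP_SSL_CERT = """\
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
"""

# RFC 1123 host label syntax: letters, digits, hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def cert_hostnames(nmap_text):
    """Hostnames the server certificate vouches for: Subject CN first, then each
    DNS SAN, lower-cased and de-duplicated in order of appearance.
    Wildcards (DNS:*.example) are dropped because /etc/hosts cannot express
    them; the Issuer CN is ignored because it names the signer, not the host."""
    names = []
    for line in nmap_text.splitlines():
        body = line.lstrip("| ")
        if body.startswith(("ssl-cert: Subject:", "Subject:")):
            m = re.search(r"commonName=([^/\s]+)", body)
            if m:
                names.append(m.group(1))
        elif body.startswith("Subject Alternative Name:"):
            names.extend(re.findall(r"DNS:([^,\s]+)", body))
    result = []
    for n in names:
        n = n.lower().rstrip(".")
        if "*" in n or not HOSTNAME_RE.match(n) or n in result:
            continue
        result.append(n)
    return result


def hosts_entry(ip, names):
    """One /etc/hosts line; raises ValueError on a bad IP or an empty name list."""
    ipaddress.ip_address(ip)
    if not names:
        raise ValueError("no hostnames to map")
    return f"{ip} {' '.join(names)}"


def merged_hosts(existing, ip, names):
    """Return the hosts file text with the entry appended, after dropping any
    earlier line that already mapped one of these names, so re-runs (or a
    changed target IP) do not leave stale duplicates behind."""
    keep = []
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[1:] and any(n in fields[1:] for n in names):
            continue
        keep.append(line)
    keep.append(hosts_entry(ip, names))
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    # Typical use: append the printed line to /etc/hosts as root, or write
    # merged_hosts(open("/etc/hosts").read(), ip, names) back to the file.
    print(hosts_entry("10.10.10.17", cert_hostnames(NMAP_SSL_CERT)))
```

Running it prints the single hosts line for all three names; feeding the real scan file instead of the embedded sample is just a matter of reading nmap.txt into `cert_hostnames`.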

The other site is a "Super Secret Forum"; two usernames are visible in it.

Vulnerability Scanning

WPScan

Scan the first site with WPScan, enumerating vulnerable plugins (vp) and users (u). To get vulnerability data you need a free API token from the WPScan site; the free plan allows 25 API requests per day. The site uses a self-signed certificate, hence --disable-tls-checks.
[code]
┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ wpscan --url https://brainfuck.htb/ --disable-tls-checks --api-token <your-api-token> -e vp,u -o wpscan.txt
[/code]
[code]
[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 – Authenticated SQL Injection
 |     Fixed in: 8.0.0
 |     References:
 |      - https://wpscan.com/vulnerability/f267d78f-f1e1-4210-92e4-39cce2872757
 |      - https://www.exploit-db.com/exploits/40939/
 |      - https://lenonleite.com.br/en/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
 |      - https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)
 |     Fixed in: 8.0.8
 |     References:
 |      - https://wpscan.com/vulnerability/1527b75a-362d-47eb-85f5-47763c75b0d1
 |      - https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection
 |     Fixed in: 9.0.3
 |     References:
 |      - https://wpscan.com/vulnerability/cbbdb469-7321-44e4-a83b-cac82b116f20
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000131
 |      - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
 |      - https://plugins.trac.wordpress.org/changeset/1814103/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 9.1.2 - Stored XSS
 |     Fixed in: 9.1.2
 |     References:
 |      - https://wpscan.com/vulnerability/e406c3e8-1fab-41fd-845a-104467b0ded4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7299
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15331
 |      - https://cert.kalasag.com.ph/news/research/cve-2019-7299-stored-xss-in-wp-support-plus-responsive-ticket-system/
 |      - https://plugins.trac.wordpress.org/changeset/2024484/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation
 |     Fixed in: 8.0.0
 |     References:
 |      - https://wpscan.com/vulnerability/b1808005-0809-4ac7-92c7-1f65e410ac4f
 |      - https://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
 |      - https://packetstormsecurity.com/files/140413/
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
 |     Fixed in: 8.0.8
 |     References:
 |      - https://wpscan.com/vulnerability/85d3126a-34a3-4799-a94b-76d7b835db5f
 |      - https://plugins.trac.wordpress.org/changeset/1763596
 |
 | Version: 7.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] administrator
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 0
 | Requests Remaining: 22
[/code]
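Added example (mine, not from the original post): a triage script that parses WPScan's text report, pairs each finding's "Fixed in" version with the version detected for that component, and lists only the findings that actually apply. The excerpt it works on is built from the output above, plus one clearly labelled hypothetical finding whose fix version is below 7.1.3 so the filter has something to reject; the function names are my own. Keep the "80% confidence" in mind: the plugin version comes from the readme's stable tag, which can lag the code that is really deployed, so confirm it before acting on the list.

```python
import re

# Constructed excerpt of the wpscan text report shown above: the core version
# block, the ticket-system plugin block and one enumerated user, trimmed to the
# lines the triage needs. The "Hypothetical" finding is NOT a real advisory;
# it only gives the filter a fix version below the detected 7.1.3 to reject.
WPSCAN_EXCERPT = """\
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |
 | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
 |     Fixed in: 4.7.5

[+] wp-support-plus-responsive-ticket-system
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 - Authenticated SQL Injection
 |     Fixed in: 8.0.0
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 9.1.2 - Stored XSS
 |     Fixed in: 9.1.2
 |
 | [!] Title: WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation
 |     Fixed in: 8.0.0
 |
 | [!] Title: Hypothetical already-patched finding (not a real advisory)
 |     Fixed in: 7.0.1
 |
 | Version: 7.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
"""

CORE_RE = re.compile(r"\[\+\] WordPress version (\S+) identified")
COMPONENT_RE = re.compile(r"\[\+\] ([a-z0-9-]+)$")      # plugin slug or user name
TITLE_RE = re.compile(r"\[!\] Title: (.+)")
FIXED_RE = re.compile(r"Fixed in: (\S+)")
VERSION_RE = re.compile(r"Version: (\S+)(?: \((\d+)% confidence\))?")


def version_key(v):
    """Dotted version -> comparable 4-tuple; non-numeric parts count as 0 and
    short versions are zero-padded so that '4.7' == '4.7.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(detected, fixed_in):
    """A finding applies when the detected version is older than the fix;
    a finding with no 'Fixed in' line is treated as still open."""
    return fixed_in is None or version_key(detected) < version_key(fixed_in)


def parse_wpscan(text):
    """Group findings under the component (core or plugin slug) they belong to,
    together with the version WPScan detected for that component."""
    components, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()
        core, comp = CORE_RE.match(line), COMPONENT_RE.match(line)
        if core or comp:
            cur = {"name": "wordpress-core" if core else comp.group(1),
                   "version": core.group(1) if core else None,
                   "confidence": None, "findings": []}
            components.append(cur)
        elif cur is None:
            continue
        elif (m := TITLE_RE.match(line)):
            cur["findings"].append({"title": m.group(1).strip(), "fixed_in": None})
        elif (m := FIXED_RE.match(line)) and cur["findings"]:
            cur["findings"][-1]["fixed_in"] = m.group(1)
        elif (m := VERSION_RE.match(line)):
            cur["version"] = m.group(1)
            cur["confidence"] = int(m.group(2)) if m.group(2) else None
    return components


def triage(text):
    """component -> detected version, confidence and the titles that apply.
    Components with no version or no findings (enumerated users) are skipped."""
    report = {}
    for c in parse_wpscan(text):
        if c["version"] is None or not c["findings"]:
            continue
        hits = [f["title"] for f in c["findings"] if is_affected(c["version"], f["fixed_in"])]
        report[c["name"]] = {"version": c["version"], "confidence": c["confidence"],
                             "applicable": hits, "total": len(c["findings"])}
    return report


if __name__ == "__main__":
    for name, r in triage(WPSCAN_EXCERPT).items():
        conf = f" ({r['confidence']}% confidence)" if r["confidence"] else ""
        print(f"{name} {r['version']}{conf}: {len(r['applicable'])}/{r['total']} findings apply")
        for title in r["applicable"]:
            print("  -", title)
```

Run against the full wpscan.txt instead of the embedded excerpt by reading the file into `triage`; for this box every real plugin finding is older than 7.1.3's fix versions, so only the hypothetical one is filtered out, which is exactly why the plugin is the interesting target.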
Full WPScan output:
[code]
┌──(kali㉿kali)-[~/htb/Brainfuck]
└─$ cat wpscan.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Mon Aug 14 00:43:37 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://brainfuck.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - https://brainfuck.htb/?feed=rss2, https://wordpress.org/?v=4.7.3
 |  - https://brainfuck.htb/?feed=comments-rss2, https://wordpress.org/?v=4.7.3
 |
 | [!] 79 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpscan.com/vulnerability/b3f2f3db-75e4-4d48-ae5e-d4ff172bc093
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/e9e59e08-0586-4332-a394-efb648c7cd84
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
 |      - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/973c55ed-e120-46a1-8dbb-538b54d03892
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/a5a4f4ca-19e5-4665-b501-5c75e0f56001
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/efe46d58-45e4-4cd6-94b3-1a639865ba5b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
 |      - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
 |
 | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/78ae4791-2703-4fdd-89b2-76c674994acf
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
 |      - https://hackerone.com/reports/203515
 |      - https://hackerone.com/reports/203515
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/e9535a5c-c6dc-4742-be40-1b94a718d3f3
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/9b3414c0-b33b-4c55-adff-718ff4c3195d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpscan.com/vulnerability/95e87ae5-eb01-4e27-96d3-b1f013deff1c
 |      - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://wpvulndb.com/vulnerabilities/8905
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/571beae9-d92d-4f9b-aa9f-7c94e33683a1
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/d74ee25a-d845-46b5-afa6-b0a917b7737a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |      - https://hackerone.com/reports/205481
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/6ef4eb23-d5a9-44b3-8402-f4b7b1a91522
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/d1bb1404-ebdc-4bfd-9cae-d728e53c66e2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/e525b3ed-866e-4c48-8715-19fc8be14939
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress prepare() Weakness
 |     Fixed in: 4.7.7
 |     References:
 |      - https://wpscan.com/vulnerability/c161f0f0-6527-4ba4-a43d-36c644e250fc
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpscan.com/vulnerability/0d2323bd-aecd-4d58-ba4b-597a43034f57
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpscan.com/vulnerability/1f71a775-e87e-47e9-9642-bf4bce99c332
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpscan.com/vulnerability/a6281b30-c272-4d44-9420-2ebd3c8ff7da
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpscan.com/vulnerability/809f68d5-97aa-44e5-b181-cc7bdf5685c5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.9
 |     References:
 |      - https://wpscan.com/vulnerability/6ac45244-9f09-4e9c-92f3-f339d450fe72
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress
[/code]
(The pasted output is cut off at this point in the original post.)

Author: 民工心事 (Gold Member)