[THM] Blog

Published:

Word count:
1.7k

Information gathering

First we get the target IP. The room hint says to map the IP to blog.thm in /etc/hosts; after that the first step is an nmap port scan of the IP.

sudo nmap -A -sV -sC -T4 -Pn  -p - --defeat-rst-ratelimit 10.48.181.182
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-31 05:27 EST
Nmap scan report for blog.thm (10.48.181.182)
Host is up (0.15s latency).
Not shown: 64377 closed tcp ports (reset), 1154 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 3 hops
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-31T10:29:41
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2026-01-31T10:29:40+00:00

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 144.45 ms 192.168.128.1
2 ...
3 151.20 ms blog.thm (10.48.181.182)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.36 seconds

Three main services are found here: HTTP on port 80, SSH on port 22, and SMB on ports 139 and 445.

I visited the blog.thm site and found it is a WordPress blog. Two things came to mind: brute-forcing directories with dirsearch first, and the dedicated WordPress scanner wpscan.

While dirsearch was running its directory brute-force, I decided to look at the SMB service first for any information leakage.

sudo nmap -p 445,139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.48.181.182 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-31 05:50 EST
Nmap scan report for blog.thm (10.48.181.182)
Host is up (0.15s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.48.181.182\BillySMB:
| Type: STYPE_DISKTREE
| Comment: Billy's local SMB Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\smb\files
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.48.181.182\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (blog server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.48.181.182\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 25.85 seconds

A BillySMB share is found here. Accessing it with smbclient, unfortunately it only held two images and one video. One of the images was a QR code, and decoding it only gave a useless link. I then ran enum4linux to see whether anything else useful was on the SMB service, but unfortunately it turned up nothing at all.

Website enumeration

So the focus now is mainly on the HTTP service. Here dirsearch found robots.txt for me (actually I misread the question and took root.txt for robots.txt, which is why I looked specifically at this file). It pointed to /wp-admin/admin-ajax.php, which contains only a 0, and checking it confirmed that it really is just a 0.

dirsearch also found a /0/ directory. I thought there might be a hint there, but again nothing.

So the next step could only rely on wpscan.
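Seen from the defender's side, the interesting part of the scan above is a disk share that the guest account can write to. This is an added example, not part of the writeup, that parses nmap smb-enum-shares output and flags such shares; the sample text is a constructed, trimmed copy of the scan format shown above.

```python
import re

# Constructed sample in the format of the smb-enum-shares output above (trimmed).
SAMPLE = """\
| smb-enum-shares:
|   account_used: guest
|   \\\\10.48.181.182\\BillySMB:
|     Type: STYPE_DISKTREE
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\\10.48.181.182\\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\\10.48.181.182\\print$:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share header looks like "|   \\HOST\NAME:"; a field looks like "|     Key: value".
SHARE_RE = re.compile(r"^\|_?\s*\\\\[^\\]+\\([^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s*([A-Za-z_ ]+):\s*(.*)$")


def parse_shares(text):
    """Return {share_name: {field: value}} parsed from the script output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares


def anonymous_access_findings(text):
    """List (share, level) for disk shares the guest account can reach; non-disk shares such as IPC$ are skipped."""
    findings = []
    for name, fields in parse_shares(text).items():
        if fields.get("Type") != "STYPE_DISKTREE":
            continue
        access = fields.get("Anonymous access", "<none>")
        if access == "<none>":
            continue
        findings.append((name, "WRITE" if "WRITE" in access else "READ"))
    return findings
```

Run against a real scan, the output of anonymous_access_findings is the list of shares whose permissions need restricting (writable ones first).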

wpscan --url http://blog.thm --enumerate u
wpscan --url http://blog.thm --enumerate p
wpscan --url http://blog.thm --enumerate t

After scanning basically everything, there was some gain: the site version was found to be 5.0, and the CMS is WordPress.

When wpscan enumerated users (u), it found four user names: kwheel, bjoel, Karen Wheeler, Billy Joel.

Trying these on the WordPress login page, the first two, kwheel and bjoel, are valid, so those two can serve as the username list; then, using the rockyou password list with hydra for brute force, kwheel's password was found.
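From the defender's side, the hydra brute force above leaves a trail in the Apache access log: one client posting to wp-login.php over and over. This is an added example, not part of the writeup, that flags such clients from constructed combined-format log lines; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log prefix: ip ident user [timestamp] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime(2026, 1, 31, 5, 55, 0, tzinfo=timezone.utc)


def _line(ip, offset, method="POST", path="/wp-login.php", status=200):
    """Build one constructed access-log line `offset` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4312 "-" "Mozilla/5.0"'


# Constructed sample: one client hammering the login form, one ordinary client.
SAMPLE_LOG = (
    [_line("10.0.0.5", i) for i in range(25)]          # 25 POSTs in 25 seconds
    + [_line("10.0.0.9", i * 90) for i in range(3)]    # 3 POSTs spread over 3 minutes
    + [_line("10.0.0.9", 300, "GET")]                  # a plain page load, not counted
)


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)


def brute_force_sources(lines, threshold=10, window=60):
    """Return {ip: peak_count} for clients that POST to wp-login.php more than
    `threshold` times inside any `window`-second span (records are sorted by time)."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[1])
    recent, peak = defaultdict(deque), {}
    for ip, ts, method, path, _status in records:
        if method != "POST" or path.split("?", 1)[0] != "/wp-login.php":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak
```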

Exploitation

After logging into the admin page: this WordPress 5.0 lacks the plugin editor feature that the WordPress boxes I did before had, so a PHP webshell cannot be uploaded that way for a reverse shell. So I searched the web for any special vulnerabilities in version 5.0 and found an image-upload getshell vulnerability. Locally, searchsploit gave me 46662.rb, which I downloaded, and it turned out to be a Metasploit module.

So I simply opened msfconsole, ran search wordpress 5.0, and found that exploit/multi/http/wp_crop_rce fits best.

Then show options, fill in the parameters, and that basically gives a shell.

After that I found I was the www-data user. /home contains only bjoel, and in his directory I found a user.txt, but this one is a decoy.

Next I used the LinEnum.sh privilege-escalation enumeration script. Among the SUID files, /usr/sbin/checker looked the most suspicious, but running it only told me "not admin".

Then I did not know how to proceed. Looking at other people's writeups, they download the binary locally and reverse it.

I opened it in IDA and pressed F5 to view the pseudocode: it turns out that as long as the admin environment variable is not empty, you get a shell.

Finally, export admin=tr3, run /usr/sbin/checker, and id shows root. root.txt follows naturally, and find / -name user.txt 2>/dev/null locates the hidden user.txt. That completes the room.

In future, when I run into an unfamiliar SUID file, reversing it looks like a viable approach to try.