
HackMyVM-Canto

Introduction

Difficulty: Easy

Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Canto

Environment:

  • Attacker: Kali 192.168.43.35
  • Target: VB 192.168.43.39

Getting in

The usual nmap scan turns up ports 22 and 80.
Visiting port 80 shows a website homepage, but nothing clickable responds; it looks like a blank site.
I ran dirsearch against it, and because I was afraid of missing something I ran gobuster as well.
There are mainly three paths; two of them show nothing when opened. dirsearch found a web-login.php (gobuster missed it, probably a wordlist issue).
Opening it shows a login form.
Here I tried the classic "universal password" SQL-injection login, and since the error message explicitly said the username was wrong, I brute-forced the username with a wordlist.
Naturally, nothing came of it.......
Later I figured I could start from the site's framework: it is built on WordPress, and a quick search shows that WordPress really does have vulnerabilities.
There is also a dedicated tool for it, wpscan, which I learned on the spot QAQ


  • wpscan scan command:
    wpscan --url http://192.168.43.39/ --plugins-detection aggressive -e ap --api-token=a5...
    Output:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.43.39/ [192.168.43.39]
[+] Started: Sun Jun 14 02:26:34 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.43.39/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.43.39/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.43.39/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.43.39/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:01 <============================================================> (702 / 702) 100.00% Time: 00:00:01
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentyfour
 | Location: http://192.168.43.39/wp-content/themes/twentytwentyfour/
 | Last Updated: 2026-05-20T00:00:00.000Z
 | Readme: http://192.168.43.39/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 | Style URL: http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css , Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:02 <=======================================================> (122575 / 122575) 100.00% Time: 00:01:02
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.43.39/wp-content/plugins/akismet/
 | Last Updated: 2026-04-23T22:34:00.000Z
 | Readme: http://192.168.43.39/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/akismet/ , status: 200
 |
 | Version: 5.3.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/akismet/readme.txt

[+] canto
 | Location: http://192.168.43.39/wp-content/plugins/canto/
 | Last Updated: 2026-05-07T09:11:00.000Z
 | Readme: http://192.168.43.39/wp-content/plugins/canto/readme.txt
 | [!] The version is out of date, the latest version is 3.1.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/canto/ , status: 200
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: Canto < 3.0.9 - Unauthenticated Blind SSRF
 |     Fixed in: 3.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
 |      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
 |
 | [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
 |
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 |     Fixed in: 3.0.7
 |     References:
 |      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
 |      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
 |
 | [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
 |
 | [!] Title: Canto < 3.1.2 - Missing Authorization to Unauthenticated File Upload
 |     Fixed in: 3.1.2
 |     References:
 |      - https://wpscan.com/vulnerability/c189c05f-f00c-41bb-8fac-1f23da22e4fd
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3335
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/0777f759-6980-4572-a866-0210bd5f5085
 |
 | [!] Title: Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
 |     References:
 |      - https://wpscan.com/vulnerability/cb121deb-0089-4b97-96e0-2abedcf67599
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6441
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/c1a0200f-9861-4eca-adbf-d458eb6b4e63
 |
 | Version: 3.0.4 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/canto/readme.txt
 | Confirmed By: Composer File (Aggressive Detection)
 |  - http://192.168.43.39/wp-content/plugins/canto/package.json , Match: '3.0.4'

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 0
 | Requests Remaining: 21

[+] Finished: Sun Jun 14 02:27:47 2026
[+] Requests Done: 123281
[+] Cached Requests: 622
[+] Data Sent: 33.365 MB
[+] Data Received: 16.56 MB
[+] Memory used: 505.941 MB
[+] Elapsed time: 00:01:12

wpscan --url http://192.168.43.39/ -e u --api-token=a5a...

Output:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.43.39/ [192.168.43.39]
[+] Started: Sun Jun 14 02:30:22 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.43.39/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.43.39/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.43.39/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.43.39/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:03 <============================================================> (702 / 702) 100.00% Time: 00:00:03
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentyfour
 | Location: http://192.168.43.39/wp-content/themes/twentytwentyfour/
 | Last Updated: 2026-05-20T00:00:00.000Z
 | Readme: http://192.168.43.39/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 | Style URL: http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css , Match: 'Version: 1.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] erik
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.43.39/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 0
 | Requests Remaining: 21

[+] Finished: Sun Jun 14 02:30:28 2026
[+] Requests Done: 1316
[+] Cached Requests: 19
[+] Data Sent: 359.413 KB
[+] Data Received: 35.41 MB
[+] Memory used: 215.184 MB
[+] Elapsed time: 00:00:06

Scan results:

  • 1. The canto plugin has known vulnerabilities, which matches the machine name!!!
  • 2. There is a user, erik

At that point I tried brute-forcing erik's password with wpscan and the rockyou wordlist, with no result. It felt like the only way in was the canto plugin.
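As an added example (not part of the original write-up), here is a small Python triage script that parses the plugin section of wpscan's text output and decides which advisories still apply to the installed version, which is how a defender would prioritise patching: the excerpt is constructed from the output above and trimmed to four of the six canto advisories.

```python
import re

# Constructed excerpt of the wpscan plugin section in this write-up (4 of the 6 advisories).
WPSCAN_EXCERPT = """\
[+] canto
 | Location: http://192.168.43.39/wp-content/plugins/canto/
 |
 | [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.5
 |
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 |     Fixed in: 3.0.7
 |
 | [!] Title: Canto < 3.1.2 - Missing Authorization to Unauthenticated File Upload
 |     Fixed in: 3.1.2
 |
 | [!] Title: Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
 |
 | Version: 3.0.4 (100% confidence)
"""

def parse_version(s):
    """'3.0.4' -> (3, 0, 4): tuples compare numerically, strings would not ('3.10' < '3.9')."""
    return tuple(int(x) for x in s.split("."))

def parse_plugins(text):
    """Return {plugin: {'version': tuple|None, 'advisories': [[title, fixed_in|None], ...]}}."""
    plugins, current, pending = {}, None, None
    for line in text.splitlines():
        head = re.match(r"\[\+\] (\S+)$", line)      # '[+] canto' opens a plugin block
        if head:
            current = plugins.setdefault(head.group(1), {"version": None, "advisories": []})
            continue
        if current is None:
            continue
        body = line.lstrip(" |")                      # strip the ' | ' margin wpscan prints
        if m := re.match(r"\[!\] Title: (.+)$", body):
            pending = [m.group(1), None]              # 'Fixed in:' (if any) follows the title
            current["advisories"].append(pending)
        elif (m := re.match(r"Fixed in: (\S+)", body)) and pending:
            pending[1] = m.group(1)
        elif m := re.match(r"Version: (\d+(?:\.\d+)*)", body):
            current["version"] = parse_version(m.group(1))
    return plugins

def applicable_advisories(plugin):
    """Advisories still open for the installed version: fix is newer, or no fix is listed."""
    installed = plugin["version"]
    return [(title, fixed) for title, fixed in plugin["advisories"]
            if fixed is None or installed is None or installed < parse_version(fixed)]
```

With the installed 3.0.4 every advisory is open; re-running applicable_advisories with the version set to 3.0.7 leaves only the 3.1.2 fix and the advisory with no fix listed, which is the list a patch ticket should carry.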


There is a PoC for this vulnerability (CVE-2023-3452) on GitHub; download it to Kali and use it directly.
Note: you need to write a PHP reverse-shell file.


Start a listener and the shell comes back.

Later, when the shell dropped and I re-triggered it, I found I did not need to start another listener: after a short wait the shell came back on its own.


Privilege escalation

Now I am the canto user, and user.txt cannot be opened. Remembering that there is another user, erik, I go looking for a way into erik's shell.


A hidden .bash_history file sits under /var/www; as the name says, it is the history of commands the user ran in bash.
Opening it shows that the user previously looked at a file under /var/backups.


www-data@canto:/var/www$ ls -al
ls -al
total 16
drwxr-xr-x  3 www-data www-data 4096 May 12  2024 .
drwxr-xr-x 15 root     root     4096 May 12  2024 ..
-rw-------  1 www-data www-data  219 May 12  2024 .bash_history
drwxr-xr-x  5 www-data www-data 4096 Jun 14 05:18 html
www-data@canto:/var/www$ cat .bash
cat .bash_history 
cd /var/wordpress
cd /var
cd /wordpress
export TERM=xterm
clear
ls
cd wordpress
cd wordpres
ls
cd backups
ls
clear
ls
ls -la
unzip dbbackup.zip
ls
clear
ls -la
su erik
cd /var/wordpress/backups
ls
cat 12052024.txt
exit

Let's go take a look too, hehe.
It is erik's username and password, we are saved!!!
Log straight into erik's shell and grab the first flag.


A small digression here.
Later, while digging through erik's shell for sensitive files, I found a notes folder in the home directory.


erik@canto:~/notes$ ls
ls
Day1.txt  Day2.txt
erik@canto:~/notes$ cat Day1
cat Day1.txt 
On the first day I have updated some plugins and the website theme.
erik@canto:~/notes$ cat Day2.txt
cat Day2.txt
I almost lost the database with my user so I created a backups folder.

The files inside are the user's diary. They mention the backups folder, and this clue probably also refers to the /var/backups seen earlier.


End of digression.


Run sudo -l to see which commands can be run with sudo.

There is a cpulimit entry; checking GTFOBins shows that it can obviously be abused.
(I did not actually run sudo -l at first; I ran linpeas instead, hehe.)

Just use the command from GTFOBins to escalate privileges; nothing more to say, get root and the flag and it is done.


Key takeaways from this machine

1. WordPress ----> using wpscan
2. Information gathering


Done! ciallo

http://www.rkmt.cn/news/1526256.html
