HackMyVM-Canto
Overview
Difficulty: Easy
Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Canto

Environment:
- Attacker: Kali 192.168.43.35
- Target: VB 192.168.43.39
Getting started
A routine nmap scan shows ports 22 and 80 open.

Port 80 serves a website's homepage, but nothing clickable responds; it feels like an empty site.
I ran dirsearch, and then gobuster as well in case dirsearch had missed something.

There are three main paths. Two of them show nothing when opened; dirsearch also found web-login.php (gobuster did not find it, probably a wordlist issue).
Opening it shows a login form.

I tried "universal password" SQL-injection payloads here, and since the error message explicitly says the username is wrong, I also brute-forced the username with a wordlist.
Of course, nothing came of it...
Then I figured the site's framework was a better angle: it is built on WordPress, and a quick search confirmed that this WordPress setup really does have vulnerabilities.
There is also a dedicated tool, wpscan, which I learned on the spot.
- The wpscan scans went as follows:
wpscan --url http://192.168.43.39/ --plugins-detection aggressive -e ap --api-token=a5...
Output:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.43.39/ [192.168.43.39]
[+] Started: Sun Jun 14 02:26:34 2026
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.57 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.43.39/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.43.39/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.43.39/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.43.39/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
Fingerprinting the version - Time: 00:00:01 <============================================================> (702 / 702) 100.00% Time: 00:00:01
[i] The WordPress version could not be detected.
[+] WordPress theme in use: twentytwentyfour
| Location: http://192.168.43.39/wp-content/themes/twentytwentyfour/
| Last Updated: 2026-05-20T00:00:00.000Z
| Readme: http://192.168.43.39/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.5
| [!] Directory listing is enabled
| Style URL: http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.43.39/wp-content/themes/twentytwentyfour/style.css , Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:01:02 <=======================================================> (122575 / 122575) 100.00% Time: 00:01:02
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.43.39/wp-content/plugins/akismet/
| Last Updated: 2026-04-23T22:34:00.000Z
| Readme: http://192.168.43.39/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/akismet/ , status: 200
|
| Version: 5.3.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/akismet/readme.txt
[+] canto
| Location: http://192.168.43.39/wp-content/plugins/canto/
| Last Updated: 2026-05-07T09:11:00.000Z
| Readme: http://192.168.43.39/wp-content/plugins/canto/readme.txt
| [!] The version is out of date, the latest version is 3.1.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/canto/ , status: 200
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: Canto < 3.0.9 - Unauthenticated Blind SSRF
| Fixed in: 3.0.9
| References:
| - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
| - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
|
| [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
| Fixed in: 3.0.5
| References:
| - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
|
| [!] Title: Canto < 3.0.7 - Unauthenticated RCE
| Fixed in: 3.0.7
| References:
| - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
| - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
|
| [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
| Fixed in: 3.0.9
| References:
| - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
|
| [!] Title: Canto < 3.1.2 - Missing Authorization to Unauthenticated File Upload
| Fixed in: 3.1.2
| References:
| - https://wpscan.com/vulnerability/c189c05f-f00c-41bb-8fac-1f23da22e4fd
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3335
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/0777f759-6980-4572-a866-0210bd5f5085
|
| [!] Title: Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
| References:
| - https://wpscan.com/vulnerability/cb121deb-0089-4b97-96e0-2abedcf67599
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6441
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/c1a0200f-9861-4eca-adbf-d458eb6b4e63
|
| Version: 3.0.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/canto/readme.txt
| Confirmed By: Composer File (Aggressive Detection)
| - http://192.168.43.39/wp-content/plugins/canto/package.json , Match: '3.0.4'
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 21
[+] Finished: Sun Jun 14 02:27:47 2026
[+] Requests Done: 123281
[+] Cached Requests: 622
[+] Data Sent: 33.365 MB
[+] Data Received: 16.56 MB
[+] Memory used: 505.941 MB
[+] Elapsed time: 00:01:12
wpscan --url http://192.168.43.39/ -e u --api-token=a5a...
Output:
[+] URL: http://192.168.43.39/ [192.168.43.39]
[+] Started: Sun Jun 14 02:30:22 2026
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] erik
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.43.39/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 21
[+] Finished: Sun Jun 14 02:30:28 2026
[+] Requests Done: 1316
[+] Cached Requests: 19
[+] Data Sent: 359.413 KB
[+] Data Received: 35.41 MB
[+] Memory used: 215.184 MB
[+] Elapsed time: 00:00:06
Scan results:
- 1. The canto plugin has known vulnerabilities, and its name matches the machine's name!
- 2. There is a user named erik.
I tried brute-forcing erik's password with wpscan and the rockyou wordlist, without success, so the canto plugin looked like the only way in.
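As an added, defender-side example (not part of the original writeup and not wpscan's own code): a short Python script that parses the plugin section of wpscan's text output shown above, compares the detected plugin version with each finding's "Fixed in" version, and reports which findings are still open plus the lowest version that closes all of them. The sample input is constructed from the canto lines above, trimmed to a few findings; the regexes assume wpscan's "[+] slug" / "| Version:" / "| [!] Title:" / "| Fixed in:" layout as printed there.

```python
import re
# Constructed sample in the shape of the wpscan plugin section shown above:
# plugin header, per-finding "Title"/"Fixed in" pairs, then the detected version.
SAMPLE_OUTPUT = """\
[+] canto
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 | Fixed in: 3.0.7
 | [!] Title: Canto < 3.1.2 - Missing Authorization to Unauthenticated File Upload
 | Fixed in: 3.1.2
 | [!] Title: Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
 | Version: 3.0.4 (100% confidence)
"""
HEADER = re.compile(r"^\[\+\] (\S+)$")              # "[+] canto"
VERSION = re.compile(r"^Version: (\d+(?:\.\d+)*)")  # "Version: 3.0.4 (100% confidence)"
TITLE = re.compile(r"^\[!\] Title: (.+)$")
FIXED = re.compile(r"^Fixed in: (\d+(?:\.\d+)*)$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))    # '3.0.9' -> (3, 0, 9)

def parse_wpscan(output):
    """Map plugin slug -> {'version': tuple|None, 'findings': [[title, fixed_in|None], ...]}."""
    plugins, current = {}, None
    for line in output.splitlines():
        if m := HEADER.match(line):
            current = m.group(1)
            plugins[current] = {"version": None, "findings": []}
        elif current is not None:
            body = line.strip().lstrip("|").strip()     # drop the "| " gutter
            if m := VERSION.match(body):
                plugins[current]["version"] = parse_version(m.group(1))
            elif m := TITLE.match(body):
                plugins[current]["findings"].append([m.group(1), None])
            elif (m := FIXED.match(body)) and plugins[current]["findings"]:
                plugins[current]["findings"][-1][1] = parse_version(m.group(1))
    return plugins

def patch_gap(plugins):
    """Per plugin: findings still open at the detected version, and the lowest version closing all fixed ones."""
    report = {}
    for name, info in plugins.items():
        ver, open_titles, target = info["version"], [], info["version"]
        for title, fixed in info["findings"]:
            if fixed is not None and ver is not None and ver >= fixed:
                continue                                  # already closed at the detected version
            open_titles.append(title)                     # unfixed, or detected version predates the fix
            if fixed is not None:
                target = fixed if target is None else max(target, fixed)
        report[name] = {"open": open_titles, "upgrade_to": target}
    return report
```

Fed a saved wpscan text report instead of the sample, this gives a patch-priority list: the `upgrade_to` version per plugin and the findings that would remain open (those with no published fix still need a mitigation such as disabling the plugin).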

There is a PoC for this vulnerability (CVE-2023-3452) on GitHub; download it to Kali and use it as-is.
Note: you need to write a PHP reverse-shell file.

Start a listener and the shell comes back.
Later, when the shell dropped and I re-triggered it, I noticed there was no need to start another listener; after a short wait the shell came back on its own.

Privilege escalation
We now have a low-privileged shell on canto; user.txt cannot be read, so remembering the other user erik, the goal is to get erik's shell.
Hidden under /var/www is a .bash_history file, which, as the name says, is the user's bash command history.
Opening it shows that the user previously looked at a file under /var/backups.
www-data@canto:/var/www$ ls -al
ls -al
total 16
drwxr-xr-x 3 www-data www-data 4096 May 12 2024 .
drwxr-xr-x 15 root root 4096 May 12 2024 ..
-rw------- 1 www-data www-data 219 May 12 2024 .bash_history
drwxr-xr-x 5 www-data www-data 4096 Jun 14 05:18 html
www-data@canto:/var/www$ cat .bash
cat .bash_history
cd /var/wordpress
cd /var
cd /wordpress
export TERM=xterm
clear
ls
cd wordpress
cd wordpres
ls
cd backups
ls
clear
ls
ls -la
unzip dbbackup.zip
ls
clear
ls -la
su erik
cd /var/wordpress/backups
ls
cat 12052024.txt
exit
Let's take a look too, heh.
It's erik's username and password. We're saved!

Log straight into erik's shell and grab the first flag.

A short digression:
Later, while going through sensitive files in erik's shell, I found a notes folder in the home directory.
erik@canto:~/notes$ ls
ls
Day1.txt Day2.txt
erik@canto:~/notes$ cat Day1
cat Day1.txt
On the first day I have updated some plugins and the website theme.
erik@canto:~/notes$ cat Day2.txt
cat Day2.txt
I almost lost the database with my user so I created a backups folder.
The files inside are the user's diary; they mention a backups folder, and this clue probably points to the same /var/backups seen earlier.
End of digression.
Run sudo -l to see which commands can be run with sudo.
There is cpulimit; checking GTFOBins shows it can clearly be abused.
(I didn't actually check sudo -l first; I ran linpeas instead, heh.)


Just use the command from GTFOBins to escalate; there's nothing more to say, get root and the flag and it's done.

Key takeaways
1. WordPress ----> using wpscan
2. Information gathering
Done!
