[CTF Help] WordPress VM - LFI wrapper failing on config & SQLi Nonce missing (1/5 Flags)
2026-3-5 09:17:14 Author: www.reddit.com (view original) Reads: 7

Hi everyone,

I’m currently working on a Boot2Root/CTF VM (Ubuntu based) and I’ve hit a wall. The goal is to find 5 flags. I’ve found 1, but I’m stuck trying to pivot to the user/root.

Target Info:

  • OS: Ubuntu 16.04.3 LTS

  • Services: SSH (22), DNS (53), HTTP (80), POP3 (110), IMAP (143), SMB (139/445), Postgres (Internal).

Web: WordPress 5.2.4.

Users Identified (via /etc/passwd):

  • rooter (UID 1000) - GECOS: root3r,,,

  • admin1kl (UID 1001) - GECOS: D,2,2,2,2

Vulnerabilities Found:

  • Info Disclosure: info.php is exposed.

  • Directory Indexing: wp-content/uploads/ is open.

  • LFI: Unauthenticated Local File Inclusion in wp-vault plugin.

Current Progress & The Problem:

  1. Enumeration (WPScan): I ran an advanced wpscan (using an API token for full vulnerability data) and aggressive plugin detection.

  • Result: It identified the site-editor plugin (v1.1.1) as vulnerable to Local File Inclusion (LFI).

  • Vector: The vulnerability is in the ?wpv-image= parameter.

  2. LFI Exploitation (Confirmed but Limited): Using the site-editor vulnerability, I successfully exploited the LFI:

  • Payload: http://target/wordpress/?wpv-image=../../../../../../../../../../etc/passwd

  • Success: This worked and gave me the user list (including the root3r comment).

  • Success: I verified the web root is /var/www/html/wordpress/ by reading license.txt via absolute path.

  • The Blocker: I cannot read wp-config.php.

    • I tried php://filter/convert.base64-encode/resource=... -> Returns Empty.

    • I tried ROT13 wrappers -> Returns Empty.

    • I tried accessing it directly without wrappers -> It executes (blank screen), so the path is correct, but I can't see the source code.

    • Question: Has anyone seen a box where standard PHP wrappers are stripped/blocked like this?

  3. SQL Injection (Stalled): wpscan also flagged Photo Gallery 1.5.34 as vulnerable to Unauthenticated SQLi (admin-ajax.php).

  • The Blocker: The exploit requires a valid bwg_nonce.

  • I grepped the entire homepage HTML and other accessible pages for bwg_nonce but it is not leaking in the source code.

  • sqlmap fails with 400 Bad Request because of the missing token.

  4. Credential Hunting & Brute Force

  • Found root3r in the /etc/passwd comments for user rooter.

  • Failed Attempts: SSH rooter:root3r and WP Login admin1kl:root3r both failed.

  • Brute Force Attempt: I tried running Hydra against the WordPress login for user admin1kl using rockyou.txt.

    • Result: It was incredibly slow (projected to take days). I'm not sure if this is a hardware limitation on my end or if the server is throttling requests, but I had to abandon it. Is this normal for WP login brute-forcing on these types of VMs?

I feel like I'm staring at the answer. I have LFI, but can't read the config. I have a potential password (root3r), but it doesn't work on SSH/Login. I have directory listing enabled on /wp-content/uploads/ (no leads, apparently empty).

Has anyone seen a similar box where PHP wrappers are blocked? Or is there a specific location for the bwg_nonce I'm overlooking?

I feel like I'm missing a small trick with the LFI wrapper or the nonce location. Any nudges on what to check next?

Thanks!
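Seen from the other side of the same box, the traffic this post describes (traversal sequences and php:// stream wrappers in the wpv-image parameter) is exactly what a web-server log rule would flag. The following is an added example, not code from the post or from any of the plugins it names: it scans constructed Apache combined-format log lines (assumed, not captured from the VM) and labels each request whose query values carry a traversal sequence or a stream wrapper, handling single and double URL encoding.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" format; they are not from the VM.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2026:09:17:14 +0000] "GET /wordpress/?wpv-image=../../../../../../etc/passwd HTTP/1.1" 200 2312 "-" "curl/7.68.0"
10.0.0.5 - - [05/Mar/2026:09:18:02 +0000] "GET /wordpress/?wpv-image=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.5 - - [05/Mar/2026:09:18:40 +0000] "GET /wordpress/?wpv-image=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2312 "-" "curl/7.68.0"
10.0.0.7 - - [05/Mar/2026:09:20:11 +0000] "GET /wordpress/?wpv-image=logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
# PHP stream wrappers commonly abused through include(): the schemes, not any payload.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|glob)://', re.IGNORECASE)


def classify_value(value):
    """Return a finding label for one query-parameter value, or None if benign."""
    decoded = unquote(unquote(value))  # parse_qsl already decoded once; catch double encoding
    if WRAPPER_RE.match(decoded.strip()):
        return "php-wrapper"
    if TRAVERSAL_RE.search(decoded):
        return "path-traversal"
    return None


def scan_access_log(text):
    """Return (ip, timestamp, status, parameter, label) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            label = classify_value(value)
            if label:
                findings.append((m.group("ip"), m.group("ts"), int(m.group("status")), name, label))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A 200 response with a zero-byte body on the php://filter line is the server-side footprint of the "returns empty" behaviour the post describes, so status and size are worth keeping in the alert.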


Source: https://www.reddit.com/r/netsecstudents/comments/1rld0km/ctf_help_wordpress_vm_lfi_wrapper_failing_on/