[CTF Help] WordPress VM - LFI wrapper failing on config & SQLi Nonce missing (1/5 Flags)
2026-3-5 09:18:45 Author: www.reddit.com

Hi everyone,

I’m currently working on a Boot2Root/CTF VM (Ubuntu based) and I’ve hit a wall. The goal is to find 5 flags. I’ve found 1, but I’m stuck trying to pivot to the user/root.

Target Info:

  • OS: Ubuntu 16.04.3 LTS

  • Services: SSH (22), DNS (53), HTTP (80), POP3 (110), IMAP (143), SMB (139/445), Postgres (Internal).

  • Web: WordPress 5.2.4.

Users Identified (via /etc/passwd):

  • rooter (UID 1000) - GECOS: root3r,,,

  • admin1kl (UID 1001) - GECOS: D,2,2,2,2

Vulnerabilities Found:

  • Info Disclosure: info.php is exposed.

  • Directory Indexing: wp-content/uploads/ is open.

  • LFI: Unauthenticated Local File Inclusion in wp-vault plugin.

Current Progress & The Problem:

  1. Enumeration (WPScan): I ran an advanced wpscan (using an API token for full vulnerability data) and aggressive plugin detection.

  • Result: It identified the site-editor plugin (v1.1.1) as vulnerable to Local File Inclusion (LFI).

  • Vector: The vulnerability is in the ?wpv-image= parameter.

  2. LFI Exploitation (Confirmed but Limited): Using the site-editor vulnerability, I successfully exploited the LFI:

  • Payload: http://target/wordpress/?wpv-image=../../../../../../../../../../etc/passwd

  • Success: This worked and gave me the user list (including the root3r comment).

  • Success: I verified the web root is /var/www/html/wordpress/ by reading license.txt via absolute path.

  • The Blocker: I cannot read wp-config.php.

    • I tried php://filter/convert.base64-encode/resource=... -> Returns Empty.

    • I tried ROT13 wrappers -> Returns Empty.

    • I tried accessing it directly without wrappers -> It executes (blank screen), so the path is correct, but I can't see the source code.

    • Question: Has anyone seen a box where standard PHP wrappers are stripped/blocked like this?

  3. SQL Injection (Stalled): wpscan also flagged Photo Gallery 1.5.34 as vulnerable to Unauthenticated SQLi (admin-ajax.php).

  • The Blocker: The exploit requires a valid bwg_nonce.

  • I grepped the entire homepage HTML and other accessible pages for bwg_nonce but it is not leaking in the source code.

  • sqlmap fails with 400 Bad Request because of the missing token.

  4. Credential Hunting & Brute Force

  • Found root3r in the /etc/passwd comments for user rooter.

  • Failed Attempts: SSH rooter:root3r and WP Login admin1kl:root3r both failed.

  • Brute Force Attempt: I tried running Hydra against the WordPress login for user admin1kl using rockyou.txt.

    • Result: It was incredibly slow (projected to take days). I'm not sure if this is a hardware limitation on my end or if the server is throttling requests, but I had to abandon it. Is this normal for WP login brute-forcing on these types of VMs?

I feel like I'm staring at the answer. I have LFI, but can't read the config. I have a potential password (root3r), but it doesn't work on SSH/Login. I have directory listing enabled on /wp-content/uploads/ (no leads, apparently empty).

Has anyone seen a similar box where PHP wrappers are blocked? Or is there a specific location for the bwg_nonce I'm overlooking?

I feel like I'm missing a small trick with the LFI wrapper or the nonce location. Any nudges on what to check next?

Thanks!
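From the defender's side, the requests described in the post (traversal sequences and php://filter wrappers in the wpv-image parameter) are exactly what a web-server log check should surface. The following is an added detection example, not code from the post or from any WordPress plugin; it assumes Apache/Nginx "combined" log format, and the log lines are constructed to mirror the payloads above (including a double-URL-encoded variant the post does not mention).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators, checked after URL-decoding so encoded variants are caught too.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = re.compile(r"/etc/passwd|wp-config\.php", re.I)
WRAPPER = re.compile(r"^(php|data|expect|phar|zip|file|glob)://", re.I)

# Combined-format access log: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines mirroring the wpv-image requests described in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2026:09:18:45 +0000] "GET /wordpress/?wpv-image=../../../../../../etc/passwd HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Mar/2026:09:19:02 +0000] "GET /wordpress/?wpv-image=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Mar/2026:09:19:30 +0000] "GET /wordpress/?wpv-image=%252e%252e%252fwp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [05/Mar/2026:09:20:11 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

def analyze_request(url: str) -> list[str]:
    """Return the reasons a request URL looks like LFI probing (empty list if clean)."""
    reasons = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded (%252e) sequences are seen.
        decoded = unquote(value)
        if WRAPPER.match(decoded.strip()):
            reasons.append(f"{name}: PHP stream wrapper {decoded.split('://', 1)[0].lower()}://")
        if TRAVERSAL.search(decoded):
            reasons.append(f"{name}: path traversal sequence")
        if SENSITIVE.search(decoded):
            reasons.append(f"{name}: sensitive file reference")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["url"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "url": m["url"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["url"], "->", "; ".join(f["reasons"]))
```

A 200 response paired with a wrapper or traversal indicator is the case worth alerting on first, since it means the include path was reachable rather than rejected.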


Source: https://www.reddit.com/r/HowToHack/comments/1rld1eb/ctf_help_wordpress_vm_lfi_wrapper_failing_on/