vulnhub Literally-Vulnerable
-
0X01 Main Point
1. wordpress framework for the development of wpscan basic use
2. PWD environment variable to provide the right
3. set up SSH , key landing
4. get a low-privileged shell variety of positions
5.kali comes dirb scan web directory (dictionary so delicious) -
0X02 pre-sniffing and port detection
kali terminalarp-scan -lto get drone IP: 172.20.10.3
nmap scan drone open ports there65535、80、21、23, namely,HTTP、HTTP、FTP、SSHservice, and anonymous FTP services are logged in and readable file.
After direct anonymous FTP LoggetFiles to attack aircraft, see:
There doe user's password, one by one test thedoeuser's SSH, FTP no fruit. Now turning to look at the target site, found a Wordpress framework of a personal blog, but the page is displayed very strange, find links to all use the domain name: http: //literally.vulnerable/, we returned to the hosts on kali increase the domain name resolved locally :
now revisit the page to get regular,
routinedirsearchsweep catalog, here comes kalidirbmay be, are foreign commonly used directories, has wp login screen after sweeping out, but the password given before the meal fuzz-free fruit! Beyond expectations, and had other than to be able to log, and spent several user names blasting are no results.
那不妨在看看66536的端口
同样用dirb扫目录,这个时候字典格外关键,我用dirsearch.py在物理机是没有扫出来想要的目录的,建议使用dirb自带的大字典,或者是使用https://github.com/danielmiessler/SecLists中的/Discovery/Web-Content/raft-large-directories.txt这个字典足够大了。这里我们使用前者,dirb自带的字典进行扫描。
可以看到用常规字典是并没有扫除目标目录的,我们进入dirb自带的字典目录(/usr/share/dirb/wordlists)选一个更大的字典big.txt,进行扫描即可。
/phpcms这个目录发现又是另外一个wordpress框架的网站
高高兴兴用之前得到的密码发现又没有用,login界面也不知道User,既然是wordpress,那用wpscan扫描有什么新发现,各种扫描后发现可以枚举得到用户名,再根据我们之前得到的密码,逐一枚举可以成功登录!----wpscan具体用法参考:https://www.freebuf.com/sectool/174663.html
得到用户:notadmin、maybeadmin
利用之前的backpassword枚举爆破得到成功登录的user/password
wpscan --url http://172.20.10.3:65535/phpcms/ --user notadmin -P '/root/bp'
登录发现果然不是admin用户,但是在留言那儿看到了另外一个密码,我们再退出用这个密码登录noadmin用户发现是admin权限。
登陆之后找到上传模板并修改。
- 姿势一:利用PHP一句话,蚁剑连接,在进行反弹shell,得到www用户的shell
- 姿势二:直接构造PHP版的一句话反弹shell,监听后得到www用户的shell
- 姿势三:利用msfconsole的
exploit/unix/webapp/wp_admin_shell_upload直接得到shell
这里利用第三种姿势得到shell,show options查看各种需要set的配置,利用已知的notadmin用户和密码,成功得到shell。再利用python3(前期发现是python3版本)得到交互式shell
在/home下发现doe、john两个用户,各种胡乱fuzz,发现有执行和读取的文件少之又少,可见必须先提权才行。发现一个可执行已经编译的itseasy文件,而且是任意用户可以执行的,这里执行了一下这个可执行文件,得到的结果是:Your Path is: /home/doe。由于当前所在路径就是/home/doe,所以猜测这个可执行文件是调用了pwd命令,可以通过PATH环境变量进行提权。
https://www.freebuf.com/articles/system/173903.html
但此处利用PATH好像没有用,这里可能调用的是PWD环境变量,修改环境变量发现成功得到john用户的shell。
但这个时候可以执行命令但是并无回显任何东西,既然我们有一个较高权限的shell,这里干脆使用SSH进行连接。
SSH连接:
- kali终端
ssh-keygen目的是将公钥给到john用户 - 在
/home/john目录下创建.ssh文件夹,将kali的公钥导入到/.ssh/authorized_keys文件中 - kali be SSH connection to successfully connect to the
John用户
note I am using a blank password.
SSH can be obtained after a successful/home/johndirectory is a flag, but to see the permissionsjohnthe user's password, here we look for hidden files, find hidden.localthere folderjohnuser's password (base64 prompted decryption)john:YZW$s8Y49IB#ZZJ
sudo -lCan be found that can take advantage of /var/www/html/test.html, but johndo not have permission in /var/www/htmlwriting to a file, only www用户you can write files, users cut back www
echo '/bin/bash' > /var/www/html/test.htmlIn the given executable permissions , so the user can execute john
reference chmod command
chmod 777 test.html
after the user back to the john, sudo test.htmlfound success becomes the root user to get the final flag!
Finally create your own user as a trophy:
