DeRPnStiNK

Contents

Information disclosure

View robots.txt

wpscan

Plugin vulnerabilities

Reverse shell

wp-config.php

Cracking passwords with john

The stinky user

Finding the private key

Downloading the packet capture with nc

sudo privilege escalation

sudo -l


Information disclosure

An nmap scan finds open ports 21, 22 and 80; check the reported versions for known issues.

nmap -A 192.168.243.160

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:18:D5:E3 (VMware)

View robots.txt

Browse to port 80 and look up the contents of robots.txt;

The directory enumeration shows paths returning 200; the wp-admin directory indicates a WordPress install.

The wpscan tool

Use wpscan to enumerate user names and password-related information; an existing user name is found.

wpscan -u http://192.168.243.160/weblog -eu

Plugin vulnerabilities

Check whether any installed plugin has an exploitable vulnerability.

root@kali:~# wpscan -u http://192.168.243.160/weblog -eu,vt,vp

Visiting the slideshow-gallery link shows the plugin's details:

http://192.168.243.160/weblog/wp-content/plugins/slideshow-gallery/

The Slideshow Gallery plugin is found; search for a matching exploit.

A nikto scan reveals the site version and the HTTP methods in use.

nikto -h http://192.168.243.160/

Check the contents of info.txt; it hints that a hosts entry needs to be added.

Add the hosts entry.

Visit the WordPress login page:

http://derpnstink.local/weblog/wp-login.php?redirect_to=http%3A%2F%2F192.168.243.160%2Fweblog%2Fwp-admin%2F&reauth=1

The default password admin gets into the dashboard:

http://derpnstink.local/weblog/wp-admin/index.php

Reverse shell

php-reverse-shell.php is located under /usr/share/webshells/php/.

Check the configuration file: wp-config.php

The file contains the database connection details; the users table holds two password hashes:

$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41

$P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/

Cracking passwords with john

Use john to crack the password hashes.
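The `$P$` prefix marks the two hashes above as phpass "portable" hashes, the scheme WordPress used at the time: salted MD5 iterated 2^n times, with n encoded in the fourth character (`B` = 13, so 8192 rounds). The block below is an added example written for this edit, not code from the write-up; it ports the phpass algorithm to Python so a defender can read the work factor off a stored hash and see why a wordlist run through john finishes quickly. The `test12345` vector is the one shipped in phpass's own test.php; the demo password and wordlist are constructed, and no claim is made about which page hash corresponds to which password.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# phpass alphabet: crypt(3)-style base64, NOT RFC 4648 base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The two $P$ hashes the write-up recovered from wp-config.php / the database.
PAGE_HASHES = [
    "$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41",
    "$P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/",
]


def encode64(data: bytes, count: int) -> str:
    """Port of phpass encode64(): packs bytes little-endian, 6 bits per output char."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iterations_of(setting: str) -> int:
    """Decode the work factor: the 4th character is log2 of the MD5 round count."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        raise ValueError("iteration count outside phpass limits")
    return 1 << count_log2


def crypt_private(password: str, setting: str) -> str:
    """phpass crypt_private(): md5(salt+pw), then 2**n rounds of md5(prev+pw)."""
    count = iterations_of(setting)
    salt = setting[4:12].encode()
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(count):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h, 16)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    try:
        computed = crypt_private(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


def hash_password(password: str, count_log2: int = 13) -> str:
    """Make a fresh hash; 13 (= 8192 rounds, prefix $P$B) is what WordPress used."""
    salt = encode64(os.urandom(6), 6)  # 6 random bytes -> 8 salt characters
    return crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def audit_against_wordlist(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """What john does in spirit: return the first candidate that reproduces the hash."""
    for word in candidates:
        if check_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    for h in PAGE_HASHES:
        print(h, "->", iterations_of(h), "MD5 rounds")
    demo = hash_password("correct horse battery")  # constructed demo password
    print(demo, audit_against_wordlist(demo, ["admin", "password", "correct horse battery"]))
```

8192 rounds of MD5 is a few microseconds per guess on commodity hardware, so a weak password falls to a dictionary run almost immediately; the defensive fix is a slow, memory-hard scheme (bcrypt or Argon2) together with a password policy, and the admin:admin login seen earlier bypasses any hashing at all.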

The home directory shows two accounts [mrderp, stinky].

The cracked passwords are shown.

The stinky user

Try each cracked password in turn to log in: wedgie57

A packet capture is present: download it.

Finding the private key

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Downloading the packet capture with nc

Use nc to download the packet capture and extract information from it.

Analysis

strings derp.pcap | grep mrderp


derpderpderpderpderpderpderp

Filter and analyse the capture in Wireshark.

Switch to the mrderp account.

sudo privilege escalation

The principle: while an ordinary user runs a command through sudo, that command temporarily runs with root privileges. If the command is not interrupted and can invoke other system commands while running, it can start /bin/bash directly, and that bash is then running as root.

sudo -l

Since that file does not exist under mrderp's home directory, create the directory: mkdir binaries
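The escalation works because the sudo rule names a path inside the user's own home directory that the user can simply create. The write-up only shows the `sudo -l` output as a screenshot, so the sudoers lines below are constructed for this example and merely shaped like that situation; the auditor itself is an added example, not the box's or the write-up's code, and `audit_sudoers`, `Finding` and the sample users are my names. It flags the three patterns a defender should hunt for in `/etc/sudoers` and `sudoers.d`: wildcards in the command path, commands under user-writable directories, and editors or interpreters that can spawn a subshell.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample sudoers content (not the real sudo -l output from the box).
SAMPLE_SUDOERS = """\
# sample, constructed for this example
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/*
alice   ALL=(root) NOPASSWD: /usr/bin/vim
bob     ALL=(root) /usr/bin/systemctl restart nginx
carol   ALL=(root) /tmp/deploy.sh
"""

# Well-known binaries that let the caller run arbitrary commands once started.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "ruby", "env", "bash", "sh"}
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user  host=(runas) [NOPASSWD:] cmd, cmd, ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    command: str
    reason: str
    nopasswd: bool


def audit_sudoers(text: str) -> List[Finding]:
    """Scan sudoers-style lines and return one Finding per risky pattern."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd or cmd == "ALL":
                continue  # unrestricted root is a policy choice, not a misconfiguration
            path = cmd.split()[0]
            if "*" in path or "?" in path:
                findings.append(Finding(user, cmd, "wildcard in command path", nopasswd))
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append(Finding(user, cmd, "command lives under a user-writable directory", nopasswd))
            if os.path.basename(path) in SHELL_CAPABLE:
                findings.append(Finding(user, cmd, "binary can spawn a shell", nopasswd))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (NOPASSWD)" if f.nopasswd else ""
        print(f"{f.user}: {f.command}{flag} -> {f.reason}")
```

The remediation for each finding is the same shape: point the rule at an exact, root-owned path (mode 0755 or tighter, directory included), drop wildcards, and replace shell-capable binaries with a purpose-built wrapper that takes no user-controlled arguments. Running the auditor over `visudo -c`-validated files as part of configuration review catches the `/home/<user>/...` pattern before an attacker does.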
