Lazysysadmin

Information gathering

# nmap -sn 192.168.1.0/24 -oN live.port                     
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:10 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00075s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00055s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00011s latency).
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00021s latency).
MAC Address: 00:50:56:E2:FC:91 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.

The target VM's IP address is identified as 192.168.1.97.

# nmap -sT --min-rate 10000 -p- 192.168.1.97 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.0021s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:AF:FE:0C (VMware)

There are quite a few open ports. Port 80 stays the primary focus for finding a way in, with the other ports as supporting leads; it is not yet clear what service is listening on port 6667.

# nmap -sT -sC -sV -O -p80,22,139,445,3306,6667 192.168.1.97 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00055s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Backnode
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  microsoft-ds Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.1.60
|_  error: Closing link: (nmap@192.168.1.60) [Client exited]
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2024-01-30T23:24:42+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-01-30T13:24:42
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds

The detailed scan returns a lot of output; the highlights: port 80 runs Apache 2.4.7 and serves a robots.txt; the Samba service reveals the workgroup; the operating system is Ubuntu. Port 6667 also returned information, but I don't know this service yet, so I'll read on and look into what IRC is shortly. SMB discovery also disclosed the OS and the computer name.
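To turn a scan like the one above into hardening tickets rather than reading it by eye, here is an added example (not part of the original write-up) that parses nmap's normal (-oN) output format and flags the defender-relevant findings: guest SMB access, disabled SMB signing, and the paths advertised by robots.txt. The embedded input is an excerpt of the detail scan above; the finding texts are my own wording.

```python
import re

# Excerpt of the detail scan shown above, embedded so the script runs offline.
SCAN_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
445/tcp  open  microsoft-ds Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
| smb-security-mode: 
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r"^\|_?\s+(\w+):\s*(.*)$")   # "|   key: value" inside an NSE block

def parse_open_ports(text):
    # Map port number -> (service, version string) for every open port line.
    return {int(m.group(1)): (m.group(2), m.group(3).strip())
            for m in map(PORT_RE.match, text.splitlines()) if m}

def script_value(text, script, key):
    """Value of `key` inside the `| script:` block (the block ends at its `|_` line), or None."""
    in_block = False
    for line in text.splitlines():
        if line.startswith(f"| {script}:"):
            in_block = True
        elif in_block:
            m = KV_RE.match(line)
            if m and m.group(1) == key:
                return m.group(2).strip()
            if not line.startswith("|") or line.startswith("|_"):
                break
    return None

def robots_entries(text):
    # Paths are printed on the line right after the http-robots.txt header.
    lines = text.splitlines()
    hits = [lines[i + 1] for i, l in enumerate(lines[:-1]) if l.startswith("| http-robots.txt:")]
    return hits[0].lstrip("|_ ").split() if hits else []

def findings(text):
    """Defender-side triage: one hardening item per risky observation."""
    ports, out = parse_open_ports(text), []
    if 445 in ports and script_value(text, "smb-security-mode", "account_used") == "guest":
        out.append("SMB: guest access allowed; require authentication on shares")
    if 445 in ports and str(script_value(text, "smb-security-mode", "message_signing")).startswith("disabled"):
        out.append("SMB: message signing disabled; set 'server signing = mandatory'")
    out += [f"robots.txt advertises {p}; make sure it needs no access control" for p in robots_entries(text)]
    return out
```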

# nmap -sT --script=vuln -p80,22,139,445,3306,6667 192.168.1.97 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00075s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /wordpress/: Blog
|   /test/: Test page
|   /robots.txt: Robots file
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /wordpress/wp-login.php: Wordpress login page.
|   /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
| irc-botnet-channels: 
|_  ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 00:0C:29:AF:FE:0C (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false

The default vuln scripts turn up several interesting directories, including a wordpress directory, so this is most likely WordPress, and the foothold will very probably come through WordPress.

Here I looked up what IRC is:

Finding a foothold

Since WordPress is running on port 80 and it is something we are fairly familiar with, start there.

Below the page there is an English sentence, "My mind in MYSQL", hinting that the approach should involve MySQL? Take a look at the robots file:

There are several directories; try visiting each of them. The old directory:

The directory below does contain files; the others have nothing. Even so, we can check whether the PUT method is enabled, which would allow uploading files directly.

During information gathering above we also saw several other directories; visit each of those too.

The phpMyAdmin interface:

I tried some weak passwords here, without success:

Look at the wordpress directory:

A possible username, togie, shows up, and Admin appears in the comments:

First use wpscan for an initial scan for vulnerabilities and user information. wpscan identifies a user:

but not the togie user we found above. wpscan also finds no vulnerable plugins:

Try weak credentials against the WordPress admin login:

The test directory does not allow uploads via PUT. I tried several weak WordPress admin passwords, all of which failed. Since togie (the site mentions togie many times; this user seems significant) is not a WordPress user, whose user is it? MySQL or SSH?

MySQL login fails. Try togie against SSH; go straight to hydra, since we don't know the password, and as luck would have it, it actually cracks it:

Next, log in:

First confirm the state of the target:

Next comes privilege escalation.

Privilege escalation

Since system information such as memory usage was displayed on successful SSH login, could MOTD privilege escalation be involved? Let's take a look:

Huh? rbash! That will need bypassing. Check whether sudo is available and what the current user's permissions are:

No problem, excellent: three ALLs!

So escalate directly and read the flag file. This box is fairly easy; it looks complex but is actually simple.

Summary

After finishing last night I had nothing to do and watched 红笔师傅's walkthrough video, whose approach is completely different from mine, so here is a replay of his approach:

Back to where wpscan found little and we found the togie user, who is not a WordPress user: at that point port 80 seemed to offer no further way in. Since the box exposes ports 139 and 445, try logging in there:

Enumerate information with enum4linux:

It finds printers and shares; try connecting to the share, logging in with smbclient:

Login works with no password at all, and there are many files and directories, so download them straight away: download everything under the current directory, then, seeing a wordpress directory with a config file, download that too:

prompt OFF turns off the prompt, so it will not ask for confirmation on every file we download.

The Backnode_files directory seems to hold nothing of value, apart from an image with an odd filename that we saw earlier and tried to base64-decode, which yielded nothing; on to the other directories:

The other directories have nothing either, so exit and see whether what we downloaded is of any value:

A hint that a password is 12345 (whose password, we don't know yet).

Getting a shell via plugin upload

The wp config file reveals the database username and password. Take the two passwords and the one username and try them against the WordPress admin login; the database credentials log in successfully. Next, use a plugin for RCE:

First pack the prepared reverse shell into a zip archive.

Take the header from another plugin and adapt it:

Then upload and install it.

Then access the file inside the plugin:

192.168.1.97/wordpress/wp-content/plugins/sh/sh.php

Initial foothold obtained!

Getting a shell by editing the 404 file

Another way is to write the reverse shell directly in the editor (put the reverse shell script into the 404 page):

After updating, find a way to trigger the 404 page:
