信息收集

# nmap -sn 192.168.1.0/24 -oN live.port                     
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:10 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00075s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00055s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00011s latency).
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00021s latency).
MAC Address: 00:50:56:E2:FC:91 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.

探测到目标靶机IP地址为192.168.1.97

# nmap -sT --min-rate 10000 -p- 192.168.1.97 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.0021s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:AF:FE:0C (VMware)

开放的端口信息比较多，当然还是先以80端口为重点，寻找突破点，其他的端口作为辅助；6667端口暂时还不知道是什么样的服务~

# nmap -sT -sC -sV -O -p80,22,139,445,3306,6667 192.168.1.97 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00055s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Backnode
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  `JRSV      Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.1.60
|_  error: Closing link: (nmap@192.168.1.60) [Client exited]
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2024-01-30T23:24:42+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-01-30T13:24:42
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds

详细信息探测的结果比较多，挑选出来重点：80端口Apache2.4.7 存在robots文件，samba服务探测到工作组信息，操作系统是Ubuntu系统！6667端口也有信息，但是这里还没有了解，先向下看看，一会去了解下irc服务是什么；smb探测到了os的计算机名等信息！

# nmap -sT --script=vuln -p80,22,139,445,3306,6667 192.168.1.97 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00075s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /wordpress/: Blog
|   /test/: Test page
|   /robots.txt: Robots file
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /wordpress/wp-login.php: Wordpress login page.
|   /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
| irc-botnet-channels: 
|_  ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 00:0C:29:AF:FE:0C (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false

默认漏洞脚本的探测结果显示存在几个感兴趣的目录，同时存在wordpress目录，那应该就是wordpress了！很大的概率是通过wordpress进行建立立足点；

这里去了解了一下什么是irc：

寻找立足点

既然80端口上存在wordpress，这个是我们比较熟悉的，那就先从这里入手；

可以看到下面存在一句英文”My mind in MYSQL“ 提示我们思路应该在MYSQL上面？看一下robots文件：

存在几个目录，尝试都访问一下：old目录：

下面这个目录是存在文件的，其他的都没有，虽然没有，但是可以查看是不是开启了PUT方法等，能直接上传文件！

上面信息收集的时候，还看到了几个其他的目录，这里也都挨着去访问一下看看！

phpmyadmin界面：

这里尝试了一下弱口令，但是没有什么效果：

查看wordpress目录：

发现可能存在用户名为togie，同时在评论处，发现了Admin：

这里先尝试利用wpscan进行初步的漏洞和用户等信息的探测！wpscan识别到存在用户：

但是并没有上面我们发现的togie用户~ 但是利用wpscan并没有寻找到存在漏洞的插件等：

尝试弱口令登录到wordpress的后台：

可以看到test目录是不可以利用PUT方式上传文件的！这里去尝试了几个wordpress的后台弱口令，均以失败而告终！这个togie（网站上说了很多次togie 感觉这个用户还是有东西的！）用户既然不是wordpress的用户，那是谁的用户？mysql 还是ssh？

mysql无法登录，尝试一下togie去登录ssh，直接上hydra吧，毕竟也不知道密码，巧了真爆破出来了：

接下来去登录：

先确认靶标情况：

接下来就是提权了！

提权

因为我们在ssh登陆成功的时候，出现了系统的信息，内存等使用率；这里会不会涉及到motd提权？看一下吧：

哎？ rbash了！需要绕过了这就！看看能使用sudo不，查看下当前用户的权限呗：

没问题，非常好了！三个ALL！

那就直接提权了！看看flag文件！这个靶机比较简单，看起来很复杂，但是实际上很简单了！

总结

昨晚打完之后，闲来无事看了一下红笔师傅的讲解视频，跟自己的打法完全不同，所以来复盘一下红笔师傅的打法：

回到我们wpscan没有什么信息，同时发现了togie用户，但是并不是一个wordpress的用户！于是到了这里似乎80端口上无法进一步去利用了~ 既然靶机开放了139 445端口，所以就尝试去登陆一下：

利用enum4linux进行信息的枚举：

发现了打印机和共享，尝试来链接共享，利用smbclient去登录：

直接无密码登录，上来发现了很多的文件和目录信息，所以直接给下载下来！直接下载当前目录下面所有的文件，然后看到存在wordpress目录，看到存在配置文件，也下载下来：

prompt OFF是将提示关闭掉，所以我们下载文件的时候，就不会每次询问我们！

Backnode_files目录下面似乎没什么有价值的东西，存在一个文件名比较奇怪的图片，之前我们就看到了，当时还去尝试了base64解码，似乎没什么东西，继续看其他的目录：

其他的目录也没什么东西了，所以这里我们就退出了，看一下下载得到的东西有什么价值嘛：

提示一个密码是12345（也不知道是谁的密码）

插件上传getshell

wp的配置文件中发现了数据库的账号和密码信息！于是拿着两个密码和一个账号去碰撞wordpress的后台！最终利用数据库的账号和密码信息，成功登陆到了wordpress的后台，接下来就是利用插件等进行RCE：

先给写好的反弹shell，进行压缩，形成压缩包！

直接将其他的插件头拿过来改一下：

然后上传安装即可！

然后访问插件中的文件：

192.168.1.97/wordpress/wp-content/plugins/sh/sh.php

成功拿到初始的立足点！

修改404文件getshell

还有一种方式是直接编辑写反弹shell：（往404页面里面写反弹shell脚本）

更新之后，想办法触发404页面的执行：