信息收集

# nmap -sn 192.168.1.0/24 -oN live.nmap       
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 17:49 CST
Nmap scan report for 192.168.1.1
Host is up (0.00052s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00043s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.103
Host is up (0.00033s latency).
MAC Address: 00:0C:29:B6:9D:3B (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00042s latency).
MAC Address: 00:50:56:E6:68:F1 (VMware)
Nmap scan report for 192.168.1.60
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

发现192.168.1.103是新增加的IP地址！

# nmap -sT --min-rate 10000 -p- 192.168.1.103 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 17:49 CST
Nmap scan report for 192.168.1.103
Host is up (0.00067s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx
MAC Address: 00:0C:29:B6:9D:3B (VMware)Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds

开放端口信息为三个 分别是22 80 和33060，分别对应ssh http和mysqlx，进行详细的服务信息和操作系统的信息探测：

# nmap -sT -sC -sV -O -p22,80,33060 192.168.1.103 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 17:50 CST
Nmap scan report for 192.168.1.103
Host is up (0.00032s latency).PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
|   256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
|_  256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/secret.txt
|_http-title: OSCP Voucher – Just another WordPress site
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :MAC Address: 00:0C:29:B6:9D:3B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

22端口是openssh 8.2p1 操作系统是ubuntu系统！ 80端口是http Apache 2.4.41 看到了存在wordpress！同时存在一个目录为secret.txt 33060端口是mysql

# nmap -sT --script=vuln -p22,80,33060 192.168.1.103 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 17:50 CST
Nmap scan report for 192.168.1.103
Host is up (0.00038s latency).PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.103
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.1.103:80/
|     Form id: search-form-1
|     Form action: http://192.168.1.103/
|     
|     Path: http://192.168.1.103:80/
|     Form id: search-form-2
|     Form action: http://192.168.1.103/
|     
|     Path: http://192.168.1.103:80/index.php/2020/07/
|     Form id: search-form-1
|     Form action: http://192.168.1.103/
|     
|     Path: http://192.168.1.103:80/index.php/2020/07/
|     Form id: search-form-2
|_    Form action: http://192.168.1.103/
| http-wordpress-users: 
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2 
|   /: WordPress version: 5.4.2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
33060/tcp open  mysqlx
MAC Address: 00:0C:29:B6:9D:3B (VMware)

发现了wordpress的用户是admin！还有几个目录的信息！没有其他的别的信息了；

寻找立足点

刚才看到了一个secret文件，查看一下！

发现可能是base64编码，直接下载下来该文件，然后尝试base64解码！

发现只openssh的私钥！尝试转为id_rsa 并且赋予权限为600，但是我们目前没有用户名！看到首页存在大量的文字说明：

发现提示我们说 这个盒子的唯一用户是oscp！尝试利用私钥进行登录：

登陆成功~ 准备提权工作！

提权

由于没有oscp的密码，所以没法查看到oscp的sudo权限！

查看suid文件，发现了存在pkexec！

暂时先不用，继续看看其他的！查看了网站的目录下面存在wp-config.php文件，找到了数据库的账号和密码信息！

数据库中没什么信息；回到了suid文件，看到了存在/usr/bin/bash！直接./bash -p即可

读取flag：