HackMyVM target series (4): vulny
2022-07-06 13:57:00 【The moon should know my meaning】
1. Information gathering
As usual, start with a sweep of the network segment to discover the host:
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Use nmap to scan the ports. Two ports were found: 80 and 33060 (I don't know what that one is; leave it for now).
nmap -sC -sV 192.168.200.153 -p-
Visiting the home page turns up nothing useful.
As usual, follow up with a round of directory scanning to see whether anything useful can be found.
Scan the directories with gobuster:
gobuster dir -u http://192.168.200.153 -w directory-list-2.3-medium.txt -t 30 -x php,html,txt,7z,zip,bak,gz
Several directories and files were found; after visiting them, only the secret directory is of interest.
The keyword wordpress appears there. Is the CMS of this site WordPress?
Use dirsearch to scan this directory as well:
dirsearch -u "http://192.168.200.153/secret/" -e php,html,txt,zip,bak,gz,7z -x 404,500-599 -t 50
Sure enough, it is WordPress, and there are many directories.
Visit the directories one by one to see whether there is anything to be gained.
A compressed file was found; download it and take a look. After opening it, however, I found I was still too green to understand it.
So I looked it up on Baidu: it is a WordPress plugin, and it has an arbitrary file upload vulnerability.
Searching on exploit-db turned up an exploitation script, but it kept throwing syntax errors and I could not fix it, so I had to find another way.
2. Exploitation
Use msf; an exploit module for this vulnerability exists in msf.
Configure the module parameters and run it; the exploit succeeds and a shell with the web user's privileges is obtained. Use python to get an interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Check the users: besides root there is one more user, adrian.
cat /etc/passwd
Pay attention to this line: it mentions the configuration file and the ability to read an account and password from it.
So try reading the WordPress configuration file!
<!-- An image is missing here; reading the configuration file shows a line with a comment -->
Oh! A comment line is found here. Is this the password of the user above?
adrian:idrinksomewater
Perfect, the user switch succeeded!
Get the first flag.
3. Privilege escalation
Check whether there is any command that can be used to escalate privileges!
The flock command can be run with sudo as any user without a password.
Enter the following command to escalate privileges:
sudo flock -u / /bin/bash
Perfect, privileges successfully escalated to root.
Get the second flag.
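The sudo rule above is the root cause of the escalation, so the defensive check is to audit sudoers for NOPASSWD rules on binaries that can launch another program. The following Python audit is an added example, not code from the original post; the sudoers excerpt and the SHELL_CAPABLE list are constructed assumptions.

```python
"""Audit a sudoers file for NOPASSWD rules that let a user run, as another
account, a binary that can hand back a shell (flock, as in the write-up)."""
import re

# Binaries that can exec an arbitrary program; extend from your own baseline.
SHELL_CAPABLE = {"flock", "bash", "sh"}

# Constructed sample; on a real host read /etc/sudoers with visudo -c or sudo -l.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
adrian  ALL=(ALL) NOPASSWD: /usr/bin/flock
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# user host=(runas[:group]) [TAG: ...] cmd[, cmd...]
SUDOERS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one rule dict per (user, command) pair found in the text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas").split(":")[0].strip(),
                "nopasswd": "NOPASSWD" in tags,
                "binary": cmd.split()[0].rsplit("/", 1)[-1],  # basename
                "cmd": cmd,
            })
    return rules


def risky_rules(rules):
    """Passwordless rules on shell-capable binaries or on ALL."""
    return [r for r in rules
            if r["nopasswd"] and (r["binary"] in SHELL_CAPABLE or r["cmd"] == "ALL")]
```

Fixing a flagged rule means requiring a password, pinning the full argument list, or dropping the rule entirely.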