Vulnhub-w1r3s-editable

1. Information Gathering

Port scan: FTP allows anonymous login, but it did not yield any useful clues.

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)

Directory scan: the first pass with the Yujian (御剑) scanner found wordpress, but visiting it only redirected; a later scan with dirb found cuppa cms.

2. Exploitation

Search for known vulnerabilities with searchsploit cuppa.

Read the /etc/shadow file, which stores the encrypted (hashed) account passwords.

In total, three accounts have passwords.
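
The check below is an added example, not part of the original write-up: it parses shadow-format lines and lists the accounts whose password field holds a hash (or nothing at all), which are the accounts exposed to offline guessing once the file becomes readable. The sample entries, user names and the `classify`/`audit` function names are constructed for illustration.

```python
# Added example: audit shadow-format entries (all sample data is constructed).
SCHEMES = {  # crypt(3) identifier -> (scheme name, considered legacy)
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}

def classify(field):
    """Return (status, scheme, legacy) for the second field of a shadow line."""
    if field == "":
        return ("empty-password", None, True)   # login without any password
    if field[0] in "!*":
        return ("locked", None, False)          # password login disabled
    if field.startswith("$"):
        ident = field.split("$")[1]             # "$6$rounds=..$salt$hash" -> "6"
        name, legacy = SCHEMES.get(ident, ("unknown($%s$)" % ident, True))
        return ("hash", name, legacy)
    return ("hash", "descrypt", True)           # traditional 13-character DES crypt

def audit(text):
    """List accounts whose password field is usable if the file leaks."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                            # malformed line, skip it
        status, scheme, legacy = classify(parts[1])
        if status != "locked":
            findings.append({"user": parts[0], "status": status,
                             "scheme": scheme, "legacy": legacy})
    return findings

# Constructed sample: names, salts and hashes are placeholders, not from the target.
SAMPLE = """\
root:$6$EXAMPLESALT$PLACEHOLDERHASH:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
sshd:!:17554:0:99999:7:::
alice:$6$rounds=5000$EXAMPLESALT$PLACEHOLDERHASH:17567:0:99999:7:::
bob:$1$EXAMPLESALT$PLACEHOLDERHASH:17567:0:99999:7:::
svc::17567:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Accounts reported with `legacy` set or with an empty password are the first to fix; the others still depend on password strength, since any leaked hash can be guessed offline.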

Cracking the hashes with john eventually recovered the passwords of two users.

3. Privilege Escalation

Further information gathering shows that sudo can run bash directly with root privileges.
