Preface

This writeup tails off a bit: there is one step I never managed to figure out.

Web foothold

nmap -sP 192.168.218.0/24
# host discovered: 192.168.218.138
# port scan
nmap -sV -p- 192.168.218.138

The results are as follows:

Nmap scan report for 192.168.218.138
Host is up (0.00038s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
65535/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 00:0C:29:6F:A0:4F (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP allows anonymous login (username ftp, empty password).

Download the file and open it in Notepad++:

Hi Doe, 

I'm guessing you forgot your password again! I've added a bunch of passwords below along with your password so we don't get hacked by those elites again!

*$eGRIf7v38s&p7
yP$*SV09YOrx7mY
GmceC&oOBtbnFCH
3!IZguT2piU8X$c
P&s%F1D4#KDBSeS
$EPid%J2L9LufO5
nD!mb*aHON&76&G
$*Ke7q2ko3tqoZo
SCb$I^gDDqE34fA


Visiting port 80, the page does not render properly. Clicking any search button reveals the hostname in the redirect link; after mapping literally.vulnerable to the target IP in the hosts file, the page renders normally.

Web fingerprinting identifies this as a WordPress site (which is obvious just by looking at it).

Run a directory scan:

[21:48:18] 200 -   25KB - /admin/?/login
[21:48:54] 200 -   25KB - /domcfg.nsf/?open
[21:49:00] 200 -    0B  - /favicon.ico
[21:49:09] 301 -    0B  - /index.php  ->  http://literally.vulnerable/
[21:49:09] 301 -    0B  - /index.php/login/  ->  http://literally.vulnerable/login/
[21:49:14] 200 -   19KB - /license.txt
[21:49:24] 301 -    0B  - /myadminphp  ->  http://literally.vulnerable/myadminphp/
[21:49:42] 200 -    7KB - /readme.html
[21:49:59] 200 -   25KB - /v2/keys/?recursive=true
[21:50:01] 200 -   25KB - /solr/admin/file/?file=solrconfig.xml
[21:50:02] 500 -    3KB - /wp-admin/setup-config.php
[21:50:02] 400 -    1B  - /wp-admin/admin-ajax.php
[21:50:03] 200 -    1KB - /wp-admin/install.php
[21:50:03] 200 -    0B  - /wp-config.php
[21:50:03] 200 -   69B  - /wp-content/plugins/akismet/akismet.php
[21:50:03] 500 -    0B  - /wp-content/plugins/hello.php
[21:50:04] 200 -    0B  - /wp-cron.php
[21:50:04] 500 -    0B  - /wp-includes/rss-functions.php
[21:50:04] 200 -    5KB - /wp-login.php
[21:50:04] 302 -    0B  - /wp-signup.php  ->  http://literally.vulnerable/wp-login.php?action=register
[21:50:05] 405 -   42B  - /xmlrpc.php
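As an added example, not code from the original post, here is a small Python parser for dirsearch lines in the format above that maps the hits against an assumed post-install WordPress hardening checklist, so a site owner can see which of these paths should not be reachable. SAMPLE_LOG is constructed from the lines above and the checklist reasons in SENSITIVE_PATHS are my assumptions, not findings from the page.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the dirsearch line format shown above.
SAMPLE_LOG = """\
[21:50:02] 500 -    3KB - /wp-admin/setup-config.php
[21:50:03] 200 -    1KB - /wp-admin/install.php
[21:50:03] 200 -    0B  - /wp-config.php
[21:50:04] 200 -    5KB - /wp-login.php
[21:50:04] 302 -    0B  - /wp-signup.php  ->  http://literally.vulnerable/wp-login.php?action=register
[21:50:05] 405 -   42B  - /xmlrpc.php
"""

LINE_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\]\s+(?P<code>\d{3})\s+-\s+"
    r"(?P<size>\d+)(?P<unit>[KMG]?B)\s+-\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<redirect>\S+))?\s*$"
)
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

class Hit(NamedTuple):
    time: str
    code: int
    size_bytes: int
    path: str
    redirect: Optional[str]

# Assumed post-install hardening checklist: paths that should not be reachable.
SENSITIVE_PATHS = {
    "/wp-config.php": "reachable at the web root; keep it unreadable and consider moving it above the docroot",
    "/wp-admin/install.php": "installer still reachable after setup; remove or block it",
    "/wp-admin/setup-config.php": "setup script still routed (500 here, but present); remove or block it",
    "/xmlrpc.php": "XML-RPC still routed (405 on GET); disable it if unused",
}

def parse_dirsearch(text: str) -> list[Hit]:
    """Parse dirsearch result lines, skipping anything that is not a result line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(m["size"]) * UNIT_BYTES[m["unit"]]
            hits.append(Hit(m["time"], int(m["code"]), size, m["path"], m["redirect"]))
    return hits

def review_wordpress_exposure(hits: list[Hit]) -> list[tuple[str, int, str]]:
    """Return (path, status, reason) for each sensitive path present in the scan."""
    return [(h.path, h.code, SENSITIVE_PATHS[h.path]) for h in hits if h.path in SENSITIVE_PATHS]
```

Feed it the full scan output instead of SAMPLE_LOG to get the same review over every hit.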

After a round of attempts at SQL injection, access-control bypass, and brute-forcing WordPress and SSH with admin and doe as usernames, I confirmed that the site on port 80 really is, as it says, not so vulnerable…

That leaves only the last port, 65535.

It opens with the default apache2 page; the dirb and dirsearch results are as follows:

[22:20:18] 200 -   11KB - /index.html
[22:20:19] 301 -  342B  - /javascript  ->  http://literally.vulnerable:65535/javascript/


GENERATED WORDS: 4612

---- Scanning URL: http://literally.vulnerable:65535/ ----
+ http://literally.vulnerable:65535/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://literally.vulnerable:65535/javascript/
+ http://literally.vulnerable:65535/server-status (CODE:403|SIZE:288)

---- Entering directory: http://literally.vulnerable:65535/javascript/ ----
==> DIRECTORY: http://literally.vulnerable:65535/javascript/jquery/

---- Entering directory: http://literally.vulnerable:65535/javascript/jquery/ ----
+ http://literally.vulnerable:65535/javascript/jquery/jquery (CODE:200|SIZE:268026)

Switching between several wordlists turned up nothing else, and I was stuck. Looking at someone else's writeup, their scan found a phpcms here.

Copyright notice: this article is an original work by wuerror, licensed under CC 4.0 BY-SA; when reposting, please include a link to the original and this notice.
Original link: https://www.cnblogs.com/wuerror/p/14775023.html