Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

HARRYPOTTER: ARAGOG (1.0.2)靶场练习KALI操作获得flag

 Share


Recommended Posts

靶场链接:https://www.vulnhub.com/entry/harrypotter-aragog-102,688/

信息收集

开局nmap

2XcHoQ.png

gobuster web扫描

2XcOWn.png

访问/blog发现是个wordpress

2XgR7F.png

需要添加hosts (这里我已经添加了)

2X2FHS.png

wpscan扫描wordpress
(存在wp-admin用户)

2X2e9s.png

插件扫描,存在wp-file-manager插件,版本6.0

wpscan --url http://aragog.hogwarts/blog -t 20 --plugins-detection aggressive
  • 1
2X2e9s.png

这个版本存在任意文件上传,利用该洞getshell即可

2XRCG9.png

得到shell

2XRix1.png

权限提升

得到flag,并得知/home目录下查找ginny和hagrid98用户

2XRtIg.png

原本以为/var/www/html下是存放wordpress的路径,查看后发现不是。最后在/usr/share/wordpress发现数据库配置文件

find / -maxdepth 5 -type f -writable 2> /dev/null | grep -v "/proc"
find / -maxdepth 5 -type f -writable 2> /dev/null | grep -v "/proc" | grep "config"
2XR4Q1.png

查询数据库得到wp-admin用户的密码

use wordpress;
select * from wp_users;
2XRjSA.png

cmd5查询得到密码

2XWpef.png

ssh撞密码得

2XWVln.png

后续常规linux提权检测发现没有有用的东西,上pspy检测root权限的进程,最后发现有个定时任务执行/opt/.backup.sh

2XWBfH.png

里面插入反弹shell等待即可获得root shell

2XW6Xt.png

wp-file 任意文件上传分析

漏洞点位于file manager的connector.minimal.php文件,具体路径在wordpress\wp-content\plugins\wp-file-manager\lib\php\connector.minimal.php

2XW7Xq.png

首先实例化一个elFinderConnector对象,然后调用它的run()方法,跟进run()
跟进到FILES数据判断

2XfpcR.png

最后调用exec函数进入到文件上传处理点

2XfAAO.png

Upload函数(关键点是Content-Type类型存在image即进入文件保存)

2Xf8US.png
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...