Vulnhub-dc6 learning notes

2022-07-18 14:56:00 Zhaohg720

1. Host scanning

An nmap port scan found ports 22 and 80 open.

2. Testing the HTTP service on port 80

The web service redirects the IP address to a domain name, so we need to edit the hosts file and map the IP address to the domain name wordy so the site can be accessed.
This is a WordPress site, so let's scan for the specific version information.
Use wpscan to enumerate the WordPress usernames.
Then all kinds of brute forcing were attempted... Finally, I saw the author's hint on the site where I downloaded the target.
We need to extract the entries containing k01 from rockyou.txt and use them as the dictionary.
Following the hint, we obtained the dictionary, then used wpscan's brute-force function against the 4 users, and finally got the password of the user mark.
With this we can log in to the admin page, but I didn't find anything valuable there. Next we continue using wpscan to scan the plugins.
Here we find that version 20161228 of the plainview-activity-monitor plugin has a command execution vulnerability.

3. Exploitation

Let's look at a PoC.
We can see that in the activity_tools part of the activity_monitor plugin, the POST content can be split with | to execute system commands; the PoC simply uses nc to listen on a port for the reverse shell.
The operation is not complicated, so we can do it manually.
First find where the command is executed, then use Burp Suite to modify the content of our POST data.
Here we have successfully gained access to the server.

4. Privilege escalation

Here we first look for SUID binaries, but find nothing usable.
We then find a backups.sh in jens' home directory that has execute permission, and a text file in mark's home directory.
backups.sh is a simple backup script.
However, things-to-do.txt shows the password of the user graham. Remember that the earlier nmap scan also found port 22 open, so we log in via SSH as the graham user.
Then we check which privileged commands the graham user can run.
It can only run jens' backup script, so we modify that file to get a shell as jens.
So we obtain jens' privileges.
Then we keep going one layer deeper.
We find that jens is allowed to run nmap with root privileges.
Here nmap can run script files ending in .nse, which follow Lua syntax, so we can use os.execute() to have nmap execute system commands.
Running nmap with sudo and the shell.nse script gives a root shell. This shell doesn't echo what we type, but that doesn't matter much, and the flag is in root's directory.
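The two sudo weaknesses used above (a sudo-allowed script that another user can edit, and a sudo rule on nmap, whose .nse scripts run Lua) are exactly what a defender can audit for. The following is an added example, not code from the original post or from the DC-6 box: it checks constructed sudoers lines against constructed file ownership and group membership, and the rule lines, file modes and group data are all assumptions modelling the box.

```python
"""Added example: audit sudoers rules for a shell-capable binary and for
sudo targets the invoking user can edit (constructed data, offline)."""
import os
import re

# Matches the common sudoers form: user HOST=(runas) [TAG:] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmd>\S+)"
)
# Binaries that execute code when run under sudo: nmap --script loads Lua
# (.nse) scripts, and Lua's os.execute() runs system commands. Extend as needed.
SHELL_CAPABLE = {"nmap"}

# Constructed stand-in for os.stat(): path -> (owner, group, mode)
FILES = {
    "/home/jens/backups.sh": ("jens", "devs", 0o775),
    "/usr/bin/nmap": ("root", "root", 0o755),
}
# Constructed group membership (what `id <user>` would report)
GROUPS = {"graham": {"graham", "devs"}, "jens": {"jens", "devs"}}

# Constructed sudoers lines modelling the box: graham runs jens' script,
# jens runs nmap as root.
RULES = [
    "graham ALL=(jens) NOPASSWD: /home/jens/backups.sh",
    "jens ALL=(root) NOPASSWD: /usr/bin/nmap",
]

def writable_by(path, user):
    """True if `user` can edit `path` via the owner, group or world write bit."""
    owner, group, mode = FILES[path]
    if user == owner and mode & 0o200:
        return True
    if group in GROUPS.get(user, ()) and mode & 0o020:
        return True
    return bool(mode & 0o002)

def audit(lines):
    """Return (kind, user, runas, cmd) for every rule that needs attention."""
    findings = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        user, runas, cmd = m["user"], m["runas"] or "root", m["cmd"]
        if os.path.basename(cmd) in SHELL_CAPABLE:
            findings.append(("shell-capable-binary", user, runas, cmd))
        if cmd in FILES and writable_by(cmd, user):
            findings.append(("writable-target", user, runas, cmd))
    return findings

if __name__ == "__main__":
    for kind, user, runas, cmd in audit(RULES):
        print(f"{kind}: {user} may run {cmd} as {runas}")
```

On a real host, replace FILES and GROUPS with os.stat() and the grp module, and feed it the output of `sudo -l` or the sudoers files.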

Copyright notice
This article was written by [Zhaohg720]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/199/202207160619093931.html