Basic information

Port scan

Ports 21, 22 and 80 are open:

```
$ nmap -sC -sV 10.10.10.37
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 14:00 CST
Nmap scan report for 10.10.10.37
Host is up (0.072s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.85 seconds
```

80

Port 80 serves a WordPress site:

Directory scan

```
gobuster dir -u http://10.10.10.37/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50

/wiki (Status: 301)
/wp-content (Status: 301)
/plugins (Status: 301)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
```

The directory scan turns up several directories; inside plugins there are two jar files:

(This may have been changed: other writeups show the files listed directly under plugins, but when I did it the listing was empty and I only saw the files after visiting plugins/files):

Reverse engineering

Decompiling BlockyCore.jar reveals a hard-coded SQL password:

```java
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
```
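The root cause here is a credential compiled into a jar that was then left in a web-readable directory. As an added example (not code from the original writeup), the scanner below reads the constant pool of every class inside a jar and flags classes that combine a password-like field name with a long string literal, which is exactly the `sqlPass` pattern above; the in-memory sample jar is constructed for the demo, and the class path `BlockyCore.class` inside it is assumed.

```python
"""Scan a .jar for hard-coded credentials by parsing each class file's constant pool."""
import io, re, struct, zipfile

SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.I)
# Payload sizes for constant-pool tags with fixed-length bodies (JVM spec, chapter 4.4)
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool(data: bytes):
    """Return (Utf8 entries keyed by index, indices referenced by CONSTANT_String)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, i, utf8, strings = 10, 1, {}, []
    while i < count:
        tag = data[pos]; pos += 1
        if tag == 1:                                   # CONSTANT_Utf8
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                               # CONSTANT_String -> Utf8 index
                strings.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED[tag]
        i += 2 if tag in (5, 6) else 1                 # long/double take two slots
    return utf8, strings

def find_secrets(jar_bytes: bytes):
    """List (class name, suspicious field names, candidate secret literals) per class."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            utf8, strings = constant_pool(jar.read(name))
            names = [s for s in utf8.values() if SENSITIVE_NAME.search(s) and "/" not in s]
            literals = [utf8[i] for i in strings if len(utf8.get(i, "")) >= 8]
            if names and literals:
                findings.append((name, names, literals))
    return findings

def build_sample_jar() -> bytes:
    """Constructed sample: one minimal class whose constant pool mirrors BlockyCore's field."""
    def utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = (utf8("sqlPass") + utf8("8YsqfCTnvxAUeduzjNSXe22")
            + b"\x08\x00\x02" + utf8("Ljava/lang/String;"))   # only the pool is parsed
    cls = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 5) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BlockyCore.class", cls)          # assumed class path
    return buf.getvalue()
```

Running `find_secrets` over a real jar works the same way, since the parser only needs the constant pool that every class file carries; a hit like this is a build-artifact secret that belongs in a vault, not in a plugin dropped under the web root.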

User flag

This password is also the SSH password; the username comes from the WordPress site seen earlier ("Posted on July 2, 2017 by Notch"). Logging in over SSH directly gives user.txt:

Privilege escalation information

This is probably the easiest part: sudo is completely unrestricted for this user:

Privilege escalation && root flag

sudo straight to root and read root.txt:

References