Basic Information

Port Scan

Ports 22 and 80:

 nmap -sV -sC 10.10.11.125
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-25 14:51 CST
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.071s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Backdoor – Real-Life
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.45 seconds

80

Add a hosts entry; the site is WordPress:

10.10.11.125 backdoor.htb

wordpress

wpscan found nothing of note. Browsing the plugin directory manually shows that directory listing is enabled, exposing ebook-download version 1.1:

eBook Download

Searching turns up a vulnerability in this plugin:

wp-config

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );

proc

LFI enumeration: enumerating proc cmdline entries reveals gdbserver on port 1337:

gdbserver & user flag

Following this:

Metasploit (msf) can also be used directly.

user flag

Privilege Escalation Information

ps shows a root screen session:

Privilege Escalation & root flag

Attach directly to the root session:

export TERM=xterm
screen -x root/root
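
From the host administrator's side, both findings above (gdbserver listening on a TCP port, and a screen session owned by root) are visible in the process table. The audit below is an added example, not part of the original write-up: it parses NUL-separated /proc cmdline data and flags both cases. The function names and the sample process entries are constructed for illustration.

```python
import os
import re

# gdbserver's TCP COMM argument is "host:port" or ":port" (empty host = all interfaces).
TCP_COMM = re.compile(r"^([^:/\s]*):(\d{1,5})$")
LOOPBACK = {"127.0.0.1", "localhost"}

def split_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated; it is empty for kernel threads."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def classify(uid, argv):
    """Return a finding or None; args are re-tokenised so `sh -c '... gdbserver ...'` is seen."""
    tokens = " ".join(argv).replace(";", " ").split()
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) == "gdbserver":
            for arg in tokens[i + 1:]:
                m = TCP_COMM.match(arg)
                if m and m.group(1) not in LOOPBACK:
                    return f"gdbserver reachable on tcp/{m.group(2)} (uid {uid})"
    if uid == 0 and argv and os.path.basename(argv[0]).lower() == "screen":
        name = next((argv[i + 1] for i, a in enumerate(argv[:-1])
                     if re.fullmatch(r"-[A-Za-z]*S", a)), "?")
        return f"root screen session '{name}': review multiuser/acl settings"
    return None

def audit(procs):
    """procs: iterable of (pid, uid, raw_cmdline_bytes) -> list of (pid, finding)."""
    found = ((pid, classify(uid, split_cmdline(raw))) for pid, uid, raw in procs)
    return [(pid, f) for pid, f in found if f]

def live_procs():
    """Yield (pid, uid, raw cmdline) for every readable process on this host."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                yield int(pid), os.stat(f"/proc/{pid}").st_uid, fh.read()
        except OSError:
            continue  # process exited or access denied

# Constructed sample entries (not captured from the host in this write-up).
SAMPLE = [
    (851, 1000, b"/bin/sh\0-c\0while true; do gdbserver --once 0.0.0.0:1337 /bin/true; done\0"),
    (860, 0, b"SCREEN\0-dmS\0root\0"),
    (902, 1000, b"gdbserver\0localhost:2345\0/usr/bin/id\0"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")  # swap in live_procs() on a real host
```

The loopback-bound gdbserver entry is deliberately not flagged; only listeners reachable from the network and root-owned screen sessions are reported.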

References