Experiment 4 CTF practice

The experiment purpose ： Through the penetration process of the target , understand CTF Competition mode , understand CTF Scope of knowledge covered , Such as MISC、PPC、WEB etc. , by way of practice , Strengthen the ability of teamwork , Master the preliminary CTF Actual combat ability and information collection ability . Familiar with network scanning 、 Probe HTTP web service 、 Directory enumeration 、 Raise the right 、 Image information extraction 、 Use of password cracking and other related tools .
System environment ：Kali Linux 2、WebDeveloper Target source ：https://www.vulnhub.com/
Experimental tools ： There is no limit
Experimental steps and contents ：
Purpose ： Get the target Web Developer file /root/flag.txt in flag.
The basic idea ： This segment IP Address survival scan (netdiscover); Network scanning (Nmap); Browse HTTP service ; Site directory enumeration (Dirb); Package file found “cap”; analysis “cap” file , Find the website management background account password ; Plug in utilization （ There are loopholes ）; Exploit the vulnerability to obtain the server account password ;SSH Remote login server ;tcpdump Alternative applications .
The implementation details are as follows ：

1、 Finding goals (netdiscover), find WebDeveloper Of IP Address . Screenshot .

2、: utilize NMAP Scan target host , The target host port is found to be open 、 Service situation , Screenshot and explain the services provided by the target ？（ Use the knowledge points of the first experiment ）

The port service opened by the target
22 port ： Open the remote login service
80 port ： Turn on http service

3、 If the target host provides HTTP service , Try using your browser to access the target website . Screenshot . Is there any information available ？

4、 utilize whatweb Detect the... Used by the target website CMS Templates . Screenshot . Analyze the use of CMS What is it? ？

5、 Web search wpscan, Briefly describe its function

function ：WPScan yes Kali Linux The default comes with a vulnerability scanning tool , It uses Ruby To write , Able to scan WordPress A variety of security vulnerabilities in the website , These include WordPress Its own loopholes 、 Plug in vulnerabilities and theme vulnerabilities . The latest version WPScan Your database contains more than 18000 There are plug-in vulnerabilities and 2600 A theme vulnerability , And support the latest version of WordPress. It is worth noting that , It can not only scan things like robots.txt Such sensitive files , It can also detect currently enabled plug-ins and other functions

6、 Use Dirb Website directory .（Dirb It's a special tool for blasting catalog , stay Kali Has been installed by default , There are also foreign similar tools patator,dirsearch,DirBuster, Domestic imperial sword ） Screenshot . Find a directory that seems to be related to network traffic （ route ）.

![ Insert picture description here ](https://img-blog.csdnimg.cn/20201215225814129.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV

6、 utilize Wireshark Analyze the packet , analysis TCP Data flow . Find any useful information ？ Screenshot .


Use the information obtained in the previous step to enter the background of the website . Screenshot

8、 Use this CMS There is （ plug-in unit Plugin） Loophole .
9、 Take advantage of the vulnerability of the plug-in to raise rights .
programme 3： Using file management plug-ins （File manager） Loophole .
Install the plug-in , You can browse directly wp-config.php.



**10、SSH logon server
Try to connect to the remote server by using the user name and password to access the database obtained in the previous step . Screenshot .
1、 Try to view /root/flag.txt **

Cannot be viewed .
10、 Use tcpdump Execute arbitrary orders （ When tcpdump After capturing the packet, the specified command will be executed .）
Check the executable commands of the current identity and find that you can root Permissions to perform tcpdump command
Create Attack File

Discovery can root Permissions to perform tcpdump command
Create Attack File

touch /tmp/exploit1

write in shellcode

echo ‘cat /root/flag.txt’ > /tmp/exploit

Give executable permission

chmod +x /tmp/exploit

utilize tcpdump Execute arbitrary orders

sudo tcpdump -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root

get flag

tcpdump Detailed command ：
-i eth0 Capture packets from the specified network card
-w /dev/null Output the captured packet to the empty device （ Do not output packet results ）
-z [command] Run the specified command
-Z [user] Specify the user to execute the command
-G [rotate_seconds] Every time rotate_seconds Once every second -w Specified dump
-W [num] Specify the number of packets captured