渗透案例-第一篇-Acid-Walkthrough

（在信息安全圈也算是有半年的渗透经验了，下面给大家带来的是Vulnhub的一台Acid主机的渗透过程，供大家参考。）

https://www.vulnhub.com/entry/acid-server,125/

Acid: From Vulnhub

Reference from Vulnhub walkthrough

By: Pan Chao ([email protected])

The name of the virtual machine is "acid server"

First step, network scanning, like nmap, and netdiscover

Then go port scan…

Find that port 33447 is open

Nmap results are showing that there is only one port open i.e 33447 with the services of HTTP. There are only a heading and a quote on the page; nothing else but if you look at the tab on the browser, it says ' /challenge/' . This can be a directory, let's open it.

Upon opening / challenge, a login portal will open. Let's learn more about / challenge by using Dirbuster.

Upon opeing / Challenge, a login portal will open. Let's learn more about /challenge by using Dirbuster. Copy the link from the browser in Target URL box and then select medium word list in Files with list of files box by clicking on the browse button. And then click on start.

I went through every directory but the only cake.php was useful. Open it in the browser. When you open cake.php, the page says " ah, haan, there is long go ..dude.

We find that /magic_box is written on the tab. Let's open it in the URL just like before.

When you open the /magic_box It says that access to the page is forbidden. OK! There is no problem with that.

Let's use Dirbuster again on it. Give that URL http://192.168.1.103:33447/Challenges/Magic/Box and 2.3 medium wordlists just as before and then click on start button.

In the result, it will show the name of the directories.

Out of all those Command.php is the only one that has proved to be useful. Open it in the URL. Here you will find a ping portal that means you can ping any IP address from here. Let's try and ping an IP. (You can ping any IP but I am going to ping the default IP i.e 127.0.0.1)

Once the IP has been pinged, go to the page source. On the page source, you can contemplate that results of ping are showing.

Hence there are possibilities for OS command injection and to ensure let's run any arbitrary command such as ; ls as shown above. On the page source, you can contemplate that results of ls command.

Since the page is showing the desired result that means we can use this portal to inject our virus using the web_delivery exploit. And to do so, go to the terminal of Kali an open Metasploit by typing msfconsole and then further type:

We return back to msfconsole and use web_delivery,  and this exploit is a multi-exploit that means it can be used on multiple programs. Therefore, I have set the target as one because 1 refers to php and as we are using php payload we have to set the target as 1.

Now performing this exploit will give me a code. Copy this code and paste it on the ping portal after the IP that you are using to ping. And to add this code use semi-colon

And we get Meterpreter session in Metasploit. Further type the following command to see the list of directories.

And then we do privilege escalation.

We get the meterpreter session

In the list ,we find that a directory called s.bin. Let's go into the folder and see its list of files and for that type.

We go to former directory

In the list of files, we could see a file named raw_vs_isi. Let's check it out.

It contains only one file, called hint.pcapng. Let's download it on our desktop with help of following command.

Now the file is downloaded on my desktop.

We opened this pcapng file with wireshark.

Choose tcp stream, we find that in 90 th package English words occur.

We use TCP follow and find that whole conversation

In the conversation, one of them says " Saman and nowadays he's known by the alias of 1337hax0r" that means saman is the usename and 1337hax0r can be the password.

Let's try it. Then to access proper TTY shell we had import python one line script and type command to reach the terminal and here log in with the username we just found:

And we have entered the root. We get the flag.

这台主机我从早上9点开始做起，做到晚上11点半才拿到权限。虽然是中等难度的实验室靶机，但是过程也是可以供大家参考的。

本文来源于：渗透案例-第一篇-Acid-Walkthrough-变化吧门户
特别声明：以上文章内容仅代表作者本人观点，不代表变化吧门户观点或立场。如有关于作品内容、版权或其它问题请于作品发表后的30日内与变化吧联系。