Penetration Testing Case Study, Part 1: Acid Walkthrough

二叶草, 25 March 2020 18:55:22, category: Penetration Testing

(I have about half a year of penetration testing experience in the information security community. Below is the walkthrough of the Acid machine from Vulnhub, for your reference.)

https://www.vulnhub.com/entry/acid-server,125/

Acid: From Vulnhub

Referenced from a Vulnhub walkthrough

By: Pan Chao ([email protected])

The name of the virtual machine is "acid server"

First step: network scanning, with tools such as nmap and netdiscover.

Then run a port scan.

We find that port 33447 is open.

The Nmap results show that only one port is open, 33447, running an HTTP service. The page contains only a heading and a quote, nothing else, but if you look at the browser tab, it says '/challenge/'. That could be a directory; let's open it.

Upon opening /Challenge, a login portal appears. Let's learn more about /challenge by using DirBuster: copy the link from the browser into the Target URL box, then select the medium word list in the "Files with list of files" box by clicking the Browse button, and click Start.

I went through every directory, but only cake.php was useful. Open it in the browser. When you open cake.php, the page says "ah, haan, there is long go ..dude".

We notice that /magic_box is written on the tab. Let's open it in the URL bar, just like before.

When you open /magic_box, it says that access to the page is forbidden. OK, no problem with that.

Let's use DirBuster on it again. Give it the URL http://192.168.1.103:33447/Challenges/Magic/Box and the 2.3 medium wordlist, just as before, and then click the Start button.

The result lists the names of the directories found.

Of all of those, Command.php is the only one that proved useful. Open it in the URL bar. Here you will find a ping portal, which means you can ping any IP address from here. Let's try pinging an IP. (You can ping any IP, but I am going to ping the loopback address, i.e. 127.0.0.1.)

Once the IP has been pinged, view the page source. In the page source you can see that the results of the ping are shown.

Hence there is a possibility of OS command injection. To confirm it, run an arbitrary command such as `; ls`, as shown in the screenshot. In the page source you can see the results of the ls command.
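
The portal behaves this way because the submitted address is concatenated into a shell command line, so the shell, not ping, interprets the `;`. The following is an added example (my own code, not the Command.php from the machine and not from the original walkthrough) that puts that vulnerable pattern next to a hardened version and adds a log check a defender could run. `echo` stands in for the real ping binary so it runs offline; the access-log lines, the request path and the `ip` parameter name are constructed assumptions, not taken from the target.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# 'echo' stands in for the ping binary so the demonstration runs offline; the
# injection mechanics are the same because /bin/sh, not the program, parses ';'.
PING_STAND_IN = "echo PING"


def ping_vulnerable(target: str) -> str:
    """Vulnerable pattern: user input concatenated into a command line that is
    handed to the shell (shell=True). Anything after ';' runs as a second command."""
    completed = subprocess.run(PING_STAND_IN + " " + target, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def validate_target(target: str):
    """Allow-list validation: return the canonical IP string, or None if the
    input is not a bare IPv4/IPv6 address. '127.0.0.1; ls' is rejected here."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def ping_hardened(target: str) -> str:
    """Hardened form: validate first, then run an argv list with no shell, so
    the target can never be interpreted as shell syntax."""
    ip = validate_target(target)
    if ip is None:
        raise ValueError("target must be a single IP address")
    argv = PING_STAND_IN.split() + [ip]   # in production: ["ping", "-c", "1", ip]
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.stdout


# Detection side. Shell metacharacters inside a request parameter of a
# ping-style endpoint are a strong injection indicator.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed access-log lines (assumed CLF-style format, assumed path and
# parameter name); line 2 carries the page's "; ls" probe, URL-encoded.
SAMPLE_ACCESS_LOG = [
    '192.168.1.50 - - [25/Mar/2020:18:55:22 +0800] '
    '"GET /challenge/magic_box/command.php?ip=127.0.0.1 HTTP/1.1" 200 512',
    '192.168.1.50 - - [25/Mar/2020:18:55:40 +0800] '
    '"GET /challenge/magic_box/command.php?ip=127.0.0.1%3B+ls HTTP/1.1" 200 988',
]


def flag_injection_attempts(access_log_lines):
    """Return (line_number, parameter, decoded_value) for every query-string
    parameter that contains a shell metacharacter after URL decoding."""
    hits = []
    for number, line in enumerate(access_log_lines, 1):
        match = re.search(r'"(?:GET|POST) \S+\?(\S+) HTTP', line)
        if not match:
            continue
        for param, values in parse_qs(match.group(1), keep_blank_values=True).items():
            for value in values:
                if SHELL_META.search(value):
                    hits.append((number, param, value))
    return hits


if __name__ == "__main__":
    print(ping_vulnerable("127.0.0.1; echo INJECTED"), end="")
    print(ping_hardened("127.0.0.1"), end="")
    print(flag_injection_attempts(SAMPLE_ACCESS_LOG))
```

The validation step matters as much as dropping `shell=True`: without it an argv list still passes arbitrary text to ping as an argument, whereas `ipaddress.ip_address` guarantees the only thing reaching the process is an address.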

Since the page shows the desired result, we can use this portal to deliver our payload using the web_delivery exploit. To do so, open a terminal in Kali, start Metasploit by typing msfconsole, and then type:

Back in msfconsole we use web_delivery. This exploit is a multi-target module, meaning it can be used with several interpreters. I set the target to 1 because target 1 refers to PHP, and since we are using a PHP payload we have to set the target to 1.

Running this exploit will give me a piece of code. Copy it and paste it into the ping portal after the IP you are pinging, separated from the IP by a semicolon.

And we get a Meterpreter session in Metasploit. Next, type the following command to list the directories.

Then we do privilege escalation.

We get the Meterpreter session.

In the list, we find a directory called s.bin. Let's go into that folder and list its files; to do that, type:

We go back to the previous directory.

In the list of files, we can see a file named raw_vs_isi. Let's check it out.

It contains only one file, called hint.pcapng. Let's download it to our desktop with the following command.

Now the file has been downloaded to my desktop.

We open this pcapng file with Wireshark.

Looking at the TCP streams, we find that the 90th packet contains English words.

Using Follow TCP Stream, we find the whole conversation.

In the conversation, one of them says "Saman and nowadays he's known by the alias of 1337hax0r", which means saman is the username and 1337hax0r may be the password.
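
What Follow TCP Stream does here is pick out the segments of one conversation, put each direction back in sequence-number order and concatenate the payloads, which is why a credential typed in a cleartext chat is readable even when the packets are captured out of order. As an added illustration (not the page's hint.pcapng and not code from the walkthrough), the Python below builds a small constructed pcapng capture in which the server's reply is split across two segments that arrive in reverse order and an unrelated HTTP flow is mixed in, then reassembles the conversation and reports which frame contains a given string. The addresses, ports and chat text are invented; the alias line mirrors the one quoted above.

```python
import socket
import struct
from collections import defaultdict

# pcapng block types used here: Section Header, Interface Description, Enhanced Packet
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006


def _block(block_type, body):
    """Wrap a body in a pcapng block: type, total length, padded body, total length."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with no options; checksums are left zero (constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_capture():
    """Constructed chat capture: one client line, a two-segment server reply captured
    out of order, and an unrelated HTTP flow that must be ignored."""
    client, server = ("10.0.0.2", 40000), ("10.0.0.1", 6667)
    question = b"hey, who set up this box?\n"
    part1, part2 = b"Saman and nowadays ", b"he's known by the alias of 1337hax0r\n"
    frames = [
        tcp_frame(*client, *server, 1000, question),
        tcp_frame(*server, *client, 5000 + len(part1), part2),   # second half arrives first
        tcp_frame(*server, *client, 5000, part1),
        tcp_frame("10.0.0.9", 51000, "10.0.0.1", 80, 7, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))   # byte-order magic, v1.0
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))             # link type 1 = Ethernet
    epbs = b"".join(_block(EPB, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f)
                    for i, f in enumerate(frames))
    return shb + idb + epbs


def pcapng_frames(data):
    """Yield the packet bytes of every Enhanced Packet Block, in capture order."""
    off = 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if block_type == EPB:
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            yield data[off + 28: off + 28 + caplen]
        off += total


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport,
            socket.inet_ntoa(ip[16:20]), dport, seq, tcp[data_off:])


def follow_tcp_stream(data, client, server):
    """Reassemble both directions of one conversation by sequence number, trimming
    overlapping (retransmitted) bytes, the way Follow TCP Stream presents it."""
    segments = defaultdict(list)
    for frame in pcapng_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None or not parsed[5]:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if (src, sport, dst, dport) == client + server:
            segments["client"].append((seq, payload))
        elif (src, sport, dst, dport) == server + client:
            segments["server"].append((seq, payload))
    stream = {}
    for direction, segs in segments.items():
        out, next_seq = b"", None
        for seq, payload in sorted(segs):
            if next_seq is not None and seq < next_seq:
                payload, seq = payload[next_seq - seq:], next_seq
            out += payload
            next_seq = seq + len(payload)
        stream[direction] = out
    return stream


def find_text_packets(data, needle):
    """1-based frame numbers (Wireshark style) whose TCP payload contains needle."""
    return [n for n, frame in enumerate(pcapng_frames(data), 1)
            if (p := parse_tcp(frame)) and needle in p[5]]


if __name__ == "__main__":
    capture = build_sample_capture()
    print(find_text_packets(capture, b"1337hax0r"))
    for side, text in follow_tcp_stream(capture, ("10.0.0.2", 40000), ("10.0.0.1", 6667)).items():
        print(side, text.decode())
```

Only the client/server tuple selects the conversation, so the HTTP flow on port 80 never appears in the output, and the server text comes out whole even though its second segment was captured first. On a real capture the same search for a distinctive word is how the 90th packet above would be located before following its stream.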

Let's try it. Then, to get a proper TTY shell, we use a Python one-liner and run the command to reach the terminal, and there log in with the username we just found:

And we are root. We get the flag.

I started on this machine at 9 in the morning and only got access at 11:30 at night. Although it is a medium-difficulty lab target, the process is still worth sharing for reference.

Source: Penetration Testing Case Study, Part 1: Acid Walkthrough, 变化吧门户