DeRPnStiNK target machine penetration case analysis

DeRPnStiNK target machine penetration

I found the DeRPnStiNK target machine as an experimental environment from the Internet. For beginners, we used this target machine to conduct penetration experiments.

After downloading the target machine online, open it directly through the virtual machine. Just use the default bridge mode for the network card configuration. Note here that your kali attack machine must also be in bridge mode to ensure communication with the attacked server. Can communicate normally. First, if we are not sure about the address of the attacked server, we need to perform host discovery and check that our IP address is: 192.168.50.76, as shown in the figure:

Use Nmap or netdiscover performs network discovery. The command is as follows: nmap –sP192.168.50.0/24 (-sP here mainly performs host discovery and will skip port scanning and other detections) or netdiscover –r 192.168.50.0/24. The IP address of the server we were attacked is found as shown in the figure:

After we find the IP address of the server, use nmap –A to scan , and found that ports 21, 22, 80, etc. are open, as shown in the figure:

We can access the http service through the browser and observe what content is inside. The following is the page we observed:

When we get a page that cannot provide us with more information, our first step is to view the page source code information. (If it is pictures and other content, we can right-click the page to view the source code information, so we use view-source): View the page source code information, as shown in the figure, find a flag information in the source code:

We are looking for more useful information through other visits, as shown in the picture:

We saw the following sentence through the webnotes/info.txt file: stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live. The derpnstink blog can only be accessed after the local DNS has been updated.

Through searching various paths, we found that there is no better sensitive information for us to use. After we did not find any available information in the directories and links provided, we next You can try to scan the directory, using the command: dirb or the Yujian tool to scan. After the scan is completed, we will find the sensitive path of weblog. When we tried to access the path, we found that the domain name jumped, but according to the prompt information given by the jump, we can try to add domain name resolution to the host file. The host file under Kali is in /etc/hosts.

Add the hosts value, as shown in the figure:

We visit the weblog directory after adding the hosts value, Found to be accessible normally.

So what do we do next? Through observation, you can find that this is a wordpress blog. Try to access it through the wordpress default management background. Under normal circumstances, after obtaining the default background path wp-login.php, we need to detect weak passwords. I tried to log in using admin/admin and found that I successfully entered the background.

Next, you can use the wordpress scanning tool to discover vulnerabilities. Use wpscan under kali, as shown in the figure: (note the path when wpscan scans) wpscan –url http: //derpnstink.local/weblog/

Marked version information, here we apply the corresponding vulnerability information. There will be corresponding vulnerability exploitation modules in metasploit. We use the search command in msfconsole to find the module corresponding to wp_slideshowgallery_upload. Use the command search to find wp_slideshowgallery_upload. After finding the module, use the use command to load it. As shown in the picture:

Use options to view the configuration items and configure them according to your target machine, as shown in the picture:

As follows, we obtain a shell: we can view sensitive files in it.

Note that in the process of daily penetration, we find that config and other files must be checked to see if there is necessary information in them, as shown in the figure, we can go to weblog/ Get the database username and password information in wp-config.php:

## stealment When using Dirb or Royal Sword for directory scanning, we may find the PHP or PHPMYADMIN path. This is the database web backend of php-study. Use the username and password we just found to log in to root/admin.

In the database we will find flag2. And the username and password hash value in wp_users.

Many tools are integrated under kali. After we obtain a string of encrypted hash values, we try to analyze it through hash-identifier Its encryption type. Note that this tool is not a cracking tool, it is just used to determine the encryption type. As shown in the picture:

# Based on the rockyou.txt that comes with Kali, use John to crack the password. Use wedgie57 password for ftp login.

Use a connection tool such as Mobaxterm or xshell to access the target host through ftp. You can find 2 files: a conversation and an ssh login key file (in the ssh folder, the name is key, it must be the ssh login key file)

Use the ssh key to log in. We save the key information and log in through ssh –i. As shown in the figure:

#After entering the system through ssh connection, check the file and you will find flag.txt. As shown in the figure:

#We found another sensitive file in the derpissues.pcap packet file. Use Wireshark to analyze packets and see the information they contain.

When using scp for file transfer, the specific command is as follows:

Start wireshark and open the derp.pcap file directly. Because there are many packets, filter the http protocol data packets. (Why should we filter the http data packets here? Because in the conversation we found above, we found that it is possible for the user to add a new user, and it is necessary to log in to weblog/wp-admin. So try First filter the http protocol and look for the submitted information. We find that the user and pwd password fields are displayed in plain text: Form item: "pwd" = "derpderpderpderpderpderp".

# Try to establish a new connection via ssh using the mrderp user: As shown in the figure:

We can find a message in helpdesk.log reminding us that the problem is Handled by sudo user. So we try to use sudo command

.

Use sudo –l to check the permissions we have, as shown in the figure:

Only in the bin directory The mrderp user only needs to use sudo when executing derpy* files. Therefore, we need to create a folder called binaries in the target directory and add the executable derpy.sh. To make the derpy.sh file executable, you need to run it with sudo and change the permissions. Successful privilege escalation root

#Check the root user file and find the flag.

The above is the detailed content of DeRPnStiNK target machine penetration case analysis. For more information, please follow other related articles on the PHP Chinese website!