DC-6靶机渗透实战
靶机渗透
靶机渗透

靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-6.html

信息搜集

直接上nmap进行扫描

nmap -sV -A -p- 172.16.0.18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Nmap scan report for localhost (172.16.0.18)
Host is up (0.00019s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:9C:80:16 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

可知开放22、80端口,linux主机,同样要设置hosts,发现是wordpress
发现开了80端口却无法访问,是重定向到wordy域名,可改hosts文件访问,添加ip对应域名

win10路径: C:\Windows\System32\drivers\etc\hosts

linux路径: etc/hosts

  • 根据靶机官网提示

    cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt That should save you a few years. ;-)
    猜测爆破进入后台

阅读全文
DC-5靶机渗透实战
靶机渗透
靶机渗透

靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-5.html

信息搜集

直接上nmap进行扫描

nmap -sV -A -p- 172.16.0.17

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Nmap scan report for localhost (172.16.0.17)
Host is up (0.00029s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          41519/tcp6  status
|   100024  1          46625/udp6  status
|   100024  1          53363/udp   status
|_  100024  1          59243/tcp   status
59243/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:A7:4E:87 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms localhost (172.16.0.17)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

可知开放111、80、59243端口,linux主机 猜测从web页面拿到shell

阅读全文
DC-4靶机渗透实战
靶机渗透
靶机渗透

靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-4.html

信息搜集

直接上nmap进行扫描

nmap -sV -A 172.16.0.16 -oN dc.nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:93:30:DE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2020-2-5-13-24-16

可知开放22、80端口,linux主机 web是一个登录框 考虑万能密码 注入 爆破

阅读全文
DC-2靶机渗透实战
靶机渗透
靶机渗透

靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-2.html

信息搜集

直接上nmap进行扫描

nmap -sV -A 172.16.0.12

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Nmap scan report for localhost (172.16.0.12)
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:B7:BA:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.07 ms localhost (172.16.0.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.58 seconds

发现开了80端口却无法访问,是重定向到dc-2域名,可改hosts文件访问,添加ip对应域名

win10路径: C:\Windows\System32\drivers\etc\hosts

linux路径: etc/hosts

阅读全文
DC-1靶机渗透实战
靶机渗透
靶机渗透

靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-1.html

信息搜集

直接上nmap进行扫描
2020-2-4-14-8-49

可知开放22、80、110端口,linux主机 web可能为Drupal版本号为7

阅读全文
Algolia