This lab is very friendly to new pentesters. Moreover, it covers the whole penetration-testing process of information gathering, vulnerability exploitation and privilege escalation, which is very helpful for beginners who want to understand how a penetration test flows.

Lab address: https://hackmyvm.eu/machines/machine.php?vm=Hundred

Basic information about the lab:

Kali attack box: 192.168.1.3/24

Target host: 192.168.1.146/24

Goal: the common user flag and the administrator (root) flag

Information gathering stage:

nmap -sn 192.168.1.0/24

sudo nmap -v -T4 -p- -A -oN nmap.log 192.168.1.146

nmap -A 192.168.1.146

Here we see that ports 21, 22 and 80 are open:

Vulnerability exploitation stage:

Let's connect to port 21:

Both the username and the password are ftp; listing the current directory shows the key files and a users.txt file.

In fact, as long as the username is ftp, any password will log you in!

Here we use mget to download all the files to the local machine; mget can fetch multiple files at once!

The id_rsa file: the "private key" turns out to be a rabbit!

The public key file looks perfectly normal!

Next, take a look at the id_rsa.pem file. This one looks like a real private key file!

Then look at the users file; the last entry looks like a real username!

Here we try to log in as hmv over SSH with the private key file!

Hey hey hey, no luck!

This road is blocked for now, so let's look at the open port 80 and just browse to it!!

A cube?

It looks like the box author was daydreaming when building this lab!

Viewing the source code, we find clues!

A file up here and a directory down here!? Download the file first.

wget http://192.168.1.146/h4ckb1tu5.enc

The page as a whole tells us that this key value leads to a directory, and that the logo image hides more information that can be recovered with steganography. Back to the key value: the message can be decrypted with the RSA private key using OpenSSL rsautl, and decrypting it retrieves a file.

Next, we use the private key file on the downloaded file (contents unknown) to obtain the directory name!

Visit 192.168.1.146/softyhackb4el7dshelldredd/ to check; the direction is right!!

View the source code? Nothing there?

Site directory scanning: scan layer by layer!!

Grab a super wordlist:

github.com/danielmiess…

Scan the directory:

gobuster dir -w /root/Web-Content/common.txt -u http://192.168.1.146/softyhackb4el7dshelldredd/

Then download the private key:

wget http://192.168.1.146/softyhackb4el7dshelldredd/id_rsa

Try logging in this time! Two problems:

  1. "Permissions too open": the private key file's permissions must be changed to 600
  2. This id_rsa requires a passphrase

Next, we need to figure out the passphrase of the RSA key!!!!

Let's grab the logo image first!!

wget http://192.168.1.146/logo.jpg

Here we need to install an image steganography tool, stegseek:

github.com/RickdeJager…

After downloading, install it:

dpkg -i stegseek_0.6-1.deb

Some dependencies may be missing during installation:

apt --fix-broken install

After installation, use the users.txt obtained earlier as the wordlist to extract the hidden data from the logo image:

stegseek logo.jpg users.txt -xf output

This is the private key passphrase!!

d4t4s3c#1

ssh -i id_rsa hmv@192.168.1.146

Finally we're in!!!!

Privilege escalation stage:

Next, escalate to root:

Escalating to root is easy on this VM: the /etc/shadow file is writable by everyone, so we can modify it to set root's password.

The following link describes the layout of the /etc/shadow file:

www.cyberciti.biz/faq/underst…

Since we don't need to read /etc/shadow, we only need to write to it.

So we change root's password to "root" as follows:

1. Generate the encrypted value of the password "root":

openssl passwd # enter the new password "root"

2. Write the encrypted value into /etc/shadow in the root user's entry format (note that this echo replaces the whole file with that single line):

echo root:qdbEWfKM1ov2g:18844:0:99999:7::: > /etc/shadow

3. Switch to root and enter the password "root":

su -l
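As an added example (not part of this write-up), the following Python audits a shadow file the way a defender would check a box for exactly this misconfiguration: it parses each entry into the nine colon-separated fields the link above describes, flags group- or world-writable file modes, and flags weak password fields such as the 13-character traditional crypt (DES) hash that the openssl passwd step produced. The sample entries and the 0666 file mode are constructed.

```python
import re
import stat

# Field order of a shadow(5) entry.
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line):
    """Split one shadow line into a dict of its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))

def hash_kind(h):
    """Classify the password field: empty, locked, a modular-crypt scheme, or legacy DES."""
    if h == "":
        return "empty"                     # login allowed with no password at all
    if h.startswith(("!", "*")):
        return "locked"
    m = re.match(r"\$([^$]+)\$", h)        # "$id$..." modular crypt format
    if m:
        return {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt",
                "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des"                       # 13-char traditional crypt, as written in this box
    return "unknown"

WEAK = {"empty", "des", "md5", "unknown"}

def audit_shadow(text, mode):
    """Return a list of findings for a shadow file's contents and its st_mode bits."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")   # the bug this VM relies on
    if mode & stat.S_IRWXO:
        findings.append("file is accessible to others")
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        kind = hash_kind(entry["hash"])
        if kind in WEAK:
            findings.append(f"{entry['name']}: weak or missing hash ({kind})")
    return findings

# Constructed sample: the root line the echo above writes, plus a sane sha512 entry
# for a made-up user, in a file left mode 0666 as on this VM.
SAMPLE = ("root:qdbEWfKM1ov2g:18844:0:99999:7:::\n"
          "alice:$6$saltsalt$" + "A" * 86 + ":18844:0:99999:7:::\n")
```

Run `audit_shadow(SAMPLE, 0o100666)` to get both the permission findings and the weak root hash; a correctly permissioned 0640 file reports only the hash.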

That's it. Easy... and not so easy.