A penetration test on Red Hat Enterprise Linux 5.4 in BT5

The best way to learn is to link theory with practice. When we know how to penetrate an attack, someone will try to simulate a real attack. During Penetration, when we find that some ports are opened on a machine, you can think about how to use the relevant service vulnerabilities to launch attacks without thinking about them. The success of each attack depends on the operating system of the target host. The installed Service Pack version and language type also depend on whether the Data Execution Protection (DEP: Data Execution Prevention) is successfully bypassed ). DEP is designed to defend against buffer overflow. It renders the program stack as read-only to prevent shellcode from being maliciously placed on the stack and executed. However, we can bypass DEP protection through some complex stack operations. The essence of attack penetration is to fully identify the security vulnerabilities in the target system, find the corresponding attacks against the vulnerabilities, and obtain system access permissions. 1. The penetration of the operating system has been described in the previous experiment. If you do not know it, you can view it. 2. penetration of installed service packages
Use nmap to detect the target machine quota and scan the port number and service version number.

 

 

 

 

Open the metasploit (msfconsole) that comes with BT5 to search For vsftpd-related vulnerability modules in the msfconsole. We just found a vsftpd2.3.4 vulnerability module and used it.

 

 

 

Set RHOST as the IP address of the target host and execute overflow directly. We will get a linux shell

 

 

Queries and various operations in shell

 

 

Add an account with uid = 0 to the shell to raise the permission. In this way, we have full control over the target machine and can perform any operation without knowing the root password!

 

 

 

 

If port 3389 or port 22 is enabled for the peer, we can directly log on to linux. After detecting a vulnerability in the installed service package, we need to promptly patch the vulnerability or download and use a new version to avoid host failure because the vulnerability is not fixed in time! E n d !!!