Penetration Testing: Manual Vulnerability Exploitation
1. Lab environment description
In the previous article I covered installing the Kioptrix target and configuring its network. This article uses two virtual machines: the Kioptrix VM, which is the target, and a Kali Linux VM, which acts as the attacker. The network topology is shown below:
2. Enumerating services
First, run nmap to find the live machines on the network. The following command sweeps every host in the 192.168.50.0/24 block: -P0 (the older spelling of -Pn) skips host discovery and probes every address, -n disables reverse-DNS lookups, -T4 selects aggressive timing, and -f sends fragmented probe packets. Note that without a -p option nmap scans only its default set of common TCP ports, not all 65535, so a service on an unusual port would be missed by this sweep.
nmap -f -n -P0 -T4 192.168.50.0/24
The scan results are as follows:
Now we know the machine is online and that the target has TCP ports 22, 80, 139 and 445 open. From here there are several ways to proceed; netcat or a similar tool can be used to probe these ports by hand for more information.
3. Full scan with nmap
Having identified the target system at 192.168.50.102, we now run a targeted nmap scan against it and examine the output:
nmap -n -sTUV -p T:139,443,111,137,U:53 192.168.50.102
-sTUV: shorthand for -sT -sU -sV, i.e. a TCP connect scan, a UDP scan and service version detection; the output reports each port's state and the version of the software behind it;
-p: the ports to scan; the T: prefix marks the TCP ports and the U: prefix marks the UDP ports (here TCP 139, 443, 111 and 137 and UDP 53);
The scan result is as follows:
The results contain useful information: the host name KIOPTRIX4, an OS guess, and the open ports with their service versions. This is the groundwork for the next step.
Note that the OSs field in nmap's Service Info line is a guess derived from the service fingerprints, not a confirmed fact. A value such as OSs: Linux, Windows means the detected services matched fingerprints associated with both, so the host could be either; judge it against all of the output taken together.
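The two scans above can be chained so that the targeted scan is built from the sweep's results instead of being copied by hand. The following shell script is an added example, not code from the original article; it assumes the sweep is run with nmap's grepable output (-oG -), and the sample output it parses is constructed from the results reported above, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): turn the host sweep from section 2
# into the targeted scan of section 3 without reading the output by eye.
# Assumes nmap is run with -oG - (grepable output). The sample below is constructed
# from the results the article reports, not captured from a real scan.

# Constructed sample of `nmap -oG -` output for the sweep in section 2.
sample_grepable_output() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 192.168.50.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.50.102 ()\tStatus: Up\n'
  printf 'Host: 192.168.50.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (95)\n'
  printf '# Nmap done (constructed sample)\n'
}

# Reads grepable output on stdin; prints one "ip:port,port,..." line per host,
# keeping only ports whose state is "open" (filtered and closed ports are dropped).
open_ports_by_host() {
  awk -F'\t' '
    /^Host: / {
      ports = ""
      for (j = 2; j <= NF; j++) if ($j ~ /^Ports: /) ports = $j
      if (ports == "") next
      split($1, h, " "); ip = h[2]
      sub(/^Ports: /, "", ports)
      n = split(ports, p, ", ")
      out = ""
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] != "open") continue
        if (out == "") out = f[1]; else out = out "," f[1]
      }
      if (out != "") print ip ":" out
    }'
}

# Reads "ip:ports" lines on stdin; prints the targeted scan for each host
# (TCP connect scan plus version detection on exactly the open ports).
followup_commands() {
  while IFS=: read -r ip ports; do
    printf 'nmap -n -sT -sV -p %s %s\n' "$ports" "$ip"
  done
}

# Whole pipeline against the constructed sample. Live use would replace the
# first stage with:  nmap -f -n -P0 -T4 -oG - 192.168.50.0/24
plan_from_sample() {
  sample_grepable_output | open_ports_by_host | followup_commands
}

plan_from_sample
```

The filtered port in the sample is deliberately dropped: a targeted version scan against ports that never answered only wastes time, and the states that matter for the next step are the open ones.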
4. Banner grabbing with netcat and ncat
Netcat is a versatile tool that is useful in both the information-gathering and the exploitation phases; it can also be used to set up backdoors and transfer files.
4.1 Grabbing a banner with netcat
Run the following command to connect to port 80 of 192.168.50.102:
nc 192.168.50.102 80
This opens a raw TCP connection to Kioptrix's web service; nothing comes back until we send an HTTP request. Type HEAD / HTTP/1.1 followed by a Host: 192.168.50.102 line (HTTP/1.1 requires a Host header; Apache still answers without one, but with a 400 status), then press Enter twice so that the empty line ending the request is sent. Alternatively, HEAD / HTTP/1.0 needs no Host header. The output looks like this:
The response headers are printed. The Server header shows that the target is running Apache/2.2.8 on Ubuntu with PHP/5.2.4-2. Keep in mind that a Server header can be edited or suppressed by the administrator, so treat it as a strong hint rather than proof.
4.2 Grabbing a banner with ncat
ncat, the Nmap project's rewrite of netcat, is used the same way: run ncat 192.168.50.102 80 and send the request described in section 4.1.
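The banner grab of sections 4.1 and 4.2 can be scripted so that the Server header is extracted and split into product tokens rather than read off the screen. The script below is an added example, not part of the original article: it assumes an nc that accepts -w for a timeout (both the traditional and the OpenBSD versions do), and the sample response it parses is constructed from the headers reported in section 4.1, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): the HEAD request from section 4.1
# scripted with nc, plus a parser for the Server header so banners can be compared
# across hosts instead of read by eye. Assumes an nc that accepts -w (timeout in
# seconds). The sample response is constructed, not captured.

# Builds the request the article types by hand. HTTP/1.0 is used so the server
# closes the connection after the response and nc exits on its own; with
# HTTP/1.1 a Host: header would be required as well.
http_head_request() {
  printf 'HEAD / HTTP/1.0\r\n\r\n'
}

# Live banner grab: grab_http_banner HOST [PORT]. Not called in this file.
grab_http_banner() {
  host=$1
  port=${2:-80}
  http_head_request | nc -w 3 "$host" "$port"
}

# Reads an HTTP response on stdin and prints the Server header value. Header
# names are case-insensitive, and parsing stops at the blank line that ends the
# headers so that a "Server:" string in a body is never mistaken for the header.
server_header() {
  tr -d '\r' | awk '
    /^$/ { exit }
    tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Splits a Server value into its product/version tokens, one per line, dropping
# comments such as "(Ubuntu)"; the tokens are what you search advisories for.
server_products() {
  tr ' ' '\n' | grep '/'
}

# Constructed response modelled on the headers the article reports for the
# target. A HEAD response carries no body; the line after the blank line only
# exercises the parser's stop condition.
sample_response() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n'
  printf 'Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2\r\n'
  printf 'Connection: close\r\n'
  printf 'Content-Type: text/html\r\n'
  printf '\r\n'
  printf 'Server: not-a-header\n'
}

# Server value extracted from the constructed response.
sample_server() {
  sample_response | server_header
}

# Product tokens from the constructed response, comma-joined for easy checking.
sample_products() {
  sample_response | server_header | server_products | paste -sd, -
}

sample_server
sample_products
```

Against the real target, grab_http_banner 192.168.50.102 | server_header does live what sample_server does offline; piping it on through server_products gives the Apache and PHP version strings to look up.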
4.3 Grabbing a banner with smbclient
TCP port 139 is an interesting port: it is the NetBIOS session service used by SMB. The smbclient tool can be used to grab this service's banner. Enter the following command:
smbclient -L 192.168.50.102 -N
smbclient connects to 192.168.50.102 and lists the shares it offers (-L). -N suppresses the password prompt, so the connection is attempted as an anonymous (null) session; if the server does not permit anonymous listing, the command fails with an access error instead of listing anything.
The output result is as follows:
The output shows that the Samba version is 3.0.28a. This version string can be used to search for known vulnerabilities affecting this server.