VulnHub target machine study - JIS

Posted by tetley at 2020-04-02

Statement

This article was first published by "you can't hurt me", a member of the Tide security team, in the TideSec column on FreeBuf:

https://www.freebuf.com/column/201312.html

The techniques, ideas and tools covered in this article are for security learning and exchange only. No one may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!

I. Preface

So far we have written four write-ups of hands-on work against VulnHub target machines. Overall, I feel I have learned a lot and built up experience. Today's target machine is not very difficult, but there are five flags to capture. I haven't come across a target like this before, so today I'll run a penetration test against it and hope to learn something new.

II. Operating instructions

* target difficulty: beginner

* target: get 5 flags

* running environment: Kali Linux and the target machine JIS-CTF (download address: https://download.vulnhub.com/jisctf/jis-ctf-vulnupload-ctf01.OVA), both running in VMware

* network settings: NAT mode

III. Penetration test walkthrough

1. Port scanning & directory brute-forcing

The first step is to find the target's IP address. On Kali's command line, enter the command nmap 192.168.50.0/24

This finds the target at 192.168.50.146. Now visit it in Kali's browser

It's another user login page; blind brute-forcing is definitely not feasible. First look at the page source

Nothing. Let's look at the other directories

I spotted the sensitive word /flag at a glance, ha ha~ Open it and have a look

The first flag is obtained successfully (it feels so simple). Move on to another page and open robots.txt

Open the admin area link based on the results of our directory brute-force

Nothing there... Check the page source

Wow, it's too easy. The second flag has been obtained, along with a user name and password. Needless to say, they must be for the login page from earlier. Logging in with them succeeded
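As an added example (not part of the original write-up), the following check looks for the two leaks this step relied on: credentials left in an HTML comment and sensitive paths advertised in robots.txt. The keyword lists, function names and the sample page and robots.txt are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Keywords suggesting a credential was left in a comment (assumed list).
CRED_RE = re.compile(r"\b(user(name)?|login|pass(word|wd)?|pwd|secret|token)\b\s*[:=]", re.I)
# Path fragments that should not be advertised in robots.txt (assumed list).
SENSITIVE_RE = re.compile(r"(admin|backup|flag|upload|config|secret|private)", re.I)


class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_comment_secrets(html):
    """Return the HTML comments that look like they contain credentials."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if CRED_RE.search(c)]


def sensitive_robots_paths(robots_txt):
    """Return Allow/Disallow paths that reveal sensitive locations."""
    hits = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop robots.txt comments
        field, _, value = line.partition(":")
        if field.strip().lower() in ("disallow", "allow") and SENSITIVE_RE.search(value):
            hits.append(value.strip())
    return hits


# Constructed sample input, modelled on what the walkthrough describes.
SAMPLE_HTML = """<html><body><h1>Admin area</h1>
<!-- layout v2 -->
<!-- username : demo_admin
     password : Example-Pass-123 -->
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\nDisallow: /admin_area\nDisallow: /flag\n"

if __name__ == "__main__":
    print(find_comment_secrets(SAMPLE_HTML))
    print(sensitive_robots_paths(SAMPLE_ROBOTS))
```

Run against rendered pages before release, a non-empty result from either function is a finding: robots.txt is readable by anyone, so it is not an access control.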

After logging in, I found a file upload page. My first reaction was to use a file upload vulnerability to get a shell. First upload a picture and try opening the uploads page

No URL... Then it should be under uploaded files

Visiting it returned a blank page, which proves the directory exists. Enter nc -lvnp 6666 in Kali to start listening, then upload a one-line web shell ("one-sentence Trojan") and try to get a reverse shell

The reverse shell connected, which proves our thinking was right. Let's see what files are there
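The upload form accepted a file that the server then executed from the upload directory. The following added example (not from the original article or the target's code) shows server-side upload validation that would refuse it; the allowlist, size limit, and function and exception names are assumptions.

```python
import os
import secrets

# Allowed image types: extension -> accepted leading magic bytes.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may execute; rejected anywhere in the name.
EXECUTABLE = {".php", ".php3", ".php5", ".phtml", ".phar", ".cgi",
              ".pl", ".py", ".jsp", ".asp", ".aspx"}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(filename, data):
    """Return a random storage name for a valid image, else raise."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if not name or "\x00" in name:
        raise UploadRejected("bad filename")
    parts = name.split(".")
    # "x.php.jpg" must fail too: some server configs execute it.
    if {"." + p for p in parts[1:]} & EXECUTABLE:
        raise UploadRejected("executable extension in name")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in MAGIC:
        raise UploadRejected("extension not on allowlist")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # Heuristic only: a valid image header can still carry script text.
    if b"<?php" in data.lower():
        raise UploadRejected("script marker inside image data")
    # Never reuse the client's name; store under a random one.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample
    print(validate_upload("holiday.png", png))
```

Validation is only one layer: the upload directory should also be served with script execution disabled, so that a file which slips through is returned as data rather than run.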

Open the home directory

I didn't find anything. Try another one

Open the www folder. It contains only an html directory. Open it and have a look

Another flag file was found, but there was no permission to open it

Open the other TXT file in the same directory: it contains the third flag and a hint about opening the previous flag file. You need the techni account to open it. Where is this account's password stored? Let's just search for it

On the command line, type grep -rns techni /etc/

This found a credentials.txt file that may hold the password. Open it and have a look
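A password file that the web server's account could read is what made this step work. This added example (not from the original article) audits a directory tree for world-readable files containing password-like lines; the pattern, the function names and the temporary sample tree are constructed.

```python
import os
import re
import stat
import tempfile

# Lines that look like "password: value" or "pwd=value" (assumed pattern).
SECRET_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd|secret)\b\s*[:=]\s*\S+")


def world_readable_secrets(root, max_bytes=65536):
    """Return (path, line_no) for secret-looking lines in files anyone can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
                # Only regular files with the "other" read bit set.
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                continue  # unreadable to the auditor: skip, do not crash
            for no, line in enumerate(text.splitlines(), 1):
                if SECRET_RE.search(line):
                    findings.append((path, no))
    return findings


def demo():
    """Audit a constructed tree; returns flagged (relative path, line) pairs."""
    samples = {
        "app/credentials.txt": (0o644, "username : demo_user\npassword : Example-Pass-123\n"),
        "app/locked.cnf": (0o600, "password = Example-Pass-456\n"),
        "hosts": (0o644, "127.0.0.1 localhost\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        for rel, (mode, body) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), n) for p, n in world_readable_secrets(root)]


if __name__ == "__main__":
    print(demo())
```

Only the 0644 file is reported; the same secret in the 0600 file is not, which is the permission a credentials file needs at minimum if it must exist at all.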

3. Connect via SSH (privilege escalation)

OK, I found the password and got the fourth flag at the same time. Next comes privilege escalation. After entering su, I was again told that a terminal is required. Based on previous experience, enter python -c 'import pty; pty.spawn("/bin/bash")'

But it didn't seem to work this time...

Then I remembered that when I used nmap to find the target's IP address, I saw that port 22 was open on the target. The last time I worked on a target machine I forgot about this and took many detours. This time I'll try connecting directly over SSH to see whether it works

Open a new command-line window in Kali, enter ssh -p 22 [email protected], and log in successfully after entering the password

Open the flag file directly

OK, all five flags obtained

IV. Summary

This target machine is not hard to finish. It mainly tests basic knowledge such as directory scanning and port scanning; you just need to be careful while working through it. This was my first time with a five-flag target, and although it was not very difficult, it still added to my experience. In the future, we should look for more difficult target machines to train ourselves and improve our technical level.
