nmap -A -v -p 1-65535 -T4 --script=vuln 192.168.198.134
# Results
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-06 14:13 CST
NSE: Loaded 150 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:13
NSE Timing: About 50.00% done; ETC: 14:14 (0:00:31 remaining)
Completed NSE at 14:13, 34.02s elapsed
Initiating NSE at 14:13
Completed NSE at 14:13, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Initiating ARP Ping Scan at 14:13
Scanning 192.168.198.134 [1 port]
Completed ARP Ping Scan at 14:13, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:13
Completed Parallel DNS resolution of 1 host. at 14:13, 0.00s elapsed
Initiating SYN Stealth Scan at 14:13
Scanning 192.168.198.134 [65535 ports]
Discovered open port 111/tcp on 192.168.198.134
Discovered open port 80/tcp on 192.168.198.134
Discovered open port 33830/tcp on 192.168.198.134
Completed SYN Stealth Scan at 14:13, 1.93s elapsed (65535 total ports)
Initiating Service scan at 14:13
Scanning 3 services on 192.168.198.134
Completed Service scan at 14:14, 11.02s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.198.134
NSE: Script scanning 192.168.198.134.
Initiating NSE at 14:14
Completed NSE at 14:15, 64.37s elapsed
Initiating NSE at 14:15
Completed NSE at 14:15, 0.02s elapsed
Nmap scan report for 192.168.198.134
Host is up (0.00042s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-dombased-xss: Couldn't find any DOM based XSS.
| vulners:
| cpe:/a:igor_sysoev:nginx:1.6.2:
| EDB-ID:40768 7.8 https://vulners.com/exploitdb/EDB-ID:40768 *EXPLOIT*
| SSV:92538 7.2 https://vulners.com/seebug/SSV:92538 *EXPLOIT*
| PRION:CVE-2016-1247 7.2 https://vulners.com/prion/PRION:CVE-2016-1247
|_ 1337DAY-ID-26345 7.2 https://vulners.com/zdt/1337DAY-ID-26345 *EXPLOIT*
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: nginx/1.6.2
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.198.134
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.198.134:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33830/tcp status
| 100024 1 36704/tcp6 status
| 100024 1 52821/udp6 status
|_ 100024 1 54900/udp status
33830/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:CD:6E:79 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 199.639 days (since Sun Nov 19 22:54:53 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.198.134
NSE: Script Post-scanning.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.41 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)