Target machine walkthrough: CONNECT THE DOTS

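This article records in detail a network security exercise: information gathering with Nmap, obtaining information about the target system through HTTP scanning and FTP operations, social-engineering-based SSH brute forcing, and finally privilege escalation to root. Along the way, users named morris and norris were discovered, a password was found by decoding hidden information, and login succeeded and root privileges were obtained.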

Information gathering:

# Nmap 7.94 scan initiated Tue Aug  1 08:44:47 2023 as: nmap -sT -sC -sV -O -A -p21,80,111,2049,7822,38165,41727,42949,54889 -o nmap_details.txt 192.168.56.114
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.114
Host is up (0.00065s latency).
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 2.0.8 or later
80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      33031/udp   mountd
|   100005  1,2,3      33775/tcp6  mountd
|   100005  1,2,3      41034/udp6  mountd
|   100005  1,2,3      54889/tcp   mountd
|   100021  1,3,4      38436/udp6  nlockmgr
|   100021  1,3,4      41727/tcp   nlockmgr
|   100021  1,3,4      43569/tcp6  nlockmgr
|   100021  1,3,4      46645/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
7822/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 38:4f:e8:76:b4:b7:04:65:09:76:dd:23:4e:b5:69:ed (RSA)
|   256 ac:d2:a6:0f:4b:41:77:df:06:f0:11:d5:92:39:9f:eb (ECDSA)
|_  256 93:f7:78:6f:cc:e8:d4:8d:75:4b:c2:bc:13:4b:f0:dd (ED25519)
38165/tcp open  mountd   1-3 (RPC #100005)
41727/tcp open  nlockmgr 1-4 (RPC #100021)
42949/tcp open  mountd   1-3 (RPC #100005)
54889/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:18:23:5C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
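
The rpcinfo table in the scan shows the NFS stack (nfs, mountd, nlockmgr, nfs_acl) registered with rpcbind and reachable over the network. The following is an added example, not part of the original post: a parser for that table that lists the NFS-related endpoints and those on non-fixed ports, for reviewing what a host exposes. NFS_STACK, FIXED_PORTS and the function names are assumptions of this example, and the sample rows are constructed in the table's layout.

```python
import re

# Constructed sample: a few rows in the layout of the rpcinfo table above.
SAMPLE = """\
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      54889/tcp   mountd
|   100021  1,3,4      41727/tcp   nlockmgr
|_  100227  3           2049/udp6  nfs_acl
"""

# One table row: program number, version list, port/proto, service name.
ROW = re.compile(r"^\|[_ ]\s+(\d+)\s+([\d,]+)\s+(\d+)/(tcp6?|udp6?)\s+(\S+)\s*$")

# Assumption of this example: services treated as part of the NFS stack.
NFS_STACK = {"nfs", "nfs_acl", "mountd", "nlockmgr", "status"}
# rpcbind and nfs use well-known ports; other RPC services normally get
# a dynamically assigned port unless the administrator pins one.
FIXED_PORTS = {111, 2049}

def parse_rpcinfo(text):
    """Return one dict per table row; header, blank and non-table lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prog, vers, port, proto, svc = m.groups()
            rows.append({"program": int(prog), "port": int(port), "proto": proto,
                         "versions": [int(v) for v in vers.split(",")], "service": svc})
    return rows

def nfs_exposure(rows):
    """Map each NFS-related service to its sorted 'port/proto' endpoints."""
    found = {}
    for r in rows:
        if r["service"] in NFS_STACK:
            found.setdefault(r["service"], set()).add(f"{r['port']}/{r['proto']}")
    return {svc: sorted(eps) for svc, eps in found.items()}

def dynamic_endpoints(rows):
    """Endpoints on non-fixed ports: unless pinned these can move between
    restarts, so a firewall rule written from one scan may stop matching."""
    return sorted((r["service"], f"{r['port']}/{r['proto']}")
                  for r in rows if r["port"] not in FIXED_PORTS)

if __name__ == "__main__":
    table = parse_rpcinfo(SAMPLE)
    print(nfs_exposure(table))
    print(dynamic_endpoints(table))
```
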

$ gobuster dir -u http://192.168.56.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php
/index.html           (Status: 200) [Size: 1964]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.114/images/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.114/manual/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.114/javascript/]
/hits.txt             (Status: 200) [Size: 44]
/backups.html         (Status: 200) [Size: 325]
/backups              (Status: 200) [Size: 6301]
/mysite               (Status: 301) [Size: 317] [--> http://192.168.56.114/mysite/]

Visit the home page in a browser. Here is a piece of its HTML, which contains a lot of information:

<p class="lead text-white-50">You know how our family have named us, right? Them naming me <strong>M</strong> and you <strong>N</strong>. Well, our n
