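Introduction:
Target VM download URL: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/#release
The virtual machine has to be imported directly into VirtualBox; the attacking machine runs Kali Linux. For convenience you can skip bridged mode and simply place the VM and Kali on the same IP subnet. If there are too many machines in the environment, it becomes hard to tell which IP is the target.
0x001 Information gathering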
nmap -sn 192.168.2.1-254
# output omitted ...
Nmap scan report for 192.168.2.117
Alternatively, use
nmap -A -T4 192.168.2.1/24
Once the target is found, run a detailed scan against it
nmap -A -T4 192.168.2.117 # -Pn skips the ping check; -oN writes the results to a file for easier review
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.2.112
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
0x002 Reconnaissance
Port 21 allows anonymous login
ftp://192.168.2.117/
# View the file
ftp://192.168.2.117/public/users.txt.bk
abatchy
john
mai
anne
doomguy
Web service
http://192.168.2.117/robots.txt
User-agent: *
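Disallow: /backup_wordpress # this tells us the web application is WordPress; look at this directory
Browsing to that URL shows that the /backup_wordpress directory is a backup of a deprecated WordPress blog.
0x003 Brute-forcing files and directories
Use dirb to enumerate the web directories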
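Seen from the defender's side, the two exposures noted above (anonymous FTP and a robots.txt entry pointing at a backup directory) can be flagged automatically from a saved nmap -oN report of your own hosts. This is an added example, not part of the original write-up; the function names, the keyword list for risky paths and the trimmed sample report are assumptions constructed for illustration.

```python
import re

# Constructed sample: trimmed from the nmap report shown earlier on this page.
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# NSE script ids are lowercase, so nested keys such as "STAT:" are not matched.
SCRIPT_LINE = re.compile(r"^\|[_ ]([a-z][a-z0-9.-]*):\s*(.*)$")
# Assumed keyword list for paths that should not be advertised in robots.txt.
RISKY_PATH = re.compile(r"backup|\.bak|\.bk|old|admin", re.I)

def parse_scripts(report):
    """Return {(port, script_id): [output lines]} from nmap normal output."""
    results, port, key = {}, None, None
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, key = int(m.group(1)), None
        elif not line.startswith("|"):
            key = None                      # any other line ends a script block
        elif (m := SCRIPT_LINE.match(line)):
            key = (port, m.group(1))
            results[key] = [m.group(2).strip()]
        elif key:
            results[key].append(line.lstrip("|_ ").strip())
    return results

def audit(report):
    """Flag anonymous FTP and sensitive paths disclosed through robots.txt."""
    findings = []
    for (port, script), lines in parse_scripts(report).items():
        if script == "ftp-anon" and "login allowed" in lines[0]:
            findings.append((port, "anonymous FTP login allowed"))
            findings += [(port, "anonymous listing shows: " + l) for l in lines[1:]]
        elif script == "http-robots.txt":
            findings += [(port, "robots.txt discloses " + p)
                         for l in lines[1:] for p in l.split() if RISKY_PATH.search(p)]
    return findings

if __name__ == "__main__":
    for port, issue in audit(SAMPLE_REPORT):
        print(f"port {port}: {issue}")
```

Each finding maps to a fix on the host: disable anonymous access in the FTP server configuration, and remove the old backup from the web root instead of merely hiding it behind a Disallow line.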
dirb http://192.168.2.117/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 2 16:28:23 2019
URL_BASE: http://192.168.2.117/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.2.117/ ----
+ http://192.168.2.117/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.2.117/index (CODE:200|SIZE:177)
+ http://192.168.2.117/index.html (CODE:200|SIZE:177)
+ http://192.168.2.117/robots (CODE:200|SIZE:43)
+ http://192.168.2.117/robots.txt (CODE:200|SIZE:43)
+ http://192.168.2.11