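VulnHub Lab Series: Flick
Today I came across a write-up for a lab on VulnHub and found it interesting, so I worked through it myself and recorded the process.
Environment setup:
Download the lab image and import it into VMware: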
https://download.vulnhub.com/flick/flick.tar.gz
Walkthrough:
First, scan the whole subnet with a tool to find the target machine's IP:
fping -g 192.168.142.0/24
With the target's IP in hand, use Nmap to check which ports the server has open:
nmap -sV -p1-65535 192.168.142.35
The scan shows that the server has ports 22 and 8881 open.
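The fingerprint nmap prints for the unrecognised service on port 8881 (in the scan output that follows) is line-wrapped and backslash-escaped, which hides the banner. The Python below is an added example, not part of the original write-up: it joins the `SF:` lines and decodes them; the function names are my own, and the escape handling is assumed from the escapes visible in that output.

```python
import re

# First two probe responses of the port-8881 fingerprint in this page's nmap
# output, copied as wrapped and cut off after the GetRequest probe.
FINGERPRINT = r"""
SF-Port8881-TCP:V=7.80%I=7%D=10/2%Time=5F76F239%P=x86_64-pc-linux-gnu%r(NU
SF:LL,5F,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20pas
SF:sword\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x2
SF:0door:\n>\x20")%r(GetRequest,78,"Welcome\x20to\x20the\x20admin\x20serve
SF:r\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switch\x20
SF:and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/\x20HTTP/1\.0\r\n
SF:\r\n\n>\x20")
"""

# %r(ProbeName,HexLength,"escaped response")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.S)
SIMPLE = {"0": "\0", "n": "\n", "r": "\r", "t": "\t"}


def join_lines(text):
    """Undo the line wrapping, which can split an escape such as \\x20."""
    parts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("SF:"):
            parts.append(line[3:])
        elif line.startswith("SF-"):
            parts.append(line.split(":", 1)[1])  # drop "SF-Port8881-TCP:"
    return "".join(parts)


def unescape(body):
    """Turn \\xHH, \\0, \\n, \\r, \\t and backslash-escaped punctuation into bytes."""
    def repl(match):
        tok = match.group(1)
        if len(tok) == 3:  # xHH
            return chr(int(tok[1:], 16))
        return SIMPLE.get(tok, tok)
    return ESCAPE_RE.sub(repl, body).encode("latin-1")


def decode_fingerprint(text):
    """Map probe name -> (length nmap recorded, decoded response bytes)."""
    return {name: (int(hexlen, 16), unescape(body))
            for name, hexlen, body in PROBE_RE.findall(join_lines(text))}


if __name__ == "__main__":
    for probe, (length, data) in decode_fingerprint(FINGERPRINT).items():
        print(probe, length, len(data), data)
```

The decoded length of each response matches the hex length nmap recorded, and the GetRequest response shows the service writing the received request back after `OK:`.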
root@kali:/# nmap -sV -p1-65535 192.168.142.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 17:26 CST
Nmap scan report for 192.168.142.35
Host is up (0.00081s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
8881/tcp open galaxy4d?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8881-TCP:V=7.80%I=7%D=10/2%Time=5F76F239%P=x86_64-pc-linux-gnu%r(NU
SF:LL,5F,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20pas
SF:sword\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x2
SF:0door:\n>\x20")%r(GetRequest,78,"Welcome\x20to\x20the\x20admin\x20serve
SF:r\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switch\x20
SF:and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/\x20HTTP/1\.0\r\n
SF:\r\n\n>\x20")%r(FourOhFourRequest,9B,"Welcome\x20to\x20the\x20admin\x20
SF:server\.\x20A\x20correct\x20password\x20will\x20'flick'\x20the\x20switc
SF:h\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20GET\x20/nice%20ports
SF:%2C/Tri%6Eity\.txt%2ebak\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(GenericLines,6
SF:A,"Welcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20passwor
SF:d\x20will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20doo
SF:r:\n>\x20OK:\x20\r\n\r\n\n>\x20")%r(HTTPOptions,7C,"Welcome\x20to\x20th
SF:e\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick'\x
SF:20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPTION
SF:S\x20/\x20HTTP/1\.0\r\n\r\n\n>\x20")%r(RTSPRequest,7C,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20OPT
SF:IONS\x20/\x20RTSP/1\.0\r\n\r\n\n>\x20")%r(RPCCheck,92,"Welcome\x20to\x2
SF:0the\x20admin\x20server\.\x20A\x20correct\x20password\x20will\x20'flick
SF:'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n>\x20OK:\x20\x8
SF:0\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n>\x20")%r(DNSVersionBindReqTCP,86,"W
SF:elcome\x20to\x20the\x20admin\x20server\.\x20A\x20correct\x20password\x2
SF:0will\x20'flick'\x20the\x20switch\x20and\x20open\x20a\x20new\x20door:\n
SF:>\x20OK:\x20\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0
SF:\x10\0\x03\n>\x20")%r(DNSStatusRequestTCP,74,"Welcome\x20to\x20the\x20a
SF:dmin\x20server\.\x20A\x20correct\x20password\x20will\x20'flic