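The target VM ships with several insecure configurations and weak passwords, which lead to the leak of important files. This walkthrough studies the machine by testing each discovered port and service in turn for penetration and privilege escalation; if you spot any problems, please point them out.
The article is fairly long and records the process of repeated testing and of finding what could be exploited.
Introduction
Target VM:
- Name: Lazysysadmin
- OS: Linux
- Difficulty: Beginner / Intermediate
- Goals:
1. Teach beginners some basic Linux enumeration techniques
2. Get myself more familiar with Linux service configuration, then create more target VMs for everyone to learn from
3. Gain root privileges and find the flag
Environment:
- Target: Lazysysadmin (192.168.11.21)
- Attacker: Kali (192.168.11.11)
- Tools: Nmap, dirb, NetCat (nc), Burp Suite, Sqlmap, enum4linux, etc.
Workflow:
- Host discovery and port scanning
- Test each service in turn
Information Gathering
Power on the Lazysysadmin target VM
Use Nmap for host discovery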
nmap -sn 192.168.11.1/24
Run a detailed port and operating-system scan against it
nmap -sS -Pn -T4 -sV -O 192.168.11.21
Then run a full scan with -A; the results are as follows
root@kali:~/Desktop# nmap -sS -A -T4 192.168.11.21
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 02:24 EDT
Nmap scan report for 192.168.11.21
Host is up (0.0011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.11.11
|_ error: Closing link: (nmap@192.168.11.11) [Client exited]
MAC Address: 00:0C:29:4A:06:AF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: -1s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-dis