一、靶场准备
下载地址:http://www.vulnhub.com/entry/durian-1,553/
更改网络模式
二、练习过程
1、使用kali进行探测,探测到192.168.174.138地址
netdiscover -r 192.168.174.0/24
2、使用kali对192.168.174.138进行端口探测,发现8000为nginx 1.14.2、7080为LiteSpeed、8088为LiteSpeed,7080为后台,8088为前台,8000代理8088
nmap -sC -sV -p- 192.168.174.138 -n -vv --min-rate=2000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcIoZ27ulKq07HoP1IAw+p+ngZIw9E1wu2RSr/iVSr8jF8avZE4uJPET1cjydV6nBG5RPzhakghCPmAAukzctDBhPn5bMgWPMCVOv5DisAIldp6H44iQJWYsAAMxbgurBxfwLVVIeL2xyCxwK70G59QtOjCCLPIcoXo2MtNn2IC5rgLYY2UgL0SeNfblLkKKMscxAQgKZ6dh63aFT+j6Y0WHxn+N5uaySNG7CPxamddeKHNwoSdC1FZuMfAPRGGqDfH4OHAtu5/zYDWgP/BLheBalHR/TP8KYC1hDhbI+5fLCykSTT7Q8qXI9XtqfYnYoGwF5XqQX0ljw1ue9zKPhF
| 256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCIIPNvjo5nfOTzx/1iidyta9PBBg5UviiyhuMPxZq06KZccaHk2JobdXSYzKAWlUGYDBOncFRTErBSvkRWkt0=
| 256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJACpKE5LO4W2cn4Y54RR9yUu93wV+fFR7CPMBLBT3AG
7080/tcp open ssl/empowerid syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=d3b620b64038c4a2f4954c993ee0eea1; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Wed, 14 Sep 2022 01:20:55 GMT
| server: LiteSpeed
| alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| HTTPOptions:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=9f3792960e7814d08da02910250cf89b; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Wed, 14 Sep 2022 01:20:55 GMT
| server: LiteSpeed
|_ alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|_http-favicon: Unknown favicon MD5: AF89068FFB9883F7D99BB25F75687AC7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://192.168.174.138:7080/login.php
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Issuer: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-08T02:05:32
| Not valid after: 2022-12-07T02:05:32
| MD5: 9009 c3b8 8777 9a53 9b56 2556 30ee 0e9c
| SHA-1: ab6e 1ab5 d06d 506c c588 d946 b97a c0fd 89f1 5605
| -----BEGIN CERTIFICATE-----
| MIIEMTCCAxmgAwIBAgIUIE+NkC48iwucp8CENgLvUcYH84swDQYJKoZIhvcNAQEL
| BQAwgcUxDzANBgNVBAMMBmR1cmlhbjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB1Zp
| cnR1YWwxGzAZBgNVBAoMEkxpdGVTcGVlZENvbW11bml0eTEQMA4GA1UECwwHVGVz
| dGluZzELMAkGA1UECAwCTkoxGjAYBgkqhkiG9w0BCQEWC21haWxAZHVyaWFuMRYw
| FAYDVQQpDA1vcGVubGl0ZXNwZWVkMQswCQYDVQQrDAJDUDEWMBQGA1UELhMNb3Bl
| bmxpdGVzcGVlZDAeFw0yMDA5MDgwMjA1MzJaFw0yMjEyMDcwMjA1MzJaMIHFMQ8w
| DQYDVQQDDAZkdXJpYW4xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFsMRsw
| GQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3RpbmcxCzAJ
| BgNVBAgMAk5KMRowGAYJKoZIhvcNAQkBFgttYWlsQGR1cmlhbjEWMBQGA1UEKQwN
| b3BlbmxpdGVzcGVlZDELMAkGA1UEKwwCQ1AxFjAUBgNVBC4TDW9wZW5saXRlc3Bl
| ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqKu/8xCP8hH62rXJ
| PIoL9a+rtHe3HL1bNH3/pDOa7zCcWsEjcpYvl3sVTM3AuqCx1+RMJBKmLAaF8liy
| /eTvs2MLkpLr1zkv+jj3iEMvv9cyMtOJfk10PkBMKYiSffPMwELRHeT2x2tgTY2/
| toDBP8zQeVj8wm8svelG4bFRv8/bIsktJvZDy56nzFmXXjxiO9qBbKlUWLJHRtmT
| H+8whDiiGF55wY8pKJbJNlJa64RnfXxA004zEgmuDnYLPDj+tp2cvEvOZG+TAlTa
| 47FmZL2MkamPTveOB4ZXH+KN2gedEaZqIumb0tXrjahlI6Ukuh45lhz1BUxlriCa
| qPbxAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA
| A4IBAQAlOatyhOSya2XaAK+fAOrjMFT0iF7ekKKRnzwwNJUP50vF9mTMsj8l1Gb4
| rNn545bmtOuGE2GP9BUYyy+dw0NmUVyWBfyJmzZDbosSftwlTU7jJ8V3sM20MaxO
| 1x4181lTv9ROJrrDGrye+Sf2MOahrh5iZ+Mq/LZKZ04MTw7iYRNGgkCIbKISmafa
| qqja3MokTaIdQBf+oCxX7JiR0Jd6YMdmux5p1/xSEuq8GnPgM8mRZiLSkZYOrwB9
| HJhCswI5T79RSJVIrpRbR7g9h1vc+yDDu/SH49g5SGyE/e2YdDRuA/JVyMUKZFBt
| wSErKwtEdoJosbega14/Vpe9uKIr
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
8000/tcp open http syn-ack ttl 64 nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Durian
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
8088/tcp open radan-http syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| etag: "2fd-5f56ea13-40590;;;"
| last-modified: Tue, 08 Sep 2020 02:18:59 GMT
| content-type: text/html
| content-length: 765
| accept-ranges: bytes
| date: Wed, 14 Sep 2022 01:20:39 GMT
| server: LiteSpeed
| connection: close
| <html>
| <body bgcolor="white">
| <head>
| <title>Durian</title&