本文详细介绍了在Kioptrix 1.2靶机中,通过arp-scan和nmap发现目标,利用lotusCMS和phpadmin的漏洞获取webshell,进一步利用linpeas.sh扫描系统漏洞,通过MySQL密码登录phpadmin,猜测并验证SSH密码,最终使用sudo权限编辑sudoers文件实现提权至root的过程。
arp-scan -l
多出来的那个机子就是
nmap。很常规,22要想到可能有ssh登录,80就是进网页找信息
C:\root\Desktop> nmap -A 192.168.189.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-19 21:06 EDT
Nmap scan report for 192.168.189.162
Host is up (0.00071s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:E6:81:11 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.71 ms 192.168.189.162
OS and Service detection performed. Please report any incorrect results at https://nmap.org
最低0.47元/天 解锁文章
扫一扫
679
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
