Tr0ll: 1 Vulnhub靶机渗透笔记
本博客提供的所有信息仅供学习和研究目的,旨在提高读者的网络安全意识和技术能力。请在合法合规的前提下使用本文中提供的任何技术、方法或工具。如果您选择使用本博客中的任何信息进行非法活动,您将独自承担全部法律责任。本博客明确表示不支持、不鼓励也不参与任何形式的非法活动。
如有侵权请联系我第一时间删除
靶机地址
信息收集
nmap
主机发现
nmap -sn 192.168.236.128/24
tcp扫描
┌──(observer㉿kali)-[~/Tr0ll]
└─$ nmap -sT 192.168.236.136 -p- --min-rate 10000 -oA tcpscan
Starting Nmap 7.94 ( https://nmap.org ) at 2024-12-08 19:59 CST
Nmap scan report for 192.168.236.136
Host is up (0.0027s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
udp扫描
┌──(observer㉿kali)-[~/Tr0ll]
└─$ sudo nmap -sU 192.168.236.136 --min-rate 10000 -oA udpscan
Starting Nmap 7.94 ( https://nmap.org ) at 2024-12-08 20:01 CST
Nmap scan report for 192.168.236.136
Host is up (0.00024s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
814/udp closed unknown
6970/udp closed unknown
17946/udp closed unknown
19933/udp closed unknown
48078/udp closed unknown
49202/udp closed unknown
MAC Address: 00:0C:29:8C:0A:29 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
刚刚扫描tcp扫到21ftp,22ssh,80web,现在对这三个端口进行详细的扫描
detail_tcpscan
┌──(observer㉿kali)-[~/Tr0ll]
└─$ sudo nmap -sT -sV -sC -O 192.168.236.136 -p 21,22,80 --min-rate 10000 -oA tcpscan_detail
Starting Nmap 7.94 ( https://nmap.org ) at 2024-12-08 20:13 CST
Nmap scan report for 192.168.236.136
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.236.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/secret
MAC Address: 00:0C:29:8C:0A:29 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
漏洞脚本扫描
nmap -script=vuln -p22,21,80 -min-rate 10000 -oA scriptvuln 192.168.236.136
这里不知道什么原因,扫不到东西
攻击面分析&尝试&getshell
那就不管了,主要看一下detail里的东西 这里本来是要先分析一下的,分析ftp的时候直接匿名登陆拿到了一个流量包,看到了一个关键的目录,然后去web渗透拿到了一些凭据,爆破后就ssh,思路就还挺简单的,所以就省略这个分析了
ftp
运行的是 vsftpd (Very Secure FTP Daemon) 3.0.2 版本
运行匿名登录,这个很值得关注:
ftp-anon: Anonymous FTP login allowed
在匿名登录的情况下,存在一个名为 lol.pcap 的文件具有读写执行权限 (-rwxrwxrwx),这表示任何连接到FTP服务器的人都可以读取、修改或删除这个文件。这对于安全性来说是一个严重的风险,因为它可能允许未授权的用户上传恶意内容或者修改现有文件。
-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
ftp连接以明文传输
控制连接是以明文形式进行的。这意味着客户端与服务器之间的命令交互(例如登录、目录更改等)不会被加密。
| Control connection is plain text
数据连接也将以明文形式进行。这表示当传输文件或目录列表时,这些数据也不会被加密
| Data connections will be plain text
当我ftp不给用户名进去后,给出一条这样的报错,This FTP server is anonymous only 猜测anonymous就是管理员的username,而我们匿名进去是没有权限执行命令的
这里还尝试了用root,还是提示只能用anonymous
那就用anonymous匿名登录吧,提示输入密码,直接回车给他一个空密码,成功连接到了ftp,尝试输入ls ,是ok的 ,过了一会这个ftp就掉了,回头看tcp扫描结果发现 Session timeout in seconds is 600 ,也就是说600秒就会timeout,不过不影响什么
把这个流量文件下载下来
get lol.pcap
在wireshark中发现了一个secret_stuff.txt
但我尝试ftp去下载,也尝试web端去路由他,都失败了,那他到底是个什么呢,仔细看wireshark的流量,这里是抓到了request请求下载secret_stuff.txt ,仔细看一下,搞清楚下载过程的流量来源,又一开始我们就知道ftp是以明文传输数据的,既然这里有抓包的流量,也就是说这个响应包里肯定就是明文
将响应包里的明文拿出来:
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n
\n
Sucks, you were so close... gotta TRY HARDER!\n
大概意思就是 好好好,你真是个小机灵鬼,你差不多找到了sup3rs3cr3tdirlol
标签:tmp,Linux,192.168,Tr0ll,Vulnhub,Ubuntu,靶机,txt,目录 From: https://www.cnblogs.com/Sol9/p/18595681