来自tryhackme的 Basic Pentesting

开靶场IP:10.10.227.255

# nmap 端口扫描

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)

8080/tcp open  http        Apache Tomcat 9.0.7

# gobuster 目录扫描

/.hta (Status: 403)

/.htaccess (Status: 403)

/.htpasswd (Status: 403)

/development (Status: 301)

/index.html (Status: 200)

/server-status (Status: 403)

在/development发现

#

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat

to host that on this server too. Haven't made any real web apps yet, but I have tried that example

you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm

using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

#

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,

and I was able to crack your hash really easily. You know our password policy, so please follow

it? Change that password ASAP.

-K

根据提示工具 使用 SMB 查找用户名怎么样?

/root/Desktop/Tools/Miscellaneous/enum4linux.pl -a 10.10.227.255

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)

得到用户名jan

使用hydra爆破ssh密码

hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt 10.10.227.255 ssh

......等了很久大概有十分钟的样子

passwd:armando

按照提示使用LinEnum找到到登录的ssh

https://github.com/rebootuser/LinEnum(开箱即用)

/home/kay/.ssh/id_rsa

使用

ssh2john rsa_a.id_rsa >id_rsa_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

破解密码为

beeswax(很快)

登录

ssh -i id_rsa kay@10.10.227.255

即可

Basic Pentesting的更多相关文章

  1. vulnhub writeup - 持续更新

    目录 wakanda: 1 0. Description 1. flag1.txt 2. flag2.txt 3. flag3.txt Finished Tips Basic Pentesting: ...

  2. Atitit HTTP 认证机制基本验证 (Basic Authentication) 和摘要验证 (Digest Authentication)attilax总结

    Atitit HTTP认证机制基本验证 (Basic Authentication) 和摘要验证 (Digest Authentication)attilax总结 1.1. 最广泛使用的是基本验证 ( ...

  3. Basic Tutorials of Redis(9) -First Edition RedisHelper

    After learning the basic opreation of Redis,we should take some time to summarize the usage. And I w ...

  4. Basic Tutorials of Redis(8) -Transaction

    Data play an important part in our project,how can we ensure correctness of the data and prevent the ...

  5. Basic Tutorials of Redis(7) -Publish and Subscribe

    This post is mainly about the publishment and subscription in Redis.I think you may subscribe some o ...

  6. Basic Tutorials of Redis(6) - List

    Redis's List is different from C#'s List,but similar with C#'s LinkedList.Sometimes I confuse with t ...

  7. Basic Tutorials of Redis(5) - Sorted Set

    The last post is mainly about the unsorted set,in this post I will show you the sorted set playing a ...

  8. Basic Tutorials of Redis(4) -Set

    This post will introduce you to some usages of Set in Redis.The Set is a unordered set,it means that ...

  9. Basic Tutorials of Redis(3) -Hash

    When you first saw the name of Hash,what do you think?HashSet,HashTable or other data structs of C#? ...

  10. Basic Tutorials of Redis(2) - String

    This post is mainly about how to use the commands to handle the Strings of Redis.And I will show you ...

随机推荐

  1. java面向对象-类与对象,构造器

    java面向对象-类与对象,构造器 类与对象 package charpter5.Demo; public class Student { //属性:字段 static String name2=&q ...

  2. 谷歌浏览器配置Selenium,并配合python使用

    python环境准备 python 需要安装selenium ,这个直接pip安装即可 pip install selenium -i http://pypi.douban.com/simple -- ...

  3. Java 面试——Zookeeper

    一.Zookeeper 实现机制 文件系统 + 通知机制 二.Zookeeper 高可用实现原理 一个 ZooKeeper 集群如果要对外提供可用的服务,那么集群中必须要有过半的机器正常工作并且彼此之 ...

  4. JVM加载中初始化时机?什么时候不会进行初始化?

    初始化的过程是给静态变量赋予指定值以及执行静态代码块的过程. 当遇到new,getstatic,putstatic,invokestatic指令时要进行初始化,也就是new实例化对象,调用静态变量以及 ...

  5. AcWing 1902. 马拉松

    题目链接 每次路程改变只对前后两点间距离有影响,因此每次都判断当前三个点之间的距离之和与去掉中间点的距离哪个更优即可,最后取最大值作为结果输出. #include<iostream> #i ...

  6. MySQL日志机制分析

    进入正题前先简单看看MySQL的逻辑架构,相信我用的着. MySQL的逻辑架构大致可以分为三层: 第一层:处理客户端连接.授权认证,安全校验等. 第二层:服务器server层,负责对SQL解释.分析. ...

  7. Alchemy Nft黑客松任务(第一周)

    Alchemy是什么项目? 2019年12月,Alchemy完成1500万美元A轮融资,资方为Pantera Capital,斯坦福大学,Coinbase,三星等. 2021年4月,Alchemy以5 ...

  8. 二进制安装Kubernetes(k8s) v1.22.10 IPv4/IPv6双栈

    二进制安装Kubernetes(k8s) v1.22.10 IPv4/IPv6双栈 Kubernetes 开源不易,帮忙点个star,谢谢了 介绍 kubernetes二进制安装 后续尽可能第一时间更 ...

  9. flask-wtfwkfom使用

    我们在使用flask框架来搭建自己的博客,只要是设涉及到表单相关,必然会想起Flask-WTF与WTForms.对于flask初学者来说,比较容易混淆两者.今天想来一一解释两者的用法. Flask-W ...

  10. [Linux]Xmanager+Xshell远程管理桌面版CentOS物理服务器的桌面版CentOS虚拟机

    1 需求/背景 在项目现场有这么一个情况,有1台Gnome版的CentOS的物理服务器,其内运行了2台通过vmware安装的Gnome桌面版的CentOS的虚拟服务器. 按照常规做法是: 将唯一的1台 ...