Vulnhub-Venus
Venus target VM download: ; attacker machine: Kali
Information gathering
Use arp-scan in Kali to confirm the target's IP
arp-scan -l
Scan all ports with nmap
nmap -A -p 1-65535 192.168.122.137
Visit port 8080
It is a login page
Exploitation
Try weak credentials
Username enumeration is possible, so running a wordlist against the username field yields guest, venus and magellan. guest/guest logs in successfully, and the Set-Cookie header in the response changes.
base64-decoding the cookie gives guest:thrfg
Since both the username and the password are guest, thrfg is presumably also encoded; after trying several schemes it turns out to be ROT13 (thrfg decodes to guest).
Change the username in the decoded value and base64-encode it again
The Cookie value in the response changes; decoding it gives venus:irahf
ROT13-decoding irahf also gives venus, so that is the password
Likewise change the username to magellan and base64-encode it
This gives bWFnZWxsYW46aXJhaGZ2bmF0cmJ5YnRsMTk4OQ==
base64-decoded: magellan:irahfvnatrbybtl1989
ROT13-decoding irahfvnatrbybtl1989 gives venusiangeology1989
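The cookie format worked out above is base64(username ":" rot13(password)): two reversible encodings and no integrity protection, so anyone holding a cookie can read the password and anyone can mint a cookie for another user. The following is an added example (not code from the write-up or from the Venus VM) that decodes the cookie values recovered above and contrasts them with an HMAC-signed session token that carries no password and rejects a tampered username. The guest and venus cookie strings are reconstructed from the decoded text on the page; the magellan string is the one quoted above; SERVER_KEY is a constructed value.

```python
import base64
import binascii
import codecs
import hashlib
import hmac
import secrets

# Cookie values from the write-up. guest and venus are re-encoded from the
# decoded text shown above; magellan is the base64 string quoted verbatim.
COOKIES = {
    "guest": base64.b64encode(b"guest:thrfg").decode(),
    "venus": base64.b64encode(b"venus:irahf").decode(),
    "magellan": "bWFnZWxsYW46aXJhaGZ2bmF0cmJ5YnRsMTk4OQ==",
}


def decode_session_cookie(cookie: str) -> tuple[str, str]:
    """Reverse the Venus cookie: base64(user ':' rot13(password)).

    Both layers are encodings, not encryption, so no key is needed.
    """
    raw = base64.b64decode(cookie).decode()
    user, _, obfuscated = raw.partition(":")
    return user, codecs.decode(obfuscated, "rot_13")


# --- Hardened alternative: an HMAC-signed token that names the user only ---

# Constructed for this example; a real application loads a persistent secret
# from its configuration rather than generating one at import time.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user: str, key: bytes = SERVER_KEY) -> str:
    """Return '<b64 payload>.<b64 tag>' where tag = HMAC-SHA256(key, payload)."""
    payload = user.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the username if the tag matches, else None (malformed or tampered)."""
    try:
        p64, t64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode()


def swap_user(token: str, new_user: str) -> str:
    """Rewrite the username field while keeping the original tag (the same
    edit that works against the Venus cookie)."""
    _, t64 = token.split(".", 1)
    return base64.urlsafe_b64encode(new_user.encode()).decode() + "." + t64


if __name__ == "__main__":
    for name, cookie in COOKIES.items():
        print(name, "->", decode_session_cookie(cookie))
    tok = issue_token("guest")
    print("valid token ->", verify_token(tok))
    print("username swapped ->", verify_token(swap_user(tok, "magellan")))
```

Running the script prints the three decoded credential pairs, then shows that the signed token verifies as guest while the same username swap that worked on the Venus cookie is rejected. The two properties worth taking from this: the session cookie should never contain the password in any reversible form, and it needs a keyed MAC (or a server-side session ID) so its contents cannot be altered by the client.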
Log in with these credentials
Try a directory scan
The page found is another login form; the passwords above and brute-forcing both fail
Try SSH: magellan/venusiangeology1989 logs in successfully
First flag found
Privilege escalation
Look for SUID binaries
find / -perm -u=s -type f 2>/dev/null
As on Mercury, the pkexec privilege-escalation vulnerability CVE-2021-4034 is present
git is not available on the target
Download the exploit locally and serve it to the target with Python's built-in HTTP server:
python -m http.server 1234
Extract the archive with unzip
Use find to locate the flag, then read it
find / -name "*flag*"