Nyx¶
知识整理 |
---|
nmap http-enum的使用 |
ssh私钥泄露 |
sudo提权 |
usershell¶
目标IP:192.168.205.138
服务探测:
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Web目录扫描
+ http://192.168.205.138/index.html (CODE:200|SIZE:965) + http://192.168.205.138/server-status (CODE:403|SIZE:280)
未发现有用的信息
nmap进行枚举
┌──(kali㉿kali)-[~]
└─$ nmap -p 80 --script=http-enum 192.168.205.138
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-13 09:26 EDT
Nmap scan report for 192.168.205.138
Host is up (0.00044s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability
发现这个文件是一个SSH的私钥,用户名应该是mpampis
ssh连接,获得userFlag
注:ssh私钥的文件权限应该是600,不然不能连接
rootshell¶
sudo -l
发现gcc文件可利用
https://gtfobins.github.io/gtfobins/gcc/
获得rootshell