WeChat Official Account: 泷羽Sec-尘宇安全
Preface
OSCP prep, OSCP series: the hacklab-vulnix box. Covers SMTP username enumeration, the finger protocol, SSH brute-forcing, NFS mounting, SSH public-key injection, and NFS privilege escalation.
Difficulty: easy, leaning towards medium
- Getting the low-privilege shell involves: SMTP username enumeration, the finger protocol, SSH brute-forcing, NFS mounting, SSH public-key injection
- Privilege escalation: NFS privilege escalation
Download link:
https://www.vulnhub.com/entry/hacklab-vulnix,48/
nmap
Host discovery
└─# nmap -sn 192.168.66.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 19:09 CST
Nmap scan report for 192.168.66.1 (192.168.66.1)
Host is up (0.00086s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.66.2 (192.168.66.2)
Host is up (0.00026s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 192.168.66.131 (192.168.66.131)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:8F:38:B5 (VMware)
Nmap scan report for 192.168.66.254 (192.168.66.254)
Host is up (0.00019s latency).
MAC Address: 00:50:56:E2:6D:97 (VMware)
Nmap scan report for 192.168.66.128 (192.168.66.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.94 seconds
Port scan
└─# nmap --min-rate 10000 -p- 192.168.66.131 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 19:11 CST
Nmap scan report for 192.168.66.131 (192.168.66.131)
Host is up (0.0025s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
512/tcp open exec
513/tcp open login
514/tcp open shell
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
34073/tcp open unknown
38610/tcp open unknown
46684/tcp open unknown
52218/tcp open unknown
59228/tcp open unknown
MAC Address: 00:0C:29:8F:38:B5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.76 seconds
┌──(root㉿192)-[/home/kali/桌面/nmap]
└─# ports=$(grep open port.nmap | awk -F '/' '{print $1}' | paste -sd ',')
┌──(root㉿192)-[/home/kali/桌面/nmap]
└─# echo $ports
22,25,79,110,111,143,512,513,514,993,995,2049,34073,38610,46684,52218,59228
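The one-liner above builds the port list by grepping for the word "open" anywhere in the line. As an added example (not from the original post), the script below does the same extraction anchored on nmap's STATE column, and also flags the legacy services this scan exposes (finger, rexec/rlogin/rsh, NFS) that a defender would want firewalled or disabled. The sample input is constructed to mirror the page's scan; it is not the real scan file.

```shell
#!/bin/sh
# Constructed sample in nmap "normal" (-oN) output format, based on the
# ports seen on the page. A closed port is included to show it is ignored.
SAMPLE='PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
512/tcp open exec
513/tcp open login
514/tcp open shell
2049/tcp open nfs
8080/tcp closed http-proxy'

# Comma-separated list of open TCP ports. Matching $2 == "open" (the STATE
# column) avoids false hits from a service or banner that merely contains
# the word "open".
open_ports() {
  printf '%s\n' "$1" | awk '$2 == "open" { sub("/.*", "", $1); print $1 }' \
    | paste -sd ','
}

# Legacy / cleartext services worth flagging for remediation: finger leaks
# account info, the r-services (exec/login/shell) are unauthenticated or
# trust-based, and an NFS export reachable from the network needs review.
flag_legacy() {
  printf '%s\n' "$1" | awk '
    $2 == "open" && ($3 == "finger" || $3 == "exec" || $3 == "login" ||
                     $3 == "shell"  || $3 == "nfs") { print $3 }' \
    | paste -sd ','
}

# Stand-alone usage: print the port list and the legacy-service summary.
echo "open ports:  $(open_ports "$SAMPLE")"
echo "legacy svcs: $(flag_legacy "$SAMPLE")"
```

Run it against a real file with `open_ports "$(cat port.nmap)"`; the port list it prints can be passed straight to `nmap -p`.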
Detailed port scan
└─# nmap -sV -sT -sC -O -p$ports 192.168.66.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 19:13 CST
Stats: 0:03:01 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 19:16 (0:00:00 remaining)
Nmap scan report for 192.168.66.131 (192.168.66.131)
Host is up (0.00097s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after: 2022-08-31T17:40:12
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2025-01-22T11:17:07+00:00; +2s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2025-01-22T11:17:07+00:00; +2s from scanner time.
|_pop3-capabilities: UIDL TOP STLS CAPA RESP-CODES SASL PIPELINING
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 45544/tcp6 mountd
| 100005 1,2,3 52218/tcp mountd
| 100005 1,2,3 55096/udp mountd
| 100005 1,2,3 57014/udp6 mountd
| 100021 1,3,4 41263/tcp6 nlockmgr
| 100021 1,3,4 46684/tcp nlockmgr
| 100021 1,3,4 56454/udp6 nlockmgr
| 100021 1,3,4 60980/udp nlockmgr
| 100024 1 48873/udp6 status
| 100024 1 49280/tcp6 status
| 100024 1 58496/udp status
| 100024 1 59228/tcp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_ssl-date: 2025-01-22T11:17:07+00:00; +2s from scanner time.
|_imap-capabilities: LOGIN-REFERRALS Pre-login IMAP4rev1 ID LOGINDISABLEDA0001 more post-login have listed LITERAL+ IDLE capabilities SASL-IR OK STARTTLS ENABLE
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
512/tcp open exec?
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_imap-capabilities: LOGIN-REFERRALS Pre-login IMAP4rev1 ID more post-login have listed LITERAL+ capabilities AUTH=PLAINA0001 SASL-IR OK IDLE ENABLE
|_ssl-date: 2025-01-22T11:17:07+00:00; +2s from scanner time.
995/tcp open ssl/pop3s?
|_pop3-capabilities: UIDL TOP RESP-CODES CAPA USER SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2025-01-22T11:17:07+00:00; +