HackLAB:vulnix
Hands-on walkthrough
Information gathering
┌──(root💀kali)-[~]
└─# fping -a -g 192.168.32.0/24 > /tmp/scan.log
┌──(root💀kali)-[~]
└─# cat /tmp/scan.log
192.168.32.1
192.168.32.2
192.168.32.130
192.168.32.143
┌──(root💀kali)-[~]
└─# nmap -sT -sC -sV -A -O -p1-65535 192.168.32.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-29 21:58 EDT
Nmap scan report for 192.168.32.143
Host is up (0.00085s latency).
Not shown: 65518 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING TOP RESP-CODES STLS UIDL CAPA
|_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 34690/tcp mountd
| 100005 1,2,3 40182/tcp6 mountd
| 100005 1,2,3 46697/udp mountd
| 100005 1,2,3 48580/udp6 mountd
| 100021 1,3,4 35088/tcp6 nlockmgr
| 100021 1,3,4 37627/tcp nlockmgr
| 100021 1,3,4 47312/udp nlockmgr
| 100021 1,3,4 56054/udp6 nlockmgr
| 100024 1 32992/udp status
| 100024 1 45632/tcp status
| 100024 1 55313/udp6 status
| 100024 1 59036/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities more IMAP4rev1 SASL-IR Pre-login STARTTLS LITERAL+ IDLE LOGIN-REFERRALS post-login listed ENABLE have LOGINDISABLEDA0001 OK ID
|_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time.
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
34690/tcp open mountd 1-3 (RPC #100005)
37627/tcp open nlockmgr 1-4 (RPC #100021)
45632/tcp open status 1 (RPC #100024)
55719/tcp open mountd 1-3 (RPC #100005)
60479/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:78:E8:C4 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 192.168.32.143
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.55 seconds
SSH service
Finger service

NFS service
Gaining access
SSH service brute force

Privilege escalation
