靶机描述
靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-torment,299/
Description
This is the evil twin of JOY. Unlike JOY, this machine is designed to drive you crazy. Stephen Hawking once mentioned, “God plays dice and throws them into places where they cannot be seen.”
The dice for the machine can all be found on the Internet. Like all other machines built by me, you should not torment yourself by brute force. But perhaps, JOY and TORMENT are two sides of the same coin of satisfaction? Can we really spark joy if we can’t first be tormented to endure sufferance?
This machine guarantees to teach you some new ways of looking at enumeration and exploitation. Unlike all the other OSCP-like machines written by me, this machine will be mind-twisting and maybe mind-blowing. You may lose your mind while at it, but we will still nudge you to… try harder!
This is NOT an easy machine and you should not feel discouraged if you spend a few days headbanging on this machine. At least three competent pentesters I have asked to test this machine report days (thankfully not weeks) of head banging and nerve wrecking. Do this machine if you enjoy being humbled.
If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Torment is (#1): what happens when you can’t find your answer on Google, even though it’s there, (#2): what happens when you plead for mercy, but do not succeed, (#3): https://www.youtube.com/watch?v=7ge1yWot4cE
Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.53
靶机环境建设如下
- 将下载的靶机环境导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥模式网卡设置 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫描)
arp-scan -I eth0 -l
? TORMENT arp-scan -I eth0 -l Interface: eth0, type: EN10MB, MAC: 00:50:56:27:36, IPv4: 192.168.9.7 Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.9.2 08:00:27:ab:1a:1b PCS Systemtechnik GmbH 192.168.9.53 08:00:27:1f:47:d2 PCS Systemtechnik GmbH 2 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 2 responded 方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四,等你补充
2.1.2 检查靶机开口端口
使用nmap -A -sV -T4 -p- 靶机ip检查靶机开口端口
? TORMENT nmap -A -sV -T4 -p- 192.168.9.53 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 14:30 CST Nmap scan report for bogon (192.168.9.53) Host is up (0.00034s latency).
Not shown: 65516 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.9.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
| -rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
| -rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
| -rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
| -rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
| -rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
| -rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
| -rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
| -rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
| -rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
| 256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_ 256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=TORMENT
| Subject Alternative Name: DNS:TORMENT
| Not valid before: 2018-12-23T14:28:47
|_Not valid after: 2028-12-20T14:28:47
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 41233/tcp6 mountd
| 100005 1,2,3 46203/tcp mountd
| 100005 1,2,3 49339/udp mountd
| 100005 1,2,3 49394/udp6 mountd
| 100021 1,3,4 34459/tcp6 nlockmgr
| 100021 1,3,4 36137/tcp nlockmgr
| 100021 1,3,4 53291/udp nlockmgr
| 100021 1,3,4 58511/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LITERAL+ ENABLE more ID post-login AUTH=PLAIN listed capabilities OK Pre-login IDLE AUTH=LOGINA0001 SASL-IR LOGIN-REFERRALS
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
2049/tcp open nfs_acl 3 (RPC #100227)
6667/tcp open irc ngircd
6668/tcp open irc ngircd
6669/tcp open irc ngircd
6672/tcp open irc ngircd
6674/tcp open irc ngircd
36137/tcp open nlockmgr 1-4 (RPC #100021)
41735/tcp open mountd 1-3 (RPC #100005)
46203/tcp open mountd 1-3 (RPC #100005)
49167/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1F:47:D2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: TORMENT.localdomain, TORMENT, irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5h19m57s, deviation: 4h37m07s, median: 7h59m57s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: torment
| NetBIOS computer name: TORMENT\x00
| Domain name: \x00
| FQDN: torment
|_ System time: 2022-03-24T22:30:41+08:00
|_nbstat: NetBIOS name: TORMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-03-24T14:30:42
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms bogon (192.168.9.53)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.82 seconds
⬢ TORMENT
21—ftp—vsftpd 2.0.8 or later—Anonymous FTP login allowed (FTP code 230)
22—ssh—OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25—smtp—Postfix smtpd
80—http—Apache httpd 2.4.25
111—rpcbind—2-4 (RPC #100000)
139—netbios-ssn—Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143—imap—Dovecot imapd
445—netbios-ssn—Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631—ipp—CUPS 2.2
2049—nfs_acl—3 (RPC #100227) 6667—irc—ngircd 6668—irc—ngircd 6669—irc—ngircd 6672—irc—ngircd 6674—irc—ngircd 36137—nlockmgr—1-4 (RPC #100021) 41735—mountd—1-3 (RPC #100005) 46203—mountd—1-3 (RPC #100005) 49167—mountd—1-3 (RPC #100005)
2.2枚举漏洞
2.2.1 21端口分析
anonymous 无密码匿名登录
⬢ TORMENT ftp 192.168.9.53
Connected to 192.168.9.53.
220 vsftpd (broken)
Name (192.168.9.53:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
进行信息收集
ftp> ls -al
229 Entering Extended Passive Mode (|||44686|)
150 Here comes the directory listing.
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 .
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 ..
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .cups
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .ftp
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .imap
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .mysql
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .nfs
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ngircd
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .samba
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .smtp
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ssh
-rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
-rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
-rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
-rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.1.gz
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.2.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 ftp ftp 489389 Dec 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 ftp ftp 470278 Dec 27 2018 dpkg.status.6.gz
-rw------- 1 ftp ftp 1010 Dec 31 2018 group.bak
-rw------- 1 ftp ftp 840 Dec 31 2018 gshadow.bak
-rw------- 1 ftp ftp 2485 Dec 31 2018 passwd.bak
-rw------- 1 ftp ftp 1575 Dec 31 2018 shadow.bak
226 Directory send OK.
ftp>
好多东西,直接下载下来进行信息收集:wget -r ftp://192.168.9.53:21
查看channels其内容
⬢ TORMENT ls -al
总用量 24
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 .
drwxr-xr-x 6 hirak0 kali 4096 3月 24 14:27 ..
drwxr-xr-x 11 root root 4096 3月 24 14:55 192.168.9.53
-rw-r--r-- 1 root root 33 1月 5 2019 channels
-rw-r--r-- 1 root root 1766 1月 5 2019 id_rsa
-rw-r--r-- 1 root root 1471 3月 24 14:43 torment.txt
⬢ TORMENT cd 192.168.9.53
⬢ 192.168.9.53 ls -al
总用量 4896
drwxr-xr-x 11 root root 4096 3月 24 14:55 .
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 112640 12月 28 2018 alternatives.tar.0
-rw-r--r-- 1 root root 4984 12月 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 root root 95760 12月 28 2018 apt.extended_states.0
-rw-r--r-- 1 root root 10513 12月 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 root root 10437 12月 26 2018 apt.extended_states.2.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .cups
-rw-r--r-- 1 root root 559 12月 23 2018 dpkg.diversions.0
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 root root 505 12月 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 281 12月 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 208 12月 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 1719127 1月 1 2019 dpkg.status.0
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.1.gz
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.2.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 root root 489389 12月 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 root root 470278 12月 27 2018 dpkg.status.6.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ftp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .imap
drwxr-xr-x 2 root root 4096 3月 24 14:55 .mysql
drwxr-xr-x 2 root root 4096 3月 24 14:55 .nfs
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ngircd
drwxr-xr-x 2 root root 4096 3月 24 14:55 .samba
drwxr-xr-x 2 root root 4096 3月 24 14:55 .smtp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ssh
⬢ 192.168.9.53 cd .ngircd
⬢ .ngircd ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 33 1月 4 2019 channels
⬢ .ngircd cat channels
channels:
games
tormentedprinter
找到id_rsa,查看其内容
⬢ .ssh ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 1766 1月 4 2019 id_rsa
⬢ .ssh cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C37F0C31D1560056EA1F9204EC405986
U9X/cW7GIiI48TQAzUs5ozEQgexHKiFi2NcoADhs/ax/CTJvZh32k+izzW0mMzl1
mo5HID0qNghIbVbRcN6Zv8cdJ/AhREjy25YZ68zA7GWoyfoch1K/XY0NEnNTchLf
b6k5GEgu5jfQT+pAj1A6jQyzz4A4CGbvD+iEEJRX3qsTlAn6th6dniRORJggnVLB
K4ONTeP4US7GSGTtOD+hwoyoR4zNQKT2Hn/WryoF7LdAXMwf1aNJJJ7YPz1YdSnU
fxXscbOMlXuZ4ouawIVGeYeH85lmOh7aBy5MWsYq/vNC+2pVzVEkRfc6jug1UbdG
hncWxfU92Q47lVuqtc4HPINynD2Q8rBlYrKsEbPqtLyCnBGM/T0Srzztj+IjXUD1
SdbVLmxascquwnIyv2w55vjwJv5dKjLBmrDiY0Doc9YYCGi6cz1p9tsE+G+uRg0r
hGuFXldsYEkoQcJ4iWjsYiqcwWWFfkN+A0rYXqqcDY+aqAy+jXkhyzfmUp3KBz9j
CjR1+7KcmKvNXtjn8V+iv2Nwf+qc2YzBNkBWlwHhxIz6L8F3k3OkqnZUqPKCW2Ga
CNMcIYx3+Gde3aXpHXg4OFALV7y23N8A2h97VOqnnrnED46C39shkA8iiMNdH9mz
87TWgw+wPLbWXJO7G5nJL0qciLV/Eo6atSof3FUx/4WX4fmYeg1Rdy0KgTC1NRGn
VT/YnlBrNW3f7fdhk/YhHbcT9vCg9/Nm3hmzQX/FBP085SgeEA+ebNMzQwPmqcfb
jGpMPdhD7iLmKPwQL3RFTVODjUyzsgJ6kz83aQd80qPClopqp4NFMLwATVpbN858
d4Q0QQGrCRqu2SYaYmVhGo37BJXKE11y0JzWXOhiVLD0I9fBoHDmsKHN4Aw3lbVE
/n+B0Qa1bIMGfXP7J4r7/+4trQCGi7ngVfhtygtg6j/HcoXDy9y15zrHZqKerWd6
6ApM1caan4T0FjqlqTOQsN5GmB9sBCu02VQ1QF3Z4FVA9oW+pkNFxAeKIddG1yLM
5L1ePDgEYjik6vM1lE/65c7fNaO8dndMau4reUnPbTFqKsTA46uUaMyOV6S7nsys
kHGcAXLEzvbC8ojK1Pg5Llok6f8YN+H7cP6vE1yCfx3oU3GdWV36AgBWLON8+Wwc
icoyqfW6E2I0xz5nlHoea/7szCNBI4wZmRI+GRcRgegQvG06QvdXNzjqdezbb4ba
EXRnMddmfjFSihlUhsKxLhCmbaJk5mG2oGLHQcOurvOUPh/qgRBfUf3PTntuUoa0
0+tGGaLYibDNb5eXQ39Bsjzm8BWG/dSK/Qq7UU4Bk2bTKikWQLazPAy482BsZpWI
mXt8ISmJqldgdrtnVvG3zoQBQpspZ6HTojheNazfD4zzvduQguOcKrCNICxoSRgA
egRER+uxaLqNGz+6H+9sl7FYWalMa+VzjrEDU7PeZNgOj9PxLdKbstQLQxC/Zq6+
7kYu2pHwqP2HcXmdJ9xYnptwkuqh5WGR82Zk+JkKwUBEQJmbVxjqWLjCV/CDA06z
6VvrfrPo3xt/CoZkH66qcm9LCTcM3DsLs3UT4B7aH5wk4l5MmpVI4/mx2Dlv0Mkv
-----END RSA PRIVATE KEY-----
⬢ .ssh
可惜不知道是哪个用户的
2.2.2 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.3 25端口分析
⬢ TORMENT enum4linux 192.168.9.53 | tee torment.txt Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 24 15:03:13 2022 ========================== | Target Information | ========================== Target ........... 192.168.9.53 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ==================================================== | Enumerating Workgroup/Domain on 192.168.9.53 | ==================================================== [+] Got domain/workgroup name: WORKGROUP ============================================ | Nbtstat Information for 192.168.9.53 | ============================================ Looking up status of 192.168.9.53 TORMENT <00> - B <ACTIVE> Workstation Service TORMENT <03> - B <ACTIVE> Messenger Service TORMENT <20> - B <ACTIVE> File Server Service ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name WORKGROUP <1d> - B <ACTIVE> Master Browser WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections MAC Address = 00-00-00-00-00-00 ==============