OS Bytesec
Author: jason huawen
Target Machine Information
Name: hackNos: Os-Bytesec
URL:
https://www.vulnhub.com/entry/hacknos-os-bytesec,393/
Identifying the Target Host's IP Address
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:60:36:cf 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:31:66:d4 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.
NMAP Scan
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 22:14 EDT
Nmap scan report for bogon (192.168.56.254)
Host is up (0.00027s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12554f1ee97eea8769901c1fb0633ff3 (RSA)
| 256 a670f10edf4e737d7142d644f12f24d2 (ECDSA)
|_ 256 f0f8fd24650734c2d49a1fc0b82ed83a (ED25519)
MAC Address: 08:00:27:31:66:D4 (Oracle VirtualBox virtual NIC)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: 0s
| smb2-time:
| date: 2023-03-26T02:14:37
|_ start_date: N/A
|_nbstat: NetBIOS name: NITIN, NetBIOS user: , NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nitin
| NetBIOS computer name: NITIN\x00
| Domain name: 168.1.7
| FQDN: nitin.168.1.7
|_ System time: 2023-03-26T07:44:37+05:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.91 seconds
Getting a Shell
Start by gathering information over the SMB protocol:
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ smbclient -L 192.168.56.254
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (nitin server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP NITIN
┌──(kali㉿kali)-[~/Vulnhub/OS_Bytesec]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)
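The enum4linux tool identifies the usernames sagar, blackjax, and smb.
Browsing to port 80 with the Kali Linux browser, the source of the returned page contains the following comment: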
Copyright © All rights reserved | This template is made with James/Hacker by James