Vulnhub machine: Empire Breakout walkthrough (without privilege escalation)
阿新 • Published: 2022-04-14
First, scan the target to see which ports are open:
# nmap -sV -A -sC -p- 192.168.140.164
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-14 00:16 EDT
Nmap scan report for 192.168.140.164
Host is up (0.0012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
MAC Address: 00:0C:29:26:7A:D8 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-04-14T04:17:00
|_  start_date: N/A
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   1.24 ms 192.168.140.164

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.48 seconds
The scan shows an HTTP service, Webmin services on the high ports (10000 and 20000), and a Samba service.
Visiting ports 80 and 10000 in turn: port 80 serves only the default page, while port 10000, the web administration interface, asks for a username and password.
The port 80 page has little content of its own, but its page source contains the following:
<!-- don't worry no one will get here, it's safe to share with you my access. Its encrypted :) ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++. -->
This looks like an encoded string. A quick search shows that it is Brainfuck:
Brainfuck is a minimalist programming language created by Urban Müller in 1993. Because "fuck" is a swear word in English, the language is sometimes written brainf*ck or brainf**k, or simply abbreviated to BF. Ook is similar to Brainfuck and likewise works by substitution. Characteristics: Brainfuck uses eight symbols, > < + - . , [ ], in place of the various statements and commands of C. For example: +++++++++++++++++.>+++++++++++++++++++++++++++++++++++++++++
Decoding it at https://www.splitbrain.org/services/ook gives: .2uqPEfj3D<P'a-3. This is probably a password of some kind, but we do not yet have a username, so we try enum4linux:
# enum4linux 192.168.140.164 -a
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr 14 00:32:55 2022

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.140.164
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =======================================================
|    Enumerating Workgroup/Domain on 192.168.140.164    |
 =======================================================
[+] Got domain/workgroup name: WORKGROUP

 ===============================================
|    Nbtstat Information for 192.168.140.164    |
 ===============================================
Looking up status of 192.168.140.164
        BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
        BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
        BREAKOUT        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ========================================
|    Session Check on 192.168.140.164    |
 ========================================
[+] Server 192.168.140.164 allows sessions using username '', password ''

 ==============================================
|    Getting domain SID for 192.168.140.164    |
 ==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =========================================
|    OS information on 192.168.140.164    |
 =========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.140.164 from smbclient:
[+] Got OS info for 192.168.140.164 from srvinfo:
        BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ================================
|    Users on 192.168.140.164    |
 ================================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ============================================
|    Share Enumeration on 192.168.140.164    |
 ============================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.140.164
//192.168.140.164/print$        Mapping: DENIED, Listing: N/A
//192.168.140.164/IPC$  [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =======================================================
|    Password Policy Information for 192.168.140.164    |
 =======================================================
[+] Attaching to 192.168.140.164 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
        [+] BREAKOUT
        [+] Builtin
[+] Password Info for Domain: BREAKOUT
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

 =================================
|    Groups on 192.168.140.164    |
 =================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ==========================================================================
|    Users on 192.168.140.164 via RID cycling (RIDS: 500-550,1000-1050)    |
 ==========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-502 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-503 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-504 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-505 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-506 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-507 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-508 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-509 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-510 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-511 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-512 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
S-1-5-21-1683874020-4104641535-3793993001-514 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-515 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-516 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-517 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-518 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-519 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-520 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-521 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-522 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-523 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-524 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-525 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-526 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-527 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-528 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-529 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-530 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-531 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-532 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-533 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-534 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-535 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-536 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-537 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-538 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-539 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-540 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-541 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-542 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-543 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-544 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-545 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-546 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-547 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-548 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-549 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-550 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1000 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1001 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1002 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1003 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1004 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1005 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1006 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1007 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1008 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1009 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1010 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1011 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1012 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1013 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1014 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1015 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1016 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1017 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1018 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1019 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1020 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1021 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1022 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1023 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1024 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1025 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1026 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1027 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1028 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1029 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1030 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1031 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1032 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1033 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1034 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1035 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1036 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1037 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1038 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1039 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1040 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1041 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1042 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1043 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1044 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1045 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1046 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1047 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1048 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1049 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)

 ================================================
|    Getting printer info for 192.168.140.164    |
The RID cycling reveals the username cyber. Using that username together with the password decoded above, we try logging in to Webmin: the login on port 10000 fails, but port 20000 succeeds.
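Picking the one real account out of a few hundred lines of RID-cycling output by eye is error-prone. The following is an added example (not code from the original walkthrough) that parses enum4linux text and reports the facts a reviewer cares about: whether the server accepts a null session, the advertised minimum password length, and which resolved names are genuine local Unix accounts rather than built-in groups or Samba's nobody placeholder. The sample lines are copied from the run above; the function names and the result layout are this example's own assumptions.

```python
import re

# Added example (not code from the original walkthrough): a parser for the
# session-check, password-policy and RID-cycling lines of enum4linux output.

# Matches lines such as "S-1-5-32-544 BUILTIN\Administrators (Local Group)".
_SID_LINE = re.compile(r"^(S-1-[\d-]+)\s+([^\\]+)\\(.+?)\s+\(([^)]+)\)\s*$")
_NULL_SESSION = re.compile(r"allows sessions using username '', password ''")
_MIN_PW_LEN = re.compile(r"minimum password length:\s*(\d+)", re.I)

# Samba exposes local Unix accounts under the S-1-22-1 authority (S-1-22-1-<uid>).
UNIX_USERS_AUTHORITY = "S-1-22-1-"


def parse_enum4linux(text: str) -> dict:
    """Collect the security-relevant findings from an enum4linux run."""
    findings = {"null_session": False, "min_password_length": None, "accounts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if _NULL_SESSION.search(line):
            findings["null_session"] = True      # anonymous SMB sessions are accepted
            continue
        m = _MIN_PW_LEN.search(line)
        if m:
            findings["min_password_length"] = int(m.group(1))
            continue
        m = _SID_LINE.match(line)
        if not m:
            continue
        sid, domain, name, kind = m.groups()
        if name == "*unknown*":                 # RID in range, but nothing behind it
            continue
        findings["accounts"].append(
            {"sid": sid, "domain": domain, "name": name, "kind": kind}
        )
    return findings


def unix_users(findings: dict) -> list[str]:
    """Names of genuine local Unix accounts (not groups, not the nobody placeholder)."""
    return [
        a["name"]
        for a in findings["accounts"]
        if a["kind"] == "Local User" and a["sid"].startswith(UNIX_USERS_AUTHORITY)
    ]


# Constructed sample: a handful of lines copied from the enum4linux run above.
SAMPLE_OUTPUT = r"""
[+] Server 192.168.140.164 allows sessions using username '', password ''
        [+] Minimum password length: 5
        [+] Password Complexity Flags: 000000
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
"""

if __name__ == "__main__":
    found = parse_enum4linux(SAMPLE_OUTPUT)
    print("null session accepted:", found["null_session"])
    print("minimum password length:", found["min_password_length"])
    print("local Unix users:", unix_users(found))
```

From a hardening point of view the first two findings matter as much as the username: a server that accepts null sessions hands out this account list to anyone on the network, so restricting anonymous access (Samba's `restrict anonymous` and `map to guest` settings) removes the enumeration step entirely, and a five-character minimum with complexity disabled is what makes a password hidden in a web page plausible in the first place.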
At the bottom of the page (to the left of "Cyber"; look carefully) there is a command_shell function, which yields the user flag: 3mp!r3{You_Manage_To_Break_To_My_Secure_Access}