Cengbox 2
Identifying the Target Host's IP Address
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:ea:c7:5b 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:ee:62:de 1 60 PCS Systemtechnik GmbH
Nmap Scan
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 20:09 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.253
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
| 256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_ 256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site Maintenance
MAC Address: 08:00:27:EE:62:DE (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
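Added example, not part of the original write-up: a defender-side Python check that reads nmap -oN output like the scan above and reports the FTP exposure it shows (anonymous login, plaintext control channel, files readable without credentials). The function name audit_ftp and the embedded sample are constructed for this illustration.

```python
import re

# Constructed sample: a trimmed copy of the nmap -oN output shown above.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| Control connection is plain text
| Data connections will be plain text
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# ls-style line inside script output: mode, links, uid, gid, size, 3 date fields, name
LISTING_RE = re.compile(
    r"^\|[_ ]?\s*([-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

def audit_ftp(nmap_text):
    """Return (port, finding) tuples describing FTP exposure in nmap -oN text."""
    findings, port, service, anon = [], None, None, False
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port row resets the per-service state
            port, service, anon = int(m.group(1)), m.group(3), False
            continue
        if service != "ftp" or not line.startswith("|"):
            continue  # only script output under an FTP port is of interest
        if "Anonymous FTP login allowed" in line:
            anon = True
            findings.append((port, "anonymous login allowed"))
        elif "Control connection is plain text" in line:
            findings.append((port, "control channel unencrypted"))
        elif anon:  # listing lines that follow the ftp-anon header
            f = LISTING_RE.match(line)
            if f:
                perms, size, name = f.group(1), int(f.group(2)), f.group(3)
                findings.append((port, f"anonymous-readable file: {name} ({size} bytes)"))
                if perms[8] == "w":  # "other" write bit set
                    findings.append((port, f"world-writable entry: {name}"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_ftp(SAMPLE):
        print(f"{port}/tcp: {finding}")
```

On vsftpd, anonymous access is governed by the anonymous_enable option in vsftpd.conf; setting it to NO removes the first and third findings.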
Getting a Shell
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.3)
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||56112|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 119 4096 May 23 2020 .
drwxr-xr-x 2 0 119 4096 May 23 2020 ..
-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||5618|)
150 Opening BINARY mode data connection for note.txt (209 bytes).
100% |****************************************************************************************************************| 209 488.28 KiB/s 00:00 ETA
226 Transfer complete.
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat note.txt
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.
I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.
Aaron
Domain: ceng-company.vm
Possible usernames: kevin, aaron
Other: kevin's password is probably weak
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ curl http://192.168.56.254
<!doctype html>
<title>Site Maintenance</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<article>
<h1>Site Maintenance</h1>
<div>
<p>Sorry, We don't serve yet. You can check later the site. Regards </p> <p>— Ceng Company Team</p>
</div>
</article>
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
