Reconnaissance
nmap reconnaissance
nmap -sC -sV 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-26 16:22 CST
Nmap scan report for 10.10.10.43
Host is up (0.36s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.66 seconds
Ports 80 and 443 are open. The TLS certificate on 443 gives away a virtual hostname, nineveh.htb (the commonName in the ssl-cert output), which is worth adding to /etc/hosts; the certificate also expired in 2018.
Port 80 reconnaissance
Note: starting with this box I have decided to switch from dirsearch to gobuster from now on.
gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.43
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/26 16:27:29 Starting gobuster in directory enumeration mode
===============================================================
/info.php (Status: 200) [Size: 83695]
/department (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
Two interesting paths turned up:
info.php is a phpinfo() page, which discloses the PHP version, loaded extensions and ini settings; worth saving a copy for later.
/department is a login page.
Port 443
Scan it directly with gobuster as well; -k skips TLS certificate verification, which is needed because the certificate has expired.
gobuster dir -k -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.43
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/26 16:35:34 Starting gobuster in directory enumeration mode
===============================================================
/db (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/server-status (Status: 403) [Size: 300]
/secure_notes (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]
Three interesting paths. /server-status is the Apache mod_status page and returns 403 here, so /db and /secure_notes are the ones to look at.
Virtual host reconnaissance
The idea here comes from 0xdf; I did not notice this at all myself, and only found it later when reorganizing my notes and reading his walkthrough. I still can't understand what this --hh is.
root@kali# wfuzz -c -u http://10.10.10.43/ -H "Host: FUZZ.nineveh.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 178
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.43/
Total requests: 100000
===================================================================
ID Response Lines Word Chars Payload
===================================================================
Total time: 206.0595
Processed Requests: 100000
Filtered Requests: 100000
Requests/sec.: 485.2965
Getting www-data access
Method 1
Port 80
Note the responses for the two usernames: the login validates the username and the password separately, which means we can brute-force valid usernames on their own before touching passwords.
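Both the wfuzz run above and the login behaviour just described are the same trick: vary one input, measure the response, and flag anything that differs from a known-bad baseline. In the wfuzz command, --hh 178 hides every response whose body is 178 characters long, 178 being the size the default site returns for a Host name that does not exist; the run above filtered all 100000 requests, so no subdomain produced a different page. The script below is an added example and not the author's code: it spins up a constructed local stand-in for the target (the admin.nineveh.htb vhost, the `username`/`password` field names, the "Invalid Username"/"Invalid Password" messages and the credentials are all assumptions, not what the real box returns) and runs both probes against it, a Host-header vhost fuzz with a size baseline and a username enumeration with a response baseline.

```python
"""Added example: two response-diffing probes, vhost fuzzing by Host header and
username enumeration through a login error oracle, run against a constructed
local stand-in for the target. Not the author's own code."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the target (assumption, not the real box): a default
# site, one name-based virtual host, and a login form that checks the username
# before it checks the password and says which one was wrong.
DEFAULT_PAGE = b"<html><body><p>nothing to see here</p></body></html>"
VHOSTS = {"admin.nineveh.htb": b"<html><body><h1>admin panel</h1></body></html>"}
USERS = {"admin": "s3cret-password"}


class StandInHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, body, status=200):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Name-based vhost: unknown Host names fall back to the default site,
        # which is what makes the response size a usable signal.
        host = self.headers.get("Host", "").split(":")[0]
        self._reply(VHOSTS.get(host, DEFAULT_PAGE))

    def do_POST(self):
        if self.path != "/department/login.php":
            self._reply(b"not found", 404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if user not in USERS:
            self._reply(b"Invalid Username")  # the oracle: differs from the line below
        elif USERS[user] != password:
            self._reply(b"Invalid Password")
        else:
            self._reply(b"Welcome")


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, method, path, headers=None, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def fuzz_vhosts(port, domain, words):
    """What `wfuzz -H 'Host: FUZZ.domain' --hh N` does: request a Host that cannot
    exist to learn the default response size N, then report every candidate
    whose response size differs from it."""
    _, baseline = fetch(port, "GET", "/", {"Host": f"no-such-vhost-9f3a.{domain}"})
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        _, body = fetch(port, "GET", "/", {"Host": host})
        if len(body) != len(baseline):
            hits.append(host)
    return hits


def enumerate_users(port, candidates, path="/department/login.php"):
    """Username enumeration: the reply for a username that cannot exist is the
    baseline; any candidate that gets a different reply is a valid account.
    The field names username/password are assumptions."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    def attempt(user):
        _, body = fetch(port, "POST", path, headers,
                        urlencode({"username": user, "password": "wrong"}))
        return body

    baseline = attempt("no-such-user-9f3a")
    return [user for user in candidates if attempt(user) != baseline]


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    print("vhosts:", fuzz_vhosts(port, "nineveh.htb", ["www", "admin", "mail"]))
    print("users:", enumerate_users(port, ["guest", "admin", "root"]))
    server.shutdown()
```

Against a real target, the baseline must be re-measured per run (and ideally sampled twice to rule out dynamic content such as timestamps or CSRF tokens that would make every response look different), and the comparison can be widened from exact length to length plus status code, which is what wfuzz's --hh/--hc filters let you combine.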