Vulnhub lab walkthrough no. 306: Empire: LupinOne
Empire: LupinOne is an easy-to-medium Vulnhub machine designed jointly by icex64 and Empire Cybersecurity. The lab is aimed at experienced CTF players who want to test their skills. Enumeration is the key, so let's start by breaking the problem down into manageable pieces.
1. Network scanning
1.1 First, scan the local network with netdiscover to find the victim machine's IP address.
┌──(root㉿kali)-[~]
└─# netdiscover
Currently scanning: 192.168.28.0/16 | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 5 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.2.1 5e:ec:47:29:ea:18 2 120 Unknown vendor
192.168.2.127 f0:2f:74:1a:39:e7 1 60 ASUSTek COMPUTER INC.
192.168.2.129 54:05:db:05:79:fd 1 60 LCFC(Hefei) Electronics T
192.168.2.173 08:00:27:0c:16:f8 1 60 PCS Systemtechnik GmbH
192.168.2.243 d0:11:e5:77:95:09 1 60 Apple, Inc.
The 08:00:27 MAC prefix (PCS Systemtechnik GmbH) is the one VirtualBox assigns to its virtual NICs, so the target is 192.168.2.173; the other entries are physical devices on the same LAN.
1.2 Next we point Nmap at the host, with default scripts (-sC) and version detection (-sV):
┌──(root㉿kali)-[~]
└─# nmap -sC -sV 192.168.2.173
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-24 02:00 EDT
Nmap scan report for LupinOne.lan (192.168.2.173)
Host is up (0.00032s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
| 256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
|_ 256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/~myfiles
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.48 (Debian)
MAC Address: 08:00:27:0C:16:F8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds
From the Nmap output we have:
An SSH server (OpenSSH 8.4p1, Debian) on port 22.
An HTTP service (Apache 2.4.48) on port 80, whose robots.txt carries a single Disallow entry: /~myfiles. The tilde prefix is the convention of Apache's mod_userdir, which maps /~name to a user's public web directory, so the entry hints at both a hidden directory and a name to go hunting with.
2. Enumeration
2.1 We began enumeration by requesting the /~myfiles path listed in robots.txt. It answered with a 404, but not Apache's stock error page, which is suspicious in itself: somebody took the trouble to write a custom one.
http://192.168.2.173/~myfiles/
Viewing the page source revealed an HTML comment: "Your can do it, keep trying."
view-source:http://192.168.2.173/~myfiles/
<!DOCTYPE html>
<html>
<head>
<title>Error 404</title>
</head>
<body>
<h1>Error 404</h1>
</body>
</html>
<!-- Your can do it, keep trying. -->
2.2 So we fell back on fuzzing to pry more information out of this path. Because /~myfiles looks like a mod_userdir path, we fuzz the name after the tilde rather than a subdirectory under it. Using ffuf with the SecLists common.txt wordlist, we got one hit: a directory called secret.
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.2.173/~FUZZ'
The wordlist comes from the seclists package; on this Kali install it was missing, so it had to be installed first:
┌──(root㉿kali)-[~]
└─# ls -lh /usr/share/seclists/
ls: cannot access '/usr/share/seclists/': No such file or directory
┌──(root㉿kali)-[~]
└─# apt -y install seclists
Installing:
seclists
Summary:
Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 191
Download size: 533 MB
Space needed: 1,816 MB / 61.8 GB available
Get:1 http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling/main amd64 seclists all 2025.1-0kali1 [533 MB]
Fetched 533 MB in 15s (34.5 MB/s)
Selecting previously unselected package seclists.
(Reading database ... 411568 files and directories currently installed.)
Preparing to unpack .../seclists_2025.1-0kali1_all.deb ...
Unpacking seclists (2025.1-0kali1) ...
Setting up seclists (2025.1-0kali1) ...
Processing triggers for kali-menu (2025.2.3) ...
Processing triggers for wordlists (2023.2.0) ...
┌──(root㉿kali)-[~]
└─# ls -lh /usr/share/seclists/
total 36K
drwxr-xr-x 9 root root 4.0K May 24 02:17 Discovery
drwxr-xr-x 10 root root 4.0K May 24 02:19 Fuzzing
drwxr-xr-x 9 root root 4.0K May 24 02:19 Miscellaneous
drwxr-xr-x 16 root root 4.0K May 24 02:19 Passwords
drwxr-xr-x 3 root root 4.0K May 24 02:19 Pattern-Matching
drwxr-xr-x 8 root root 4.0K May 24 02:19 Payloads
-rw-r--r-- 1 root root 2.7K Feb 22 03:13 README.md
drwxr-xr-x 4 root root 4.0K May 24 02:19 Usernames
drwxr-xr-x 10 root root 4.0K May 24 02:19 Web-Shells
┌──(root㉿kali)-[~]
└─# tree -d /usr/share/seclists/
/usr/share/seclists/
├── Discovery
│ ├── DNS
│ ├── File-System
│ ├── Infrastructure
│ ├── Mainframe
│ ├── SNMP
│ ├── Variables
│ └── Web-Content
│ ├── api
│ ├── BurpSuite-ParamMiner
│ ├── CMS
│ │ └── trickest-cms-wordlist
│ ├── Domino-Hunter
│ ├── dutch
│ │ └── new
│ ├── File-Extensions-Universal-SVNDigger-Project
│ │ ├── cat
│ │ │ ├── Conf
│ │ │ ├── Database
│ │ │ ├── Language
│ │ │ └── Project
│ │ └── context
│ ├── LEGACY-SERVICES
│ │ └── CGIs
│ ├── Programming-Language-Specific
│ │ └── ASP.NET
│ ├── Service-Specific
│ ├── trickest-robots-disallowed-wordlists
│ ├── URLs
│ └── Web-Servers
├── Fuzzing
│ ├── 403
│ ├── Amounts
│ ├── Databases
│ ├── LFI
│ ├── Polyglots
│ ├── SQLi
│ ├── User-Agents
│ │ ├── hardware-type-specific
│ │ ├── layout-engine-name
│ │ ├── operating-platform
│ │ ├── operating-system-name
│ │ ├── software-name
│ │ └── software-type-specific
│ └── XSS
│ ├── human-friendly
│ └── robot-friendly
├── Miscellaneous
│ ├── Danish-Wordlists-n0kovo
│ ├── EFF-Dice
│ ├── List-Of-Swear-Words
│ ├── Moby-Project
│ │ ├── Moby-Language-II
│ │ ├── Moby-Thesaurus-II
│ │ └── Moby-Words-II
│ ├── Security-Question-Answers
│ │ ├── us-colleges
│ │ ├── us-private-schools
│ │ └── us-public-schools
│ ├── Source-Code
│ │ └── c-linux
│ └── Web
│ └── http-request-headers
├── Passwords
│ ├── Books
│ ├── Common-Credentials
│ │ └── Language-Specific
│ ├── Cracked-Hashes
│ ├── Default-Credentials
│ │ └── Routers
│ ├── Honeypot-Captures
│ ├── Keyboard-Walks
│ ├── Leaked-Databases
│ ├── Malware
│ ├── Permutations
│ ├── PHP-Hashes
│ │ ├── Floating-Comp
│ │ ├── Plaintext
│ │ ├── Pre-Hashed
│ │ └── Truncated
│ ├── Pwdb-Public
│ │ ├── Frequent-Passwords
│ │ └── Wordlists
│ │ └── Language-Specifics
│ ├── Software
│ ├── WiFi-WPA
│ └── Wikipedia
├── Pattern-Matching
│ └── Source-Code-(PHP)
├── Payloads
│ ├── Anti-Virus
│ ├── File-Names
│ │ ├── exec
│ │ └── null-byte
│ ├── Flash
│ ├── Images
│ ├── Zip-Bombs
│ └── Zip-Traversal
├── Usernames
│ ├── Honeypot-Captures
│ └── Names
└── Web-Shells
├── CFM
├── FuzzDB
├── JSP
├── laudanum-1.0
│ ├── asp
│ ├── aspx
│ ├── cfm
│ ├── jsp
│ │ └── warfiles
│ │ ├── META-INF
│ │ └── WEB-INF
│ ├── php
│ └── wordpress
│ └── templates
├── Magento
├── PHP
├── Vtiger
│ ├── languages
│ │ └── en_us
│ │ └── Settings
│ ├── modules
│ │ └── VtigerVulnPlugin
│ │ └── actions
│ └── settings
│ └── actions
└── WordPress
129 directories
┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.2.173/~FUZZ'
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.2.173/~FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
secret [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 1ms]
:: Progress: [4744/4744] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00]
Only one of the 4744 words produced a hit: secret, answered with a 301. That is Apache redirecting /~secret to /~secret/ because the path is a directory, so http://192.168.2.173/~secret/ is where enumeration continues. Note that ffuf's default matcher keys on status code only: a page like /~myfiles, which is a 404 with a custom body, never shows up in such a run. To catch those as well, match everything and filter on the baseline size instead (-mc all -fs <size of a known-bad 404>), or let ffuf work out the baseline itself with -ac.
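As an added example (not from the original walkthrough), here is the same userdir enumeration reimplemented with only the Python standard library, so the matching logic is explicit: it calibrates against a name that cannot exist, refuses to follow redirects (like ffuf's default), and, unlike ffuf's status-only matcher, also flags 404 responses whose size differs from the baseline. The response triples at the bottom are constructed for offline use, not captured from the VM; sizes are made up.

```python
# Added example, not from the original walkthrough: a small userdir fuzzer
# (GET /~name for each word) with the matching logic separated out.
import random
import string
import sys
import urllib.error
import urllib.request

# ffuf's default matcher, as shown in the ":: Matcher" line of its output.
MATCH_STATUS = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it (ffuf: Follow redirects : false)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def probe(base_url, name, timeout=5):
    """GET /~name and return (status, body_size); non-2xx arrive as HTTPError."""
    url = f"{base_url.rstrip('/')}/~{name}"
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def classify(results, baseline_size):
    """Pick the (name, status, size) triples that deserve a look.

    'status'  : matched the way ffuf does above.
    'odd-404' : a 404 whose body size differs from the calibration baseline;
                this is what would have surfaced the custom /~myfiles page.
    """
    hits = []
    for name, status, size in results:
        if status in MATCH_STATUS:
            hits.append((name, status, size, "status"))
        elif status == 404 and size != baseline_size:
            hits.append((name, status, size, "odd-404"))
    return hits


def fuzz(base_url, names):
    """Calibrate with a random name that cannot exist, then probe every candidate."""
    canary = "".join(random.choices(string.ascii_lowercase, k=12))
    _, baseline = probe(base_url, canary)
    results = [(n,) + probe(base_url, n) for n in names]
    return classify(results, baseline)


# Constructed sample in the shape probe() returns, with a baseline 404 of 142 bytes.
SAMPLE_RESULTS = [
    ("admin", 404, 142),
    ("myfiles", 404, 185),   # same status as the baseline, different body
    ("secret", 301, 316),    # the hit ffuf reported above
    ("www", 404, 142),
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} http://TARGET /path/to/wordlist", file=sys.stderr)
        sys.exit(1)
    with open(sys.argv[2]) as fh:
        words = [w.strip() for w in fh if w.strip() and not w.startswith("#")]
    for name, status, size, why in fuzz(sys.argv[1], words):
        print(f"~{name:<20} {status} {size:>6}  ({why})")
```

Against the lab it is invoked as `python3 userdir_fuzz.py http://192.168.2.173 /usr/share/seclists/Discovery/Web-Content/common.txt` (the script name is an assumption). The single-threaded loop is slower than ffuf's 40 threads, which is the point of using ffuf; the value here is seeing why the custom 404 would be missed by a status-only matcher and how a size baseline recovers it.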