Environment setup:

Attacker: VMware (Kali [192.168.10.13]), network: bridged + NAT

Target: VBox [192.168.10.9]

Identifying the target address

arp-scan -l  # or netdiscover, or nmap -sn 192.168.10.0/24

nmap scan

nmap -sS -p- 192.168.10.9 -oA nmap_res/port_scan
# Nmap 7.93 scan initiated Sun Jul 23 21:23:23 2023 as: nmap -sS -p- -oA namp_res/port_scan 192.168.10.3
Nmap scan report for 192.168.10.3 (192.168.10.3)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:BF:FB:69 (Oracle VirtualBox virtual NIC)

# Nmap done at Sun Jul 23 21:23:24 2023 -- 1 IP address (1 host up) scanned in 1.18 seconds

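Open ports: 22, 80

Directory scan

gobuster dir -u http://192.168.10.9 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,zip,html,htm

Nothing useful.

Visiting http://192.168.10.9 shows a login page; the "universal password" login bypass does not work.

A web search for GLPI gives the default credentials glpi / glpi, which log in to the back end successfully.

A subdomain turns up at http://192.168.10.9/front/ticket.form.php?id=6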

Add it to /etc/hosts

192.168.10.9    stardust.hmv     intranetik.stardust.hmv

Visiting http://intranetik.stardust.hmv shows a file upload page.
