【TryHackMe】 Backtrack靶机

now look this！还没更新完，有空就会更新！

端口目录扫描

CVE-2023-39141

我们用openvpn链接，然后进行练习。

端口目录扫描

先扫描一下主机端口，这是我们进攻的入口。

┌──(root㉿kali)-[~]
└─# nmap 10.10.233.221 -sS -sV -A
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-15 13:12 UTC
Nmap scan report for ip-10-10-233-221.eu-west-1.compute.internal (10.10.233.221)
Host is up (0.00048s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 55415a65e3d8c24f59a168b6798ae3fb (RSA)
|   256 798a1264cc5cd2b738dd4f07764f92e2 (ECDSA)
|_  256 cee228015f0f6a77df1e0a79df9a5447 (ED25519)
8080/tcp open  http            Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open  sun-answerbook?
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Fri, 15 Nov 2024 13:12:42 GMT
|     Connection: close
|     <!doctype html>
|     <html>
|     <!-- {{{ head -->
|     <head>
|     <link rel="icon" href="../favicon.ico" />
|     <meta charset="utf-8">
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <meta name="theme-color" content="#0A8476">
|     <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
|     <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
|     <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
|     <!-- }}} -->
|     <body ng-controller="MainCtrl" ng-cloak>
|     <!-- {{{ Icons -->
|_    <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.93%I=7%D=11/15%Time=673748CA%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,F580,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\r\
SF:nDate:\x20Fri,\x2015\x20Nov\x202024\x2013:12:42\x20GMT\r\nConnection:\x
SF:20close\r\n\r\n<!doctype\x20html>\n<html>\n\n<!--\x20{{{\x20head\x20-->
SF:\n<head>\n\x20\x20<link\x20rel=\"icon\"\x20href=\"\.\./favicon\.ico\"\x
SF:20/>\n\n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<meta\x20http-equi
SF:v=\"X-UA-Compatible\"\x20content=\"IE=edge,chrome=1\">\n\x20\x20<meta\x
SF:20name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1
SF:\.0\">\n\x20\x20<meta\x20name=\"theme-color\"\x20content=\"#0A8476\">\n
SF:\n\x20\x20<title\x20ng-bind=\"\$root\.pageTitle\">Aria2\x20WebUI</title
SF:>\n\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/css\"\x20href=\
SF:"https://fonts\.googleapis\.com/css\?family=Lato:400,700\">\n\n<link\x2
SF:0href=\"app\.css\"\x20rel=\"stylesheet\"><script\x20type=\"text/javascr
SF:ipt\"\x20src=\"vendor\.js\"></script><script\x20type=\"text/javascript\
SF:"\x20src=\"app\.js\"></script></head>\n<!--\x20}}}\x20-->\n\n<body\x20n
SF:g-controller=\"MainCtrl\"\x20ng-cloak>\n\n<!--\x20{{{\x20Icons\x20-->\n
SF:<svg\x20aria-hidden=\"true\"\x20style=\"position:\x20absolute;\x20width
SF::\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20version=\"1\.1\"\
SF:x20xm")%r(HTTPOptions,F580,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20
SF:text/html\r\nDate:\x20Fri,\x2015\x20Nov\x202024\x2013:12:42\x20GMT\r\nC
SF:onnection:\x20close\r\n\r\n<!doctype\x20html>\n<html>\n\n<!--\x20{{{\x2
SF:0head\x20-->\n<head>\n\x20\x20<link\x20rel=\"icon\"\x20href=\"\.\./favi
SF:con\.ico\"\x20/>\n\n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<meta\
SF:x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=edge,chrome=1\">\n\x2
SF:0\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20ini
SF:tial-scale=1\.0\">\n\x20\x20<meta\x20name=\"theme-color\"\x20content=\"
SF:#0A8476\">\n\n\x20\x20<title\x20ng-bind=\"\$root\.pageTitle\">Aria2\x20
SF:WebUI</title>\n\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/css
SF:\"\x20href=\"https://fonts\.googleapis\.com/css\?family=Lato:400,700\">
SF:\n\n<link\x20href=\"app\.css\"\x20rel=\"stylesheet\"><script\x20type=\"
SF:text/javascript\"\x20src=\"vendor\.js\"></script><script\x20type=\"text
SF:/javascript\"\x20src=\"app\.js\"></script></head>\n<!--\x20}}}\x20-->\n
SF:\n<body\x20ng-controller=\"MainCtrl\"\x20ng-cloak>\n\n<!--\x20{{{\x20Ic
SF:ons\x20-->\n<svg\x20aria-hidden=\"true\"\x20style=\"position:\x20absolu
SF:te;\x20width:\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20versi
SF:on=\"1\.1\"\x20xm");
MAC Address: 02:06:17:E4:4C:B1 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=11/15%OT=22%CT=1%CU=43058%PV=Y%DS=1%DC=D%G=Y%M=020617%
OS:TM=673748DB%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=
OS:I%TS=A)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11
OS:NW7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=
OS:F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%
OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms ip-10-10-233-221.eu-west-1.compute.internal (10.10.233.221)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.45 seconds