首先打开靶机:
https://buuoj.cn/challenges#Linux%20Labs
使用xshell7连接ssh:
首先确认版本和剩余内存,以及apt的镜像源(可以发现是阿里云的镜像源)
root@out:/tmp# cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
root@out:/tmp# free -m
total used free shared buff/cache available
Mem: 256 75 61 8 119 180
Swap: 0 0 0
root@out:/tmp#
root@out:/tmp# cat /etc/apt/sources.list|grep -v "^#"
deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb http://mirrors.aliyun.com/ubuntu/ xenial universe
deb-src http://mirrors.aliyun.com/ubuntu/ xenial universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ xenial-security main restricted
deb-src http://security.ubuntu.com/ubuntu/ xenial-security main restricted
deb http://security.ubuntu.com/ubuntu/ xenial-security universe
deb-src http://security.ubuntu.com/ubuntu/ xenial-security universe
deb http://security.ubuntu.com/ubuntu/ xenial-security multiverse
deb-src http://security.ubuntu.com/ubuntu/ xenial-security multiverse
root@out:/tmp#
输入如下命令安装xrdp:
export LANG=en_US.UTF-8
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
apt-get update;
apt install -y x11-common xserver-xorg-core x11-xserver-utils;
apt install -y xinit xterm;
apt install -y xrdp;
dpkg -L xrdp |grep ini
dpkg -L xrdp |grep -E "rsakeys|conf"
ls -al /var/log/xrdp*
root@out:/tmp# dpkg -L xrdp |grep ini
/usr/share/man/man5/sesman.ini.5.gz
/usr/share/man/man5/xrdp.ini.5.gz
/usr/share/doc/xrdp/rsakeys.ini
/etc/xrdp/km-0419.ini
/etc/xrdp/xrdp.ini
/etc/xrdp/km-0409.ini
/etc/xrdp/km-0410.ini
/etc/xrdp/km-0407.ini
/etc/xrdp/km-040c.ini
/etc/xrdp/sesman.ini
/etc/xrdp/km-041d.ini
/etc/init.d
/etc/init.d/xrdp
root@out:/tmp# dpkg -L xrdp |grep -E "rsakeys|conf"
/usr/share/doc/xrdp/rsakeys.ini
root@out:/tmp#
root@out:/tmp# ls -al /var/log/xrdp*
ls: cannot access '/var/log/xrdp*': No such file or directory
root@out:/tmp# ls -al /usr/lib/xorg/Xorg /etc/X11/xinit/xserverrc
-rwxr-xr-x 1 root root 46 Apr 26 2016 /etc/X11/xinit/xserverrc
-rwxr-xr-x 1 root root 2402920 Apr 8 2021 /usr/lib/xorg/Xorg
root@out:/tmp#
`ls -al /var/log/xrdp*` 这条命令报错,是因为安装后 xrdp 还没有启动,尚未生成日志文件;而从 ubuntu 官方镜像源安装时,即使不启动 xrdp 也会有日志文件。这是两者的区别之一,此外还有其他区别,比如依赖包不一样等等。
然后启动xrdp:
setsid /usr/sbin/xrdp-sesman --nodaemon ;
setsid /usr/sbin/xrdp --nodaemon ;
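此时查看网络连接(可以看到 tcp3389 和 tcp3350 端口;其中 xrdp 的 3389 监听在所有地址上,xrdp-sesman 的 3350 只监听 127.0.0.1。由于后面是通过 ssh 隧道访问 3389 的,3389 本身无需对外开放):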
root@out:/tmp# netstat -anlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 35/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 63/sshd
tcp 0 0 10.244.80.164:22 10.244.80.206:45882 ESTABLISHED 756/0
tcp6 0 0 127.0.0.1:3350 :::* LISTEN 24275/xrdp-sesman
tcp6 0 0 :::22 :::* LISTEN 63/sshd
tcp6 0 0 :::3389 :::* LISTEN 24277/xrdp
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 4 [ ] DGRAM 2153957696 11/syslog-ng /dev/log
unix 2 [ ACC ] STREAM LISTENING 2153957698 11/syslog-ng /var/lib/syslog-ng/syslog-ng.ctl
unix 2 [ ] DGRAM 2154645622 24277/xrdp
unix 2 [ ] DGRAM 2154649829 24275/xrdp-sesman
root@out:/tmp#
接下来在本地通过 ssh 把远程的 tcp3389 转发到本地的 13389 端口:
# Local port forward: port 13389 on the client -> 127.0.0.1:3389 on the target.
# With no bind address given, the client side listens on loopback by default.
# -C compresses, -N runs no remote command, -f backgrounds ssh after login.
# StrictHostKeyChecking=no accepts an unknown host key without asking, so the
# server's identity is not verified on first connect. That is tolerable for a
# throwaway lab instance; anywhere else, check or pin the host key instead.
ssh -o StrictHostKeyChecking=no -CNf -L 13389:127.0.0.1:3389 root@node4.buuoj.cn -p28413
如下图所示:
![](https://img-blog.csdnimg.cn/img_convert/7dfe2ab47615a16874458904e130c330.png)
发现连接失败,原因为部分deb包得去ubuntu官方镜像源拉取安装.
![](https://img-blog.csdnimg.cn/img_convert/fd6f139ebd9226ce57ae5f571dbc8d69.png)
重新开一个靶机环境:
ssh连接上去:
先不修改镜像源,直接安装如下deb包:
export LANG=en_US.UTF-8;\
export DEBIAN_FRONTEND=noninteractive;\
export APT_LISTCHANGES_FRONTEND=none;\
apt-get update;\
apt install -y x11-common xserver-xorg-core x11-xserver-utils;\
apt install -y xinit xterm;
apt install -y apport apport-symptoms bsdmainutils fuse groff-base libapt-pkg5.0 \
libapt-inst2.0 libc-bin libc-dev-bin libc6 libc6-dev libevdev2 libfuse2 \
libsystemd0 libwacom-common libwacom2 libxfont2 libzstd1 locales man-db policykit-1 ;
apt install -y libgcrypt20 libglu1-mesa libgpg-error0 libgudev-1.0-0 libinput-bin \
libinput10 libopus0 libpam-systemd libpipeline1 libpng16-16 libpolkit-agent-1-0 \
libpolkit-backend-1-0 libpolkit-gobject-1-0 libpython3-stdlib;
apt install -y systemd zlib1g;
apt install -y python3 python3-apport python3-apt python3-certifi python3-chardet \
python3-dbus python3-gi python3-httplib2 python3-idna python3-minimal \
python3-pkg-resources python3-problem-report python3-pycurl python3-requests \
python3-requests-unixsocket python3-six python3-systemd python3-urllib3 ;
接下来,修改镜像源:
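# Keep a copy of the current list so the switch can be undone; apt only reads
# sources.list and sources.list.d/*.list, so the .bak file is ignored by apt.
cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
# The running system is Ubuntu 16.04 (xenial) but every entry below is for
# bionic (18.04): each later "apt install" resolves against bionic, so core
# packages can be pulled up to the newer release piecemeal. That is workable
# on a disposable lab container; it is not a supported upgrade path for a
# machine that has to stay consistent.
# The delimiter is quoted so the body is written verbatim (no expansion).
cat << 'EOF' >/etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://archive.ubuntu.com/ubuntu/ bionic universe
deb http://archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted
deb http://security.ubuntu.com/ubuntu/ bionic-security universe
deb http://security.ubuntu.com/ubuntu/ bionic-security multiverse
EOF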
继续安装deb,安装好后启动xrdp:
apt-get update;\
export LANG=en_US.UTF-8;
apt install -y x11-apps x11-session-utils xfonts-scalable xinput xorg xorg-docs-core xserver-common xserver-xorg xserver-xorg-core xserver-xorg-input-all \
xserver-xorg-input-evdev xserver-xorg-input-libinput xserver-xorg-input-synaptics xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-amdgpu xserver-xorg-video-ati \
xserver-xorg-video-fbdev xserver-xorg-video-intel xserver-xorg-video-nouveau xserver-xorg-video-qxl xserver-xorg-video-radeon xserver-xorg-video-vesa xserver-xorg-video-vmware
apt install -y blt fontconfig-config libfontconfig1 libtcl8.6 libtk8.6 tk8.6-blt2.5;\
apt install -y python3-tk; \
apt install -y python3.6 python3.6-minimal;
apt install -y libargon2-0 libcryptsetup12 libgdbm5 libip4tc0 libjson-c3 libpython3.6-minimal libpython3.6-stdlib libreadline7 libssl1.1;\
apt install -y xorgxrdp;
apt install -y xrdp
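# Presumably a quick GUI test program: "python3 -m tkinter" opens tkinter's
# built-in test window.
# (Alternative body: python3 -c "import tkinter;tkinter.Tk().mainloop();")
# The original wrote both variants to /bin/p.sh with ">", which truncates the
# file, so only the second one ever survived. Write the file once, and give it
# a shebang so it also works when exec'd directly rather than only from a
# shell.
printf '%s\n' '#!/bin/sh' 'python3 -m tkinter' >/bin/p.sh
chmod +x /bin/p.sh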
setsid /usr/sbin/xrdp-sesman --nodaemon ;
setsid /usr/sbin/xrdp --nodaemon ;
cd /tmp;
root@out:/tmp# apt download xrdp
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 xrdp amd64 0.9.5-2 [419 kB]
Fetched 419 kB in 3s (151 kB/s)
root@out:/tmp# ll xrdp
-rw-r--r-- 1 root root 419216 Feb 16 2018 xrdp_0.9.5-2_amd64.deb
root@out:/tmp# md5sum xrdp_0.9.5-2_amd64.deb
4713f98fdd3bf5b91f8bd7d649e9f238 xrdp_0.9.5-2_amd64.deb
root@out:/tmp#
安装(apt install -y xrdp)的时候,尾部有一句需留意: saving to /etc/xrdp/rsakeys.ini
如上第13行是:apt install -y xorgxrdp;
安装xorgxrdp完毕后,执行如下命令不再报错(
(EE)
Fatal server error:
(EE) parse_vt_settings: Cannot open /dev/tty0 (No such file or directory)
):
cd /tmp;
/usr/bin/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
安装前是Cannot open /dev/tty0 .
接下来使用win10的mstsc远程桌面连接:
![](https://img-blog.csdnimg.cn/img_convert/adcec3eabeb6be453a04df608956dd98.png)
![](https://img-blog.csdnimg.cn/img_convert/8b0bf675530eb5a5669a0502d7aa0ba7.png)
![](https://img-blog.csdnimg.cn/img_convert/c9c9509b210c470c4f165f03f350be50.png)
实验成功.
最后还可以安装xfce来更好地使用图形界面:
apt install -y xfce4
apt install -y xfce4-goodies
以下为备忘录:
root@out:/tmp# ls -al /root/
total 36
drwx------ 1 root root 148 Feb 18 14:26 .
drwxr-xr-x 1 root root 136 Feb 18 13:48 ..
-rw------- 1 root root 18 Feb 18 14:27 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 3 root root 17 Nov 7 2019 .cache
drwx------ 3 root root 19 Feb 18 14:26 .local
drwxrwxrwt 2 root root 24 Feb 18 14:26 .pcsc10
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 6 Jan 26 2018 .ssh
drwxr-xr-t 2 root root 6 Feb 18 14:26 thinclient_drives
-rw------- 1 root root 49 Feb 18 14:26 .Xauthority
-rw-r--r-- 1 root root 15233 Feb 18 14:27 .xorgxrdp.10.log
-rw------- 1 root root 119 Feb 18 14:26 .xsession-errors
root@out:/tmp#
root@out:/tmp#
root@out:/tmp#
root@out:/tmp# find / -name startwm.sh
/etc/xrdp/startwm.sh
root@out:/tmp# cat /etc/xrdp/startwm.sh
#!/bin/sh
# xrdp X session start script (c) 2015, 2017 mirabilos
# published under The MirOS Licence
# Load the system-wide login environment first, if it is readable.
if test -r /etc/profile; then
. /etc/profile
fi
# Pull in the system locale settings. "${VAR+x}" expands to "x" whenever VAR
# is set (even to an empty string), so each line below exports only those
# locale variables that are set at this point and leaves unset ones alone.
if test -r /etc/default/locale; then
. /etc/default/locale
test -z "${LANG+x}" || export LANG
test -z "${LANGUAGE+x}" || export LANGUAGE
test -z "${LC_ADDRESS+x}" || export LC_ADDRESS
test -z "${LC_ALL+x}" || export LC_ALL
test -z "${LC_COLLATE+x}" || export LC_COLLATE
test -z "${LC_CTYPE+x}" || export LC_CTYPE
test -z "${LC_IDENTIFICATION+x}" || export LC_IDENTIFICATION
test -z "${LC_MEASUREMENT+x}" || export LC_MEASUREMENT
test -z "${LC_MESSAGES+x}" || export LC_MESSAGES
test -z "${LC_MONETARY+x}" || export LC_MONETARY
test -z "${LC_NAME+x}" || export LC_NAME
test -z "${LC_NUMERIC+x}" || export LC_NUMERIC
test -z "${LC_PAPER+x}" || export LC_PAPER
test -z "${LC_TELEPHONE+x}" || export LC_TELEPHONE
test -z "${LC_TIME+x}" || export LC_TIME
test -z "${LOCPATH+x}" || export LOCPATH
fi
# /etc/profile is sourced a second time here, after the locale variables
# have been exported.
if test -r /etc/profile; then
. /etc/profile
fi
# Hand over to the system Xsession script: run it directly when it is
# executable, otherwise through /bin/sh. exec replaces this shell, so the
# second line is reached only when the first exec did not happen.
test -x /etc/X11/Xsession && exec /etc/X11/Xsession
exec /bin/sh /etc/X11/Xsession
root@out:/tmp#
root@out:/tmp# ls -al /etc/X11/Xsession
-rwxr-xr-x 1 root root 3730 May 3 2017 /etc/X11/Xsession
root@out:/tmp# cat /etc/X11/Xsession
#!/bin/sh
#
# /etc/X11/Xsession
#
# global Xsession file -- used by display managers and xinit (startx)
# $Id: Xsession 967 2005-12-27 07:20:55Z dnusinow $
# Abort the script as soon as an unguarded command fails.
set -e
# Prefix that message() and message_nonl() put in front of everything they report.
PROGNAME=Xsession
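message () {
  # Pretty-print a message of arbitrary length to stderr, wrapped at the
  # terminal width (80 columns when $COLUMNS is unset or empty). When $DISPLAY
  # is set and xmessage is installed, show the same text in an xmessage dialog.
  # Globals:   PROGNAME, COLUMNS, DISPLAY (read); MESSAGE (written)
  # Arguments: the words of the message
  MESSAGE="$PROGNAME: $*"
  # printf instead of echo: echo's backslash handling differs between shells.
  # The width is quoted so a stray value cannot split into extra arguments.
  printf '%s\n' "$MESSAGE" | fold -s -w "${COLUMNS:-80}" >&2
  # command -v is the POSIX way to probe for a program; no external "which".
  if [ -n "$DISPLAY" ] && command -v xmessage > /dev/null 2>&1; then
    printf '%s\n' "$MESSAGE" | fold -s -w "${COLUMNS:-80}" | xmessage -center -file -
  fi
}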
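message_nonl () {
  # Like message(), but without a trailing newline: pretty-print the text to
  # stderr, wrapped at the terminal width (80 columns when $COLUMNS is unset
  # or empty), and also show it via xmessage when $DISPLAY is set and
  # xmessage is installed.
  # Globals:   PROGNAME, COLUMNS, DISPLAY (read); MESSAGE (written)
  # Arguments: the words of the message
  MESSAGE="$PROGNAME: $*"
  # printf '%s' replaces "echo -n", which POSIX sh does not guarantee.
  printf '%s' "$MESSAGE" | fold -s -w "${COLUMNS:-80}" >&2
  # command -v is the POSIX way to probe for a program; no external "which".
  if [ -n "$DISPLAY" ] && command -v xmessage > /dev/null 2>&1; then
    printf '%s' "$MESSAGE" | fold -s -w "${COLUMNS:-80}" | xmessage -center -file -
  fi
}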
errormsg () {
  # Report the given text through message(), then leave the script with
  # exit status 1.
  # Arguments: the words of the error message
  message "$@"
  exit 1
}
internal_errormsg () {
  # Exit path for "this should never happen" conditions. The caller's text and
  # the request to report it are handed to errormsg() in a single call, so the
  # user sees both in one xmessage dialog instead of dismissing the error
  # before the reporting request appears.
  # Arguments: the words of the error message
  set -- "$*" \
    'Please report the installed version of the "x11-common"' \
    'package and the complete text of this error message to' \
    '<debian-x@lists.debian.org>.'
  errormsg "$@"
}
# initialize variables for use by all session scripts
# (system-wide paths are fixed; per-user paths are derived from $HOME)
OPTIONFILE=/etc/X11/Xsession.options
SYSRESOURCES=/etc/X11/Xresources
USRRESOURCES=$HOME/.Xresources
SYSSESSIONDIR=/etc/X11/Xsession.d
USERXSESSION=$HOME/.xsession
USERXSESSIONRC=$HOME/.xsessionrc
ALTUSERXSESSION=$HOME/.Xsession
ERRFILE=$HOME/.xsession-errors
# attempt to create an error file; abort if we cannot
# The subshell confines "umask 077" to the touch, so a newly created log is
# owner-only. The log is accepted only if it is writable and is not a symlink
# (-L); otherwise the tempfile fallback below is tried.
if (umask 077 && touch "$ERRFILE") 2> /dev/null && [ -w "$ERRFILE" ] &&
[ ! -L "$ERRFILE" ]; then
chmod 600 "$ERRFILE"
# Fallback: let tempfile pick a fresh file name and leave a symlink to it at
# ${TMPDIR:-/tmp}/xsession-$USER.
# NOTE(review): that link name is fixed and sits in a shared temp directory;
# tempfile is the debianutils helper that newer releases deprecate in favour
# of mktemp.
elif ERRFILE=$(tempfile 2> /dev/null); then
if ! ln -sf "$ERRFILE" "${TMPDIR:=/tmp}/xsession-$USER"; then
message "warning: unable to symlink \"$TMPDIR/xsession-$USER\" to" \
"\"$ERRFILE\"; look for session log/errors in" \
"\"$TMPDIR/xsession-$USER\"."
fi
else
errormsg "unable to create X session log/error file; aborting."
fi
# truncate ERRFILE if it is too big to avoid disk usage DoS
# Only the last 500000 bytes are kept: they are copied to a scratch file made
# by mktemp inside $HOME, which is then renamed over the log. If tail or mv
# fails, the scratch file is removed instead.
if [ "`stat -c%s \"$ERRFILE\"`" -gt 500000 ]; then
T=`mktemp -p "$HOME"`
tail -c 500000 "$ERRFILE" > "$T" && mv -f "$T" "$ERRFILE" || rm -f "$T"
fi
# From here on, stdout and stderr of this shell are appended to the log.
exec >>"$ERRFILE" 2>&1
echo "$PROGNAME: X session started for $LOGNAME at $(date)"
# sanity check; is our session script directory present?
if [ ! -d "$SYSSESSIONDIR" ]; then
errormsg "no \"$SYSSESSIONDIR\" directory found; aborting."
fi
# Attempt to create a file of non-zero length in /tmp; a full filesystem can
# cause mysterious X session failures. We do not use touch, :, or test -w
# because they won't actually create a file with contents. We also let standard
# error from tempfile and echo go to the error file to aid the user in
# determining what went wrong.
WRITE_TEST=$(tempfile)
if ! echo "*" >>"$WRITE_TEST"; then
message "warning: unable to write to ${WRITE_TEST%/*}; X session may exit" \
"with an error"
fi
rm -f "$WRITE_TEST"
# use run-parts to source every file in the session directory; we source
# instead of executing so that the variables and functions defined above
# are available to the scripts, and so that they can pass variables to each
# other
# "run-parts --list" only prints the files it would run. The expansions below
# are unquoted, so the list is split on whitespace; this relies on
# $SYSSESSIONDIR and the listed paths containing none.
# errexit is switched off around the loop, so a fragment that returns non-zero
# does not end this script, and switched back on afterwards.
# NOTE(review): every fragment is sourced into this shell and therefore runs
# as the user who is logging in; presumably only root can write to
# $SYSSESSIONDIR -- confirm with ls -ld.
SESSIONFILES=$(run-parts --list $SYSSESSIONDIR)
if [ -n "$SESSIONFILES" ]; then
set +e
for SESSIONFILE in $SESSIONFILES; do
. $SESSIONFILE
done
set -e
fi
exit 0
# vim:set ai et sts=2 sw=2 tw=80:
root@out:/tmp#
# grep -i -rHn "xterm" /etc/X11/app-defaults/;
# /etc/X11/Xsession.d/99x11 ;
#/usr/bin/ssh-agent x-terminal-emulator
cat /usr/bin/x-terminal-emulator ;
cat /usr/bin/uxterm|grep -v "^#";
# xterm -class UXTerm -title uxterm -u8;
修改xterm样式:
# Write an extra X resources file with xterm appearance settings. The heredoc
# delimiter is unquoted, but the body contains no "$" or backticks, so it is
# written out verbatim.
# NOTE(review): printerCommand sends its output to the fixed path
# /tmp/xtermdump; on a host with other local users, a file under the user's
# own directory is the safer target.
cat << EOF >/etc/X11/Xresources/qq5201314
xterm*ScrollBar: true
xterm.geometry: 60x25
xterm*VT100.geometry: 166x58
xterm*rightScrollBar: true
xterm*leftScrollBar: true
XTerm*jumpScroll: true
xterm*faceSize: 14
xterm*allowBoldFonts: true
xterm*foreground: green
xterm*background: rgb:60/20/10
XTerm*SaveLines: 4096
xterm*printAttributes:
xterm*printerCommand: cat > /tmp/xtermdump
*customization: -fullscreen
xterm*fullscreen: 2
EOF