buuctf Linux Labs容器(ubuntu16.04)开启远程桌面rdp踩坑记

首先打开靶机:

https://buuoj.cn/challenges#Linux%20Labs

使用xshell7连接ssh:

首先确认版本和剩余内存,以及apt的镜像源(可以发现是阿里云的镜像源)

root@out:/tmp# cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
root@out:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:            256          75          61           8         119         180
Swap:             0           0           0
root@out:/tmp# 

root@out:/tmp#  cat /etc/apt/sources.list|grep -v "^#"
deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted

deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted

deb http://mirrors.aliyun.com/ubuntu/ xenial universe
deb-src http://mirrors.aliyun.com/ubuntu/ xenial universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates universe

deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse

deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse


deb http://security.ubuntu.com/ubuntu/ xenial-security main restricted
deb-src http://security.ubuntu.com/ubuntu/ xenial-security main restricted
deb http://security.ubuntu.com/ubuntu/ xenial-security universe
deb-src http://security.ubuntu.com/ubuntu/ xenial-security universe
deb http://security.ubuntu.com/ubuntu/ xenial-security multiverse
deb-src http://security.ubuntu.com/ubuntu/ xenial-security multiverse
root@out:/tmp# 

输入如下命令安装xrdp:

# First attempt: install a minimal X stack plus xrdp from the mirror that the
# container already has configured.
# DEBIAN_FRONTEND=noninteractive keeps debconf from prompting during install;
# APT_LISTCHANGES_FRONTEND=none silences apt-listchanges.
export LANG=en_US.UTF-8
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
apt-get update;
apt install -y x11-common xserver-xorg-core  x11-xserver-utils;
apt install -y  xinit xterm;
apt install -y  xrdp;

# List what the xrdp package put on disk: the *.ini files, then anything whose
# path matches "rsakeys" or "conf".
dpkg -L xrdp   |grep ini
dpkg -L xrdp   |grep  -E "rsakeys|conf"

# Check whether xrdp has written any log file yet.
ls -al /var/log/xrdp*



root@out:/tmp#   dpkg -L xrdp |grep ini
/usr/share/man/man5/sesman.ini.5.gz
/usr/share/man/man5/xrdp.ini.5.gz
/usr/share/doc/xrdp/rsakeys.ini
/etc/xrdp/km-0419.ini
/etc/xrdp/xrdp.ini
/etc/xrdp/km-0409.ini
/etc/xrdp/km-0410.ini
/etc/xrdp/km-0407.ini
/etc/xrdp/km-040c.ini
/etc/xrdp/sesman.ini
/etc/xrdp/km-041d.ini
/etc/init.d
/etc/init.d/xrdp
root@out:/tmp# dpkg -L xrdp  |grep  -E "rsakeys|conf"
/usr/share/doc/xrdp/rsakeys.ini
root@out:/tmp#  
root@out:/tmp# ls -al /var/log/xrdp*
ls: cannot access '/var/log/xrdp*': No such file or directory
root@out:/tmp# ls -al  /usr/lib/xorg/Xorg  /etc/X11/xinit/xserverrc
-rwxr-xr-x 1 root root      46 Apr 26  2016 /etc/X11/xinit/xserverrc
-rwxr-xr-x 1 root root 2402920 Apr  8  2021 /usr/lib/xorg/Xorg
root@out:/tmp# 

ls -al /var/log/xrdp* 这条命令报错:安装后尚未启动xrdp,所以还没有日志文件;而从ubuntu官方镜像源安装后,即使不启动xrdp也会有日志文件。这是两者的区别之一,当然还有别的,比如依赖包不一样等等.

然后启动xrdp:

# Start the session manager first, then the RDP listener. Both are launched by
# hand with --nodaemon and wrapped in setsid so each runs in its own session.
# NOTE(review): the netstat output further down shows xrdp-sesman bound to
# 127.0.0.1:3350 but xrdp bound to :::3389 (all addresses). The SSH tunnel used
# later only needs loopback, so on anything other than a throwaway lab container
# confirm that 3389 is not reachable from outside.
setsid /usr/sbin/xrdp-sesman --nodaemon ;
setsid /usr/sbin/xrdp  --nodaemon ;

此时看网络连接(可以看到tcp3389和tcp3350端口;其中xrdp的3389监听在所有地址上,xrdp-sesman的3350只监听127.0.0.1):

root@out:/tmp# netstat -anlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      35/apache2      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      63/sshd         
tcp        0      0 10.244.80.164:22        10.244.80.206:45882     ESTABLISHED 756/0           
tcp6       0      0 127.0.0.1:3350          :::*                    LISTEN      24275/xrdp-sesman
tcp6       0      0 :::22                   :::*                    LISTEN      63/sshd         
tcp6       0      0 :::3389                 :::*                    LISTEN      24277/xrdp      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  4      [ ]         DGRAM                    2153957696 11/syslog-ng        /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     2153957698 11/syslog-ng        /var/lib/syslog-ng/syslog-ng.ctl
unix  2      [ ]         DGRAM                    2154645622 24277/xrdp          
unix  2      [ ]         DGRAM                    2154649829 24275/xrdp-sesman   
root@out:/tmp# 

接下来转发远程的tcp3389

# Forward local port 13389 to 127.0.0.1:3389 on the lab host, so the RDP client
# connects to 127.0.0.1:13389 and the RDP traffic travels inside the SSH session.
# -C compresses, -N runs no remote command, -f backgrounds ssh after login.
# NOTE(review): StrictHostKeyChecking=no accepts an unknown host key without
# asking, so the server's identity is not verified on first contact. That is
# tolerable for a disposable CTF container whose key changes with every launch;
# do not carry the option over to hosts you care about.
ssh -o StrictHostKeyChecking=no -CNf -L 13389:127.0.0.1:3389 root@node4.buuoj.cn -p28413

如下图所示:

发现连接失败,原因为部分deb包得去ubuntu官方镜像源拉取安装.

重新开一个靶机环境:

ssh连接上去:

先不修改镜像源,直接安装如下deb包:

# Second attempt, on a fresh instance: with the container's original (xenial)
# sources still in place, install the base X packages and the package lists
# below BEFORE the sources are switched.
# NOTE(review): presumably this is meant to get these packages at their xenial
# versions first; the page does not say so explicitly -- confirm.
export LANG=en_US.UTF-8;\
export DEBIAN_FRONTEND=noninteractive;\
export APT_LISTCHANGES_FRONTEND=none;\
apt-get update;\
apt install -y x11-common xserver-xorg-core  x11-xserver-utils;\
apt install -y xinit xterm;
 
# NOTE(review): this list touches core system packages (libc6, libapt-pkg5.0,
# libsystemd0, policykit-1), so a failed install here can leave the container
# unusable; acceptable only because the lab instance is disposable.
apt install -y apport apport-symptoms bsdmainutils fuse groff-base libapt-pkg5.0 \
libapt-inst2.0   libc-bin   libc-dev-bin libc6 libc6-dev libevdev2 libfuse2 \
libsystemd0 libwacom-common libwacom2 libxfont2 libzstd1 locales man-db policykit-1 ;
 
# Crypto, input, PAM and polkit libraries.
apt install -y libgcrypt20  libglu1-mesa libgpg-error0  libgudev-1.0-0 libinput-bin \
libinput10 libopus0 libpam-systemd libpipeline1 libpng16-16 libpolkit-agent-1-0 \
libpolkit-backend-1-0 libpolkit-gobject-1-0 libpython3-stdlib;

apt install -y systemd zlib1g;
 
# python3 and the python3 modules in the list.
apt install -y python3 python3-apport python3-apt python3-certifi python3-chardet \
python3-dbus python3-gi python3-httplib2 python3-idna python3-minimal \
python3-pkg-resources python3-problem-report python3-pycurl python3-requests \
python3-requests-unixsocket python3-six python3-systemd python3-urllib3 ;  

接下来,修改镜像源(注意:这里换成的是ubuntu官方源的bionic仓库,而系统本身是xenial,属于跨版本混装,只适合这种用完即弃的靶机环境):

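# Replace the APT sources with the official Ubuntu archive, "bionic" suites.
# NOTE(review): the container is xenial (16.04, see /etc/os-release above) and
# bionic is the 18.04 release, so every later "apt install" pulls packages from
# a different release than the base system. Such a mix is unsupported and can
# break the package database; it is used here only because the lab instance is
# thrown away afterwards.
# Keep a copy of the original list so the change can be undone. APT only reads
# sources.list and sources.list.d/*.list, so the backup file is ignored by it.
cp -a /etc/apt/sources.list /etc/apt/sources.list.xenial.bak
# The delimiter is quoted so the shell writes the text exactly as given.
cat << 'EOF' >/etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ bionic main restricted

deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted

deb http://archive.ubuntu.com/ubuntu/ bionic universe
deb http://archive.ubuntu.com/ubuntu/ bionic-updates universe

deb http://archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse


deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted
deb http://security.ubuntu.com/ubuntu/ bionic-security universe
deb http://security.ubuntu.com/ubuntu/ bionic-security multiverse
EOF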

继续安装deb,安装好后启动xrdp:

# Refresh the package index from the sources written above, then install the
# remaining X server pieces, their dependencies, xorgxrdp and finally xrdp.
apt-get update;\
export LANG=en_US.UTF-8;

# Full Xorg server with its input and video driver packages.
apt install -y x11-apps x11-session-utils xfonts-scalable xinput xorg xorg-docs-core xserver-common xserver-xorg xserver-xorg-core xserver-xorg-input-all \
xserver-xorg-input-evdev xserver-xorg-input-libinput xserver-xorg-input-synaptics xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-amdgpu xserver-xorg-video-ati \
xserver-xorg-video-fbdev xserver-xorg-video-intel xserver-xorg-video-nouveau xserver-xorg-video-qxl xserver-xorg-video-radeon xserver-xorg-video-vesa xserver-xorg-video-vmware 

# Tk and python3-tk, used by the tkinter test launcher written afterwards.
apt install -y  blt fontconfig-config libfontconfig1 libtcl8.6 libtk8.6 tk8.6-blt2.5;\
apt install -y  python3-tk;  \
apt install -y python3.6 python3.6-minimal;

# Remaining libraries, then xorgxrdp before xrdp itself. The text below reports
# that the manual Xorg start stops failing once xorgxrdp is installed.
apt install -y  libargon2-0  libcryptsetup12 libgdbm5  libip4tc0 libjson-c3 libpython3.6-minimal libpython3.6-stdlib libreadline7 libssl1.1;\
apt install -y  xorgxrdp;
apt install -y  xrdp

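# Write a small launcher that opens the tkinter demo window, as a quick check
# that a program can draw inside the X session.
# The original wrote /bin/p.sh twice with '>', so the first form was always
# overwritten by the second; it is kept here as a comment for reference:
#   python3 -c "import tkinter;tkinter.Tk().mainloop();"
# A '#!' line is added so the file also runs when it is started by something
# other than a shell.
printf '%s\n' '#!/bin/sh' 'python3 -m tkinter' >/bin/p.sh
chmod +x /bin/p.sh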

# Start the session manager, then the RDP listener, each with --nodaemon and
# under setsid so it runs in its own session.
# NOTE(review): in the first attempt on this page xrdp listened on :::3389
# (all addresses); since access goes through the SSH tunnel, check that the
# port is not reachable from outside when reusing this on a non-lab host.
setsid /usr/sbin/xrdp-sesman --nodaemon ;
setsid /usr/sbin/xrdp  --nodaemon ;


cd /tmp;
root@out:/tmp#   apt  download    xrdp
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 xrdp amd64 0.9.5-2 [419 kB]
Fetched 419 kB in 3s (151 kB/s)
root@out:/tmp# ll xrdp
-rw-r--r-- 1 root root 419216 Feb 16  2018 xrdp_0.9.5-2_amd64.deb
root@out:/tmp# md5sum xrdp_0.9.5-2_amd64.deb 
4713f98fdd3bf5b91f8bd7d649e9f238  xrdp_0.9.5-2_amd64.deb
root@out:/tmp# 

安装(apt install -y xrdp)的时候,尾部有一句需留意:   saving to /etc/xrdp/rsakeys.ini

如上第13行是:apt install -y xorgxrdp;

安装xorgxrdp完毕后,执行如下命令不再报错(安装前的报错如下:

(EE)

Fatal server error:

(EE) parse_vt_settings: Cannot open /dev/tty0 (No such file or directory)

):

# Start the X server by hand on display :10 with the xrdp Xorg configuration,
# to see whether it comes up outside of xrdp-sesman.
# -nolisten tcp keeps the X server from accepting X11 connections over TCP;
# -auth names the authority (cookie) file that clients must match.
# NOTE(review): .Xauthority and the log file are given as relative names and
# the command is run from /tmp, a world-writable directory; for more than a
# one-off test, run it from a private directory instead.
cd /tmp;
/usr/bin/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log 

安装前是Cannot open /dev/tty0 .

接下来使用win10的mstsc远程桌面连接:

实验成功.

最后还可以安装xfce来更好的使用图形界面:

  # Optional: install the Xfce desktop and its add-on collection.
  # NOTE(review): the container reported 256 MB of RAM and no swap (free -m
  # above), so a full desktop may not fit -- verify before relying on it.
  apt install -y xfce4 
  apt install -y xfce4-goodies 

以下为备忘录:

root@out:/tmp# ls -al  /root/
total 36
drwx------ 1 root root   148 Feb 18 14:26 .
drwxr-xr-x 1 root root   136 Feb 18 13:48 ..
-rw------- 1 root root    18 Feb 18 14:27 .bash_history
-rw-r--r-- 1 root root  3106 Oct 22  2015 .bashrc
drwxr-xr-x 3 root root    17 Nov  7  2019 .cache
drwx------ 3 root root    19 Feb 18 14:26 .local
drwxrwxrwt 2 root root    24 Feb 18 14:26 .pcsc10
-rw-r--r-- 1 root root   148 Aug 17  2015 .profile
drwx------ 2 root root     6 Jan 26  2018 .ssh
drwxr-xr-t 2 root root     6 Feb 18 14:26 thinclient_drives
-rw------- 1 root root    49 Feb 18 14:26 .Xauthority
-rw-r--r-- 1 root root 15233 Feb 18 14:27 .xorgxrdp.10.log
-rw------- 1 root root   119 Feb 18 14:26 .xsession-errors
root@out:/tmp# 
root@out:/tmp# 
root@out:/tmp# 
root@out:/tmp# find / -name  startwm.sh
/etc/xrdp/startwm.sh
root@out:/tmp# cat /etc/xrdp/startwm.sh 
#!/bin/sh
# xrdp X session start script (c) 2015, 2017 mirabilos
# published under The MirOS Licence

# NOTE(review): lines marked NOTE(review) are annotations added to this listing.
# Purpose: set up the login environment, then hand over to the system-wide
# /etc/X11/Xsession script.

# Load the system-wide shell profile if it is readable.
if test -r /etc/profile; then
    . /etc/profile
fi

# Load the system locale settings. Each variable is exported only when the
# file actually set it: "${VAR+x}" expands to "x" when VAR is set (even to an
# empty value) and to nothing when it is unset.
if test -r /etc/default/locale; then
    . /etc/default/locale
    test -z "${LANG+x}" || export LANG
    test -z "${LANGUAGE+x}" || export LANGUAGE
    test -z "${LC_ADDRESS+x}" || export LC_ADDRESS
    test -z "${LC_ALL+x}" || export LC_ALL
    test -z "${LC_COLLATE+x}" || export LC_COLLATE
    test -z "${LC_CTYPE+x}" || export LC_CTYPE
    test -z "${LC_IDENTIFICATION+x}" || export LC_IDENTIFICATION
    test -z "${LC_MEASUREMENT+x}" || export LC_MEASUREMENT
    test -z "${LC_MESSAGES+x}" || export LC_MESSAGES
    test -z "${LC_MONETARY+x}" || export LC_MONETARY
    test -z "${LC_NAME+x}" || export LC_NAME
    test -z "${LC_NUMERIC+x}" || export LC_NUMERIC
    test -z "${LC_PAPER+x}" || export LC_PAPER
    test -z "${LC_TELEPHONE+x}" || export LC_TELEPHONE
    test -z "${LC_TIME+x}" || export LC_TIME
    test -z "${LOCPATH+x}" || export LOCPATH
fi

# /etc/profile is sourced a second time, now with the locale variables set.
# NOTE(review): presumably so profile scripts can see the locale -- the file
# itself does not say why; confirm against the package documentation.
if test -r /etc/profile; then
    . /etc/profile
fi

# Replace this shell with the session script: run it directly when it is
# executable, otherwise run it through /bin/sh.
test -x /etc/X11/Xsession && exec /etc/X11/Xsession
exec /bin/sh /etc/X11/Xsession
root@out:/tmp# 



root@out:/tmp# ls -al /etc/X11/Xsession
-rwxr-xr-x 1 root root 3730 May  3  2017 /etc/X11/Xsession
root@out:/tmp# cat /etc/X11/Xsession
#!/bin/sh
#
# /etc/X11/Xsession
#
# global Xsession file -- used by display managers and xinit (startx)

# $Id: Xsession 967 2005-12-27 07:20:55Z dnusinow $

# Stop at the first unhandled command failure; this is switched off again
# (set +e) only around the loop that sources the Xsession.d files.
set -e

# Prefix that message() puts in front of everything it prints.
PROGNAME=Xsession

# message TEXT...
# Prints "$PROGNAME: TEXT" to standard error, wrapped by fold at $COLUMNS
# characters (80 when COLUMNS is unset or empty). When DISPLAY is non-empty and
# an xmessage program is found, the same text is also shown in an xmessage
# window.
# Globals: PROGNAME, COLUMNS, DISPLAY (read); MESSAGE (written, not local).
message () {
  # pretty-print messages of arbitrary length; use xmessage if it
  # is available and $DISPLAY is set
  MESSAGE="$PROGNAME: $*"
  echo "$MESSAGE" | fold -s -w ${COLUMNS:-80} >&2
  if [ -n "$DISPLAY" ] && which xmessage > /dev/null 2>&1; then
    echo "$MESSAGE" | fold -s -w ${COLUMNS:-80} | xmessage -center -file -
  fi
}

# message_nonl TEXT...
# Same as message(), except that the text is passed through "echo -n", i.e.
# without a trailing newline.
# Globals: PROGNAME, COLUMNS, DISPLAY (read); MESSAGE (written, not local).
message_nonl () {
  # pretty-print messages of arbitrary length (no trailing newline); use
  # xmessage if it is available and $DISPLAY is set
  MESSAGE="$PROGNAME: $*"
  echo -n "$MESSAGE" | fold -s -w ${COLUMNS:-80} >&2;
  if [ -n "$DISPLAY" ] && which xmessage > /dev/null 2>&1; then
    echo -n "$MESSAGE" | fold -s -w ${COLUMNS:-80} | xmessage -center -file -
  fi
}

# errormsg TEXT...
# Reports TEXT through message() and then ends the whole script with exit
# status 1. It does not return to the caller.
errormsg () {
  # exit script with error
  message "$*"
  exit 1
}

# internal_errormsg TEXT...
# Like errormsg(), but appends a fixed request to report the problem to the
# Debian X mailing list. Everything is passed in a single errormsg() call, so
# the script exits with status 1 afterwards.
internal_errormsg () {
  # exit script with error; essentially a "THIS SHOULD NEVER HAPPEN" message
  # One big call to message() for the sake of xmessage; if we had two then
  # the user would have dismissed the error we want reported before seeing the
  # request to report it.
  errormsg "$*" \
           "Please report the installed version of the \"x11-common\"" \
           "package and the complete text of this error message to" \
           "<debian-x@lists.debian.org>."
}

# initialize variables for use by all session scripts

# System-wide paths, and per-user paths under $HOME. These are plain shell
# variables, so the Xsession.d files sourced later in this script see them.
OPTIONFILE=/etc/X11/Xsession.options

SYSRESOURCES=/etc/X11/Xresources
USRRESOURCES=$HOME/.Xresources

SYSSESSIONDIR=/etc/X11/Xsession.d
USERXSESSION=$HOME/.xsession
USERXSESSIONRC=$HOME/.xsessionrc
ALTUSERXSESSION=$HOME/.Xsession
ERRFILE=$HOME/.xsession-errors

# attempt to create an error file; abort if we cannot
# The file is created inside a subshell with umask 077, must be writable and
# must not be a symbolic link; it is then forced to mode 600.
# If that fails, a temporary file is used and a symlink to it is placed at
# ${TMPDIR:=/tmp}/xsession-$USER (the := also sets TMPDIR to /tmp when unset).
# NOTE(review): that symlink has a predictable name in a shared directory and
# "ln -sf" replaces whatever is already there; this only happens on the
# fallback path, when the file under $HOME could not be used.
if (umask 077 && touch "$ERRFILE") 2> /dev/null && [ -w "$ERRFILE" ] &&
  [ ! -L "$ERRFILE" ]; then
  chmod 600 "$ERRFILE"
elif ERRFILE=$(tempfile 2> /dev/null); then
  if ! ln -sf "$ERRFILE" "${TMPDIR:=/tmp}/xsession-$USER"; then
    message "warning: unable to symlink \"$TMPDIR/xsession-$USER\" to" \
             "\"$ERRFILE\"; look for session log/errors in" \
             "\"$TMPDIR/xsession-$USER\"."
  fi
else
  errormsg "unable to create X session log/error file; aborting."
fi

# truncate ERRFILE if it is too big to avoid disk usage DoS
# When the file is larger than 500000 bytes, its last 500000 bytes are written
# to a mktemp file under $HOME, which is then moved over the original. If tail
# or mv fails, the temporary file is removed instead.
if [ "`stat -c%s \"$ERRFILE\"`" -gt 500000 ]; then
  T=`mktemp -p "$HOME"`
  tail -c 500000 "$ERRFILE" > "$T" && mv -f "$T" "$ERRFILE" || rm -f "$T"
fi

# From here on, standard output and standard error of this script (and of
# everything it sources) are appended to the error file.
exec >>"$ERRFILE" 2>&1

echo "$PROGNAME: X session started for $LOGNAME at $(date)"

# sanity check; is our session script directory present?
# errormsg() ends the script with status 1 when the directory is missing.
if [ ! -d "$SYSSESSIONDIR" ]; then
  errormsg "no \"$SYSSESSIONDIR\" directory found; aborting."
fi

# Attempt to create a file of non-zero length in /tmp; a full filesystem can
# cause mysterious X session failures.  We do not use touch, :, or test -w
# because they won't actually create a file with contents.  We also let standard
# error from tempfile and echo go to the error file to aid the user in
# determining what went wrong.
# A failed write only produces a warning; the session start continues, and the
# test file is removed either way.
WRITE_TEST=$(tempfile)
if ! echo "*" >>"$WRITE_TEST"; then
  message "warning: unable to write to ${WRITE_TEST%/*}; X session may exit" \
          "with an error"
fi
rm -f "$WRITE_TEST"

# use run-parts to source every file in the session directory; we source
# instead of executing so that the variables and functions defined above
# are available to the scripts, and so that they can pass variables to each
# other
# Build the list of session fragments with run-parts --list, then source each
# one into this shell. "set -e" is turned off for the loop, so a failing
# command inside a fragment does not end the script, and turned on again after.
# $SESSIONFILES is left unquoted on purpose: the for loop relies on word
# splitting to walk the list.
# NOTE(review): every listed file runs inside this shell as the user who is
# logging in, and startwm.sh (shown above) execs this script for xrdp
# sessions. Write access to $SYSSESSIONDIR therefore means code execution in
# each user's session; keep the directory and its files writable by root only.
SESSIONFILES=$(run-parts --list $SYSSESSIONDIR)
if [ -n "$SESSIONFILES" ]; then
  set +e
  for SESSIONFILE in $SESSIONFILES; do
    . $SESSIONFILE
  done
  set -e
fi

exit 0

# vim:set ai et sts=2 sw=2 tw=80:
root@out:/tmp# 


# grep  -i  -rHn  "xterm"   /etc/X11/app-defaults/;
# /etc/X11/Xsession.d/99x11 ;
#/usr/bin/ssh-agent x-terminal-emulator
cat /usr/bin/x-terminal-emulator ;
cat /usr/bin/uxterm|grep -v "^#";
# xterm -class UXTerm -title uxterm -u8; 

修改xterm样式:

# Write a system-wide X resources file with xterm appearance settings. The
# Xsession script shown above sets SYSRESOURCES=/etc/X11/Xresources, the
# directory this file goes into.
# The here-document delimiter is unquoted; the text contains no "$" or
# backquote, so the shell writes it unchanged.
# NOTE(review): printerCommand sends xterm's print output to the fixed path
# /tmp/xtermdump. A fixed name in a shared directory can be pre-created or
# symlinked by another local user; on a multi-user host point it at a file in
# a directory only the user can write to.
cat << EOF >/etc/X11/Xresources/qq5201314
xterm*ScrollBar: true
xterm.geometry: 60x25
xterm*VT100.geometry: 166x58
xterm*rightScrollBar: true
xterm*leftScrollBar: true
XTerm*jumpScroll: true
xterm*faceSize: 14
xterm*allowBoldFonts: true
xterm*foreground: green
xterm*background: rgb:60/20/10
XTerm*SaveLines: 4096
xterm*printAttributes:
xterm*printerCommand: cat > /tmp/xtermdump
*customization: -fullscreen
xterm*fullscreen: 2
EOF