Skip to main content

Brute It

端口扫描

root@ip-10-10-219-129:~# nmap -sTCV -p 22,80 10.10.239.176

Starting Nmap 7.60 ( https://nmap.org ) at 2023-08-13 09:36 BST
Nmap scan report for ip-10-10-239-176.eu-west-1.compute.internal (10.10.239.176)
Host is up (0.00016s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:CB:CC:AF:2D:35 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds

80 - HTTP

20240530111042

访问网页, 发现其存在一段注释

20240530111054

进行密码暴力破解

20240530111105

登陆网页进行访问, 可以得到一个 john 用户的私钥, 下载进行暴力破解

20240530111116

后渗透

john

root@ip-10-10-219-129:~# ssh -i id_rsa [email protected]
The authenticity of host '10.10.239.176 (10.10.239.176)' can't be established.
ECDSA key fingerprint is SHA256:6/bVnMDQ46C+aRgroR5KUwqKM6J9jAfSYFMQIOKckug.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.239.176' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Aug 13 08:33:57 UTC 2023

  System load:  0.01               Processes:           105
  Usage of /:   26.3% of 19.56GB   Users logged in:     0
  Memory usage: 29%                IP address for eth0: 10.10.239.176
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ id
uid=1001(john) gid=1001(john) groups=1001(john),27(sudo)

John —> root

用户具有 sudo 特权 , 我们可以直接查看 /etc/shadow 文件然后进行密码破解

20240530111151

20240530111156