Choc
Notes
[Linux VM] [Tested on VirtualBox] created by || cromiphi
⏲️ Release Date // 2021-04-22
✔️ MD5 // 8d4d2817622e1185dc00533b07745aa9
☠ Root // 29
💀 User // 31
📝Notes // Hack and fun.
Target machine startup
Target IP
192.168.56.122
nmap information gathering
Nmap scan report for 192.168.56.122
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 1811 Apr 20 2021 id_rsa [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:66:48:ee:7b:a9:ef:e1:20:26:c5:a8:bf:c5:4d:5c (RSA)
| 256 80:46:cd:47:a1:ce:a7:fe:56:36:4f:f7:d1:ed:92:c0 (ECDSA)
|_ 256 a2:83:db:7a:7d:38:70:e6:00:16:71:29:ee:04:73:aa (ED25519)
FTP anonymous login
ftp> ls -lah
drwxr-xr-x 2 0 114 4096 Apr 20 2021 .
drwxr-xr-x 2 0 114 4096 Apr 20 2021 ..
-rwxrwxrwx 1 0 0 1811 Apr 20 2021 id_rsa
Download the id_rsa file to the local machine, Base64-decode the data in it, and extract the printable strings, which gives:
carl@choc
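The decode-and-extract step above, as an added example that is not part of the original write-up: it parses the openssh-key-v1 container header and lists the printable strings in the private section, which is where an unencrypted key stores its comment (typically user@host). The sample key is constructed inline with all-zero key material and the hypothetical comment alice@example; the function names are this example's own.

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\x00"

def ssh_str(b):
    """Encode an SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_str(buf, off):
    """Decode one SSH wire string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key container")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(pem, min_len=4):
    """Report what an openssh-key-v1 file reveals without using the key."""
    rows = [l.strip() for l in pem.splitlines()]
    blob = base64.b64decode("".join(r for r in rows if r and not r.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = read_str(blob, off)
    kdf, off = read_str(blob, off)
    _opts, off = read_str(blob, off)           # KDF options (empty when kdf is "none")
    off += 4                                   # uint32 number of keys
    pub, off = read_str(blob, off)
    priv, off = read_str(blob, off)
    keytype, _ = read_str(pub, 0)
    # Same idea as `strings`: printable ASCII runs in the private section.
    # With cipher "none" the comment is stored in the clear and shows up here.
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, priv)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "keytype": keytype.decode(), "encrypted": cipher != b"none",
            "strings": [r.decode() for r in runs]}

def constructed_sample(comment=b"alice@example"):
    """Build a CONSTRUCTED container with all-zero key material (not a usable key)."""
    kt = b"ssh-ed25519"
    pub = ssh_str(kt) + ssh_str(bytes(32))
    priv = (struct.pack(">II", 0x01020304, 0x01020304) + ssh_str(kt)
            + ssh_str(bytes(32)) + ssh_str(bytes(64)) + ssh_str(comment))
    priv += bytes(range(1, (-len(priv)) % 8 + 1))  # pad to a multiple of 8 with 1,2,3...
    blob = (MAGIC + ssh_str(b"none") * 2 + ssh_str(b"") + struct.pack(">I", 1)
            + ssh_str(pub) + ssh_str(priv))
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *body,
                      "-----END OPENSSH PRIVATE KEY-----"])
```

When `encrypted` is true the private section is ciphertext and the comment does not appear in `strings`; on a real key, random key bytes can also produce short printable runs, so treat the list as candidates.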
User - carl
┌─[randark@parrot]─[~]
└──╼ $ ssh carl@192.168.56.122 -i id_rsa
##############################
# #
# Welcome to my SSH ! #
# Carl. #
# #
##############################
███████╗ █████╗ ██╗██╗ ███████╗██████╗ ██╗ ██████╗ ██╗
██╔════╝██╔══██╗██║██║ ██╔════╝██╔══██╗ ██║ ██╔═══██╗██║
█████╗ ███████║██║██║ █████╗ ██║ ██║ ██║ ██║ ██║██║
██╔══╝ ██╔══██║██║██║ ██╔══╝ ██║ ██║ ██║ ██║ ██║██║
██║ ██║ ██║██║███████╗███████╗██████╔╝ ███████╗╚██████╔╝███████╗
╚═╝ ╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝
Connection to 192.168.56.122 closed.
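It looks like the login succeeded, but for some reason the session was kicked out immediately.
Try making use of the Bash Shellshock vulnerability, together with bash - how can shellshock be exploited over SSH? - Unix & Linux Stack Exchange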