关卡提示:
扫描服务器localhost(本地主机上)31000到32000范围内的端口,找出使用SSL唯一端口,将本级密码发送给这个端口获取下一级凭据。只有一个端口会提供下一个凭据,其他服务器只需将您发送给它的任何内容发送回您。
推荐命令:
ssh, telnet, nc, openssl, s_client, nmap
nc和nmap都可以扫描端口,前面已经谈过nc命令,让我们看看大名鼎鼎nmap命令:
Nmap,也就是Network Mapper,是Linux下的网络扫描和嗅探工具包。它由Fyodor编写并维护。由于Nmap品质卓越,使用灵活,它已经是渗透测试人员必备的工具。
其基本功能有三个:
(1)是扫描主机端口,嗅探所提供的网络服务
(2)是探测一组主机是否在线
(3)还可以推断主机所用的操作系统,到达主机经过的路由,系统已开放端口的软件版本
Nmap常用参数
1.执行快速扫描
使用以下参数可加快扫描速度:
-sS:TCP SYN 扫描;
-sT:TCP Connect 扫描;
-sU:UDP 扫描;
-T0~T5:设置不同级别的时间延迟。
2.隐藏IP地址 使用以下参数可隐藏源IP地址:
-S:指定源IP地址;
-D:伪装成其他IP地址。 l
3.指定端口范围 使用以下参数可指定端口范围:
-p:指定单个端口或端口范围;
–top-ports:指定前n个常见端口。
4.指定输出格式 使用以下参数可指定输出格式:
-oA:同时输出到三个文件(XML、nmap、grepable)中;
-oX:XML 格式输出; -oG:grepable 格式输出;
-oN:普通文本格式输出。
尝试使用本地端机扫描失败:
gyj@guyanjun:~$ nmap bandit.labs.overthewire.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:38 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.50 seconds
gyj@guyanjun:~$ nmap -pn bandit.labs.overthewire.org 31000-32000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:40 CST
段错误
gyj@guyanjun:~$ nmap -pn 30000 bandit.labs.overthewire.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:42 CST
段错误
为了验证,使用nmap扫描局域网其他机器正常
gyj@guyanjun:~$ nmap 192.168.0.102
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:43 CST
Nmap scan report for 192.168.0.102
Host is up (0.071s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
Nmap扫描一个网段`
```bash
gyj@guyanjun:~$ nmap 192.168.0.*
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:46 CST
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
2004/tcp closed mailbox
Nmap scan report for 192.168.0.102
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 256 IP addresses (2 hosts up) scanned in 8.22 seconds
## 开始解题
ls -al 发现bandit15的密码文件:.bandit15.password
```bash
bandit16@bandit:~$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
-rw-r----- 1 bandit16 bandit16 33 Oct 5 06:19 .bandit15.password
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit16@bandit:~$ cat .bandit15.password
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
bandit16@bandit:~$
插曲1:nc 扫描的输出是STDERR(文件描述符2),而非STDOUT,在将nc的输出传入管道时然后使用grep过滤会得不到结果。
bandit16@bandit:~$ nc -v -z localhost 31040-31050 | grep -E "succeeded!"
nc: connect to localhost (127.0.0.1) port 31040 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31041 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31042 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31043 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31044 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31045 (tcp) failed: Connection refused
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
nc: connect to localhost (127.0.0.1) port 31047 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31048 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31049 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31050 (tcp) failed: Connection refused
验证nc的输出为STDERR
bandit16@bandit:~$ nc -v -z localhost 31000-32000 2>>/tmp/nc_1
bandit16@bandit:~$ grep "succ" /tmp/nc_1
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
将nc输出到管道要使用“|&”
bandit16@bandit:~$ nc -v -z localhost 31000-32000 |& grep -E "succeeded!"
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
bandit16@bandit:~$
插曲2:服务器资源紧张导致卡顿。可能这个服务器有自动恢复机制,需要等一会再试。
Nmap 扫描服务器开放端口
pbandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Nc扫描服务器开放端口
bandit16@bandit:~$ nc -v -z localhost 31000-32000 |& grep "succee"
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
bandit16@bandit:~$ nmap -sV 31046 31518 31691 31790 31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:32 UTC
Nmap扫描端口的服务。很慢需要耐心等待
bandit16@bandit:~$ nmap -sV 31046,31518,31691,31790,31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:34 UTC
Failed to resolve "31046,31518,31691,31790,31960".
bandit16@bandit:~$ nmap -sV -p 31046,31518,31691,31790,31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:35 UTC
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 02:36 (0:00:15 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00085s latency).
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
.......省略部分输出
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.33 seconds
openssl s_client 尝试端口31518
bandit16@bandit:~$bandit16@bandit:~$ openssl s_client -connect localhost:31518
CONNECTED(00000003)
Can't use SSL_get_servername
....... 省略输出
rtificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
JQttfApK4SeyHwDlI9SXGR50qclOAil1
^C
返回结果为输入结果, 排除此端口。
尝试端口31790
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
...... 省略输出
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
closed
得到一个眼熟的东东,应该是个私钥吧。我查很多资料,好像没有办法将上面的私钥内容保存到一个文件中,我尝试了重定向和tee命令均没有实现。好在终端MobaXterm支持使用鼠标选取复制,不然把这些字符全部输入一个文件几乎是一个不可能完成的任务。
使用nano编辑文件/tmp/gyj16/aa,将上面内容粘贴。
bandit16@bandit:~$ nano /tmp/gyj16/aa
Unable to create directory /home/bandit16/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.
尝试使用私钥登录bandit17用户
bandit16@bandit:~$ ssh -i /tmp/gyj16/aa -l bandit17 localhost 2220
The authenticity of host 'localhost (127.0.0.1)' can't be established.
......
Permissions 0664 for '/tmp/gyj16/aa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/tmp/gyj16/aa": bad permissions
bandit17@localhost: Permission denied (publickey).
bandit16@bandit:~$
登录失败,提示/tmp/gyj16/aa权限太大,不能保证私钥安全
bandit16@bandit:/tmp/gyj16$ chmod 400 aa
再次登录
bandit16@bandit:~$ ssh -i /tmp/gyj16/aa -p 2220 -l bandit17 localhost
..... _ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
......
这个套路有点熟悉:在/etc/bandit_pass找到密码
bandit17@bandit:/etc/bandit_pass$ cat banndit17
cat: banndit17: No such file or directory
bandit17@bandit:/etc/bandit_pass$ cat bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
Bandit17家目录找到.bandit16.password
bandit17@bandit:/etc/bandit_pass$ cd ~
bandit17@bandit:~$ ls -al
total 36
drwxr-xr-x 3 root root 4096 Oct 5 06:19 .
drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
-rw-r----- 1 bandit17 bandit17 33 Oct 5 06:19 .bandit16.password
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r----- 1 bandit18 bandit17 3300 Oct 5 06:19 passwords.new
-rw-r----- 1 bandit18 bandit17 3300 Oct 5 06:19 passwords.old
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 root root 4096 Oct 5 06:19 .ssh
bandit17@bandit:~$ cat .bandit16.password
JQttfApK4SeyHwDlI9SXGR50qclOAil1
查看.ssh目录:cat authorized_keys为公钥文件,id_rsa为私钥文件。
bandit17@bandit:~$ cd .ssh
bandit17@bandit:~/.ssh$ ls
authorized_keys id_rsa
bandit17@bandit:~/.ssh$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
drwxr-xr-x 3 root root 4096 Oct 5 06:19 ..
-rw-r----- 1 bandit17 bandit17 396 Oct 5 06:19 authorized_keys
-rw-r----- 1 bandit17 bandit17 1675 Oct 5 06:19 id_rsa
bandit17@bandit:~/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
bandit17@bandit:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+Y6S6J+YyDocvZg8g6OifqJZ9untzePHfhiRhapQfntJR3ImKZnN7IYLSC1k8a6NRLGIlJYj+hOp7GH5wAxNIyU4l/v4Gsk5sCufF31jthPZtE9AlrovNvnnxhbcVmXzs5GI76tbgsIMI13aVS8sT8YvYZbK4o3QrmIJ3lNu0nMSRBO4NK3aZw2fiuEAv4kWvnqjhPrPxZYBbXwFHrIasyrtD+QAsdhbc56R49ADMvRVRhtYkZOLrkLFsKfNz/Dj6apDK+bOla0wDMlPMDNDE1uRHYwEbJLEMuuODQtY3qwrvA1fHRhXO3P/NsiQ+N+RTWMdL70RtU2P4PVcU4m5p rudy@localhost
bandit17@bandit:~/.ssh$