Wargames与bash知识09

Wargames与bash知识09

Bandit Level 16

关卡提示:

扫描服务器localhost(本地主机上)31000到32000范围内的端口,找出使用SSL唯一端口,将本级密码发送给这个端口获取下一级凭据。只有一个端口会提供下一个凭据,其他服务器只需将您发送给它的任何内容发送回您。

推荐命令:

ssh, telnet, nc, openssl, s_client, nmap

nc和nmap都可以扫描端口,前面已经谈过nc命令,让我们看看大名鼎鼎nmap命令:

Nmap简介

Nmap,也就是Network Mapper,是Linux下的网络扫描和嗅探工具包。它由Fyodor编写并维护。由于Nmap品质卓越,使用灵活,它已经是渗透测试人员必备的工具。

其基本功能有三个:

(1)是扫描主机端口,嗅探所提供的网络服务

(2)是探测一组主机是否在线

(3)还可以推断主机所用的操作系统,到达主机经过的路由,系统已开放端口的软件版本

Nmap命令常用格式

Nmap常用参数

1.执行快速扫描

使用以下参数可加快扫描速度:

-sS:TCP SYN 扫描;

-sT:TCP Connect 扫描;

-sU:UDP 扫描;

-T0~T5:设置不同级别的时间延迟。

2.隐藏IP地址 使用以下参数可隐藏源IP地址:

-S:指定源IP地址;

-D:伪装成其他IP地址。 l

3.指定端口范围 使用以下参数可指定端口范围:

-p:指定单个端口或端口范围;

--top-ports:指定前n个常见端口。

4.指定输出格式 使用以下参数可指定输出格式:

-oA:同时输出到三个文件(XML、nmap、grepable)中;

-oX:XML 格式输出; -oG:grepable 格式输出;

-oN:普通文本格式输出。

Nmap演示

尝试使用本地端机扫描失败:

bash 复制代码
gyj@guyanjun:~$ nmap bandit.labs.overthewire.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:38 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.50 seconds
gyj@guyanjun:~$ nmap -pn bandit.labs.overthewire.org 31000-32000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:40 CST
段错误
gyj@guyanjun:~$ nmap -pn 30000 bandit.labs.overthewire.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:42 CST
段错误

为了验证,使用nmap扫描局域网其他机器正常

bash 复制代码
gyj@guyanjun:~$ nmap 192.168.0.102
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:43 CST
Nmap scan report for 192.168.0.102
Host is up (0.071s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

Nmap扫描一个网段`

```bash
gyj@guyanjun:~$ nmap 192.168.0.*
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 09:46 CST
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
1900/tcp open   upnp
2004/tcp closed mailbox
bash 复制代码
Nmap scan report for 192.168.0.102
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap done: 256 IP addresses (2 hosts up) scanned in 8.22 seconds
## 开始解题

ls -al 发现bandit15的密码文件:.bandit15.password

```bash
bandit16@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root     root     4096 Oct  5 06:19 .
drwxr-xr-x 70 root     root     4096 Oct  5 06:20 ..
-rw-r-----  1 bandit16 bandit16   33 Oct  5 06:19 .bandit15.password
-rw-r--r--  1 root     root      220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root     root     3771 Jan  6  2022 .bashrc
-rw-r--r--  1 root     root      807 Jan  6  2022 .profile
bandit16@bandit:~$ cat .bandit15.password
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
bandit16@bandit:~$

插曲1:nc 扫描的输出是STDERR(文件描述符2),而非STDOUT,在将nc的输出传入管道时然后使用grep过滤会得不到结果。

bash 复制代码
bandit16@bandit:~$ nc -v -z localhost 31040-31050 |  grep -E "succeeded!"
nc: connect to localhost (127.0.0.1) port 31040 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31041 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31042 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31043 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31044 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31045 (tcp) failed: Connection refused
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
nc: connect to localhost (127.0.0.1) port 31047 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31048 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31049 (tcp) failed: Connection refused
nc: connect to localhost (127.0.0.1) port 31050 (tcp) failed: Connection refused

验证nc的输出为STDERR

bash 复制代码
bandit16@bandit:~$ nc -v -z localhost 31000-32000 2>>/tmp/nc_1
bandit16@bandit:~$ grep "succ" /tmp/nc_1
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!

将nc输出到管道要使用"|&"

bash 复制代码
bandit16@bandit:~$ nc -v -z localhost 31000-32000 |&  grep -E "succeeded!"
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
bandit16@bandit:~$

插曲2:服务器资源紧张导致卡顿。可能这个服务器有自动恢复机制,需要等一会再试。

Nmap 扫描服务器开放端口

bash 复制代码
pbandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Nc扫描服务器开放端口

bash 复制代码
bandit16@bandit:~$ nc -v -z localhost 31000-32000 |& grep "succee"
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
bandit16@bandit:~$ nmap -sV 31046 31518 31691 31790 31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:32 UTC

Nmap扫描端口的服务。很慢需要耐心等待

bash 复制代码
bandit16@bandit:~$ nmap -sV 31046,31518,31691,31790,31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:34 UTC
Failed to resolve "31046,31518,31691,31790,31960".

bandit16@bandit:~$ nmap -sV -p 31046,31518,31691,31790,31960 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 02:35 UTC
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 02:36 (0:00:15 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00085s latency).

PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
 .......省略部分输出
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.33 seconds

openssl s_client 尝试端口31518

bash 复制代码
bandit16@bandit:~$bandit16@bandit:~$ openssl s_client -connect localhost:31518
CONNECTED(00000003)
Can't use SSL_get_servername
 .......   省略输出
  rtificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
JQttfApK4SeyHwDlI9SXGR50qclOAil1
^C

返回结果为输入结果, 排除此端口。

尝试端口31790

bash 复制代码
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
 ...... 省略输出
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed

得到一个眼熟的东东,应该是个私钥吧。我查很多资料,好像没有办法将上面的私钥内容保存到一个文件中,我尝试了重定向和tee命令均没有实现。好在终端MobaXterm支持使用鼠标选取复制,不然把这些字符全部输入一个文件几乎是一个不可能完成的任务。

使用nano编辑文件/tmp/gyj16/aa,将上面内容粘贴。

bash 复制代码
bandit16@bandit:~$ nano /tmp/gyj16/aa
Unable to create directory /home/bandit16/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.

尝试使用私钥登录bandit17用户

bash 复制代码
bandit16@bandit:~$ ssh -i /tmp/gyj16/aa -l bandit17 localhost 2220
The authenticity of host 'localhost (127.0.0.1)' can't be established.
......
Permissions 0664 for '/tmp/gyj16/aa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/tmp/gyj16/aa": bad permissions
bandit17@localhost: Permission denied (publickey).
bandit16@bandit:~$

登录失败,提示/tmp/gyj16/aa权限太大,不能保证私钥安全

bash 复制代码
bandit16@bandit:/tmp/gyj16$ chmod 400 aa

再次登录

bash 复制代码
bandit16@bandit:~$ ssh -i /tmp/gyj16/aa -p 2220 -l bandit17 localhost
.....                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|


......

这个套路有点熟悉:在/etc/bandit_pass找到密码

bash 复制代码
bandit17@bandit:/etc/bandit_pass$ cat banndit17
cat: banndit17: No such file or directory
bandit17@bandit:/etc/bandit_pass$ cat bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

Bandit17家目录找到.bandit16.password

bash 复制代码
bandit17@bandit:/etc/bandit_pass$ cd ~
bandit17@bandit:~$ ls -al
total 36
drwxr-xr-x  3 root     root     4096 Oct  5 06:19 .
drwxr-xr-x 70 root     root     4096 Oct  5 06:20 ..
-rw-r-----  1 bandit17 bandit17   33 Oct  5 06:19 .bandit16.password
-rw-r--r--  1 root     root      220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root     root     3771 Jan  6  2022 .bashrc
-rw-r-----  1 bandit18 bandit17 3300 Oct  5 06:19 passwords.new
-rw-r-----  1 bandit18 bandit17 3300 Oct  5 06:19 passwords.old
-rw-r--r--  1 root     root      807 Jan  6  2022 .profile
drwxr-xr-x  2 root     root     4096 Oct  5 06:19 .ssh
bandit17@bandit:~$ cat .bandit16.password
JQttfApK4SeyHwDlI9SXGR50qclOAil1

查看.ssh目录:cat authorized_keys为公钥文件,id_rsa为私钥文件。

bash 复制代码
bandit17@bandit:~$ cd .ssh
bandit17@bandit:~/.ssh$ ls
authorized_keys  id_rsa
bandit17@bandit:~/.ssh$ ls -al
total 16
drwxr-xr-x 2 root     root     4096 Oct  5 06:19 .
drwxr-xr-x 3 root     root     4096 Oct  5 06:19 ..
-rw-r----- 1 bandit17 bandit17  396 Oct  5 06:19 authorized_keys
-rw-r----- 1 bandit17 bandit17 1675 Oct  5 06:19 id_rsa
bandit17@bandit:~/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
bandit17@bandit:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+Y6S6J+YyDocvZg8g6OifqJZ9untzePHfhiRhapQfntJR3ImKZnN7IYLSC1k8a6NRLGIlJYj+hOp7GH5wAxNIyU4l/v4Gsk5sCufF31jthPZtE9AlrovNvnnxhbcVmXzs5GI76tbgsIMI13aVS8sT8YvYZbK4o3QrmIJ3lNu0nMSRBO4NK3aZw2fiuEAv4kWvnqjhPrPxZYBbXwFHrIasyrtD+QAsdhbc56R49ADMvRVRhtYkZOLrkLFsKfNz/Dj6apDK+bOla0wDMlPMDNDE1uRHYwEbJLEMuuODQtY3qwrvA1fHRhXO3P/NsiQ+N+RTWMdL70RtU2P4PVcU4m5p rudy@localhost
bandit17@bandit:~/.ssh$
相关推荐
Code apprenticeship几秒前
Java面试题(2)
java·开发语言
J不A秃V头A3 分钟前
Python爬虫:获取国家货币编码、货币名称
开发语言·爬虫·python
SRY122404193 小时前
javaSE面试题
java·开发语言·面试
无尽的大道3 小时前
Java 泛型详解:参数化类型的强大之处
java·开发语言
ZIM学编程3 小时前
Java基础Day-Sixteen
java·开发语言·windows
放逐者-保持本心,方可放逐3 小时前
react 组件应用
开发语言·前端·javascript·react.js·前端框架
一丝晨光4 小时前
编译器、IDE对C/C++新标准的支持
c语言·开发语言·c++·ide·msvc·visual studio·gcc
阮少年、4 小时前
java后台生成模拟聊天截图并返回给前端
java·开发语言·前端
代码小鑫4 小时前
A027-基于Spring Boot的农事管理系统
java·开发语言·数据库·spring boot·后端·毕业设计
程序猿-瑞瑞5 小时前
11 go语言(golang) - 数据类型:结构体
开发语言·golang