search

hgbe02 / hgbe02.github.io

Github blog:https://hgbe02.github.io/
MIT License
1 stars 0 forks source link

Hades(41~51) | 北海听雨 #3

Open utterances-bot opened 1 month ago

utterances-bot commented 1 month ago

Hades(41~51) | 北海听雨

41 leda

https://hgbe02.github.io//Hackmyvm/Hades(41-51).html

hgbe02 commented 1 month ago

原理其实是使用了默认的私钥进行了认证:

a@hades:~$ ls -la
total 40
drwxr-x--- 3 root hera 4096 Apr  5 06:36 .
drwxr-xr-x 1 root root 4096 Apr  5 06:36 ..
-rw-r----- 1 root hera  127 Apr  5 06:36 .bash_history
-rw-r--r-- 1 hera hera  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hera hera 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 hera hera  807 Apr 23  2023 .profile
drwxr-xr-x 2 root root 4096 Apr  5 06:36 .ssh
-rw-r----- 1 root hera   22 Apr  5 06:36 flagz.txt
-rw-r----- 1 root hera  182 Apr  5 06:36 mission.txt
hera@hades:~$ cd .ssh
hera@hades:~/.ssh$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Apr  5 06:36 .
drwxr-x--- 3 root hera 4096 Apr  5 06:36 ..
-rw-r----- 1 root hera  568 Apr  5 06:36 authorized_keys
-rw-r----- 1 root hera 2590 Apr  5 06:36 id_rsa
hera@hades:~/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHnkVd725zQHWzxW8JJFcTlmQRh2nQGEIiwsZo5dz+C99HqV9jwhryrJ6oucxjlwLatA5Fn270JFTdwHxaqFHQxHRHQBJoApbsVF3zpvhH5a+Y5GoDKToNDKU63pCMgZtdFKPC0+1Yr3D0TO
1ijaZya9ne9mnY20dFFVfGH2sye95C+uiDO1XPmhntqRkj74l6O6I5YqauCjEbb2G4WE5Qp1hw/D10Tul0gCCj9FT/Y4dSgFjzefRxT9JN1927NKmaNCuCfIs8vXeq6Z+wYzF+Obh6eFK4upLvG/P1w4fAyUZZb4LhtdFebhb1N3fjX9XbZtPR
010X8XMbzh6Q53iGifb9rgyFGcGGOTv0OQPCOtWsV+JvmCZR36wCbWE7t7UT9Mmt/zhnYzwhAoGbZX7WaieWS/W8kCvMzZzLbiq2mKOJ9obgFATvaKPc/8eValOhif1wFrbvvuQyAkuFkPMSFffjPxAU7U54L3DlypgTo3oS33X1pPvD8kfINZRcRSk= hera@hades.hmv
hera@hades:~/.ssh$ cat id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx55FXe9uc0B1s8VvCSRXE5ZkEYdp0BhCIsLGaOXc/gvfR6lfY8Ia
8qyeqLnMY5cC2rQORZ9u9CRU3cB8WqhR0MR0R0ASaAKW7FRd86b4R+WvmORqAyk6DQylOt
6QjIGbXRSjwtPtWK9w9EztYo2mcmvZ3vZp2NtHRRVXxh9rMnveQvrogztVz5oZ7akZI++J
ejuiOWKmrgoxG29huFhOUKdYcPw9dE7pdIAgo/RU/2OHUoBY83n0cU/STdfduzSpmjQrgn
yLPL13qumfsGMxfjm4enhSuLqS7xvz9cOHwMlGWW+C4bXRXm4W9Td341/V22bT0dNdF/Fz
G84ekOd4hon2/a4MhRnBhjk79DkDwjrVrFfib5gmUd+sAm1hO7e1E/TJrf84Z2M8IQKBm2
V+1monlkv1vJArzM2cy24qtpijifaG4BQE72ij3P/HlWpToYn9cBa2777kMgJLhZDzEhX3
4z8QFO1OeC9w5cqYE6N6Et919aT7w/JHyDWUXEUpAAAFgCnyEcUp8hHFAAAAB3NzaC1yc2
EAAAGBAMeeRV3vbnNAdbPFbwkkVxOWZBGHadAYQiLCxmjl3P4L30epX2PCGvKsnqi5zGOX
Atq0DkWfbvQkVN3AfFqoUdDEdEdAEmgCluxUXfOm+Eflr5jkagMpOg0MpTrekIyBm10Uo8
LT7VivcPRM7WKNpnJr2d72adjbR0UVV8YfazJ73kL66IM7Vc+aGe2pGSPviXo7ojlipq4K
MRtvYbhYTlCnWHD8PXRO6XSAIKP0VP9jh1KAWPN59HFP0k3X3bs0qZo0K4J8izy9d6rpn7
BjMX45uHp4Uri6ku8b8/XDh8DJRllvguG10V5uFvU3d+Nf1dtm09HTXRfxcxvOHpDneIaJ
9v2uDIUZwYY5O/Q5A8I61axX4m+YJlHfrAJtYTu3tRP0ya3/OGdjPCECgZtlftZqJ5ZL9b
yQK8zNnMtuKraYo4n2huAUBO9oo9z/x5VqU6GJ/XAWtu++5DICS4WQ8xIV9+M/EBTtTngv
cOXKmBOjehLfdfWk+8PyR8g1lFxFKQAAAAMBAAEAAAGAfLX0wGsFphtvbZC7fgqmHCao/g
qLoOaG6xCkxIRXPKBOLocygTCThWky9ladytpdfiVfhT/GIeFQ4/mNt1XRR4x02M6+sRxt
DdjnmYGHO+PTgMGzOaZYDi8IS28g/6c5WT270cx1TCLPftFQvXGhu3qF8zYfisv0CsT6wV
x/rFqW0WHQQaygP8MWz9QFUN4mFaeMAi4P1Eupwmojsvf4dYsXRf9QpYlncNFbkxLix2t2
76Qf7n0Sqngj+14RuRN8h8bGJSfTS5oUI6rY/3+QcmACjp7Sm784HwZPmLTWig5MrIsVBq
Y35pmDO7YbIZ66Pi327dC/JwuBn1pVMuxsoUOl3mZdRCUuUFdCD3gyxMU88vHEBq+SU9rO
DxsNauBPkEqJk9E24ElkkdkJ0zzirrsrs4R0TbyJqVS80/Witt7nG9jxb5NWbtp6c1Utr2
O9fnVv2OF7xvpMk81hJFOCkfHZF2uWOFC9Ey6rH80VBS6VocF6cy3jTK1Mq9sqZMrBAAAA
wBjxlJnsFonnKdWvaYJ5oVWZINRghBOYBQe3TzpneHivPLevivVz3ABGxzKcPCP2qHVELo
8gxoMEVqkL+RSaVTM6xoVVYBNoN8bb2nUnXk8IZtFIYhnWzVqfQ4+VNFcDbWSE0SIG0my7
lOUyX6W7a5xWzo6TitAtKKRcKsbMTv3UuVDoyvOZPmFiReCKfsRA3KIWNT5OXA6anjON03
dZkhrBUWc6izs5z/4bVMFFMoV4cRgoSCQCqHZo7bklFWNjxAAAAMEA5nCSZXESZUVLyajK
q0oUa/gDPrFVnZm7Gln3TVHr96hcMNHUTAhPVWfWwg98MH+O5IjbTW03ZcTP/LoJV8Xy3O
WC9NY4lb7BEsja5sYA35g0xUKvQ0DaNdQeMEkZ4pLi3i17EbFtnDGlQxRe1nUPNgRtEx5z
fk9axW6yqPdUR8S0MufFW82VGjIXvEEXJD44NlXrjUGbBzK24q6VAkCBH1L5qiC/KfFBLO
W1gnTsS8AUjWF/0b4JL1D+HiVdWvq3AAAAwQDdwoK6606A87imIvD3VtaIGY+6N9M5Oodp
ICHg8Cml4nK+hqnFoE/V5UbFDgfBUfKM+XMXaJEwdQLkFKeY9U7BczB+0A1KrQS31LQK+/
Nl7792pZzcll2YT8THx91FDNi1dx0zmHRZv2oURDJMc0AJDTqSFSZ+X3t1bHs8qLckfR0X
O32JcoQ6JZUlJh+Okyq2A6lbEjQqPDk59NhQw/J24ryKHu5a4oIdfynXOofAqbTZrjQ8Qn
FdNGMEWYEiXx8AAAALdGVzdGVAZGViMTE=
-----END OPENSSH PRIVATE KEY-----

hgbe02@pwn:~/temp$ vim temp
hgbe02@pwn:~/temp$ chmod 600 temp
hgbe02@pwn:~/temp$ ssh-keygen -y -f temp > temp.pub
hgbe02@pwn:~/temp$ cat temp.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHnkVd725zQHWzxW8JJFcTlmQRh2nQGEIiwsZo5dz+C99HqV9jwhryrJ6oucxjlwLatA5Fn270JFTdwHxaqFHQxHRHQBJoApbsVF3zpvhH5a+Y5GoDKToNDKU63pCMgZtdFKPC0+1Yr3D0TO
1ijaZya9ne9mnY20dFFVfGH2sye95C+uiDO1XPmhntqRkj74l6O6I5YqauCjEbb2G4WE5Qp1hw/D10Tul0gCCj9FT/Y4dSgFjzefRxT9JN1927NKmaNCuCfIs8vXeq6Z+wYzF+Obh6eFK4upLvG/P1w4fAyUZZb4LhtdFebhb1N3fjX9XbZtPR
010X8XMbzh6Q53iGifb9rgyFGcGGOTv0OQPCOtWsV+JvmCZR36wCbWE7t7UT9Mmt/zhnYzwhAoGbZX7WaieWS/W8kCvMzZzLbiq2mKOJ9obgFATvaKPc/8eValOhif1wFrbvvuQyAkuFkPMSFffjPxAU7U54L3DlypgTo3oS33X1pPvD8kfINZRcRSk= teste@deb11

然后可以看到:

maria@hades:~$ cd .ssh             
maria@hades:~/.ssh$ ls -la
total 16
drwxr-xr-x 2 root root  4096 Apr  5 06:36 .
drwxr-x--- 3 root maria 4096 Apr  5 06:36 ..
-rw-r----- 1 root maria  569 Apr  5 06:36 authorized_keys
-rw-r----- 1 root maria 2590 Apr  5 06:36 id_rsa
maria@hades:~/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx55FXe9uc0B1s8VvCSRXE5ZkEYdp0BhCIsLGaOXc/gvfR6lfY8Ia
8qyeqLnMY5cC2rQORZ9u9CRU3cB8WqhR0MR0R0ASaAKW7FRd86b4R+WvmORqAyk6DQylOt
6QjIGbXRSjwtPtWK9w9EztYo2mcmvZ3vZp2NtHRRVXxh9rMnveQvrogztVz5oZ7akZI++J
ejuiOWKmrgoxG29huFhOUKdYcPw9dE7pdIAgo/RU/2OHUoBY83n0cU/STdfduzSpmjQrgn
yLPL13qumfsGMxfjm4enhSuLqS7xvz9cOHwMlGWW+C4bXRXm4W9Td341/V22bT0dNdF/Fz
G84ekOd4hon2/a4MhRnBhjk79DkDwjrVrFfib5gmUd+sAm1hO7e1E/TJrf84Z2M8IQKBm2
V+1monlkv1vJArzM2cy24qtpijifaG4BQE72ij3P/HlWpToYn9cBa2777kMgJLhZDzEhX3
4z8QFO1OeC9w5cqYE6N6Et919aT7w/JHyDWUXEUpAAAFgCnyEcUp8hHFAAAAB3NzaC1yc2
EAAAGBAMeeRV3vbnNAdbPFbwkkVxOWZBGHadAYQiLCxmjl3P4L30epX2PCGvKsnqi5zGOX
Atq0DkWfbvQkVN3AfFqoUdDEdEdAEmgCluxUXfOm+Eflr5jkagMpOg0MpTrekIyBm10Uo8
LT7VivcPRM7WKNpnJr2d72adjbR0UVV8YfazJ73kL66IM7Vc+aGe2pGSPviXo7ojlipq4K
MRtvYbhYTlCnWHD8PXRO6XSAIKP0VP9jh1KAWPN59HFP0k3X3bs0qZo0K4J8izy9d6rpn7
BjMX45uHp4Uri6ku8b8/XDh8DJRllvguG10V5uFvU3d+Nf1dtm09HTXRfxcxvOHpDneIaJ
9v2uDIUZwYY5O/Q5A8I61axX4m+YJlHfrAJtYTu3tRP0ya3/OGdjPCECgZtlftZqJ5ZL9b
yQK8zNnMtuKraYo4n2huAUBO9oo9z/x5VqU6GJ/XAWtu++5DICS4WQ8xIV9+M/EBTtTngv
cOXKmBOjehLfdfWk+8PyR8g1lFxFKQAAAAMBAAEAAAGAfLX0wGsFphtvbZC7fgqmHCao/g
qLoOaG6xCkxIRXPKBOLocygTCThWky9ladytpdfiVfhT/GIeFQ4/mNt1XRR4x02M6+sRxt
DdjnmYGHO+PTgMGzOaZYDi8IS28g/6c5WT270cx1TCLPftFQvXGhu3qF8zYfisv0CsT6wV
x/rFqW0WHQQaygP8MWz9QFUN4mFaeMAi4P1Eupwmojsvf4dYsXRf9QpYlncNFbkxLix2t2
76Qf7n0Sqngj+14RuRN8h8bGJSfTS5oUI6rY/3+QcmACjp7Sm784HwZPmLTWig5MrIsVBq
Y35pmDO7YbIZ66Pi327dC/JwuBn1pVMuxsoUOl3mZdRCUuUFdCD3gyxMU88vHEBq+SU9rO
DxsNauBPkEqJk9E24ElkkdkJ0zzirrsrs4R0TbyJqVS80/Witt7nG9jxb5NWbtp6c1Utr2
O9fnVv2OF7xvpMk81hJFOCkfHZF2uWOFC9Ey6rH80VBS6VocF6cy3jTK1Mq9sqZMrBAAAA
wBjxlJnsFonnKdWvaYJ5oVWZINRghBOYBQe3TzpneHivPLevivVz3ABGxzKcPCP2qHVELo
8gxoMEVqkL+RSaVTM6xoVVYBNoN8bb2nUnXk8IZtFIYhnWzVqfQ4+VNFcDbWSE0SIG0my7
lOUyX6W7a5xWzo6TitAtKKRcKsbMTv3UuVDoyvOZPmFiReCKfsRA3KIWNT5OXA6anjON03
dZkhrBUWc6izs5z/4bVMFFMoV4cRgoSCQCqHZo7bklFWNjxAAAAMEA5nCSZXESZUVLyajK
q0oUa/gDPrFVnZm7Gln3TVHr96hcMNHUTAhPVWfWwg98MH+O5IjbTW03ZcTP/LoJV8Xy3O
WC9NY4lb7BEsja5sYA35g0xUKvQ0DaNdQeMEkZ4pLi3i17EbFtnDGlQxRe1nUPNgRtEx5z
fk9axW6yqPdUR8S0MufFW82VGjIXvEEXJD44NlXrjUGbBzK24q6VAkCBH1L5qiC/KfFBLO
W1gnTsS8AUjWF/0b4JL1D+HiVdWvq3AAAAwQDdwoK6606A87imIvD3VtaIGY+6N9M5Oodp
ICHg8Cml4nK+hqnFoE/V5UbFDgfBUfKM+XMXaJEwdQLkFKeY9U7BczB+0A1KrQS31LQK+/
Nl7792pZzcll2YT8THx91FDNi1dx0zmHRZv2oURDJMc0AJDTqSFSZ+X3t1bHs8qLckfR0X
O32JcoQ6JZUlJh+Okyq2A6lbEjQqPDk59NhQw/J24ryKHu5a4oIdfynXOofAqbTZrjQ8Qn
FdNGMEWYEiXx8AAAALdGVzdGVAZGViMTE=
-----END OPENSSH PRIVATE KEY-----
maria@hades:~/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHnkVd725zQHWzxW8JJFcTlmQRh2nQGEIiwsZo5dz+C99HqV9jwhryrJ6oucxjlwLatA5Fn270JFTdwHxaqFHQxHRHQBJoApbsVF3zpvhH5a+Y5GoDKToNDKU63pCMgZtdFKPC0+1Yr3D0TO
1ijaZya9ne9mnY20dFFVfGH2sye95C+uiDO1XPmhntqRkj74l6O6I5YqauCjEbb2G4WE5Qp1hw/D10Tul0gCCj9FT/Y4dSgFjzefRxT9JN1927NKmaNCuCfIs8vXeq6Z+wYzF+Obh6eFK4upLvG/P1w4fAyUZZb4LhtdFebhb1N3fjX9XbZtPR
010X8XMbzh6Q53iGifb9rgyFGcGGOTv0OQPCOtWsV+JvmCZR36wCbWE7t7UT9Mmt/zhnYzwhAoGbZX7WaieWS/W8kCvMzZzLbiq2mKOJ9obgFATvaKPc/8eValOhif1wFrbvvuQyAkuFkPMSFffjPxAU7U54L3DlypgTo3oS33X1pPvD8kfINZRcRSk= maria@hades.hmv
hgbe02@pwn:~/temp$ vim temp
hgbe02@pwn:~/temp$ chmod 600 temp
hgbe02@pwn:~/temp$ ssh-keygen -y -f temp > temp.pub
hgbe02@pwn:~/temp$ cat temp.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHnkVd725zQHWzxW8JJFcTlmQRh2nQGEIiwsZo5dz+C99HqV9jwhryrJ6oucxjlwLatA5Fn270JFTdwHxaqFHQxHRHQBJoApbsVF3zpvhH5a+Y5GoDKToNDKU63pCMgZtdFKPC0+1Yr3D0TO
1ijaZya9ne9mnY20dFFVfGH2sye95C+uiDO1XPmhntqRkj74l6O6I5YqauCjEbb2G4WE5Qp1hw/D10Tul0gCCj9FT/Y4dSgFjzefRxT9JN1927NKmaNCuCfIs8vXeq6Z+wYzF+Obh6eFK4upLvG/P1w4fAyUZZb4LhtdFebhb1N3fjX9XbZtPR
010X8XMbzh6Q53iGifb9rgyFGcGGOTv0OQPCOtWsV+JvmCZR36wCbWE7t7UT9Mmt/zhnYzwhAoGbZX7WaieWS/W8kCvMzZzLbiq2mKOJ9obgFATvaKPc/8eValOhif1wFrbvvuQyAkuFkPMSFffjPxAU7U54L3DlypgTo3oS33X1pPvD8kfINZRcRSk= teste@deb11