Nmap scan report for 10.10.10.10 Host is up (0.23s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA) | 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA) |_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-generator: WordPress 4.7.3 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Job Portal – Just another WordPress site Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.2 - 4.9 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 4.9 (91%), Linux 3.12 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 237.00 ms 10.10.16.1 2 309.00 ms 10.10.10.10
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 541.37 seconds
$ steghide extract -sf HackerAccessGranted.jpg Enter passphrase: wrote extracted data to "id_rsa".
OK,提取出了id_rsa文件,再用John一把梭
1 2 3 4 5 6 7 8 9 10 11 12 13 14
$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash $ /sbin/john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status superpassword (id_rsa) Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:08 DONE (2020-03-18 10:52) 0.1173g/s 1683Kp/s 1683Kc/s 1683KC/sa6_123..*7¡Vamos! Session completed