SSH利用私钥登录时一个简单错误的解决过程
SSH利用私钥登录时一个简单错误的解决过程
问题描述
在一次渗透测试过程中,利用linpeas.sh脚本扫描有无本地提权漏洞,发现了目标靶机有SSH私钥,并且又相应的权限读取,因此从linpeas.sh脚本的输出结果中SSH私钥相应的内容拷贝至攻击机本地,
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue2]
└─$ vim id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue2]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue2]
└─$ ssh -i id_rsa freddie@192.168.56.191
The authenticity of host '192.168.56.191 (192.168.56.191)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.191' (ED25519) to the list of known hosts.
Load key "id_rsa": error in libcrypto
freddie@192.168.56.191's password:
解决过程
但是利用该私钥登录时,却报错。网上查了好久,看有没有解决方法各种说法都有,最后才发现,原因是由于从linpeas.sh输出结果中直接拷贝内容,然后在kali linux本地粘贴这些内容导致的。
解决思路其实很简单,只需要从目标主机将私钥原始文件下载到本地,可以在目标主机利用python3启用web。
└─$ wget http://192.168.56.191:8000/id_rsa
--2022-11-18 22:26:22-- http://192.168.56.191:8000/id_rsa
Connecting to 192.168.56.191:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1823 (1.8K) [application/octet-stream]
Saving to: ‘id_rsa.1’
id_rsa.1 100%[=================================================================================================================================>] 1.78K --.-KB/s in 0s
2022-11-18 22:26:22 (332 MB/s) - ‘id_rsa.1’ saved [1823/1823]
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue2]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue2]
└─$ ssh -i id_rsa freddie@192.168.56.191
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
STRIVE FOR PROGRESS,NOT FOR PERFECTION
