I have spent hours and hours on a "simple and fun" task on an online learning platform.
According to the site:
> When Bash (a popular Linux shell) starts, it executes the commands in
> a variety of different scripts. When Bash is invoked as an interactive
> login shell, it first reads and executes '/etc/profile' from the file,
> if that file exists.
>
> After reading that file, it looks for '~/.bash_profile', '~/.bash_login'
> and '~/.profile', in that order then reads and executes commands from
> the first one that exists and is readable.
>
> When a login shell exits, Bash reads and executes commands from the
> file '~/.bash_logout', if it exists. When an interactive shell that is
> not a login shell is started, Bash reads and executes commands from
> '~/.bashrc', if that file exists. This may be inhibited by using the
> --norc option. The --rcfile file option will force Bash to read and
> execute commands from file instead of '~/.bashrc'.
>
> In some cases system owners enforce security through these scripts.
> The corresponding exercise for this skill area will need you to
> understand what the script could be running and try to intercept in
> some fashion.
>
> This is a fun exercise with a simple solution.
>
> Logon to the server once it has started using 'user' as the username
> and 'Uncr4ckable1!' as the password, using SSH on port 22.
>
> You need to get the token once you’ve managed to login.
The server connects, but then tells me:
> Hi
> Sorry to have to tell you but this server does not allow you to login
> You will now be automatically logged off.
> Thanks
> Server Admin
> Connection to closed by remote host.
> Connection to closed.
As far as I can tell, the whole internet says ...
$ ssh hostname "bash --noprofile"
or
$ ssh -t hostname "bash --noprofile"
or
$ ssh -t hostname "bash --noprofile --norc"
or
$ ssh user@hostname /bin/bash
should work - however, at best it logs me in and does not kick me out, but I do not seem to have any kind of shell - I can type commands but see no reaction of any kind (nor do I have any way to look at the server directly ... so we cannot check what is in the scripts ...)
With -vvv enabled, ssh gives the following output:
What am I missing? This task is supposed to take 30 minutes, and I feel like I have scoured half the internet with no luck.
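
An added illustration of the startup-file rules quoted from the site above (not part of the original post, and not the platform's code): it records, in a throwaway HOME, which files Bash actually sources for each invocation mode. The function name `startup_trace`, the `custom_rc` file and the marker files are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: trace which startup files Bash sources per invocation mode.
# Runs entirely in a temporary HOME; the marker files are constructed here.

# usage: startup_trace "<files to create in HOME>" [bash options...]
startup_trace() {
    files=$1; shift
    demo_home=$(mktemp -d) || return 1
    : > "$demo_home/trace"
    for f in $files; do
        # each marker appends its own name to the trace when Bash sources it
        printf 'echo %s >> "$HOME/trace"\n' "$f" > "$demo_home/$f"
    done
    # -c true makes Bash exit right after its startup phase; stdin is empty
    # and job-control warnings (no TTY) on stderr are discarded
    (cd "$demo_home" && HOME=$demo_home bash "$@" -c true \
        </dev/null >/dev/null 2>&1) || true
    result=$(paste -sd ' ' "$demo_home/trace")
    rm -rf "$demo_home"
    printf '%s\n' "$result"
}

ALL_FILES=".bash_profile .bash_login .profile .bashrc custom_rc"

# Login shell: only the first existing file of the three is read
echo "login:                 $(startup_trace "$ALL_FILES" --login)"
echo "login, no bash_profile: $(startup_trace ".bash_login .profile .bashrc" --login)"
# --noprofile skips /etc/profile and all personal login files
echo "login --noprofile:     $(startup_trace "$ALL_FILES" --noprofile --login)"
# Interactive non-login shell: ~/.bashrc, unless --norc or --rcfile is given
echo "interactive:           $(startup_trace "$ALL_FILES" -i)"
echo "interactive --norc:    $(startup_trace "$ALL_FILES" --norc -i)"
echo "interactive --rcfile:  $(startup_trace "$ALL_FILES" --rcfile custom_rc -i)"
```

Because the client chooses the invocation mode, a restriction placed only in these files is not enforced for every session; on the server side, sshd's `ForceCommand` applies regardless of what the client requests.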